Calculate Trampoline onion packet sizes dynamically.

[arik-so]

Given that Trampoline onion sizes will be variable, this obviates the need to pass the onion size a priori.

Builds on top of #3446.

[valentinewallace]

Is it harmful for privacy to not use a fixed length?

[arik-so]

Yes. But we can always pad after the fact, right? Or we can make this an option.

[arik-so]

Given that the recipient has to read the entire onion anyway, and therefore its potential size is limited by how many outer onion hops came before, and that there are not usually many Trampoline hops, there is a potential limitation of privacy even so.

[valentinewallace]

Would the code be more confusing if we padded after the fact? I'd kinda prefer to review this commit amidst some more context.

[arik-so]

Hm, I do think padding after the fact would be more complicated. The context is mostly integration tests against ACINQ, where the current version does not appear to be padding the onion to a fixed size, which we should actually bring up to Bastien. It didn't occur to me yesterday.

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 20 lines in your changes missing coverage. Please review.

Project coverage is 89.60%. Comparing base (66fb520) to head (b4da6fb).
Report is 12 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/onion_utils.rs	0.00%	20 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3333      +/-   ##
==========================================
- Coverage   89.66%   89.60%   -0.06%     
==========================================
  Files         126      126              
  Lines      102676   102766      +90     
  Branches   102676   102766      +90     
==========================================
+ Hits        92062    92088      +26     
- Misses       7894     7943      +49     
- Partials     2720     2735      +15     

Flag	Coverage Δ
	89.60% <0.00%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[TheBlueMatt]

Feel free to squash when you next push.

[TheBlueMatt]

Why check + expect rather than just adding? I don't think we're at any real risk of a u64 overflowing here.

[arik-so]

frankly, I've been thinking the same thing. Currently it's in a bit of a limbo state, because even with the checked addition, it's still expecting. So either I should surface it to an Error struct, or allow it to throw immediately. Though you're also right, it's unlikely to happen outside of a fuzz scenario.

[TheBlueMatt]

I'm not sure its possible anyway? We'd have to have a huge custom TLV and we should reject that long before we get to this point (or just blame the user for trying to stuff 4GB of garbage down an onion).

[tankyleo]

Suggested change

	let packet_length = length.unwrap_or(minimum_packet_length as u16) as usize;
	let packet_length = length.map(|l| usize::from(l)).unwrap_or(minimum_packet_length);

usize::from guarantees no information loss, as usize does not.

[tankyleo]

Nit: doesn't seem like : usize is needed, but I let you make the decision on style - from my point of view, we are talking about lengths here, so not surprising that the type is usize.

[TheBlueMatt]

Please no hard assertions unless its gonna result in us losing money. debug assert and handle the err.

[valentinewallace]

LGTM after squash!

[valentinewallace]

Thought I ACK'd already but guess not