Decrypt Trampoline onions

In this commit, we start decrypting the inner onion we receive, and lay
some groundwork towards handling the subsequent routing or payment
receipt.

Author: arik-so

lightning/src/ln/channelmanager.rs

@@ -4479,11 +4479,36 @@ where
 					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
 				}
 			},
+			#[cfg(trampoline)]
+			onion_utils::Hop::TrampolineReceive { .. } => {
+				// OUR PAYMENT!
+				let current_height: u32 = self.best_block.read().unwrap().height;
+				match create_recv_pending_htlc_info(decoded_hop, shared_secret, msg.payment_hash,
+					msg.amount_msat, msg.cltv_expiry, None, allow_underpay, msg.skimmed_fee_msat,
+					current_height)
+				{
+					Ok(info) => {
+						// Note that we could obviously respond immediately with an update_fulfill_htlc
+						// message, however that would leak that we are the recipient of this payment, so
+						// instead we stay symmetric with the forwarding case, only responding (after a
+						// delay) once they've sent us a commitment_signed!
+						PendingHTLCStatus::Forward(info)
+					},
+					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
+				}
+			},
 			onion_utils::Hop::Forward { .. } | onion_utils::Hop::BlindedForward { .. } => {
 				match create_fwd_pending_htlc_info(msg, decoded_hop, shared_secret, next_packet_pubkey_opt) {
 					Ok(info) => PendingHTLCStatus::Forward(info),
 					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
 				}
+			},
+			#[cfg(trampoline)]
+			onion_utils::Hop::TrampolineForward { .. } | onion_utils::Hop::TrampolineBlindedForward { .. } => {
+				match create_fwd_pending_htlc_info(msg, decoded_hop, shared_secret, next_packet_pubkey_opt) {
+					Ok(info) => PendingHTLCStatus::Forward(info),
+					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
+				}
 			}
 		}
 	}
@@ -5895,7 +5920,7 @@ where
 														// of the onion.
 														failed_payment!(err_msg, err_code, sha256_of_onion.to_vec(), None);
 													},
-													Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret }) => {
+													Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret, .. }) => {
 														let phantom_shared_secret = shared_secret.secret_bytes();
 														failed_payment!(err_msg, err_code, Vec::new(), Some(phantom_shared_secret));
 													},

lightning/src/ln/onion_payment.rs

@@ -5,7 +5,7 @@
 
 use bitcoin::hashes::Hash;
 use bitcoin::hashes::sha256::Hash as Sha256;
-use bitcoin::secp256k1::{self, PublicKey, Secp256k1};
+use bitcoin::secp256k1::{self, PublicKey, Secp256k1, ecdh::SharedSecret};
 
 use crate::blinded_path;
 use crate::blinded_path::payment::{PaymentConstraints, PaymentRelay};
@@ -15,7 +15,7 @@ use crate::ln::channelmanager::{BlindedFailure, BlindedForward, CLTV_FAR_FAR_AWA
 use crate::types::features::BlindedHopFeatures;
 use crate::ln::msgs;
 use crate::ln::onion_utils;
-use crate::ln::onion_utils::{HTLCFailReason, INVALID_ONION_BLINDING};
+use crate::ln::onion_utils::{HTLCFailReason, INVALID_ONION_BLINDING, ONION_DATA_LEN};
 use crate::routing::gossip::NodeId;
 use crate::sign::{NodeSigner, Recipient};
 use crate::util::logger::Logger;
@@ -61,20 +61,37 @@ fn check_blinded_forward(
 	Ok((amt_to_forward, outgoing_cltv_value))
 }
 
+enum RoutingInfo {
+	Direct {
+		short_channel_id: u64,
+		new_packet_bytes: [u8; ONION_DATA_LEN],
+		next_hop_hmac: [u8; 32]
+	},
+	#[cfg(trampoline)]
+	Trampoline {
+		outgoing_node_id: NodeId,
+		// Trampoline onions are currently variable length
+		new_packet_bytes: Vec<u8>,
+		next_hop_hmac: [u8; 32],
+		shared_secret: SharedSecret,
+		current_path_key: Option<PublicKey>
+	}
+}
+
 pub(super) fn create_fwd_pending_htlc_info(
 	msg: &msgs::UpdateAddHTLC, hop_data: onion_utils::Hop, shared_secret: [u8; 32],
 	next_packet_pubkey_opt: Option<Result<PublicKey, secp256k1::Error>>
 ) -> Result<PendingHTLCInfo, InboundHTLCErr> {
 	debug_assert!(next_packet_pubkey_opt.is_some());
 
 	let (
-		short_channel_id, amt_to_forward, outgoing_cltv_value, intro_node_blinding_point,
-		next_blinding_override, new_packet_bytes, next_hop_hmac
+		routing_info, amt_to_forward, outgoing_cltv_value, intro_node_blinding_point,
+		next_blinding_override
 	) = match hop_data {
 		onion_utils::Hop::Forward { next_hop_data: msgs::InboundOnionForwardPayload {
 			short_channel_id, amt_to_forward, outgoing_cltv_value
 		}, new_packet_bytes, next_hop_hmac, .. } =>
-			(short_channel_id, amt_to_forward, outgoing_cltv_value, None, None, new_packet_bytes, next_hop_hmac),
+			(RoutingInfo::Direct { short_channel_id, new_packet_bytes, next_hop_hmac }, amt_to_forward, outgoing_cltv_value, None, None),
 		onion_utils::Hop::BlindedForward { next_hop_data: msgs::InboundOnionBlindedForwardPayload {
 			short_channel_id, payment_relay, payment_constraints, intro_node_blinding_point, features,
 			next_blinding_override,
@@ -90,38 +107,124 @@ pub(super) fn create_fwd_pending_htlc_info(
 					err_data: vec![0; 32],
 				}
 			})?;
-			(short_channel_id, amt_to_forward, outgoing_cltv_value, intro_node_blinding_point,
-			 next_blinding_override, new_packet_bytes, next_hop_hmac)
+			(RoutingInfo::Direct { short_channel_id, new_packet_bytes, next_hop_hmac }, amt_to_forward, outgoing_cltv_value, intro_node_blinding_point,
+				next_blinding_override)
 		},
 		onion_utils::Hop::Receive { .. } | onion_utils::Hop::BlindedReceive { .. } =>
 			return Err(InboundHTLCErr {
 				msg: "Final Node OnionHopData provided for us as an intermediary node",
 				err_code: 0x4000 | 22,
 				err_data: Vec::new(),
 			}),
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineReceive { .. } =>
+			return Err(InboundHTLCErr {
+				msg: "Final Node OnionHopData provided for us as an intermediary node",
+				err_code: 0x4000 | 22,
+				err_data: Vec::new(),
+			}),
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineForward { next_trampoline_hop_data, next_trampoline_hop_hmac, new_trampoline_packet_bytes, trampoline_shared_secret, .. } => {
+			(
+				RoutingInfo::Trampoline {
+					outgoing_node_id: next_trampoline_hop_data.outgoing_node_id,
+					new_packet_bytes: new_trampoline_packet_bytes,
+					next_hop_hmac: next_trampoline_hop_hmac,
+					shared_secret: trampoline_shared_secret,
+					current_path_key: None
+				},
+				next_trampoline_hop_data.amt_to_forward,
+				next_trampoline_hop_data.outgoing_cltv_value,
+				None,
+				None
+			)
+		},
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineBlindedForward { outer_hop_data, next_trampoline_hop_data, next_trampoline_hop_hmac, new_trampoline_packet_bytes, trampoline_shared_secret, .. } => {
+			let (amt_to_forward, outgoing_cltv_value) = check_blinded_forward(
+				msg.amount_msat, msg.cltv_expiry, &next_trampoline_hop_data.payment_relay, &next_trampoline_hop_data.payment_constraints, &next_trampoline_hop_data.features
+			).map_err(|()| {
+				// We should be returning malformed here if `msg.blinding_point` is set, but this is
+				// unreachable right now since we checked it in `decode_update_add_htlc_onion`.
+				InboundHTLCErr {
+					msg: "Underflow calculating outbound amount or cltv value for blinded forward",
+					err_code: INVALID_ONION_BLINDING,
+					err_data: vec![0; 32],
+				}
+			})?;
+			(
+				RoutingInfo::Trampoline {
+					outgoing_node_id: next_trampoline_hop_data.outgoing_node_id,
+					new_packet_bytes: new_trampoline_packet_bytes,
+					next_hop_hmac: next_trampoline_hop_hmac,
+					shared_secret: trampoline_shared_secret,
+					current_path_key: outer_hop_data.current_path_key
+				},
+				amt_to_forward,
+				outgoing_cltv_value,
+				next_trampoline_hop_data.intro_node_blinding_point,
+				next_trampoline_hop_data.next_blinding_override
+			)
+		},
 	};
 
-	let outgoing_packet = msgs::OnionPacket {
-		version: 0,
-		public_key: next_packet_pubkey_opt.unwrap_or(Err(secp256k1::Error::InvalidPublicKey)),
-		hop_data: new_packet_bytes,
-		hmac: next_hop_hmac,
+	let routing = match routing_info {
+		RoutingInfo::Direct { short_channel_id, new_packet_bytes, next_hop_hmac } => {
+			let outgoing_packet = msgs::OnionPacket {
+				version: 0,
+				public_key: next_packet_pubkey_opt.unwrap_or(Err(secp256k1::Error::InvalidPublicKey)),
+				hop_data: new_packet_bytes,
+				hmac: next_hop_hmac,
+			};
+			PendingHTLCRouting::Forward {
+				onion_packet: outgoing_packet,
+				short_channel_id,
+				incoming_cltv_expiry: Some(msg.cltv_expiry),
+				blinded: intro_node_blinding_point.or(msg.blinding_point)
+					.map(|bp| BlindedForward {
+						inbound_blinding_point: bp,
+						next_blinding_override,
+						failure: intro_node_blinding_point
+							.map(|_| BlindedFailure::FromIntroductionNode)
+							.unwrap_or(BlindedFailure::FromBlindedNode),
+					}),
+			}
+		}
+		#[cfg(trampoline)]
+		RoutingInfo::Trampoline { outgoing_node_id, new_packet_bytes, next_hop_hmac, shared_secret, current_path_key } => {
+			let next_trampoline_packet_pubkey = match next_packet_pubkey_opt {
+				Some(Ok(pubkey)) => pubkey,
+				_ => return Err(InboundHTLCErr {
+					msg: "Missing next Trampoline hop pubkey from intermediate Trampoline forwarding data",
+					err_code: 0x4000 | 22,
+					err_data: Vec::new(),
+				}),
+			};
+			let outgoing_packet = msgs::TrampolineOnionPacket {
+				version: 0,
+				public_key: next_trampoline_packet_pubkey,
+				hop_data: new_packet_bytes,
+				hmac: next_hop_hmac,
+			};
+			PendingHTLCRouting::TrampolineForward {
+				incoming_shared_secret: shared_secret.secret_bytes(),
+				onion_packet: outgoing_packet,
+				node_id: outgoing_node_id,
+				incoming_cltv_expiry: msg.cltv_expiry,
+				blinded: intro_node_blinding_point.or(current_path_key)
+					.map(|bp| BlindedForward {
+						inbound_blinding_point: bp,
+						next_blinding_override,
+						failure: intro_node_blinding_point
+							.map(|_| BlindedFailure::FromIntroductionNode)
+							.unwrap_or(BlindedFailure::FromBlindedNode),
+					})
+			}
+		}
 	};
 
 	Ok(PendingHTLCInfo {
-		routing: PendingHTLCRouting::Forward {
-			onion_packet: outgoing_packet,
-			short_channel_id,
-			incoming_cltv_expiry: Some(msg.cltv_expiry),
-			blinded: intro_node_blinding_point.or(msg.blinding_point)
-				.map(|bp| BlindedForward {
-					inbound_blinding_point: bp,
-					next_blinding_override,
-					failure: intro_node_blinding_point
-						.map(|_| BlindedFailure::FromIntroductionNode)
-						.unwrap_or(BlindedFailure::FromBlindedNode),
-				}),
-		},
+		routing,
 		payment_hash: msg.payment_hash,
 		incoming_shared_secret: shared_secret,
 		incoming_amt_msat: Some(msg.amount_msat),
@@ -167,6 +270,8 @@ pub(super) fn create_recv_pending_htlc_info(
 			 sender_intended_htlc_amt_msat, cltv_expiry_height, None, Some(payment_context),
 			 intro_node_blinding_point.is_none(), true, invoice_request)
 		}
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineReceive { .. } => todo!(),
 		onion_utils::Hop::Forward { .. } => {
 			return Err(InboundHTLCErr {
 				err_code: 0x4000|22,
@@ -181,6 +286,14 @@ pub(super) fn create_recv_pending_htlc_info(
 				msg: "Got blinded non final data with an HMAC of 0",
 			})
 		},
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineForward { .. } | onion_utils::Hop::TrampolineBlindedForward { .. } => {
+			return Err(InboundHTLCErr {
+				err_code: 0x4000|22,
+				err_data: Vec::new(),
+				msg: "Got Trampoline non final data with an HMAC of 0",
+			})
+		},
 	};
 	// final_incorrect_cltv_expiry
 	if onion_cltv_expiry > cltv_expiry {
@@ -391,7 +504,7 @@ where
 		return_malformed_err!("Unknown onion packet version", 0x8000 | 0x4000 | 4);
 	}
 
-	let encode_relay_error = |message: &str, err_code: u16, shared_secret: [u8; 32], data: &[u8]| {
+	let encode_relay_error = |message: &str, err_code: u16, shared_secret: [u8; 32], trampoline_shared_secret: Option<[u8; 32]>, data: &[u8]| {
 		if msg.blinding_point.is_some() {
 			return_malformed_err!(message, INVALID_ONION_BLINDING)
 		}
@@ -401,7 +514,7 @@ where
 			channel_id: msg.channel_id,
 			htlc_id: msg.htlc_id,
 			reason: HTLCFailReason::reason(err_code, data.to_vec())
-				.get_encrypted_failure_packet(&shared_secret, &None),
+				.get_encrypted_failure_packet(&shared_secret, &trampoline_shared_secret),
 		}));
 	};
 
@@ -413,8 +526,8 @@ where
 		Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 			return_malformed_err!(err_msg, err_code);
 		},
-		Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret }) => {
-			return encode_relay_error(err_msg, err_code, shared_secret.secret_bytes(), &[0; 0]);
+		Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code, shared_secret, trampoline_shared_secret }) => {
+			return encode_relay_error(err_msg, err_code, shared_secret.secret_bytes(), trampoline_shared_secret.map(|tss| tss.secret_bytes()), &[0; 0]);
 		},
 	};
 
@@ -434,7 +547,7 @@ where
 				Ok((amt, cltv)) => (amt, cltv),
 				Err(()) => {
 					return encode_relay_error("Underflow calculating outbound amount or cltv value for blinded forward",
-						INVALID_ONION_BLINDING, shared_secret.secret_bytes(), &[0; 32]);
+						INVALID_ONION_BLINDING, shared_secret.secret_bytes(), None, &[0; 32]);
 				}
 			};
 			let next_packet_pubkey = onion_utils::next_hop_pubkey(&secp_ctx,
@@ -444,6 +557,17 @@ where
 				outgoing_cltv_value
 			})
 		}
+		#[cfg(trampoline)]
+		onion_utils::Hop::TrampolineForward { next_trampoline_hop_data: msgs::InboundTrampolineForwardPayload { amt_to_forward, outgoing_cltv_value, outgoing_node_id }, trampoline_shared_secret, incoming_trampoline_public_key, .. } => {
+			let next_trampoline_packet_pubkey = onion_utils::next_hop_pubkey(secp_ctx,
+				incoming_trampoline_public_key, &trampoline_shared_secret.secret_bytes());
+			Some(NextPacketDetails {
+				next_packet_pubkey: next_trampoline_packet_pubkey,
+				outgoing_connector: HopConnector::Trampoline(outgoing_node_id),
+				outgoing_amt_msat: amt_to_forward,
+				outgoing_cltv_value,
+			})
+		}
 		_ => None
 	};