Decrypt Trampoline onions [expound]

Author: arik-so

lightning/src/ln/channelmanager.rs

@@ -4453,6 +4453,9 @@ where
 					Err(InboundHTLCErr { err_code, err_data, msg }) => return_err!(msg, err_code, &err_data)
 				}
 			},
+			onion_utils::Hop::TrampolineForward { outer_hop_data, next_trampoline_hop_hmac, new_trampoline_packet_bytes, .. } => {
+				todo!()
+			},
 			onion_utils::Hop::Forward { next_hop_data, next_hop_hmac, new_packet_bytes, .. } => {
 				match create_fwd_pending_htlc_info(msg, msgs::InboundOnionPayload::Forward(next_hop_data), next_hop_hmac,
 					new_packet_bytes, shared_secret, next_packet_pubkey_opt) {

lightning/src/ln/msgs.rs

@@ -1800,7 +1800,7 @@ mod fuzzy_internal_msgs {
 
 	#[allow(unused_imports)]
 	use crate::prelude::*;
-
+	use crate::routing::gossip::NodeId;
 	// These types aren't intended to be pub, but are exposed for direct fuzzing (as we deserialize
 	// them from untrusted input):
 
@@ -1811,6 +1811,13 @@ mod fuzzy_internal_msgs {
 		pub outgoing_cltv_value: u32,
 	}
 
+	pub struct InboundTrampolineForwardPayload {
+		pub next_node_id: NodeId,
+		/// The value, in msat, of the payment after this hop's fee is deducted.
+		pub amt_to_forward: u64,
+		pub outgoing_cltv_value: u32,
+	}
+
 	pub struct InboundTrampolineEntrypointPayload {
 		pub amt_to_forward: u64,
 		pub outgoing_cltv_value: u32,
@@ -1853,6 +1860,9 @@ mod fuzzy_internal_msgs {
 		Receive(InboundOnionReceivePayload),
 		BlindedForward(InboundOnionBlindedForwardPayload),
 		BlindedReceive(InboundOnionBlindedReceivePayload),
+
+		// these are inner Trampoline onions that should not be applicable outside
+		TrampolineForward(InboundTrampolineForwardPayload)
 	}
 
 	pub(crate) enum OutboundOnionPayload<'a> {

lightning/src/ln/onion_payment.rs

@@ -105,6 +105,14 @@ pub(super) fn create_fwd_pending_htlc_info(
 			}),
 		msgs::InboundOnionPayload::TrampolineEntrypoint { .. } => {
 			todo!()
+		},
+		msgs::InboundOnionPayload::TrampolineForward(_) => {
+			// we should never be receiving inner onion packets here
+			return Err(InboundHTLCErr {
+				msg: "Trampoline OnionHopData provided for us as an outer onion",
+				err_code: 0x4000 | 22,
+				err_data: Vec::new(),
+			})
 		}
 	};
 
@@ -181,6 +189,13 @@ pub(super) fn create_recv_pending_htlc_info(
 				msg: "Got blinded non final data with an HMAC of 0",
 			})
 		},
+		onion_utils::Hop::TrampolineForward { .. } => {
+			return Err(InboundHTLCErr {
+				err_code: 0x4000|22,
+				err_data: Vec::new(),
+				msg: "Got non-final Trampoline data with an HMAC of 0",
+			})
+		},
 	};
 	// final_incorrect_cltv_expiry
 	if onion_cltv_expiry > cltv_expiry {

lightning/src/ln/onion_utils.rs

@@ -34,7 +34,7 @@ use bitcoin::secp256k1::{PublicKey, Scalar, Secp256k1, SecretKey};
 
 use crate::io::{Cursor, Read};
 use core::ops::Deref;
-
+use crate::ln::msgs::InboundOnionPayload;
 #[allow(unused_imports)]
 use crate::prelude::*;
 
@@ -1426,6 +1426,16 @@ pub(crate) enum Hop {
 		/// Bytes of the onion packet we're forwarding.
 		new_packet_bytes: [u8; ONION_DATA_LEN],
 	},
+	/// This onion was received via Trampoline, and needs to be forwarded to a subsequent Trampoline
+	/// node.
+	TrampolineForward {
+		outer_hop_data: msgs::InboundTrampolineEntrypointPayload,
+		outer_shared_secret: SharedSecret,
+		next_trampoline_hop_data: msgs::InboundTrampolineForwardPayload,
+		trampoline_shared_secret: SharedSecret,
+		next_trampoline_hop_hmac: [u8; 32],
+		new_trampoline_packet_bytes: Vec<u8>
+	},
 	/// This onion payload needs to be forwarded to a next-hop.
 	BlindedForward {
 		/// Onion payload data used in forwarding the payment.
@@ -1473,6 +1483,7 @@ impl Hop {
 		match self {
 			Hop::Forward { shared_secret, .. } => shared_secret,
 			Hop::BlindedForward { shared_secret, .. } => shared_secret,
+			Hop::TrampolineForward { outer_shared_secret, .. } => outer_shared_secret,
 			Hop::Receive { shared_secret, .. } => shared_secret,
 			Hop::BlindedReceive { shared_secret, .. } => shared_secret,
 		}
@@ -1509,7 +1520,7 @@ where
 		hop_data,
 		hmac_bytes,
 		Some(payment_hash),
-		(blinding_point, node_signer),
+		(blinding_point, &(*node_signer)),
 	);
 	match decoded_hop {
 		Ok((next_hop_data, Some((next_hop_hmac, FixedSizeOnionPacket(new_packet_bytes))))) => {
@@ -1551,6 +1562,46 @@ where
 			msgs::InboundOnionPayload::BlindedReceive(hop_data) => {
 				Ok(Hop::BlindedReceive { shared_secret, hop_data })
 			},
+			msgs::InboundOnionPayload::TrampolineEntrypoint(hop_data) => {
+				let trampoline_shared_secret = node_signer.ecdh(
+					recipient, &hop_data.trampoline_packet.public_key, blinded_node_id_tweak.as_ref(),
+				).unwrap().secret_bytes();
+				let decoded_trampoline_hop: Result<(msgs::InboundOnionPayload, Option<([u8; 32], Vec<u8>)>), _> = decode_next_hop(
+					trampoline_shared_secret,
+					&hop_data.trampoline_packet.hop_data,
+					hop_data.trampoline_packet.hmac,
+					Some(payment_hash),
+					(blinding_point, node_signer),
+				);
+				match decoded_trampoline_hop {
+					Ok((next_trampoline_hop_data, Some((next_trampoline_hop_hmac, new_trampoline_packet_bytes)))) => {
+						match next_trampoline_hop_data {
+							InboundOnionPayload::TrampolineForward(trampoline_hop_data) => {
+								Ok(Hop::TrampolineForward {
+									outer_hop_data: hop_data,
+									outer_shared_secret: shared_secret,
+									next_trampoline_hop_data: trampoline_hop_data,
+									trampoline_shared_secret: SharedSecret::from_bytes(trampoline_shared_secret),
+									next_trampoline_hop_hmac,
+									new_trampoline_packet_bytes,
+								})
+							}
+							_ => Err(OnionDecodeErr::Malformed {
+								err_msg: "Non-Trampoline onion data provided to us as inner onion",
+								// todo: find more suitable error code
+								err_code: 0x4000 | 22,
+							})
+						}
+					}
+					Ok((_next_trampoline_hop_data, None)) => {
+						// this is a trampoline receive
+						todo!()
+					},
+					Err(e) => {
+						Err(e)
+					}
+				}
+			},
 			_ => {
 				if blinding_point.is_some() {
 					return Err(OnionDecodeErr::Malformed {