Prepare to auth blinded path contexts with a secret AAD in the MAC

When we receive an onion message, we often want to make sure it was
sent through a blinded path we constructed. This protects us from
various deanonymization attacks where someone can send a message to
every node on the network until they find us, effectively
unwrapping the blinded path and identifying its recipient.

We generally do so by adding authentication tags to our
`MessageContext` variants. Because the contexts themselves are
encrypted (and MAC'd) to us, we only have to ensure that they
cannot be forged, which is trivially accomplished with a simple
nonce and a MAC covering it.

This logic has ended up being repeated in nearly all of our onion
message handlers, and has gotten quite repetitive.

Instead, here, we simply authenticate the blinded path contexts
using the MAC that's already there, but tweaking it with an
additional secret as the AAD in Poly1305. This prevents forgery as
the secret is now required to make the MAC check pass.

Ultimately this means that no one can ever build a blinded path
which terminates at an LDK node that we'll accept, but over time
we've come to recognize this as a useful property, rather than
something to fight. Here we finally break from the spec fully in
our context encryption (not just the contents thereof).

This will save a bit of space in some of our `MessageContext`s,
though sadly not in the blinded path we include in `Bolt12Offer`s,
so they're generally not in space-sensitive blinded paths.

We can apply the same logic in our blinded payment paths as well,
but we do not do so here.

This commit only adds the required changes to the cryptography, for
now it uses a constant key of `[41; 32]`.

Co-authored-by: Shashwat Vangani <[email protected]>

Author: 2 people

lightning/src/blinded_path/message.rs

@@ -26,7 +26,7 @@ use crate::offers::nonce::Nonce;
 use crate::offers::offer::OfferId;
 use crate::onion_message::packet::ControlTlvs;
 use crate::routing::gossip::{NodeId, ReadOnlyNetworkGraph};
-use crate::sign::{EntropySource, NodeSigner, Recipient};
+use crate::sign::{EntropySource, NodeSigner, ReceiveAuthKey, Recipient};
 use crate::types::payment::PaymentHash;
 use crate::util::scid_utils;
 use crate::util::ser::{FixedLengthReader, LengthReadableArgs, Readable, Writeable, Writer};
@@ -94,6 +94,7 @@ impl BlindedMessagePath {
 				recipient_node_id,
 				context,
 				&blinding_secret,
+				ReceiveAuthKey([41; 32]), // TODO: Pass this in
 			)
 			.map_err(|_| ())?,
 		}))
@@ -661,18 +662,19 @@ pub(crate) const MESSAGE_PADDING_ROUND_OFF: usize = 100;
 pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
 	recipient_node_id: PublicKey, context: MessageContext, session_priv: &SecretKey,
+	local_node_receive_key: ReceiveAuthKey,
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
 	let pks = intermediate_nodes
 		.iter()
-		.map(|node| node.node_id)
-		.chain(core::iter::once(recipient_node_id));
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((recipient_node_id, Some(local_node_receive_key))));
 	let is_compact = intermediate_nodes.iter().any(|node| node.short_channel_id.is_some());
 
 	let tlvs = pks
 		.clone()
 		.skip(1) // The first node's TLVs contains the next node's pubkey
 		.zip(intermediate_nodes.iter().map(|node| node.short_channel_id))
-		.map(|(pubkey, scid)| match scid {
+		.map(|((pubkey, _), scid)| match scid {
 			Some(scid) => NextMessageHop::ShortChannelId(scid),
 			None => NextMessageHop::NodeId(pubkey),
 		})

lightning/src/blinded_path/payment.rs

@@ -664,8 +664,10 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[PaymentForwardNode], payee_node_id: PublicKey,
 	payee_tlvs: ReceiveTlvs, session_priv: &SecretKey,
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
-	let pks =
-		intermediate_nodes.iter().map(|node| node.node_id).chain(core::iter::once(payee_node_id));
+	let pks = intermediate_nodes
+		.iter()
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((payee_node_id, None)));
 	let tlvs = intermediate_nodes
 		.iter()
 		.map(|node| BlindedPaymentTlvsRef::Forward(&node.tlvs))

lightning/src/blinded_path/utils.rs

@@ -17,10 +17,11 @@ use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1, SecretKey};
 
 use super::message::BlindedMessagePath;
 use super::{BlindedHop, BlindedPath};
-use crate::crypto::streams::ChaChaPolyWriteAdapter;
+use crate::crypto::streams::{chachapoly_encrypt_with_swapped_aad, ChaChaPolyWriteAdapter};
 use crate::io;
 use crate::ln::onion_utils;
 use crate::onion_message::messenger::Destination;
+use crate::sign::ReceiveAuthKey;
 use crate::util::ser::{Writeable, Writer};
 
 use core::borrow::Borrow;
@@ -105,7 +106,6 @@ macro_rules! build_keys_helper {
 	};
 }
 
-#[inline]
 pub(crate) fn construct_keys_for_onion_message<'a, T, I, F>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, destination: Destination, session_priv: &SecretKey,
 	mut callback: F,
@@ -137,8 +137,7 @@ where
 	Ok(())
 }
 
-#[inline]
-pub(super) fn construct_keys_for_blinded_path<'a, T, I, F, H>(
+fn construct_keys_for_blinded_path<'a, T, I, F, H>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey, mut callback: F,
 ) -> Result<(), secp256k1::Error>
 where
@@ -157,6 +156,7 @@ where
 
 struct PublicKeyWithTlvs<W: Writeable> {
 	pubkey: PublicKey,
+	hop_recv_key: Option<ReceiveAuthKey>,
 	tlvs: W,
 }
 
@@ -171,20 +171,26 @@ pub(crate) fn construct_blinded_hops<'a, T, I, W>(
 ) -> Result<Vec<BlindedHop>, secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
-	I: Iterator<Item = (PublicKey, W)>,
+	I: Iterator<Item = ((PublicKey, Option<ReceiveAuthKey>), W)>,
 	W: Writeable,
 {
 	let mut blinded_hops = Vec::with_capacity(unblinded_path.size_hint().0);
 	construct_keys_for_blinded_path(
 		secp_ctx,
-		unblinded_path.map(|(pubkey, tlvs)| PublicKeyWithTlvs { pubkey, tlvs }),
+		unblinded_path.map(|((pubkey, hop_recv_key), tlvs)| PublicKeyWithTlvs {
+			pubkey,
+			hop_recv_key,
+			tlvs,
+		}),
 		session_priv,
 		|blinded_node_id, _, _, encrypted_payload_rho, unblinded_hop_data, _| {
+			let hop_data = unblinded_hop_data.unwrap();
 			blinded_hops.push(BlindedHop {
 				blinded_node_id,
 				encrypted_payload: encrypt_payload(
-					unblinded_hop_data.unwrap().tlvs,
+					hop_data.tlvs,
 					encrypted_payload_rho,
+					hop_data.hop_recv_key,
 				),
 			});
 		},
@@ -193,9 +199,15 @@ where
 }
 
 /// Encrypt TLV payload to be used as a [`crate::blinded_path::BlindedHop::encrypted_payload`].
-fn encrypt_payload<P: Writeable>(payload: P, encrypted_tlvs_rho: [u8; 32]) -> Vec<u8> {
-	let write_adapter = ChaChaPolyWriteAdapter::new(encrypted_tlvs_rho, &payload);
-	write_adapter.encode()
+fn encrypt_payload<P: Writeable>(
+	payload: P, encrypted_tlvs_rho: [u8; 32], hop_recv_key: Option<ReceiveAuthKey>,
+) -> Vec<u8> {
+	if let Some(hop_recv_key) = hop_recv_key {
+		chachapoly_encrypt_with_swapped_aad(payload.encode(), encrypted_tlvs_rho, hop_recv_key.0)
+	} else {
+		let write_adapter = ChaChaPolyWriteAdapter::new(encrypted_tlvs_rho, &payload);
+		write_adapter.encode()
+	}
 }
 
 /// A data structure used exclusively to pad blinded path payloads, ensuring they are of

lightning/src/ln/blinded_payment_tests.rs

@@ -1556,17 +1556,23 @@ fn route_blinding_spec_test_vector() {
 	let blinding_override = PublicKey::from_secret_key(&secp_ctx, &dave_eve_session_priv);
 	assert_eq!(blinding_override, pubkey_from_hex("031b84c5567b126440995d3ed5aaba0565d71e1834604819ff9c17f5e9d5dd078f"));
 	// Can't use the public API here as the encrypted payloads contain unknown TLVs.
-	let path = [(dave_node_id, WithoutLength(&dave_unblinded_tlvs)), (eve_node_id, WithoutLength(&eve_unblinded_tlvs))];
+	let path = [
+		((dave_node_id, None), WithoutLength(&dave_unblinded_tlvs)),
+		((eve_node_id, None), WithoutLength(&eve_unblinded_tlvs)),
+	];
 	let mut dave_eve_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &dave_eve_session_priv
+		&secp_ctx, path.into_iter(), &dave_eve_session_priv,
 	).unwrap();
 
 	// Concatenate an additional Bob -> Carol blinded path to the Eve -> Dave blinded path.
 	let bob_carol_session_priv = secret_from_hex("0202020202020202020202020202020202020202020202020202020202020202");
 	let bob_blinding_point = PublicKey::from_secret_key(&secp_ctx, &bob_carol_session_priv);
-	let path = [(bob_node_id, WithoutLength(&bob_unblinded_tlvs)), (carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+	let path = [
+		((bob_node_id, None), WithoutLength(&bob_unblinded_tlvs)),
+		((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs)),
+	];
 	let bob_carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &bob_carol_session_priv
+		&secp_ctx, path.into_iter(), &bob_carol_session_priv,
 	).unwrap();
 
 	let mut blinded_hops = bob_carol_blinded_hops;
@@ -2026,9 +2032,9 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 		let payee_tlvs = payee_tlvs.authenticate(nonce, &expanded_key);
 		let carol_unblinded_tlvs = payee_tlvs.encode();
 
-		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+		let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 		).unwrap()
 	} else {
 		let payee_tlvs = blinded_path::payment::TrampolineForwardTlvs {
@@ -2047,9 +2053,9 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 		};
 
 		let carol_unblinded_tlvs = payee_tlvs.encode();
-		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+		let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 		).unwrap()
 	};
 
@@ -2249,11 +2255,11 @@ fn test_trampoline_unblinded_receive() {
 	};
 
 	let carol_unblinded_tlvs = payee_tlvs.encode();
-	let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+	let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 	let carol_alice_trampoline_session_priv = secret_from_hex("a0f4b8d7b6c2d0ffdfaf718f76e9decaef4d9fb38a8c4addb95c4007cc3eee03");
 	let carol_blinding_point = PublicKey::from_secret_key(&secp_ctx, &carol_alice_trampoline_session_priv);
 	let carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 	).unwrap();
 
 	let route = Route {

lightning/src/onion_message/messenger.rs

@@ -40,7 +40,7 @@ use crate::ln::msgs::{
 };
 use crate::ln::onion_utils;
 use crate::routing::gossip::{NetworkGraph, NodeId, ReadOnlyNetworkGraph};
-use crate::sign::{EntropySource, NodeSigner, Recipient};
+use crate::sign::{EntropySource, NodeSigner, ReceiveAuthKey, Recipient};
 use crate::types::features::{InitFeatures, NodeFeatures};
 use crate::util::async_poll::{MultiResultFuturePoller, ResultFuture};
 use crate::util::logger::{Logger, WithContext};
@@ -1074,22 +1074,39 @@ where
 			},
 		}
 	};
+	let receiving_context_auth_key = ReceiveAuthKey([41; 32]); // TODO: pass this in
 	let next_hop = onion_utils::decode_next_untagged_hop(
 		onion_decode_ss,
 		&msg.onion_routing_packet.hop_data[..],
 		msg.onion_routing_packet.hmac,
-		(control_tlvs_ss, custom_handler.deref(), logger.deref()),
+		(control_tlvs_ss, custom_handler.deref(), receiving_context_auth_key, logger.deref()),
 	);
 	match next_hop {
 		Ok((
 			Payload::Receive {
 				message,
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context }),
 				reply_path,
+				control_tlvs_authenticated,
 			},
 			None,
 		)) => match (message, context) {
 			(ParsedOnionMessageContents::Offers(msg), Some(MessageContext::Offers(ctx))) => {
+				match ctx {
+					OffersContext::InvoiceRequest { .. } => {
+						// Note: We introduced the `control_tlvs_authenticated` check in LDK v0.2
+						// to simplify and standardize onion message authentication.
+						// To continue supporting offers created before v0.2, we allow
+						// unauthenticated control TLVs for these messages, as they can be
+						// verified using the legacy method.
+					},
+					_ => {
+						if !control_tlvs_authenticated {
+							log_trace!(logger, "Received an unauthenticated offers onion message");
+							return Err(());
+						}
+					},
+				}
 				Ok(PeeledOnion::Offers(msg, Some(ctx), reply_path))
 			},
 			(ParsedOnionMessageContents::Offers(msg), None) => {
@@ -1099,8 +1116,18 @@ where
 			(
 				ParsedOnionMessageContents::AsyncPayments(msg),
 				Some(MessageContext::AsyncPayments(ctx)),
-			) => Ok(PeeledOnion::AsyncPayments(msg, ctx, reply_path)),
+			) => {
+				if !control_tlvs_authenticated {
+					log_trace!(logger, "Received an unauthenticated async payments onion message");
+					return Err(());
+				}
+				Ok(PeeledOnion::AsyncPayments(msg, ctx, reply_path))
+			},
 			(ParsedOnionMessageContents::Custom(msg), Some(MessageContext::Custom(ctx))) => {
+				if !control_tlvs_authenticated {
+					log_trace!(logger, "Received an unauthenticated custom onion message");
+					return Err(());
+				}
 				Ok(PeeledOnion::Custom(msg, Some(ctx), reply_path))
 			},
 			(ParsedOnionMessageContents::Custom(msg), None) => {
@@ -1109,7 +1136,13 @@ where
 			(
 				ParsedOnionMessageContents::DNSResolver(msg),
 				Some(MessageContext::DNSResolver(ctx)),
-			) => Ok(PeeledOnion::DNSResolver(msg, Some(ctx), reply_path)),
+			) => {
+				if !control_tlvs_authenticated {
+					log_trace!(logger, "Received an unauthenticated DNS resolver onion message");
+					return Err(());
+				}
+				Ok(PeeledOnion::DNSResolver(msg, Some(ctx), reply_path))
+			},
 			(ParsedOnionMessageContents::DNSResolver(msg), None) => {
 				Ok(PeeledOnion::DNSResolver(msg, None, reply_path))
 			},
@@ -2334,7 +2367,12 @@ fn packet_payloads_and_keys<
 
 	if let Some(control_tlvs) = final_control_tlvs {
 		payloads.push((
-			Payload::Receive { control_tlvs, reply_path: reply_path.take(), message },
+			Payload::Receive {
+				control_tlvs,
+				reply_path: reply_path.take(),
+				message,
+				control_tlvs_authenticated: false,
+			},
 			prev_control_tlvs_ss.unwrap(),
 		));
 	} else {
@@ -2343,6 +2381,7 @@ fn packet_payloads_and_keys<
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context: None }),
 				reply_path: reply_path.take(),
 				message,
+				control_tlvs_authenticated: false,
 			},
 			prev_control_tlvs_ss.unwrap(),
 		));