Fix trampoline error packet encryption using trampoline shared secret

a-mpch · a-mpch · commit b426301bd025 · 2025-09-19T11:16:26.000-03:00
When handling HTLC failures in trampoline routing, error packets were not being properly encrypted with the trampoline shared secret. This caused error messages to be unreadable by the original sender when failures occurred within trampoline hops. The fix prioritizes trampoline_shared_secret over phantom_shared_secret when both are available, ensuring error packets can be properly decrypted by trampoline senders. Fixes the bug surfaced in test_trampoline_single_hop_receive in 39a98f5.
diff --git a/lightning/src/ln/blinded_payment_tests.rs b/lightning/src/ln/blinded_payment_tests.rs
@@ -2041,8 +2041,8 @@ fn test_trampoline_forward_payload_encoded_as_receive() {
 		let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
 			&secp_ctx, path.into_iter(), &trampoline_session_priv,
-		).unwrap()
-	};
+		)
+  };
 
 	let route = Route {
 		paths: vec![Path {
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -277,6 +277,9 @@ pub enum PendingHTLCRouting {
 		/// provide the onion shared secret used to decrypt the next level of forwarding
 		/// instructions.
 		phantom_shared_secret: Option<[u8; 32]>,
+		/// If the onion had trampoline forwarding instruction to our node.
+		/// This will provice the onion shared secret to encrypt error packets to the sender.
+		trampoline_shared_secret: Option<[u8; 32]>,
 		/// Custom TLVs which were set by the sender.
 		///
 		/// For HTLCs received by LDK, this will ultimately be exposed in
@@ -466,6 +469,13 @@ impl PendingAddHTLCInfo {
 			PendingHTLCRouting::Receive { phantom_shared_secret, .. } => phantom_shared_secret,
 			_ => None,
 		};
+		let trampoline_shared_secret = match self.forward_info.routing {
+			PendingHTLCRouting::Receive { trampoline_shared_secret, .. } => {
+				trampoline_shared_secret
+			},
+			_ => None,
+		};
+
 		HTLCPreviousHopData {
 			short_channel_id: self.prev_short_channel_id,
 			user_channel_id: Some(self.prev_user_channel_id),
@@ -475,6 +485,7 @@ impl PendingAddHTLCInfo {
 			htlc_id: self.prev_htlc_id,
 			incoming_packet_shared_secret: self.forward_info.incoming_shared_secret,
 			phantom_shared_secret,
+			trampoline_shared_secret,
 			blinded_failure: self.forward_info.routing.blinded_failure(),
 			cltv_expiry: self.forward_info.routing.incoming_cltv_expiry(),
 		}
@@ -798,6 +809,7 @@ mod fuzzy_channelmanager {
 		pub htlc_id: u64,
 		pub incoming_packet_shared_secret: [u8; 32],
 		pub phantom_shared_secret: Option<[u8; 32]>,
+		pub trampoline_shared_secret: Option<[u8; 32]>,
 		pub blinded_failure: Option<BlindedFailure>,
 		pub channel_id: ChannelId,
 
@@ -6835,14 +6847,16 @@ where
 						Some(payment_hash),
 					);
 					let mut failure_handler =
-						|msg, reason, err_data, phantom_ss, next_hop_unknown| {
+						|msg, reason, err_data, phantom_ss, trampoline_ss, next_hop_unknown| {
 							log_info!(logger, "Failed to accept/forward incoming HTLC: {}", msg);
 
 							let mut prev_hop = payment.htlc_previous_hop_data();
 							// Override the phantom shared secret because it wasn't set in the originating
 							// `PendingAddHTLCInfo` above, it was calculated below after detecting this as a
 							// phantom payment.
 							prev_hop.phantom_shared_secret = phantom_ss;
+							prev_hop.trampoline_shared_secret = trampoline_ss;
+
 							let failure_type = if next_hop_unknown {
 								HTLCHandlingFailureType::InvalidForward {
 									requested_forward_scid: short_chan_id,
@@ -6891,6 +6905,7 @@ where
 										reason,
 										sha256_of_onion.to_vec(),
 										None,
+										None,
 										false,
 									);
 									continue;
@@ -6907,6 +6922,7 @@ where
 										reason,
 										Vec::new(),
 										Some(phantom_shared_secret),
+										None,
 										false,
 									);
 									continue;
@@ -6940,6 +6956,7 @@ where
 										reason,
 										err_data,
 										Some(phantom_shared_secret),
+										None,
 										false,
 									);
 									continue;
@@ -6955,6 +6972,7 @@ where
 								LocalHTLCFailureReason::UnknownNextPeer,
 								Vec::new(),
 								None,
+								None,
 								true,
 							);
 							continue;
@@ -6967,6 +6985,7 @@ where
 							LocalHTLCFailureReason::UnknownNextPeer,
 							Vec::new(),
 							None,
+							None,
 							true,
 						);
 						continue;
@@ -7044,6 +7063,7 @@ where
 							panic!("short_channel_id != 0 should imply any pending_forward entries are of type Forward");
 						},
 					};
+
 					let next_blinding_point = blinded.and_then(|b| {
 						b.next_blinding_override.or_else(|| {
 							let encrypted_tlvs_ss = self
@@ -7276,13 +7296,15 @@ where
 						mut onion_fields,
 						has_recipient_created_payment_secret,
 						invoice_request_opt,
+						trampoline_shared_secret,
 					) = match routing {
 						PendingHTLCRouting::Receive {
 							payment_data,
 							payment_metadata,
 							payment_context,
 							incoming_cltv_expiry,
 							phantom_shared_secret,
+							trampoline_shared_secret,
 							custom_tlvs,
 							requires_blinded_error: _,
 						} => {
@@ -7301,6 +7323,7 @@ where
 								onion_fields,
 								true,
 								None,
+								trampoline_shared_secret,
 							)
 						},
 						PendingHTLCRouting::ReceiveKeysend {
@@ -7330,6 +7353,7 @@ where
 								onion_fields,
 								has_recipient_created_payment_secret,
 								invoice_request,
+								None,
 							)
 						},
 						_ => {
@@ -7377,6 +7401,7 @@ where
 									htlc_id: $htlc.prev_hop.htlc_id,
 									incoming_packet_shared_secret,
 									phantom_shared_secret,
+									trampoline_shared_secret,
 									blinded_failure,
 									cltv_expiry: Some(cltv_expiry),
 								}),
@@ -8176,6 +8201,7 @@ where
 				ref htlc_id,
 				ref incoming_packet_shared_secret,
 				ref phantom_shared_secret,
+				ref trampoline_shared_secret,
 				outpoint: _,
 				ref blinded_failure,
 				ref channel_id,
@@ -8188,6 +8214,7 @@ where
 					&payment_hash,
 					onion_error
 				);
+				let secondary_shared_secret = trampoline_shared_secret.or(*phantom_shared_secret);
 				let failure = match blinded_failure {
 					Some(BlindedFailure::FromIntroductionNode) => {
 						let blinded_onion_error = HTLCFailReason::reason(
@@ -8196,7 +8223,7 @@ where
 						);
 						let err_packet = blinded_onion_error.get_encrypted_failure_packet(
 							incoming_packet_shared_secret,
-							phantom_shared_secret,
+							&secondary_shared_secret,
 						);
 						HTLCForwardInfo::FailHTLC { htlc_id: *htlc_id, err_packet }
 					},
@@ -8208,7 +8235,7 @@ where
 					None => {
 						let err_packet = onion_error.get_encrypted_failure_packet(
 							incoming_packet_shared_secret,
-							phantom_shared_secret,
+							&secondary_shared_secret,
 						);
 						HTLCForwardInfo::FailHTLC { htlc_id: *htlc_id, err_packet }
 					},
@@ -8470,7 +8497,8 @@ where
 		ComplFunc: FnOnce(
 			Option<u64>,
 			bool,
-		) -> (Option<MonitorUpdateCompletionAction>, Option<RAAMonitorUpdateBlockingAction>),
+		)
+			-> (Option<MonitorUpdateCompletionAction>, Option<RAAMonitorUpdateBlockingAction>),
 	>(
 		&self, prev_hop: HTLCPreviousHopData, payment_preimage: PaymentPreimage,
 		payment_info: Option<PaymentClaimDetails>, attribution_data: Option<AttributionData>,
@@ -8508,7 +8536,8 @@ where
 		ComplFunc: FnOnce(
 			Option<u64>,
 			bool,
-		) -> (Option<MonitorUpdateCompletionAction>, Option<RAAMonitorUpdateBlockingAction>),
+		)
+			-> (Option<MonitorUpdateCompletionAction>, Option<RAAMonitorUpdateBlockingAction>),
 	>(
 		&self, prev_hop: HTLCClaimSource, payment_preimage: PaymentPreimage,
 		payment_info: Option<PaymentClaimDetails>, attribution_data: Option<AttributionData>,
@@ -15173,6 +15202,7 @@ impl_writeable_tlv_based_enum!(PendingHTLCRouting,
 		(5, custom_tlvs, optional_vec),
 		(7, requires_blinded_error, (default_value, false)),
 		(9, payment_context, option),
+		(11, trampoline_shared_secret, option),
 	},
 	(2, ReceiveKeysend) => {
 		(0, payment_preimage, required),
@@ -15301,6 +15331,7 @@ impl_writeable_tlv_based!(HTLCPreviousHopData, {
 	// filled in, so we can safely unwrap it here.
 	(9, channel_id, (default_value, ChannelId::v1_from_funding_outpoint(outpoint.0.unwrap()))),
 	(11, counterparty_node_id, option),
+	(13, trampoline_shared_secret, option),
 });
 
 impl Writeable for ClaimableHTLC {
diff --git a/lightning/src/ln/onion_payment.rs b/lightning/src/ln/onion_payment.rs
@@ -253,14 +253,14 @@ pub(super) fn create_recv_pending_htlc_info(
 	let (
 		payment_data, keysend_preimage, custom_tlvs, onion_amt_msat, onion_cltv_expiry,
 		payment_metadata, payment_context, requires_blinded_error, has_recipient_created_payment_secret,
-		invoice_request
+		invoice_request, trampoline_shared_secret,
 	) = match hop_data {
 		onion_utils::Hop::Receive { hop_data: msgs::InboundOnionReceivePayload {
 			payment_data, keysend_preimage, custom_tlvs, sender_intended_htlc_amt_msat,
 			cltv_expiry_height, payment_metadata, ..
 		}, .. } =>
 			(payment_data, keysend_preimage, custom_tlvs, sender_intended_htlc_amt_msat,
-			 cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none(), None),
+			 cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none(), None, None),
 		onion_utils::Hop::BlindedReceive { hop_data: msgs::InboundOnionBlindedReceivePayload {
 			sender_intended_htlc_amt_msat, total_msat, cltv_expiry_height, payment_secret,
 			intro_node_blinding_point, payment_constraints, payment_context, keysend_preimage,
@@ -279,7 +279,7 @@ pub(super) fn create_recv_pending_htlc_info(
 			let payment_data = msgs::FinalOnionHopData { payment_secret, total_msat };
 			(Some(payment_data), keysend_preimage, custom_tlvs,
 			 sender_intended_htlc_amt_msat, cltv_expiry_height, None, Some(payment_context),
-			 intro_node_blinding_point.is_none(), true, invoice_request)
+			 intro_node_blinding_point.is_none(), true, invoice_request, None)
 		}
 		onion_utils::Hop::TrampolineReceive {
 			trampoline_hop_data: msgs::InboundOnionReceivePayload {
@@ -288,8 +288,9 @@ pub(super) fn create_recv_pending_htlc_info(
 			}, ..
 		} =>
 			(payment_data, keysend_preimage, custom_tlvs, sender_intended_htlc_amt_msat,
-				cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none(), None),
+				cltv_expiry_height, payment_metadata, None, false, keysend_preimage.is_none(), None, None),
 		onion_utils::Hop::TrampolineBlindedReceive {
+			trampoline_shared_secret,
 			trampoline_hop_data: msgs::InboundOnionBlindedReceivePayload {
 				sender_intended_htlc_amt_msat, total_msat, cltv_expiry_height, payment_secret,
 				intro_node_blinding_point, payment_constraints, payment_context, keysend_preimage,
@@ -309,7 +310,7 @@ pub(super) fn create_recv_pending_htlc_info(
 			let payment_data = msgs::FinalOnionHopData { payment_secret, total_msat };
 			(Some(payment_data), keysend_preimage, custom_tlvs,
 				sender_intended_htlc_amt_msat, cltv_expiry_height, None, Some(payment_context),
-				intro_node_blinding_point.is_none(), true, invoice_request)
+				intro_node_blinding_point.is_none(), true, invoice_request, Some(trampoline_shared_secret.secret_bytes()))
 		},
 		onion_utils::Hop::Forward { .. } => {
 			return Err(InboundHTLCErr {
@@ -398,6 +399,7 @@ pub(super) fn create_recv_pending_htlc_info(
 			payment_context,
 			incoming_cltv_expiry: onion_cltv_expiry,
 			phantom_shared_secret,
+			trampoline_shared_secret,
 			custom_tlvs,
 			requires_blinded_error,
 		}
