Merge pull request #3941 from TheBlueMatt/2025-07-3917-followups

Various followups to #3917

Author: TheBlueMatt

lightning/src/blinded_path/message.rs

@@ -543,27 +543,20 @@ impl_writeable_tlv_based_enum!(MessageContext,
 	{3, DNSResolver} => (),
 );
 
-// NOTE:
-// Several TLV fields (`nonce`, `hmac`, etc.) were removed in LDK v0.2
-// following the introduction of `ReceiveAuthKey`-based authentication for
-// inbound `BlindedMessagePath`s. These fields are now commented out and
-// their `type` values must not be reused unless support for LDK v0.2
-// and earlier is fully dropped.
-//
-// For context-specific removals, see the commented-out fields within each enum variant.
+// Note: Several TLV fields (`nonce`, `hmac`, etc.) were removed in LDK v0.2 following the
+// introduction of `ReceiveAuthKey`-based authentication for inbound `BlindedMessagePath`s. Because
+// we do not support receiving to those contexts anymore (they will fail the `ReceiveAuthKey`-based
+// authentication checks), we can reuse those fields here.
 impl_writeable_tlv_based_enum!(OffersContext,
 	(0, InvoiceRequest) => {
 		(0, nonce, required),
 	},
 	(1, OutboundPayment) => {
 		(0, payment_id, required),
 		(1, nonce, required),
-		// Removed: (2, hmac, option)
 	},
 	(2, InboundPayment) => {
 		(0, payment_hash, required),
-		// Removed: (1, nonce, required),
-		// Removed: (2, hmac, required)
 	},
 	(3, StaticInvoiceRequested) => {
 		(0, recipient_id, required),
@@ -575,12 +568,8 @@ impl_writeable_tlv_based_enum!(OffersContext,
 impl_writeable_tlv_based_enum!(AsyncPaymentsContext,
 	(0, OutboundPayment) => {
 		(0, payment_id, required),
-		// Removed: (2, nonce, required),
-		// Removed: (4, hmac, required),
 	},
 	(1, InboundPayment) => {
-		// Removed: (0, nonce, required),
-		// Removed: (2, hmac, required),
 		(4, path_absolute_expiry, required),
 	},
 	(2, OfferPaths) => {

lightning/src/crypto/streams.rs

@@ -51,6 +51,10 @@ impl<'a, T: Writeable> Writeable for ChaChaPolyWriteAdapter<'a, T> {
 
 		Ok(())
 	}
+
+	fn serialized_length(&self) -> usize {
+		self.writeable.serialized_length() + 16
+	}
 }
 
 /// Encrypts the provided plaintext with the given key using ChaCha20Poly1305 in the modified
@@ -124,7 +128,10 @@ impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32])> for ChaChaDualPolyRea
 			ChaChaDualPolyReader { chacha: &mut chacha, poly: &mut mac, read_len: 0, read: s };
 
 		let readable: T = Readable::read(&mut chacha_stream)?;
-		chacha_stream.read.eat_remaining()?;
+		while chacha_stream.read.bytes_remain() {
+			let mut buf = [0; 256];
+			chacha_stream.read(&mut buf)?;
+		}
 
 		let read_len = chacha_stream.read_len;
 
@@ -199,7 +206,10 @@ impl<T: Readable> LengthReadableArgs<[u8; 32]> for ChaChaPolyReadAdapter<T> {
 		let s = FixedLengthReader::new(r, decrypted_len);
 		let mut chacha_stream = ChaChaPolyReader { chacha: &mut chacha, read: s };
 		let readable: T = Readable::read(&mut chacha_stream)?;
-		chacha_stream.read.eat_remaining()?;
+		while chacha_stream.read.bytes_remain() {
+			let mut buf = [0; 256];
+			chacha_stream.read(&mut buf)?;
+		}
 
 		let mut tag = [0 as u8; 16];
 		r.read_exact(&mut tag)?;

lightning/src/offers/flow.rs

@@ -501,13 +501,12 @@ where
 
 	/// Verifies the provided [`AsyncPaymentsContext`] for an inbound [`HeldHtlcAvailable`] message.
 	///
-	/// The context is verified using the `nonce` and `hmac` values, and ensures that the context
-	/// has not expired based on `path_absolute_expiry`.
+	/// Because blinded path contexts are verified as a part of onion message processing, this only
+	/// validates that the context is not yet expired based on `path_absolute_expiry`.
 	///
 	/// # Errors
 	///
 	/// Returns `Err(())` if:
-	/// - The HMAC verification fails for inbound context.
 	/// - The inbound payment context has expired.
 	#[cfg(async_payments)]
 	pub fn verify_inbound_async_payment_context(

lightning/src/offers/signer.rs

@@ -42,7 +42,7 @@ const WITH_ENCRYPTED_PAYMENT_ID_HMAC_INPUT: &[u8; 16] = &[4; 16];
 // `OffersContext`, but were removed in LDK v0.2 with the introduction of `ReceiveAuthKey`-based
 // authentication.
 // Their corresponding values (`[5; 16]` and `[7; 16]`) are now reserved and must not
-// be reused to preserve backward compatibility.
+// be reused to ensure type confusion attacks are impossible.
 //
 // Reserved HMAC_INPUT values — do not reuse:
 //