Introduce DummyTlvs

Adds new `Dummy` variant to `ControlTlvs`, allowing insertion
of arbitrary dummy hops before the final `ReceiveTlvs`.
This increases the length of the blinded path, making it harder
for a malicious actor to infer the position of the true final hop.

Author: shaavan

lightning/src/blinded_path/message.rs

@@ -11,6 +11,7 @@
 
 use bitcoin::secp256k1::{self, PublicKey, Secp256k1, SecretKey};
 
+use crate::offers::signer;
 #[allow(unused_imports)]
 use crate::prelude::*;
 
@@ -19,9 +20,9 @@ use crate::blinded_path::{BlindedHop, BlindedPath, Direction, IntroductionNode,
 use crate::crypto::streams::ChaChaPolyReadAdapter;
 use crate::io;
 use crate::io::Cursor;
-use crate::ln::channelmanager::PaymentId;
+use crate::ln::channelmanager::{PaymentId, Verification};
 use crate::ln::msgs::DecodeError;
-use crate::ln::onion_utils;
+use crate::ln::{inbound_payment, onion_utils};
 use crate::offers::nonce::Nonce;
 use crate::onion_message::packet::ControlTlvs;
 use crate::routing::gossip::{NodeId, ReadOnlyNetworkGraph};
@@ -258,6 +259,94 @@ pub(crate) struct ForwardTlvs {
 	pub(crate) next_blinding_override: Option<PublicKey>,
 }
 
+/// Represents a dummy TLV that can be used in a blinded path to extend the path length.
+/// The first dummy TLV is authenticated and contains an HMAC, while subsequent dummy TLVs are
+/// empty and do not contain any data. This allows for the path length to be extended without
+/// adding any additional data, while still ensuring that the path is legitimate and terminates
+/// in valid [`ReceiveTlvs`] data.
+pub(crate) enum DummyTlv {
+	/// The first dummy TLV, which contains an HMAC and is authenticated.
+	/// This TLV is used to ensure that the path is legitimate and terminates in valid
+	/// [`ReceiveTlvs`] data.
+	Primary(PrimaryDummyTlv),
+	/// Subsequent dummy TLVs, which are empty and do not contain any data.
+	/// These TLVs are used to extend the path length without adding any additional data.
+	Subsequent,
+}
+
+impl Writeable for DummyTlv {
+	fn write<W: Writer>(&self, writer: &mut W) -> Result<(), io::Error> {
+		match self {
+			DummyTlv::Primary(primary) => primary.write(writer)?,
+			DummyTlv::Subsequent => {
+				// Subsequent dummy TLVs are empty, so we don't write anything.
+				// This is to ensure that the path length can be extended without
+				// adding any additional data.
+				encode_tlv_stream!(writer, {
+					(65541, (), required), // Represents that this is a Dummy Tlv variant
+				})
+			},
+		}
+		Ok(())
+	}
+}
+
+/// Represents the first dummy TLV in a blinded path, which is authenticated and contains an HMAC.
+/// These TLV are intended for the final node.
+///
+/// ## Authentication
+/// Authentication provides an additional layer of security, ensuring that the path is legitimate
+/// and terminates in valid [`ReceiveTlvs`] data. Verification begins with the first dummy hop and
+/// continues recursively until the final [`ReceiveTlvs`] is reached.
+///
+/// This prevents an attacker from crafting a bogus blinded path consisting solely of dummy tlv
+/// without any valid payload, which could otherwise waste resources through recursive
+/// processing — a potential vector for DoS-like attacks.
+pub(crate) struct PrimaryDummyTlv {
+	/// The dummy TLV that holds the empty data for the Dummy Hop.
+	pub(crate) dummy_tlv: UnauthenticatedDummyTlv,
+	/// An HMAC of `tlvs` along with a nonce used to construct it.
+	pub(crate) authentication: (Hmac<Sha256>, Nonce),
+}
+
+impl Writeable for PrimaryDummyTlv {
+	fn write<W: Writer>(&self, writer: &mut W) -> Result<(), io::Error> {
+		encode_tlv_stream!(writer, {
+			(65539, self.authentication, required),
+			// The Some(()) represents that this is a Dummy Tlv variant
+			(65541, (), required),
+		});
+
+		Ok(())
+	}
+}
+
+/// A blank struct, representing a dummy TLV prior to authentication.
+///
+/// For more details, see [`PrimaryDummyTlv`].
+pub(crate) struct UnauthenticatedDummyTlv {}
+
+impl Writeable for UnauthenticatedDummyTlv {
+	fn write<W: Writer>(&self, _writer: &mut W) -> Result<(), io::Error> {
+		Ok(())
+	}
+}
+
+impl Verification for UnauthenticatedDummyTlv {
+	/// Constructs an HMAC to include in [`OffersContext`] for the data along with the given
+	/// [`Nonce`].
+	fn hmac_data(&self, nonce: Nonce, expanded_key: &inbound_payment::ExpandedKey) -> Hmac<Sha256> {
+		signer::hmac_for_dummy_tlv(self, nonce, expanded_key)
+	}
+
+	/// Authenticates the data using an HMAC and a [`Nonce`] taken from an [`OffersContext`].
+	fn verify_data(
+		&self, hmac: Hmac<Sha256>, nonce: Nonce, expanded_key: &inbound_payment::ExpandedKey,
+	) -> Result<(), ()> {
+		signer::verify_dummy_tlv(self, hmac, nonce, expanded_key)
+	}
+}
+
 /// Similar to [`ForwardTlvs`], but these TLVs are for the final node.
 pub(crate) struct ReceiveTlvs {
 	/// If `context` is `Some`, it is used to identify the blinded path that this onion message is

lightning/src/offers/signer.rs

@@ -9,6 +9,7 @@
 
 //! Utilities for signing offer messages and verifying metadata.
 
+use crate::blinded_path::message::UnauthenticatedDummyTlv;
 use crate::blinded_path::payment::UnauthenticatedReceiveTlvs;
 use crate::ln::channelmanager::PaymentId;
 use crate::ln::inbound_payment::{ExpandedKey, IV_LEN};
@@ -570,3 +571,26 @@ pub(crate) fn verify_held_htlc_available_context(
 		Err(())
 	}
 }
+
+pub(crate) fn hmac_for_dummy_tlv(
+	tlvs: &UnauthenticatedDummyTlv, nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Hmac<Sha256> {
+	const IV_BYTES: &[u8; IV_LEN] = b"LDK Msgs Dummies";
+	let mut hmac = expanded_key.hmac_for_offer();
+	hmac.input(IV_BYTES);
+	hmac.input(&nonce.0);
+	hmac.input(PAYMENT_TLVS_HMAC_INPUT);
+	tlvs.write(&mut hmac).unwrap();
+
+	Hmac::from_engine(hmac)
+}
+
+pub(crate) fn verify_dummy_tlv(
+	tlvs: &UnauthenticatedDummyTlv, hmac: Hmac<Sha256>, nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Result<(), ()> {
+	if hmac_for_dummy_tlv(tlvs, nonce, expanded_key) == hmac {
+		Ok(())
+	} else {
+		Err(())
+	}
+}

lightning/src/onion_message/packet.rs

@@ -17,7 +17,10 @@ use super::async_payments::AsyncPaymentsMessage;
 use super::dns_resolution::DNSResolverMessage;
 use super::messenger::CustomOnionMessageHandler;
 use super::offers::OffersMessage;
-use crate::blinded_path::message::{BlindedMessagePath, ForwardTlvs, NextMessageHop, ReceiveTlvs};
+use crate::blinded_path::message::{
+	BlindedMessagePath, DummyTlv, ForwardTlvs, NextMessageHop, PrimaryDummyTlv, ReceiveTlvs,
+	UnauthenticatedDummyTlv,
+};
 use crate::crypto::streams::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
 use crate::ln::msgs::DecodeError;
 use crate::ln::onion_utils;
@@ -111,6 +114,8 @@ impl LengthReadable for Packet {
 pub(super) enum Payload<T: OnionMessageContents> {
 	/// This payload is for an intermediate hop.
 	Forward(ForwardControlTlvs),
+	/// This payload is dummy, and is inteded to be peeled.
+	Dummy(DummyControlTlvs),
 	/// This payload is for the final hop.
 	Receive { control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
 }
@@ -204,6 +209,11 @@ pub(super) enum ForwardControlTlvs {
 	Unblinded(ForwardTlvs),
 }
 
+pub(super) enum DummyControlTlvs {
+	/// See [`ForwardControlTlvs::Unblinded`]
+	Unblinded(DummyTlv),
+}
+
 /// Receive control TLVs in their blinded and unblinded form.
 pub(super) enum ReceiveControlTlvs {
 	/// See [`ForwardControlTlvs::Blinded`].
@@ -234,6 +244,10 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
 				_encode_varint_length_prefixed_tlv!(w, { (4, write_adapter, required) })
 			},
+			Payload::Dummy(DummyControlTlvs::Unblinded(control_tlvs)) => {
+				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
+				_encode_varint_length_prefixed_tlv!(w, { (4, write_adapter, required) })
+			},
 			Payload::Receive {
 				control_tlvs: ReceiveControlTlvs::Unblinded(control_tlvs),
 				reply_path,
@@ -310,6 +324,9 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 				}
 				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
 			},
+			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Dummy(tlvs) }) => {
+				Ok(Payload::Dummy(DummyControlTlvs::Unblinded(tlvs)))
+			},
 			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Receive(tlvs) }) => {
 				Ok(Payload::Receive {
 					control_tlvs: ReceiveControlTlvs::Unblinded(tlvs),
@@ -328,6 +345,8 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 pub(crate) enum ControlTlvs {
 	/// This onion message is intended to be forwarded.
 	Forward(ForwardTlvs),
+	/// This onion message is a dummy, and is intended to be peeled.
+	Dummy(DummyTlv),
 	/// This onion message is intended to be received.
 	Receive(ReceiveTlvs),
 }
@@ -343,6 +362,8 @@ impl Readable for ControlTlvs {
 			(4, next_node_id, option),
 			(8, next_blinding_override, option),
 			(65537, context, option),
+			(65539, authentication, option),
+			(65541, dummy_tlv, option),
 		});
 
 		let next_hop = match (short_channel_id, next_node_id) {
@@ -352,18 +373,18 @@ impl Readable for ControlTlvs {
 			(None, None) => None,
 		};
 
-		let valid_fwd_fmt = next_hop.is_some();
-		let valid_recv_fmt = next_hop.is_none() && next_blinding_override.is_none();
-
-		let payload_fmt = if valid_fwd_fmt {
-			ControlTlvs::Forward(ForwardTlvs {
-				next_hop: next_hop.unwrap(),
-				next_blinding_override,
-			})
-		} else if valid_recv_fmt {
-			ControlTlvs::Receive(ReceiveTlvs { context })
-		} else {
-			return Err(DecodeError::InvalidValue);
+		let payload_fmt = match (dummy_tlv, next_hop, next_blinding_override, authentication) {
+			(None, Some(hop), _, None) => {
+				ControlTlvs::Forward(ForwardTlvs { next_hop: hop, next_blinding_override })
+			},
+			(None, None, None, None) => ControlTlvs::Receive(ReceiveTlvs { context }),
+			(Some(()), None, None, Some(auth)) => {
+				let tlv =
+					PrimaryDummyTlv { dummy_tlv: UnauthenticatedDummyTlv {}, authentication: auth };
+				ControlTlvs::Dummy(DummyTlv::Primary(tlv))
+			},
+			(Some(()), None, None, None) => ControlTlvs::Dummy(DummyTlv::Subsequent),
+			_ => return Err(DecodeError::InvalidValue),
 		};
 
 		Ok(payload_fmt)
@@ -374,6 +395,7 @@ impl Writeable for ControlTlvs {
 	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
 		match self {
 			Self::Forward(tlvs) => tlvs.write(w),
+			Self::Dummy(tlvs) => tlvs.write(w),
 			Self::Receive(tlvs) => tlvs.write(w),
 		}
 	}