Decrypt inbound Trampoline packets

Author: arik-so

lightning/src/ln/msgs.rs

@@ -1812,6 +1812,36 @@ mod fuzzy_internal_msgs {
 		}
 	}
 
+	#[allow(unused)]
+	pub enum InboundTrampolinePayload {
+		Forward {
+			/// The value, in msat, of the payment after this hop's fee is deducted.
+			amt_to_forward: u64,
+			outgoing_cltv_value: u32,
+			/// The node id to which the trampoline node must find a route.
+			outgoing_node_id: PublicKey,
+		},
+		BlindedForward {
+			short_channel_id: u64,
+			payment_relay: PaymentRelay,
+			payment_constraints: PaymentConstraints,
+			features: BlindedHopFeatures,
+			intro_node_blinding_point: Option<PublicKey>,
+			next_blinding_override: Option<PublicKey>,
+		},
+		BlindedReceive {
+			sender_intended_htlc_amt_msat: u64,
+			total_msat: u64,
+			cltv_expiry_height: u32,
+			payment_secret: PaymentSecret,
+			payment_constraints: PaymentConstraints,
+			payment_context: PaymentContext,
+			intro_node_blinding_point: Option<PublicKey>,
+			keysend_preimage: Option<PaymentPreimage>,
+			custom_tlvs: Vec<(u64, Vec<u8>)>,
+		}
+	}
+
 	pub(crate) enum OutboundOnionPayload<'a> {
 		Forward {
 			short_channel_id: u64,
@@ -2990,6 +3020,114 @@ impl<NS: Deref> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPayload wh
 	}
 }
 
+impl<NS: Deref> ReadableArgs<(Option<PublicKey>, NS)> for InboundTrampolinePayload where NS::Target: NodeSigner {
+	fn read<R: Read>(r: &mut R, args: (Option<PublicKey>, NS)) -> Result<Self, DecodeError> {
+		let (update_add_blinding_point, node_signer) = args;
+
+		let mut amt = None;
+		let mut cltv_value = None;
+		let mut payment_data: Option<FinalOnionHopData> = None;
+		let mut encrypted_tlvs_opt: Option<WithoutLength<Vec<u8>>> = None;
+		let mut intro_node_blinding_point = None;
+		let mut outgoing_node_id: Option<PublicKey> = None;
+		let mut total_msat = None;
+		let mut keysend_preimage: Option<PaymentPreimage> = None;
+		let mut custom_tlvs = Vec::new();
+
+		let tlv_len = <BigSize as Readable>::read(r)?;
+		let mut rd = FixedLengthReader::new(r, tlv_len.0);
+		decode_tlv_stream_with_custom_tlv_decode!(&mut rd, {
+			(2, amt, (option, encoding: (u64, HighZeroBytesDroppedBigSize))),
+			(4, cltv_value, (option, encoding: (u32, HighZeroBytesDroppedBigSize))),
+			(8, payment_data, option),
+			(10, encrypted_tlvs_opt, option),
+			(12, intro_node_blinding_point, option),
+			(14, outgoing_node_id, option),
+			(18, total_msat, (option, encoding: (u64, HighZeroBytesDroppedBigSize))),
+			// See https://github.com/lightning/blips/blob/master/blip-0003.md
+			(5482373484, keysend_preimage, option)
+		}, |msg_type: u64, msg_reader: &mut FixedLengthReader<_>| -> Result<bool, DecodeError> {
+			if msg_type < 1 << 16 { return Ok(false) }
+			let mut value = Vec::new();
+			msg_reader.read_to_limit(&mut value, u64::MAX)?;
+			custom_tlvs.push((msg_type, value));
+			Ok(true)
+		});
+
+		if amt.unwrap_or(0) > MAX_VALUE_MSAT { return Err(DecodeError::InvalidValue) }
+		if intro_node_blinding_point.is_some() && update_add_blinding_point.is_some() {
+			return Err(DecodeError::InvalidValue)
+		}
+
+		if let Some(blinding_point) = intro_node_blinding_point.or(update_add_blinding_point) {
+			if payment_data.is_some() {
+				return Err(DecodeError::InvalidValue)
+			}
+			let enc_tlvs = encrypted_tlvs_opt.ok_or(DecodeError::InvalidValue)?.0;
+			let enc_tlvs_ss = node_signer.ecdh(Recipient::Node, &blinding_point, None)
+				.map_err(|_| DecodeError::InvalidValue)?;
+			let rho = onion_utils::gen_rho_from_shared_secret(&enc_tlvs_ss.secret_bytes());
+			let mut s = Cursor::new(&enc_tlvs);
+			let mut reader = FixedLengthReader::new(&mut s, enc_tlvs.len() as u64);
+			match ChaChaPolyReadAdapter::read(&mut reader, rho)? {
+				ChaChaPolyReadAdapter { readable: BlindedPaymentTlvs::Forward(ForwardTlvs {
+				short_channel_id, payment_relay, payment_constraints, features, next_blinding_override
+																			  })} => {
+					if amt.is_some() || cltv_value.is_some() || total_msat.is_some() ||
+						keysend_preimage.is_some()
+					{
+						return Err(DecodeError::InvalidValue)
+					}
+					Ok(Self::BlindedForward {
+						short_channel_id,
+						payment_relay,
+						payment_constraints,
+						features,
+						intro_node_blinding_point,
+						next_blinding_override,
+					})
+				},
+				ChaChaPolyReadAdapter { readable: BlindedPaymentTlvs::Receive(receive_tlvs) } => {
+					let ReceiveTlvs { tlvs, authentication: (hmac, nonce) } = receive_tlvs;
+					let expanded_key = node_signer.get_inbound_payment_key();
+					if tlvs.verify_for_offer_payment(hmac, nonce, &expanded_key).is_err() {
+						return Err(DecodeError::InvalidValue);
+					}
+
+					let UnauthenticatedReceiveTlvs {
+						payment_secret, payment_constraints, payment_context,
+					} = tlvs;
+					if total_msat.unwrap_or(0) > MAX_VALUE_MSAT { return Err(DecodeError::InvalidValue) }
+					Ok(Self::BlindedReceive {
+						sender_intended_htlc_amt_msat: amt.ok_or(DecodeError::InvalidValue)?,
+						total_msat: total_msat.ok_or(DecodeError::InvalidValue)?,
+						cltv_expiry_height: cltv_value.ok_or(DecodeError::InvalidValue)?,
+						payment_secret,
+						payment_constraints,
+						payment_context,
+						intro_node_blinding_point,
+						keysend_preimage,
+						custom_tlvs,
+					})
+				},
+			}
+		} else if let Some(outgoing_node_id) = outgoing_node_id {
+			if payment_data.is_some() || encrypted_tlvs_opt.is_some() ||
+				total_msat.is_some()
+			{ return Err(DecodeError::InvalidValue) }
+			Ok(Self::Forward {
+				outgoing_node_id,
+				amt_to_forward: amt.ok_or(DecodeError::InvalidValue)?,
+				outgoing_cltv_value: cltv_value.ok_or(DecodeError::InvalidValue)?,
+			})
+		} else {
+			// unblinded Trampoline receives are not supported
+			return Err(DecodeError::InvalidValue);
+		}
+	}
+}
+
+
 impl Writeable for Ping {
 	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
 		self.ponglen.write(w)?;

lightning/src/ln/onion_payment.rs

@@ -16,7 +16,7 @@ use crate::ln::channelmanager::{BlindedFailure, BlindedForward, CLTV_FAR_FAR_AWA
 use crate::types::features::BlindedHopFeatures;
 use crate::ln::msgs;
 use crate::ln::onion_utils;
-use crate::ln::onion_utils::{HTLCFailReason, INVALID_ONION_BLINDING};
+use crate::ln::onion_utils::{HTLCFailReason, InboundTrampolineHop, INVALID_ONION_BLINDING};
 use crate::routing::gossip::NodeId;
 use crate::sign::{NodeSigner, Recipient};
 use crate::util::logger::Logger;
@@ -432,7 +432,7 @@ where
 
 	let next_hop = match onion_utils::decode_next_payment_hop(
 		shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac,
-		msg.payment_hash, msg.blinding_point, node_signer
+		msg.payment_hash, msg.blinding_point, &(*node_signer)
 	) {
 		Ok(res) => res,
 		Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
@@ -482,8 +482,42 @@ where
 		} => {
 			return_err!("TrampolineEntrypoint data provided in intermediary node", 0x4000 | 22, &[0; 0]);
 		},
-		onion_utils::Hop::Receive(msgs::InboundOnionPayload::TrampolineEntrypoint { .. }) => {
-			todo!()
+		onion_utils::Hop::Receive(msgs::InboundOnionPayload::TrampolineEntrypoint { ref trampoline_packet, .. }) => {
+			{
+				let trampoline_shared_secret = node_signer.ecdh(
+					Recipient::Node, &trampoline_packet.public_key, blinded_node_id_tweak.as_ref(),
+				).unwrap().secret_bytes();
+				let next_trampoline_hop = match onion_utils::decode_next_trampoline_hop(
+					trampoline_shared_secret, &trampoline_packet.hop_data[..], trampoline_packet.hmac,
+					msg.payment_hash, msg.blinding_point, node_signer,
+				) {
+					Ok(res) => res,
+					Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
+						return_malformed_err!(err_msg, err_code);
+					}
+					Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code }) => {
+						return_err!(err_msg, err_code, &[0; 0]);
+					}
+				};
+				match next_trampoline_hop {
+					InboundTrampolineHop::Forward { next_hop_data: msgs::InboundTrampolinePayload::Forward { amt_to_forward, outgoing_cltv_value, outgoing_node_id }, .. } => {
+						let next_packet_pubkey = onion_utils::next_hop_pubkey(&secp_ctx,
+							msg.onion_routing_packet.public_key.unwrap(), &trampoline_shared_secret);
+						NextPacketDetails {
+							next_packet_pubkey,
+							outgoing_connector: HopConnector::Trampoline{
+								shared_secret: trampoline_shared_secret,
+								node_id: NodeId::from_pubkey(&outgoing_node_id),
+							},
+							outgoing_amt_msat: amt_to_forward,
+							outgoing_cltv_value,
+						}
+					}
+					_ => {
+						todo!();
+					}
+				}
+			}
 		}
 		onion_utils::Hop::Receive { .. } => return Ok((next_hop, shared_secret, None)),
 		onion_utils::Hop::Forward { next_hop_data: msgs::InboundOnionPayload::Receive { .. }, .. } |

lightning/src/ln/onion_utils.rs

@@ -1444,6 +1444,23 @@ impl Hop {
 	}
 }
 
+/// Data decrypted from a payment's Trampoline onion payload.
+#[allow(unused)]
+pub(crate) enum InboundTrampolineHop {
+	/// This onion payload was for us, not for forwarding to a next-hop. Contains information for
+	/// verifying the incoming payment.
+	Receive(msgs::InboundTrampolinePayload),
+	/// This onion payload needs to be forwarded to a next-hop.
+	Forward {
+		/// Onion payload data used in forwarding the payment.
+		next_hop_data: msgs::InboundTrampolinePayload,
+		/// HMAC of the next hop's onion packet.
+		next_hop_hmac: [u8; 32],
+		/// Bytes of the onion packet we're forwarding.
+		new_packet_bytes: [u8; ONION_DATA_LEN],
+	},
+}
+
 /// Error returned when we fail to decode the onion packet.
 #[derive(Debug)]
 pub(crate) enum OnionDecodeErr {
@@ -1475,6 +1492,28 @@ where
 	}
 }
 
+pub(crate) fn decode_next_trampoline_hop<NS: Deref>(
+	shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash,
+	blinding_point: Option<PublicKey>, node_signer: NS,
+) -> Result<InboundTrampolineHop, OnionDecodeErr>
+where
+	NS::Target: NodeSigner,
+{
+	match decode_next_hop(
+		shared_secret,
+		hop_data,
+		hmac_bytes,
+		Some(payment_hash),
+		(blinding_point, node_signer),
+	) {
+		Ok((next_hop_data, None)) => Ok(InboundTrampolineHop::Receive(next_hop_data)),
+		Ok((next_hop_data, Some((next_hop_hmac, FixedSizeOnionPacket(new_packet_bytes))))) => {
+			Ok(InboundTrampolineHop::Forward { next_hop_data, next_hop_hmac, new_packet_bytes })
+		},
+		Err(e) => Err(e),
+	}
+}
+
 /// Build a payment onion, returning the first hop msat and cltv values as well.
 /// `cur_block_height` should be set to the best known block height + 1.
 pub fn create_payment_onion<T: secp256k1::Signing>(