Handle receiving payments via Trampoline

[arik-so]

This PR implements handling payment receives from Trampoline onions, but does not yet implement forwarding payments through Trampoline. It also adds tests for end-to-end payment scenarios, including both for single-hop Trampoline receives, as well as for multi-hop Trampoline forwards, thus also providing sufficient coverage to remove the cfg gating.

The overall set of Trampoline components can be tracked here.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[valentinewallace]

Would it work to check the failure code for INVALID_ONION_BLINDING instead of having the extra argument?

[arik-so]

yes, provided we never ever want to use that error code with non-zeroed data

[joostjager]

If we always want to use it with zeroed data, why would the sha256 field for INVALID_ONION_BLINDING then be in the spec?

[arik-so]

Right, hence my question :)

[valentinewallace]

We'll only ever want to use zeroed data with this error code, which I think is just a special exception for update_malformeds for blinded HTLCs.

[arik-so]

I modified it to infer the onion hash from the error code instead of adding an extra field.

[valentinewallace]

Somewhat annoying, but if we want to be accurate to the spec I believe we shouldn't be returning INVALID_ONION_BLINDING for non-blinded trampoline forward/receives, or for blinded receives where the intro blinding point is set. Apologies if I misunderstood some context on this when we discussed offline. I think if we matched on the specific variants instead of _ this change should be doable?

[arik-so]

yeah, I was wondering about that lol. Trivial fix, no worries

[valentinewallace]

Is this the discussion you're referring to in the commit message? lightning/bolts#836 (comment)

[arik-so]

yup, exactly! @t-bast and I discussed it a bit offline, and I believe they're assessing Eclair code viability for not mandating it outside of MPP scenarios. Alternatively, I can also make it mandatory on the sending side (right now we have an internal mismatch), but I think this approach makes more sense for now.

[joostjager]

I'd think that for simplicity, it may be better to just always set this field? One code path.

[valentinewallace]

I'd agree, although it's all cfg-gated for now anyway I suppose... @arik-so was the reason for doing this now for ease of testing?

[arik-so]

Partially. The other option would require us deciding on a mechanism to convert the prng_seed into a pseudo-random payment secret in the outgoing onion construction method, that's about it.

[joostjager]

But generating that secret is something to be looked at when implementing the forwarding part isn't it? Isn't it best for now to stick with the proposed spec?

[arik-so]

The spec did actually get updated this morning to make it optional for the outer onion.

[TheBlueMatt]

Maybe should update the commit message then?

[joostjager]

I've been gathering more background knowledge on blinded paths and trampoline and did my best to review this PR. I feel I am still missing quite a few pieces, so wouldn't count me as a full reviewer.

[joostjager]

I'd think that for simplicity, it may be better to just always set this field? One code path.

[joostjager]

If we always want to use it with zeroed data, why would the sha256 field for INVALID_ONION_BLINDING then be in the spec?

[joostjager]

Add to commit msg why we need to serialize blinded trampoline fwds in the future and not yet now?

[arik-so]

I adjusted the message.

[joostjager]

Ah I meant explain why this code is needed now, besides unit tests? I got that it encodes tlv data.

[joostjager]

If it's only for the unit test, maybe squash with the test? Or just leave as is, non blocking.

[joostjager]

Mention trampoline in the msg?

[arik-so]

Changed the message to mention Trampoline.

[valentinewallace]

I'm not sure how much correct error handling actually matters here, but to be accurate to the spec we'd want to return Relay if the intro node blinding point is set IIUC. Looks pretty easy though:

diff --git a/lightning/src/ln/onion_utils.rs b/lightning/src/ln/onion_utils.rs
index 45a9e7a09..eeb513319 100644
--- a/lightning/src/ln/onion_utils.rs
+++ b/lightning/src/ln/onion_utils.rs
@@ -1831,13 +1831,33 @@ where
                                                        trampoline_shared_secret,
                                                ),
                                        }),
-                                       Ok((msgs::InboundTrampolinePayload::BlindedForward(_), None)) => {
+                                       Ok((msgs::InboundTrampolinePayload::BlindedForward(hop_data), None)) => {
+                                               if hop_data.intro_node_blinding_point.is_some() {
+                                                       return Err(OnionDecodeErr::Relay {
+                                                               err_msg: "Non-final intro node Trampoline onion data provided to us as last hop",
+                                                               err_code: INVALID_ONION_BLINDING,
+                                                               shared_secret,
+                                                               trampoline_shared_secret: Some(SharedSecret::from_bytes(
+                                                                               trampoline_shared_secret,
+                                                               )),
+                                                       })
+                                               }
                                                Err(OnionDecodeErr::Malformed {
                                                        err_msg: "Non-final Trampoline onion data provided to us as last hop",
                                                        err_code: INVALID_ONION_BLINDING,
                                                })
                                        },

[arik-so]

Good catch; I think in this scenario it should also be an invalid payload, so I adjusted it accordingly.

[valentinewallace]

Ah since we're the intro node to the blinded path I believe we should still blind the error but just do Relay instead of Malformed, no?

[arik-so]

adjusted the error code for being the intro node to a multi-hop blinded path

[valentinewallace]

Somewhat similarly here -- if the intro node blinding point is set we want to return an unblinded error, because if we're a receiver and the intro node, the blinded path only had 1 hop to begin with so no need to blind the error:

diff --git a/lightning/src/ln/onion_utils.rs b/lightning/src/ln/onion_utils.rs
index 45a9e7a09..a6a28ff3d 100644
--- a/lightning/src/ln/onion_utils.rs
+++ b/lightning/src/ln/onion_utils.rs
@@ -1837,7 +1837,17 @@ where
                                                        err_code: INVALID_ONION_BLINDING,
                                                })
                                        },
-                                       Ok((msgs::InboundTrampolinePayload::BlindedReceive(_), Some(_))) => {
+                                       Ok((msgs::InboundTrampolinePayload::BlindedReceive(hop_data), Some(_))) => {
+                                               if hop_data.intro_node_blinding_point.is_some() {
+                                                       return Err(OnionDecodeErr::Relay {
+                                                               err_msg: "Final Trampoline intro node onion data provided to us as intermediate hop",
+                                                               err_code: 0x4000 | 22,
+                                                               shared_secret,
+                                                               trampoline_shared_secret: Some(SharedSecret::from_bytes(
+                                                                               trampoline_shared_secret,
+                                                               )),
+                                                       })
+                                               }
                                                Err(OnionDecodeErr::Malformed {
                                                        err_msg:
                                                                "Final Trampoline onion data provided to us as intermediate hop",

[valentinewallace]

nit: extra newline

[valentinewallace]

I think this is outdated now?

[arik-so]

modified comment to apply to both the invalid onion and the unblinded receive

[valentinewallace]

Maybe note that we don't support sending to unblinded trampolines which is why we need to do all this manual stuff

[arik-so]

added a comment at the top of the replacement_onion block

[valentinewallace]

LGTM after last feedback is addressed. Fine with a squash

[arik-so]

I addressed your feedback, @valentinewallace, and squashed most things, but left two fixup commits where I suspect you might have further thoughts. Also a bit unsure about the last commit, which combines all the unit tests into one, but happy either way.

[joostjager]

No longer necessary change?

[arik-so]

indeed, removed

[joostjager]

Probably more clear to be explicit with these final two arms?
Ok((msgs::InboundTrampolinePayload::Forward(_) | msgs::InboundTrampolinePayload::Receive(_), None)) => Err(OnionDecodeErr::Relay {

[arik-so]

you mean like this?

Ok((
	msgs::InboundTrampolinePayload::Forward(_)
	| msgs::InboundTrampolinePayload::BlindedForward(_),
	None,
)) => Err(OnionDecodeErr::Relay {
	err_msg: "Non-final Trampoline onion data provided to us as last hop",
	err_code: 0x4000 | 22,
	shared_secret,
	trampoline_shared_secret: Some(SharedSecret::from_bytes(
		trampoline_shared_secret,
	)),
}),
Ok((
	msgs::InboundTrampolinePayload::Receive(_)
	| msgs::InboundTrampolinePayload::BlindedReceive(_),
	Some(_),
)) => Err(OnionDecodeErr::Relay {
	err_msg: "Final Trampoline onion data provided to us as intermediate hop",
	err_code: 0x4000 | 22,
	shared_secret,
	trampoline_shared_secret: Some(SharedSecret::from_bytes(
		trampoline_shared_secret,
	)),
}),

[joostjager]

Yes. I was wondering what cases I was looking at, what was left. I think explicit makes it easier?

[arik-so]

done

[joostjager]

This change looks like a bug fix, or is it part of the new functionality?

[arik-so]

it is a bug fix I noticed in passing, shall I move it into a separate commit? I think since I stopped using this method for the test, I can remove it from the PR entirely and open a separate one

[joostjager]

If it is independent, I think it is helpful to isolate in a commit or pr with some explanation.

[arik-so]

removed the change from this PR

[joostjager]

Hmm yes the scenario value seems to push this to the point where it becomes hard to read. I'd say: just acceptable? There are probably other ways to compose a test from reusable building blocks, but maybe not worth it now.

[arik-so]

Yeah perhaps I should just drop the final commit.

[joostjager]

Up to you.

[arik-so]

Dropped the scenario commit.

[joostjager]

Is there currently a test covering the forwarding operation of trampoline node? It's not yet implemented, but to assert that nothing weird happens if we receive a forward?

[joostjager]

Especially without the cfg flag.

[arik-so]

there isn't, but then again, what should happen if we receive it prior to supporting it? I think this is actually a good argument to simply remove it in the subsequent PR instead.

[arik-so]

Added a test ensuring sane behavior when receiving a Trampoline forward hop.

[joostjager]

Add something as a PR description - or maybe the title is self-explanatory?

[arik-so]

Hm, I need to think of what description would be more than just a rephrasing of the title, but I can probably come up with something.

[joostjager]

Perhaps something about what is and isn't supported yet and a link to a follow up issue or the parent issue? That's something at least...

[TheBlueMatt]

LGTM, I think? I mean nothing stands out.

[TheBlueMatt]

Maybe should update the commit message then?

[valentinewallace]

I'm not following the commit message here in 908c6bf since we don't support trampoline forwarding yet?

[arik-so]

ah, it ensures that receiving forwarding onions results in a rejection, but not a panic or some undefined behavior. I'll rephrase.

[valentinewallace]

Ok Joost explained that we test that we don't support forwarding basically

[joostjager]

Add comment what this error code is?

[arik-so]

added comment

[valentinewallace]

Nothing blocking :)

[valentinewallace]

Can we DRY this now with the other OUR PAYMENT! case?

[arik-so]

good point. CI's far from finished anyway, so I pushed the squashed fixup

[valentinewallace]

It's kind of a shame to keep this duplicated with InboundOnionPayload since the code is complex and ~identical, but might be best to save this consideration for follow-up so we can get this in

[arik-so]

ah, that one saw a lot of back and forth, and I agree, but the alternative is clunky, too, and loses the benefit of semantic distinction

[valentinewallace]

I like that these variants are spelled out explicitly now, reads more obviously correct 👍

[valentinewallace]

nit: I don't think this is a keysend payment?

[joostjager]

LGTM with the remark that my mental model of LDK still isn't complete enough to be fully confident

[valentinewallace]

With Matt's LGTM we should be good to land when CI passes!