forked from ElementsProject/lightning
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathonion.c
389 lines (349 loc) · 10.4 KB
/
onion.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
#include "config.h"
#include <assert.h>
#include <ccan/array_size/array_size.h>
#include <ccan/cast/cast.h>
#include <common/ecdh.h>
#include <common/onion.h>
#include <common/sphinx.h>
#include <sodium/crypto_aead_chacha20poly1305.h>
/* BOLT #4:
*
* ### `tlv_payload` format
*
* This is a more flexible format, which avoids the redundant
* `short_channel_id` field for the final node. It is formatted
* according to the Type-Length-Value format defined in [BOLT
* #1](01-messaging.md#type-length-value-format).
*/
static u8 *make_tlv_hop(const tal_t *ctx,
const struct tlv_tlv_payload *tlv)
{
/* We can't have over 64k anyway */
u8 *tlvs = tal_arr(ctx, u8, 3);
towire_tlv_tlv_payload(&tlvs, tlv);
switch (bigsize_put(tlvs, tal_bytelen(tlvs) - 3)) {
case 1:
/* Move over two unused bytes */
memmove(tlvs + 1, tlvs + 3, tal_bytelen(tlvs) - 3);
tal_resize(&tlvs, tal_bytelen(tlvs) - 2);
return tlvs;
case 3:
return tlvs;
}
abort();
}
u8 *onion_nonfinal_hop(const tal_t *ctx,
const struct short_channel_id *scid,
struct amount_msat forward,
u32 outgoing_cltv,
const struct pubkey *blinding,
const u8 *enctlv)
{
struct tlv_tlv_payload *tlv = tlv_tlv_payload_new(tmpctx);
/* BOLT #4:
*
* The writer:
*...
* - For every node:
* - MUST include `amt_to_forward` and `outgoing_cltv_value`.
* - For every non-final node:
* - MUST include `short_channel_id`
* - MUST NOT include `payment_data`
*/
tlv->amt_to_forward = &forward.millisatoshis; /* Raw: TLV convert */
tlv->outgoing_cltv_value = &outgoing_cltv;
tlv->short_channel_id = cast_const(struct short_channel_id *, scid);
#if EXPERIMENTAL_FEATURES
tlv->blinding_point = cast_const(struct pubkey *, blinding);
tlv->encrypted_recipient_data = cast_const(u8 *, enctlv);
#endif
return make_tlv_hop(ctx, tlv);
}
u8 *onion_final_hop(const tal_t *ctx,
struct amount_msat forward,
u32 outgoing_cltv,
struct amount_msat total_msat,
const struct pubkey *blinding,
const u8 *enctlv,
const struct secret *payment_secret,
const u8 *payment_metadata)
{
struct tlv_tlv_payload *tlv = tlv_tlv_payload_new(tmpctx);
struct tlv_tlv_payload_payment_data tlv_pdata;
/* These go together! */
if (!payment_secret)
assert(amount_msat_eq(total_msat, forward));
/* BOLT #4:
*
* The writer:
*...
* - For every node:
* - MUST include `amt_to_forward` and `outgoing_cltv_value`.
*...
* - For the final node:
* - MUST NOT include `short_channel_id`
* - if the recipient provided `payment_secret`:
* - MUST include `payment_data`
* - MUST set `payment_secret` to the one provided
* - MUST set `total_msat` to the total amount it will send
*/
tlv->amt_to_forward = &forward.millisatoshis; /* Raw: TLV convert */
tlv->outgoing_cltv_value = &outgoing_cltv;
if (payment_secret) {
tlv_pdata.payment_secret = *payment_secret;
tlv_pdata.total_msat = total_msat.millisatoshis; /* Raw: TLV convert */
tlv->payment_data = &tlv_pdata;
}
tlv->payment_metadata = cast_const(u8 *, payment_metadata);
#if EXPERIMENTAL_FEATURES
tlv->blinding_point = cast_const(struct pubkey *, blinding);
tlv->encrypted_recipient_data = cast_const(u8 *, enctlv);
#endif
return make_tlv_hop(ctx, tlv);
}
/* Returns true if valid, and fills in type. */
static bool pull_payload_length(const u8 **cursor,
size_t *max,
bool has_realm,
enum onion_payload_type *type,
size_t *len)
{
/* *len will incorporate bytes we read from cursor */
const u8 *start = *cursor;
/* BOLT #4:
*
* The `length` field determines both the length and the format of the
* `hop_payload` field; the following formats are defined:
*/
*len = fromwire_bigsize(cursor, max);
if (!cursor)
return false;
/* BOLT #4:
* - Legacy `hop_data` format, identified by a single `0x00` byte for
* length. In this case the `hop_payload_length` is defined to be 32
* bytes.
*/
if (has_realm && *len == 0) {
if (type)
*type = ONION_V0_PAYLOAD;
assert(*cursor - start == 1);
*len = 1 + 32;
return true;
}
/* BOLT #4:
* - `tlv_payload` format, identified by any length over `1`. In this
* case the `hop_payload_length` is equal to the numeric value of
* `length`.
*/
if (!has_realm || *len > 1) {
/* It's still invalid if it claims to be too long! */
if (has_realm) {
if (*len > ROUTING_INFO_SIZE - HMAC_SIZE)
return false;
} else {
if (*len > *max)
return false;
}
if (type)
*type = ONION_TLV_PAYLOAD;
*len += (*cursor - start);
return true;
}
return false;
}
size_t onion_payload_length(const u8 *raw_payload, size_t len, bool has_realm,
bool *valid,
enum onion_payload_type *type)
{
size_t max = len, payload_len;
*valid = pull_payload_length(&raw_payload, &max, has_realm, type, &payload_len);
/* If it's not valid, copy the entire thing. */
if (!*valid)
return len;
return payload_len;
}
#if EXPERIMENTAL_FEATURES
static struct tlv_tlv_payload *decrypt_tlv(const tal_t *ctx,
const struct secret *blinding_ss,
const u8 *enc)
{
const unsigned char npub[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
struct secret rho;
u8 *dec;
const u8 *cursor;
size_t max;
int ret;
subkey_from_hmac("rho", blinding_ss, &rho);
if (tal_bytelen(enc) < crypto_aead_chacha20poly1305_ietf_ABYTES)
return NULL;
dec = tal_arr(tmpctx, u8,
tal_bytelen(enc)
- crypto_aead_chacha20poly1305_ietf_ABYTES);
ret = crypto_aead_chacha20poly1305_ietf_decrypt(dec, NULL,
NULL,
enc,
tal_bytelen(enc),
NULL, 0,
npub,
rho.data);
if (ret != 0)
return NULL;
cursor = dec;
max = tal_bytelen(dec);
return fromwire_tlv_tlv_payload(ctx, &cursor, &max);
}
#endif /* EXPERIMENTAL_FEATURES */
struct onion_payload *onion_decode(const tal_t *ctx,
const struct route_step *rs,
const struct pubkey *blinding,
const struct secret *blinding_ss,
const u64 *accepted_extra_tlvs,
u64 *failtlvtype,
size_t *failtlvpos)
{
struct onion_payload *p = tal(ctx, struct onion_payload);
const u8 *cursor = rs->raw_payload;
size_t max = tal_bytelen(cursor), len;
struct tlv_tlv_payload *tlv;
if (!pull_payload_length(&cursor, &max, true, &p->type, &len)) {
*failtlvtype = 0;
*failtlvpos = tal_bytelen(rs->raw_payload);
goto fail_no_tlv;
}
/* Very limited legacy handling: forward only. */
if (p->type == ONION_V0_PAYLOAD && rs->nextcase == ONION_FORWARD) {
p->forward_channel = tal(p, struct short_channel_id);
fromwire_short_channel_id(&cursor, &max, p->forward_channel);
p->total_msat = NULL;
p->amt_to_forward = fromwire_amount_msat(&cursor, &max);
p->outgoing_cltv = fromwire_u32(&cursor, &max);
p->payment_secret = NULL;
p->payment_metadata = NULL;
p->blinding = NULL;
/* We can't handle blinding with a legacy payload */
if (blinding)
return tal_free(p);
/* If they somehow got an invalid onion this far, fail. */
if (!cursor)
return tal_free(p);
p->tlv = NULL;
return p;
}
/* We do this manually so we can accept extra types, and get
* error off and type. */
tlv = tlv_tlv_payload_new(p);
if (!fromwire_tlv(&cursor, &max, tlvs_tlv_tlv_payload,
TLVS_ARRAY_SIZE_tlv_tlv_payload,
tlv, &tlv->fields, accepted_extra_tlvs,
failtlvpos, failtlvtype)) {
goto fail;
}
/* BOLT #4:
*
* The reader:
* - MUST return an error if `amt_to_forward` or
* `outgoing_cltv_value` are not present.
*/
if (!tlv->amt_to_forward) {
*failtlvtype = TLV_TLV_PAYLOAD_AMT_TO_FORWARD;
goto field_bad;
}
if (!tlv->outgoing_cltv_value) {
*failtlvtype = TLV_TLV_PAYLOAD_OUTGOING_CLTV_VALUE;
goto field_bad;
}
p->amt_to_forward = amount_msat(*tlv->amt_to_forward);
p->outgoing_cltv = *tlv->outgoing_cltv_value;
/* BOLT #4:
*
* The writer:
*...
* - For every non-final node:
* - MUST include `short_channel_id`
*/
if (rs->nextcase == ONION_FORWARD) {
if (!tlv->short_channel_id) {
*failtlvtype = TLV_TLV_PAYLOAD_SHORT_CHANNEL_ID;
goto field_bad;
}
p->forward_channel = tal_dup(p, struct short_channel_id,
tlv->short_channel_id);
p->total_msat = NULL;
} else {
p->forward_channel = NULL;
/* BOLT #4:
* - if it is the final node:
* - MUST treat `total_msat` as if it were equal to
* `amt_to_forward` if it is not present. */
p->total_msat = tal_dup(p, struct amount_msat,
&p->amt_to_forward);
}
p->payment_secret = NULL;
p->blinding = tal_dup_or_null(p, struct pubkey, blinding);
#if EXPERIMENTAL_FEATURES
if (!p->blinding) {
/* If we have no blinding, it could be in TLV. */
if (tlv->blinding_point) {
p->blinding =
tal_dup(p, struct pubkey,
tlv->blinding_point);
ecdh(p->blinding, &p->blinding_ss);
}
} else
p->blinding_ss = *blinding_ss;
if (p->blinding) {
/* If they give us a blinding and we're not terminal,
* we must have an enctlv. */
if (rs->nextcase == ONION_FORWARD) {
struct tlv_tlv_payload *ntlv;
if (!tlv->encrypted_recipient_data) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
goto field_bad;
}
ntlv = decrypt_tlv(tmpctx,
&p->blinding_ss,
tlv->encrypted_recipient_data);
if (!ntlv) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
goto field_bad;
}
/* Must override short_channel_id */
if (!ntlv->short_channel_id) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
/* Place error at *end* of enctlv,
* indicating missing field. */
*failtlvpos = tlv_field_offset(rs->raw_payload,
tal_bytelen(rs->raw_payload),
*failtlvtype)
+ tal_bytelen(tlv->encrypted_recipient_data);
goto fail;
}
*p->forward_channel
= *ntlv->short_channel_id;
}
}
#endif /* EXPERIMENTAL_FEATURES */
if (tlv->payment_data) {
p->payment_secret = tal_dup(p, struct secret,
&tlv->payment_data->payment_secret);
tal_free(p->total_msat);
p->total_msat = tal(p, struct amount_msat);
*p->total_msat
= amount_msat(tlv->payment_data->total_msat);
}
if (tlv->payment_metadata)
p->payment_metadata
= tal_dup_talarr(p, u8, tlv->payment_metadata);
else
p->payment_metadata = NULL;
p->tlv = tal_steal(p, tlv);
return p;
field_bad:
*failtlvpos = tlv_field_offset(rs->raw_payload, tal_bytelen(rs->raw_payload),
*failtlvtype);
fail:
tal_free(tlv);
fail_no_tlv:
tal_free(p);
return NULL;
}