lightningd: split onion_message hook.

Only way to be sure that plugins don't accidentally respond to onion_message sent via reply path from another message (which would potentially leak our identity!). To quote BOLT ElementsProject#7 (Onion Messages) in the offers PR: ```markdown The reader: - MUST ignore any message which contains a `blinding` which it did not expect, or does not contain a `blinding` when one is expected. ... `blinding` is critical to the use of blinded paths: there are various means by which a blinded path is passed to a node. The receipt of an expected `blinding` indicates that blinded path has been used: it is important that a node not accept unblinded messages when it is expecting a blinded message, as this implies the sender is probing to detect if the recipient is the terminus of the blinded path. Similarly, since blinded paths don't expire, a node could try to use a blinded path to send an unexpected message hoping for a response. ``` Signed-off-by: Rusty Russell <[email protected]>
johnongit · Dec 5, 2020 · 695a8bd · 695a8bd
1 parent 6142219
commit 695a8bd
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lightningd/onion_message.c b/lightningd/onion_message.c
@@ -51,12 +51,20 @@ onion_message_hook_cb(struct onion_message_hook_payload *payload STEALS)
 	tal_free(payload);
 }
 
+/* Two hooks, because it's critical we only accept blinding if we expect that
+ * exact blinding key.  Otherwise, we can be probed using old blinded paths. */
 REGISTER_PLUGIN_HOOK(onion_message,
 		     plugin_hook_continue,
 		     onion_message_hook_cb,
 		     onion_message_serialize,
 		     struct onion_message_hook_payload *);
 
+REGISTER_PLUGIN_HOOK(onion_message_blinded,
+		     plugin_hook_continue,
+		     onion_message_hook_cb,
+		     onion_message_serialize,
+		     struct onion_message_hook_payload *);
+
 /* Returns false if we can't tell it */
 static bool make_peer_send(struct lightningd *ld,
 			   struct channel *dst, const u8 *msg TAKES)
@@ -113,7 +121,11 @@ void handle_onionmsg_to_us(struct channel *channel, const u8 *msg)
 	log_debug(channel->log, "Got onionmsg%s%s",
 		  payload->reply_blinding ? " reply_blinding": "",
 		  payload->reply_path ? " reply_path": "");
-	plugin_hook_call_onion_message(ld, payload);
+
+	if (payload->blinding_in)
+		plugin_hook_call_onion_message_blinded(ld, payload);
+	else
+		plugin_hook_call_onion_message(ld, payload);
 }
 
 void handle_onionmsg_forward(struct channel *channel, const u8 *msg)