Prepare to auth blinded path contexts with a secret AAD in the MAC

When we receive an onion message, we often want to make sure it was
sent through a blinded path we constructed. This protects us from
various deanonymization attacks where someone can send a message to
every node on the network until they find us, effectively
unwrapping the blinded path and identifying its recipient.

We generally do so by adding authentication tags to our
`MessageContext` variants. Because the contexts themselves are
encrypted (and MAC'd) to us, we only have to ensure that they
cannot be forged, which is trivially accomplished with a simple
nonce and a MAC covering it.

This logic has ended up being repeated in nearly all of our onion
message handlers, and has gotten quite repetitive.

Instead, here, we simply authenticate the blinded path contexts
using the MAC that's already there, but tweaking it with an
additional secret as the AAD in Poly1305. This prevents forgery as
the secret is now required to make the MAC check pass.

Ultimately this means that no one can ever build a blinded path
which terminates at an LDK node that we'll accept, but over time
we've come to recognize this as a useful property, rather than
something to fight. Here we finally break from the spec fully in
our context encryption (not just the contents thereof).

This will save a bit of space in some of our `MessageContext`s,
though sadly not in the blinded path we include in `Bolt12Offer`s,
so they're generally not in space-sensitive blinded paths.

We can apply the same logic in our blinded payment paths as well,
but we do not do so here.

This commit only adds the required changes to the cryptography, for
now it uses a constant key of `[41; 32]`.

Author: TheBlueMatt

lightning/src/blinded_path/message.rs

@@ -92,6 +92,7 @@ impl BlindedMessagePath {
 				recipient_node_id,
 				context,
 				&blinding_secret,
+				[41; 32], // TODO: Pass this in
 			)
 			.map_err(|_| ())?,
 		}))
@@ -514,18 +515,19 @@ pub(crate) const MESSAGE_PADDING_ROUND_OFF: usize = 100;
 pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
 	recipient_node_id: PublicKey, context: MessageContext, session_priv: &SecretKey,
+	local_node_receive_key: [u8; 32],
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
 	let pks = intermediate_nodes
 		.iter()
-		.map(|node| node.node_id)
-		.chain(core::iter::once(recipient_node_id));
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((recipient_node_id, Some(local_node_receive_key))));
 	let is_compact = intermediate_nodes.iter().any(|node| node.short_channel_id.is_some());
 
 	let tlvs = pks
 		.clone()
 		.skip(1) // The first node's TLVs contains the next node's pubkey
 		.zip(intermediate_nodes.iter().map(|node| node.short_channel_id))
-		.map(|(pubkey, scid)| match scid {
+		.map(|((pubkey, _), scid)| match scid {
 			Some(scid) => NextMessageHop::ShortChannelId(scid),
 			None => NextMessageHop::NodeId(pubkey),
 		})

lightning/src/blinded_path/payment.rs

@@ -664,8 +664,10 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[PaymentForwardNode], payee_node_id: PublicKey,
 	payee_tlvs: ReceiveTlvs, session_priv: &SecretKey,
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
-	let pks =
-		intermediate_nodes.iter().map(|node| node.node_id).chain(core::iter::once(payee_node_id));
+	let pks = intermediate_nodes
+		.iter()
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((payee_node_id, None)));
 	let tlvs = intermediate_nodes
 		.iter()
 		.map(|node| BlindedPaymentTlvsRef::Forward(&node.tlvs))

lightning/src/blinded_path/utils.rs

@@ -17,7 +17,8 @@ use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1, SecretKey};
 
 use super::message::BlindedMessagePath;
 use super::{BlindedHop, BlindedPath};
-use crate::crypto::streams::ChaChaPolyWriteAdapter;
+use crate::crypto::chacha20poly1305rfc::ChaCha20Poly1305RFC;
+use crate::crypto::streams::chachapoly_encrypt_with_swapped_aad;
 use crate::io;
 use crate::ln::onion_utils;
 use crate::onion_message::messenger::Destination;
@@ -105,7 +106,6 @@ macro_rules! build_keys_helper {
 	};
 }
 
-#[inline]
 pub(crate) fn construct_keys_for_onion_message<'a, T, I, F>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, destination: Destination, session_priv: &SecretKey,
 	mut callback: F,
@@ -137,26 +137,35 @@ where
 	Ok(())
 }
 
-#[inline]
-pub(super) fn construct_keys_for_blinded_path<'a, T, I, F, H>(
-	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey, mut callback: F,
+fn construct_keys_for_blinded_path<'a, T, I, F, H>(
+	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey,
+	mut callback: F,
 ) -> Result<(), secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
 	H: Borrow<PublicKey>,
 	I: Iterator<Item = H>,
-	F: FnMut(PublicKey, SharedSecret, PublicKey, [u8; 32], Option<H>, Option<Vec<u8>>),
+	F: FnMut(
+		PublicKey,
+		SharedSecret,
+		PublicKey,
+		[u8; 32],
+		Option<H>,
+		Option<Vec<u8>>,
+	),
 {
 	build_keys_helper!(session_priv, secp_ctx, callback);
 
-	for pk in unblinded_path {
+	let mut iter = unblinded_path.peekable();
+	while let Some(pk) = iter.next() {
 		build_keys_in_loop!(pk, false, None);
 	}
 	Ok(())
 }
 
 struct PublicKeyWithTlvs<W: Writeable> {
 	pubkey: PublicKey,
+	hop_recv_key: Option<[u8; 32]>,
 	tlvs: W,
 }
 
@@ -171,20 +180,24 @@ pub(crate) fn construct_blinded_hops<'a, T, I, W>(
 ) -> Result<Vec<BlindedHop>, secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
-	I: Iterator<Item = (PublicKey, W)>,
+	I: Iterator<Item = ((PublicKey, Option<[u8; 32]>), W)>,
 	W: Writeable,
 {
 	let mut blinded_hops = Vec::with_capacity(unblinded_path.size_hint().0);
 	construct_keys_for_blinded_path(
 		secp_ctx,
-		unblinded_path.map(|(pubkey, tlvs)| PublicKeyWithTlvs { pubkey, tlvs }),
+		unblinded_path.map(|((pubkey, hop_recv_key), tlvs)| {
+			PublicKeyWithTlvs { pubkey, hop_recv_key, tlvs }
+		}),
 		session_priv,
 		|blinded_node_id, _, _, encrypted_payload_rho, unblinded_hop_data, _| {
+			let hop_data = unblinded_hop_data.unwrap();
 			blinded_hops.push(BlindedHop {
 				blinded_node_id,
 				encrypted_payload: encrypt_payload(
-					unblinded_hop_data.unwrap().tlvs,
+					hop_data.tlvs,
 					encrypted_payload_rho,
+					hop_data.hop_recv_key,
 				),
 			});
 		},
@@ -193,9 +206,19 @@ where
 }
 
 /// Encrypt TLV payload to be used as a [`crate::blinded_path::BlindedHop::encrypted_payload`].
-fn encrypt_payload<P: Writeable>(payload: P, encrypted_tlvs_rho: [u8; 32]) -> Vec<u8> {
-	let write_adapter = ChaChaPolyWriteAdapter::new(encrypted_tlvs_rho, &payload);
-	write_adapter.encode()
+fn encrypt_payload<P: Writeable>(
+	payload: P, encrypted_tlvs_rho: [u8; 32], hop_recv_key: Option<[u8; 32]>,
+) -> Vec<u8> {
+	let mut payload_data = payload.encode();
+	if let Some(hop_recv_key) = hop_recv_key {
+		chachapoly_encrypt_with_swapped_aad(payload_data, encrypted_tlvs_rho, hop_recv_key)
+	} else {
+		let mut chacha = ChaCha20Poly1305RFC::new(&encrypted_tlvs_rho, &[0; 12], &[]);
+		let mut tag = [0; 16];
+		chacha.encrypt_full_message_in_place(&mut payload_data, &mut tag);
+		payload_data.extend_from_slice(&tag);
+		payload_data
+	}
 }
 
 /// A data structure used exclusively to pad blinded path payloads, ensuring they are of

lightning/src/ln/blinded_payment_tests.rs

@@ -1556,17 +1556,23 @@ fn route_blinding_spec_test_vector() {
 	let blinding_override = PublicKey::from_secret_key(&secp_ctx, &dave_eve_session_priv);
 	assert_eq!(blinding_override, pubkey_from_hex("031b84c5567b126440995d3ed5aaba0565d71e1834604819ff9c17f5e9d5dd078f"));
 	// Can't use the public API here as the encrypted payloads contain unknown TLVs.
-	let path = [(dave_node_id, WithoutLength(&dave_unblinded_tlvs)), (eve_node_id, WithoutLength(&eve_unblinded_tlvs))];
+	let path = [
+		((dave_node_id, None), WithoutLength(&dave_unblinded_tlvs)),
+		((eve_node_id, None), WithoutLength(&eve_unblinded_tlvs)),
+	];
 	let mut dave_eve_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &dave_eve_session_priv
+		&secp_ctx, path.into_iter(), &dave_eve_session_priv,
 	).unwrap();
 
 	// Concatenate an additional Bob -> Carol blinded path to the Eve -> Dave blinded path.
 	let bob_carol_session_priv = secret_from_hex("0202020202020202020202020202020202020202020202020202020202020202");
 	let bob_blinding_point = PublicKey::from_secret_key(&secp_ctx, &bob_carol_session_priv);
-	let path = [(bob_node_id, WithoutLength(&bob_unblinded_tlvs)), (carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+	let path = [
+		((bob_node_id, None), WithoutLength(&bob_unblinded_tlvs)),
+		((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs)),
+	];
 	let bob_carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &bob_carol_session_priv
+		&secp_ctx, path.into_iter(), &bob_carol_session_priv,
 	).unwrap();
 
 	let mut blinded_hops = bob_carol_blinded_hops;
@@ -2026,9 +2032,9 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 		let payee_tlvs = payee_tlvs.authenticate(nonce, &expanded_key);
 		let carol_unblinded_tlvs = payee_tlvs.encode();
 
-		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+		let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 		).unwrap()
 	} else {
 		let payee_tlvs = blinded_path::payment::TrampolineForwardTlvs {
@@ -2047,9 +2053,9 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 		};
 
 		let carol_unblinded_tlvs = payee_tlvs.encode();
-		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+		let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 		).unwrap()
 	};
 
@@ -2249,11 +2255,11 @@ fn test_trampoline_unblinded_receive() {
 	};
 
 	let carol_unblinded_tlvs = payee_tlvs.encode();
-	let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
+	let path = [((carol_node_id, None), WithoutLength(&carol_unblinded_tlvs))];
 	let carol_alice_trampoline_session_priv = secret_from_hex("a0f4b8d7b6c2d0ffdfaf718f76e9decaef4d9fb38a8c4addb95c4007cc3eee03");
 	let carol_blinding_point = PublicKey::from_secret_key(&secp_ctx, &carol_alice_trampoline_session_priv);
 	let carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv,
 	).unwrap();
 
 	let route = Route {

lightning/src/onion_message/messenger.rs

@@ -1068,18 +1068,20 @@ where
 			},
 		}
 	};
+	let receiving_context_auth_key = [41; 32]; // TODO: pass this in
 	let next_hop = onion_utils::decode_next_untagged_hop(
 		onion_decode_ss,
 		&msg.onion_routing_packet.hop_data[..],
 		msg.onion_routing_packet.hmac,
-		(control_tlvs_ss, custom_handler.deref(), logger.deref()),
+		(control_tlvs_ss, custom_handler.deref(), receiving_context_auth_key, logger.deref()),
 	);
 	match next_hop {
 		Ok((
 			Payload::Receive {
 				message,
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context }),
 				reply_path,
+				control_tlvs_authenticated,
 			},
 			None,
 		)) => match (message, context) {
@@ -1108,6 +1110,8 @@ where
 				Ok(PeeledOnion::DNSResolver(msg, None, reply_path))
 			},
 			_ => {
+				// Hide the "`control_tlvs_authenticated` is unused warning". We'll use it here soon
+				let _ = control_tlvs_authenticated;
 				log_trace!(
 					logger,
 					"Received message was sent on a blinded path with wrong or missing context."
@@ -2294,7 +2298,7 @@ fn packet_payloads_and_keys<
 
 	if let Some(control_tlvs) = final_control_tlvs {
 		payloads.push((
-			Payload::Receive { control_tlvs, reply_path: reply_path.take(), message },
+			Payload::Receive { control_tlvs, reply_path: reply_path.take(), message, control_tlvs_authenticated: false, },
 			prev_control_tlvs_ss.unwrap(),
 		));
 	} else {
@@ -2303,6 +2307,7 @@ fn packet_payloads_and_keys<
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context: None }),
 				reply_path: reply_path.take(),
 				message,
+				control_tlvs_authenticated: false,
 			},
 			prev_control_tlvs_ss.unwrap(),
 		));

lightning/src/onion_message/packet.rs

@@ -18,7 +18,7 @@ use super::dns_resolution::DNSResolverMessage;
 use super::messenger::CustomOnionMessageHandler;
 use super::offers::OffersMessage;
 use crate::blinded_path::message::{BlindedMessagePath, ForwardTlvs, NextMessageHop, ReceiveTlvs};
-use crate::crypto::streams::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
+use crate::crypto::streams::{ChaChaDualPolyReadAdapter, ChaChaPolyWriteAdapter};
 use crate::ln::msgs::DecodeError;
 use crate::ln::onion_utils;
 use crate::util::logger::Logger;
@@ -112,7 +112,11 @@ pub(super) enum Payload<T: OnionMessageContents> {
 	/// This payload is for an intermediate hop.
 	Forward(ForwardControlTlvs),
 	/// This payload is for the final hop.
-	Receive { control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
+	Receive {
+		/// The [`ReceiveControlTlvs`] were authenticated with the additional key which was
+		/// provided to [`ReadableArgs::read`].
+		control_tlvs_authenticated: bool,
+		control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
 }
 
 /// The contents of an [`OnionMessage`] as read from the wire.
@@ -223,6 +227,7 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				control_tlvs: ReceiveControlTlvs::Blinded(encrypted_bytes),
 				reply_path,
 				message,
+				control_tlvs_authenticated: _,
 			} => {
 				_encode_varint_length_prefixed_tlv!(w, {
 					(2, reply_path, option),
@@ -238,6 +243,7 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				control_tlvs: ReceiveControlTlvs::Unblinded(control_tlvs),
 				reply_path,
 				message,
+				control_tlvs_authenticated: _,
 			} => {
 				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
 				_encode_varint_length_prefixed_tlv!(w, {
@@ -252,22 +258,22 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 }
 
 // Uses the provided secret to simultaneously decode and decrypt the control TLVs and data TLV.
-impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(SharedSecret, &H, &L)>
+impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(SharedSecret, &H, [u8; 32], &L)>
 	for Payload<ParsedOnionMessageContents<<H as CustomOnionMessageHandler>::CustomMessage>>
 {
-	fn read<R: Read>(r: &mut R, args: (SharedSecret, &H, &L)) -> Result<Self, DecodeError> {
-		let (encrypted_tlvs_ss, handler, logger) = args;
+	fn read<R: Read>(r: &mut R, args: (SharedSecret, &H, [u8; 32], &L)) -> Result<Self, DecodeError> {
+		let (encrypted_tlvs_ss, handler, receive_tlvs_key, logger) = args;
 
 		let v: BigSize = Readable::read(r)?;
 		let mut rd = FixedLengthReader::new(r, v.0);
 		let mut reply_path: Option<BlindedMessagePath> = None;
-		let mut read_adapter: Option<ChaChaPolyReadAdapter<ControlTlvs>> = None;
+		let mut read_adapter: Option<ChaChaDualPolyReadAdapter<ControlTlvs>> = None;
 		let rho = onion_utils::gen_rho_from_shared_secret(&encrypted_tlvs_ss.secret_bytes());
 		let mut message_type: Option<u64> = None;
 		let mut message = None;
 		decode_tlv_stream_with_custom_tlv_decode!(&mut rd, {
 			(2, reply_path, option),
-			(4, read_adapter, (option: LengthReadableArgs, rho)),
+			(4, read_adapter, (option: LengthReadableArgs, (rho, receive_tlvs_key))),
 		}, |msg_type, msg_reader| {
 			if msg_type < 64 { return Ok(false) }
 			// Don't allow reading more than one data TLV from an onion message.
@@ -304,17 +310,18 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 
 		match read_adapter {
 			None => return Err(DecodeError::InvalidValue),
-			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Forward(tlvs) }) => {
-				if message_type.is_some() {
+			Some(ChaChaDualPolyReadAdapter { readable: ControlTlvs::Forward(tlvs), used_aad }) => {
+				if used_aad || message_type.is_some() {
 					return Err(DecodeError::InvalidValue);
 				}
 				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
 			},
-			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Receive(tlvs) }) => {
+			Some(ChaChaDualPolyReadAdapter { readable: ControlTlvs::Receive(tlvs), used_aad }) => {
 				Ok(Payload::Receive {
 					control_tlvs: ReceiveControlTlvs::Unblinded(tlvs),
 					reply_path,
 					message: message.ok_or(DecodeError::InvalidValue)?,
+					control_tlvs_authenticated: used_aad,
 				})
 			},
 		}