mirrors/core-lightning
1
0
Fork 0
mirror of https://github.com/ElementsProject/lightning.git synced 2024-11-19 18:11:28 +01:00
Code Issues Projects Releases Wiki Activity
6f7d51ee68
core-lightning/common/onion.c
Rusty Russell 6f7d51ee68 common/onion: always fill in failtlvtype and failtlvpos parameters. 
When we did fill them in, we filled them in wrong: the offset should be
the offset in the message, not the field number!

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-03-25 13:55:44 +10:30

355 lines
9.2 KiB
C
Raw Blame History

#include "config.h"
#include <assert.h>
#include <ccan/array_size/array_size.h>
#include <ccan/cast/cast.h>
#include <common/ecdh.h>
#include <common/onion.h>
#include <common/sphinx.h>
#include <sodium/crypto_aead_chacha20poly1305.h>
/* BOLT #4:
*
* ### `tlv_payload` format
*
* This is a more flexible format, which avoids the redundant
* `short_channel_id` field for the final node. It is formatted
* according to the Type-Length-Value format defined in [BOLT
* #1](01-messaging.md#type-length-value-format).
*/
static u8 *make_tlv_hop(const tal_t *ctx,
const struct tlv_tlv_payload *tlv)
{
/* We can't have over 64k anyway */
u8 *tlvs = tal_arr(ctx, u8, 3);
towire_tlv_payload(&tlvs, tlv);
switch (bigsize_put(tlvs, tal_bytelen(tlvs) - 3)) {
case 1:
/* Move over two unused bytes */
memmove(tlvs + 1, tlvs + 3, tal_bytelen(tlvs) - 3);
tal_resize(&tlvs, tal_bytelen(tlvs) - 2);
return tlvs;
case 3:
return tlvs;
}
abort();
}
u8 *onion_nonfinal_hop(const tal_t *ctx,
const struct short_channel_id *scid,
struct amount_msat forward,
u32 outgoing_cltv,
const struct pubkey *blinding,
const u8 *enctlv)
{
struct tlv_tlv_payload *tlv = tlv_tlv_payload_new(tmpctx);
/* BOLT #4:
*
* The writer:
*...
* - For every node:
* - MUST include `amt_to_forward` and `outgoing_cltv_value`.
* - For every non-final node:
* - MUST include `short_channel_id`
* - MUST NOT include `payment_data`
*/
tlv->amt_to_forward = &forward.millisatoshis; /* Raw: TLV convert */
tlv->outgoing_cltv_value = &outgoing_cltv;
tlv->short_channel_id = cast_const(struct short_channel_id *, scid);
#if EXPERIMENTAL_FEATURES
tlv->blinding_point = cast_const(struct pubkey *, blinding);
tlv->encrypted_recipient_data = cast_const(u8 *, enctlv);
#endif
return make_tlv_hop(ctx, tlv);
}
u8 *onion_final_hop(const tal_t *ctx,
struct amount_msat forward,
u32 outgoing_cltv,
struct amount_msat total_msat,
const struct pubkey *blinding,
const u8 *enctlv,
const struct secret *payment_secret)
{
struct tlv_tlv_payload *tlv = tlv_tlv_payload_new(tmpctx);
struct tlv_tlv_payload_payment_data tlv_pdata;
/* These go together! */
if (!payment_secret)
assert(amount_msat_eq(total_msat, forward));
/* BOLT #4:
*
* The writer:
*...
* - For every node:
* - MUST include `amt_to_forward` and `outgoing_cltv_value`.
*...
* - For the final node:
* - MUST NOT include `short_channel_id`
* - if the recipient provided `payment_secret`:
* - MUST include `payment_data`
* - MUST set `payment_secret` to the one provided
* - MUST set `total_msat` to the total amount it will send
*/
tlv->amt_to_forward = &forward.millisatoshis; /* Raw: TLV convert */
tlv->outgoing_cltv_value = &outgoing_cltv;
if (payment_secret) {
tlv_pdata.payment_secret = *payment_secret;
tlv_pdata.total_msat = total_msat.millisatoshis; /* Raw: TLV convert */
tlv->payment_data = &tlv_pdata;
}
#if EXPERIMENTAL_FEATURES
tlv->blinding_point = cast_const(struct pubkey *, blinding);
tlv->encrypted_recipient_data = cast_const(u8 *, enctlv);
#endif
return make_tlv_hop(ctx, tlv);
}
/* Returns true if valid, and fills in len. */
static bool pull_payload_length(const u8 **cursor,
size_t *max,
bool has_realm,
size_t *len)
{
/* *len will incorporate bytes we read from cursor */
const u8 *start = *cursor;
/* BOLT #4:
*
* The `length` field determines both the length and the format of the
* `hop_payload` field; the following formats are defined:
*/
*len = fromwire_bigsize(cursor, max);
if (!cursor)
return false;
/* BOLT #4:
* - `tlv_payload` format, identified by any length over `1`. In this
* case the `hop_payload_length` is equal to the numeric value of
* `length`.
*/
if (!has_realm || *len > 1) {
/* It's still invalid if it claims to be too long! */
if (has_realm) {
if (*len > ROUTING_INFO_SIZE - HMAC_SIZE)
return false;
} else {
if (*len > *max)
return false;
}
*len += (*cursor - start);
return true;
}
return false;
}
size_t onion_payload_length(const u8 *raw_payload, size_t len, bool has_realm,
bool *valid)
{
size_t max = len, payload_len;
*valid = pull_payload_length(&raw_payload, &max, has_realm, &payload_len);
/* If it's not valid, copy the entire thing. */
if (!*valid)
return len;
return payload_len;
}
#if EXPERIMENTAL_FEATURES
static struct tlv_tlv_payload *decrypt_tlv(const tal_t *ctx,
const struct secret *blinding_ss,
const u8 *enc)
{
const unsigned char npub[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
struct secret rho;
u8 *dec;
const u8 *cursor;
size_t max;
int ret;
struct tlv_tlv_payload *tlv;
subkey_from_hmac("rho", blinding_ss, &rho);
if (tal_bytelen(enc) < crypto_aead_chacha20poly1305_ietf_ABYTES)
return NULL;
dec = tal_arr(tmpctx, u8,
tal_bytelen(enc)
- crypto_aead_chacha20poly1305_ietf_ABYTES);
ret = crypto_aead_chacha20poly1305_ietf_decrypt(dec, NULL,
NULL,
enc,
tal_bytelen(enc),
NULL, 0,
npub,
rho.data);
if (ret != 0)
return NULL;
tlv = tlv_tlv_payload_new(ctx);
cursor = dec;
max = tal_bytelen(dec);
if (!fromwire_tlv_payload(&cursor, &max, tlv))
return tal_free(tlv);
return tlv;
}
#endif /* EXPERIMENTAL_FEATURES */
struct onion_payload *onion_decode(const tal_t *ctx,
const struct route_step *rs,
const struct pubkey *blinding,
const struct secret *blinding_ss,
u64 *accepted_extra_tlvs,
u64 *failtlvtype,
size_t *failtlvpos)
{
struct onion_payload *p = tal(ctx, struct onion_payload);
const u8 *cursor = rs->raw_payload;
size_t max = tal_bytelen(cursor), len;
struct tlv_tlv_payload *tlv;
size_t badfield;
if (!pull_payload_length(&cursor, &max, true, &len))
goto general_fail;
tlv = tlv_tlv_payload_new(p);
if (!fromwire_tlv_payload(&cursor, &max, tlv)) {
/* FIXME: Fill in correct thing here! */
goto general_fail;
}
/* FIXME: This API makes it really hard to get the actual
* offset of field. */
if (!tlv_fields_valid(tlv->fields, accepted_extra_tlvs, &badfield)) {
*failtlvtype = tlv->fields[badfield].numtype;
goto field_bad;
}
/* BOLT #4:
*
* The reader:
* - MUST return an error if `amt_to_forward` or
* `outgoing_cltv_value` are not present.
*/
if (!tlv->amt_to_forward) {
*failtlvtype = TLV_TLV_PAYLOAD_AMT_TO_FORWARD;
goto field_bad;
}
if (!tlv->outgoing_cltv_value) {
*failtlvtype = TLV_TLV_PAYLOAD_OUTGOING_CLTV_VALUE;
goto field_bad;
}
p->amt_to_forward = amount_msat(*tlv->amt_to_forward);
p->outgoing_cltv = *tlv->outgoing_cltv_value;
/* BOLT #4:
*
* The writer:
*...
* - For every non-final node:
* - MUST include `short_channel_id`
*/
if (rs->nextcase == ONION_FORWARD) {
if (!tlv->short_channel_id) {
*failtlvtype = TLV_TLV_PAYLOAD_SHORT_CHANNEL_ID;
goto field_bad;
}
p->forward_channel = tal_dup(p, struct short_channel_id,
tlv->short_channel_id);
p->total_msat = NULL;
} else {
p->forward_channel = NULL;
/* BOLT #4:
* - if it is the final node:
* - MUST treat `total_msat` as if it were equal to
* `amt_to_forward` if it is not present. */
p->total_msat = tal_dup(p, struct amount_msat,
&p->amt_to_forward);
}
p->payment_secret = NULL;
p->blinding = tal_dup_or_null(p, struct pubkey, blinding);
#if EXPERIMENTAL_FEATURES
if (!p->blinding) {
/* If we have no blinding, it could be in TLV. */
if (tlv->blinding_point) {
p->blinding =
tal_dup(p, struct pubkey,
tlv->blinding_point);
ecdh(p->blinding, &p->blinding_ss);
}
} else
p->blinding_ss = *blinding_ss;
if (p->blinding) {
/* If they give us a blinding and we're not terminal,
* we must have an enctlv. */
if (rs->nextcase == ONION_FORWARD) {
struct tlv_tlv_payload *ntlv;
if (!tlv->encrypted_recipient_data) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
goto field_bad;
}
ntlv = decrypt_tlv(tmpctx,
&p->blinding_ss,
tlv->encrypted_recipient_data);
if (!ntlv) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
goto field_bad;
}
/* Must override short_channel_id */
if (!ntlv->short_channel_id) {
*failtlvtype = TLV_TLV_PAYLOAD_ENCRYPTED_RECIPIENT_DATA;
/* Place error at *end* of enctlv,
* indicating missing field. */
*failtlvpos = tlv_field_offset(rs->raw_payload,
tal_bytelen(rs->raw_payload),
*failtlvtype)
+ tal_bytelen(tlv->encrypted_recipient_data);
goto fail;
}
*p->forward_channel
= *ntlv->short_channel_id;
}
}
#endif /* EXPERIMENTAL_FEATURES */
if (tlv->payment_data) {
p->payment_secret = tal_dup(p, struct secret,
&tlv->payment_data->payment_secret);
tal_free(p->total_msat);
p->total_msat = tal(p, struct amount_msat);
*p->total_msat
= amount_msat(tlv->payment_data->total_msat);
}
p->tlv = tal_steal(p, tlv);
return p;
field_bad:
*failtlvpos = tlv_field_offset(rs->raw_payload, tal_bytelen(rs->raw_payload),
*failtlvtype);
goto fail;
general_fail:
*failtlvtype = 0;
*failtlvpos = tal_bytelen(rs->raw_payload);
goto fail;
fail:
tal_free(tlv);
tal_free(p);
return NULL;
}
Reference in New Issue View Git Blame Copy Permalink