1
0
mirror of https://github.com/lightning/bolts.git synced 2024-11-19 10:00:04 +01:00
Commit Graph

117 Commits

Author SHA1 Message Date
Darosior
452a0eb916
bolt-04: fix some typos (#752)
A missing parenthesis closure and some trailing tabs.
2020-03-11 09:28:56 +01:00
Orfeas Stefanos Thyfronitis Litos
a2afdfd12b
Keep hmac case consistent (#547)
Use `hmac` (lower-case) in packet fields to stay consistent with other fields.
2020-02-18 09:51:57 +01:00
Tim Ruffing
fb7102e034
Remove reference to DER encoding for public keys in compressed format (#742)
ECDSA signatures in Bitcoin are DER-encoded but public keys are not.

The compressed format for public keys is for example standardized in
Sections 2.3.3 and 2.3.4 of

  Standards for Efficient Cryptography, SEC 1: Elliptic Curve
  Cryptography, Certicom Research, Version 2, 2009,
  https://www.secg.org/sec1-v2.pdf
2020-02-17 11:00:30 +01:00
Christian Decker
7c1edeb063 bolt04: minor JSON fix and generate the exact number of bytes for the padding 2020-01-24 18:17:10 +01:00
Olaoluwa Osuntokun
8dd0b75809 BOLT-04: modify Sphinx packet construction to use starting random bytes
In this commit, we modify the existing instructions to create the Sphinx
packet to no longer start out with a zero initialize set of 1366 bytes.
Instead, we now instruct the sender to use _random_ bytes derived from a
CSPRG. This fixes a recently discovered privacy leak that allows an
adversarial exit hop to ascertain a lower bound on the true path length.

Note that this doesn't affect packet processing, so this is a backwards
compatible change. Only clients need to update in order to avoid this
privacy leak.

After this change is applied, the test vectors as is don't match the
spec, as they're created using the original all zero starting bytes. We
can either update these with our specified set of random bytes, or leave
them as is, as they're fully deterministic as is.

An alternative path would be to generate more random bytes from the
shared secret as we do elsewhere (the chacha based CSPRNG).
2020-01-24 18:17:10 +01:00
Conner Fromknecht
53653e5c52 BOLT 04: add missing subsections to ToC 2020-01-21 13:26:49 +01:00
ZmnSCPxj, ZmnSCPxj jxPCSmnZ
11f6017e84 04-onion-routing.md: Fix factual error about final_expiry_too_soon. (#722)
As reading of commit 6729755f shows, `final_expiry_too_soon` was
17, not PERM|17.

Note that because we folded a previously non-permanent failure into
the now-permanent PERM|15 failure code, modifications to payment
algorithms may now be needed to specificalyl detect this case,
otherwise payment algorithms may give up in some edge cases where
blocks are mined while payments are in-transit between sender and
receiver.
2020-01-10 13:27:29 -08:00
ueno
f219ee048a #711 don't allow a "fee" for the final node. (#718)
Update a requirement that was missed in #711
2020-01-08 10:06:04 +01:00
Rusty Russell
6ad8ee4cc4 BOLT 4/11: require payment_secret for multi-part payments.
This means the BOLT11 invoice must offer it (we already say it must
set the field if it offers it), and that the receiving node must
require it (again, we already say it must check it if it requires it).

Without the payment_secret, MPP payments are especially vulnerable to
probing attacks: unlike normal payments (with amounts) they can be
detected with 1msat payment probes.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 14:20:02 +10:30
Rusty Russell
4c3d01616d BOLT 4: Multi-part payments.
This also defines the TLV format for payment_secret; the two are intertwined.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 03:48:57 +00:00
Rusty Russell
2422630274 BOLT 4: don't allow a "fee" for the final node.
I recently made a cut & paste bug with the protocol tests, and
paid an HTLC of amount 100M msat, but with only a 1M msat `amt_to_forward`
in the hop_data.  To my surprise, it was accepted.

This is because we allow overpaying the routing fee (considered 0
for the final hop).  This doesn't make sense for the final hop: anything
but exact equality implies a bug, or that the previous node took the
wrong amount from the payment.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 01:07:09 +00:00
Darosior
6e1bea0d48 bolt04: Correct some typos (#667) 2019-09-06 08:39:16 +00:00
Bastien Teinturier
db92932a9f
BOLT 04: Add failure code for invalid payload. (#627)
The specification currently doesn't specify the case where the onion per-hop
payload can't be correctly decoded.

This is somewhat fine with the fixed frames because every field of the payload
can always be interpreted as a numeric value from the input bytes, so it leads
to application errors in upper layers when those values are actually
interpreted (and we realize that for instance we have an invalid
short_channel_id` value).

With variable-length tlv streams in the onion payloads, we will encounter
decoding errors (duplicate tlv types, invalid ordering, etc) and the spec
should define the failure code to use in that case.
2019-09-03 06:54:13 +00:00
Joost Jager
6729755f0c BOLT 4: Merge final_expiry_too_soon into incorrect_or_unknown_payment_details (#608)
In commit 914ebab908 the
incorrect_payment_amount error was merged into
incorrect_or_unknown_payment_details to prevent a probing attack
that allowed intermediate nodes to learn the final destination of
a payment.

A similar attack is possible using the htlc expiry value. By trying
payments with the correct amount but low expiry values to candidate
destinations, an incorrect_or_unknown_payment_details error can be
elicited. This would signal that the probe payment was sent to the
final destination.

For the intermediate node to determine the correct amount, an estimate
must be calculated. A logical choice would be the outgoing amount of the
intermediate node plus some allowance for routing fees that would
otherwise be paid to subsequent nodes along the path.

Picking a low enough - but not too low - expiry value is more tricky.
A reasonable guess could be made using external knowledge of the
final destination's implementation defaults or the type of invoice that
is paid to. Especially in the case of an hodl invoice that typically has
a large expiry delta, it is easier to make a correct guess.

This form of attack is arguably harder to realize than the amount probe
that was previously possible. The attacker may accidentally
pay the invoice if the expiry value guess satisfies the invoice
final cltv requirement. In that case, the attacker still has the
incoming htlc to pull which limits the loss.
2019-08-19 13:12:52 -07:00
Bastien Teinturier
8b2cf00546
Bolt 04: fix a few left-over spelling / clean-up nits (#653)
* Fix a few left-over spelling / clean-up nits
* Bolt 09: fix spec links
2019-07-31 07:21:38 +00:00
Christian Decker
d23f4b056c bolt04: Remove TLV based termination signal
As discussed during the IRC meeting on 2019-07-22 this would have been a
duplication of signals. It was decided to use one for now, with the option of
coming back should we ever need the last 32 bytes of the onion.
2019-07-26 11:38:33 +02:00
Christian Decker
0616c29bed bolt04: Introduce the destination_signal to the tlv_payload
As discussed during the spec meeting this allows us not to use the 32 byte
HMAC to identify the last hop, and use a 2-byte signal instead.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
6cdbedb649 bolt04: Add the TLV types for the new payload format
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
10c345bcf4 bolt04: Remove in-spec test vector in favor of JSON test vector
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
ecaf591bca bolt04: Amend the filler generation and onion decoding to varpayload
This actually introduces the variable size shift and filler generation.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
a148abbad5 bolt04: Describe the variable size hop_payload
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
3ac0091ef9 bolt04: Formatting cleanup and fold clarifications into conventions
The clarifications were tacked on after the fact, but they should really be
part of the conventions. I also updated the links to use the reference style,
which results in better text flow and makes it easier to read the source.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Orfeas Stefanos Thyfronitis Litos
238c06282d Rephrase last node payload requirements (#615)
Mention that `outgoing_cltv_value` has to be equal to
`min_final_cltv_expiry` and `amt_to_forward` has to be equal to
`amount` if the [BOLT #11](11-payment-encoding.md) invoice is used
2019-07-22 22:42:00 +02:00
Rusty Russell
6f6ea63233 BOLT 1,2,4,7: remove pubkey fundamental type in favor of point.
And remove `secret` and `preimage` types in favor of open-coding.

Agreed-at: http://www.erisian.com.au/meetbot/lightning-dev/2019/lightning-dev.2019-07-08-20.05.html

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-07-09 00:48:46 +00:00
Rusty Russell
6639cef095 Spec: use explicit types, not just bytelengths for fields.
It's trivial to make types->lengths, but not so much the other way.

The types I used here are the ones I found useful in implementation, and
I think add some clarity, though we can certainly argue about them.

There's no normative changes to the spec in here.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-07-09 00:48:46 +00:00
sstone
da71867c84 BOLT 4: fix onion vectors
Final result was correct but intermediary results had not been updated when the payloads were changed.
Fixes #494
2019-02-18 20:20:42 +00:00
Orfeas Stefanos Thyfronitis Litos
835ca46a81 BOLT 4: Correct "16-byte" to "12-byte" (padding) 2019-02-04 23:45:38 +00:00
Rusty Russell
a2480ca138 BOLT 4: remove incorrect_payment_amount altogether.
914ebab908 effectively deprecated this, but
left it for "reject if more than 2x expected amount" case.

Leaving it for gross overpayment still leaves an attack on the current
network in practice (all implementations I know of reject grossly excessive
payments), and removing it causes our code to nicely break when regenerating,
since that error code is now not defined anywhere.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-01-22 21:44:22 +01:00
Pierre-Marie Padiou
137106a716 report outgoing HTLC values when appropriate
For some relaying errors it makes more sense to report the values of the outgoing HTLC rather than the incoming HTLC.
2019-01-21 21:16:11 +01:00
Rusty Russell
cdb275b52e
Merge pull request #523 from nayuta-gondo/pr/20181204-ek_k
BOLT 4: fix the index of `ek`.
2019-01-07 19:42:17 +00:00
Matt Corallo
914ebab908 Merge incorrect_payment_amount and unknown_payment_hash errors
Because the errors are separate, if an intermediate node sees a
payment hash for relay and has several guesses as to the
destination of the payment, they can check their guesses by sending
HTLCs with the same payment hashes first and seeing the error sent
back.

By adding the htlc_msat that the final node received to
unknown_or_incorrect_payment_details, origin nodes can still
identify bad value-relaying peers.
2018-12-10 22:24:05 +00:00
Hiroki Gondo
88b0000a91 BOLT 4: fix the index of ek. 2018-12-04 18:05:49 +09:00
Conner Fromknecht
7163c52d93 04-onion-routing: document non-strict forwarding
This commit documents the allowance of non-strict
forwarding, permitting forwarding nodes to select
between any available outgoing channel with the peer
that would otherwise be specified by the
short_channel_id in the onion packet.

It also includes recommendations for fee schedules
when using non-strict forwarding, either by using
a uniform fee schedule with a peer or only
considering like-policied channels, to ensure the
channel is truly equivalent in terms of fee revenue
for the forwarder.
2018-11-29 04:21:46 +00:00
araspitzu
2b2e5632ca BOLT 4 Add clarifications about the longest route 2018-11-29 04:12:36 +00:00
araspitzu
90ba6ddbc5 Explicit the number of intermediate nodes in the longest route supported by the spec 2018-11-29 04:12:36 +00:00
araspitzu
a01efdd65e BOLT 4: clarify the maximum length of the route 2018-11-29 04:12:36 +00:00
Rusty Russell
bca814e270 BOLT 4: final_incorrect_htlc_amount should be 64-bits.
Fixes: #469
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2018-10-18 05:17:48 +00:00
sstone
6e6c28dae5 BOLT4: fix description of incorrect_cltv_expiry error
The explanation in the requirements section is correct but the
error message description was probably copy-pasted from
`final_incorrect_cltv_expiry`
2018-10-01 13:22:58 -07:00
ueno
3f2c747955 fix typos 2018-08-07 00:07:42 +00:00
Fabrice Drouin
33698608da Add changes requested by @cdecker 2018-05-14 01:03:44 +00:00
Fabrice Drouin
cac009cf7b BOLT4: channel_update is mandatory in UPDATE error messages 2018-05-14 01:03:44 +00:00
ueno
d52e54e1a4 the amount paid is less than the amount expected 2018-04-16 23:28:03 +02:00
Olaoluwa Osuntokun
71630b4766 BOLT 4: update sphinx packet test vector (#372)
* BOLT 4: update sphinx packet test vector

In this commit, we update the test vector for the final onion packet. In
commit 068b0bccf9, the per-hop payloads
were updated to use 8 byte amounts everywhere. However, the test vectors
were not updated. In 578573f92f the test
vectors were updated to use the proper version prefix. However, this
assumed that the state of the vectors as is was correct.

To remedy this, we've updated the test vectors to reflect the final
result using the current format for encoding the per-hop payloads. This
final test vector was generated using the original tool that we used to
confirm compatibility between the C and Go versions.
2018-04-16 16:41:04 +02:00
Jim Posen
c4e42bcfd6 BOLT 4: Rearrange sections, moving dependent concepts lower. 2018-03-05 20:11:32 +01:00
Jim Posen
3927ae3fd1 BOLT 4: Update onion construction reference code.
The description now suggests the use of an ephemeral private key, so
the reference code is simplified by using that concept. The reference
code is also updated to make fewer calls to undefined functions.
2018-03-05 20:11:32 +01:00
Jim Posen
5a3b5ce0bd BOLT 4: Clarify the onion construction section.
The new description introduces the concept of an ephemeral private key,
which I find easier to reason about and suggests a linear instead of
quadratic construction algorithm.
2018-03-05 20:11:32 +01:00
Jim Posen
745629d0f2 BOLT 4: Correct blinding factor calculation.
The instructions reference nodepk_k instead of epk_k.
2018-03-05 20:11:32 +01:00
Jim Posen
f7eb7e4d96 BOLT 4: Correct shared secret calculation.
Reference code and all implementations hash the ECDH output point with SHA256.
2018-03-05 20:11:32 +01:00
practicalswift
2c3466a2af Remove trailing whitespace 2018-01-30 04:54:31 +00:00
Rusty Russell
f6a91fbb11 BOLT 4: the failure codes are not one long enumerated list.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2018-01-30 03:47:32 +00:00