Implement receiving and forwarding onion messages

This required adapting `onion_utils::decode_next_hop` to work for both payments
and onion messages.

Currently we just print out the path_id of any onion messages we receive. In
the future, these received onion messages will be redirected to their
respective handlers: i.e. an invoice_request will go to an InvoiceHandler,
custom onion messages will go to a custom handler, etc.

lightning/src/ln/channelmanager.rs

@@ -2159,7 +2159,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			}
 		}
 
-		let next_hop = match onion_utils::decode_next_hop(shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, msg.payment_hash) {
+		let next_hop = match onion_utils::decode_next_payment_hop(shared_secret, &msg.onion_routing_packet.hop_data[..], msg.onion_routing_packet.hmac, msg.payment_hash) {
 			Ok(res) => res,
 			Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 				return_malformed_err!(err_msg, err_code);
@@ -3058,7 +3058,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 												let phantom_secret_res = self.keys_manager.get_node_secret(Recipient::PhantomNode);
 												if phantom_secret_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id) {
 													let phantom_shared_secret = SharedSecret::new(&onion_packet.public_key.unwrap(), &phantom_secret_res.unwrap()).secret_bytes();
-													let next_hop = match onion_utils::decode_next_hop(phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
+													let next_hop = match onion_utils::decode_next_payment_hop(phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
 														Ok(res) => res,
 														Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
 															let sha256_of_onion = Sha256::hash(&onion_packet.hop_data).into_inner();

lightning/src/ln/msgs.rs

@@ -42,7 +42,7 @@ use io_extras::read_to_end;
 
 use util::events::MessageSendEventsProvider;
 use util::logger;
-use util::ser::{LengthReadable, Readable, Writeable, Writer, FixedLengthReader, HighZeroBytesDroppedVarInt, Hostname};
+use util::ser::{LengthReadable, Readable, ReadableArgs, Writeable, Writer, FixedLengthReader, HighZeroBytesDroppedVarInt, Hostname};
 
 use ln::{PaymentPreimage, PaymentHash, PaymentSecret};
 
@@ -1417,6 +1417,14 @@ impl Writeable for OnionHopData {
 	}
 }
 
+// ReadableArgs because we need onion_utils::decode_next_hop to accommodate payment packets and
+// onion message packets.
+impl ReadableArgs<()> for OnionHopData {
+	fn read<R: Read>(r: &mut R, _arg: ()) -> Result<Self, DecodeError> {
+		<Self as Readable>::read(r)
+	}
+}
+
 impl Readable for OnionHopData {
 	fn read<R: Read>(mut r: &mut R) -> Result<Self, DecodeError> {
 		use bitcoin::consensus::encode::{Decodable, Error, VarInt};

lightning/src/ln/onion_utils.rs

@@ -15,7 +15,7 @@ use routing::gossip::NetworkUpdate;
 use routing::router::RouteHop;
 use util::chacha20::{ChaCha20, ChaChaReader};
 use util::errors::{self, APIError};
-use util::ser::{Readable, Writeable, LengthCalculatingWriter};
+use util::ser::{Readable, ReadableArgs, Writeable, LengthCalculatingWriter};
 use util::logger::Logger;
 
 use bitcoin::hashes::{Hash, HashEngine};
@@ -82,7 +82,7 @@ pub(super) fn gen_ammag_from_shared_secret(shared_secret: &[u8]) -> [u8; 32] {
 	Hmac::from_engine(hmac).into_inner()
 }
 
-pub(super) fn next_hop_packet_pubkey<T: secp256k1::Signing + secp256k1::Verification>(secp_ctx: &Secp256k1<T>, mut packet_pubkey: PublicKey, packet_shared_secret: &[u8; 32]) -> Result<PublicKey, secp256k1::Error> {
+pub(crate) fn next_hop_packet_pubkey<T: secp256k1::Signing + secp256k1::Verification>(secp_ctx: &Secp256k1<T>, mut packet_pubkey: PublicKey, packet_shared_secret: &[u8; 32]) -> Result<PublicKey, secp256k1::Error> {
 	let blinding_factor = {
 		let mut sha = Sha256::engine();
 		sha.input(&packet_pubkey.serialize()[..]);
@@ -580,7 +580,50 @@ pub(super) fn process_onion_failure<T: secp256k1::Signing, L: Deref>(secp_ctx: &
 	} else { unreachable!(); }
 }
 
-/// Data decrypted from the onion payload.
+/// An input used when decoding an onion packet.
+pub(crate) trait DecodeInput {
+	type Arg;
+	/// If Some, this is the input when checking the hmac of the onion packet.
+	fn payment_hash(&self) -> Option<&PaymentHash>;
+	/// Read argument when decrypting our hop payload.
+	fn read_arg(self) -> Self::Arg;
+}
+
+impl DecodeInput for PaymentHash {
+	type Arg = ();
+	fn payment_hash(&self) -> Option<&PaymentHash> {
+		Some(self)
+	}
+	fn read_arg(self) -> Self::Arg { () }
+}
+
+impl DecodeInput for SharedSecret {
+	type Arg = SharedSecret;
+	fn payment_hash(&self) -> Option<&PaymentHash> {
+		None
+	}
+	fn read_arg(self) -> Self::Arg { self }
+}
+
+/// Allows `decode_next_hop` to return the next hop packet bytes for either payments or onion
+/// message forwards.
+pub(crate) trait NextPacketBytes: AsMut<[u8]> {
+	fn new(len: usize) -> Self;
+}
+
+impl NextPacketBytes for FixedSizeOnionPacket {
+	fn new(_len: usize) -> Self  {
+		Self([0 as u8; ONION_DATA_LEN])
+	}
+}
+
+impl NextPacketBytes for Vec<u8> {
+	fn new(len: usize) -> Self {
+		vec![0 as u8; len]
+	}
+}
+
+/// Data decrypted from a payment's onion payload.
 pub(crate) enum Hop {
 	/// This onion payload was for us, not for forwarding to a next-hop. Contains information for
 	/// verifying the incoming payment.
@@ -592,11 +635,12 @@ pub(crate) enum Hop {
 		/// HMAC of the next hop's onion packet.
 		next_hop_hmac: [u8; 32],
 		/// Bytes of the onion packet we're forwarding.
-		new_packet_bytes: [u8; 20*65],
+		new_packet_bytes: [u8; ONION_DATA_LEN],
 	},
 }
 
 /// Error returned when we fail to decode the onion packet.
+#[derive(Debug)]
 pub(crate) enum OnionDecodeErr {
 	/// The HMAC of the onion packet did not match the hop data.
 	Malformed {
@@ -610,11 +654,27 @@ pub(crate) enum OnionDecodeErr {
 	},
 }
 
-pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash) -> Result<Hop, OnionDecodeErr> {
+pub(crate) fn decode_next_payment_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], payment_hash: PaymentHash) -> Result<Hop, OnionDecodeErr> {
+	match decode_next_hop(shared_secret, hop_data, hmac_bytes, payment_hash) {
+		Ok((next_hop_data, None)) => Ok(Hop::Receive(next_hop_data)),
+		Ok((next_hop_data, Some((next_hop_hmac, FixedSizeOnionPacket(new_packet_bytes))))) => {
+			Ok(Hop::Forward {
+				next_hop_data,
+				next_hop_hmac,
+				new_packet_bytes
+			})
+		},
+		Err(e) => Err(e),
+	}
+}
+
+pub(crate) fn decode_next_hop<D: DecodeInput, R: ReadableArgs<D::Arg>, N: NextPacketBytes>(shared_secret: [u8; 32], hop_data: &[u8], hmac_bytes: [u8; 32], decode_input: D) -> Result<(R, Option<([u8; 32], N)>), OnionDecodeErr> {
 	let (rho, mu) = gen_rho_mu_from_shared_secret(&shared_secret);
 	let mut hmac = HmacEngine::<Sha256>::new(&mu);
 	hmac.input(hop_data);
+	if let Some(payment_hash) = decode_input.payment_hash() {
 		hmac.input(&payment_hash.0[..]);
+	}
 	if !fixed_time_eq(&Hmac::from_engine(hmac).into_inner(), &hmac_bytes) {
 		return Err(OnionDecodeErr::Malformed {
 			err_msg: "HMAC Check failed",
@@ -624,7 +684,7 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 
 	let mut chacha = ChaCha20::new(&rho, &[0u8; 8]);
 	let mut chacha_stream = ChaChaReader { chacha: &mut chacha, read: Cursor::new(&hop_data[..]) };
-	match <msgs::OnionHopData as Readable>::read(&mut chacha_stream) {
+	match R::read(&mut chacha_stream, decode_input.read_arg()) {
 		Err(err) => {
 			let error_code = match err {
 				msgs::DecodeError::UnknownVersion => 0x4000 | 1, // unknown realm byte
@@ -662,10 +722,10 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 					chacha_stream.read_exact(&mut next_bytes).unwrap();
 					assert_ne!(next_bytes[..], [0; 32][..]);
 				}
-				return Ok(Hop::Receive(msg));
+				return Ok((msg, None)); // We are the final destination for this packet
 			} else {
-				let mut new_packet_bytes = [0; 20*65];
-				let read_pos = chacha_stream.read(&mut new_packet_bytes).unwrap();
+				let mut new_packet_bytes = N::new(hop_data.len());
+				let read_pos = chacha_stream.read(new_packet_bytes.as_mut()).unwrap();
 				#[cfg(debug_assertions)]
 				{
 					// Check two things:
@@ -677,12 +737,8 @@ pub(crate) fn decode_next_hop(shared_secret: [u8; 32], hop_data: &[u8], hmac_byt
 				}
 				// Once we've emptied the set of bytes our peer gave us, encrypt 0 bytes until we
 				// fill the onion hop data we'll forward to our next-hop peer.
-				chacha_stream.chacha.process_in_place(&mut new_packet_bytes[read_pos..]);
-				return Ok(Hop::Forward {
-					next_hop_data: msg,
-					next_hop_hmac: hmac,
-					new_packet_bytes,
-				})
+				chacha_stream.chacha.process_in_place(&mut new_packet_bytes.as_mut()[read_pos..]);
+				return Ok((msg, Some((hmac, new_packet_bytes)))) // This packet needs forwarding
 			}
 		},
 	}

lightning/src/onion_message/messenger.rs

@@ -10,9 +10,12 @@
 //! LDK sends, receives, and forwards onion messages via the [`OnionMessenger`]. See its docs for
 //! more information.
 
+use bitcoin::hashes::{Hash, HashEngine};
+use bitcoin::hashes::hmac::{Hmac, HmacEngine};
+use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::secp256k1::{self, PublicKey, Secp256k1, SecretKey};
 
-use chain::keysinterface::{InMemorySigner, KeysInterface, KeysManager, Sign};
+use chain::keysinterface::{InMemorySigner, KeysInterface, KeysManager, Recipient, Sign};
 use ln::msgs;
 use ln::onion_utils;
 use super::blinded_route::{BlindedRoute, ForwardTlvs, ReceiveTlvs};
@@ -104,6 +107,97 @@ impl<Signer: Sign, K: Deref, L: Deref> OnionMessenger<Signer, K, L>
 		);
 		Ok(())
 	}
+
+	/// Handle an incoming onion message. Currently, if a message was destined for us we will log, but
+	/// soon we'll delegate the onion message to a handler that can generate invoices or send
+	/// payments.
+	pub fn handle_onion_message(&self, _peer_node_id: &PublicKey, msg: &msgs::OnionMessage) {
+		let control_tlvs_ss = match self.keys_manager.ecdh(Recipient::Node, &msg.blinding_point, None) {
+			Ok(ss) => ss,
+			Err(e) =>  {
+				log_error!(self.logger, "Failed to retrieve node secret: {:?}", e);
+				return
+			}
+		};
+		let onion_decode_ss = {
+			let blinding_factor = {
+				let mut hmac = HmacEngine::<Sha256>::new(b"blinded_node_id");
+				hmac.input(control_tlvs_ss.as_ref());
+				Hmac::from_engine(hmac).into_inner()
+			};
+			match self.keys_manager.ecdh(Recipient::Node, &msg.onion_routing_packet.public_key,
+				Some(&blinding_factor))
+			{
+				Ok(ss) => ss.secret_bytes(),
+				Err(()) => {
+					log_trace!(self.logger, "Failed to compute onion packet shared secret");
+					return
+				}
+			}
+		};
+		match onion_utils::decode_next_hop(onion_decode_ss, &msg.onion_routing_packet.hop_data[..],
+			msg.onion_routing_packet.hmac, control_tlvs_ss)
+		{
+			Ok((Payload::Receive {
+				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { path_id })
+			}, None)) => {
+				log_info!(self.logger, "Received an onion message with path_id: {:02x?}", path_id);
+			},
+			Ok((Payload::Forward(ForwardControlTlvs::Unblinded(ForwardTlvs {
+				next_node_id, next_blinding_override
+			})), Some((next_hop_hmac, new_packet_bytes)))) => {
+				// TODO: we need to check whether `next_node_id` is our node, in which case this is a dummy
+				// blinded hop and this onion message is destined for us. In this situation, we should keep
+				// unwrapping the onion layers to get to the final payload. Since we don't have the option
+				// of creating blinded routes with dummy hops currently, we should be ok to not handle this
+				// for now.
+				let new_pubkey = match onion_utils::next_hop_packet_pubkey(&self.secp_ctx, msg.onion_routing_packet.public_key, &onion_decode_ss) {
+					Ok(pk) => pk,
+					Err(e) => {
+						log_trace!(self.logger, "Failed to compute next hop packet pubkey: {}", e);
+						return
+					}
+				};
+				let outgoing_packet = Packet {
+					version: 0,
+					public_key: new_pubkey,
+					hop_data: new_packet_bytes,
+					hmac: next_hop_hmac,
+				};
+
+				let mut pending_per_peer_msgs = self.pending_messages.lock().unwrap();
+				let pending_msgs = pending_per_peer_msgs.entry(next_node_id).or_insert(Vec::new());
+				pending_msgs.push(
+					msgs::OnionMessage {
+						blinding_point: match next_blinding_override {
+							Some(blinding_point) => blinding_point,
+							None => {
+								let blinding_factor = {
+									let mut sha = Sha256::engine();
+									sha.input(&msg.blinding_point.serialize()[..]);
+									sha.input(control_tlvs_ss.as_ref());
+									Sha256::from_engine(sha).into_inner()
+								};
+								let mut next_blinding_point = msg.blinding_point;
+								if let Err(e) = next_blinding_point.mul_assign(&self.secp_ctx, &blinding_factor[..]) {
+									log_trace!(self.logger, "Failed to compute next blinding point: {}", e);
+									return
+								}
+								next_blinding_point
+							},
+						},
+						onion_routing_packet: outgoing_packet,
+					},
+				);
+			},
+			Err(e) => {
+				log_trace!(self.logger, "Errored decoding onion message packet: {:?}", e);
+			},
+			_ => {
+				log_trace!(self.logger, "Received bogus onion message packet, either the sender encoded a final hop as a forwarding hop or vice versa");
+			},
+		};
+	}
 }
 
 // TODO: parameterize the below Simple* types with OnionMessenger and handle the messages it

lightning/src/onion_message/packet.rs

@@ -10,15 +10,16 @@
 //! Structs and enums useful for constructing and reading an onion message packet.
 
 use bitcoin::secp256k1::PublicKey;
+use bitcoin::secp256k1::ecdh::SharedSecret;
 
 use ln::msgs::DecodeError;
 use ln::onion_utils;
 use super::blinded_route::{ForwardTlvs, ReceiveTlvs};
-use util::chacha20poly1305rfc::ChaChaPolyWriteAdapter;
-use util::ser::{LengthRead, LengthReadable, Readable, Writeable, Writer};
+use util::chacha20poly1305rfc::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
+use util::ser::{FixedLengthReader, LengthRead, LengthReadable, LengthReadableArgs, Readable, ReadableArgs, Writeable, Writer};
 
 use core::cmp;
-use io;
+use io::{self, Read};
 use prelude::*;
 
 // Per the spec, an onion message packet's `hop_data` field length should be
@@ -28,14 +29,14 @@ pub(super) const BIG_PACKET_HOP_DATA_LEN: usize = 32768;
 
 #[derive(Clone, Debug, PartialEq)]
 pub(crate) struct Packet {
-	version: u8,
-	public_key: PublicKey,
+	pub(super) version: u8,
+	pub(super) public_key: PublicKey,
 	// Unlike the onion packets used for payments, onion message packets can have payloads greater
 	// than 1300 bytes.
 	// TODO: if 1300 ends up being the most common size, optimize this to be:
 	// enum { ThirteenHundred([u8; 1300]), VarLen(Vec<u8>) }
-	hop_data: Vec<u8>,
-	hmac: [u8; 32],
+	pub(super) hop_data: Vec<u8>,
+	pub(super) hmac: [u8; 32],
 }
 
 impl onion_utils::Packet for Packet {
@@ -156,3 +157,94 @@ impl Writeable for (Payload, [u8; 32]) {
 		Ok(())
 	}
 }
+
+// Uses the provided secret to simultaneously decode and decrypt the control TLVs.
+impl ReadableArgs<SharedSecret> for Payload {
+	fn read<R: Read>(mut r: &mut R, encrypted_tlvs_ss: SharedSecret) -> Result<Self, DecodeError> {
+		use bitcoin::consensus::encode::{Decodable, Error, VarInt};
+		let v: VarInt = Decodable::consensus_decode(&mut r)
+			.map_err(|e| match e {
+				Error::Io(ioe) => DecodeError::from(ioe),
+				_ => DecodeError::InvalidValue
+			})?;
+
+		let mut rd = FixedLengthReader::new(r, v.0);
+		// TODO: support reply paths
+		let mut _reply_path_bytes: Option<Vec<u8>> = Some(Vec::new());
+		let mut read_adapter: Option<ChaChaPolyReadAdapter<ControlTlvs>> = None;
+		let rho = onion_utils::gen_rho_from_shared_secret(&encrypted_tlvs_ss.secret_bytes());
+		decode_tlv_stream!(&mut rd, {
+			(2, _reply_path_bytes, vec_type),
+			(4, read_adapter, (option: LengthReadableArgs, rho))
+		});
+		rd.eat_remaining().map_err(|_| DecodeError::ShortRead)?;
+
+		match read_adapter {
+			None => return Err(DecodeError::InvalidValue),
+			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Forward(tlvs)}) => {
+				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
+			},
+			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Receive(tlvs)}) => {
+				Ok(Payload::Receive { control_tlvs: ReceiveControlTlvs::Unblinded(tlvs)})
+			},
+		}
+	}
+}
+
+/// When reading a packet off the wire, we don't know a priori whether the packet is to be forwarded
+/// or received. Thus we read a ControlTlvs rather than reading a ForwardControlTlvs or
+/// ReceiveControlTlvs directly.
+pub(super) enum ControlTlvs {
+	/// This onion message is intended to be forwarded.
+	Forward(ForwardTlvs),
+	/// This onion message is intended to be received.
+	Receive(ReceiveTlvs),
+}
+
+impl Readable for ControlTlvs {
+	fn read<R: Read>(mut r: &mut R) -> Result<Self, DecodeError> {
+		let mut _padding: Option<Padding> = None;
+		let mut _short_channel_id: Option<u64> = None;
+		let mut next_node_id: Option<PublicKey> = None;
+		let mut path_id: Option<[u8; 32]> = None;
+		let mut next_blinding_override: Option<PublicKey> = None;
+		decode_tlv_stream!(&mut r, {
+			(1, _padding, option),
+			(2, _short_channel_id, option),
+			(4, next_node_id, option),
+			(6, path_id, option),
+			(8, next_blinding_override, option),
+		});
+
+		let valid_fwd_fmt  = next_node_id.is_some() && path_id.is_none();
+		let valid_recv_fmt = next_node_id.is_none() && next_blinding_override.is_none();
+
+		let payload_fmt = if valid_fwd_fmt {
+			ControlTlvs::Forward(ForwardTlvs {
+				next_node_id: next_node_id.unwrap(),
+				next_blinding_override,
+			})
+		} else if valid_recv_fmt {
+			ControlTlvs::Receive(ReceiveTlvs {
+				path_id,
+			})
+		} else {
+			return Err(DecodeError::InvalidValue)
+		};
+
+		Ok(payload_fmt)
+	}
+}
+
+/// Reads padding to the end, ignoring what's read.
+pub(crate) struct Padding {}
+impl Readable for Padding {
+	#[inline]
+	fn read<R: Read>(reader: &mut R) -> Result<Self, DecodeError> {
+		loop {
+			let mut buf = [0; 8192];
+			if reader.read(&mut buf[..])? == 0 { break; }
+		}
+		Ok(Self {})
+	}
+}