Accept blinded paths built by a phantom node participant

In the next commit we'll add support for building a BOLT 12 offer
which can be paid to any one of a number of participant nodes. Here
we add support for validating blinded paths as coming from one of
the participating nodes by deriving a new key as a part of the
`ExpandedKey`.

We keep this separate from the existing `ReceiveAuthKey` which is
node-specific to ensure that we only allow this key to be used for
blinded payment paths and contexts in `invoice_request` messages.
This ensures that normal onion messages are still tied to specific
nodes.

Note that we will not yet use the blinded payment path phantom
support which requires additional future work. However, allowing
them to be authenticated in a phantom configuration should allow
for compatibility across versions once the building logic lands.

Author: TheBlueMatt

fuzz/src/onion_message.rs

@@ -260,7 +260,7 @@ impl NodeSigner for KeyProvider {
 	}
 
 	fn get_expanded_key(&self) -> ExpandedKey {
-		unreachable!()
+		ExpandedKey::new([42; 32])
 	}
 
 	fn sign_invoice(

lightning/src/blinded_path/payment.rs

@@ -14,7 +14,7 @@ use bitcoin::secp256k1::{self, PublicKey, Secp256k1, SecretKey};
 
 use crate::blinded_path::utils::{self, BlindedPathWithPadding};
 use crate::blinded_path::{BlindedHop, BlindedPath, IntroductionNode, NodeIdLookUp};
-use crate::crypto::streams::ChaChaDualPolyReadAdapter;
+use crate::crypto::streams::{ChaChaTriPolyReadAdapter, TriPolyAADUsed};
 use crate::io;
 use crate::io::Cursor;
 use crate::ln::channel_state::CounterpartyForwardingInfo;
@@ -268,18 +268,20 @@ impl BlindedPaymentPath {
 			node_signer.ecdh(Recipient::Node, &self.inner_path.blinding_point, None)?;
 		let rho = onion_utils::gen_rho_from_shared_secret(&control_tlvs_ss.secret_bytes());
 		let receive_auth_key = node_signer.get_receive_auth_key();
+		let phantom_auth_key = node_signer.get_expanded_key().phantom_node_blinded_path_key;
+		let read_arg = (rho, receive_auth_key.0, phantom_auth_key);
+
 		let encrypted_control_tlvs =
 			&self.inner_path.blinded_hops.get(0).ok_or(())?.encrypted_payload;
 		let mut s = Cursor::new(encrypted_control_tlvs);
 		let mut reader = FixedLengthReader::new(&mut s, encrypted_control_tlvs.len() as u64);
-		let ChaChaDualPolyReadAdapter { readable, used_aad } =
-			ChaChaDualPolyReadAdapter::read(&mut reader, (rho, receive_auth_key.0))
-				.map_err(|_| ())?;
-
-		match (&readable, used_aad) {
-			(BlindedPaymentTlvs::Forward(_), false)
-			| (BlindedPaymentTlvs::Dummy(_), true)
-			| (BlindedPaymentTlvs::Receive(_), true) => Ok((readable, control_tlvs_ss)),
+		let ChaChaTriPolyReadAdapter { readable, used_aad } =
+			ChaChaTriPolyReadAdapter::read(&mut reader, read_arg).map_err(|_| ())?;
+
+		match (&readable, used_aad == TriPolyAADUsed::None) {
+			(BlindedPaymentTlvs::Forward(_), true)
+			| (BlindedPaymentTlvs::Dummy(_), false)
+			| (BlindedPaymentTlvs::Receive(_), false) => Ok((readable, control_tlvs_ss)),
 			_ => Err(()),
 		}
 	}

lightning/src/crypto/streams.rs

@@ -58,7 +58,7 @@ impl<'a, T: Writeable> Writeable for ChaChaPolyWriteAdapter<'a, T> {
 }
 
 /// Encrypts the provided plaintext with the given key using ChaCha20Poly1305 in the modified
-/// with-AAD form used in [`ChaChaDualPolyReadAdapter`].
+/// with-AAD form used in [`ChaChaTriPolyReadAdapter`].
 pub(crate) fn chachapoly_encrypt_with_swapped_aad(
 	mut plaintext: Vec<u8>, key: [u8; 32], aad: [u8; 32],
 ) -> Vec<u8> {
@@ -84,34 +84,48 @@ pub(crate) fn chachapoly_encrypt_with_swapped_aad(
 	plaintext
 }
 
+#[derive(PartialEq, Eq)]
+pub(crate) enum TriPolyAADUsed {
+	/// No AAD was used.
+	///
+	/// The HMAC validated with standard ChaCha20Poly1305.
+	None,
+	/// The HMAC vlidated using the first AAD provided.
+	First,
+	/// The HMAC vlidated using the second AAD provided.
+	Second,
+}
+
 /// Enables the use of the serialization macros for objects that need to be simultaneously decrypted
 /// and deserialized. This allows us to avoid an intermediate Vec allocation.
 ///
-/// This variant of [`ChaChaPolyReadAdapter`] calculates Poly1305 tags twice, once using the given
-/// key and once with the given 32-byte AAD appended after the encrypted stream, accepting either
-/// being correct as sufficient.
+/// This variant of [`ChaChaPolyReadAdapter`] calculates Poly1305 tags thrice, once using the given
+/// key and once each for the two given 32-byte AADs appended after the encrypted stream, accepting
+/// any being correct as sufficient.
 ///
-/// Note that we do *not* use the provided AAD as the standard ChaCha20Poly1305 AAD as that would
+/// Note that we do *not* use the provided AADs as the standard ChaCha20Poly1305 AAD as that would
 /// require placing it first and prevent us from avoiding redundant Poly1305 rounds. Instead, the
 /// ChaCha20Poly1305 MAC check is tweaked to move the AAD to *after* the the contents being
 /// checked, effectively treating the contents as the AAD for the AAD-containing MAC but behaving
 /// like classic ChaCha20Poly1305 for the non-AAD-containing MAC.
-pub(crate) struct ChaChaDualPolyReadAdapter<R: Readable> {
+pub(crate) struct ChaChaTriPolyReadAdapter<R: Readable> {
 	pub readable: R,
-	pub used_aad: bool,
+	pub used_aad: TriPolyAADUsed,
 }
 
-impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32])> for ChaChaDualPolyReadAdapter<T> {
+impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32], [u8; 32])>
+	for ChaChaTriPolyReadAdapter<T>
+{
 	// Simultaneously read and decrypt an object from a LengthLimitedRead storing it in
 	// Self::readable. LengthLimitedRead must be used instead of std::io::Read because we need the
 	// total length to separate out the tag at the end.
 	fn read<R: LengthLimitedRead>(
-		r: &mut R, params: ([u8; 32], [u8; 32]),
+		r: &mut R, params: ([u8; 32], [u8; 32], [u8; 32]),
 	) -> Result<Self, DecodeError> {
 		if r.remaining_bytes() < 16 {
 			return Err(DecodeError::InvalidValue);
 		}
-		let (key, aad) = params;
+		let (key, aad_a, aad_b) = params;
 
 		let mut chacha = ChaCha20::new(&key[..], &[0; 12]);
 		let mut mac_key = [0u8; 64];
@@ -125,7 +139,7 @@ impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32])> for ChaChaDualPolyRea
 		let decrypted_len = r.remaining_bytes() - 16;
 		let s = FixedLengthReader::new(r, decrypted_len);
 		let mut chacha_stream =
-			ChaChaDualPolyReader { chacha: &mut chacha, poly: &mut mac, read_len: 0, read: s };
+			ChaChaTriPolyReader { chacha: &mut chacha, poly: &mut mac, read_len: 0, read: s };
 
 		let readable: T = Readable::read(&mut chacha_stream)?;
 		while chacha_stream.read.bytes_remain() {
@@ -142,14 +156,18 @@ impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32])> for ChaChaDualPolyRea
 			mac.input(&[0; 16][0..16 - (read_len % 16)]);
 		}
 
-		let mut mac_aad = mac;
+		let mut mac_aad_a = mac;
+		let mut mac_aad_b = mac;
 
-		mac_aad.input(&aad[..]);
+		mac_aad_a.input(&aad_a[..]);
+		mac_aad_b.input(&aad_b[..]);
 		// Note that we don't need to pad the AAD since its a multiple of 16 bytes
 
 		// For the AAD-containing MAC, swap the AAD and the read data, effectively.
-		mac_aad.input(&(read_len as u64).to_le_bytes());
-		mac_aad.input(&32u64.to_le_bytes());
+		mac_aad_a.input(&(read_len as u64).to_le_bytes());
+		mac_aad_b.input(&(read_len as u64).to_le_bytes());
+		mac_aad_a.input(&32u64.to_le_bytes());
+		mac_aad_b.input(&32u64.to_le_bytes());
 
 		// For the non-AAD-containing MAC, leave the data and AAD where they belong.
 		mac.input(&0u64.to_le_bytes());
@@ -158,23 +176,25 @@ impl<T: Readable> LengthReadableArgs<([u8; 32], [u8; 32])> for ChaChaDualPolyRea
 		let mut tag = [0 as u8; 16];
 		r.read_exact(&mut tag)?;
 		if fixed_time_eq(&mac.result(), &tag) {
-			Ok(Self { readable, used_aad: false })
-		} else if fixed_time_eq(&mac_aad.result(), &tag) {
-			Ok(Self { readable, used_aad: true })
+			Ok(Self { readable, used_aad: TriPolyAADUsed::None })
+		} else if fixed_time_eq(&mac_aad_a.result(), &tag) {
+			Ok(Self { readable, used_aad: TriPolyAADUsed::First })
+		} else if fixed_time_eq(&mac_aad_b.result(), &tag) {
+			Ok(Self { readable, used_aad: TriPolyAADUsed::Second })
 		} else {
 			return Err(DecodeError::InvalidValue);
 		}
 	}
 }
 
-struct ChaChaDualPolyReader<'a, R: Read> {
+struct ChaChaTriPolyReader<'a, R: Read> {
 	chacha: &'a mut ChaCha20,
 	poly: &'a mut Poly1305,
 	read_len: usize,
 	pub read: R,
 }
 
-impl<'a, R: Read> Read for ChaChaDualPolyReader<'a, R> {
+impl<'a, R: Read> Read for ChaChaTriPolyReader<'a, R> {
 	// Decrypts bytes from Self::read into `dest`.
 	// After all reads complete, the caller must compare the expected tag with
 	// the result of `Poly1305::result()`.
@@ -349,15 +369,15 @@ mod tests {
 	}
 
 	#[test]
-	fn short_read_chacha_dual_read_adapter() {
-		// Previously, if we attempted to read from a ChaChaDualPolyReadAdapter but the object
+	fn short_read_chacha_tri_read_adapter() {
+		// Previously, if we attempted to read from a ChaChaTriPolyReadAdapter but the object
 		// being read is shorter than the available buffer while the buffer passed to
-		// ChaChaDualPolyReadAdapter itself always thinks it has room, we'd end up
+		// ChaChaTriPolyReadAdapter itself always thinks it has room, we'd end up
 		// infinite-looping as we didn't handle `Read::read`'s 0 return values at EOF.
 		let mut stream = &[0; 1024][..];
 		let mut too_long_stream = FixedLengthReader::new(&mut stream, 2048);
-		let keys = ([42; 32], [99; 32]);
-		let res = super::ChaChaDualPolyReadAdapter::<u8>::read(&mut too_long_stream, keys);
+		let keys = ([42; 32], [98; 32], [99; 32]);
+		let res = super::ChaChaTriPolyReadAdapter::<u8>::read(&mut too_long_stream, keys);
 		match res {
 			Ok(_) => panic!(),
 			Err(e) => assert_eq!(e, DecodeError::ShortRead),

lightning/src/ln/blinded_payment_tests.rs

@@ -1696,7 +1696,7 @@ fn route_blinding_spec_test_vector() {
 			}
 			Ok(SharedSecret::new(other_key, &node_secret))
 		}
-		fn get_expanded_key(&self) -> ExpandedKey { unreachable!() }
+		fn get_expanded_key(&self) -> ExpandedKey { ExpandedKey::new([42; 32]) }
 		fn get_node_id(&self, _recipient: Recipient) -> Result<PublicKey, ()> { unreachable!() }
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,
@@ -2011,7 +2011,7 @@ fn test_trampoline_inbound_payment_decoding() {
 			}
 			Ok(SharedSecret::new(other_key, &node_secret))
 		}
-		fn get_expanded_key(&self) -> ExpandedKey { unreachable!() }
+		fn get_expanded_key(&self) -> ExpandedKey { ExpandedKey::new([42; 32]) }
 		fn get_node_id(&self, _recipient: Recipient) -> Result<PublicKey, ()> { unreachable!() }
 		fn sign_invoice(
 			&self, _invoice: &RawBolt11Invoice, _recipient: Recipient,

lightning/src/ln/msgs.rs

@@ -56,7 +56,7 @@ use core::str::FromStr;
 #[cfg(feature = "std")]
 use std::net::SocketAddr;
 
-use crate::crypto::streams::ChaChaDualPolyReadAdapter;
+use crate::crypto::streams::{ChaChaTriPolyReadAdapter, TriPolyAADUsed};
 use crate::util::base32;
 use crate::util::logger;
 use crate::util::ser::{
@@ -3924,10 +3924,13 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPaylo
 				.map_err(|_| DecodeError::InvalidValue)?;
 			let rho = onion_utils::gen_rho_from_shared_secret(&enc_tlvs_ss.secret_bytes());
 			let receive_auth_key = node_signer.get_receive_auth_key();
+			let phantom_auth_key = node_signer.get_expanded_key().phantom_node_blinded_path_key;
+			let read_args = (rho, receive_auth_key.0, phantom_auth_key);
+
 			let mut s = Cursor::new(&enc_tlvs);
 			let mut reader = FixedLengthReader::new(&mut s, enc_tlvs.len() as u64);
-			match ChaChaDualPolyReadAdapter::read(&mut reader, (rho, receive_auth_key.0))? {
-				ChaChaDualPolyReadAdapter {
+			match ChaChaTriPolyReadAdapter::read(&mut reader, read_args)? {
+				ChaChaTriPolyReadAdapter {
 					readable:
 						BlindedPaymentTlvs::Forward(ForwardTlvs {
 							short_channel_id,
@@ -3942,7 +3945,7 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPaylo
 						|| cltv_value.is_some() || total_msat.is_some()
 						|| keysend_preimage.is_some()
 						|| invoice_request.is_some()
-						|| used_aad
+						|| used_aad != TriPolyAADUsed::None
 					{
 						return Err(DecodeError::InvalidValue);
 					}
@@ -3955,7 +3958,7 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPaylo
 						next_blinding_override,
 					}))
 				},
-				ChaChaDualPolyReadAdapter {
+				ChaChaTriPolyReadAdapter {
 					readable:
 						BlindedPaymentTlvs::Dummy(DummyTlvs { payment_relay, payment_constraints }),
 					used_aad,
@@ -3964,7 +3967,7 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPaylo
 						|| cltv_value.is_some() || total_msat.is_some()
 						|| keysend_preimage.is_some()
 						|| invoice_request.is_some()
-						|| !used_aad
+						|| used_aad == TriPolyAADUsed::None
 					{
 						return Err(DecodeError::InvalidValue);
 					}
@@ -3974,11 +3977,11 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundOnionPaylo
 						intro_node_blinding_point,
 					}))
 				},
-				ChaChaDualPolyReadAdapter {
+				ChaChaTriPolyReadAdapter {
 					readable: BlindedPaymentTlvs::Receive(receive_tlvs),
 					used_aad,
 				} => {
-					if !used_aad {
+					if used_aad == TriPolyAADUsed::None {
 						return Err(DecodeError::InvalidValue);
 					}
 
@@ -4041,6 +4044,7 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundTrampoline
 	fn read<R: Read>(r: &mut R, args: (Option<PublicKey>, NS)) -> Result<Self, DecodeError> {
 		let (update_add_blinding_point, node_signer) = args;
 		let receive_auth_key = node_signer.get_receive_auth_key();
+		let phantom_auth_key = node_signer.get_expanded_key().phantom_node_blinded_path_key;
 
 		let mut amt = None;
 		let mut cltv_value = None;
@@ -4094,8 +4098,9 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundTrampoline
 			let rho = onion_utils::gen_rho_from_shared_secret(&enc_tlvs_ss.secret_bytes());
 			let mut s = Cursor::new(&enc_tlvs);
 			let mut reader = FixedLengthReader::new(&mut s, enc_tlvs.len() as u64);
-			match ChaChaDualPolyReadAdapter::read(&mut reader, (rho, receive_auth_key.0))? {
-				ChaChaDualPolyReadAdapter {
+			let read_args = (rho, receive_auth_key.0, phantom_auth_key);
+			match ChaChaTriPolyReadAdapter::read(&mut reader, read_args)? {
+				ChaChaTriPolyReadAdapter {
 					readable:
 						BlindedTrampolineTlvs::Forward(TrampolineForwardTlvs {
 							next_trampoline,
@@ -4110,7 +4115,7 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundTrampoline
 						|| cltv_value.is_some() || total_msat.is_some()
 						|| keysend_preimage.is_some()
 						|| invoice_request.is_some()
-						|| used_aad
+						|| used_aad != TriPolyAADUsed::None
 					{
 						return Err(DecodeError::InvalidValue);
 					}
@@ -4123,11 +4128,11 @@ impl<NS: NodeSigner> ReadableArgs<(Option<PublicKey>, NS)> for InboundTrampoline
 						next_blinding_override,
 					}))
 				},
-				ChaChaDualPolyReadAdapter {
+				ChaChaTriPolyReadAdapter {
 					readable: BlindedTrampolineTlvs::Receive(receive_tlvs),
 					used_aad,
 				} => {
-					if !used_aad {
+					if used_aad == TriPolyAADUsed::None {
 						return Err(DecodeError::InvalidValue);
 					}