Add a BlindedMessagePath constructor for external recipients

dunxen · dunxen · commit d6dee2b5f149 · 2026-06-24T13:54:41.000+02:00
Add `new_for_external_recipient`, which builds a recipient hop using standard
BOLT-4 ChaCha20Poly1305 (empty AAD) and no `MessageContext` or deanonymisation
protections.

Tests by Claude
diff --git a/lightning/src/blinded_path/message.rs b/lightning/src/blinded_path/message.rs
@@ -113,6 +113,50 @@ impl BlindedMessagePath {
 		intermediate_nodes: &[MessageForwardNode], recipient_node_id: PublicKey,
 		dummy_hop_count: usize, local_node_receive_key: ReceiveAuthKey, context: MessageContext,
 		compact_padding: bool, entropy_source: ES, secp_ctx: &Secp256k1<T>,
+	) -> Self {
+		Self::new_inner(
+			intermediate_nodes,
+			recipient_node_id,
+			dummy_hop_count,
+			Some(local_node_receive_key),
+			Some(context),
+			compact_padding,
+			entropy_source,
+			secp_ctx,
+		)
+	}
+
+	/// Create a path for a message to a recipient that is not an LDK node (e.g. CLN).
+	///
+	/// The other constructors authenticate the recipient hop with a [`ReceiveAuthKey`] and require a
+	/// [`MessageContext`], which a non-LDK node cannot decrypt. This drops deanonymization protections
+	/// and adds no dummy hops.
+	///
+	/// See [`BlindedMessagePath::new`] regarding `compact_padding`.
+	pub fn new_for_external_recipient<
+		ES: EntropySource,
+		T: secp256k1::Signing + secp256k1::Verification,
+	>(
+		intermediate_nodes: &[MessageForwardNode], recipient_node_id: PublicKey,
+		compact_padding: bool, entropy_source: ES, secp_ctx: &Secp256k1<T>,
+	) -> Self {
+		Self::new_inner(
+			intermediate_nodes,
+			recipient_node_id,
+			0,
+			None,
+			None,
+			compact_padding,
+			entropy_source,
+			secp_ctx,
+		)
+	}
+
+	fn new_inner<ES: EntropySource, T: secp256k1::Signing + secp256k1::Verification>(
+		intermediate_nodes: &[MessageForwardNode], recipient_node_id: PublicKey,
+		dummy_hop_count: usize, local_node_receive_key: Option<ReceiveAuthKey>,
+		context: Option<MessageContext>, compact_padding: bool, entropy_source: ES,
+		secp_ctx: &Secp256k1<T>,
 	) -> Self {
 		let introduction_node = IntroductionNode::NodeId(
 			intermediate_nodes.first().map_or(recipient_node_id, |n| n.node_id),
@@ -760,17 +804,16 @@ pub const MAX_DUMMY_HOPS_COUNT: usize = 10;
 /// Construct blinded onion message hops for the given `intermediate_nodes` and `recipient_node_id`.
 pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
-	recipient_node_id: PublicKey, dummy_hop_count: usize, context: MessageContext,
-	session_priv: &SecretKey, local_node_receive_key: ReceiveAuthKey, compact_padding: bool,
+	recipient_node_id: PublicKey, dummy_hop_count: usize, context: Option<MessageContext>,
+	session_priv: &SecretKey, local_node_receive_key: Option<ReceiveAuthKey>,
+	compact_padding: bool,
 ) -> Vec<BlindedHop> {
 	let dummy_count = cmp::min(dummy_hop_count, MAX_DUMMY_HOPS_COUNT);
 	let pks = intermediate_nodes
 		.iter()
 		.map(|node| (node.node_id, None))
-		.chain(
-			core::iter::repeat((recipient_node_id, Some(local_node_receive_key))).take(dummy_count),
-		)
-		.chain(core::iter::once((recipient_node_id, Some(local_node_receive_key))));
+		.chain(core::iter::repeat((recipient_node_id, local_node_receive_key)).take(dummy_count))
+		.chain(core::iter::once((recipient_node_id, local_node_receive_key)));
 
 	let intermediate_tlvs = pks
 		.clone()
@@ -816,7 +859,7 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 			res
 		})
 		.chain(core::iter::once(BlindedPathWithPadding {
-			tlvs: ControlTlvs::Receive(ReceiveTlvs { context: Some(context) }),
+			tlvs: ControlTlvs::Receive(ReceiveTlvs { context }),
 			round_off: if compact_padding { 0 } else { MESSAGE_PADDING_ROUND_OFF },
 		}));
 
diff --git a/lightning/src/onion_message/functional_tests.rs b/lightning/src/onion_message/functional_tests.rs
@@ -21,24 +21,27 @@ use super::messenger::{
 	OnionMessagePath, OnionMessenger, Responder, ResponseInstruction, SendError, SendSuccess,
 };
 use super::offers::{OffersMessage, OffersMessageHandler};
-use super::packet::{OnionMessageContents, Packet};
+use super::packet::{ControlTlvs, OnionMessageContents, Packet};
 use crate::blinded_path::message::{
 	AsyncPaymentsContext, BlindedMessagePath, DNSResolverContext, MessageContext,
-	MessageForwardNode, NextMessageHop, OffersContext, MESSAGE_PADDING_ROUND_OFF,
+	MessageForwardNode, NextMessageHop, OffersContext, ReceiveTlvs, MESSAGE_PADDING_ROUND_OFF,
 };
 use crate::blinded_path::utils::is_padded;
 use crate::blinded_path::NodeIdLookUp;
+use crate::crypto::streams::ChaChaPolyReadAdapter;
 use crate::events::{Event, EventsProvider};
 use crate::ln::msgs::{self, BaseMessageHandler, DecodeError, OnionMessageHandler};
+use crate::ln::onion_utils::gen_rho_from_shared_secret;
 use crate::routing::gossip::{NetworkGraph, P2PGossipSync};
 use crate::routing::test_utils::{add_channel, add_or_update_node};
 use crate::sign::{NodeSigner, Recipient};
 use crate::types::features::{ChannelFeatures, InitFeatures};
-use crate::util::ser::{FixedLengthReader, LengthReadable, Writeable, Writer};
+use crate::util::ser::{FixedLengthReader, LengthReadable, LengthReadableArgs, Writeable, Writer};
 use crate::util::test_utils::{TestChainSource, TestKeysInterface, TestLogger, TestNodeSigner};
 
 use bitcoin::hex::FromHex;
 use bitcoin::network::Network;
+use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::secp256k1::{All, PublicKey, Secp256k1, SecretKey};
 
 use crate::io;
@@ -480,6 +483,41 @@ fn one_blinded_hop() {
 	pass_along_path(&nodes);
 }
 
+#[test]
+fn blinded_path_for_external_recipient() {
+	// Check a path for a non-LDK recipient is delivered, and that its recipient hop can be read by a
+	// spec-standard ChaCha20Poly1305 decryptor with no context.
+	let nodes = create_nodes(2);
+	let test_msg = TestCustomMessage::Pong;
+
+	let secp_ctx = Secp256k1::new();
+	let entropy = &*nodes[1].entropy_source;
+	let node_id = nodes[1].node_id;
+	let blinded_path =
+		BlindedMessagePath::new_for_external_recipient(&[], node_id, false, entropy, &secp_ctx);
+
+	// The recipient hop must decrypt under standard ChaCha20Poly1305 (empty AAD) with no context.
+	{
+		let ss = SharedSecret::new(&blinded_path.blinding_point(), &nodes[1].privkey);
+		let rho = gen_rho_from_shared_secret(&ss.secret_bytes());
+		let encrypted_payload = &blinded_path.blinded_hops()[0].encrypted_payload;
+		let mut s = io::Cursor::new(encrypted_payload);
+		let mut reader = FixedLengthReader::new(&mut s, encrypted_payload.len() as u64);
+		let ChaChaPolyReadAdapter { readable } =
+			<ChaChaPolyReadAdapter<ControlTlvs>>::read(&mut reader, rho).unwrap();
+		match readable {
+			ControlTlvs::Receive(ReceiveTlvs { context }) => assert!(context.is_none()),
+			_ => panic!("Expected a receive-hop control TLV"),
+		}
+	}
+
+	let destination = Destination::BlindedPath(blinded_path);
+	let instructions = MessageSendInstructions::WithoutReplyPath { destination };
+	nodes[0].messenger.send_onion_message(test_msg, instructions).unwrap();
+	nodes[1].custom_message_handler.expect_message(TestCustomMessage::Pong);
+	pass_along_path(&nodes);
+}
+
 #[test]
 fn blinded_path_with_dummy_hops() {
 	let nodes = create_nodes(2);
