Prepare to auth blinded path contexts with a secret AAD in the MAC

When we receive an onion message, we often want to make sure it was
sent through a blinded path we constructed. This protects us from
various deanonymization attacks where someone can send a message to
every node on the network until they find us, effectively
unwrapping the blinded path and identifying its recipient.

We generally do so by adding authentication tags to our
`MessageContext` variants. Because the contexts themselves are
encrypted (and MAC'd) to us, we only have to ensure that they
cannot be forged, which is trivially accomplished with a simple
nonce and a MAC covering it.

This logic has ended up being repeated in nearly all of our onion
message handlers, and has gotten quite repetitive.

Instead, here, we simply authenticate the blinded path contexts
using the MAC that's already there, but tweaking it with an
additional secret as the AAD in Poly1305. This prevents forgery as
the secret is now required to make the MAC check pass.

Ultimately this means that no one can ever build a blinded path
which terminates at an LDK node that we'll accept, but over time
we've come to recognize this as a useful property, rather than
something to fight. Here we finally break from the spec fully in
our context encryption (not just the contents thereof).

This will save a bit of space in some of our `MessageContext`s,
though sadly not in the blinded path we include in `Bolt12Offer`s,
so they're generally not in space-sensitive blinded paths.

We can apply the same logic in our blinded payment paths as well,
but we do not do so here.

This commit only adds the required changes to the cryptography, for
now it uses a constant key of `[41; 32]`.

Author: TheBlueMatt

lightning/src/blinded_path/message.rs

@@ -92,6 +92,7 @@ impl BlindedMessagePath {
 				recipient_node_id,
 				context,
 				&blinding_secret,
+				[41; 32], // TODO: Pass this in
 			)
 			.map_err(|_| ())?,
 		}))
@@ -514,6 +515,7 @@ pub(crate) const MESSAGE_PADDING_ROUND_OFF: usize = 100;
 pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
 	recipient_node_id: PublicKey, context: MessageContext, session_priv: &SecretKey,
+	local_node_receive_key: [u8; 32],
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
 	let pks = intermediate_nodes
 		.iter()
@@ -536,13 +538,13 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 
 	if is_compact {
 		let path = pks.zip(tlvs);
-		utils::construct_blinded_hops(secp_ctx, path, session_priv)
+		utils::construct_blinded_hops(secp_ctx, path, session_priv, Some(local_node_receive_key))
 	} else {
 		let path =
 			pks.zip(tlvs.map(|tlv| BlindedPathWithPadding {
 				tlvs: tlv,
 				round_off: MESSAGE_PADDING_ROUND_OFF,
 			}));
-		utils::construct_blinded_hops(secp_ctx, path, session_priv)
+		utils::construct_blinded_hops(secp_ctx, path, session_priv, Some(local_node_receive_key))
 	}
 }

lightning/src/blinded_path/payment.rs

@@ -675,7 +675,7 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 		tlvs.map(|tlv| BlindedPathWithPadding { tlvs: tlv, round_off: PAYMENT_PADDING_ROUND_OFF }),
 	);
 
-	utils::construct_blinded_hops(secp_ctx, path, session_priv)
+	utils::construct_blinded_hops(secp_ctx, path, session_priv, None)
 }
 
 /// `None` if underflow occurs.

lightning/src/blinded_path/utils.rs

@@ -17,7 +17,8 @@ use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1, SecretKey};
 
 use super::message::BlindedMessagePath;
 use super::{BlindedHop, BlindedPath};
-use crate::crypto::streams::ChaChaPolyWriteAdapter;
+use crate::crypto::chacha20poly1305rfc::ChaCha20Poly1305RFC;
+use crate::crypto::streams::chachapoly_encrypt_with_swapped_aad;
 use crate::io;
 use crate::ln::onion_utils;
 use crate::onion_message::messenger::Destination;
@@ -38,7 +39,7 @@ macro_rules! build_keys_helper {
 		let mut onion_packet_pubkey = msg_blinding_point.clone();
 
 		macro_rules! build_keys {
-			($hop: expr, $blinded: expr, $encrypted_payload: expr) => {{
+			($hop: expr, $blinded: expr, $encrypted_payload: expr, $node_recv_key: expr) => {{
 				let pk = *$hop.borrow();
 				let encrypted_data_ss = SharedSecret::new(&pk, &msg_blinding_point_priv);
 
@@ -65,16 +66,17 @@ macro_rules! build_keys_helper {
 					onion_packet_pubkey,
 					rho,
 					unblinded_hop_opt,
+					$node_recv_key,
 					$encrypted_payload,
 				);
 				(encrypted_data_ss, onion_packet_ss)
 			}};
 		}
 
 		macro_rules! build_keys_in_loop {
-			($pk: expr, $blinded: expr, $encrypted_payload: expr) => {
+			($pk: expr, $blinded: expr, $encrypted_payload: expr, $node_recv_key: expr) => {
 				let (encrypted_data_ss, onion_packet_ss) =
-					build_keys!($pk, $blinded, $encrypted_payload);
+					build_keys!($pk, $blinded, $encrypted_payload, $node_recv_key);
 
 				let msg_blinding_point_blinding_factor = {
 					let mut sha = Sha256::engine();
@@ -105,7 +107,6 @@ macro_rules! build_keys_helper {
 	};
 }
 
-#[inline]
 pub(crate) fn construct_keys_for_onion_message<'a, T, I, F>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, destination: Destination, session_priv: &SecretKey,
 	mut callback: F,
@@ -115,41 +116,43 @@ where
 	I: Iterator<Item = PublicKey>,
 	F: FnMut(SharedSecret, PublicKey, [u8; 32], Option<PublicKey>, Option<Vec<u8>>),
 {
-	let mut callback_wrapper = |_, ss, pk, encrypted_payload_rho, unblinded_hop_data, encrypted_payload| {
+	let mut callback_wrapper = |_, ss, pk, encrypted_payload_rho, unblinded_hop_data, _: Option<()>, encrypted_payload| {
 		callback(ss, pk, encrypted_payload_rho, unblinded_hop_data, encrypted_payload);
 	};
 	build_keys_helper!(session_priv, secp_ctx, callback_wrapper);
 
 	for pk in unblinded_path {
-		build_keys_in_loop!(pk, false, None);
+		build_keys_in_loop!(pk, false, None, None);
 	}
 	match destination {
 		Destination::Node(pk) => {
-			build_keys!(pk, false, None);
+			build_keys!(pk, false, None, None);
 		},
 		Destination::BlindedPath(BlindedMessagePath(BlindedPath { blinded_hops, .. })) => {
 			for hop in blinded_hops {
-				build_keys_in_loop!(hop.blinded_node_id, true, Some(hop.encrypted_payload));
+				build_keys_in_loop!(hop.blinded_node_id, true, Some(hop.encrypted_payload), None);
 			}
 		},
 	}
 	Ok(())
 }
 
-#[inline]
-pub(super) fn construct_keys_for_blinded_path<'a, T, I, F, H>(
-	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey, mut callback: F,
+fn construct_keys_for_blinded_path<'a, T, I, F, H>(
+	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv:  &SecretKey,
+	mut last_hop_receive_key: Option<[u8; 32]>, mut callback: F,
 ) -> Result<(), secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
 	H: Borrow<PublicKey>,
 	I: Iterator<Item = H>,
-	F: FnMut(PublicKey, SharedSecret, PublicKey, [u8; 32], Option<H>, Option<Vec<u8>>),
+	F: FnMut(PublicKey, SharedSecret, PublicKey, [u8; 32], Option<H>, Option<[u8; 32]>, Option<Vec<u8>>),
 {
 	build_keys_helper!(session_priv, secp_ctx, callback);
 
-	for pk in unblinded_path {
-		build_keys_in_loop!(pk, false, None);
+	let mut iter = unblinded_path.peekable();
+	while let Some(pk) = iter.next() {
+		let receive_key = if iter.peek().is_none() { last_hop_receive_key.take() } else { None };
+		build_keys_in_loop!(pk, false, None, receive_key);
 	}
 	Ok(())
 }
@@ -167,6 +170,7 @@ impl<W: Writeable> Borrow<PublicKey> for PublicKeyWithTlvs<W> {
 
 pub(crate) fn construct_blinded_hops<'a, T, I, W>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey,
+	last_hop_receive_key: Option<[u8; 32]>,
 ) -> Result<Vec<BlindedHop>, secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
@@ -178,12 +182,14 @@ where
 		secp_ctx,
 		unblinded_path.map(|(pubkey, tlvs)| PublicKeyWithTlvs { pubkey, tlvs }),
 		session_priv,
-		|blinded_node_id, _, _, encrypted_payload_rho, unblinded_hop_data, _| {
+		last_hop_receive_key,
+		|blinded_node_id, _, _, encrypted_payload_rho, unblinded_hop_data, hop_recv_key, _| {
 			blinded_hops.push(BlindedHop {
 				blinded_node_id,
 				encrypted_payload: encrypt_payload(
 					unblinded_hop_data.unwrap().tlvs,
 					encrypted_payload_rho,
+					hop_recv_key,
 				),
 			});
 		},
@@ -192,9 +198,17 @@ where
 }
 
 /// Encrypt TLV payload to be used as a [`crate::blinded_path::BlindedHop::encrypted_payload`].
-fn encrypt_payload<P: Writeable>(payload: P, encrypted_tlvs_rho: [u8; 32]) -> Vec<u8> {
-	let write_adapter = ChaChaPolyWriteAdapter::new(encrypted_tlvs_rho, &payload);
-	write_adapter.encode()
+fn encrypt_payload<P: Writeable>(payload: P, encrypted_tlvs_rho: [u8; 32], hop_recv_key: Option<[u8; 32]>) -> Vec<u8> {
+	let mut payload_data = payload.encode();
+	if let Some(hop_recv_key) = hop_recv_key {
+		chachapoly_encrypt_with_swapped_aad(payload_data, encrypted_tlvs_rho, hop_recv_key)
+	} else {
+		let mut chacha = ChaCha20Poly1305RFC::new(&encrypted_tlvs_rho, &[0; 12], &[]);
+		let mut tag = [0; 16];
+		chacha.encrypt_full_message_in_place(&mut payload_data, &mut tag);
+		payload_data.extend_from_slice(&tag);
+		payload_data
+	}
 }
 
 /// A data structure used exclusively to pad blinded path payloads, ensuring they are of

lightning/src/crypto/streams.rs

@@ -51,6 +51,31 @@ impl<'a, T: Writeable> Writeable for ChaChaPolyWriteAdapter<'a, T> {
 	}
 }
 
+/// Encrypts the provided plaintext with the given key using ChaCha20Poly1305 in the modified
+/// with-AAD form used in [`ChaChaDualPolyReadAdapter`].
+pub(crate) fn chachapoly_encrypt_with_swapped_aad(mut plaintext: Vec<u8>, key: [u8; 32], aad: [u8; 32]) -> Vec<u8> {
+	let mut chacha = ChaCha20::new(&key[..], &[0; 12]);
+	let mut mac_key = [0u8; 64];
+	chacha.process_in_place(&mut mac_key);
+
+	let mut mac = Poly1305::new(&mac_key[..32]);
+	chacha.process_in_place(&mut plaintext[..]);
+	mac.input(&plaintext[..]);
+
+	if plaintext.len() % 16 != 0 {
+		mac.input(&[0; 16][0..16 - (plaintext.len() % 16)]);
+	}
+
+	mac.input(&aad[..]);
+	// Note that we don't need to pad the AAD since its a multiple of 16 bytes
+
+	mac.input(&(plaintext.len() as u64).to_le_bytes());
+	mac.input(&32u64.to_le_bytes());
+
+	plaintext.extend_from_slice(&mac.result());
+	plaintext
+}
+
 /// Enables the use of the serialization macros for objects that need to be simultaneously decrypted
 /// and deserialized. This allows us to avoid an intermediate Vec allocation.
 ///

lightning/src/ln/blinded_payment_tests.rs

@@ -1558,15 +1558,15 @@ fn route_blinding_spec_test_vector() {
 	// Can't use the public API here as the encrypted payloads contain unknown TLVs.
 	let path = [(dave_node_id, WithoutLength(&dave_unblinded_tlvs)), (eve_node_id, WithoutLength(&eve_unblinded_tlvs))];
 	let mut dave_eve_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &dave_eve_session_priv
+		&secp_ctx, path.into_iter(), &dave_eve_session_priv, None,
 	).unwrap();
 
 	// Concatenate an additional Bob -> Carol blinded path to the Eve -> Dave blinded path.
 	let bob_carol_session_priv = secret_from_hex("0202020202020202020202020202020202020202020202020202020202020202");
 	let bob_blinding_point = PublicKey::from_secret_key(&secp_ctx, &bob_carol_session_priv);
 	let path = [(bob_node_id, WithoutLength(&bob_unblinded_tlvs)), (carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
 	let bob_carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &bob_carol_session_priv
+		&secp_ctx, path.into_iter(), &bob_carol_session_priv, None,
 	).unwrap();
 
 	let mut blinded_hops = bob_carol_blinded_hops;
@@ -2028,7 +2028,7 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 
 		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv, None,
 		).unwrap()
 	} else {
 		let payee_tlvs = blinded_path::payment::TrampolineForwardTlvs {
@@ -2049,7 +2049,7 @@ fn do_test_trampoline_single_hop_receive(success: bool) {
 		let carol_unblinded_tlvs = payee_tlvs.encode();
 		let path = [(carol_node_id, WithoutLength(&carol_unblinded_tlvs))];
 		blinded_path::utils::construct_blinded_hops(
-			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+			&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv, None,
 		).unwrap()
 	};
 
@@ -2253,7 +2253,7 @@ fn test_trampoline_unblinded_receive() {
 	let carol_alice_trampoline_session_priv = secret_from_hex("a0f4b8d7b6c2d0ffdfaf718f76e9decaef4d9fb38a8c4addb95c4007cc3eee03");
 	let carol_blinding_point = PublicKey::from_secret_key(&secp_ctx, &carol_alice_trampoline_session_priv);
 	let carol_blinded_hops = blinded_path::utils::construct_blinded_hops(
-		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv
+		&secp_ctx, path.into_iter(), &carol_alice_trampoline_session_priv, None,
 	).unwrap();
 
 	let route = Route {

lightning/src/onion_message/messenger.rs

@@ -1068,18 +1068,20 @@ where
 			},
 		}
 	};
+	let receiving_context_auth_key = [41; 32]; // TODO: pass this in
 	let next_hop = onion_utils::decode_next_untagged_hop(
 		onion_decode_ss,
 		&msg.onion_routing_packet.hop_data[..],
 		msg.onion_routing_packet.hmac,
-		(control_tlvs_ss, custom_handler.deref(), logger.deref()),
+		(control_tlvs_ss, custom_handler.deref(), receiving_context_auth_key, logger.deref()),
 	);
 	match next_hop {
 		Ok((
 			Payload::Receive {
 				message,
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context }),
 				reply_path,
+				control_tlvs_authenticated,
 			},
 			None,
 		)) => match (message, context) {
@@ -1108,6 +1110,8 @@ where
 				Ok(PeeledOnion::DNSResolver(msg, None, reply_path))
 			},
 			_ => {
+				// Hide the "`control_tlvs_authenticated` is unused warning". We'll use it here soon
+				let _ = control_tlvs_authenticated;
 				log_trace!(
 					logger,
 					"Received message was sent on a blinded path with wrong or missing context."
@@ -2298,7 +2302,7 @@ fn packet_payloads_and_keys<
 
 	if let Some(control_tlvs) = final_control_tlvs {
 		payloads.push((
-			Payload::Receive { control_tlvs, reply_path: reply_path.take(), message },
+			Payload::Receive { control_tlvs, reply_path: reply_path.take(), message, control_tlvs_authenticated: false, },
 			prev_control_tlvs_ss.unwrap(),
 		));
 	} else {
@@ -2307,6 +2311,7 @@ fn packet_payloads_and_keys<
 				control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { context: None }),
 				reply_path: reply_path.take(),
 				message,
+				control_tlvs_authenticated: false,
 			},
 			prev_control_tlvs_ss.unwrap(),
 		));

lightning/src/onion_message/packet.rs

@@ -18,7 +18,7 @@ use super::dns_resolution::DNSResolverMessage;
 use super::messenger::CustomOnionMessageHandler;
 use super::offers::OffersMessage;
 use crate::blinded_path::message::{BlindedMessagePath, ForwardTlvs, NextMessageHop, ReceiveTlvs};
-use crate::crypto::streams::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
+use crate::crypto::streams::{ChaChaDualPolyReadAdapter, ChaChaPolyWriteAdapter};
 use crate::ln::msgs::DecodeError;
 use crate::ln::onion_utils;
 use crate::util::logger::Logger;
@@ -112,7 +112,11 @@ pub(super) enum Payload<T: OnionMessageContents> {
 	/// This payload is for an intermediate hop.
 	Forward(ForwardControlTlvs),
 	/// This payload is for the final hop.
-	Receive { control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
+	Receive {
+		/// The [`ReceiveControlTlvs`] were authenticated with the additional key which was
+		/// provided to [`ReadableArgs::read`].
+		control_tlvs_authenticated: bool,
+		control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
 }
 
 /// The contents of an [`OnionMessage`] as read from the wire.
@@ -223,6 +227,7 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				control_tlvs: ReceiveControlTlvs::Blinded(encrypted_bytes),
 				reply_path,
 				message,
+				control_tlvs_authenticated: _,
 			} => {
 				_encode_varint_length_prefixed_tlv!(w, {
 					(2, reply_path, option),
@@ -238,6 +243,7 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				control_tlvs: ReceiveControlTlvs::Unblinded(control_tlvs),
 				reply_path,
 				message,
+				control_tlvs_authenticated: _,
 			} => {
 				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
 				_encode_varint_length_prefixed_tlv!(w, {
@@ -252,22 +258,22 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 }
 
 // Uses the provided secret to simultaneously decode and decrypt the control TLVs and data TLV.
-impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(SharedSecret, &H, &L)>
+impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(SharedSecret, &H, [u8; 32], &L)>
 	for Payload<ParsedOnionMessageContents<<H as CustomOnionMessageHandler>::CustomMessage>>
 {
-	fn read<R: Read>(r: &mut R, args: (SharedSecret, &H, &L)) -> Result<Self, DecodeError> {
-		let (encrypted_tlvs_ss, handler, logger) = args;
+	fn read<R: Read>(r: &mut R, args: (SharedSecret, &H, [u8; 32], &L)) -> Result<Self, DecodeError> {
+		let (encrypted_tlvs_ss, handler, receive_tlvs_key, logger) = args;
 
 		let v: BigSize = Readable::read(r)?;
 		let mut rd = FixedLengthReader::new(r, v.0);
 		let mut reply_path: Option<BlindedMessagePath> = None;
-		let mut read_adapter: Option<ChaChaPolyReadAdapter<ControlTlvs>> = None;
+		let mut read_adapter: Option<ChaChaDualPolyReadAdapter<ControlTlvs>> = None;
 		let rho = onion_utils::gen_rho_from_shared_secret(&encrypted_tlvs_ss.secret_bytes());
 		let mut message_type: Option<u64> = None;
 		let mut message = None;
 		decode_tlv_stream_with_custom_tlv_decode!(&mut rd, {
 			(2, reply_path, option),
-			(4, read_adapter, (option: LengthReadableArgs, rho)),
+			(4, read_adapter, (option: LengthReadableArgs, (rho, receive_tlvs_key))),
 		}, |msg_type, msg_reader| {
 			if msg_type < 64 { return Ok(false) }
 			// Don't allow reading more than one data TLV from an onion message.
@@ -304,17 +310,18 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 
 		match read_adapter {
 			None => return Err(DecodeError::InvalidValue),
-			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Forward(tlvs) }) => {
-				if message_type.is_some() {
+			Some(ChaChaDualPolyReadAdapter { readable: ControlTlvs::Forward(tlvs), used_aad }) => {
+				if used_aad || message_type.is_some() {
 					return Err(DecodeError::InvalidValue);
 				}
 				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
 			},
-			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Receive(tlvs) }) => {
+			Some(ChaChaDualPolyReadAdapter { readable: ControlTlvs::Receive(tlvs), used_aad }) => {
 				Ok(Payload::Receive {
 					control_tlvs: ReceiveControlTlvs::Unblinded(tlvs),
 					reply_path,
 					message: message.ok_or(DecodeError::InvalidValue)?,
+					control_tlvs_authenticated: used_aad,
 				})
 			},
 		}