Handle attribution data for trampoline payments

The trampoline node must unwrap the attribution data with its shared secrets and use what's remaining as the attribution data from the next trampoline node.

Author: thomash-acinq

eclair-core/src/main/scala/fr/acinq/eclair/crypto/Sphinx.scala

@@ -280,9 +280,10 @@ object Sphinx extends Logging {
   /**
    * The downstream failure could not be decrypted.
    *
-   * @param unwrapped encrypted failure packet after unwrapping using our shared secrets.
+   * @param unwrapped       encrypted failure packet after unwrapping using our shared secrets.
+   * @param attribution_opt attribution data after unwrapping using our shared secrets
    */
-  case class CannotDecryptFailurePacket(unwrapped: ByteVector)
+  case class CannotDecryptFailurePacket(unwrapped: ByteVector, attribution_opt: Option[ByteVector])
 
   case class HoldTime(duration: FiniteDuration, remoteNodeId: PublicKey)
 
@@ -334,16 +335,16 @@ object Sphinx extends Logging {
      * @return failure message if the origin of the packet could be identified and the packet decrypted, the unwrapped
      *         failure packet otherwise.
      */
-    def decrypt(packet: ByteVector, attribution_opt: Option[ByteVector], sharedSecrets: Seq[SharedSecret], hopIndex: Int = 0): HtlcFailure = {
+    def decrypt(packet: ByteVector, attribution_opt: Option[ByteVector], sharedSecrets: Seq[SharedSecret]): HtlcFailure = {
       sharedSecrets match {
-        case Nil => HtlcFailure(Nil, Left(CannotDecryptFailurePacket(packet)))
+        case Nil => HtlcFailure(Nil, Left(CannotDecryptFailurePacket(packet, attribution_opt)))
         case ss :: tail =>
           val packet1 = wrap(packet, ss.secret)
-          val attribution1_opt = attribution_opt.flatMap(Attribution.unwrap(_, packet1, ss.secret, hopIndex))
+          val attribution1_opt = attribution_opt.flatMap(Attribution.unwrap(_, packet1, ss.secret, sharedSecrets.length))
           val um = generateKey("um", ss.secret)
           val HtlcFailure(downstreamHoldTimes, failure) = FailureMessageCodecs.failureOnionCodec(Hmac256(um)).decode(packet1.toBitVector) match {
             case Attempt.Successful(value) => HtlcFailure(Nil, Right(DecryptedFailurePacket(ss.remoteNodeId, value.value)))
-            case _ => decrypt(packet1, attribution1_opt.map(_._2), tail, hopIndex + 1)
+            case _ => decrypt(packet1, attribution1_opt.map(_._2), tail)
           }
           HtlcFailure(attribution1_opt.map(n => HoldTime(n._1, ss.remoteNodeId) +: downstreamHoldTimes).getOrElse(Nil), failure)
       }
@@ -389,11 +390,11 @@ object Sphinx extends Logging {
       }))
 
     /**
-     * Computes the HMACs for the node that is `minNumHop` hops away from us. Hence we only compute `maxNumHops - minNumHop` HMACs.
+     * Computes the HMACs for the node that is `maxNumHops - remainingHops` hops away from us. Hence we only compute `remainingHops` HMACs.
      * HMACs are truncated to 4 bytes to save space. An attacker has only one try to guess the HMAC so 4 bytes should be enough.
      */
-    private def computeHmacs(mac: Mac32, failurePacket: ByteVector, holdTimes: ByteVector, hmacs: Seq[Seq[ByteVector]], minNumHop: Int): Seq[ByteVector] = {
-      (minNumHop until maxNumHops).map(i => {
+    private def computeHmacs(mac: Mac32, failurePacket: ByteVector, holdTimes: ByteVector, hmacs: Seq[Seq[ByteVector]], remainingHops: Int): Seq[ByteVector] = {
+      ((maxNumHops - remainingHops) until maxNumHops).map(i => {
         val y = maxNumHops - i
         mac.mac(failurePacket ++
           holdTimes.take(y * holdTimeLength) ++
@@ -411,38 +412,41 @@ object Sphinx extends Logging {
       val previousHmacs = getHmacs(previousAttribution).dropRight(1).map(_.drop(1))
       val mac = Hmac256(generateKey("um", sharedSecret))
       val holdTimes = uint32.encode(holdTime.toMillis).require.bytes ++ previousAttribution.take((maxNumHops - 1) * holdTimeLength)
-      val hmacs = computeHmacs(mac, failurePacket_opt.getOrElse(ByteVector.empty), holdTimes, previousHmacs, 0) +: previousHmacs
+      val hmacs = computeHmacs(mac, failurePacket_opt.getOrElse(ByteVector.empty), holdTimes, previousHmacs, maxNumHops) +: previousHmacs
       cipher(holdTimes ++ ByteVector.concat(hmacs.map(ByteVector.concat(_))), sharedSecret)
     }
 
     /**
      * Unwrap one hop of attribution data
      * @return a pair with the hold time for this hop and the attribution data for the next hop, or None if the attribution data was invalid
      */
-    def unwrap(encrypted: ByteVector, failurePacket: ByteVector, sharedSecret: ByteVector32, minNumHop: Int): Option[(FiniteDuration, ByteVector)] = {
+    def unwrap(encrypted: ByteVector, failurePacket: ByteVector, sharedSecret: ByteVector32, remainingHops: Int): Option[(FiniteDuration, ByteVector)] = {
       val bytes = cipher(encrypted, sharedSecret)
       val holdTime = uint32.decode(bytes.take(holdTimeLength).bits).require.value.milliseconds
       val hmacs = getHmacs(bytes)
       val mac = Hmac256(generateKey("um", sharedSecret))
-      if (computeHmacs(mac, failurePacket, bytes.take(maxNumHops * holdTimeLength), hmacs.drop(1), minNumHop) == hmacs.head.drop(minNumHop)) {
+      if (computeHmacs(mac, failurePacket, bytes.take(maxNumHops * holdTimeLength), hmacs.drop(1), remainingHops) == hmacs.head.drop(maxNumHops - remainingHops)) {
         val unwrapped = bytes.slice(holdTimeLength, maxNumHops * holdTimeLength) ++ ByteVector.low(holdTimeLength) ++ ByteVector.concat((hmacs.drop(1) :+ Seq()).map(s => ByteVector.low(hmacLength) ++ ByteVector.concat(s)))
         Some(holdTime, unwrapped)
       } else {
         None
       }
     }
 
+    case class UnwrappedAttribution(holdTimes: List[HoldTime], remaining_opt: Option[ByteVector])
+
     /**
      * Decrypt the hold times from the attribution data of a fulfilled HTLC
      */
-    def fulfillHoldTimes(attribution: ByteVector, sharedSecrets: Seq[SharedSecret], hopIndex: Int = 0): List[HoldTime] = {
+    def fulfillHoldTimes(attribution: ByteVector, sharedSecrets: Seq[SharedSecret]): UnwrappedAttribution = {
       sharedSecrets match {
-        case Nil => Nil
+        case Nil => UnwrappedAttribution(Nil, Some(attribution))
         case ss :: tail =>
-          unwrap(attribution, ByteVector.empty, ss.secret, hopIndex) match {
+          unwrap(attribution, ByteVector.empty, ss.secret, sharedSecrets.length) match {
             case Some((holdTime, nextAttribution)) =>
-              HoldTime(holdTime, ss.remoteNodeId) :: fulfillHoldTimes(nextAttribution, tail, hopIndex + 1)
-            case None => Nil
+              val UnwrappedAttribution(holdTimes, remaining_opt) = fulfillHoldTimes(nextAttribution, tail)
+              UnwrappedAttribution(HoldTime(holdTime, ss.remoteNodeId) :: holdTimes, remaining_opt)
+            case None => UnwrappedAttribution(Nil, None)
           }
       }
     }

eclair-core/src/main/scala/fr/acinq/eclair/db/PaymentsDb.scala

@@ -250,7 +250,7 @@ object FailureSummary {
   def apply(f: PaymentFailure): FailureSummary = f match {
     case LocalFailure(_, route, t) => FailureSummary(FailureType.LOCAL, t.getMessage, route.map(h => HopSummary(h)).toList, route.headOption.map(_.nodeId))
     case RemoteFailure(_, route, e) => FailureSummary(FailureType.REMOTE, e.failureMessage.message, route.map(h => HopSummary(h)).toList, Some(e.originNode))
-    case UnreadableRemoteFailure(_, route, _, _) => FailureSummary(FailureType.UNREADABLE_REMOTE, "could not decrypt failure onion", route.map(h => HopSummary(h)).toList, None)
+    case UnreadableRemoteFailure(_, route, _, _, _) => FailureSummary(FailureType.UNREADABLE_REMOTE, "could not decrypt failure onion", route.map(h => HopSummary(h)).toList, None)
   }
 }
 

eclair-core/src/main/scala/fr/acinq/eclair/db/pg/PgAuditDb.scala

@@ -391,7 +391,8 @@ class PgAuditDb(implicit ds: DataSource) extends AuditDb with Logging {
                 rs.getByteVector32FromHex("payment_preimage"),
                 MilliSatoshi(rs.getLong("recipient_amount_msat")),
                 PublicKey(rs.getByteVectorFromHex("recipient_node_id")),
-                Seq(part))
+                Seq(part),
+                None)
             }
             sentByParentId + (parentId -> sent)
           }.values.toSeq.sortBy(_.timestamp)

eclair-core/src/main/scala/fr/acinq/eclair/db/sqlite/SqliteAuditDb.scala

@@ -363,7 +363,8 @@ class SqliteAuditDb(val sqlite: Connection) extends AuditDb with Logging {
               rs.getByteVector32("payment_preimage"),
               MilliSatoshi(rs.getLong("recipient_amount_msat")),
               PublicKey(rs.getByteVector("recipient_node_id")),
-              Seq(part))
+              Seq(part),
+              None)
           }
           sentByParentId + (parentId -> sent)
         }.values.toSeq.sortBy(_.timestamp)

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentEvents.scala

@@ -46,15 +46,16 @@ sealed trait PaymentEvent {
 /**
  * A payment was successfully sent and fulfilled.
  *
- * @param id              id of the whole payment attempt (if using multi-part, there will be multiple parts, each with
- *                        a different id).
- * @param paymentHash     payment hash.
- * @param paymentPreimage payment preimage (proof of payment).
- * @param recipientAmount amount that has been received by the final recipient.
- * @param recipientNodeId id of the final recipient.
- * @param parts           child payments (actual outgoing HTLCs).
+ * @param id                       id of the whole payment attempt (if using multi-part, there will be multiple parts,
+ *                                 each with a different id).
+ * @param paymentHash              payment hash.
+ * @param paymentPreimage          payment preimage (proof of payment).
+ * @param recipientAmount          amount that has been received by the final recipient.
+ * @param recipientNodeId          id of the final recipient.
+ * @param parts                    child payments (actual outgoing HTLCs).
+ * @param remainingAttribution_opt for relayed trampoline payments, the attribution data that needs to be sent upstream
  */
-case class PaymentSent(id: UUID, paymentHash: ByteVector32, paymentPreimage: ByteVector32, recipientAmount: MilliSatoshi, recipientNodeId: PublicKey, parts: Seq[PaymentSent.PartialPayment]) extends PaymentEvent {
+case class PaymentSent(id: UUID, paymentHash: ByteVector32, paymentPreimage: ByteVector32, recipientAmount: MilliSatoshi, recipientNodeId: PublicKey, parts: Seq[PaymentSent.PartialPayment], remainingAttribution_opt: Option[ByteVector]) extends PaymentEvent {
   require(parts.nonEmpty, "must have at least one payment part")
   val amountWithFees: MilliSatoshi = parts.map(_.amountWithFees).sum
   val feesPaid: MilliSatoshi = amountWithFees - recipientAmount // overall fees for this payment
@@ -151,7 +152,7 @@ case class LocalFailure(amount: MilliSatoshi, route: Seq[Hop], t: Throwable) ext
 case class RemoteFailure(amount: MilliSatoshi, route: Seq[Hop], e: Sphinx.DecryptedFailurePacket) extends PaymentFailure
 
 /** A remote node failed the payment but we couldn't decrypt the failure (e.g. a malicious node tampered with the message). */
-case class UnreadableRemoteFailure(amount: MilliSatoshi, route: Seq[Hop], failurePacket: ByteVector, holdTimes: Seq[HoldTime]) extends PaymentFailure
+case class UnreadableRemoteFailure(amount: MilliSatoshi, route: Seq[Hop], failurePacket: ByteVector, attribution_opt: Option[ByteVector], holdTimes: Seq[HoldTime]) extends PaymentFailure
 
 object PaymentFailure {
 
@@ -236,7 +237,7 @@ object PaymentFailure {
       }
     case RemoteFailure(_, hops, Sphinx.DecryptedFailurePacket(nodeId, _)) =>
       ignoreNodeOutgoingEdge(nodeId, hops, ignore)
-    case UnreadableRemoteFailure(_, hops, _, holdTimes) =>
+    case UnreadableRemoteFailure(_, hops, _, _, holdTimes) =>
       // TODO: Once everyone supports attributable errors, we should only exclude two nodes: the last for which we have attribution data and the next one.
       // We don't know which node is sending garbage, let's blacklist all nodes except:
       //  - the nodes that returned attribution data (except the last one)

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala

@@ -389,8 +389,9 @@ object OutgoingPaymentPacket {
               // We drop downstream attribution data and report our own attribution data to the previous trampoline node.
               // Note that we could use the downstream attribution data to score downstream nodes.
               val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
-              val attribution = Sphinx.Attribution.create(previousAttribution_opt = None, Some(trampolinePacket), holdTime, ss.outerOnionSecret)
-              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), attribution)
+              val attributionInner = Sphinx.Attribution.create(previousAttribution_opt, Some(packet), holdTime, trampolineOnionSecret)
+              val attributionOuter = Sphinx.Attribution.create(Some(attributionInner), Some(trampolinePacket), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), attributionOuter)
             case None =>
               val attribution = Sphinx.Attribution.create(previousAttribution_opt, Some(packet), holdTime, ss.outerOnionSecret)
               (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), attribution)
@@ -402,12 +403,19 @@ object OutgoingPaymentPacket {
           (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), attribution)
         case FailureReason.LocalTrampolineFailure(failure) =>
           // This is a trampoline failure: we try to encrypt it to the node who created the trampoline onion.
-          val packet = ss.trampolineOnionSecret_opt match {
-            case Some(trampolineOnionSecret) => Sphinx.FailurePacket.wrap(Sphinx.FailurePacket.create(trampolineOnionSecret, failure), trampolineOnionSecret)
-            case None => ByteVector.empty // this shouldn't happen, we only generate trampoline failures when there was a trampoline onion
+          ss.trampolineOnionSecret_opt match {
+            case Some(trampolineOnionSecret) =>
+              val packet = Sphinx.FailurePacket.create(trampolineOnionSecret, failure)
+              val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
+              val attributionInner = Sphinx.Attribution.create(previousAttribution_opt = None, Some(packet), holdTime, trampolineOnionSecret)
+              val attributionOuter = Sphinx.Attribution.create(Some(attributionInner), Some(trampolinePacket), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), attributionOuter)
+
+            case None => // this shouldn't happen, we only generate trampoline failures when there was a trampoline onion
+              val packet = Sphinx.FailurePacket.create(ss.outerOnionSecret, failure)
+              val attribution = Sphinx.Attribution.create(previousAttribution_opt = None, Some(packet), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), attribution)
           }
-          val attribution = Sphinx.Attribution.create(previousAttribution_opt = None, Some(packet), holdTime, ss.outerOnionSecret)
-          (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), attribution)
       }
     })
   }

eclair-core/src/main/scala/fr/acinq/eclair/payment/relay/NodeRelay.scala

@@ -42,6 +42,7 @@ import fr.acinq.eclair.router.{BalanceTooLow, RouteNotFound}
 import fr.acinq.eclair.wire.protocol.PaymentOnion.IntermediatePayload
 import fr.acinq.eclair.wire.protocol._
 import fr.acinq.eclair.{Alias, CltvExpiry, CltvExpiryDelta, EncodedNodeId, FeatureSupport, Features, InitFeature, InvoiceFeature, Logs, MilliSatoshi, MilliSatoshiLong, NodeParams, TimestampMilli, UInt64, UnknownFeature, nodeFee, randomBytes32}
+import scodec.bits.ByteVector
 
 import java.util.UUID
 import java.util.concurrent.TimeUnit
@@ -195,7 +196,7 @@ object NodeRelay {
             // If we received a failure from the next trampoline node, we won't be able to decrypt it: we should encrypt
             // it with our trampoline shared secret and relay it upstream, because only the sender can decrypt it.
             // Note that we currently don't process the downstream attribution data, but we could!
-            failures.collectFirst { case UnreadableRemoteFailure(_, _, packet, _) => FailureReason.EncryptedDownstreamFailure(packet, attribution_opt = None) }
+            failures.collectFirst { case UnreadableRemoteFailure(_, _, packet, attribution_opt, _) => FailureReason.EncryptedDownstreamFailure(packet, attribution_opt) }
               .getOrElse(FailureReason.LocalTrampolineFailure(TemporaryTrampolineFailure()))
           case nextPayload: IntermediatePayload.NodeRelay.ToNonTrampoline =>
             // The recipient doesn't support trampoline: if we received a failure from them, we forward it upstream.
@@ -416,11 +417,11 @@ class NodeRelay private(nodeParams: NodeParams,
     Behaviors.receiveMessagePartial {
       rejectExtraHtlcPartialFunction orElse {
         // this is the fulfill that arrives from downstream channels
-        case WrappedPreimageReceived(PreimageReceived(_, paymentPreimage)) =>
+        case WrappedPreimageReceived(PreimageReceived(_, paymentPreimage, attribution_opt)) =>
           if (!fulfilledUpstream) {
             // We want to fulfill upstream as soon as we receive the preimage (even if not all HTLCs have fulfilled downstream).
             context.log.debug("got preimage from downstream")
-            fulfillPayment(upstream, paymentPreimage)
+            fulfillPayment(upstream, paymentPreimage, attribution_opt)
             sending(upstream, recipient, walletNodeId_opt, recipientFeatures_opt, nextPayload, startedAt, fulfilledUpstream = true)
           } else {
             // we don't want to fulfill multiple times
@@ -548,16 +549,15 @@ class NodeRelay private(nodeParams: NodeParams,
     upstream.received.foreach(r => rejectHtlc(r.add.id, r.add.channelId, upstream.amountIn, r.receivedAt, Some(failure1)))
   }
 
-  private def fulfillPayment(upstream: Upstream.Hot.Trampoline, paymentPreimage: ByteVector32): Unit = upstream.received.foreach(r => {
-    // Note that we currently ignore downstream attribution data, but we could process it here to score downstream nodes.
-    val cmd = CMD_FULFILL_HTLC(r.add.id, paymentPreimage, downstreamAttribution_opt = None, Some(r.receivedAt), commit = true)
+  private def fulfillPayment(upstream: Upstream.Hot.Trampoline, paymentPreimage: ByteVector32, downstreamAttribution_opt: Option[ByteVector]): Unit = upstream.received.foreach(r => {
+    val cmd = CMD_FULFILL_HTLC(r.add.id, paymentPreimage, downstreamAttribution_opt, Some(r.receivedAt), commit = true)
     PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, r.add.channelId, cmd)
   })
 
   private def success(upstream: Upstream.Hot.Trampoline, fulfilledUpstream: Boolean, paymentSent: PaymentSent): Unit = {
     // We may have already fulfilled upstream, but we can now emit an accurate relayed event and clean-up resources.
     if (!fulfilledUpstream) {
-      fulfillPayment(upstream, paymentSent.paymentPreimage)
+      fulfillPayment(upstream, paymentSent.paymentPreimage, paymentSent.remainingAttribution_opt)
     }
     val incoming = upstream.received.map(r => PaymentRelayed.IncomingPart(r.add.amountMsat, r.add.channelId, r.receivedAt))
     val outgoing = paymentSent.parts.map(part => PaymentRelayed.OutgoingPart(part.amountWithFees, part.toChannelId, part.timestamp))

eclair-core/src/main/scala/fr/acinq/eclair/payment/relay/OnTheFlyFunding.scala

@@ -106,11 +106,11 @@ object OnTheFlyFunding {
           case Some(f) => f match {
             case f: FailureReason.EncryptedDownstreamFailure =>
               Sphinx.FailurePacket.decrypt(f.packet, f.attribution_opt, onionSharedSecrets).failure match {
-                case Left(Sphinx.CannotDecryptFailurePacket(unwrapped)) =>
+                case Left(Sphinx.CannotDecryptFailurePacket(unwrapped, attribution_opt)) =>
                   log.info("received encrypted on-the-fly funding failure")
                   // If we cannot decrypt the error, it is encrypted for the payer using the trampoline onion secrets.
                   // We unwrap the outer onion encryption and will relay the error upstream.
-                  FailureReason.EncryptedDownstreamFailure(unwrapped, None)
+                  FailureReason.EncryptedDownstreamFailure(unwrapped, attribution_opt)
                 case Right(f) =>
                   log.warning("downstream on-the-fly funding failure: {}", f.failureMessage.message)
                   // Otherwise, there was an issue with the way we forwarded the payment to the recipient.