lnpeer: update_add_htlc: take blinding into account for HTLCs arriving via blinded path

Author: accumulator

electrum/lnpeer.py

@@ -21,9 +21,10 @@
 import aiorpcx
 from aiorpcx import ignore_after
 
-from .crypto import sha256, sha256d, privkey_to_pubkey
+from .crypto import sha256, sha256d, privkey_to_pubkey, get_ecdh
 from . import bitcoin, util
 from . import constants
+from .onion_message import blinding_privkey
 from .util import (log_exceptions, ignore_exceptions, chunks, OldTaskGroup,
                    UnrelatedTransactionException, error_text_bytes_to_safe_str, AsyncHangDetector,
                    NoDynamicFeeEstimates, event_listener, EventListener)
@@ -35,7 +36,7 @@
 from .lnonion import (new_onion_packet, OnionFailureCode, calc_hops_data_for_payment, process_onion_packet,
                       OnionPacket, construct_onion_error, obfuscate_onion_error, OnionRoutingFailure,
                       ProcessedOnionPacket, UnsupportedOnionPacketVersion, InvalidOnionMac, InvalidOnionPubkey,
-                      OnionFailureCodeMetaFlag, calc_hops_data_for_blinded_payment)
+                      OnionFailureCodeMetaFlag, calc_hops_data_for_blinded_payment, decrypt_onionmsg_data_tlv)
 from .lnchannel import Channel, RevokeAndAck, RemoteCtnTooFarInFuture, ChannelState, PeerState, ChanCloseOption, CF_ANNOUNCE_CHANNEL
 from . import lnutil
 from .lnutil import (Outpoint, LocalConfig, RECEIVED, UpdateAddHtlc, ChannelConfig,
@@ -2063,12 +2064,14 @@ def on_update_add_htlc(self, chan: Channel, payload):
         cltv_abs = payload["cltv_expiry"]
         amount_msat_htlc = payload["amount_msat"]
         onion_packet = payload["onion_routing_packet"]
+        blinding = payload.get("update_add_htlc_tlvs", {}).get("blinded_path", {}).get("path_key")
         htlc = UpdateAddHtlc(
             amount_msat=amount_msat_htlc,
             payment_hash=payment_hash,
             cltv_abs=cltv_abs,
             timestamp=int(time.time()),
-            htlc_id=htlc_id)
+            htlc_id=htlc_id,
+            blinding=blinding)
         self.logger.info(f"on_update_add_htlc. chan {chan.short_channel_id}. htlc={str(htlc)}")
         if chan.get_state() != ChannelState.OPEN:
             raise RemoteMisbehaving(f"received update_add_htlc while chan.get_state() != OPEN. state was {chan.get_state()!r}")
@@ -2115,11 +2118,29 @@ def check_accepted_htlc(
             raise OnionRoutingFailure(
                 code=OnionFailureCode.FINAL_INCORRECT_CLTV_EXPIRY,
                 data=htlc.cltv_abs.to_bytes(4, byteorder="big"))
-        try:
-            total_msat = processed_onion.hop_data.payload["payment_data"]["total_msat"]  # type: int
-        except Exception:
-            log_fail_reason(f"'total_msat' missing from onion")
-            raise exc_incorrect_or_unknown_pd
+
+        if htlc.blinding:  # payment over blinded path
+            # spec: MUST return an error if the payload contains other tlv fields than encrypted_recipient_data,
+            # current_path_key, amt_to_forward, outgoing_cltv_value and total_amount_msat.
+            assert all(x in ['encrypted_recipient_data', 'current_blinding_point', 'amt_to_forward', 'outgoing_cltv_value', 'total_amount_msat']
+                       for x in processed_onion.hop_data.payload.keys())
+            shared_secret = get_ecdh(self.privkey, htlc.blinding)
+            recipient_data = decrypt_onionmsg_data_tlv(
+                shared_secret=shared_secret,
+                encrypted_recipient_data=processed_onion.hop_data.payload['encrypted_recipient_data']['encrypted_data']
+            )
+            payment_secret_from_onion = recipient_data['path_id']['data']
+            try:
+                total_msat = processed_onion.hop_data.payload['total_amount_msat']['total_msat']
+            except Exception as e:
+                log_fail_reason(f"'total_msat' missing from onion")
+                raise exc_incorrect_or_unknown_pd
+        else:
+            try:
+                total_msat = processed_onion.hop_data.payload["payment_data"]["total_msat"]  # type: int
+            except Exception:
+                log_fail_reason(f"'total_msat' missing from onion")
+                raise exc_incorrect_or_unknown_pd
 
         if chan.opening_fee:
             channel_opening_fee = chan.opening_fee['channel_opening_fee']  # type: int
@@ -2134,11 +2155,12 @@ def check_accepted_htlc(
                 code=OnionFailureCode.FINAL_INCORRECT_HTLC_AMOUNT,
                 data=htlc.amount_msat.to_bytes(8, byteorder="big"))
 
-        try:
-            payment_secret_from_onion = processed_onion.hop_data.payload["payment_data"]["payment_secret"]  # type: bytes
-        except Exception:
-            log_fail_reason(f"'payment_secret' missing from onion")
-            raise exc_incorrect_or_unknown_pd
+        if not htlc.blinding:
+            try:
+                payment_secret_from_onion = processed_onion.hop_data.payload["payment_data"]["payment_secret"]  # type: bytes
+            except Exception:
+                log_fail_reason(f"'payment_secret' missing from onion")
+                raise exc_incorrect_or_unknown_pd
 
         return payment_secret_from_onion, total_msat, channel_opening_fee, exc_incorrect_or_unknown_pd
 
@@ -2794,7 +2816,7 @@ async def htlc_switch(self):
                     onion_packet = None
                     try:
                         onion_packet = OnionPacket.from_bytes(onion_packet_bytes)
-                    except OnionRoutingFailure as e:
+                    except OnionRoutingFailure as e:  # NOTE: never reached?
                         error_reason = e
                     else:
                         try:
@@ -2808,6 +2830,7 @@ async def htlc_switch(self):
                                 assert forwarding_key is None
                                 unfulfilled[htlc_id] = onion_packet_hex, _forwarding_key
                         except OnionRoutingFailure as e:
+                            self.logger.debug(f'OnionRoutingFailure: {e.code!r}')
                             error_bytes = construct_onion_error(e, onion_packet.public_key, self.privkey, self.network.get_local_height())
                         if error_bytes:
                             error_bytes = obfuscate_onion_error(error_bytes, onion_packet.public_key, our_onion_private_key=self.privkey)
@@ -2874,6 +2897,7 @@ def process_unfulfilled_htlc(
         processed_onion = self.process_onion_packet(
             onion_packet,
             payment_hash=payment_hash,
+            blinding=htlc.blinding,
             onion_packet_bytes=onion_packet_bytes)
 
         preimage, forwarding_info = self.maybe_fulfill_htlc(
@@ -2940,13 +2964,16 @@ def process_onion_packet(
             onion_packet: OnionPacket, *,
             payment_hash: bytes,
             onion_packet_bytes: bytes,
+            blinding: bytes = None,
             is_trampoline: bool = False) -> ProcessedOnionPacket:
 
         failure_data = sha256(onion_packet_bytes)
+        privkey = blinding_privkey(privkey=self.privkey, blinding=blinding) if blinding else self.privkey
+
         try:
             processed_onion = process_onion_packet(
                 onion_packet,
-                our_onion_private_key=self.privkey,
+                our_onion_private_key=privkey,
                 associated_data=payment_hash,
                 is_trampoline=is_trampoline)
         except UnsupportedOnionPacketVersion:

electrum/lnutil.py

@@ -1913,16 +1913,18 @@ class UpdateAddHtlc:
     cltv_abs: int
     htlc_id: Optional[int] = dataclasses.field(default=None)
     timestamp: int = dataclasses.field(default_factory=lambda: int(time.time()))
+    blinding: bytes = None
 
     @staticmethod
     @stored_in('adds', tuple)
-    def from_tuple(amount_msat, rhash, cltv_abs, htlc_id, timestamp) -> 'UpdateAddHtlc':
+    def from_tuple(amount_msat, rhash, cltv_abs, htlc_id, timestamp, blinding = None) -> 'UpdateAddHtlc':
         return UpdateAddHtlc(
             amount_msat=amount_msat,
             payment_hash=bytes.fromhex(rhash),
             cltv_abs=cltv_abs,
             htlc_id=htlc_id,
-            timestamp=timestamp)
+            timestamp=timestamp,
+            blinding=None if blinding is None else bytes.fromhex(blinding))
 
     def to_json(self):
         self._validate()

electrum/lnwire/peer_wire.csv

@@ -116,8 +116,9 @@ msgdata,update_add_htlc,amount_msat,u64,
 msgdata,update_add_htlc,payment_hash,sha256,
 msgdata,update_add_htlc,cltv_expiry,u32,
 msgdata,update_add_htlc,onion_routing_packet,byte,1366
-tlvtype,update_add_htlc_tlvs,blinding_point,0
-tlvdata,update_add_htlc_tlvs,blinding_point,blinding,point,
+msgdata,update_add_htlc,tlvs,update_add_htlc_tlvs,
+tlvtype,update_add_htlc_tlvs,blinded_path,0
+tlvdata,update_add_htlc_tlvs,blinded_path,path_key,point,
 msgtype,update_fulfill_htlc,130
 msgdata,update_fulfill_htlc,channel_id,channel_id,
 msgdata,update_fulfill_htlc,id,u64,