From 695a8bd8686f30c052dc28301a7a9ca551132c7e Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Thu, 3 Dec 2020 20:04:02 +1030 Subject: [PATCH] lightningd: split onion_message hook. Only way to be sure that plugins don't accidentally respond to onion_message sent via reply path from another message (which would potentially leak our identity!). To quote BOLT #7 (Onion Messages) in the offers PR: ```markdown The reader: - MUST ignore any message which contains a `blinding` which it did not expect, or does not contain a `blinding` when one is expected. ... `blinding` is critical to the use of blinded paths: there are various means by which a blinded path is passed to a node. The receipt of an expected `blinding` indicates that blinded path has been used: it is important that a node not accept unblinded messages when it is expecting a blinded message, as this implies the sender is probing to detect if the recipient is the terminus of the blinded path. Similarly, since blinded paths don't expire, a node could try to use a blinded path to send an unexpected message hoping for a response. ``` Signed-off-by: Rusty Russell --- lightningd/onion_message.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lightningd/onion_message.c b/lightningd/onion_message.c index 9c875f2dd..e77b899af 100644 --- a/lightningd/onion_message.c +++ b/lightningd/onion_message.c @@ -51,12 +51,20 @@ onion_message_hook_cb(struct onion_message_hook_payload *payload STEALS) tal_free(payload); } +/* Two hooks, because it's critical we only accept blinding if we expect that + * exact blinding key. Otherwise, we can be probed using old blinded paths. */ REGISTER_PLUGIN_HOOK(onion_message, plugin_hook_continue, onion_message_hook_cb, onion_message_serialize, struct onion_message_hook_payload *); +REGISTER_PLUGIN_HOOK(onion_message_blinded, + plugin_hook_continue, + onion_message_hook_cb, + onion_message_serialize, + struct onion_message_hook_payload *); + /* Returns false if we can't tell it */ static bool make_peer_send(struct lightningd *ld, struct channel *dst, const u8 *msg TAKES) @@ -113,7 +121,11 @@ void handle_onionmsg_to_us(struct channel *channel, const u8 *msg) log_debug(channel->log, "Got onionmsg%s%s", payload->reply_blinding ? " reply_blinding": "", payload->reply_path ? " reply_path": ""); - plugin_hook_call_onion_message(ld, payload); + + if (payload->blinding_in) + plugin_hook_call_onion_message_blinded(ld, payload); + else + plugin_hook_call_onion_message(ld, payload); } void handle_onionmsg_forward(struct channel *channel, const u8 *msg)