Browse Source

sphinx: Implemented sphinx onion routing

Implements a spec-compliant sphinx onion routing format. The format has
been cross-checked with the go implementation
cdecker/lightning-onion@b9e117e.
ppa-0.6.1
Christian Decker 9 years ago
parent
commit
7bb5c279a8
  1. 4
      Makefile
  2. 526
      daemon/sphinx.c
  3. 126
      daemon/sphinx.h
  4. 106
      test/test_sphinx.c

4
Makefile

@ -25,7 +25,8 @@ FEATURES := $(BITCOIN_FEATURES)
TEST_PROGRAMS := \ TEST_PROGRAMS := \
test/onion_key \ test/onion_key \
test/test_protocol \ test/test_protocol \
test/test_onion test/test_onion \
test/test_sphinx
BITCOIN_SRC := \ BITCOIN_SRC := \
bitcoin/base58.c \ bitcoin/base58.c \
@ -38,6 +39,7 @@ BITCOIN_SRC := \
bitcoin/signature.c \ bitcoin/signature.c \
bitcoin/tx.c \ bitcoin/tx.c \
bitcoin/varint.c bitcoin/varint.c
BITCOIN_OBJS := $(BITCOIN_SRC:.c=.o) BITCOIN_OBJS := $(BITCOIN_SRC:.c=.o)
CORE_SRC := \ CORE_SRC := \

526
daemon/sphinx.c

@ -0,0 +1,526 @@
#include "sphinx.h"
#include <assert.h>
#include <ccan/crypto/ripemd160/ripemd160.h>
#include <ccan/crypto/sha256/sha256.h>
#include <ccan/mem/mem.h>
#include <err.h>
#include <sodium/crypto_auth_hmacsha256.h>
#include <sodium/crypto_stream_chacha20.h>
#define BLINDING_FACTOR_SIZE 32
#define SHARED_SECRET_SIZE 32
#define NUM_STREAM_BYTES (2 * NUM_MAX_HOPS + 2) * SECURITY_PARAMETER
#define KEY_LEN 32
struct hop_params {
u8 secret[SHARED_SECRET_SIZE];
u8 blind[BLINDING_FACTOR_SIZE];
secp256k1_pubkey ephemeralkey;
};
struct keyset {
u8 pi[KEY_LEN];
u8 mu[KEY_LEN];
u8 rho[KEY_LEN];
u8 gamma[KEY_LEN];
};
/* Small helper to append data to a buffer and update the position
* into the buffer
*/
static void write_buffer(u8 *dst, const void *src, const size_t len, int *pos)
{
memcpy(dst + *pos, src, len);
*pos += len;
}
/* Read len bytes from the source at position pos into dst and update
* the position pos accordingly.
*/
static void read_buffer(void *dst, const u8 *src, const size_t len, int *pos)
{
memcpy(dst, src + *pos, len);
*pos += len;
}
u8 *serialize_onionpacket(
const tal_t *ctx,
const secp256k1_context *secpctx,
const struct onionpacket *m)
{
u8 *dst = tal_arr(ctx, u8, TOTAL_PACKET_SIZE);
u8 der[33];
size_t outputlen = 33;
int p = 0;
secp256k1_ec_pubkey_serialize(secpctx,
der,
&outputlen,
&m->ephemeralkey,
SECP256K1_EC_COMPRESSED);
write_buffer(dst, &m->version, 1, &p);
write_buffer(dst, der, outputlen, &p);
write_buffer(dst, m->mac, sizeof(m->mac), &p);
write_buffer(dst, m->routinginfo, ROUTING_INFO_SIZE, &p);
write_buffer(dst, m->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE, &p);
write_buffer(dst, m->payload, MESSAGE_SIZE, &p);
return dst;
}
struct onionpacket *parse_onionpacket(
const tal_t *ctx,
const secp256k1_context *secpctx,
const void *src,
const size_t srclen
)
{
struct onionpacket *m;
int p = 0;
u8 rawEphemeralkey[33];
if (srclen != TOTAL_PACKET_SIZE)
return NULL;
m = talz(ctx, struct onionpacket);
read_buffer(&m->version, src, 1, &p);
if (m->version != 0x01) {
// FIXME add logging
return NULL;
}
read_buffer(rawEphemeralkey, src, 33, &p);
if (secp256k1_ec_pubkey_parse(secpctx, &m->ephemeralkey, rawEphemeralkey, 33) != 1)
return NULL;
read_buffer(&m->mac, src, 20, &p);
read_buffer(&m->routinginfo, src, ROUTING_INFO_SIZE, &p);
read_buffer(&m->hoppayloads, src, TOTAL_HOP_PAYLOAD_SIZE, &p);
read_buffer(m->payload, src, MESSAGE_SIZE, &p);
return m;
}
static struct hoppayload *parse_hoppayload(const tal_t *ctx, u8 *src)
{
int p = 0;
struct hoppayload *result = talz(ctx, struct hoppayload);
read_buffer(&result->realm, src, sizeof(&result->realm), &p);
read_buffer(&result->amount, src, sizeof(&result->amount), &p);
read_buffer(&result->remainder, src, sizeof(&result->remainder), &p);
return result;
}
static void serialize_hoppayload(u8 *dst, struct hoppayload *hp)
{
int p = 0;
write_buffer(dst, &hp->realm, sizeof(&hp->realm), &p);
write_buffer(dst, &hp->amount, sizeof(&hp->amount), &p);
write_buffer(dst, &hp->remainder, sizeof(&hp->remainder), &p);
}
static void xorbytes(uint8_t *d, const uint8_t *a, const uint8_t *b, size_t len)
{
size_t i = 0;
for (i = 0; i < len; i++)
d[i] = a[i] ^ b[i];
}
/*
* Encrypt a message `m` of length `mlen` with key `key` and store the
* ciphertext in `c`. `c` must be pre-allocated to at least `mlen` bytes.
*/
static void stream_encrypt(void *c, const void *m, const size_t mlen, const u8 *key)
{
u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
memcheck(c, mlen);
crypto_stream_chacha20_xor(c, m, mlen, nonce, key);
}
/*
* Decrypt a ciphertext `c` of length `clen` with key `key` and store the
* cleartext in `m`. `m` must be pre-allocated to at least `clen` bytes.
*/
static void stream_decrypt(void *m, const void *c, const size_t clen, const u8 *key)
{
stream_encrypt(m, c, clen, key);
}
/*
* Generate a pseudo-random byte stream of length `dstlen` from key `k` and
* store it in `dst`. `dst must be at least `dstlen` bytes long.
*/
static void generate_cipher_stream(void *dst, const u8 *k, size_t dstlen)
{
u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
crypto_stream_chacha20(dst, dstlen, nonce, k);
}
static bool compute_hmac(
void *dst,
const void *src,
size_t len,
const void *key,
size_t keylen)
{
crypto_auth_hmacsha256_state state;
crypto_auth_hmacsha256_init(&state, key, keylen);
crypto_auth_hmacsha256_update(&state, memcheck(src, len), len);
crypto_auth_hmacsha256_final(&state, dst);
return true;
}
static void compute_packet_hmac(struct onionpacket *packet, u8 *mukey, u8 *hmac)
{
u8 mactemp[ROUTING_INFO_SIZE + TOTAL_HOP_PAYLOAD_SIZE + MESSAGE_SIZE];
memcpy(mactemp, packet->routinginfo, ROUTING_INFO_SIZE);
memcpy(mactemp + ROUTING_INFO_SIZE, packet->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE);
memcpy(mactemp + ROUTING_INFO_SIZE + TOTAL_HOP_PAYLOAD_SIZE, packet->payload, sizeof(packet->payload));
compute_hmac(hmac, mactemp, sizeof(mactemp), mukey, KEY_LEN);
}
static bool generate_key(void *k, const char *t, u8 tlen, const u8 *s)
{
return compute_hmac(k, s, KEY_LEN, t, tlen);
}
static bool generate_header_padding(
void *dst, size_t dstlen,
const size_t hopsize,
const char *keytype,
size_t keytypelen,
const u8 numhops,
struct hop_params *params
)
{
int i;
u8 cipher_stream[(NUM_MAX_HOPS + 1) * hopsize];
u8 key[KEY_LEN];
memset(dst, 0, dstlen);
for (i = 1; i < numhops; i++) {
if (!generate_key(&key, keytype, keytypelen, params[i - 1].secret))
return false;
generate_cipher_stream(cipher_stream, key, sizeof(cipher_stream));
int pos = ((NUM_MAX_HOPS - i) + 1) * hopsize;
xorbytes(dst, dst, cipher_stream + pos, sizeof(cipher_stream) - pos);
}
return true;
}
static void compute_blinding_factor(secp256k1_context *secpctx,
secp256k1_pubkey *key,
u8 sharedsecret[SHARED_SECRET_SIZE],
u8 res[BLINDING_FACTOR_SIZE])
{
struct sha256_ctx ctx;
u8 der[33];
size_t outputlen = 33;
struct sha256 temp;
secp256k1_ec_pubkey_serialize(secpctx, der, &outputlen, key,
SECP256K1_EC_COMPRESSED);
sha256_init(&ctx);
sha256_update(&ctx, der, sizeof(der));
sha256_update(&ctx, sharedsecret, SHARED_SECRET_SIZE);
sha256_done(&ctx, &temp);
memcpy(res, &temp, 32);
}
static bool blind_group_element(
secp256k1_context *secpctx,
secp256k1_pubkey *blindedelement,
secp256k1_pubkey *pubkey,
u8 blind[BLINDING_FACTOR_SIZE])
{
/* tweak_mul is inplace so copy first. */
if (pubkey != blindedelement)
memcpy(blindedelement, pubkey, sizeof(secp256k1_pubkey));
if (secp256k1_ec_pubkey_tweak_mul(secpctx, blindedelement, blind) != 1)
return false;
return true;
}
static bool create_shared_secret(
secp256k1_context *secpctx,
u8 *secret,
const secp256k1_pubkey *pubkey,
const u8 *sessionkey)
{
/* Need to copy since tweak is in-place */
secp256k1_pubkey pkcopy;
u8 ecres[33];
memcpy(&pkcopy, pubkey, sizeof(pkcopy));
if (secp256k1_ec_pubkey_tweak_mul(secpctx, &pkcopy, sessionkey) != 1)
return false;
/* Serialize and strip first byte, this gives us the X coordinate */
size_t outputlen = 33;
secp256k1_ec_pubkey_serialize(secpctx, ecres, &outputlen,
&pkcopy, SECP256K1_EC_COMPRESSED);
struct sha256 h;
sha256(&h, ecres + 1, sizeof(ecres) - 1);
memcpy(secret, &h, sizeof(h));
return true;
}
void pubkey_hash160(
const secp256k1_context *secpctx,
u8 *dst,
const struct pubkey *pubkey)
{
struct ripemd160 r;
struct sha256 h;
u8 der[33];
size_t outputlen = 33;
secp256k1_ec_pubkey_serialize(secpctx,
der,
&outputlen,
&pubkey->pubkey,
SECP256K1_EC_COMPRESSED);
sha256(&h, der, sizeof(der));
ripemd160(&r, h.u.u8, sizeof(h));
memcpy(dst, r.u.u8, sizeof(r));
}
static void generate_key_set(u8 secret[SHARED_SECRET_SIZE], struct keyset *keys)
{
generate_key(keys->rho, "rho", 3, secret);
generate_key(keys->pi, "pi", 2, secret);
generate_key(keys->mu, "mu", 2, secret);
generate_key(keys->gamma, "gamma", 5, secret);
}
static struct hop_params *generate_hop_params(
const tal_t *ctx,
secp256k1_context *secpctx,
const u8 *sessionkey,
struct pubkey path[])
{
int i, j, num_hops = tal_count(path);
secp256k1_pubkey temp;
u8 blind[BLINDING_FACTOR_SIZE];
struct hop_params *params = tal_arr(ctx, struct hop_params, num_hops);
/* Initialize the first hop with the raw information */
if (secp256k1_ec_pubkey_create(
secpctx, &params[0].ephemeralkey, sessionkey) != 1)
return NULL;
if (!create_shared_secret(
secpctx, params[0].secret, &path[0].pubkey, sessionkey))
return NULL;
compute_blinding_factor(
secpctx, &params[0].ephemeralkey, params[0].secret,
params[0].blind);
/* Recursively compute all following ephemeral public keys,
* secrets and blinding factors
*/
for (i = 1; i < num_hops; i++) {
if (!blind_group_element(
secpctx, &params[i].ephemeralkey,
&params[i - 1].ephemeralkey,
params[i - 1].blind))
return NULL;
/* Blind this hop's point with all previous blinding factors
* Order is indifferent, multiplication is commutative.
*/
memcpy(&blind, sessionkey, 32);
memcpy(&temp, &path[i], sizeof(temp));
if (!blind_group_element(secpctx, &temp, &temp, blind))
return NULL;
for (j = 0; j < i; j++)
if (!blind_group_element(
secpctx,
&temp,
&temp,
params[j].blind))
return NULL;
/* Now hash temp and store it. This requires us to
* DER-serialize first and then skip the sign byte.
*/
u8 der[33];
size_t outputlen = 33;
secp256k1_ec_pubkey_serialize(
secpctx, der, &outputlen, &temp,
SECP256K1_EC_COMPRESSED);
struct sha256 h;
sha256(&h, der + 1, sizeof(der) - 1);
memcpy(&params[i].secret, &h, sizeof(h));
compute_blinding_factor(
secpctx, &params[i].ephemeralkey,
params[i].secret, params[i].blind);
}
return params;
}
struct onionpacket *create_onionpacket(
const tal_t *ctx,
secp256k1_context *secpctx,
struct pubkey *path,
struct hoppayload hoppayloads[],
const u8 *sessionkey,
const u8 *message,
const size_t messagelen
)
{
struct onionpacket *packet = talz(ctx, struct onionpacket);
int i, num_hops = tal_count(path);
u8 filler[2 * (num_hops - 1) * SECURITY_PARAMETER];
u8 hopfiller[(num_hops - 1) * HOP_PAYLOAD_SIZE];
struct keyset keys;
u8 nextaddr[20], nexthmac[SECURITY_PARAMETER];
u8 stream[ROUTING_INFO_SIZE], hopstream[TOTAL_HOP_PAYLOAD_SIZE];
struct hop_params *params = generate_hop_params(ctx, secpctx, sessionkey, path);
u8 binhoppayloads[tal_count(path)][HOP_PAYLOAD_SIZE];
for (i = 0; i < num_hops; i++)
serialize_hoppayload(binhoppayloads[i], &hoppayloads[i]);
if (MESSAGE_SIZE > messagelen) {
memset(&packet->hoppayloads, 0, TOTAL_HOP_PAYLOAD_SIZE);
memset(&packet->payload, 0xFF, MESSAGE_SIZE);
memcpy(&packet->payload, message, messagelen);
packet->payload[messagelen] = 0x7f;
}
if (!params)
return NULL;
packet->version = 1;
memset(nextaddr, 0, 20);
memset(nexthmac, 0, 20);
memset(packet->routinginfo, 0, ROUTING_INFO_SIZE);
generate_header_padding(filler, sizeof(filler), 2 * SECURITY_PARAMETER,
"rho", 3, num_hops, params);
generate_header_padding(hopfiller, sizeof(hopfiller), HOP_PAYLOAD_SIZE,
"gamma", 5, num_hops, params);
for (i = num_hops - 1; i >= 0; i--) {
generate_key_set(params[i].secret, &keys);
generate_cipher_stream(stream, keys.rho, ROUTING_INFO_SIZE);
/* Rightshift mix-header by 2*SECURITY_PARAMETER */
memmove(packet->routinginfo + 2 * SECURITY_PARAMETER, packet->routinginfo,
ROUTING_INFO_SIZE - 2 * SECURITY_PARAMETER);
memcpy(packet->routinginfo, nextaddr, SECURITY_PARAMETER);
memcpy(packet->routinginfo + SECURITY_PARAMETER, nexthmac, SECURITY_PARAMETER);
xorbytes(packet->routinginfo, packet->routinginfo, stream, ROUTING_INFO_SIZE);
/* Rightshift hop-payloads and obfuscate */
memmove(packet->hoppayloads + HOP_PAYLOAD_SIZE, packet->hoppayloads,
TOTAL_HOP_PAYLOAD_SIZE - HOP_PAYLOAD_SIZE);
memcpy(packet->hoppayloads, binhoppayloads[i], HOP_PAYLOAD_SIZE);
generate_cipher_stream(hopstream, keys.gamma, TOTAL_HOP_PAYLOAD_SIZE);
xorbytes(packet->hoppayloads, packet->hoppayloads, hopstream,
TOTAL_HOP_PAYLOAD_SIZE);
if (i == num_hops - 1) {
size_t len = (NUM_MAX_HOPS - num_hops + 1) * 2 * SECURITY_PARAMETER;
memcpy(packet->routinginfo + len, filler, sizeof(filler));
len = (NUM_MAX_HOPS - num_hops + 1) * HOP_PAYLOAD_SIZE;
memcpy(packet->hoppayloads + len, hopfiller, sizeof(hopfiller));
}
/* Obfuscate end-to-end payload */
stream_encrypt(packet->payload, packet->payload, sizeof(packet->payload), keys.pi);
compute_packet_hmac(packet, keys.mu, nexthmac);
pubkey_hash160(secpctx, nextaddr, &path[i]);
}
memcpy(packet->mac, nexthmac, sizeof(nexthmac));
memcpy(&packet->ephemeralkey, &params[0].ephemeralkey, sizeof(secp256k1_pubkey));
return packet;
}
/*
* Given a onionpacket msg extract the information for the current
* node and unwrap the remainder so that the node can forward it.
*/
struct route_step *process_onionpacket(
const tal_t *ctx,
secp256k1_context *secpctx,
struct onionpacket *msg,
struct privkey *hop_privkey
)
{
struct route_step *step = talz(ctx, struct route_step);
u8 secret[SHARED_SECRET_SIZE];
u8 hmac[20];
struct keyset keys;
u8 paddedhoppayloads[TOTAL_HOP_PAYLOAD_SIZE + HOP_PAYLOAD_SIZE];
u8 hopstream[TOTAL_HOP_PAYLOAD_SIZE + HOP_PAYLOAD_SIZE];
u8 blind[BLINDING_FACTOR_SIZE];
u8 stream[NUM_STREAM_BYTES];
u8 paddedheader[ROUTING_INFO_SIZE + 2 * SECURITY_PARAMETER];
step->next = talz(ctx, struct onionpacket);
step->next->version = msg->version;
create_shared_secret(secpctx, secret, &msg->ephemeralkey, hop_privkey->secret);
generate_key_set(secret, &keys);
compute_packet_hmac(msg, keys.mu, hmac);
if (memcmp(msg->mac, hmac, sizeof(hmac)) != 0) {
warnx("Computed MAC does not match expected MAC, the message was modified.");
return NULL;
}
//FIXME:store seen secrets to avoid replay attacks
generate_cipher_stream(stream, keys.rho, sizeof(stream));
memset(paddedheader, 0, sizeof(paddedheader));
memcpy(paddedheader, msg->routinginfo, ROUTING_INFO_SIZE);
xorbytes(paddedheader, paddedheader, stream, sizeof(stream));
/* Extract the per-hop payload */
generate_cipher_stream(hopstream, keys.gamma, sizeof(hopstream));
memset(paddedhoppayloads, 0, sizeof(paddedhoppayloads));
memcpy(paddedhoppayloads, msg->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE);
xorbytes(paddedhoppayloads, paddedhoppayloads, hopstream, sizeof(hopstream));
step->hoppayload = parse_hoppayload(step, paddedhoppayloads);
memcpy(&step->next->hoppayloads, paddedhoppayloads + HOP_PAYLOAD_SIZE,
TOTAL_HOP_PAYLOAD_SIZE);
compute_blinding_factor(secpctx, &msg->ephemeralkey, secret, blind);
if (!blind_group_element(secpctx, &step->next->ephemeralkey, &msg->ephemeralkey, blind))
return NULL;
memcpy(&step->next->nexthop, paddedheader, SECURITY_PARAMETER);
memcpy(&step->next->mac,
paddedheader + SECURITY_PARAMETER,
SECURITY_PARAMETER);
stream_decrypt(step->next->payload, msg->payload, sizeof(msg->payload), keys.pi);
memcpy(&step->next->routinginfo, paddedheader + 2 * SECURITY_PARAMETER, ROUTING_INFO_SIZE);
if (memeqzero(step->next->mac, sizeof(&step->next->mac))) {
step->nextcase = ONION_END;
} else {
step->nextcase = ONION_FORWARD;
}
return step;
}

126
daemon/sphinx.h

@ -0,0 +1,126 @@
#ifndef LIGHTNING_DAEMON_SPHINX_H
#define LIGHTNING_DAEMON_SPHINX_H
#include "config.h"
#include "bitcoin/privkey.h"
#include "bitcoin/pubkey.h"
#include <ccan/short_types/short_types.h>
#include <ccan/tal/tal.h>
#include <secp256k1.h>
#include <sodium/randombytes.h>
#define SECURITY_PARAMETER 20
#define NUM_MAX_HOPS 20
#define HOP_PAYLOAD_SIZE 20
#define TOTAL_HOP_PAYLOAD_SIZE NUM_MAX_HOPS * HOP_PAYLOAD_SIZE
#define MESSAGE_SIZE 0
#define ROUTING_INFO_SIZE 2 * NUM_MAX_HOPS * SECURITY_PARAMETER
#define TOTAL_PACKET_SIZE 1 + 33 + SECURITY_PARAMETER + ROUTING_INFO_SIZE + \
TOTAL_HOP_PAYLOAD_SIZE + MESSAGE_SIZE
struct onionpacket {
/* Cleartext information */
u8 version;
u8 nexthop[20];
u8 mac[20];
secp256k1_pubkey ephemeralkey;
/* Encrypted information */
u8 routinginfo[ROUTING_INFO_SIZE];
u8 hoppayloads[TOTAL_HOP_PAYLOAD_SIZE];
u8 payload[MESSAGE_SIZE];
};
enum route_next_case {
ONION_END = 0,
ONION_FORWARD = 1,
};
struct hoppayload {
u8 realm;
u64 amount;
u8 remainder[11];
};
struct route_step {
enum route_next_case nextcase;
struct onionpacket *next;
u8 *payload;
struct hoppayload *hoppayload;
};
/**
* create_onionpacket - Create a new onionpacket that can be routed
* over a path of intermediate nodes.
*
* @ctx: tal context to allocate from
* @secpctx: the secp256k1_context for EC operations
* @path: public keys of nodes along the path.
* @hoppayloads: payloads destined for individual hosts (limited to
* HOP_PAYLOAD_SIZE bytes)
* @num_hops: path length in nodes
* @sessionkey: 20 byte random session key to derive secrets from
* @message: end-to-end payload destined for the final recipient
* @messagelen: length of @message
*/
struct onionpacket *create_onionpacket(
const tal_t * ctx,
secp256k1_context * secpctx,
struct pubkey path[],
struct hoppayload hoppayloads[],
const u8 * sessionkey,
const u8 * message,
const size_t messagelen
);
/**
* process_onionpacket - process an incoming packet by stripping one
* onion layer and return the packet for the next hop.
*
* @ctx: tal context to allocate from
* @secpctx: the secp256k1_context for EC operations
* @packet: incoming packet being processed
* @hop_privkey: the processing node's private key to decrypt the packet
* @hoppayload: the per-hop payload destined for the processing node.
*/
struct route_step *process_onionpacket(
const tal_t * ctx,
secp256k1_context * secpctx,
struct onionpacket *packet,
struct privkey *hop_privkey
);
/**
* serialize_onionpacket - Serialize an onionpacket to a buffer.
*
* @ctx: tal context to allocate from
* @secpctx: the secp256k1_context for EC operations
* @packet: the packet to serialize
*/
u8 *serialize_onionpacket(
const tal_t *ctx,
const secp256k1_context *secpctx,
const struct onionpacket *packet);
/**
* parese_onionpacket - Parse an onionpacket from a buffer.
*
* @ctx: tal context to allocate from
* @secpctx: the secp256k1_context for EC operations
* @src: buffer to read the packet from
* @srclen: length of the @src
*/
struct onionpacket *parse_onionpacket(
const tal_t *ctx,
const secp256k1_context *secpctx,
const void *src,
const size_t srclen
);
void pubkey_hash160(
const secp256k1_context *secpctx,
u8 *dst,
const struct pubkey *pubkey);
#endif /* LIGHTNING_DAEMON_SPHINX_H */

106
test/test_sphinx.c

@ -0,0 +1,106 @@
#include <secp256k1.h>
#include <ccan/opt/opt.h>
#include <ccan/short_types/short_types.h>
#include <string.h>
#include <ccan/str/hex/hex.h>
#include <ccan/read_write_all/read_write_all.h>
#include <err.h>
#include <stdio.h>
#include <assert.h>
#include <unistd.h>
#include "daemon/sphinx.h"
#include "daemon/sphinx.c"
int main(int argc, char **argv)
{
bool generate = false, decode = false;
secp256k1_context *secpctx = secp256k1_context_create(
SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN);
const tal_t *ctx = talz(NULL, tal_t);
opt_register_noarg("--help|-h", opt_usage_and_exit,
"--generate <pubkey1> <pubkey2>... OR\n"
"--decode <privkey>\n"
"Either create an onion message, or decode one step",
"Print this message.");
opt_register_noarg("--generate",
opt_set_bool, &generate,
"Generate onion through the given hex pubkeys");
opt_register_noarg("--decode",
opt_set_bool, &decode,
"Decode onion from stdin given the private key");
opt_parse(&argc, argv, opt_log_stderr_exit);
if (generate) {
int num_hops = argc - 1;
struct pubkey *path = tal_arr(ctx, struct pubkey, num_hops);
u8 privkeys[argc - 1][32];
u8 sessionkey[32];
memset(&sessionkey, 'A', sizeof(sessionkey));
int i;
for (i = 0; i < num_hops; i++) {
hex_decode(argv[1 + i], 66, privkeys[i], 33);
if (secp256k1_ec_pubkey_create(secpctx, &path[i].pubkey, privkeys[i]) != 1)
return 1;
}
struct hoppayload *hoppayloads = tal_arr(ctx, struct hoppayload, num_hops);
for (i=0; i<num_hops; i++)
memset(&hoppayloads[i], 'A', sizeof(hoppayloads[i]));
struct onionpacket *res = create_onionpacket(ctx, secpctx,
path,
hoppayloads,
sessionkey,
(u8*)"testing",
7);
u8 *serialized = serialize_onionpacket(ctx, secpctx, res);
if (!serialized)
errx(1, "Error serializing message.");
char hextemp[2 * tal_count(serialized) + 1];
hex_encode(serialized, tal_count(serialized), hextemp, sizeof(hextemp));
printf("%s\n", hextemp);
} else if (decode) {
struct route_step *step;
struct onionpacket *msg;
struct privkey seckey;
const tal_t *ctx = talz(NULL, tal_t);
u8 serialized[TOTAL_PACKET_SIZE];
char hextemp[2 * sizeof(serialized) + 1];
memset(hextemp, 0, sizeof(hextemp));
if (argc != 2)
opt_usage_exit_fail("Expect a privkey with --decode");
if (!hex_decode(argv[1], strlen(argv[1]), &seckey, sizeof(seckey)))
errx(1, "Invalid private key hex '%s'", argv[1]);
if (!read_all(STDIN_FILENO, hextemp, sizeof(hextemp)))
errx(1, "Reading in onion");
hex_decode(hextemp, sizeof(hextemp), serialized, sizeof(serialized));
msg = parse_onionpacket(ctx, secpctx, serialized, sizeof(serialized));
if (!msg)
errx(1, "Error parsing message.");
step = process_onionpacket(ctx, secpctx, msg, &seckey);
if (!step->next)
errx(1, "Error processing message.");
u8 *ser = serialize_onionpacket(ctx, secpctx, step->next);
if (!ser)
errx(1, "Error serializing message.");
hex_encode(ser, tal_count(ser), hextemp, sizeof(hextemp));
printf("%s\n", hextemp);
}
secp256k1_context_destroy(secpctx);
tal_free(ctx);
return 0;
}
Loading…
Cancel
Save