#include #include #include #include #include #include #include #include #include #include #include #include #include #define BLINDING_FACTOR_SIZE 32 #define SHARED_SECRET_SIZE 32 #define KEY_LEN 32 #define NUM_STREAM_BYTES (2*ROUTING_INFO_SIZE) #define ONION_REPLY_SIZE 256 #define RHO_KEYTYPE "rho" struct hop_params { u8 secret[SHARED_SECRET_SIZE]; u8 blind[BLINDING_FACTOR_SIZE]; struct pubkey ephemeralkey; }; struct keyset { u8 pi[KEY_LEN]; u8 mu[KEY_LEN]; u8 rho[KEY_LEN]; u8 gamma[KEY_LEN]; }; /* * All the necessary information to generate a valid onion for this hop on a * sphinx path. The payload is preserialized in order since the onion * generation is payload agnostic. */ struct sphinx_hop { struct pubkey pubkey; enum sphinx_payload_type type; const u8 *payload; u8 hmac[HMAC_SIZE]; }; /* Encapsulates the information about a given payment path for the the onion * routing algorithm. */ struct sphinx_path { /* The session_key used to generate the shared secrets along the * path. This MUST be generated in a cryptographically secure manner, * and is exposed solely for testing, i.e., it can be set to known * values in unit tests. If unset it'll be generated during the packet * generation. */ struct secret *session_key; /* The associated data is appended to the packet when generating the * HMAC, but is not passed along as part of the packet. It is used to * ensure some external data (HTLC payment_hash) is not modified along * the way. */ u8 *associated_data; /* The individual hops on this route. */ struct sphinx_hop *hops; }; struct sphinx_path *sphinx_path_new(const tal_t *ctx, const u8 *associated_data) { struct sphinx_path *sp = tal(ctx, struct sphinx_path); sp->associated_data = tal_dup_arr(sp, u8, associated_data, tal_bytelen(associated_data), 0); sp->session_key = NULL; sp->hops = tal_arr(sp, struct sphinx_hop, 0); return sp; } struct sphinx_path *sphinx_path_new_with_key(const tal_t *ctx, const u8 *associated_data, const struct secret *session_key) { struct sphinx_path *sp = sphinx_path_new(ctx, associated_data); sp->session_key = tal_dup(sp, struct secret, session_key); return sp; } static size_t sphinx_hop_size(const struct sphinx_hop *hop) { size_t size = tal_bytelen(hop->payload), vsize; /* There is no point really in trying to serialize something that is * larger than the maximum length we can fit into the payload region * anyway. 3 here is the maximum varint size that we allow. */ assert(size < ROUTING_INFO_SIZE - 3 - HMAC_SIZE); /* Backwards compatibility: realm 0 is the legacy hop_data format and * always has 65 bytes in size */ if (hop->type == SPHINX_V0_PAYLOAD) return 65; /* Since this uses the bigsize serialization format for variable * length integer encodings we need to allocate enough space for * it. Values >= 0xfd are used to signal multi-byte serializations. */ if (size < 0xFD) vsize = 1; else vsize = 3; /* The hop must accomodate the hop_payload, as well as the varint * describing the length and HMAC. */ return vsize + size + HMAC_SIZE; } static size_t sphinx_path_payloads_size(const struct sphinx_path *path) { size_t size = 0; for (size_t i=0; ihops); i++) size += sphinx_hop_size(&path->hops[i]); return size; } void sphinx_add_raw_hop(struct sphinx_path *path, const struct pubkey *pubkey, enum sphinx_payload_type type, const u8 *payload) { struct sphinx_hop sp; sp.payload = payload; sp.type = type; sp.pubkey = *pubkey; tal_arr_expand(&path->hops, sp); assert(sphinx_path_payloads_size(path) <= ROUTING_INFO_SIZE); } void sphinx_add_v0_hop(struct sphinx_path *path, const struct pubkey *pubkey, const struct short_channel_id *scid, struct amount_msat forward, u32 outgoing_cltv) { const u8 padding[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; u8 *buf = tal_arr(path, u8, 0); towire_short_channel_id(&buf, scid); towire_u64(&buf, forward.millisatoshis); /* Raw: low-level serializer */ towire_u32(&buf, outgoing_cltv); towire(&buf, padding, ARRAY_SIZE(padding)); assert(tal_bytelen(buf) == 32); sphinx_add_raw_hop(path, pubkey, 0, buf); } /* Small helper to append data to a buffer and update the position * into the buffer */ static void write_buffer(u8 *dst, const void *src, const size_t len, int *pos) { memcpy(dst + *pos, src, len); *pos += len; } /* Read len bytes from the source at position pos into dst and update * the position pos accordingly. */ static void read_buffer(void *dst, const u8 *src, const size_t len, int *pos) { memcpy(dst, src + *pos, len); *pos += len; } u8 *serialize_onionpacket( const tal_t *ctx, const struct onionpacket *m) { u8 *dst = tal_arr(ctx, u8, TOTAL_PACKET_SIZE); u8 der[PUBKEY_CMPR_LEN]; int p = 0; pubkey_to_der(der, &m->ephemeralkey); write_buffer(dst, &m->version, 1, &p); write_buffer(dst, der, sizeof(der), &p); write_buffer(dst, m->routinginfo, ROUTING_INFO_SIZE, &p); write_buffer(dst, m->mac, sizeof(m->mac), &p); return dst; } struct onionpacket *parse_onionpacket(const tal_t *ctx, const void *src, const size_t srclen, enum onion_type *why_bad) { struct onionpacket *m; int p = 0; u8 rawEphemeralkey[PUBKEY_CMPR_LEN]; assert(srclen == TOTAL_PACKET_SIZE); m = talz(ctx, struct onionpacket); read_buffer(&m->version, src, 1, &p); if (m->version != 0x00) { // FIXME add logging *why_bad = WIRE_INVALID_ONION_VERSION; return tal_free(m); } read_buffer(rawEphemeralkey, src, sizeof(rawEphemeralkey), &p); if (!pubkey_from_der(rawEphemeralkey, sizeof(rawEphemeralkey), &m->ephemeralkey)) { *why_bad = WIRE_INVALID_ONION_KEY; return tal_free(m); } read_buffer(&m->routinginfo, src, ROUTING_INFO_SIZE, &p); read_buffer(&m->mac, src, HMAC_SIZE, &p); return m; } static void xorbytes(uint8_t *d, const uint8_t *a, const uint8_t *b, size_t len) { size_t i; for (i = 0; i < len; i++) d[i] = a[i] ^ b[i]; } /* * Generate a pseudo-random byte stream of length `dstlen` from key `k` and * store it in `dst`. `dst must be at least `dstlen` bytes long. */ static void generate_cipher_stream(void *dst, const u8 *k, size_t dstlen) { u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; crypto_stream_chacha20(dst, dstlen, nonce, k); } static bool compute_hmac( void *dst, const void *src, size_t len, const void *key, size_t keylen) { crypto_auth_hmacsha256_state state; crypto_auth_hmacsha256_init(&state, key, keylen); crypto_auth_hmacsha256_update(&state, memcheck(src, len), len); crypto_auth_hmacsha256_final(&state, dst); return true; } static void compute_packet_hmac(const struct onionpacket *packet, const u8 *assocdata, const size_t assocdatalen, u8 *mukey, u8 *hmac) { u8 mactemp[ROUTING_INFO_SIZE + assocdatalen]; u8 mac[32]; int pos = 0; write_buffer(mactemp, packet->routinginfo, ROUTING_INFO_SIZE, &pos); write_buffer(mactemp, assocdata, assocdatalen, &pos); compute_hmac(mac, mactemp, sizeof(mactemp), mukey, KEY_LEN); memcpy(hmac, mac, HMAC_SIZE); } static bool generate_key(void *k, const char *t, u8 tlen, const u8 *s) { return compute_hmac(k, s, KEY_LEN, t, tlen); } static bool generate_header_padding(void *dst, size_t dstlen, const struct sphinx_path *path, struct hop_params *params) { u8 stream[2 * ROUTING_INFO_SIZE]; u8 key[KEY_LEN]; size_t fillerStart, fillerEnd, fillerSize; memset(dst, 0, dstlen); for (int i = 0; i < tal_count(path->hops) - 1; i++) { if (!generate_key(&key, RHO_KEYTYPE, strlen(RHO_KEYTYPE), params[i].secret)) return false; generate_cipher_stream(stream, key, sizeof(stream)); /* Sum up how many bytes have been used by previous hops, * that gives us the start in the stream */ fillerSize = 0; for (int j = 0; j < i; j++) fillerSize += sphinx_hop_size(&path->hops[j]); fillerStart = ROUTING_INFO_SIZE - fillerSize; /* The filler will dangle off of the end by the current * hop-size, we'll make sure to copy it into the correct * position in the next step. */ fillerEnd = ROUTING_INFO_SIZE + sphinx_hop_size(&path->hops[i]); /* Apply the cipher-stream to the part of the filler that'll * be added by this hop */ xorbytes(dst, dst, stream + fillerStart, fillerEnd - fillerStart); } return true; } static void compute_blinding_factor(const struct pubkey *key, const u8 sharedsecret[SHARED_SECRET_SIZE], u8 res[BLINDING_FACTOR_SIZE]) { struct sha256_ctx ctx; u8 der[PUBKEY_CMPR_LEN]; struct sha256 temp; pubkey_to_der(der, key); sha256_init(&ctx); sha256_update(&ctx, der, sizeof(der)); sha256_update(&ctx, sharedsecret, SHARED_SECRET_SIZE); sha256_done(&ctx, &temp); memcpy(res, &temp, 32); } static bool blind_group_element(struct pubkey *blindedelement, const struct pubkey *pubkey, const u8 blind[BLINDING_FACTOR_SIZE]) { /* tweak_mul is inplace so copy first. */ if (pubkey != blindedelement) *blindedelement = *pubkey; if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx, &blindedelement->pubkey, blind) != 1) return false; return true; } static bool create_shared_secret(u8 *secret, const struct pubkey *pubkey, const struct secret *session_key) { if (secp256k1_ecdh(secp256k1_ctx, secret, &pubkey->pubkey, session_key->data, NULL, NULL) != 1) return false; return true; } bool onion_shared_secret( u8 *secret, const struct onionpacket *packet, const struct privkey *privkey) { return create_shared_secret(secret, &packet->ephemeralkey, &privkey->secret); } static void generate_key_set(const u8 secret[SHARED_SECRET_SIZE], struct keyset *keys) { generate_key(keys->rho, "rho", 3, secret); generate_key(keys->pi, "pi", 2, secret); generate_key(keys->mu, "mu", 2, secret); generate_key(keys->gamma, "gamma", 5, secret); } static struct hop_params *generate_hop_params( const tal_t *ctx, const u8 *sessionkey, struct sphinx_path *path) { int i, j, num_hops = tal_count(path->hops); struct pubkey temp; u8 blind[BLINDING_FACTOR_SIZE]; struct hop_params *params = tal_arr(ctx, struct hop_params, num_hops); /* Initialize the first hop with the raw information */ if (secp256k1_ec_pubkey_create(secp256k1_ctx, ¶ms[0].ephemeralkey.pubkey, path->session_key->data) != 1) return NULL; if (!create_shared_secret(params[0].secret, &path->hops[0].pubkey, path->session_key)) return NULL; compute_blinding_factor( ¶ms[0].ephemeralkey, params[0].secret, params[0].blind); /* Recursively compute all following ephemeral public keys, * secrets and blinding factors */ for (i = 1; i < num_hops; i++) { if (!blind_group_element( ¶ms[i].ephemeralkey, ¶ms[i - 1].ephemeralkey, params[i - 1].blind)) return NULL; /* Blind this hop's point with all previous blinding factors * Order is indifferent, multiplication is commutative. */ memcpy(&blind, sessionkey, 32); temp = path->hops[i].pubkey; if (!blind_group_element(&temp, &temp, blind)) return NULL; for (j = 0; j < i; j++) if (!blind_group_element( &temp, &temp, params[j].blind)) return NULL; /* Now hash temp and store it. This requires us to * DER-serialize first and then skip the sign byte. */ u8 der[PUBKEY_CMPR_LEN]; pubkey_to_der(der, &temp); struct sha256 h; sha256(&h, der, sizeof(der)); memcpy(¶ms[i].secret, &h, sizeof(h)); compute_blinding_factor( ¶ms[i].ephemeralkey, params[i].secret, params[i].blind); } return params; } static void deserialize_hop_data(struct hop_data *data, const u8 *src) { const u8 *cursor = src; size_t max = FRAME_SIZE; data->realm = fromwire_u8(&cursor, &max); fromwire_short_channel_id(&cursor, &max, &data->channel_id); data->amt_forward = fromwire_amount_msat(&cursor, &max); data->outgoing_cltv = fromwire_u32(&cursor, &max); } static bool sphinx_write_frame(u8 *dest, const struct sphinx_hop *hop) { size_t raw_size = tal_bytelen(hop->payload); size_t hop_size = sphinx_hop_size(hop); size_t padding_size; int pos = 0; #if !EXPERIMENTAL_FEATURES if (hop->type != SPHINX_V0_PAYLOAD) return false; #endif /* Backwards compatibility for the legacy hop_data format. */ if (hop->type == SPHINX_V0_PAYLOAD) dest[pos++] = 0x00; else pos += bigsize_put(dest+pos, raw_size); memcpy(dest + pos, hop->payload, raw_size); pos += raw_size; padding_size = hop_size - pos - HMAC_SIZE; memset(dest + pos, 0, padding_size); pos += padding_size; memcpy(dest + pos, hop->hmac, HMAC_SIZE); assert(pos + HMAC_SIZE == hop_size); return true; } static void sphinx_parse_payload(struct route_step *step, const u8 *src) { size_t hop_size, raw_size, vsize; #if !EXPERIMENTAL_FEATURES if (src[0] != 0x00) { step->type = SPHINX_INVALID_PAYLOAD; return; } #endif /* Legacy hop_data support */ if (src[0] == 0x00) { vsize = 1; raw_size = 32; hop_size = FRAME_SIZE; step->type = SPHINX_V0_PAYLOAD; } else { vsize = varint_get(src, 3, &raw_size); hop_size = raw_size + vsize + HMAC_SIZE; step->type = SPHINX_TLV_PAYLOAD; } /* Copy common pieces over */ step->raw_payload = tal_dup_arr(step, u8, src + vsize, raw_size, 0); memcpy(step->next->mac, src + hop_size - HMAC_SIZE, HMAC_SIZE); /* And now try to parse whatever the payload contains so we can use it * later. */ if (step->type == SPHINX_V0_PAYLOAD) deserialize_hop_data(&step->payload.v0, src); } struct onionpacket *create_onionpacket( const tal_t *ctx, struct sphinx_path *sp, struct secret **path_secrets ) { struct onionpacket *packet = talz(ctx, struct onionpacket); int i, num_hops = tal_count(sp->hops); size_t fillerSize = sphinx_path_payloads_size(sp) - sphinx_hop_size(&sp->hops[num_hops - 1]); u8 filler[fillerSize]; struct keyset keys; u8 nexthmac[HMAC_SIZE]; u8 stream[ROUTING_INFO_SIZE]; struct hop_params *params; struct secret *secrets = tal_arr(ctx, struct secret, num_hops); if (sp->session_key == NULL) { sp->session_key = tal(sp, struct secret); randombytes_buf(sp->session_key, sizeof(struct secret)); } params = generate_hop_params(ctx, sp->session_key->data, sp); if (!params) { tal_free(packet); tal_free(secrets); return NULL; } packet->version = 0; memset(nexthmac, 0, HMAC_SIZE); memset(packet->routinginfo, 0, ROUTING_INFO_SIZE); generate_header_padding(filler, sizeof(filler), sp, params); for (i = num_hops - 1; i >= 0; i--) { memcpy(sp->hops[i].hmac, nexthmac, HMAC_SIZE); generate_key_set(params[i].secret, &keys); generate_cipher_stream(stream, keys.rho, ROUTING_INFO_SIZE); /* Rightshift mix-header by FRAME_SIZE */ size_t shiftSize = sphinx_hop_size(&sp->hops[i]); memmove(packet->routinginfo + shiftSize, packet->routinginfo, ROUTING_INFO_SIZE-shiftSize); if (!sphinx_write_frame(packet->routinginfo, &sp->hops[i])) { tal_free(packet); tal_free(secrets); return NULL; } xorbytes(packet->routinginfo, packet->routinginfo, stream, ROUTING_INFO_SIZE); if (i == num_hops - 1) { memcpy(packet->routinginfo + ROUTING_INFO_SIZE - fillerSize, filler, fillerSize); } compute_packet_hmac(packet, sp->associated_data, tal_bytelen(sp->associated_data), keys.mu, nexthmac); } memcpy(packet->mac, nexthmac, sizeof(nexthmac)); memcpy(&packet->ephemeralkey, ¶ms[0].ephemeralkey, sizeof(secp256k1_pubkey)); for (i=0; inext = talz(step, struct onionpacket); step->next->version = msg->version; generate_key_set(shared_secret, &keys); compute_packet_hmac(msg, assocdata, assocdatalen, keys.mu, hmac); if (memcmp(msg->mac, hmac, sizeof(hmac)) != 0) { /* Computed MAC does not match expected MAC, the message was modified. */ return tal_free(step); } //FIXME:store seen secrets to avoid replay attacks generate_cipher_stream(stream, keys.rho, sizeof(stream)); memset(paddedheader, 0, sizeof(paddedheader)); memcpy(paddedheader, msg->routinginfo, ROUTING_INFO_SIZE); xorbytes(paddedheader, paddedheader, stream, sizeof(stream)); compute_blinding_factor(&msg->ephemeralkey, shared_secret, blind); if (!blind_group_element(&step->next->ephemeralkey, &msg->ephemeralkey, blind)) return tal_free(step); sphinx_parse_payload(step, paddedheader); /* Extract how many bytes we need to shift away */ if (paddedheader[0] == 0x00) { shift_size = FRAME_SIZE; } else { /* In addition to the raw payload we need to also shift the * length encoding itself and the HMAC away. */ vsize = bigsize_get(paddedheader, 3, &shift_size); shift_size += vsize + HMAC_SIZE; /* If we get an unreasonable shift size we must return an error. */ if (shift_size >= ROUTING_INFO_SIZE) return tal_free(step); } step->raw_payload = tal_dup_arr(step, u8, paddedheader + 1, shift_size - 1 - HMAC_SIZE, 0); /* Copy the hmac from the last HMAC_SIZE bytes */ memcpy(&step->next->mac, paddedheader + shift_size - HMAC_SIZE, HMAC_SIZE); /* Left shift the current payload out and make the remainder the new onion */ memcpy(&step->next->routinginfo, paddedheader + shift_size, ROUTING_INFO_SIZE); if (memeqzero(step->next->mac, sizeof(step->next->mac))) { step->nextcase = ONION_END; } else { step->nextcase = ONION_FORWARD; } return step; } u8 *create_onionreply(const tal_t *ctx, const struct secret *shared_secret, const u8 *failure_msg) { size_t msglen = tal_count(failure_msg); size_t padlen = ONION_REPLY_SIZE - msglen; u8 *reply = tal_arr(ctx, u8, 0), *payload = tal_arr(ctx, u8, 0); u8 key[KEY_LEN]; u8 hmac[HMAC_SIZE]; /* BOLT #4: * * The node generating the error message (_erring node_) builds a return * packet consisting of * the following fields: * * 1. data: * * [`32*byte`:`hmac`] * * [`u16`:`failure_len`] * * [`failure_len*byte`:`failuremsg`] * * [`u16`:`pad_len`] * * [`pad_len*byte`:`pad`] */ towire_u16(&payload, msglen); towire(&payload, failure_msg, msglen); towire_u16(&payload, padlen); towire_pad(&payload, padlen); /* BOLT #4: * * The _erring node_: * - SHOULD set `pad` such that the `failure_len` plus `pad_len` is * equal to 256. * - Note: this value is 118 bytes longer than the longest * currently-defined message. */ assert(tal_count(payload) == ONION_REPLY_SIZE + 4); /* BOLT #4: * * Where `hmac` is an HMAC authenticating the remainder of the packet, * with a key generated using the above process, with key type `um` */ generate_key(key, "um", 2, shared_secret->data); compute_hmac(hmac, payload, tal_count(payload), key, KEY_LEN); towire(&reply, hmac, sizeof(hmac)); towire(&reply, payload, tal_count(payload)); tal_free(payload); return reply; } u8 *wrap_onionreply(const tal_t *ctx, const struct secret *shared_secret, const u8 *reply) { u8 key[KEY_LEN]; size_t streamlen = tal_count(reply); u8 stream[streamlen]; u8 *result = tal_arr(ctx, u8, streamlen); /* BOLT #4: * * The erring node then generates a new key, using the key type `ammag`. * This key is then used to generate a pseudo-random stream, which is * in turn applied to the packet using `XOR`. * * The obfuscation step is repeated by every hop along the return path. */ generate_key(key, "ammag", 5, shared_secret->data); generate_cipher_stream(stream, key, streamlen); xorbytes(result, stream, reply, streamlen); return result; } struct onionreply *unwrap_onionreply(const tal_t *ctx, const struct secret *shared_secrets, const int numhops, const u8 *reply) { struct onionreply *oreply = tal(tmpctx, struct onionreply); u8 *msg = tal_arr(oreply, u8, tal_count(reply)); u8 key[KEY_LEN], hmac[HMAC_SIZE]; const u8 *cursor; size_t max; u16 msglen; if (tal_count(reply) != ONION_REPLY_SIZE + sizeof(hmac) + 4) { return NULL; } memcpy(msg, reply, tal_count(reply)); oreply->origin_index = -1; for (int i = 0; i < numhops; i++) { /* Since the encryption is just XORing with the cipher * stream encryption is identical to decryption */ msg = wrap_onionreply(tmpctx, &shared_secrets[i], msg); /* Check if the HMAC matches, this means that this is * the origin */ generate_key(key, "um", 2, shared_secrets[i].data); compute_hmac(hmac, msg + sizeof(hmac), tal_count(msg) - sizeof(hmac), key, KEY_LEN); if (memcmp(hmac, msg, sizeof(hmac)) == 0) { oreply->origin_index = i; break; } } if (oreply->origin_index == -1) { return NULL; } cursor = msg + sizeof(hmac); max = tal_count(msg) - sizeof(hmac); msglen = fromwire_u16(&cursor, &max); if (msglen > ONION_REPLY_SIZE) { return NULL; } oreply->msg = tal_arr(oreply, u8, msglen); fromwire(&cursor, &max, oreply->msg, msglen); tal_steal(ctx, oreply); return oreply; }