WIP

Author: thomash-acinq

eclair-core/src/main/scala/fr/acinq/eclair/crypto/Sphinx.scala

@@ -26,7 +26,7 @@ import scodec.bits.ByteVector
 import scodec.codecs.uint32
 
 import scala.annotation.tailrec
-import scala.concurrent.duration.FiniteDuration
+import scala.concurrent.duration.{DurationLong, FiniteDuration}
 import scala.util.{Failure, Success, Try}
 
 /**
@@ -284,6 +284,10 @@ object Sphinx extends Logging {
    */
   case class CannotDecryptFailurePacket(unwrapped: ByteVector)
 
+  case class HoldTime(duration: FiniteDuration, remoteNodeId: PublicKey)
+
+  case class HtlcFailure(holdTimes: Seq[HoldTime], failure: Either[CannotDecryptFailurePacket, DecryptedFailurePacket])
+
   object FailurePacket {
 
     /**
@@ -336,41 +340,64 @@ object Sphinx extends Logging {
      * @return failure message if the origin of the packet could be identified and the packet decrypted, the unwrapped
      *         failure packet otherwise.
      */
-    @tailrec
-    def decrypt(packet: ByteVector, sharedSecrets: Seq[SharedSecret]): Either[CannotDecryptFailurePacket, DecryptedFailurePacket] = {
+    def decrypt(packet: ByteVector, attribution_opt: Option[ByteVector], sharedSecrets: Seq[SharedSecret], hopIndex: Int = 0): HtlcFailure = {
       sharedSecrets match {
-        case Nil => Left(CannotDecryptFailurePacket(packet))
+        case Nil => HtlcFailure(Nil, Left(CannotDecryptFailurePacket(packet)))
         case ss :: tail =>
           val packet1 = wrap(packet, ss.secret)
+          val next_opt = attribution_opt.flatMap(Attribution.unwrap(_, packet1, ss.secret, hopIndex))
           val um = generateKey("um", ss.secret)
-          FailureMessageCodecs.failureOnionCodec(Hmac256(um)).decode(packet1.toBitVector) match {
-            case Attempt.Successful(value) => Right(DecryptedFailurePacket(ss.remoteNodeId, value.value))
-            case _ => decrypt(packet1, tail)
+          val HtlcFailure(holdTimes, failure) = FailureMessageCodecs.failureOnionCodec(Hmac256(um)).decode(packet1.toBitVector) match {
+            case Attempt.Successful(value) => HtlcFailure(Nil, Right(DecryptedFailurePacket(ss.remoteNodeId, value.value)))
+            case _ => decrypt(packet1, next_opt.map(_._2), tail, hopIndex + 1)
           }
+          HtlcFailure(next_opt.map(n => HoldTime(n._1, ss.remoteNodeId) +: holdTimes).getOrElse(Nil), failure)
       }
     }
 
-    def attribution(previousAttribution_opt: Option[ByteVector], reason: ByteVector, holdTime: FiniteDuration, sharedSecret: ByteVector32): ByteVector = {
-      val previousAttribution = previousAttribution_opt.getOrElse(ByteVector.low(920))
-      val previousHmacs = (0 until 19).map(i => (1 until (20 - i)).map(j => {
-        val start = 80 + (20 * i - (i * (i - 1)) / 2 + j) * 4
-        previousAttribution.slice(start, start + 4)
-      }))
-      val mac = Hmac256(generateKey("um", sharedSecret))
-      val holdTimes = uint32.encode(holdTime.toMillis).require.bytes ++ previousAttribution.take(19 * 4)
-      val hmacs = computeHmacs(mac, reason, holdTimes, previousHmacs) +: previousHmacs
-      val key = generateKey("ammagext", sharedSecret)
-      val stream = generateStream(key, 920)
-      (holdTimes ++ ByteVector.concat(hmacs.map(ByteVector.concat(_)))) xor stream
-    }
+    object Attribution {
+      private def cipher(bytes: ByteVector, sharedSecret: ByteVector32): ByteVector = {
+        val key = generateKey("ammagext", sharedSecret)
+        val stream = generateStream(key, 920)
+        bytes xor stream
+      }
+
+      private def getHmacs(bytes: ByteVector): Seq[Seq[ByteVector]] =
+        (0 until 20).map(i => (0 until (20 - i)).map(j => {
+          val start = (20 + 20 * i - (i * (i - 1)) / 2 + j) * 4
+          bytes.slice(start, start + 4)
+        }))
+
+      private def computeHmacs(mac: Mac32, reason: ByteVector, holdTimes: ByteVector, hmacs: Seq[Seq[ByteVector]], minNumHop: Int): Seq[ByteVector] = {
+        (minNumHop until 20).map(i => {
+          val y = 20 - i
+          mac.mac(reason ++
+            holdTimes.take(y * 4) ++
+            ByteVector.concat((0 until y - 1).map(j => hmacs(j)(i)))).bytes.take(4)
+        })
+      }
+
+      def create(previousAttribution_opt: Option[ByteVector], reason: ByteVector, holdTime: FiniteDuration, sharedSecret: ByteVector32): ByteVector = {
+        val previousAttribution = previousAttribution_opt.getOrElse(ByteVector.low(920))
+        val previousHmacs = getHmacs(previousAttribution).dropRight(1).map(_.drop(1))
+        val mac = Hmac256(generateKey("um", sharedSecret))
+        val holdTimes = uint32.encode(holdTime.toMillis).require.bytes ++ previousAttribution.take(19 * 4)
+        val hmacs = computeHmacs(mac, reason, holdTimes, previousHmacs, 0) +: previousHmacs
+        cipher(holdTimes ++ ByteVector.concat(hmacs.map(ByteVector.concat(_))), sharedSecret)
+      }
 
-    private def computeHmacs(mac: Mac32, reason: ByteVector, holdTimes: ByteVector, hmacs: Seq[Seq[ByteVector]]): Seq[ByteVector] = {
-      (0 until 20).map(i => {
-        val y = 20 - i
-        mac.mac(reason ++
-          holdTimes.take(y * 4) ++
-          ByteVector.concat((0 until y - 1).map(j => hmacs(j)(i)))).bytes.take(4)
-      })
+      def unwrap(encrypted: ByteVector, reason: ByteVector, sharedSecret: ByteVector32, minNumHop: Int): Option[(FiniteDuration, ByteVector)] = {
+        val bytes = cipher(encrypted, sharedSecret)
+        val holdTime = uint32.decode(bytes.take(4).bits).require.value.milliseconds
+        val hmacs = getHmacs(bytes)
+        val mac = Hmac256(generateKey("um", sharedSecret))
+        if (computeHmacs(mac, reason, bytes.take(20 * 4), hmacs.drop(1), minNumHop) == hmacs.head.drop(minNumHop)) {
+          val unwraped = bytes.slice(4, 20 * 4) ++ ByteVector.low(4) ++ ByteVector.concat((hmacs.drop(1) :+ Seq()).map(s => ByteVector.low(4) ++ ByteVector.concat(s)))
+          Some(holdTime, unwraped)
+        } else {
+          None
+        }
+      }
     }
   }
 

eclair-core/src/main/scala/fr/acinq/eclair/db/PaymentsDb.scala

@@ -250,7 +250,7 @@ object FailureSummary {
   def apply(f: PaymentFailure): FailureSummary = f match {
     case LocalFailure(_, route, t) => FailureSummary(FailureType.LOCAL, t.getMessage, route.map(h => HopSummary(h)).toList, route.headOption.map(_.nodeId))
     case RemoteFailure(_, route, e) => FailureSummary(FailureType.REMOTE, e.failureMessage.message, route.map(h => HopSummary(h)).toList, Some(e.originNode))
-    case UnreadableRemoteFailure(_, route, _) => FailureSummary(FailureType.UNREADABLE_REMOTE, "could not decrypt failure onion", route.map(h => HopSummary(h)).toList, None)
+    case UnreadableRemoteFailure(_, route, _, _) => FailureSummary(FailureType.UNREADABLE_REMOTE, "could not decrypt failure onion", route.map(h => HopSummary(h)).toList, None)
   }
 }
 

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentEvents.scala

@@ -19,6 +19,7 @@ package fr.acinq.eclair.payment
 import fr.acinq.bitcoin.scalacompat.ByteVector32
 import fr.acinq.bitcoin.scalacompat.Crypto.PublicKey
 import fr.acinq.eclair.crypto.Sphinx
+import fr.acinq.eclair.crypto.Sphinx.HoldTime
 import fr.acinq.eclair.payment.Invoice.ExtraEdge
 import fr.acinq.eclair.payment.send.PaymentError.RetryExhausted
 import fr.acinq.eclair.payment.send.PaymentInitiator.SendPaymentConfig
@@ -150,7 +151,7 @@ case class LocalFailure(amount: MilliSatoshi, route: Seq[Hop], t: Throwable) ext
 case class RemoteFailure(amount: MilliSatoshi, route: Seq[Hop], e: Sphinx.DecryptedFailurePacket) extends PaymentFailure
 
 /** A remote node failed the payment but we couldn't decrypt the failure (e.g. a malicious node tampered with the message). */
-case class UnreadableRemoteFailure(amount: MilliSatoshi, route: Seq[Hop], failurePacket: ByteVector) extends PaymentFailure
+case class UnreadableRemoteFailure(amount: MilliSatoshi, route: Seq[Hop], failurePacket: ByteVector, holdTimes: Seq[HoldTime]) extends PaymentFailure
 
 object PaymentFailure {
 
@@ -235,13 +236,14 @@ object PaymentFailure {
       }
     case RemoteFailure(_, hops, Sphinx.DecryptedFailurePacket(nodeId, _)) =>
       ignoreNodeOutgoingEdge(nodeId, hops, ignore)
-    case UnreadableRemoteFailure(_, hops, _) =>
+    case UnreadableRemoteFailure(_, hops, _, holdTimes) => // TODO
       // We don't know which node is sending garbage, let's blacklist all nodes except:
+      //  - the nodes that returned attribution data (except the last one)
       //  - the one we are directly connected to: it would be too restrictive for retries
       //  - the final recipient: they have no incentive to send garbage since they want that payment
       //  - the introduction point of a blinded route: we don't want a node before the blinded path to force us to ignore that blinded path
       //  - the trampoline node: we don't want a node before the trampoline node to force us to ignore that trampoline node
-      val blacklist = hops.collect { case hop: ChannelHop => hop }.map(_.nextNodeId).drop(1).dropRight(1).toSet
+      val blacklist = hops.collect { case hop: ChannelHop => hop }.map(_.nextNodeId).drop(1 max (holdTimes.length - 1)).dropRight(1).toSet
       ignore ++ blacklist
     case LocalFailure(_, hops, _) => hops.headOption match {
       case Some(hop: ChannelHop) =>

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala

@@ -351,15 +351,15 @@ object OutgoingPaymentPacket {
       reason match {
         case FailureReason.EncryptedDownstreamFailure(packet, attribution) =>
           val tlvs: TlvStream[UpdateFailHtlcTlv] = if (useAttributableFailures) {
-            TlvStream(UpdateFailHtlcTlv.AttributionData(Sphinx.FailurePacket.attribution(attribution, packet, holdTime, sharedSecret)))
+            TlvStream(UpdateFailHtlcTlv.AttributionData(Sphinx.FailurePacket.Attribution.create(attribution, packet, holdTime, sharedSecret)))
           } else {
             TlvStream.empty
           }
           (Sphinx.FailurePacket.wrap(packet, sharedSecret), tlvs)
         case FailureReason.LocalFailure(failure) =>
           val packet = Sphinx.FailurePacket.create(sharedSecret, failure)
           val tlvs: TlvStream[UpdateFailHtlcTlv] = if (useAttributableFailures) {
-            TlvStream(UpdateFailHtlcTlv.AttributionData(Sphinx.FailurePacket.attribution(None, packet, holdTime, sharedSecret)))
+            TlvStream(UpdateFailHtlcTlv.AttributionData(Sphinx.FailurePacket.Attribution.create(None, packet, holdTime, sharedSecret)))
           } else {
             TlvStream.empty
           }

eclair-core/src/main/scala/fr/acinq/eclair/payment/relay/OnTheFlyFunding.scala

@@ -107,7 +107,7 @@ object OnTheFlyFunding {
             case f: FailureReason.EncryptedDownstreamFailure =>
               // In the trampoline case, we currently ignore downstream failures: we should add dedicated failures to
               // the BOLTs to better handle those cases.
-              Sphinx.FailurePacket.decrypt(f.packet, onionSharedSecrets) match {
+              Sphinx.FailurePacket.decrypt(f.packet, f.attribution_opt, onionSharedSecrets).failure match {
                 case Left(Sphinx.CannotDecryptFailurePacket(_)) =>
                   log.warning("couldn't decrypt downstream on-the-fly funding failure")
                 case Right(f) =>

eclair-core/src/main/scala/fr/acinq/eclair/payment/send/PaymentLifecycle.scala

@@ -164,12 +164,13 @@ class PaymentLifecycle(nodeParams: NodeParams, cfg: SendPaymentConfig, router: A
 
   private def handleRemoteFail(d: WaitingForComplete, fail: UpdateFailHtlc) = {
     import d._
-    ((Sphinx.FailurePacket.decrypt(fail.reason, sharedSecrets) match {
+    val htlcFailure = Sphinx.FailurePacket.decrypt(fail.reason, fail.attribution_opt, sharedSecrets)
+    ((htlcFailure.failure match {
       case success@Right(e) =>
         Metrics.PaymentError.withTag(Tags.Failure, Tags.FailureType(RemoteFailure(request.amount, Nil, e))).increment()
         success
       case failure@Left(e) =>
-        Metrics.PaymentError.withTag(Tags.Failure, Tags.FailureType(UnreadableRemoteFailure(request.amount, Nil, e.unwrapped))).increment()
+        Metrics.PaymentError.withTag(Tags.Failure, Tags.FailureType(UnreadableRemoteFailure(request.amount, Nil, e.unwrapped, htlcFailure.holdTimes))).increment()
         failure
     }) match {
       case res@Right(Sphinx.DecryptedFailurePacket(nodeId, failureMessage)) =>
@@ -217,13 +218,13 @@ class PaymentLifecycle(nodeParams: NodeParams, cfg: SendPaymentConfig, router: A
             RemoteFailure(request.amount, route.fullRoute, e)
           case Left(Sphinx.CannotDecryptFailurePacket(unwrapped)) =>
             log.warning(s"cannot parse returned error ${fail.reason.toHex} with sharedSecrets=$sharedSecrets: unwrapped=$unwrapped")
-            UnreadableRemoteFailure(request.amount, route.fullRoute, unwrapped)
+            UnreadableRemoteFailure(request.amount, route.fullRoute, unwrapped, htlcFailure.holdTimes)
         }
         log.warning(s"too many failed attempts, failing the payment")
         myStop(request, Left(PaymentFailed(id, paymentHash, failures :+ failure)))
       case Left(Sphinx.CannotDecryptFailurePacket(unwrapped)) =>
         log.warning(s"cannot parse returned error: unwrapped=$unwrapped, route=${route.printNodes()}")
-        val failure = UnreadableRemoteFailure(request.amount, route.fullRoute, unwrapped)
+        val failure = UnreadableRemoteFailure(request.amount, route.fullRoute, unwrapped, htlcFailure.holdTimes)
         retry(failure, d)
       case Right(e@Sphinx.DecryptedFailurePacket(nodeId, failureMessage: Node)) =>
         log.info(s"received 'Node' type error message from nodeId=$nodeId, trying to route around it (failure=$failureMessage)")