Comments

Author: thomash-acinq

eclair-core/src/main/scala/fr/acinq/eclair/channel/ChannelData.scala

@@ -215,7 +215,7 @@ final case class CMD_ADD_HTLC(replyTo: ActorRef,
 
 sealed trait HtlcSettlementCommand extends HasOptionalReplyToCommand with ForbiddenCommandDuringQuiescenceNegotiation with ForbiddenCommandWhenQuiescent { def id: Long }
 final case class CMD_FULFILL_HTLC(id: Long, r: ByteVector32, commit: Boolean = false, replyTo_opt: Option[ActorRef] = None) extends HtlcSettlementCommand
-final case class CMD_FAIL_HTLC(id: Long, reason: FailureReason, startHoldTime: TimestampMilli, delay_opt: Option[FiniteDuration] = None, commit: Boolean = false, replyTo_opt: Option[ActorRef] = None) extends HtlcSettlementCommand
+final case class CMD_FAIL_HTLC(id: Long, reason: FailureReason, htlcReceivedAt_opt: Option[TimestampMilli], delay_opt: Option[FiniteDuration] = None, commit: Boolean = false, replyTo_opt: Option[ActorRef] = None) extends HtlcSettlementCommand
 final case class CMD_FAIL_MALFORMED_HTLC(id: Long, onionHash: ByteVector32, failureCode: Int, commit: Boolean = false, replyTo_opt: Option[ActorRef] = None) extends HtlcSettlementCommand
 final case class CMD_UPDATE_FEE(feeratePerKw: FeeratePerKw, commit: Boolean = false, replyTo_opt: Option[ActorRef] = None) extends HasOptionalReplyToCommand with ForbiddenCommandDuringQuiescenceNegotiation with ForbiddenCommandWhenQuiescent
 final case class CMD_SIGN(replyTo_opt: Option[ActorRef] = None) extends HasOptionalReplyToCommand with ForbiddenCommandWhenQuiescent

eclair-core/src/main/scala/fr/acinq/eclair/channel/fsm/Channel.scala

@@ -668,7 +668,7 @@ class Channel(val nodeParams: NodeParams, val channelKeys: ChannelKeys, val wall
             case PostRevocationAction.RejectHtlc(add) =>
               log.debug("rejecting incoming htlc {}", add)
               // NB: we don't set commit = true, we will sign all updates at once afterwards.
-              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(TemporaryChannelFailure(Some(d.channelUpdate))), TimestampMilli.now(), commit = true)
+              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(TemporaryChannelFailure(Some(d.channelUpdate))), Some(TimestampMilli.now()), commit = true)
             case PostRevocationAction.RelayFailure(result) =>
               log.debug("forwarding {} to relayer", result)
               relayer ! result
@@ -1617,11 +1617,11 @@ class Channel(val nodeParams: NodeParams, val channelKeys: ChannelKeys, val wall
             case PostRevocationAction.RelayHtlc(add) =>
               // BOLT 2: A sending node SHOULD fail to route any HTLC added after it sent shutdown.
               log.debug("closing in progress: failing {}", add)
-              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(PermanentChannelFailure()), TimestampMilli.now(), commit = true)
+              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(PermanentChannelFailure()), Some(TimestampMilli.now()), commit = true)
             case PostRevocationAction.RejectHtlc(add) =>
               // BOLT 2: A sending node SHOULD fail to route any HTLC added after it sent shutdown.
               log.debug("closing in progress: rejecting {}", add)
-              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(PermanentChannelFailure()), TimestampMilli.now(), commit = true)
+              self ! CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(PermanentChannelFailure()), Some(TimestampMilli.now()), commit = true)
             case PostRevocationAction.RelayFailure(result) =>
               log.debug("forwarding {} to relayer", result)
               relayer ! result

eclair-core/src/main/scala/fr/acinq/eclair/crypto/Sphinx.scala

@@ -291,21 +291,14 @@ object Sphinx extends Logging {
   object FailurePacket {
 
     /**
-     * Create a failure packet that will be returned to the sender.
+     * Create a failure packet that needs to be wrapped before being returned to the sender.
      * Each intermediate hop will add a layer of encryption and forward to the previous hop.
      * Note that malicious intermediate hops may drop the packet or alter it (which breaks the mac).
      *
      * @param sharedSecret destination node's shared secret that was computed when the original onion for the HTLC
      *                     was created or forwarded: see OnionPacket.create() and OnionPacket.wrap().
      * @param failure      failure message.
-     * @return a failure packet that can be sent to the destination node.
-     */
-    def createAndWrap(sharedSecret: ByteVector32, failure: FailureMessage): ByteVector = {
-      wrap(create(sharedSecret, failure), sharedSecret)
-    }
-
-    /**
-     * Create a failure packet that needs to be wrapped before being returned to the sender.
+     * @return a failure packet that still needs to be wrapped before being sent to the destination node.
      */
     def create(sharedSecret: ByteVector32, failure: FailureMessage): ByteVector = {
       val um = generateKey("um", sharedSecret)
@@ -348,44 +341,74 @@ object Sphinx extends Logging {
           val packet1 = wrap(packet, ss.secret)
           val attribution1_opt = attribution_opt.flatMap(Attribution.unwrap(_, packet1, ss.secret, hopIndex))
           val um = generateKey("um", ss.secret)
-          val HtlcFailure(holdTimes, failure) = FailureMessageCodecs.failureOnionCodec(Hmac256(um)).decode(packet1.toBitVector) match {
+          val HtlcFailure(downstreamHoldTimes, failure) = FailureMessageCodecs.failureOnionCodec(Hmac256(um)).decode(packet1.toBitVector) match {
             case Attempt.Successful(value) => HtlcFailure(Nil, Right(DecryptedFailurePacket(ss.remoteNodeId, value.value)))
             case _ => decrypt(packet1, attribution1_opt.map(_._2), tail, hopIndex + 1)
           }
-          HtlcFailure(attribution1_opt.map(n => HoldTime(n._1, ss.remoteNodeId) +: holdTimes).getOrElse(Nil), failure)
+          HtlcFailure(attribution1_opt.map(n => HoldTime(n._1, ss.remoteNodeId) +: downstreamHoldTimes).getOrElse(Nil), failure)
       }
     }
 
+    /**
+     * Attribution data is added to the failure packet and prevents a node from evading responsibility for its failures.
+     * Nodes that relay attribution data can prove that they are not the erring node and in case the erring node tries
+     * to hide, there will only be at most two nodes that can be the erring node (the last one to send attribution data
+     * and the one after it).
+     * It also adds timing data for each node on the path.
+     * https://github.com/lightning/bolts/pull/1044
+     */
     object Attribution {
+      val maxNumHops = 20
+      val holdTimeLength = 4
+      val hmacLength = 4 // HMACs are truncated to 4 bytes to save space
+      val totalLength = maxNumHops * holdTimeLength + maxNumHops * (maxNumHops + 1) / 2 * hmacLength // = 920
+
       private def cipher(bytes: ByteVector, sharedSecret: ByteVector32): ByteVector = {
         val key = generateKey("ammagext", sharedSecret)
-        val stream = generateStream(key, 920)
+        val stream = generateStream(key, totalLength)
         bytes xor stream
       }
 
+      /**
+       * Get the HMACs from the attribution data.
+       * The layout of the attribution data is as follows (using maxNumHops = 3 for conciseness):
+       * holdTime(0) ++ holdTime(1) ++ holdTime(2) ++
+       * hmacs(0)(0) ++ hmacs(0)(1) ++ hmacs(0)(2) ++
+       * hmacs(1)(0) ++ hmacs(1)(1) ++
+       * hmacs(2)(0)
+       *
+       * Where `hmac(i)(j)` is the hmac added by node `i` (counted from the node that built the attribution data),
+       * assuming it is `maxNumHops - 1 - i - j` hops away from the erring node.
+       */
       private def getHmacs(bytes: ByteVector): Seq[Seq[ByteVector]] =
-        (0 until 20).map(i => (0 until (20 - i)).map(j => {
-          val start = (20 + 20 * i - (i * (i - 1)) / 2 + j) * 4
-          bytes.slice(start, start + 4)
+        (0 until maxNumHops).map(i => (0 until (maxNumHops - i)).map(j => {
+          val start = maxNumHops * holdTimeLength + (maxNumHops * i - (i * (i - 1)) / 2 + j) * hmacLength
+          bytes.slice(start, start + hmacLength)
         }))
 
+      /**
+       * Computes the HMACs for the node that is `minNumHop` hops away from us. Hence we only compute `maxNumHops - minNumHop` HMACs.
+       * HMACs are truncated to 4 bytes to save space. An attacker has only one try to guess the HMAC so 4 bytes should be enough.
+       */
       private def computeHmacs(mac: Mac32, reason: ByteVector, holdTimes: ByteVector, hmacs: Seq[Seq[ByteVector]], minNumHop: Int): Seq[ByteVector] = {
-        (minNumHop until 20).map(i => {
-          val y = 20 - i
+        (minNumHop until maxNumHops).map(i => {
+          val y = maxNumHops - i
           mac.mac(reason ++
-            holdTimes.take(y * 4) ++
-            ByteVector.concat((0 until y - 1).map(j => hmacs(j)(i)))).bytes.take(4)
+            holdTimes.take(y * holdTimeLength) ++
+            ByteVector.concat((0 until y - 1).map(j => hmacs(j)(i)))).bytes.take(hmacLength)
         })
       }
 
       /**
        * Create attribution data to send with the failure packet
+       *
+       * @param reason the failure packet before being wrapped
        */
       def create(previousAttribution_opt: Option[ByteVector], reason: ByteVector, holdTime: FiniteDuration, sharedSecret: ByteVector32): ByteVector = {
-        val previousAttribution = previousAttribution_opt.getOrElse(ByteVector.low(920))
+        val previousAttribution = previousAttribution_opt.getOrElse(ByteVector.low(totalLength))
         val previousHmacs = getHmacs(previousAttribution).dropRight(1).map(_.drop(1))
         val mac = Hmac256(generateKey("um", sharedSecret))
-        val holdTimes = uint32.encode(holdTime.toMillis).map(_.bytes).getOrElse(ByteVector.high(4)) ++ previousAttribution.take(19 * 4)
+        val holdTimes = uint32.encode(holdTime.toMillis).require.bytes ++ previousAttribution.take((maxNumHops - 1) * holdTimeLength)
         val hmacs = computeHmacs(mac, reason, holdTimes, previousHmacs, 0) +: previousHmacs
         cipher(holdTimes ++ ByteVector.concat(hmacs.map(ByteVector.concat(_))), sharedSecret)
       }
@@ -396,12 +419,12 @@ object Sphinx extends Logging {
        */
       def unwrap(encrypted: ByteVector, reason: ByteVector, sharedSecret: ByteVector32, minNumHop: Int): Option[(FiniteDuration, ByteVector)] = {
         val bytes = cipher(encrypted, sharedSecret)
-        val holdTime = uint32.decode(bytes.take(4).bits).require.value.milliseconds
+        val holdTime = uint32.decode(bytes.take(holdTimeLength).bits).require.value.milliseconds
         val hmacs = getHmacs(bytes)
         val mac = Hmac256(generateKey("um", sharedSecret))
-        if (computeHmacs(mac, reason, bytes.take(20 * 4), hmacs.drop(1), minNumHop) == hmacs.head.drop(minNumHop)) {
-          val unwraped = bytes.slice(4, 20 * 4) ++ ByteVector.low(4) ++ ByteVector.concat((hmacs.drop(1) :+ Seq()).map(s => ByteVector.low(4) ++ ByteVector.concat(s)))
-          Some(holdTime, unwraped)
+        if (computeHmacs(mac, reason, bytes.take(maxNumHops * holdTimeLength), hmacs.drop(1), minNumHop) == hmacs.head.drop(minNumHop)) {
+          val unwrapped = bytes.slice(holdTimeLength, maxNumHops * holdTimeLength) ++ ByteVector.low(holdTimeLength) ++ ByteVector.concat((hmacs.drop(1) :+ Seq()).map(s => ByteVector.low(hmacLength) ++ ByteVector.concat(s)))
+          Some(holdTime, unwrapped)
         } else {
           None
         }

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala

@@ -29,7 +29,7 @@ import fr.acinq.eclair.{CltvExpiry, CltvExpiryDelta, Feature, Features, MilliSat
 import scodec.bits.ByteVector
 import scodec.{Attempt, DecodeResult}
 
-import scala.concurrent.duration.FiniteDuration
+import scala.concurrent.duration.{DurationInt, FiniteDuration}
 import scala.util.{Failure, Success}
 
 /**
@@ -381,7 +381,8 @@ object OutgoingPaymentPacket {
         val failure = InvalidOnionBlinding(Sphinx.hash(add.onionRoutingPacket))
         Right(UpdateFailMalformedHtlc(add.channelId, add.id, failure.onionHash, failure.code))
       case None =>
-        val holdTime = now - cmd.startHoldTime
+        // If the htlcReceivedAt was lost (because the node restarted), we use a hold time of 0 which should be ignored by the payer.
+        val holdTime = cmd.htlcReceivedAt_opt.map(now - _).getOrElse(0 millisecond)
         buildHtlcFailure(nodeSecret, useAttributableFailures, cmd.reason, add, holdTime).map {
           case (encryptedReason, tlvs) => UpdateFailHtlc(add.channelId, cmd.id, encryptedReason, tlvs)
         }

eclair-core/src/main/scala/fr/acinq/eclair/payment/receive/MultiPartHandler.scala

@@ -119,7 +119,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
               ctx.self ! ProcessPacket(add, payload, Some(IncomingStandardPayment(invoice, paymentPreimage, PaymentType.KeySend, TimestampMilli.now(), IncomingPaymentStatus.Pending)))
             case _ =>
               Metrics.PaymentFailed.withTag(Tags.Direction, Tags.Directions.Received).withTag(Tags.Failure, "InvoiceNotFound").increment()
-              val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), TimestampMilli.now(), commit = true)
+              val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), Some(TimestampMilli.now()), commit = true)
               PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, add.channelId, cmdFail)
           }
         }
@@ -145,7 +145,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
 
     case RejectPacket(add, failure) if doHandle(add.paymentHash) =>
       Metrics.PaymentFailed.withTag(Tags.Direction, Tags.Directions.Received).withTag(Tags.Failure, failure.getClass.getSimpleName).increment()
-      val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(failure), TimestampMilli.now(), commit = true)
+      val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(failure), Some(TimestampMilli.now()), commit = true)
       PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, add.channelId, cmdFail)
 
     case MultiPartPaymentFSM.MultiPartPaymentFailed(paymentHash, failure, parts) if doHandle(paymentHash) =>
@@ -154,7 +154,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
         log.warning("payment with paidAmount={} failed ({})", parts.map(_.amount).sum, failure)
         pendingPayments.get(paymentHash).foreach { case (_, handler: ActorRef) => handler ! PoisonPill }
         parts.collect {
-          case p: MultiPartPaymentFSM.HtlcPart => PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(failure), p.startTime, commit = true))
+          case p: MultiPartPaymentFSM.HtlcPart => PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(failure), Some(p.receivedAt), commit = true))
         }
         pendingPayments = pendingPayments - paymentHash
       }
@@ -174,7 +174,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
       Logs.withMdc(log)(Logs.mdc(paymentHash_opt = Some(paymentHash))) {
         failure match {
           case Some(failure) => p match {
-            case p: MultiPartPaymentFSM.HtlcPart => PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(failure), p.startTime, commit = true))
+            case p: MultiPartPaymentFSM.HtlcPart => PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(failure), Some(p.receivedAt), commit = true))
             case _: MultiPartPaymentFSM.RecipientBlindedPathFeePart => ()
           }
           case None => p match {
@@ -186,7 +186,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
                 PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, CMD_FULFILL_HTLC(p.htlc.id, record.paymentPreimage, commit = true))
                 ctx.system.eventStream.publish(received)
               } else {
-                val cmdFail = CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(received.amount, nodeParams.currentBlockHeight)), p.startTime, commit = true)
+                val cmdFail = CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(received.amount, nodeParams.currentBlockHeight)), Some(p.receivedAt), commit = true)
                 PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, cmdFail)
               }
             })
@@ -221,7 +221,7 @@ class MultiPartHandler(nodeParams: NodeParams, register: ActorRef, db: IncomingP
           parts.collect {
             case p: MultiPartPaymentFSM.HtlcPart =>
               Metrics.PaymentFailed.withTag(Tags.Direction, Tags.Directions.Received).withTag(Tags.Failure, "InvoiceNotFound").increment()
-              val cmdFail = CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(received.amount, nodeParams.currentBlockHeight)), p.startTime, commit = true)
+              val cmdFail = CMD_FAIL_HTLC(p.htlc.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(received.amount, nodeParams.currentBlockHeight)), Some(p.receivedAt), commit = true)
               PendingCommandsDb.safeSend(register, nodeParams.db.pendingCommands, p.htlc.channelId, cmdFail)
           }
         }
@@ -466,15 +466,15 @@ object MultiPartHandler {
 
   private def validateStandardPayment(nodeParams: NodeParams, add: UpdateAddHtlc, payload: FinalPayload.Standard, record: IncomingStandardPayment)(implicit log: LoggingAdapter): Option[CMD_FAIL_HTLC] = {
     // We send the same error regardless of the failure to avoid probing attacks.
-    val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), TimestampMilli.now(), commit = true)
+    val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), Some(TimestampMilli.now()), commit = true)
     val commonOk = validateCommon(nodeParams, add, payload, record)
     val secretOk = validatePaymentSecret(add, payload, record.invoice)
     if (commonOk && secretOk) None else Some(cmdFail)
   }
 
   private def validateBlindedPayment(nodeParams: NodeParams, add: UpdateAddHtlc, payload: FinalPayload.Blinded, record: IncomingBlindedPayment, maxRecipientPathFees: MilliSatoshi)(implicit log: LoggingAdapter): Option[CMD_FAIL_HTLC] = {
     // We send the same error regardless of the failure to avoid probing attacks.
-    val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), TimestampMilli.now(), commit = true)
+    val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), Some(TimestampMilli.now()), commit = true)
     val commonOk = validateCommon(nodeParams, add, payload, record)
     // The payer isn't aware of the blinded path fees if we decided to hide them. The HTLC amount will thus be smaller
     // than the onion amount, but should match when re-adding the blinded path fees.

eclair-core/src/main/scala/fr/acinq/eclair/payment/receive/MultiPartPaymentFSM.scala

@@ -134,7 +134,7 @@ object MultiPartPaymentFSM {
     def totalAmount: MilliSatoshi
   }
   /** An incoming HTLC. */
-  case class HtlcPart(totalAmount: MilliSatoshi, htlc: UpdateAddHtlc, startTime: TimestampMilli = TimestampMilli.now()) extends PaymentPart {
+  case class HtlcPart(totalAmount: MilliSatoshi, htlc: UpdateAddHtlc, receivedAt: TimestampMilli = TimestampMilli.now()) extends PaymentPart {
     override def paymentHash: ByteVector32  = htlc.paymentHash
     override def amount: MilliSatoshi  = htlc.amountMsat
   }