Introduce DummyTlvs

Adds new `Dummy` variant to `ControlTlvs`, allowing insertion
of arbitrary dummy hops before the final `ReceiveTlvs`.
This increases the length of the blinded path, making it harder
for a malicious actor to infer the position of the true final hop.

Author: shaavan

lightning/src/blinded_path/message.rs

@@ -11,6 +11,7 @@
 
 use bitcoin::secp256k1::{self, PublicKey, Secp256k1, SecretKey};
 
+use crate::offers::signer;
 #[allow(unused_imports)]
 use crate::prelude::*;
 
@@ -19,9 +20,9 @@ use crate::blinded_path::{BlindedHop, BlindedPath, Direction, IntroductionNode,
 use crate::crypto::streams::ChaChaPolyReadAdapter;
 use crate::io;
 use crate::io::Cursor;
-use crate::ln::channelmanager::PaymentId;
+use crate::ln::channelmanager::{PaymentId, Verification};
 use crate::ln::msgs::DecodeError;
-use crate::ln::onion_utils;
+use crate::ln::{inbound_payment, onion_utils};
 use crate::offers::nonce::Nonce;
 use crate::onion_message::packet::ControlTlvs;
 use crate::routing::gossip::{NodeId, ReadOnlyNetworkGraph};
@@ -258,6 +259,45 @@ pub(crate) struct ForwardTlvs {
 	pub(crate) next_blinding_override: Option<PublicKey>,
 }
 
+pub(crate) struct UnauthenticatedDummyTlvs {}
+
+impl Writeable for UnauthenticatedDummyTlvs {
+	fn write<W: Writer>(&self, _writer: &mut W) -> Result<(), io::Error> {
+		Ok(())
+	}
+}
+
+impl Verification for UnauthenticatedDummyTlvs {
+	/// Constructs an HMAC to include in [`OffersContext`] for the data along with the given
+	/// [`Nonce`].
+	fn hmac_data(&self, nonce: Nonce, expanded_key: &inbound_payment::ExpandedKey) -> Hmac<Sha256> {
+		signer::hmac_for_dummy_tlvs(self, nonce, expanded_key)
+	}
+
+	/// Authenticates the data using an HMAC and a [`Nonce`] taken from an [`OffersContext`].
+	fn verify_data(
+		&self, hmac: Hmac<Sha256>, nonce: Nonce, expanded_key: &inbound_payment::ExpandedKey,
+	) -> Result<(), ()> {
+		signer::verify_dummy_tlvs(self, hmac, nonce, expanded_key)
+	}
+}
+
+pub(crate) struct DummyTlvs {
+	pub(crate) dummy_tlvs: UnauthenticatedDummyTlvs,
+	/// An HMAC of `tlvs` along with a nonce used to construct it.
+	pub(crate) authentication: (Hmac<Sha256>, Nonce),
+}
+
+impl Writeable for DummyTlvs {
+	fn write<W: Writer>(&self, writer: &mut W) -> Result<(), io::Error> {
+		encode_tlv_stream!(writer, {
+			(65539, self.authentication, required),
+		});
+
+		Ok(())
+	}
+}
+
 /// Similar to [`ForwardTlvs`], but these TLVs are for the final node.
 pub(crate) struct ReceiveTlvs {
 	/// If `context` is `Some`, it is used to identify the blinded path that this onion message is

lightning/src/offers/signer.rs

@@ -9,6 +9,7 @@
 
 //! Utilities for signing offer messages and verifying metadata.
 
+use crate::blinded_path::message::UnauthenticatedDummyTlvs;
 use crate::blinded_path::payment::UnauthenticatedReceiveTlvs;
 use crate::ln::channelmanager::PaymentId;
 use crate::ln::inbound_payment::{ExpandedKey, IV_LEN};
@@ -555,3 +556,26 @@ pub(crate) fn verify_held_htlc_available_context(
 		Err(())
 	}
 }
+
+pub(crate) fn hmac_for_dummy_tlvs(
+	tlvs: &UnauthenticatedDummyTlvs, nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Hmac<Sha256> {
+	const IV_BYTES: &[u8; IV_LEN] = b"LDK Msgs Dummies";
+	let mut hmac = expanded_key.hmac_for_offer();
+	hmac.input(IV_BYTES);
+	hmac.input(&nonce.0);
+	hmac.input(PAYMENT_TLVS_HMAC_INPUT);
+	tlvs.write(&mut hmac).unwrap();
+
+	Hmac::from_engine(hmac)
+}
+
+pub(crate) fn verify_dummy_tlvs(
+	tlvs: &UnauthenticatedDummyTlvs, hmac: Hmac<Sha256>, nonce: Nonce, expanded_key: &ExpandedKey,
+) -> Result<(), ()> {
+	if hmac_for_dummy_tlvs(tlvs, nonce, expanded_key) == hmac {
+		Ok(())
+	} else {
+		Err(())
+	}
+}

lightning/src/onion_message/packet.rs

@@ -17,7 +17,10 @@ use super::async_payments::AsyncPaymentsMessage;
 use super::dns_resolution::DNSResolverMessage;
 use super::messenger::CustomOnionMessageHandler;
 use super::offers::OffersMessage;
-use crate::blinded_path::message::{BlindedMessagePath, ForwardTlvs, NextMessageHop, ReceiveTlvs};
+use crate::blinded_path::message::{
+	BlindedMessagePath, DummyTlvs, ForwardTlvs, NextMessageHop, ReceiveTlvs,
+	UnauthenticatedDummyTlvs,
+};
 use crate::crypto::streams::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
 use crate::ln::msgs::DecodeError;
 use crate::ln::onion_utils;
@@ -111,6 +114,8 @@ impl LengthReadable for Packet {
 pub(super) enum Payload<T: OnionMessageContents> {
 	/// This payload is for an intermediate hop.
 	Forward(ForwardControlTlvs),
+	/// This payload is dummy, and is inteded to be peeled.
+	Dummy(DummyControlTlvs),
 	/// This payload is for the final hop.
 	Receive { control_tlvs: ReceiveControlTlvs, reply_path: Option<BlindedMessagePath>, message: T },
 }
@@ -204,6 +209,11 @@ pub(super) enum ForwardControlTlvs {
 	Unblinded(ForwardTlvs),
 }
 
+pub(super) enum DummyControlTlvs {
+	/// See [`ForwardControlTlvs::Unblinded`]
+	Unblinded(DummyTlvs),
+}
+
 /// Receive control TLVs in their blinded and unblinded form.
 pub(super) enum ReceiveControlTlvs {
 	/// See [`ForwardControlTlvs::Blinded`].
@@ -234,6 +244,10 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
 				_encode_varint_length_prefixed_tlv!(w, { (4, write_adapter, required) })
 			},
+			Payload::Dummy(DummyControlTlvs::Unblinded(control_tlvs)) => {
+				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
+				_encode_varint_length_prefixed_tlv!(w, { (4, write_adapter, required) })
+			},
 			Payload::Receive {
 				control_tlvs: ReceiveControlTlvs::Unblinded(control_tlvs),
 				reply_path,
@@ -310,6 +324,9 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 				}
 				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
 			},
+			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Dummy(tlvs) }) => {
+				Ok(Payload::Dummy(DummyControlTlvs::Unblinded(tlvs)))
+			},
 			Some(ChaChaPolyReadAdapter { readable: ControlTlvs::Receive(tlvs) }) => {
 				Ok(Payload::Receive {
 					control_tlvs: ReceiveControlTlvs::Unblinded(tlvs),
@@ -328,6 +345,8 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 pub(crate) enum ControlTlvs {
 	/// This onion message is intended to be forwarded.
 	Forward(ForwardTlvs),
+	/// This onion message is a dummy, and is intended to be peeled.
+	Dummy(DummyTlvs),
 	/// This onion message is intended to be received.
 	Receive(ReceiveTlvs),
 }
@@ -343,6 +362,7 @@ impl Readable for ControlTlvs {
 			(4, next_node_id, option),
 			(8, next_blinding_override, option),
 			(65537, context, option),
+			(65539, authentication, option),
 		});
 
 		let next_hop = match (short_channel_id, next_node_id) {
@@ -363,7 +383,10 @@ impl Readable for ControlTlvs {
 		} else if valid_recv_fmt {
 			ControlTlvs::Receive(ReceiveTlvs { context })
 		} else {
-			return Err(DecodeError::InvalidValue);
+			ControlTlvs::Dummy(DummyTlvs {
+				dummy_tlvs: UnauthenticatedDummyTlvs {},
+				authentication: authentication.ok_or(DecodeError::InvalidValue)?,
+			})
 		};
 
 		Ok(payload_fmt)
@@ -374,6 +397,7 @@ impl Writeable for ControlTlvs {
 	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
 		match self {
 			Self::Forward(tlvs) => tlvs.write(w),
+			Self::Dummy(tlvs) => tlvs.write(w),
 			Self::Receive(tlvs) => tlvs.write(w),
 		}
 	}