channelmanager: add fake_last_hops and create_fake_last_hop

This allows users to insert a fake last-hop, where actually any of the previous
second-to-last hops can receive the payment because they have the last hop's
secret key

Author: valentinewallace

lightning/src/ln/channelmanager.rs

@@ -544,23 +544,29 @@ struct ExpandedPmtKey {
 	metadata_key: [u8; 32],
 	ldk_pmt_hash_key: [u8; 32],
 	user_pmt_hash_key: [u8; 32],
+	node_secret_key: Option<SecretKey>, // Only set for fake last hops
 }
 
 impl Writeable for ExpandedPmtKey {
 	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
-		self.key_material.write(w)
+		self.key_material.write(w)?;
+		if self.node_secret_key.is_some() {
+			Ok(true.write(w)?)
+		} else { Ok(false.write(w)?) }
 	}
 }
 
 impl Readable for ExpandedPmtKey {
 	fn read<R: Read>(r: &mut R) -> Result<Self, DecodeError> {
 		let key_material: KeyMaterial = Readable::read(r)?;
-		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key) = hkdf_extract_expand(&vec![0], &key_material);
+		let fake_node_key: bool = Readable::read(r)?; // TODO amend #1177 to write this value too
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, node_key_bytes) = hkdf_extract_expand(&vec![0], &key_material);
 		Ok(ExpandedPmtKey {
 			key_material,
 			metadata_key,
 			ldk_pmt_hash_key,
 			user_pmt_hash_key,
+			node_secret_key: if fake_node_key { Some(SecretKey::from_slice(&node_key_bytes).unwrap()) } else { None },
 		})
 	}
 }
@@ -644,6 +650,8 @@ pub struct ChannelManager<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref,
 	#[cfg(not(any(test, feature = "_test_utils")))]
 	channel_state: Mutex<ChannelHolder<Signer>>,
 
+	fake_last_hops: Mutex<HashMap<u64, ExpandedPmtKey>>,
+
 	/// Storage for PaymentSecrets and any requirements on future inbound payments before we will
 	/// expose them to users via a PaymentReceived event. HTLCs which do not meet the requirements
 	/// here are failed when we process them as pending-forwardable-HTLCs, and entries are removed
@@ -1347,12 +1355,13 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		let mut secp_ctx = Secp256k1::new();
 		secp_ctx.seeded_randomize(&keys_manager.get_secure_random_bytes());
 		let inbound_pmt_key_material = keys_manager.get_inbound_payment_key_material();
-		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key) = hkdf_extract_expand(&vec![0], &inbound_pmt_key_material);
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, _) = hkdf_extract_expand(&vec![0], &inbound_pmt_key_material);
 		let expanded_inbound_key = ExpandedPmtKey {
 			key_material: inbound_pmt_key_material,
 			metadata_key,
 			ldk_pmt_hash_key,
-			user_pmt_hash_key
+			user_pmt_hash_key,
+			node_secret_key: None,
 		};
 
 		ChannelManager {
@@ -1371,6 +1380,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 				claimable_htlcs: HashMap::new(),
 				pending_msg_events: Vec::new(),
 			}),
+			fake_last_hops: Mutex::new(HashMap::new()),
 			pending_inbound_payments: Mutex::new(HashMap::new()),
 			pending_outbound_payments: Mutex::new(HashMap::new()),
 
@@ -1736,6 +1746,25 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		}
 	}
 
+	/// Insert a fake last hop. This allows you to generate invoices for payments that can
+	/// actually be received by one of multiple nodes. `last_hop_key` should consist of 32 random
+	/// bytes.
+	// TODO we prob don't want to return the node secret, but how to sign invoices?
+	pub fn create_fake_last_hop(&self, last_hop_key: KeyMaterial, last_hop_scid: u64) -> SecretKey {
+		let mut fake_hops = self.fake_last_hops.lock().unwrap();
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, node_key) = hkdf_extract_expand(&vec![0], &last_hop_key);
+		let node_secret = SecretKey::from_slice(&node_key).unwrap();
+		fake_hops.insert(last_hop_scid, ExpandedPmtKey {
+			key_material: last_hop_key,
+			metadata_key,
+			ldk_pmt_hash_key,
+			user_pmt_hash_key,
+			node_secret_key: Some(node_secret),
+		});
+
+		node_secret
+	}
+
 	fn decode_update_add_htlc_onion(&self, msg: &msgs::UpdateAddHTLC) -> (PendingHTLCStatus, MutexGuard<ChannelHolder<Signer>>) {
 		macro_rules! return_malformed_err {
 			($msg: expr, $err_code: expr) => {
@@ -5882,9 +5911,11 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> Writeable f
 				_ => {},
 			}
 		}
+		let fake_last_hops = self.fake_last_hops.lock().unwrap();
 		write_tlv_fields!(writer, {
 			(1, pending_outbound_payments_no_retry, required),
 			(3, pending_outbound_payments, required),
+			(5, fake_last_hops, required),
 		});
 
 		Ok(())
@@ -6179,9 +6210,11 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 		// pending_outbound_payments_no_retry is for compatibility with 0.0.101 clients.
 		let mut pending_outbound_payments_no_retry: Option<HashMap<PaymentId, HashSet<[u8; 32]>>> = None;
 		let mut pending_outbound_payments = None;
+		let mut fake_last_hops = Some(HashMap::new());
 		read_tlv_fields!(reader, {
 			(1, pending_outbound_payments_no_retry, option),
 			(3, pending_outbound_payments, option),
+			(5, fake_last_hops, option),
 		});
 		if pending_outbound_payments.is_none() && pending_outbound_payments_no_retry.is_none() {
 			pending_outbound_payments = Some(pending_outbound_payments_compat);
@@ -6246,12 +6279,13 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 		}
 
 		let inbound_pmt_key_material = args.keys_manager.get_inbound_payment_key_material();
-		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key) = hkdf_extract_expand(&vec![0], &inbound_pmt_key_material);
+		let (metadata_key, ldk_pmt_hash_key, user_pmt_hash_key, _) = hkdf_extract_expand(&vec![0], &inbound_pmt_key_material);
 		let expanded_inbound_key = ExpandedPmtKey {
 			key_material: inbound_pmt_key_material,
 			metadata_key,
 			ldk_pmt_hash_key,
-			user_pmt_hash_key
+			user_pmt_hash_key,
+			node_secret_key: None,
 		};
 
 		let channel_manager = ChannelManager {
@@ -6270,6 +6304,7 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 				pending_msg_events: Vec::new(),
 			}),
 			inbound_payment_key: expanded_inbound_key,
+			fake_last_hops: Mutex::new(fake_last_hops.unwrap()),
 			pending_inbound_payments: Mutex::new(pending_inbound_payments),
 			pending_outbound_payments: Mutex::new(pending_outbound_payments.unwrap()),
 
@@ -6303,7 +6338,7 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 	}
 }
 
-fn hkdf_extract_expand(salt: &[u8], ikm: &KeyMaterial) -> ([u8; 32], [u8; 32], [u8; 32]) {
+fn hkdf_extract_expand(salt: &[u8], ikm: &KeyMaterial) -> ([u8; 32], [u8; 32], [u8; 32], [u8; 32]) {
 	let mut hmac = HmacEngine::<Sha256>::new(salt);
 	hmac.input(&ikm.0);
 	let prk = Hmac::from_engine(hmac).into_inner();
@@ -6321,7 +6356,12 @@ fn hkdf_extract_expand(salt: &[u8], ikm: &KeyMaterial) -> ([u8; 32], [u8; 32], [
 	hmac.input(&[3; 1]);
 	let t3 = Hmac::from_engine(hmac).into_inner();
 
-	(t1, t2, t3)
+	let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+	hmac.input(&t3);
+	hmac.input(&[4; 1]);
+	let t4 = Hmac::from_engine(hmac).into_inner();
+
+	(t1, t2, t3, t4)
 }
 
 #[cfg(test)]