Support phantom payment receive in ChannelManager, with invoice util

See PhantomKeysManager and invoice util's create_phantom_invoice for more info

Author: valentinewallace

lightning-invoice/src/lib.rs

@@ -1387,6 +1387,12 @@ pub enum CreationError {
 
 	/// The supplied millisatoshi amount was greater than the total bitcoin supply.
 	InvalidAmount,
+
+	/// Route hints were required for this invoice and were missing. Applies to
+	/// [phantom invoices].
+	///
+	/// [phantom invoices]: crate::utils::create_phantom_invoice
+	MissingRouteHints,
 }
 
 impl Display for CreationError {
@@ -1396,6 +1402,7 @@ impl Display for CreationError {
 			CreationError::RouteTooLong => f.write_str("The specified route has too many hops and can't be encoded"),
 			CreationError::TimestampOutOfBounds => f.write_str("The Unix timestamp of the supplied date is less than zero or greater than 35-bits"),
 			CreationError::InvalidAmount => f.write_str("The supplied millisatoshi amount was greater than the total bitcoin supply"),
+			CreationError::MissingRouteHints => f.write_str("The invoice required route hints and they weren't provided"),
 		}
 	}
 }

lightning-invoice/src/utils.rs

@@ -10,7 +10,7 @@ use lightning::chain;
 use lightning::chain::chaininterface::{BroadcasterInterface, FeeEstimator};
 use lightning::chain::keysinterface::{Recipient, KeysInterface, Sign};
 use lightning::ln::{PaymentHash, PaymentPreimage, PaymentSecret};
-use lightning::ln::channelmanager::{ChannelDetails, ChannelManager, PaymentId, PaymentSendFailure, MIN_FINAL_CLTV_EXPIRY};
+use lightning::ln::channelmanager::{ChannelDetails, ChannelManager, PaymentId, PaymentSendFailure, PhantomRouteHints, MIN_FINAL_CLTV_EXPIRY, MIN_CLTV_EXPIRY_DELTA};
 use lightning::ln::msgs::LightningError;
 use lightning::routing::scoring::Score;
 use lightning::routing::network_graph::{NetworkGraph, RoutingFees};
@@ -21,6 +21,99 @@ use core::convert::TryInto;
 use core::ops::Deref;
 use core::time::Duration;
 
+#[cfg(feature = "std")]
+/// Utility to create an invoice that can be paid to one of multiple nodes, or a "phantom invoice."
+/// See [`PhantomKeysManager`] for more information on phantom node payments.
+///
+/// `phantom_route_hints` parameter:
+/// * Contains channel info for all nodes participating in the phantom invoice
+/// * Entries are retrieved from a call to [`ChannelManager::get_phantom_route_hints`] on each
+///   participating node
+/// * It is fine to cache `phantom_route_hints` and reuse it across invoices, as long as the data is
+///   updated when a channel becomes disabled or closes
+/// * Note that if too many channels are included in [`PhantomRouteHints::channels`], the invoice
+///   may be too long for QR code scanning. To fix this, `PhantomRouteHints::channels` may be pared
+///   down
+///
+/// `payment_hash` and `payment_secret` come from [`ChannelManager::create_inbound_payment`] or
+/// [`ChannelManager::create_inbound_payment_for_hash`]. These values can be retrieved from any
+/// participating node.
+///
+/// Note that the provided `keys_manager`'s `KeysInterface` implementation must support phantom
+/// invoices in its `sign_invoice` implementation ([`PhantomKeysManager`] satisfies this
+/// requirement).
+///
+/// [`PhantomKeysManager`]: lightning::chain::keysinterface::PhantomKeysManager
+/// [`ChannelManager::get_phantom_route_hints`]: lightning::ln::channelmanager::ChannelManager::get_phantom_route_hints
+/// [`PhantomRouteHints::channels`]: lightning::ln::channelmanager::PhantomRouteHints::channels
+pub fn create_phantom_invoice<Signer: Sign, K: Deref>(
+	amt_msat: Option<u64>, description: String, payment_hash: PaymentHash, payment_secret:
+	PaymentSecret, phantom_route_hints: Vec<PhantomRouteHints>, keys_manager: K, network: Currency
+) -> Result<Invoice, SignOrCreationError<()>> where K::Target: KeysInterface {
+	if phantom_route_hints.len() == 0 {
+		return Err(SignOrCreationError::CreationError(CreationError::MissingRouteHints))
+	}
+	let mut invoice = InvoiceBuilder::new(network)
+		.description(description)
+		.current_timestamp()
+		.payment_hash(Hash::from_slice(&payment_hash.0).unwrap())
+		.payment_secret(payment_secret)
+		.min_final_cltv_expiry(MIN_FINAL_CLTV_EXPIRY.into());
+	if let Some(amt) = amt_msat {
+		invoice = invoice.amount_milli_satoshis(amt);
+	}
+
+	for hint in phantom_route_hints {
+		for channel in &hint.channels {
+			let short_channel_id = match channel.short_channel_id {
+				Some(id) => id,
+				None => continue,
+			};
+			let forwarding_info = match &channel.counterparty.forwarding_info {
+				Some(info) => info.clone(),
+				None => continue,
+			};
+			invoice = invoice.private_route(RouteHint(vec![
+					RouteHintHop {
+						src_node_id: channel.counterparty.node_id,
+						short_channel_id,
+						fees: RoutingFees {
+							base_msat: forwarding_info.fee_base_msat,
+							proportional_millionths: forwarding_info.fee_proportional_millionths,
+						},
+						cltv_expiry_delta: forwarding_info.cltv_expiry_delta,
+						htlc_minimum_msat: None,
+						htlc_maximum_msat: None,
+					},
+					RouteHintHop {
+						src_node_id: hint.real_node_pubkey,
+						short_channel_id: hint.phantom_scid,
+						fees: RoutingFees {
+							base_msat: 0,
+							proportional_millionths: 0,
+						},
+						cltv_expiry_delta: MIN_CLTV_EXPIRY_DELTA,
+						htlc_minimum_msat: None,
+						htlc_maximum_msat: None,
+					}])
+			);
+		}
+	}
+
+	let raw_invoice = match invoice.build_raw() {
+		Ok(inv) => inv,
+		Err(e) => return Err(SignOrCreationError::CreationError(e))
+	};
+	let hrp_str = raw_invoice.hrp.to_string();
+	let hrp_bytes = hrp_str.as_bytes();
+	let data_without_signature = raw_invoice.data.to_base32();
+	let signed_raw_invoice = raw_invoice.sign(|_| keys_manager.sign_invoice(hrp_bytes, &data_without_signature, Recipient::PhantomNode));
+	match signed_raw_invoice {
+		Ok(inv) => Ok(Invoice::from_signed(inv).unwrap()),
+		Err(e) => Err(SignOrCreationError::SignError(e))
+	}
+}
+
 #[cfg(feature = "std")]
 /// Utility to construct an invoice. Generally, unless you want to do something like a custom
 /// cltv_expiry, this is what you should be using to create an invoice. The reason being, this
@@ -192,13 +285,17 @@ where
 mod test {
 	use core::time::Duration;
 	use {Currency, Description, InvoiceDescription};
-	use lightning::ln::PaymentHash;
+	use bitcoin_hashes::Hash;
+	use bitcoin_hashes::sha256::Hash as Sha256;
+	use lightning::chain::keysinterface::PhantomKeysManager;
+	use lightning::ln::{PaymentPreimage, PaymentHash};
 	use lightning::ln::channelmanager::MIN_FINAL_CLTV_EXPIRY;
 	use lightning::ln::functional_test_utils::*;
 	use lightning::ln::features::InitFeatures;
 	use lightning::ln::msgs::ChannelMessageHandler;
 	use lightning::routing::router::{PaymentParameters, RouteParameters, find_route};
-	use lightning::util::events::MessageSendEventsProvider;
+	use lightning::util::enforcing_trait_impls::EnforcingSigner;
+	use lightning::util::events::{MessageSendEvent, MessageSendEventsProvider, Event};
 	use lightning::util::test_utils;
 	use utils::create_invoice_from_channelmanager_and_duration_since_epoch;
 
@@ -254,4 +351,121 @@ mod test {
 		let events = nodes[1].node.get_and_clear_pending_msg_events();
 		assert_eq!(events.len(), 2);
 	}
+
+	#[test]
+	#[cfg(feature = "std")]
+	fn test_multi_node_receive() {
+		do_test_multi_node_receive(true);
+		do_test_multi_node_receive(false);
+	}
+
+	#[cfg(feature = "std")]
+	fn do_test_multi_node_receive(user_generated_pmt_hash: bool) {
+		let mut chanmon_cfgs = create_chanmon_cfgs(3);
+		let seed_1 = [42 as u8; 32];
+		let seed_2 = [43 as u8; 32];
+		let cross_node_seed = [44 as u8; 32];
+		chanmon_cfgs[1].keys_manager.backing = PhantomKeysManager::new(&seed_1, 43, 44, &cross_node_seed);
+		chanmon_cfgs[2].keys_manager.backing = PhantomKeysManager::new(&seed_2, 43, 44, &cross_node_seed);
+		let node_cfgs = create_node_cfgs(3, &chanmon_cfgs);
+		let node_chanmgrs = create_node_chanmgrs(3, &node_cfgs, &[None, None, None]);
+		let nodes = create_network(3, &node_cfgs, &node_chanmgrs);
+		let chan_0_1 = create_announced_chan_between_nodes_with_value(&nodes, 0, 1, 100000, 10001, InitFeatures::known(), InitFeatures::known());
+		nodes[0].node.handle_channel_update(&nodes[1].node.get_our_node_id(), &chan_0_1.1);
+		nodes[1].node.handle_channel_update(&nodes[0].node.get_our_node_id(), &chan_0_1.0);
+		let chan_0_2 = create_announced_chan_between_nodes_with_value(&nodes, 0, 2, 100000, 10001, InitFeatures::known(), InitFeatures::known());
+		nodes[0].node.handle_channel_update(&nodes[2].node.get_our_node_id(), &chan_0_2.1);
+		nodes[2].node.handle_channel_update(&nodes[0].node.get_our_node_id(), &chan_0_2.0);
+
+		let payment_amt = 10_000;
+		let (payment_preimage, payment_hash, payment_secret) = {
+			if user_generated_pmt_hash {
+				let payment_preimage = PaymentPreimage([1; 32]);
+				let payment_hash = PaymentHash(Sha256::hash(&payment_preimage.0[..]).into_inner());
+				let payment_secret = nodes[1].node.create_inbound_payment_for_hash(payment_hash, Some(payment_amt), 3600).unwrap();
+				(payment_preimage, payment_hash, payment_secret)
+			} else {
+				let (payment_hash, payment_secret) = nodes[1].node.create_inbound_payment(Some(payment_amt), 3600).unwrap();
+				let payment_preimage = nodes[1].node.get_payment_preimage(payment_hash, payment_secret).unwrap();
+				(payment_preimage, payment_hash, payment_secret)
+			}
+		};
+		let route_hints = vec![
+			nodes[1].node.get_phantom_route_hints(),
+			nodes[2].node.get_phantom_route_hints(),
+		];
+		let invoice = ::utils::create_phantom_invoice::<EnforcingSigner, &test_utils::TestKeysInterface>(Some(payment_amt), "test".to_string(), payment_hash, payment_secret, route_hints, &nodes[1].keys_manager, Currency::BitcoinTestnet).unwrap();
+
+		assert_eq!(invoice.min_final_cltv_expiry(), MIN_FINAL_CLTV_EXPIRY as u64);
+		assert_eq!(invoice.description(), InvoiceDescription::Direct(&Description("test".to_string())));
+		assert_eq!(invoice.route_hints().len(), 2);
+		assert!(!invoice.features().unwrap().supports_basic_mpp());
+
+		let payment_params = PaymentParameters::from_node_id(invoice.recover_payee_pub_key())
+			.with_features(invoice.features().unwrap().clone())
+			.with_route_hints(invoice.route_hints());
+		let params = RouteParameters {
+			payment_params,
+			final_value_msat: invoice.amount_milli_satoshis().unwrap(),
+			final_cltv_expiry_delta: invoice.min_final_cltv_expiry() as u32,
+		};
+		let first_hops = nodes[0].node.list_usable_channels();
+		let network_graph = node_cfgs[0].network_graph;
+		let logger = test_utils::TestLogger::new();
+		let scorer = test_utils::TestScorer::with_penalty(0);
+		let route = find_route(
+			&nodes[0].node.get_our_node_id(), &params, network_graph,
+			Some(&first_hops.iter().collect::<Vec<_>>()), &logger, &scorer,
+		).unwrap();
+		let (payment_event, fwd_idx) = {
+			let mut payment_hash = PaymentHash([0; 32]);
+			payment_hash.0.copy_from_slice(&invoice.payment_hash().as_ref()[0..32]);
+			nodes[0].node.send_payment(&route, payment_hash, &Some(invoice.payment_secret().clone())).unwrap();
+			let mut added_monitors = nodes[0].chain_monitor.added_monitors.lock().unwrap();
+			assert_eq!(added_monitors.len(), 1);
+			added_monitors.clear();
+
+			let mut events = nodes[0].node.get_and_clear_pending_msg_events();
+			assert_eq!(events.len(), 1);
+			let fwd_idx = match events[0] {
+				MessageSendEvent::UpdateHTLCs { node_id, .. } => {
+					if node_id == nodes[1].node.get_our_node_id() {
+						1
+					} else { 2 }
+				},
+				_ => panic!("Unexpected event")
+			};
+			(SendEvent::from_event(events.remove(0)), fwd_idx)
+		};
+		nodes[fwd_idx].node.handle_update_add_htlc(&nodes[0].node.get_our_node_id(), &payment_event.msgs[0]);
+		commitment_signed_dance!(nodes[fwd_idx], nodes[0], &payment_event.commitment_msg, false, true);
+
+		// Note that we have to "forward pending HTLCs" twice before we see the PaymentReceived as
+		// this "emulates" the payment taking two hops, providing some privacy to make phantom node
+		// payments "look real" by taking more time.
+		expect_pending_htlcs_forwardable_ignore!(nodes[fwd_idx]);
+		nodes[fwd_idx].node.process_pending_htlc_forwards();
+		expect_pending_htlcs_forwardable_ignore!(nodes[fwd_idx]);
+		nodes[fwd_idx].node.process_pending_htlc_forwards();
+
+		let payment_preimage_opt = if user_generated_pmt_hash { None } else { Some(payment_preimage) };
+		expect_payment_received!(&nodes[fwd_idx], payment_hash, payment_secret, payment_amt, payment_preimage_opt);
+		do_claim_payment_along_route(&nodes[0], &vec!(&vec!(&nodes[fwd_idx])[..]), false, payment_preimage);
+		let events = nodes[0].node.get_and_clear_pending_events();
+		assert_eq!(events.len(), 2);
+		match events[0] {
+			Event::PaymentSent { payment_preimage: ref ev_preimage, payment_hash: ref ev_hash, ref fee_paid_msat, .. } => {
+				assert_eq!(payment_preimage, *ev_preimage);
+				assert_eq!(payment_hash, *ev_hash);
+				assert_eq!(fee_paid_msat, &Some(0));
+			},
+			_ => panic!("Unexpected event")
+		}
+		match events[1] {
+			Event::PaymentPathSuccessful { payment_hash: hash, .. } => {
+				assert_eq!(hash, Some(payment_hash));
+			},
+			_ => panic!("Unexpected event")
+		}
+	}
 }

lightning/src/ln/channelmanager.rs

@@ -2295,6 +2295,11 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 				if let Some((err, code, chan_update)) = loop {
 					let forwarding_id = match id_option {
 						None => { // unknown_next_peer
+							// Note that this is likely a timing oracle for detecting whether an scid is a
+							// phantom.
+							if fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, *short_channel_id) {
+								break None
+							}
 							break Some(("Don't have available channel for forwarding as requested.", 0x4000 | 10, None));
 						},
 						Some(id) => id.clone(),
@@ -2984,6 +2989,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 
 		let mut new_events = Vec::new();
 		let mut failed_forwards = Vec::new();
+		let mut phantom_receives: Vec<(u64, OutPoint, Vec<(PendingHTLCInfo, u64)>)> = Vec::new();
 		let mut handle_errors = Vec::new();
 		{
 			let mut channel_state_lock = self.channel_state.lock().unwrap();
@@ -2994,26 +3000,69 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 					let forward_chan_id = match channel_state.short_to_id.get(&short_chan_id) {
 						Some(chan_id) => chan_id.clone(),
 						None => {
-							failed_forwards.reserve(pending_forwards.len());
 							for forward_info in pending_forwards.drain(..) {
 								match forward_info {
-									HTLCForwardInfo::AddHTLC { prev_short_channel_id, prev_htlc_id, forward_info,
-									                           prev_funding_outpoint } => {
-										let htlc_source = HTLCSource::PreviousHopData(HTLCPreviousHopData {
-											short_channel_id: prev_short_channel_id,
-											outpoint: prev_funding_outpoint,
-											htlc_id: prev_htlc_id,
-											incoming_packet_shared_secret: forward_info.incoming_shared_secret,
-										});
-										failed_forwards.push((htlc_source, forward_info.payment_hash,
-											HTLCFailReason::Reason { failure_code: 0x4000 | 10, data: Vec::new() }
-										));
-									},
+									HTLCForwardInfo::AddHTLC { prev_short_channel_id, prev_htlc_id, forward_info: PendingHTLCInfo {
+										routing, incoming_shared_secret, payment_hash, amt_to_forward, outgoing_cltv_value },
+										prev_funding_outpoint } => {
+											macro_rules! fail_forward {
+												($msg: expr, $err_code: expr, $err_data: expr) => {
+													{
+														log_info!(self.logger, "Failed to accept/forward incoming HTLC: {}", $msg);
+														let htlc_source = HTLCSource::PreviousHopData(HTLCPreviousHopData {
+															short_channel_id: short_chan_id,
+															outpoint: prev_funding_outpoint,
+															htlc_id: prev_htlc_id,
+															incoming_packet_shared_secret: incoming_shared_secret,
+														});
+														failed_forwards.push((htlc_source, payment_hash,
+																HTLCFailReason::Reason { failure_code: $err_code, data: $err_data }
+														));
+														continue;
+													}
+												}
+											}
+											if let PendingHTLCRouting::Forward { onion_packet, .. } = routing {
+												let phantom_secret_res = self.keys_manager.get_node_secret(Recipient::PhantomNode);
+												if phantom_secret_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id) {
+													let shared_secret = {
+														let mut arr = [0; 32];
+														arr.copy_from_slice(&SharedSecret::new(&onion_packet.public_key.unwrap(), &phantom_secret_res.unwrap())[..]);
+														arr
+													};
+													let next_hop = match onion_utils::decode_next_hop(shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
+														Ok(res) => res,
+														Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {
+															fail_forward!(err_msg, err_code, Vec::new());
+														},
+														Err(onion_utils::OnionDecodeErr::Relay { err_msg, err_code }) => {
+															fail_forward!(err_msg, err_code, Vec::new());
+														},
+													};
+													match next_hop {
+														onion_utils::Hop::Receive(hop_data) => {
+															match self.construct_recv_pending_htlc_info(hop_data, shared_secret, payment_hash, amt_to_forward, outgoing_cltv_value) {
+																Ok(info) => phantom_receives.push((prev_short_channel_id, prev_funding_outpoint, vec![(info, prev_htlc_id)])),
+																Err(ReceiveError { err_code, err_data, msg }) => fail_forward!(msg, err_code, err_data)
+															}
+														},
+														_ => panic!(),
+													}
+												} else {
+													fail_forward!(format!("Unknown short channel id {} for forward HTLC", short_chan_id), 0x4000 | 10, Vec::new());
+												}
+											} else {
+												fail_forward!(format!("Unknown short channel id {} for forward HTLC", short_chan_id), 0x4000 | 10, Vec::new());
+											}
+										},
 									HTLCForwardInfo::FailHTLC { .. } => {
 										// Channel went away before we could fail it. This implies
 										// the channel is now on chain and our counterparty is
 										// trying to broadcast the HTLC-Timeout, but that's their
 										// problem, not ours.
+										//
+										// `fail_htlc_backwards_internal` is never called for
+										// phantom payments, so this is unreachable for them.
 									}
 								}
 							}
@@ -3320,6 +3369,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		for (htlc_source, payment_hash, failure_reason) in failed_forwards.drain(..) {
 			self.fail_htlc_backwards_internal(self.channel_state.lock().unwrap(), htlc_source, &payment_hash, failure_reason);
 		}
+		self.forward_htlcs(&mut phantom_receives);
 
 		for (counterparty_node_id, err) in handle_errors.drain(..) {
 			let _ = handle_error!(self, err, counterparty_node_id);