Authenticate blinded path contexts with a secret AAD in the MAC

lightning/src/blinded_path/message.rs

@@ -92,6 +92,7 @@ impl BlindedMessagePath {
 				recipient_node_id,
 				context,
 				&blinding_secret,
+				[41; 32], // TODO: Pass this in
 			)
 			.map_err(|_| ())?,
 		}))
@@ -514,18 +515,19 @@ pub(crate) const MESSAGE_PADDING_ROUND_OFF: usize = 100;
 pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[MessageForwardNode],
 	recipient_node_id: PublicKey, context: MessageContext, session_priv: &SecretKey,
+	local_node_receive_key: [u8; 32],
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
 	let pks = intermediate_nodes
 		.iter()
-		.map(|node| node.node_id)
-		.chain(core::iter::once(recipient_node_id));
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((recipient_node_id, Some(local_node_receive_key))));
 	let is_compact = intermediate_nodes.iter().any(|node| node.short_channel_id.is_some());
 
 	let tlvs = pks
 		.clone()
 		.skip(1) // The first node's TLVs contains the next node's pubkey
 		.zip(intermediate_nodes.iter().map(|node| node.short_channel_id))
-		.map(|(pubkey, scid)| match scid {
+		.map(|((pubkey, _), scid)| match scid {
 			Some(scid) => NextMessageHop::ShortChannelId(scid),
 			None => NextMessageHop::NodeId(pubkey),
 		})

lightning/src/blinded_path/payment.rs

@@ -664,8 +664,10 @@ pub(super) fn blinded_hops<T: secp256k1::Signing + secp256k1::Verification>(
 	secp_ctx: &Secp256k1<T>, intermediate_nodes: &[PaymentForwardNode], payee_node_id: PublicKey,
 	payee_tlvs: ReceiveTlvs, session_priv: &SecretKey,
 ) -> Result<Vec<BlindedHop>, secp256k1::Error> {
-	let pks =
-		intermediate_nodes.iter().map(|node| node.node_id).chain(core::iter::once(payee_node_id));
+	let pks = intermediate_nodes
+		.iter()
+		.map(|node| (node.node_id, None))
+		.chain(core::iter::once((payee_node_id, None)));
 	let tlvs = intermediate_nodes
 		.iter()
 		.map(|node| BlindedPaymentTlvsRef::Forward(&node.tlvs))

lightning/src/blinded_path/utils.rs

@@ -17,7 +17,8 @@ use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1, SecretKey};
 
 use super::message::BlindedMessagePath;
 use super::{BlindedHop, BlindedPath};
-use crate::crypto::streams::ChaChaPolyWriteAdapter;
+use crate::crypto::chacha20poly1305rfc::ChaCha20Poly1305RFC;
+use crate::crypto::streams::chachapoly_encrypt_with_swapped_aad;
 use crate::io;
 use crate::ln::onion_utils;
 use crate::onion_message::messenger::Destination;
@@ -105,17 +106,20 @@ macro_rules! build_keys_helper {
 	};
 }
 
-#[inline]
 pub(crate) fn construct_keys_for_onion_message<'a, T, I, F>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, destination: Destination, session_priv: &SecretKey,
 	mut callback: F,
 ) -> Result<(), secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
 	I: Iterator<Item = PublicKey>,
-	F: FnMut(PublicKey, SharedSecret, PublicKey, [u8; 32], Option<PublicKey>, Option<Vec<u8>>),
+	F: FnMut(SharedSecret, PublicKey, [u8; 32], Option<PublicKey>, Option<Vec<u8>>),
 {
-	build_keys_helper!(session_priv, secp_ctx, callback);
+	let mut callback_wrapper =
+		|_, ss, pk, encrypted_payload_rho, unblinded_hop_data, encrypted_payload| {
+			callback(ss, pk, encrypted_payload_rho, unblinded_hop_data, encrypted_payload);
+		};
+	build_keys_helper!(session_priv, secp_ctx, callback_wrapper);
 
 	for pk in unblinded_path {
 		build_keys_in_loop!(pk, false, None);
@@ -133,8 +137,7 @@ where
 	Ok(())
 }
 
-#[inline]
-pub(super) fn construct_keys_for_blinded_path<'a, T, I, F, H>(
+fn construct_keys_for_blinded_path<'a, T, I, F, H>(
 	secp_ctx: &Secp256k1<T>, unblinded_path: I, session_priv: &SecretKey, mut callback: F,
 ) -> Result<(), secp256k1::Error>
 where
@@ -145,14 +148,16 @@ where
 {
 	build_keys_helper!(session_priv, secp_ctx, callback);
 
-	for pk in unblinded_path {
+	let mut iter = unblinded_path.peekable();
+	while let Some(pk) = iter.next() {
 		build_keys_in_loop!(pk, false, None);
 	}
 	Ok(())
 }
 
 struct PublicKeyWithTlvs<W: Writeable> {
 	pubkey: PublicKey,
+	hop_recv_key: Option<[u8; 32]>,
 	tlvs: W,
 }
 
@@ -167,20 +172,26 @@ pub(crate) fn construct_blinded_hops<'a, T, I, W>(
 ) -> Result<Vec<BlindedHop>, secp256k1::Error>
 where
 	T: secp256k1::Signing + secp256k1::Verification,
-	I: Iterator<Item = (PublicKey, W)>,
+	I: Iterator<Item = ((PublicKey, Option<[u8; 32]>), W)>,
 	W: Writeable,
 {
 	let mut blinded_hops = Vec::with_capacity(unblinded_path.size_hint().0);
 	construct_keys_for_blinded_path(
 		secp_ctx,
-		unblinded_path.map(|(pubkey, tlvs)| PublicKeyWithTlvs { pubkey, tlvs }),
+		unblinded_path.map(|((pubkey, hop_recv_key), tlvs)| PublicKeyWithTlvs {
+			pubkey,
+			hop_recv_key,
+			tlvs,
+		}),
 		session_priv,
 		|blinded_node_id, _, _, encrypted_payload_rho, unblinded_hop_data, _| {
+			let hop_data = unblinded_hop_data.unwrap();
 			blinded_hops.push(BlindedHop {
 				blinded_node_id,
 				encrypted_payload: encrypt_payload(
-					unblinded_hop_data.unwrap().tlvs,
+					hop_data.tlvs,
 					encrypted_payload_rho,
+					hop_data.hop_recv_key,
 				),
 			});
 		},
@@ -189,9 +200,19 @@ where
 }
 
 /// Encrypt TLV payload to be used as a [`crate::blinded_path::BlindedHop::encrypted_payload`].
-fn encrypt_payload<P: Writeable>(payload: P, encrypted_tlvs_rho: [u8; 32]) -> Vec<u8> {
-	let write_adapter = ChaChaPolyWriteAdapter::new(encrypted_tlvs_rho, &payload);
-	write_adapter.encode()
+fn encrypt_payload<P: Writeable>(
+	payload: P, encrypted_tlvs_rho: [u8; 32], hop_recv_key: Option<[u8; 32]>,
+) -> Vec<u8> {
+	let mut payload_data = payload.encode();
+	if let Some(hop_recv_key) = hop_recv_key {
+		chachapoly_encrypt_with_swapped_aad(payload_data, encrypted_tlvs_rho, hop_recv_key)
+	} else {
+		let mut chacha = ChaCha20Poly1305RFC::new(&encrypted_tlvs_rho, &[0; 12], &[]);
+		let mut tag = [0; 16];
+		chacha.encrypt_full_message_in_place(&mut payload_data, &mut tag);
+		payload_data.extend_from_slice(&tag);
+		payload_data
+	}
 }
 
 /// A data structure used exclusively to pad blinded path payloads, ensuring they are of