Use invalid_onion_blinding everywhere

Allowing any node inside the blinded route to return helpful errors to the sender creates a probing attack vector for malicious senders, even for errors coming from the final recipient, because it lets the sender know that it was able to reach the recipient. We now require every node in blinded paths to exclusively use `invalid_onion_blinding`, and also convert downstream errors to `invalid_onion_blinding` to ensure that buggy/malicious downstream nodes are unable to exfiltrate data.
lightning · Jan 9, 2023 · cb12600 · cb12600
1 parent 0ef5347
commit cb12600
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 20 deletions.
diff --git a/02-peer-protocol.md b/02-peer-protocol.md
@@ -1157,7 +1157,13 @@ A receiving node:
   - if the `sha256_of_onion` in `update_fail_malformed_htlc` doesn't match the
   onion it sent:
     - MAY retry or choose an alternate error response.
-  - otherwise, a receiving node which has an outgoing HTLC canceled by `update_fail_malformed_htlc`:
+  - a receiving node which has an outgoing HTLC canceled by `update_fail_htlc`:
+    - if `current_blinding_point` is set in the onion payload of the corresponding incoming HTLC:
+      - MUST return an `update_fail_malformed_htlc` error using the
+        `invalid_onion_blinding` failure code, with the `sha256_of_onion`
+        of the onion it received.
+      - SHOULD add a random delay before sending `update_fail_malformed_htlc`.
+  - a receiving node which has an outgoing HTLC canceled by `update_fail_malformed_htlc`:
     - if it is part of a blinded route:
       - MUST return an `update_fail_malformed_htlc` error using the
         `invalid_onion_blinding` failure code, with the `sha256_of_onion`
@@ -1187,10 +1193,8 @@ errors. However, without re-checking the actual encrypted packet sent,
 it won't know whether the error was its own or the remote's; so
 such detection is left as an option.
 
-Intermediate nodes inside a blinded route must use `update_fail_malformed_htlc`
-to avoid leaking information to senders trying to probe the blinded route. The
-final recipient however may use `update_fail_htlc` to help senders retry failed
-payments.
+Nodes inside a blinded route must use `update_fail_malformed_htlc` to avoid
+leaking information to senders trying to probe the blinded route.
 
 ### Committing Updates So Far: `commitment_signed`
 

diff --git a/04-onion-routing.md b/04-onion-routing.md
@@ -591,11 +591,6 @@ set `payment_constraints.max_cltv_expiry` to restrict the lifetime of a blinded
 route and reduce the risk that an intermediate node updates its fees and rejects
 payments (which could be used to unblind nodes inside the route).
 
-When route blinding is used for payments, intermediate nodes inside the blinded
-route must not return standard onion errors, because they would provide
-information to the sender that could help them unblind the identity of the
-blinded nodes.
-
 # Accepting and Forwarding a Payment
 
 Once a node has decoded the payload it either accepts the payment locally, or forwards it to the peer indicated as the next hop in the payload.
@@ -1042,10 +1037,9 @@ channel.
 
 Error handling for HTLCs with `blinding_point` is particularly fraught,
 since differences in implementations (or versions) may be leveraged to
-de-anonymize elements of the blinded path. Thus the decision to allow
-only errors from the final node to propagate, and turn every other error
-into `invalid_onion_blinding` which will be converted to a normal onion
-error by the introduction point.
+de-anonymize elements of the blinded path. Thus the decision turn every
+error into `invalid_onion_blinding` which will be converted to a normal
+onion error by the introduction point.
 
 ### Requirements
 
@@ -1055,12 +1049,7 @@ The _erring node_:
     256. Deviating from this may cause older nodes to be unable to parse the
     return message.
   - If `blinding_point` is set in the incoming `update_add_htlc`:
-    - if it is not the final node (including if the `onion_routing_packet` is malformed):
-	    - SHOULD forward normal downstream `update_fail_htlc` errors (which the final node may send).
-      - MUST return `invalid_onion_blinding` for any local error or other downstream errors.
-    - otherwise (it is the final node):
-      - MAY return normal errors that help senders retry the payment (e.g. `mpp_timeout`).
-      - SHOULD return `invalid_onion_blinding` for all other errors.
+    - MUST return `invalid_onion_blinding` for any local error or other downstream errors.
 
 The _origin node_:
   - once the return message has been decrypted: