convert to fat errors

lightningnetwork · Nov 10, 2022 · c342f47 · c342f47
1 parent b62f49f
commit c342f47
Showing 1 changed file with 192 additions and 28 deletions.
diff --git a/crypto.go b/crypto.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"crypto/hmac"
 	"crypto/sha256"
-	"errors"
 	"fmt"
 
 	"github.com/aead/chacha20"
@@ -249,10 +248,11 @@ const onionErrorLength = 2 + 2 + 256 + sha256.Size
 func (o *OnionErrorDecrypter) DecryptError(encryptedData []byte) (
 	*DecryptedError, error) {
 
-	// Ensure the error message length is as expected.
-	if len(encryptedData) != onionErrorLength {
+	// Ensure the error message length is enough to contain the payloads and
+	// hmacs blocks.
+	if len(encryptedData) < hmacsAndPayloadsLen {
 		return nil, fmt.Errorf("invalid error length: "+
-			"expected %v got %v", onionErrorLength,
+			"expected at least %v got %v", hmacsAndPayloadsLen,
 			len(encryptedData))
 	}
 
@@ -292,30 +292,40 @@ func (o *OnionErrorDecrypter) DecryptError(encryptedData []byte) (
 		// encryption from the encrypted error payload.
 		encryptedData = onionEncrypt(&sharedSecret, encryptedData)
 
-		// Next, we'll need to separate the data, from the MAC itself
-		// so we can reconstruct and verify it.
-		expectedMac := encryptedData[:sha256.Size]
-		data := encryptedData[sha256.Size:]
-
-		// With the data split, we'll now re-generate the MAC using its
-		// specified key.
-		umKey := generateKey("um", &sharedSecret)
-		h := hmac.New(sha256.New, umKey[:])
-		h.Write(data)
-
-		// If the MAC matches up, then we've found the sender of the
-		// error and have also obtained the fully decrypted message.
-		realMac := h.Sum(nil)
-		if hmac.Equal(realMac, expectedMac) && sender == 0 {
+		message, payloads, hmacs := getMsgComponents(encryptedData)
+
+		final := payloads[0] == payloadFinal
+		// TODO: Extract hold time from payload.
+
+		expectedHmac := calculateHmac(sharedSecret, i, message, payloads, hmacs)
+		actualHmac := hmacs[i*sha256.Size : (i+1)*sha256.Size]
+
+		// If the hmac does not match up, exit with a nil message.
+		if !bytes.Equal(actualHmac, expectedHmac[:]) && sender == 0 {
 			sender = i + 1
-			msg = data
+			msg = nil
 		}
+
+		// If we are at the node that is the source of the error, we can now
+		// save the message in our return variable.
+		if final && sender == 0 {
+			sender = i + 1
+			msg = message
+		}
+
+		// Shift payloads and hmacs to the left to prepare for the next
+		// iteration.
+		shiftPayloadsLeft(payloads)
+		shiftHmacsLeft(hmacs)
 	}
 
-	// If the sender index is still zero, then we haven't found the sender,
-	// meaning we've failed to decrypt.
+	// If the sender index is still zero, all hmacs checked out but none of the
+	// payloads was a final payload. In this case we must be dealing with a max
+	// length route and a final hop that returned an intermediate payload. Blame
+	// the final hop.
 	if sender == 0 {
-		return nil, errors.New("unable to retrieve onion failure")
+		sender = NumMaxHops
+		msg = nil
 	}
 
 	return &DecryptedError{
@@ -325,6 +335,132 @@ func (o *OnionErrorDecrypter) DecryptError(encryptedData []byte) (
 	}, nil
 }
 
+const (
+	totalHmacs          = (NumMaxHops * (NumMaxHops + 1)) / 2
+	allHmacsLen         = totalHmacs * sha256.Size
+	hmacsAndPayloadsLen = allHmacsLen + allPayloadsLen
+
+	// payloadLen is the size of the per-node payload. It consists of a 1-byte
+	// payload type and an 8-byte hold time.
+	payloadLen = 1 + 8
+
+	allPayloadsLen = payloadLen * NumMaxHops
+
+	payloadFinal        = 1
+	payloadIntermediate = 0
+)
+
+func shiftHmacsRight(hmacs []byte) {
+	if len(hmacs) != allHmacsLen {
+		panic("invalid hmac block length")
+	}
+
+	srcIdx := totalHmacs - 2
+	destIdx := totalHmacs - 1
+	copyLen := 1
+	for i := 0; i < NumMaxHops-1; i++ {
+		copy(hmacs[destIdx*sha256.Size:], hmacs[srcIdx*sha256.Size:(srcIdx+copyLen)*sha256.Size])
+
+		copyLen++
+
+		srcIdx -= copyLen + 1
+		destIdx -= copyLen
+	}
+}
+
+func shiftHmacsLeft(hmacs []byte) {
+	if len(hmacs) != allHmacsLen {
+		panic("invalid hmac block length")
+	}
+
+	srcIdx := NumMaxHops
+	destIdx := 1
+	copyLen := NumMaxHops - 1
+	for i := 0; i < NumMaxHops-1; i++ {
+		copy(hmacs[destIdx*sha256.Size:], hmacs[srcIdx*sha256.Size:(srcIdx+copyLen)*sha256.Size])
+
+		srcIdx += copyLen
+		destIdx += copyLen + 1
+		copyLen--
+	}
+}
+
+func shiftPayloadsRight(payloads []byte) {
+	if len(payloads) != allPayloadsLen {
+		panic("invalid payload block length")
+	}
+
+	copy(payloads[payloadLen:], payloads)
+}
+
+func shiftPayloadsLeft(payloads []byte) {
+	if len(payloads) != allPayloadsLen {
+		panic("invalid payload block length")
+	}
+
+	copy(payloads, payloads[payloadLen:NumMaxHops*payloadLen])
+}
+
+// getMsgComponents splits a complete failure message into its components
+// without re-allocating memory.
+func getMsgComponents(data []byte) ([]byte, []byte, []byte) {
+	payloads := data[len(data)-hmacsAndPayloadsLen : len(data)-allHmacsLen]
+	hmacs := data[len(data)-allHmacsLen:]
+	message := data[:len(data)-hmacsAndPayloadsLen]
+
+	return message, payloads, hmacs
+}
+
+// calculateHmac calculates an hmac given a shared secret and a presumed
+// position in the path. Position is expressed as the distance to the error
+// source. The error source itself is at position 0.
+func calculateHmac(sharedSecret Hash256, position int,
+	message, payloads, hmacs []byte) []byte {
+
+	var dataToHmac []byte
+
+	// Include payloads including our own.
+	dataToHmac = append(dataToHmac, payloads[:(NumMaxHops-position)*payloadLen]...)
+
+	// Include downstream hmacs.
+	var downstreamHmacsIdx = position + NumMaxHops
+	for j := 0; j < NumMaxHops-position-1; j++ {
+		dataToHmac = append(dataToHmac, hmacs[downstreamHmacsIdx*sha256.Size:(downstreamHmacsIdx+1)*sha256.Size]...)
+
+		downstreamHmacsIdx += NumMaxHops - j - 1
+	}
+
+	// Include message.
+	dataToHmac = append(dataToHmac, message...)
+
+	// Calculate and return hmac.
+	umKey := generateKey("um", &sharedSecret)
+	hash := hmac.New(sha256.New, umKey[:])
+	hash.Write(dataToHmac)
+
+	return hash.Sum(nil)
+}
+
+// calculateHmac calculates an hmac using the shared secret for this
+// OnionErrorEncryptor instance.
+func (o *OnionErrorEncrypter) calculateHmac(position int,
+	message, payloads, hmacs []byte) []byte {
+
+	return calculateHmac(o.sharedSecret, position, message, payloads, hmacs)
+}
+
+// addHmacs updates the failure data with a series of hmacs corresponding to all
+// possible positions in the path for the current node.
+func (o *OnionErrorEncrypter) addHmacs(data []byte) {
+	message, payloads, hmacs := getMsgComponents(data)
+
+	for i := 0; i < NumMaxHops; i++ {
+		hmac := o.calculateHmac(i, message, payloads, hmacs)
+
+		copy(hmacs[i*sha256.Size:], hmac)
+	}
+}
+
 // EncryptError is used to make data obfuscation using the generated shared
 // secret.
 //
@@ -338,12 +474,40 @@ func (o *OnionErrorDecrypter) DecryptError(encryptedData []byte) (
 // failure and its origin.
 func (o *OnionErrorEncrypter) EncryptError(initial bool, data []byte) []byte {
 	if initial {
-		umKey := generateKey("um", &o.sharedSecret)
-		hash := hmac.New(sha256.New, umKey[:])
-		hash.Write(data)
-		h := hash.Sum(nil)
-		data = append(h, data...)
+		data = o.initializePayload(data)
+	} else {
+		o.addIntermediatePayload(data)
 	}
 
+	// Update hmac block.
+	o.addHmacs(data)
+
+	// Obfuscate.
 	return onionEncrypt(&o.sharedSecret, data)
 }
+
+func (o *OnionErrorEncrypter) initializePayload(message []byte) []byte {
+	// Add space for payloads and hmacs.
+	data := make([]byte, len(message)+hmacsAndPayloadsLen)
+	copy(data, message)
+
+	_, payloads, _ := getMsgComponents(data)
+
+	// Signal final hops in the payload.
+	// TODO: Add hold time to payload.
+	payloads[0] = payloadFinal
+
+	return data
+}
+
+func (o *OnionErrorEncrypter) addIntermediatePayload(data []byte) {
+	_, payloads, hmacs := getMsgComponents(data)
+
+	// Shift hmacs and payloads to create space for the payload.
+	shiftPayloadsRight(payloads)
+	shiftHmacsRight(hmacs)
+
+	// Signal intermediate hop in the payload.
+	// TODO: Add hold time to payload.
+	payloads[0] = payloadIntermediate
+}