Add helpers for serializing and deserializing attr data

Implemented methods to wrap attribution data, update the attribution data.

Key Changes:
 - Use 'ammagext' subkey to crypt the attr data.
 - Write method to add HMACs to the attr data.
 - Update attribution data to a given onionreply.
 - Write method to verify attr data to find erring node.
 - Use all these helpers inside unwrap_onionreply().

Author: adi2011

common/sphinx.c

@@ -818,14 +818,15 @@ struct onionreply *create_onionreply(const tal_t *ctx,
 	towire(&reply->contents, payload, tal_count(payload));
 	tal_free(payload);
 
+	reply->attr_data = NULL;
 	return reply;
 }
 
 struct onionreply *wrap_onionreply(const tal_t *ctx,
 				   const struct secret *shared_secret,
 				   const struct onionreply *reply)
 {
-	struct secret key;
+	struct secret key, attr_key;
 	struct onionreply *result = tal(ctx, struct onionreply);
 
 	/* BOLT #4:
@@ -839,9 +840,109 @@ struct onionreply *wrap_onionreply(const tal_t *ctx,
 	subkey_from_hmac("ammag", shared_secret, &key);
 	result->contents = tal_dup_talarr(result, u8, reply->contents);
 	xor_cipher_stream(result->contents, &key, tal_bytelen(result->contents));
+
+	if (reply->attr_data) {
+		result->attr_data = tal(ctx, struct attribution_data);
+		subkey_from_hmac("ammagext", shared_secret, &attr_key);
+		result->attr_data->htlc_hold_time = tal_dup_talarr(result, u8, reply->attr_data->htlc_hold_time);
+		xor_cipher_stream_off(&attr_key, 0, result->attr_data->htlc_hold_time, tal_bytelen(result->attr_data->htlc_hold_time));
+		result->attr_data->truncated_hmac = tal_dup_talarr(result, u8, reply->attr_data->truncated_hmac);
+		xor_cipher_stream_off(&attr_key,
+				      tal_bytelen(result->attr_data->htlc_hold_time),
+				      result->attr_data->truncated_hmac,
+				      tal_bytelen(result->attr_data->truncated_hmac));
+	} else {
+		result->attr_data = NULL;
+	}
+
 	return result;
 }
 
+static void write_downstream_hmacs(struct crypto_auth_hmacsha256_state *state, int pos, u8 *truncated_hmac) {
+	int hmac_idx = MAX_HOPS + MAX_HOPS - pos - 1;
+	for (int i = 0; i < pos; i++) {
+		hmac_update(state, truncated_hmac + (hmac_idx * TRUNC_HMAC_LEN), TRUNC_HMAC_LEN);
+		int block_size = MAX_HOPS - i - 1;
+		hmac_idx += block_size;
+	}
+}
+
+static void add_hmacs_to_attribution_data(struct onionreply *failonion, struct secret *shared_secret) {
+	struct secret um_key;
+	subkey_from_hmac("um", shared_secret, &um_key);
+	for (int i = 0; i < MAX_HOPS; i++) {
+		struct crypto_auth_hmacsha256_state state;
+		struct hmac hmac;
+		int pos = MAX_HOPS - i - 1;
+		hmac_start(&state, um_key.data, sizeof(um_key.data));
+		hmac_update(&state, failonion->contents, tal_bytelen(failonion->contents));
+		hmac_update(&state, failonion->attr_data->htlc_hold_time, (pos + 1) * HOLD_TIME_LEN);
+		write_downstream_hmacs(&state, pos, failonion->attr_data->truncated_hmac);
+		hmac_done(&state, &hmac);
+		memcpy(failonion->attr_data->truncated_hmac + (i * TRUNC_HMAC_LEN), hmac.bytes, TRUNC_HMAC_LEN);
+	}
+
+}
+
+void update_attributable_data(struct onionreply *failonion, u32 hold_times, struct secret *shared_secret) {
+	if (!failonion->attr_data) {
+		failonion->attr_data = tal(failonion, struct attribution_data);
+		failonion->attr_data->htlc_hold_time = tal_arrz(failonion, u8, 80);
+		failonion->attr_data->truncated_hmac = tal_arrz(failonion, u8, 840);
+	} else {
+		/* Right shift */
+		memmove(&failonion->attr_data->htlc_hold_time[HOLD_TIME_LEN], failonion->attr_data->htlc_hold_time, HOLD_TIME_LEN * (MAX_HOPS - 1));
+		int src_index = HMAC_COUNT - 2;
+		int dest_index = HMAC_COUNT - 1;
+		int copy_len = 1;
+
+		for (int i = 0; i < MAX_HOPS - 1; i++) {
+			memmove(&failonion->attr_data->truncated_hmac[dest_index * TRUNC_HMAC_LEN],
+				&failonion->attr_data->truncated_hmac[src_index * TRUNC_HMAC_LEN],
+				copy_len * TRUNC_HMAC_LEN);
+			if (i == MAX_HOPS - 2)
+				break;
+
+			copy_len += 1;
+			src_index -= copy_len + 1;
+			dest_index -= copy_len;
+		}
+	}
+	u8 *hold_times_be = tal_arr(failonion, u8, 0);
+	towire_u32(&hold_times_be, hold_times);
+	memcpy(failonion->attr_data->htlc_hold_time, hold_times_be, HOLD_TIME_LEN);
+	add_hmacs_to_attribution_data(failonion, shared_secret);
+}
+
+static u8 *verify_attr_data(struct onionreply *reply,
+		     int pos,
+		     const struct secret *shared_secret)
+{
+	struct secret um_key;
+	struct hmac hmac;
+	struct crypto_auth_hmacsha256_state state;
+	u8 expected_hmac[4], actual_hmac[4];
+
+	subkey_from_hmac("um", shared_secret, &um_key);
+
+	hmac_start(&state, um_key.data, sizeof(um_key.data));
+	hmac_update(&state, reply->contents, tal_bytelen(reply->contents));
+	hmac_update(&state, reply->attr_data->htlc_hold_time, (pos + 1) * HOLD_TIME_LEN);
+	write_downstream_hmacs(&state, pos, reply->attr_data->truncated_hmac);
+	hmac_done(&state, &hmac);
+	memcpy(expected_hmac, hmac.bytes, TRUNC_HMAC_LEN);
+
+	/* Compare with actual index. */
+	int hmac_idx = MAX_HOPS - pos - 1;
+	memcpy(actual_hmac, reply->attr_data->truncated_hmac + hmac_idx * TRUNC_HMAC_LEN, TRUNC_HMAC_LEN);
+
+	if (memcmp(actual_hmac, expected_hmac, 4) != 0) {
+		return NULL;
+	}
+
+	return tal_dup_arr(reply, u8, reply->attr_data->htlc_hold_time, 4, 0);
+}
+
 u8 *unwrap_onionreply(const tal_t *ctx,
 		      const struct secret *shared_secrets,
 		      const int numhops,
@@ -852,9 +953,9 @@ u8 *unwrap_onionreply(const tal_t *ctx,
 	const u8 *cursor;
 	size_t max;
 	u16 msglen;
-
-	r = new_onionreply(tmpctx, reply->contents);
+	r = new_onionreply(tmpctx, reply->contents, reply->attr_data);
 	*origin_index = -1;
+	int attr_hop_count = numhops > 20 ? 20 : numhops;
 
 	for (int i = 0; i < numhops; i++) {
 		struct secret key;
@@ -871,6 +972,36 @@ u8 *unwrap_onionreply(const tal_t *ctx,
 		cursor = r->contents;
 		max = tal_count(r->contents);
 
+		/* Check attribution error HMACs, If present. */
+		if (r->attr_data) {
+			if (i < attr_hop_count) {
+				int pos = attr_hop_count - i - 1;
+				u8 *hop_time = verify_attr_data(r, pos, &shared_secrets[i]);
+				if (hop_time) {
+					/* Shift Left */
+					memmove(r->attr_data->htlc_hold_time, &r->attr_data->htlc_hold_time[HOLD_TIME_LEN], HOLD_TIME_LEN * (MAX_HOPS - 1));
+
+					int src_index = MAX_HOPS;
+					int dest_index = 1;
+					int copy_len = MAX_HOPS - 1;
+
+					for (int i = 0; i < MAX_HOPS - 1; i++) {
+						memmove(&r->attr_data->truncated_hmac[dest_index * TRUNC_HMAC_LEN],
+							&r->attr_data->truncated_hmac[src_index * TRUNC_HMAC_LEN],
+							copy_len * TRUNC_HMAC_LEN);
+
+						src_index += copy_len;
+						dest_index += copy_len + 1;
+						copy_len -= 1;
+					}
+					// printf("Hop time at position %d: %s \n", i, tal_hexstr(tmpctx, hop_time, 4));
+				} else {
+					/* FIXME: Add logging */
+					// printf("Invalid HMAC at pos: %d", i);
+				}
+			}
+		}
+
 		fromwire_hmac(&cursor, &max, &hmac);
 		/* Too short. */
 		if (!cursor)

common/sphinx.h

@@ -18,6 +18,11 @@ struct node_id;
 #define ROUTING_INFO_SIZE 1300
 #define TOTAL_PACKET_SIZE(payload) (VERSION_SIZE + PUBKEY_SIZE + (payload) + HMAC_SIZE)
 
+#define HOLD_TIME_LEN 4
+#define MAX_HOPS 20
+#define HMAC_COUNT 210
+#define TRUNC_HMAC_LEN 4
+
 struct onionpacket {
 	/* Cleartext information */
 	u8 version;
@@ -241,6 +246,7 @@ struct onionpacket *sphinx_decompress(const tal_t *ctx,
 				      const struct sphinx_compressed_onion *src,
 				      const struct secret *shared_secret);
 
+void update_attributable_data(struct onionreply *failonion, u32 hold_times, struct secret *shared_secret);
 /**
  * Use ECDH to generate a shared secret from a privkey and a pubkey.
  *

common/test/run-blindedpath_onion.c

@@ -76,7 +76,7 @@ void fromwire_sciddir_or_pubkey(const u8 **cursor UNNEEDED, size_t *max UNNEEDED
 				struct sciddir_or_pubkey *sciddpk UNNEEDED)
 { fprintf(stderr, "fromwire_sciddir_or_pubkey called!\n"); abort(); }
 /* Generated stub for new_onionreply */
-struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED, const struct attribution_data *attr_data TAKES UNNEEDED)
 { fprintf(stderr, "new_onionreply called!\n"); abort(); }
 /* Generated stub for pubkey_from_node_id */
 bool pubkey_from_node_id(struct pubkey *key UNNEEDED, const struct node_id *id UNNEEDED)

common/test/run-onion-message-test.c

@@ -31,7 +31,7 @@ bool fromwire_channel_id(const u8 **cursor UNNEEDED, size_t *max UNNEEDED,
 void fromwire_node_id(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, struct node_id *id UNNEEDED)
 { fprintf(stderr, "fromwire_node_id called!\n"); abort(); }
 /* Generated stub for new_onionreply */
-struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED, const struct attribution_data *attr_data TAKES UNNEEDED)
 { fprintf(stderr, "new_onionreply called!\n"); abort(); }
 /* Generated stub for pubkey_from_node_id */
 bool pubkey_from_node_id(struct pubkey *key UNNEEDED, const struct node_id *id UNNEEDED)

common/test/run-onion-test-vector.c

@@ -86,7 +86,7 @@ bool fromwire_tlv(const u8 **cursor UNNEEDED, size_t *max UNNEEDED,
 const char *mvt_tag_str(enum mvt_tag tag UNNEEDED)
 { fprintf(stderr, "mvt_tag_str called!\n"); abort(); }
 /* Generated stub for new_onionreply */
-struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED, const struct attribution_data *attr_data TAKES UNNEEDED)
 { fprintf(stderr, "new_onionreply called!\n"); abort(); }
 /* Generated stub for node_id_from_hexstr */
 bool node_id_from_hexstr(const char *str UNNEEDED, size_t slen UNNEEDED, struct node_id *id UNNEEDED)

common/test/run-route_blinding_onion_test.c

@@ -33,7 +33,7 @@ void fromwire_sciddir_or_pubkey(const u8 **cursor UNNEEDED, size_t *max UNNEEDED
 const char *mvt_tag_str(enum mvt_tag tag UNNEEDED)
 { fprintf(stderr, "mvt_tag_str called!\n"); abort(); }
 /* Generated stub for new_onionreply */
-struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED, const struct attribution_data *attr_data TAKES UNNEEDED)
 { fprintf(stderr, "new_onionreply called!\n"); abort(); }
 /* Generated stub for node_id_from_hexstr */
 bool node_id_from_hexstr(const char *str UNNEEDED, size_t slen UNNEEDED, struct node_id *id UNNEEDED)

common/test/run-sphinx-xor_cipher_stream.c

@@ -98,7 +98,7 @@ void hmac_update(crypto_auth_hmacsha256_state *state UNNEEDED,
 		 const void *src UNNEEDED, size_t slen UNNEEDED)
 { fprintf(stderr, "hmac_update called!\n"); abort(); }
 /* Generated stub for new_onionreply */
-struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED, const struct attribution_data *attr_data TAKES UNNEEDED)
 { fprintf(stderr, "new_onionreply called!\n"); abort(); }
 /* Generated stub for pubkey_from_node_id */
 bool pubkey_from_node_id(struct pubkey *key UNNEEDED, const struct node_id *id UNNEEDED)

plugins/xpay/xpay.c

@@ -580,7 +580,7 @@ static void update_knowledge_from_error(struct command *aux_cmd,
 	if (!tok)
 		plugin_err(aux_cmd->plugin, "Invalid injectpaymentonion result '%.*s'",
 			   json_tok_full_len(error), json_tok_full(buf, error));
-	reply = new_onionreply(tmpctx, take(json_tok_bin_from_hex(NULL, buf, tok)));
+	reply = new_onionreply(tmpctx, take(json_tok_bin_from_hex(NULL, buf, tok)), NULL);
 
 	replymsg = unwrap_onionreply(tmpctx,
 				     attempt->shared_secrets,

wallet/test/run-wallet.c

@@ -1218,6 +1218,9 @@ u8 *unwrap_onionreply(const tal_t *ctx UNNEEDED,
 		      const struct onionreply *reply UNNEEDED,
 		      int *origin_index UNNEEDED)
 { fprintf(stderr, "unwrap_onionreply called!\n"); abort(); }
+/* Generated stub for update_attributable_data */
+void update_attributable_data(struct onionreply *failonion UNNEEDED, u32 hold_times UNNEEDED, struct secret *shared_secret UNNEEDED)
+{ fprintf(stderr, "update_attributable_data called!\n"); abort(); }
 /* Generated stub for watch_opening_inflight */
 void watch_opening_inflight(struct lightningd *ld UNNEEDED,
 			    struct channel_inflight *inflight UNNEEDED)
@@ -2229,7 +2232,7 @@ static bool test_htlc_crud(struct lightningd *ld, const tal_t *ctx)
 	CHECK_MSG(
 		transaction_wrap(w->db, wallet_htlc_update(w, in.dbid, SENT_REMOVE_HTLC, &payment_key, 0, 0, NULL, NULL, &we_filled, in.key.id, in.key.channel, REMOTE, &in.payment_hash, in.cltv_expiry, in.msat)),
 	    "Update HTLC with payment_key failed");
-	onionreply = new_onionreply(tmpctx, tal_arrz(tmpctx, u8, 100));
+	onionreply = new_onionreply(tmpctx, tal_arrz(tmpctx, u8, 100), NULL);
 	CHECK_MSG(
 		transaction_wrap(w->db, wallet_htlc_update(w, in.dbid, SENT_REMOVE_HTLC, NULL, 0, 0, onionreply, NULL, &we_filled, in.key.id, in.key.channel, REMOTE, &in.payment_hash, in.cltv_expiry, in.msat)),
 	    "Update HTLC with failonion failed");

wire/test/run-peer-wire.c

@@ -202,6 +202,8 @@ struct msg_update_fail_htlc {
 	struct channel_id channel_id;
 	u64 id;
 	u8 *reason;
+
+	struct tlv_update_fail_htlc_tlvs *tlvs;
 };
 struct msg_channel_announcement {
 	secp256k1_ecdsa_signature node_signature_1;
@@ -488,7 +490,8 @@ static void *towire_struct_update_fail_htlc(const tal_t *ctx,
 	return towire_update_fail_htlc(ctx,
 				       &s->channel_id,
 				       s->id,
-				       s->reason);
+				       s->reason,
+				       s->tlvs);
 }
 
 static struct msg_update_fail_htlc *fromwire_struct_update_fail_htlc(const tal_t *ctx, const void *p)
@@ -498,7 +501,8 @@ static struct msg_update_fail_htlc *fromwire_struct_update_fail_htlc(const tal_t
 	if (!fromwire_update_fail_htlc(ctx, p,
 				      &s->channel_id,
 				      &s->id,
-				      &s->reason))
+				      &s->reason,
+				      &s->tlvs))
 		return tal_free(s);
 	return s;
 
@@ -784,12 +788,19 @@ static bool announcement_signatures_eq(const struct msg_announcement_signatures
 	return eq_upto(a, b, short_channel_id) &&
 		short_channel_id_eq(a->short_channel_id, b->short_channel_id);
 }
+static bool tlv_update_fail_htlc_eq(const struct tlv_update_fail_htlc_tlvs_attribution_data *a,
+				    const struct tlv_update_fail_htlc_tlvs_attribution_data *b)
+{
+	return eq_field(a, b, htlc_hold_times)
+		&& eq_field(a, b, truncated_hmacs);
+}
 
 static bool update_fail_htlc_eq(const struct msg_update_fail_htlc *a,
 				const struct msg_update_fail_htlc *b)
 {
 	return eq_with(a, b, id)
-		&& eq_var(a, b, reason);
+		&& eq_var(a, b, reason)
+		&& eq_tlv(a, b, attribution_data, tlv_update_fail_htlc_eq);
 }
 
 static bool tlv_splice_info_eq(const struct tlv_commitment_signed_tlvs_splice_info *a,
@@ -1015,12 +1026,15 @@ int main(int argc, char *argv[])
 
 	memset(&ufh, 2, sizeof(ufh));
  	ufh.reason = tal_arr(ctx, u8, 2);
- 	memset(ufh.reason, 2, 2);
+	ufh.tlvs = tlv_update_fail_htlc_tlvs_new(tmpctx);
+	ufh.tlvs->attribution_data = tal(ctx, struct tlv_update_fail_htlc_tlvs_attribution_data);
+	memset(ufh.tlvs->attribution_data, 3, sizeof(struct tlv_update_fail_htlc_tlvs_attribution_data));
+	memset(ufh.reason, 2, 2);
 
 	msg = towire_struct_update_fail_htlc(ctx, &ufh);
 	ufh2 = fromwire_struct_update_fail_htlc(ctx, msg);
 	assert(update_fail_htlc_eq(&ufh, ufh2));
-	test_corruption(&ufh, ufh2, update_fail_htlc);
+	test_corruption_tlv(&ufh, ufh2, update_fail_htlc);
 
 	memset(&cs, 2, sizeof(cs));
 	cs.htlc_signature = tal_arr(ctx, secp256k1_ecdsa_signature, 2);