Decrypt Trampoline error onions #3657
Conversation
|
👋 Thanks for assigning @joostjager as a reviewer! |
|
👋 The first review has been submitted! Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer. |
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
from
dd8098b to
af31dd1
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3657 +/- ##
==========================================
+ Coverage 89.24% 89.25% +0.01%
==========================================
Files 155 155
Lines 119280 119584 +304
Branches 119280 119584 +304
==========================================
+ Hits 106446 106735 +289
- Misses 10240 10247 +7
- Partials 2594 2602 +8 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
2 times, most recently
from
9caa2b6 to
a2dc11f
Compare
lightning/src/ln/onion_utils.rs
Outdated
| // Handle packed channel/node updates for passing back for the route handler | ||
| let callback = |shared_secret, _, _, route_hop_opt: Option<&RouteHop>, route_hop_idx| { | ||
| for (route_hop_idx, (route_hop_option, shared_secret)) in onion_keys.into_iter().enumerate() { |
There was a problem hiding this comment.
I like this refactoring. And I am also wondering if you can take it another step further by extracting this main for loop into a function that returns the FailureLearnings. To avoid this modification of variables outside of the loop.
There was a problem hiding this comment.
definitely doable, but I first wanna make sure the approach is sound
There was a problem hiding this comment.
Overall clean approach where indeed failure message processing isn't touched all that much. Perhaps add some more comments explaining the code, especially for devs who do not fully understand trampoline, and isolate a bit more refactor into separate commits.
One question that I haven't fully answered is how this intersects with attributable failures. That pertains mainly to the spec level of course.
lightning/src/ln/onion_utils.rs
Outdated
| if res.is_some() { | ||
| return; | ||
| break; |
There was a problem hiding this comment.
res.is_some is never going to happen now with the breaks?
There was a problem hiding this comment.
turns out it actually was, but I made it a bit more obvious
There was a problem hiding this comment.
I do think all of these breaks would be avoidable with a simple return statement though once the loop is in its own function
There was a problem hiding this comment.
yes, that would also help with accidentally missing a break in some future change
| cltv_expiry_delta: 36, | ||
| } | ||
| ], | ||
| hops: vec
|
It might be nice to link to a tracking issue that links all trampoline work together? |
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
from
a2dc11f to
e7d5c53
Compare
lightning/src/ln/onion_utils.rs
Outdated
| @@ -943,6 +943,7 @@ fn decrypt_onion_error_packet(packet: &mut Vec<u8>, shared_secret: SharedSecret) | |||
| #[inline] | |||
| pub(super) fn process_onion_failure<T: secp256k1::Signing, L: Deref>( | |||
| secp_ctx: &Secp256k1<T>, logger: &L, htlc_source: &HTLCSource, mut encrypted_packet: Vec<u8>, | |||
| secondary_session_priv: Option<SecretKey>, | |||
There was a problem hiding this comment.
If it is just for testing, it shouldn't be on the public interface?
There was a problem hiding this comment.
perhaps an internal façade would do the trick?
There was a problem hiding this comment.
ah, actually, the interface isn't public, it's just visible to the crate
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
2 times, most recently
from
d3cef50 to
3e45cb2
Compare
In an upcoming commit, we will need to decrypt error onions constructed from multiple session_privs. In order to simplify the code legibility, we move from a single-iteration model to one where we first aggregate the shared secrets, and then use them for the error decryption.
We currently check whether our hop is the last in the path by accessing the hops vector by the next index. However, once we start handling Trampoline hops that will become inadequate. Instead, we switch it to check whether there is a subsequent element in the iterator.
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
from
3e45cb2 to
36f8514
Compare
When we start handling Trampoline, the hops in our error decryption path could be either `RouteHop`s or `TrampolineHop`s. To avoid excessive code duplication, we introduce an enum with some methods for common accessors.
We don't need to recalculate the blinded hop count on each iteration, and clarify the meaning of `is_from_final_hop` to mean that it refers to all non-blinded hops, including Trampoline.
Rather than solely iterating over `RouteHop`s, we now also append the shared secrets from the inner onion containing `TrampolineHop`s.
Create unit tests covering the hybrid outer and inner onion shared secrets, as well as the Trampoline error test vectors. Additionally, we allow the `outer_session_priv` to be overridden to accommodate the test vector requirements.
arik-so
force-pushed
the
arik/trampoline/error-decryption
branch
from
36f8514 to
83e58e9
Compare
| if res.is_some() { | ||
| return; | ||
| } | ||
| let mut onion_keys = Vec::with_capacity(path.hops.len()); |
There was a problem hiding this comment.
Shouldn't the length of the blinded tail be added here too?
There was a problem hiding this comment.
when I move out the blinded_hop_count to optimize the initial vector capacity allocation, the pre-Trampoline optimization commit becomes just the is_final_hop rename, which I think should just be squashed into the subsequent commit that sees the introduction of Trampoline nodes
| onion_keys.push((route_hop_option.cloned(), shared_secret)) | ||
| }, | ||
| ) | ||
| .expect("Route we used spontaneously grew invalid keys in the middle of it?"); |
There was a problem hiding this comment.
I suppose it doesn't matter what text is in here, but isn't this an implementation detail that the caller can't really know?
There was a problem hiding this comment.
it is. Really it is for us, I think, because this should never be getting hit
lightning/src/ln/onion_utils.rs
Outdated
| @@ -1008,13 +1009,13 @@ where | |||
| // from the current hop (i.e., the next hop's inbound channel). | |||
| let num_blinded_hops = path.blinded_tail.as_ref().map_or(0, |bt| bt.hops.len()); | |||
| // For 1-hop blinded paths, the final `path.hops` entry is the recipient. | |||
| is_from_final_node = route_hop_idx + 1 == path.hops.len() && num_blinded_hops <= 1; | |||
| is_from_final_node = iterator.peek().is_none() && num_blinded_hops <= 1; | |||
There was a problem hiding this comment.
iterator.peek().is_none() - is this really the same as route_hop_idx + 1 == path.hops.len(), because the latter doesn't include the blinded tail?
There was a problem hiding this comment.
it is only the same when num_blinded_hops <= 1, but because that's also a condition, the end result is equivalent
| match path.hops.get(route_hop_idx + 1) { | ||
| Some(hop) => hop, | ||
| None => { | ||
| match iterator.peek() { |
There was a problem hiding this comment.
Store peek in a variable instead of peeking twice (here and above)?
If you're touching this code anyway, it might benefit from a comment explaining why we are now getting the next hop.
| path.blinded_tail.as_ref(), | ||
| session_priv, | ||
| blinded_tail, | ||
| outer_session_priv.as_ref().unwrap_or(session_priv), |
There was a problem hiding this comment.
Maybe something can be gained just with naming. By always have an outer_session_priv and optionally also an inner_session_priv?
| |shared_secret, _, _, route_hop_option: Option<&RouteHop>, _| { | ||
| onion_keys.push((route_hop_option.map(|rh| ErrorHop::RouteHop(rh)), shared_secret)) | ||
| }, | ||
| ) | ||
| .expect("Route we used spontaneously grew invalid keys in the middle of it?"); | ||
|
|
||
| if path.has_trampoline_hops() { |
There was a problem hiding this comment.
Maybe this method can become get_trampoline_hops returning an option, and then only calling it once at the top and reusing the result? That would avoid &path.blinded_tail.as_ref().unwrap().trampoline_hops below.
There was a problem hiding this comment.
if we have a blinded tail, the number of Trampoline hops within it could still be 0. Should this method then return None, or Some with an empty array?
There was a problem hiding this comment.
Ah okay, there are two cases. Yes, this is just a thought. If you think it doesn't really solve anything in terms or readability, just ignore.
| let session_priv_hash = Sha256::hash(&session_priv.secret_bytes()).to_byte_array(); | ||
| SecretKey::from_slice(&session_priv_hash[..]).expect("You broke SHA-256!") | ||
| secondary_session_priv.unwrap_or_else(|| { | ||
| let session_priv_hash = Sha256::hash(&session_priv.secret_bytes()).to_byte_array(); |
There was a problem hiding this comment.
Perhaps an alternative is to now move the hashing to the caller, so that this function just always gets a secondary key (not just for testing)?
There was a problem hiding this comment.
hm, I think it's better for the hashing to happen inside the method so the caller needs not be aware of the process, and I can see if I can hide the secondary_session_priv behind a test cfg.
| payment_id: PaymentId([1; 32]), | ||
| }; | ||
|
|
||
| { |
There was a problem hiding this comment.
A comment per test case would be nice here. Reorg worked out well.
lightning/src/ln/onion_utils.rs
Outdated
| if res.is_some() { | ||
| return; | ||
| break; |
There was a problem hiding this comment.
yes, that would also help with accidentally missing a break in some future change
| cltv_expiry_delta: 36, | ||
| } | ||
| ], | ||
| hops: vec
No description provided.