Add support for trampoline failure encryption

When returning trampoline failures for the payer (the creator of the
trampoline onion), they must be encrypted using the sphinx shared
secret of the trampoline onion.

When relaying a trampoline payment, we re-wrap the (peeled) trampoline
onion inside a payment onion: if we receive a failure for the outgoing
payment, it can be either coming from before the next trampoline node
or after them. If it's coming from before, we can decrypt that error
using the shared secrets we created for the payment onion: depending
on the error, we can then return our own error to the payer. If it's
coming from after the next trampoline onion, it will be encrypted for
the payer, so we cannot decrypt it. We must peel the shared secrets of
our payment onion, and then re-encrypted with the shared secret of the
incoming trampoline onion. This way only the payer will be able to
decrypt the failure, which is relayed back through each intermediate
trampoline node.

Author: t-bast

eclair-core/src/main/scala/fr/acinq/eclair/payment/Monitoring.scala

@@ -130,6 +130,7 @@ object Monitoring {
       def apply(cmdFail: CMD_FAIL_HTLC): String = cmdFail.reason match {
         case _: FailureReason.EncryptedDownstreamFailure => Remote
         case FailureReason.LocalFailure(f) => f.getClass.getSimpleName
+        case FailureReason.LocalTrampolineFailure(f) => f.getClass.getSimpleName
       }
 
       def apply(pf: PaymentFailure): String = pf match {

eclair-core/src/main/scala/fr/acinq/eclair/payment/PaymentPacket.scala

@@ -18,7 +18,7 @@ package fr.acinq.eclair.payment
 
 import fr.acinq.bitcoin.scalacompat.ByteVector32
 import fr.acinq.bitcoin.scalacompat.Crypto.{PrivateKey, PublicKey}
-import fr.acinq.eclair.channel.{CMD_ADD_HTLC, CMD_FAIL_HTLC, CMD_FULFILL_HTLC, CannotExtractSharedSecret, Origin}
+import fr.acinq.eclair.channel._
 import fr.acinq.eclair.crypto.Sphinx
 import fr.acinq.eclair.payment.send.Recipient
 import fr.acinq.eclair.router.Router.Route
@@ -378,30 +378,81 @@ object OutgoingPaymentPacket {
     }
   }
 
-  private def buildHtlcFailure(nodeSecret: PrivateKey, useAttributableFailures: Boolean, reason: FailureReason, add: UpdateAddHtlc, holdTime: FiniteDuration): Either[CannotExtractSharedSecret, (ByteVector, TlvStream[UpdateFailHtlcTlv])] = {
-    extractSharedSecret(nodeSecret, add).map(sharedSecret => {
-      val (packet, attribution) = reason match {
-        case FailureReason.EncryptedDownstreamFailure(packet, attribution) => (packet, attribution)
-        case FailureReason.LocalFailure(failure) => (Sphinx.FailurePacket.create(sharedSecret, failure), None)
+  private def buildHtlcFailure(nodeSecret: PrivateKey, reason: FailureReason, add: UpdateAddHtlc, holdTime: FiniteDuration): Either[CannotExtractSharedSecret, (ByteVector, Option[ByteVector])] = {
+    extractSharedSecret(nodeSecret, add).map(ss => {
+      reason match {
+        case FailureReason.EncryptedDownstreamFailure(packet, previousAttribution_opt) =>
+          ss.trampolineOnionSecret_opt match {
+            case Some(trampolineOnionSecret) if !ss.blinded =>
+              // If we are unable to decrypt the downstream failure and the payment is using trampoline, the failure is
+              // intended for the payer. We encrypt it with the trampoline secret first and then the outer secret.
+              val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
+              val attributionInner = Sphinx.Attribution.create(previousAttribution_opt, Some(packet), holdTime, trampolineOnionSecret)
+              val attributionOuter = Sphinx.Attribution.create(Some(attributionInner), Some(trampolinePacket), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), Some(attributionOuter))
+            case Some(trampolineOnionSecret) =>
+              // When we're inside a blinded path, we don't report our attribution data.
+              val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), None)
+            case None =>
+              val attribution = Sphinx.Attribution.create(previousAttribution_opt, Some(packet), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), Some(attribution))
+          }
+        case FailureReason.LocalFailure(failure) =>
+          // This isn't a trampoline failure, so we only encrypt it for the node who created the outer onion.
+          val packet = Sphinx.FailurePacket.create(ss.outerOnionSecret, failure)
+          val attribution = Sphinx.Attribution.create(previousAttribution_opt = None, Some(packet), holdTime, ss.outerOnionSecret)
+          (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), Some(attribution))
+        case FailureReason.LocalTrampolineFailure(failure) =>
+          // This is a trampoline failure: we try to encrypt it to the node who created the trampoline onion.
+          ss.trampolineOnionSecret_opt match {
+            case Some(trampolineOnionSecret) if !ss.blinded =>
+              val packet = Sphinx.FailurePacket.create(trampolineOnionSecret, failure)
+              val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
+              val attributionInner = Sphinx.Attribution.create(previousAttribution_opt = None, Some(packet), holdTime, trampolineOnionSecret)
+              val attributionOuter = Sphinx.Attribution.create(Some(attributionInner), Some(trampolinePacket), holdTime, ss.outerOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), Some(attributionOuter))
+            case Some(trampolineOnionSecret) =>
+              val packet = Sphinx.FailurePacket.create(trampolineOnionSecret, failure)
+              val trampolinePacket = Sphinx.FailurePacket.wrap(packet, trampolineOnionSecret)
+              (Sphinx.FailurePacket.wrap(trampolinePacket, ss.outerOnionSecret), None)
+            case None =>
+              // This shouldn't happen, we only generate trampoline failures when there was a trampoline onion.
+              val packet = Sphinx.FailurePacket.create(ss.outerOnionSecret, failure)
+              (Sphinx.FailurePacket.wrap(packet, ss.outerOnionSecret), None)
+          }
       }
-      val tlvs: TlvStream[UpdateFailHtlcTlv] = if (useAttributableFailures) {
-        TlvStream(UpdateFailHtlcTlv.AttributionData(Sphinx.Attribution.create(attribution, Some(packet), holdTime, sharedSecret)))
-      } else {
-        TlvStream.empty
-      }
-      (Sphinx.FailurePacket.wrap(packet, sharedSecret), tlvs)
     })
   }
 
+  private case class HtlcSharedSecrets(outerOnionSecret: ByteVector32, trampolineOnionSecret_opt: Option[ByteVector32], blinded: Boolean)
+
   /**
    * We decrypt the onion again to extract the shared secret used to encrypt onion failures.
    * We could avoid this by storing the shared secret after the initial onion decryption, but we would have to store it
    * in the database since we must be able to fail HTLCs after restarting our node.
    * It's simpler to extract it again from the encrypted onion.
    */
-  private def extractSharedSecret(nodeSecret: PrivateKey, add: UpdateAddHtlc): Either[CannotExtractSharedSecret, ByteVector32] = {
+  private def extractSharedSecret(nodeSecret: PrivateKey, add: UpdateAddHtlc): Either[CannotExtractSharedSecret, HtlcSharedSecrets] = {
     Sphinx.peel(nodeSecret, Some(add.paymentHash), add.onionRoutingPacket) match {
-      case Right(Sphinx.DecryptedPacket(_, _, sharedSecret)) => Right(sharedSecret)
+      case Right(Sphinx.DecryptedPacket(payload, _, outerOnionSecret)) =>
+        // Let's look at the onion payload to see if it contains a trampoline onion.
+        PaymentOnionCodecs.perHopPayloadCodec.decode(payload.bits) match {
+          case Attempt.Successful(DecodeResult(perHopPayload, _)) =>
+            // We try to extract the trampoline shared secret, if we can find one.
+            val trampolineOnionSecret_opt = perHopPayload.get[OnionPaymentPayloadTlv.TrampolineOnion].map(_.packet).flatMap(trampolinePacket => {
+              val trampolinePathKey_opt = perHopPayload.get[OnionPaymentPayloadTlv.PathKey].map(_.publicKey)
+              val trampolineOnionDecryptionKey = trampolinePathKey_opt.map(pathKey => Sphinx.RouteBlinding.derivePrivateKey(nodeSecret, pathKey)).getOrElse(nodeSecret)
+              Sphinx.peel(trampolineOnionDecryptionKey, Some(add.paymentHash), trampolinePacket).toOption.map(_.sharedSecret)
+            })
+            // We check if we are an intermediate node in a blinded (potentially trampoline) path.
+            val blinded = trampolineOnionSecret_opt match {
+              case Some(_) => perHopPayload.get[OnionPaymentPayloadTlv.PathKey].nonEmpty
+              case None => add.pathKey_opt.nonEmpty
+            }
+            Right(HtlcSharedSecrets(outerOnionSecret, trampolineOnionSecret_opt, blinded))
+          case Attempt.Failure(_) => Right(HtlcSharedSecrets(outerOnionSecret, None, blinded = false))
+        }
       case Left(_) => Left(CannotExtractSharedSecret(add.channelId, add))
     }
   }
@@ -415,24 +466,33 @@ object OutgoingPaymentPacket {
       case None =>
         // If the htlcReceivedAt was lost (because the node restarted), we use a hold time of 0 which should be ignored by the payer.
         val holdTime = cmd.htlcReceivedAt_opt.map(now - _).getOrElse(0 millisecond)
-        buildHtlcFailure(nodeSecret, useAttributableFailures, cmd.reason, add, holdTime).map {
-          case (encryptedReason, tlvs) => UpdateFailHtlc(add.channelId, cmd.id, encryptedReason, tlvs)
+        buildHtlcFailure(nodeSecret, cmd.reason, add, holdTime).map {
+          case (encryptedReason, attributionData_opt) =>
+            val tlvs: Set[UpdateFailHtlcTlv] = Set(
+              if (useAttributableFailures) attributionData_opt.map(UpdateFailHtlcTlv.AttributionData(_)) else None
+            ).flatten
+            UpdateFailHtlc(add.channelId, cmd.id, encryptedReason, TlvStream(tlvs))
         }
     }
   }
 
   def buildHtlcFulfill(nodeSecret: PrivateKey, useAttributionData: Boolean, cmd: CMD_FULFILL_HTLC, add: UpdateAddHtlc, now: TimestampMilli = TimestampMilli.now()): UpdateFulfillHtlc = {
     // If we are part of a blinded route, we must not populate attribution data.
-    val tlvs: TlvStream[UpdateFulfillHtlcTlv] = if (useAttributionData && add.pathKey_opt.isEmpty) {
-      extractSharedSecret(nodeSecret, add) match {
-        case Left(_) => TlvStream.empty
-        case Right(sharedSecret) =>
-          val holdTime = cmd.htlcReceivedAt_opt.map(now - _).getOrElse(0 millisecond)
-          TlvStream(UpdateFulfillHtlcTlv.AttributionData(Sphinx.Attribution.create(cmd.downstreamAttribution_opt, None, holdTime, sharedSecret)))
-      }
-    } else {
-      TlvStream.empty
+    val attributionData_opt = add.pathKey_opt match {
+      case None if useAttributionData =>
+        extractSharedSecret(nodeSecret, add) match {
+          case Right(sharedSecret) =>
+            // Note that we use the outer shared secret: we report our hold time to the previous trampoline node, not
+            // necessarily to the payer.
+            val holdTime = cmd.htlcReceivedAt_opt.map(now - _).getOrElse(0 millisecond)
+            Some(Sphinx.Attribution.create(cmd.downstreamAttribution_opt, None, holdTime, sharedSecret.outerOnionSecret))
+          case Left(_) => None
+        }
+      case _ => None
     }
-    UpdateFulfillHtlc(add.channelId, cmd.id, cmd.r, tlvs)
+    val tlvs: Set[UpdateFulfillHtlcTlv] = Set(
+      attributionData_opt.map(UpdateFulfillHtlcTlv.AttributionData(_))
+    ).flatten
+    UpdateFulfillHtlc(add.channelId, cmd.id, cmd.r, TlvStream(tlvs))
   }
 }

eclair-core/src/main/scala/fr/acinq/eclair/payment/receive/MultiPartHandler.scala

@@ -461,7 +461,12 @@ object MultiPartHandler {
 
   private def validateStandardPayment(nodeParams: NodeParams, add: UpdateAddHtlc, payload: FinalPayload.Standard, record: IncomingStandardPayment, receivedAt: TimestampMilli)(implicit log: LoggingAdapter): Option[CMD_FAIL_HTLC] = {
     // We send the same error regardless of the failure to avoid probing attacks.
-    val cmdFail = CMD_FAIL_HTLC(add.id, FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight)), Some(receivedAt), commit = true)
+    val failure = if (payload.isTrampoline) {
+      FailureReason.LocalTrampolineFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight))
+    } else {
+      FailureReason.LocalFailure(IncorrectOrUnknownPaymentDetails(payload.totalAmount, nodeParams.currentBlockHeight))
+    }
+    val cmdFail = CMD_FAIL_HTLC(add.id, failure, Some(receivedAt), commit = true)
     val commonOk = validateCommon(nodeParams, add, payload, record)
     val secretOk = validatePaymentSecret(add, payload, record.invoice)
     if (commonOk && secretOk) None else Some(cmdFail)