f Use unique keys for deriving inbound payment secrets

valentinewallace · valentinewallace · commit 2c7716604b86 · 2021-11-19T17:16:16.000-05:00
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -640,6 +640,8 @@ pub struct ChannelManager<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref,
 	our_network_key: SecretKey,
 	our_network_pubkey: PublicKey,
 
+	inbound_payments_key: SecretKey,
+
 	/// Used to track the last value sent in a node_announcement "timestamp" field. We ensure this
 	/// value increases strictly since we don't assume access to a time source.
 	last_node_announcement_serial: AtomicUsize,
@@ -1340,6 +1342,8 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			our_network_pubkey: PublicKey::from_secret_key(&secp_ctx, &keys_manager.get_node_secret()),
 			secp_ctx,
 
+			inbound_payments_key: SecretKey::from_slice(&keys_manager.get_secure_random_bytes()).expect("broken RNG"),
+
 			last_node_announcement_serial: AtomicUsize::new(0),
 			highest_seen_timestamp: AtomicUsize::new(0),
 
@@ -2590,7 +2594,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 	// Check that an inbound payment's `payment_data` field is sane.
 	fn verify_inbound_payment_data(&self, payment_hash: PaymentHash, payment_data: msgs::FinalOnionHopData) -> Result<Option<PaymentPreimage>, ()> {
 		let (iv_bytes, encrypted_metadata_bytes) = payment_data.payment_secret.0.split_at(16);
-		let mut chacha = ChaCha20::new(&self.our_network_key[..], &iv_bytes[..12]);
+		let mut chacha = ChaCha20::new(&self.inbound_payments_key[..], &iv_bytes[..12]);
 		let mut chacha_bytes = [0; 16];
 		chacha.process_in_place(&mut chacha_bytes);
 
@@ -2606,9 +2610,10 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		}
 
 		let is_user_payment_hash = metadata_bytes[0] & 1 << 7 != 0;
+		let (user_pmt_hash_key, ldk_pmt_hash_key) = hkdf_extract_expand(&vec![0], &self.inbound_payments_key[..]);
 		let mut payment_preimage = None;
 		if is_user_payment_hash {
-			let mut hmac = HmacEngine::<Sha256>::new(&self.our_network_key[..]);
+			let mut hmac = HmacEngine::<Sha256>::new(&user_pmt_hash_key);
 			hmac.input(&metadata_bytes[..]);
 			hmac.input(&payment_hash.0[..]);
 			if iv_bytes != Hmac::from_engine(hmac).into_inner().split_at_mut(16).0 {
@@ -2630,7 +2635,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 				log_trace!(self.logger, "Failing HTLC with payment_hash {} due to total_msat {} being less than the minimum amount of {} msat", log_bytes!(payment_hash.0), payment_data.total_msat, min_amt_msat);
 				return Err(())
 			}
-			let mut hmac = HmacEngine::<Sha256>::new(&self.our_network_key[..]);
+			let mut hmac = HmacEngine::<Sha256>::new(&ldk_pmt_hash_key);
 			hmac.input(&iv_bytes);
 			hmac.input(&metadata_bytes);
 			let decoded_payment_preimage = Hmac::from_engine(hmac).into_inner();
@@ -4626,7 +4631,8 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 		let rand_bytes = self.keys_manager.get_secure_random_bytes();
 		let iv_bytes = &rand_bytes[..16];
 
-		let mut hmac = HmacEngine::<Sha256>::new(&self.our_network_key[..]);
+		let (_, ldk_pmt_hash_key) = hkdf_extract_expand(&vec![0], &self.inbound_payments_key[..]);
+		let mut hmac = HmacEngine::<Sha256>::new(&ldk_pmt_hash_key);
 		hmac.input(iv_bytes);
 		hmac.input(&metadata_bytes);
 		let payment_preimage_bytes = Hmac::from_engine(hmac).into_inner();
@@ -4636,7 +4642,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			let (iv_slice, encrypted_metadata_slice) = payment_secret_bytes.split_at_mut(16);
 			iv_slice.copy_from_slice(iv_bytes);
 
-			let mut chacha = ChaCha20::new(&self.our_network_key[..], &iv_bytes[..12]);
+			let mut chacha = ChaCha20::new(&self.inbound_payments_key[..], &iv_bytes[..12]);
 			let mut chacha_bytes = [0; 16];
 			chacha.process_in_place(&mut chacha_bytes);
 
@@ -4705,7 +4711,8 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			expiry_slice.copy_from_slice(&expiry_bytes);
 		}
 
-		let mut hmac = HmacEngine::<Sha256>::new(&self.our_network_key[..]);
+		let (user_pmt_hash_key, _) = hkdf_extract_expand(&vec![0], &self.inbound_payments_key[..]);
+		let mut hmac = HmacEngine::<Sha256>::new(&user_pmt_hash_key);
 		hmac.input(&metadata_bytes);
 		hmac.input(&payment_hash.0);
 		let hmac_bytes = Hmac::from_engine(hmac).into_inner();
@@ -4716,7 +4723,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			let (iv_slice, encrypted_metadata_slice) = payment_secret_bytes.split_at_mut(16);
 			iv_slice.copy_from_slice(iv_bytes);
 
-			let mut chacha = ChaCha20::new(&self.our_network_key[..], &iv_bytes[..12]);
+			let mut chacha = ChaCha20::new(&self.inbound_payments_key[..], &iv_bytes[..12]);
 			let mut chacha_bytes = [0; 16];
 			chacha.process_in_place(&mut chacha_bytes);
 
@@ -5796,6 +5803,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> Writeable f
 		}
 		write_tlv_fields!(writer, {
 			(1, pending_outbound_payments_no_retry, required),
+			(2, self.inbound_payments_key, required),
 			(3, pending_outbound_payments, required),
 		});
 
@@ -6089,10 +6097,15 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 		// pending_outbound_payments_no_retry is for compatibility with 0.0.101 clients.
 		let mut pending_outbound_payments_no_retry: Option<HashMap<PaymentId, HashSet<[u8; 32]>>> = None;
 		let mut pending_outbound_payments = None;
+		let mut inbound_payments_key = None;
 		read_tlv_fields!(reader, {
 			(1, pending_outbound_payments_no_retry, option),
+			(2, inbound_payments_key, option),
 			(3, pending_outbound_payments, option),
 		});
+		if inbound_payments_key.is_none() {
+			inbound_payments_key = Some(SecretKey::from_slice(&args.keys_manager.get_secure_random_bytes()).expect("broken RNG"));
+		}
 		if pending_outbound_payments.is_none() && pending_outbound_payments_no_retry.is_none() {
 			pending_outbound_payments = Some(pending_outbound_payments_compat);
 		} else if pending_outbound_payments.is_none() {
@@ -6170,6 +6183,7 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 				claimable_htlcs,
 				pending_msg_events: Vec::new(),
 			}),
+			inbound_payments_key: inbound_payments_key.unwrap(),
 			pending_inbound_payments: Mutex::new(pending_inbound_payments),
 			pending_outbound_payments: Mutex::new(pending_outbound_payments.unwrap()),
 
@@ -6203,6 +6217,19 @@ impl<'a, Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref>
 	}
 }
 
+fn hkdf_extract_expand(salt: &[u8], ikm: &[u8]) -> ([u8; 32], [u8; 32]) {
+	let mut hmac = HmacEngine::<Sha256>::new(salt);
+	hmac.input(ikm);
+	let prk = Hmac::from_engine(hmac).into_inner();
+	let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+	hmac.input(&[1; 1]);
+	let t1 = Hmac::from_engine(hmac).into_inner();
+	let mut hmac = HmacEngine::<Sha256>::new(&prk[..]);
+	hmac.input(&t1);
+	hmac.input(&[2; 1]);
+	(t1, Hmac::from_engine(hmac).into_inner())
+}
+
 #[cfg(test)]
 mod tests {
 	use bitcoin::hashes::Hash;
