diff --git a/src/lib.rs b/src/lib.rs index 06b4ff6..a697b74 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -9,7 +9,7 @@ //! //! ```rust //! use secp256k1::{PublicKey, SecretKey, Secp256k1}; -//! use fiber_sphinx::{new_onion_packet, SphinxError}; +//! use fiber_sphinx::OnionPacket; //! //! let secp = Secp256k1::new(); //! let hops_keys = vec![ @@ -24,15 +24,17 @@ //! let get_length = |packet_data: &[u8]| Some(packet_data[0] as usize + 1); //! let assoc_data = vec![0x42u8; 32]; //! -//! let packet = new_onion_packet( -//! 1300, -//! hops_path, +//! let packet = OnionPacket::create( //! session_key, +//! hops_path, //! hops_data.clone(), //! Some(assoc_data.clone()), +//! 1300, +//! &secp, //! ).expect("new onion packet"); //! //! // Hop 0 +//! # use fiber_sphinx::SphinxError; //! # { //! # // error cases //! # let res = packet.clone().peel(&hops_keys[0], None, &secp, get_length); @@ -95,6 +97,7 @@ const HMAC_KEY_UM: &[u8] = b"um"; const HMAC_KEY_AMMAG: &[u8] = b"ammag"; const CHACHA_NONCE: [u8; 12] = [0u8; 12]; +/// Onion packet to send encrypted message via multiple hops. #[derive(Debug, Clone, Eq, PartialEq)] pub struct OnionPacket { /// Version of the onion packet, currently 0 @@ -107,12 +110,80 @@ pub struct OnionPacket { pub hmac: [u8; 32], } +/// Onion error packet to return errors to the origin node. +/// +/// The nodes must store the shared secrets to forward `OnionPacket` locally and reuse them to obfuscate +/// the error packet. See the section "Returning Errors" in the specification for details. +/// +/// ## Example +/// +/// ```rust +/// use secp256k1::{PublicKey, SecretKey, Secp256k1}; +/// use std::str::FromStr; +/// use fiber_sphinx::{OnionErrorPacket, OnionPacket, OnionSharedSecretIter}; +/// +/// let secp = Secp256k1::new(); +/// let hops_path = vec![ +/// PublicKey::from_str("02eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619").expect("valid public key"), +/// PublicKey::from_str("0324653eac434488002cc06bbfb7f10fe18991e35f9fe4302dbea6d2353dc0ab1c").expect("valid public key"), +/// PublicKey::from_str("027f31ebc5462c1fdce1b737ecff52d37d75dea43ce11c74d25aa297165faa2007").expect("valid public key"), +/// ]; +/// let session_key = SecretKey::from_slice(&[0x41; 32]).expect("32 bytes, within curve order"); +/// let hops_ss = OnionSharedSecretIter::new(hops_path.iter(), session_key, &secp).collect::>(); +/// +/// // The node [0x21; 32] generates the error +/// let shared_secret = hops_ss[1]; +/// let error_packet = OnionErrorPacket::create(&shared_secret, b"error message".to_vec()); +/// ``` +#[derive(Debug, Clone, Eq, PartialEq)] pub struct OnionErrorPacket { /// Encrypted error-returning packet data. pub packet_data: Vec, } impl OnionPacket { + /// Creates the new onion packet for the first hop. + /// + /// - `hops_path`: The public keys for each hop. These are _y_i in the specification. + /// - `session_key`: The ephemeral secret key for the onion packet. It must be generated securely using a random process. + /// This is _x_ in the specification. + /// - `hops_data`: The unencrypted data for each hop. **Attention** that the data for each hop will be concatenated with + /// the remaining encrypted data. To extract the data, the receiver must know the data length. For example, the hops + /// data can include its length at the beginning. These are _m_i in the specification. + /// - `assoc_data`: The associated data. It will not be included in the packet itself but will be covered by the packet's + /// HMAC. This allows each hop to verify that the associated data has not been tampered with. This is _A_ in the + /// specification. + /// - `onion_packet_len`: The length of the onion packet. The packet has the same size for each hop. + pub fn create( + session_key: SecretKey, + hops_path: Vec, + hops_data: Vec>, + assoc_data: Option>, + packet_data_len: usize, + secp_ctx: &Secp256k1, + ) -> Result { + if hops_path.len() != hops_data.len() { + return Err(SphinxError::HopsLenMismatch); + } + if hops_path.is_empty() { + return Err(SphinxError::HopsIsEmpty); + } + + let hops_keys = derive_hops_forward_keys(&hops_path, session_key, secp_ctx); + let pad_key = derive_key(HMAC_KEY_PAD, &session_key.secret_bytes()); + let packet_data = generate_padding_data(packet_data_len, &pad_key); + let filler = generate_filler(packet_data_len, &hops_keys, &hops_data)?; + + construct_onion_packet( + packet_data, + session_key.public_key(secp_ctx), + &hops_keys, + &hops_data, + assoc_data, + filler, + ) + } + /// Converts the onion packet into a byte vector. pub fn into_bytes(self) -> Vec { let mut bytes = Vec::with_capacity(1 + 33 + self.packet_data.len() + 32); @@ -190,6 +261,89 @@ impl OnionPacket { } } +impl OnionErrorPacket { + /// Creates an onion error packet using the erring node shared secret. + /// + /// The erring node should store the shared secrets to forward the onion packet locally and reuse them to obfuscate + /// the error packet. + /// + /// The shared secret can be obtained via `OnionPacket::shared_secret`. + pub fn create(shared_secret: &[u8; 32], mut payload: Vec) -> Self { + let ReturnKeys { ammag, um } = ReturnKeys::new(shared_secret); + let mut packet_data = compute_hmac(&um, &payload, None).to_vec(); + packet_data.append(&mut payload); + + (OnionErrorPacket { packet_data }).xor_cipher_stream_with_ammag(ammag) + } + + fn xor_cipher_stream_with_ammag(self, ammag: [u8; 32]) -> Self { + let mut chacha = ChaCha20::new(&ammag.into(), &CHACHA_NONCE.into()); + let mut packet_data = self.packet_data; + chacha.apply_keystream(&mut packet_data[..]); + + Self { packet_data } + } + + /// Encrypts or decrypts the packet data with the chacha20 stream. + /// + /// Apply XOR on the packet data with the keystream generated by the chacha20 stream cipher. + pub fn xor_cipher_stream(self, shared_secret: &[u8; 32]) -> Self { + let ammag = derive_ammag_key(shared_secret); + self.xor_cipher_stream_with_ammag(ammag) + } + + /// Decrypts the packet data and parses the error message. + /// + /// This method is for the origin node to decrypts the packet data node by node and try to parse the message. + /// + /// - `hops_path`: The public keys for each hop. These are _y_i in the specification. + /// - `session_key`: The ephemeral secret key for the onion packet. It must be generated securely using a random process. + /// This is _x_ in the specification. + /// - `parse_payload`: A function to parse the error payload from the decrypted packet data. It should return `Some(T)` if + /// the given buffer starts with a valid error payload, otherwise `None`. + /// + /// Returns the parsed error message and the erring node public key if the HMAC is valid and the error message is successfully + /// parsed by the function `parse_payload`. + pub fn parse( + self, + hops_path: Vec, + session_key: SecretKey, + parse_payload: F, + ) -> Option<(T, PublicKey)> + where + F: Fn(&[u8]) -> Option, + { + // The packet must contain the HMAC so it has to be at least 32 bytes + if self.packet_data.len() < 32 { + return None; + } + + let secp_ctx = Secp256k1::new(); + let mut packet = self; + for (public_key, shared_secret) in hops_path.iter().zip(OnionSharedSecretIter::new( + hops_path.iter(), + session_key, + &secp_ctx, + )) { + let ReturnKeys { ammag, um } = ReturnKeys::new(&shared_secret); + packet = packet.xor_cipher_stream_with_ammag(ammag); + if let Some(error) = parse_payload(&packet.packet_data[32..]) { + let hmac = compute_hmac(&um, &packet.packet_data[32..], None); + if hmac == packet.packet_data[..32] { + return Some((error, public_key.clone())); + } + } + } + + None + } + + /// Converts the onion packet into a byte vector. + pub fn into_bytes(self) -> Vec { + self.packet_data + } +} + #[derive(Error, Debug, Eq, PartialEq)] pub enum SphinxError { #[error("The hops path does not match the hops data length")] @@ -209,6 +363,7 @@ pub enum SphinxError { } /// Keys used to forward the onion packet. +#[derive(Debug, Clone, Eq, PartialEq)] pub struct ForwardKeys { /// Key derived from the shared secret for the hop. It is used to encrypt the packet data. pub rho: [u8; 32], @@ -216,7 +371,18 @@ pub struct ForwardKeys { pub mu: [u8; 32], } +impl ForwardKeys { + /// Derive keys for forwarding the onion packet from the shared secret. + pub fn new(shared_secret: &[u8]) -> ForwardKeys { + ForwardKeys { + rho: derive_key(HMAC_KEY_RHO, shared_secret), + mu: derive_key(HMAC_KEY_MU, shared_secret), + } + } +} + /// Keys used to return the error packet. +#[derive(Debug, Clone, Eq, PartialEq)] pub struct ReturnKeys { /// Key derived from the shared secret for the hop. It is used to encrypt the error packet data. pub ammag: [u8; 32], @@ -224,13 +390,28 @@ pub struct ReturnKeys { pub um: [u8; 32], } +impl ReturnKeys { + /// Derive keys for returning the error onion packet from the shared secret. + pub fn new(shared_secret: &[u8]) -> ReturnKeys { + ReturnKeys { + ammag: derive_ammag_key(shared_secret), + um: derive_key(HMAC_KEY_UM, shared_secret), + } + } +} + +#[inline] +pub fn derive_ammag_key(shared_secret: &[u8]) -> [u8; 32] { + derive_key(HMAC_KEY_AMMAG, shared_secret) +} + /// Shared secrets generator. /// /// ## Example /// /// ```rust /// use secp256k1::{PublicKey, SecretKey, Secp256k1}; -/// use fiber_sphinx::{SharedSecretIter}; +/// use fiber_sphinx::{OnionSharedSecretIter}; /// /// let secp = Secp256k1::new(); /// let hops_keys = vec![ @@ -241,17 +422,17 @@ pub struct ReturnKeys { /// let hops_path: Vec<_> = hops_keys.iter().map(|sk| sk.public_key(&secp)).collect(); /// let session_key = SecretKey::from_slice(&[0x41; 32]).expect("32 bytes, within curve order"); /// // Gets shared secrets for each hop -/// let hops_ss: Vec<_> = SharedSecretIter::new(hops_path.into_iter(), session_key, &secp).collect(); +/// let hops_ss: Vec<_> = OnionSharedSecretIter::new(hops_path.iter(), session_key, &secp).collect(); /// ``` #[derive(Clone)] -pub struct SharedSecretIter<'a, I, C: Signing> { +pub struct OnionSharedSecretIter<'s, I, C: Signing> { /// A list of node public keys hops_path_iter: I, ephemeral_secret_key: SecretKey, - secp_ctx: &'a Secp256k1, + secp_ctx: &'s Secp256k1, } -impl<'a, I, C: Signing> SharedSecretIter<'a, I, C> { +impl<'s, I, C: Signing> OnionSharedSecretIter<'s, I, C> { /// Creates an iterator to generate shared secrets for each hop. /// /// - `hops_path`: The public keys for each hop. These are _y_i in the specification. @@ -260,9 +441,9 @@ impl<'a, I, C: Signing> SharedSecretIter<'a, I, C> { pub fn new( hops_path_iter: I, session_key: SecretKey, - secp_ctx: &'a Secp256k1, - ) -> SharedSecretIter { - SharedSecretIter { + secp_ctx: &'s Secp256k1, + ) -> OnionSharedSecretIter { + OnionSharedSecretIter { hops_path_iter, secp_ctx, ephemeral_secret_key: session_key, @@ -270,7 +451,9 @@ impl<'a, I, C: Signing> SharedSecretIter<'a, I, C> { } } -impl<'a, I: Iterator, C: Signing> Iterator for SharedSecretIter<'a, I, C> { +impl<'s, 'i, I: Iterator, C: Signing> Iterator + for OnionSharedSecretIter<'s, I, C> +{ type Item = [u8; 32]; fn next(&mut self) -> Option { @@ -289,33 +472,14 @@ impl<'a, I: Iterator, C: Signing> Iterator for SharedSecretIte } } -/// Derive keys for forwarding the onion packet from the shared secret. -pub fn derive_forward_keys(shared_secret: &[u8]) -> ForwardKeys { - ForwardKeys { - rho: derive_key(HMAC_KEY_RHO, shared_secret), - mu: derive_key(HMAC_KEY_MU, shared_secret), - } -} - -/// Derive keys for returning the error onion packet from the shared secret. -pub fn derive_return_keys(shared_secret: &[u8]) -> ReturnKeys { - ReturnKeys { - ammag: derive_key(HMAC_KEY_AMMAG, shared_secret), - um: derive_key(HMAC_KEY_UM, shared_secret), - } -} - /// Derives keys for forwarding the onion packet. -pub fn derive_hops_forward_keys( +fn derive_hops_forward_keys( hops_path: &Vec, session_key: SecretKey, secp_ctx: &Secp256k1, ) -> Vec { - SharedSecretIter::new(hops_path.iter().cloned(), session_key, secp_ctx) - .map(|shared_secret| ForwardKeys { - rho: derive_key(HMAC_KEY_RHO, shared_secret.as_ref()), - mu: derive_key(HMAC_KEY_MU, shared_secret.as_ref()), - }) + OnionSharedSecretIter::new(hops_path.iter(), session_key, secp_ctx) + .map(|shared_secret| ForwardKeys::new(&shared_secret)) .collect() } @@ -505,52 +669,11 @@ fn construct_onion_packet( }) } -/// Creates a new onion packet internally. -/// -/// - `onion_packet_len`: The length of the onion packet. The packet has the same size for each hop. -/// - `hops_path`: The public keys for each hop. These are _y_i in the specification. -/// - `session_key`: The ephemeral secret key for the onion packet. It must be generated securely using a random process. -/// This is _x_ in the specification. -/// - `hops_data`: The unencrypted data for each hop. **Attention** that the data for each hop will be concatenated with -/// the remaining encrypted data. To extract the data, the receiver must know the data length. For example, the hops -/// data can include its length at the beginning. These are _m_i in the specification. -/// - `assoc_data`: The associated data. It will not be included in the packet itself but will be covered by the packet's -/// HMAC. This allows each hop to verify that the associated data has not been tampered with. This is _A_ in the -/// specification. -pub fn new_onion_packet( - packet_data_len: usize, - hops_path: Vec, - session_key: SecretKey, - hops_data: Vec>, - assoc_data: Option>, -) -> Result { - if hops_path.len() != hops_data.len() { - return Err(SphinxError::HopsLenMismatch); - } - if hops_path.is_empty() { - return Err(SphinxError::HopsIsEmpty); - } - - let secp_ctx = Secp256k1::new(); - let hops_keys = derive_hops_forward_keys(&hops_path, session_key, &secp_ctx); - let pad_key = derive_key(HMAC_KEY_PAD, &session_key.secret_bytes()); - let packet_data = generate_padding_data(packet_data_len, &pad_key); - let filler = generate_filler(packet_data_len, &hops_keys, &hops_data)?; - - construct_onion_packet( - packet_data, - session_key.public_key(&secp_ctx), - &hops_keys, - &hops_data, - assoc_data, - filler, - ) -} - #[cfg(test)] mod tests { use super::*; use hex_conservative::prelude::*; + use std::str::FromStr; const PACKET_DATA_LEN: usize = 1300; fn get_test_session_key() -> SecretKey { @@ -559,14 +682,14 @@ mod tests { fn get_test_hops_path() -> Vec { vec![ - Vec::from_hex("02eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619"), - Vec::from_hex("0324653eac434488002cc06bbfb7f10fe18991e35f9fe4302dbea6d2353dc0ab1c"), - Vec::from_hex("027f31ebc5462c1fdce1b737ecff52d37d75dea43ce11c74d25aa297165faa2007"), - Vec::from_hex("032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991"), - Vec::from_hex("02edabbd16b41c8371b92ef2f04c1185b4f03b6dcd52ba9b78d9d7c89c8f221145"), + "02eec7245d6b7d2ccb30380bfbe2a3648cd7a942653f5aa340edcea1f283686619", + "0324653eac434488002cc06bbfb7f10fe18991e35f9fe4302dbea6d2353dc0ab1c", + "027f31ebc5462c1fdce1b737ecff52d37d75dea43ce11c74d25aa297165faa2007", + "032c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991", + "02edabbd16b41c8371b92ef2f04c1185b4f03b6dcd52ba9b78d9d7c89c8f221145", ] .into_iter() - .map(|pk| PublicKey::from_slice(&pk.unwrap()).expect("33 bytes, valid pubkey")) + .map(|pk| PublicKey::from_str(pk).expect("33 bytes, valid pubkey")) .collect() } @@ -674,7 +797,8 @@ mod tests { } #[test] - fn test_new_onion_packet() { + fn test_create_onion_packet() { + let secp = Secp256k1::new(); let hops_path = get_test_hops_path(); let session_key = get_test_session_key(); let hops_data = vec![ @@ -686,12 +810,13 @@ mod tests { ]; let assoc_data = vec![0x42u8; 32]; - let packet = new_onion_packet( - PACKET_DATA_LEN, - hops_path, + let packet = OnionPacket::create( session_key, + hops_path, hops_data, Some(assoc_data), + PACKET_DATA_LEN, + &secp, ) .unwrap(); let packet_bytes = packet.into_bytes(); @@ -715,12 +840,13 @@ mod tests { let get_length = |packet_data: &[u8]| Some(packet_data[0] as usize + 1); let assoc_data = vec![0x42u8; 32]; - let packet = new_onion_packet( - 2000, - hops_path, + let packet = OnionPacket::create( session_key, + hops_path, hops_data.clone(), Some(assoc_data.clone()), + 2000, + &secp, ) .expect("new onion packet"); @@ -771,4 +897,116 @@ mod tests { let (data, _packet) = res.unwrap(); assert_eq!(data, hops_data[2]); } + + #[test] + fn test_create_onion_error_packet() { + let secp = Secp256k1::new(); + let hops_path = get_test_hops_path(); + let session_key = get_test_session_key(); + let hops_ss: Vec<_> = + OnionSharedSecretIter::new(hops_path.iter(), session_key, &secp).collect(); + let error_payload = >::from_hex("0002200200fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000").expect("valid hex"); + + let onion_packet_1 = OnionErrorPacket::create(&hops_ss[4], error_payload); + let expected_hex = "a5e6bd0c74cb347f10cce367f949098f2457d14c046fd8a22cb96efb30b0fdcda8cb9168b50f2fd45edd73c1b0c8b33002df376801ff58aaa94000bf8a86f92620f343baef38a580102395ae3abf9128d1047a0736ff9b83d456740ebbb4aeb3aa9737f18fb4afb4aa074fb26c4d702f42968888550a3bded8c05247e045b866baef0499f079fdaeef6538f31d44deafffdfd3afa2fb4ca9082b8f1c465371a9894dd8c243fb4847e004f5256b3e90e2edde4c9fb3082ddfe4d1e734cacd96ef0706bf63c9984e22dc98851bcccd1c3494351feb458c9c6af41c0044bea3c47552b1d992ae542b17a2d0bba1a096c78d169034ecb55b6e3a7263c26017f033031228833c1daefc0dedb8cf7c3e37c9c37ebfe42f3225c326e8bcfd338804c145b16e34e4"; + assert_eq!( + onion_packet_1.clone().into_bytes().to_lower_hex_string(), + expected_hex + ); + + let onion_packet_2 = onion_packet_1.xor_cipher_stream(&hops_ss[3]); + let expected_hex = "c49a1ce81680f78f5f2000cda36268de34a3f0a0662f55b4e837c83a8773c22aa081bab1616a0011585323930fa5b9fae0c85770a2279ff59ec427ad1bbff9001c0cd1497004bd2a0f68b50704cf6d6a4bf3c8b6a0833399a24b3456961ba00736785112594f65b6b2d44d9f5ea4e49b5e1ec2af978cbe31c67114440ac51a62081df0ed46d4a3df295da0b0fe25c0115019f03f15ec86fabb4c852f83449e812f141a9395b3f70b766ebbd4ec2fae2b6955bd8f32684c15abfe8fd3a6261e52650e8807a92158d9f1463261a925e4bfba44bd20b166d532f0017185c3a6ac7957adefe45559e3072c8dc35abeba835a8cb01a71a15c736911126f27d46a36168ca5ef7dccd4e2886212602b181463e0dd30185c96348f9743a02aca8ec27c0b90dca270"; + assert_eq!( + onion_packet_2.clone().into_bytes().to_lower_hex_string(), + expected_hex + ); + + let onion_packet_3 = onion_packet_2.xor_cipher_stream(&hops_ss[2]); + let expected_hex = "a5d3e8634cfe78b2307d87c6d90be6fe7855b4f2cc9b1dfb19e92e4b79103f61ff9ac25f412ddfb7466e74f81b3e545563cdd8f5524dae873de61d7bdfccd496af2584930d2b566b4f8d3881f8c043df92224f38cf094cfc09d92655989531524593ec6d6caec1863bdfaa79229b5020acc034cd6deeea1021c50586947b9b8e6faa83b81fbfa6133c0af5d6b07c017f7158fa94f0d206baf12dda6b68f785b773b360fd0497e16cc402d779c8d48d0fa6315536ef0660f3f4e1865f5b38ea49c7da4fd959de4e83ff3ab686f059a45c65ba2af4a6a79166aa0f496bf04d06987b6d2ea205bdb0d347718b9aeff5b61dfff344993a275b79717cd815b6ad4c0beb568c4ac9c36ff1c315ec1119a1993c4b61e6eaa0375e0aaf738ac691abd3263bf937e3"; + assert_eq!( + onion_packet_3.clone().into_bytes().to_lower_hex_string(), + expected_hex + ); + + let onion_packet_4 = onion_packet_3.xor_cipher_stream(&hops_ss[1]); + let expected_hex = "aac3200c4968f56b21f53e5e374e3a2383ad2b1b6501bbcc45abc31e59b26881b7dfadbb56ec8dae8857add94e6702fb4c3a4de22e2e669e1ed926b04447fc73034bb730f4932acd62727b75348a648a1128744657ca6a4e713b9b646c3ca66cac02cdab44dd3439890ef3aaf61708714f7375349b8da541b2548d452d84de7084bb95b3ac2345201d624d31f4d52078aa0fa05a88b4e20202bd2b86ac5b52919ea305a8949de95e935eed0319cf3cf19ebea61d76ba92532497fcdc9411d06bcd4275094d0a4a3c5d3a945e43305a5a9256e333e1f64dbca5fcd4e03a39b9012d197506e06f29339dfee3331995b21615337ae060233d39befea925cc262873e0530408e6990f1cbd233a150ef7b004ff6166c70c68d9f8c853c1abca640b8660db2921"; + assert_eq!( + onion_packet_4.clone().into_bytes().to_lower_hex_string(), + expected_hex + ); + + let onion_packet_5 = onion_packet_4.xor_cipher_stream(&hops_ss[0]); + let expected_hex = "9c5add3963fc7f6ed7f148623c84134b5647e1306419dbe2174e523fa9e2fbed3a06a19f899145610741c83ad40b7712aefaddec8c6baf7325d92ea4ca4d1df8bce517f7e54554608bf2bd8071a4f52a7a2f7ffbb1413edad81eeea5785aa9d990f2865dc23b4bc3c301a94eec4eabebca66be5cf638f693ec256aec514620cc28ee4a94bd9565bc4d4962b9d3641d4278fb319ed2b84de5b665f307a2db0f7fbb757366067d88c50f7e829138fde4f78d39b5b5802f1b92a8a820865af5cc79f9f30bc3f461c66af95d13e5e1f0381c184572a91dee1c849048a647a1158cf884064deddbf1b0b88dfe2f791428d0ba0f6fb2f04e14081f69165ae66d9297c118f0907705c9c4954a199bae0bb96fad763d690e7daa6cfda59ba7f2c8d11448b604d12d"; + assert_eq!( + onion_packet_5.into_bytes().to_lower_hex_string(), + expected_hex + ); + } + + fn parse_lightning_error_packet_data(payload: &[u8]) -> Option> { + (payload.len() >= 2).then_some(())?; + let message_len = u16::from_be_bytes(payload[0..2].try_into().unwrap()) as usize; + + (payload.len() >= message_len + 4).then_some(())?; + let pad_len = u16::from_be_bytes( + payload[(message_len + 2)..(message_len + 4)] + .try_into() + .unwrap(), + ) as usize; + + (payload.len() == message_len + pad_len + 4).then(|| payload[2..(2 + message_len)].to_vec()) + } + + #[test] + fn test_parse_onion_error_packet() { + let secp = Secp256k1::new(); + let hops_path = get_test_hops_path(); + let session_key = get_test_session_key(); + let hops_ss: Vec<_> = + OnionSharedSecretIter::new(hops_path.iter(), session_key, &secp).collect(); + let error_payload = >::from_hex("0002200200fe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000").expect("valid hex"); + + { + // from the first hop + let packet = OnionErrorPacket::create(&hops_ss[0], error_payload.clone()); + let error = packet.parse( + hops_path.clone(), + session_key, + parse_lightning_error_packet_data, + ); + assert!(error.is_some()); + let (error, public_key) = error.unwrap(); + assert_eq!(error, vec![0x20, 0x02]); + assert_eq!(public_key, hops_path[0]); + } + + { + // from the last hop + let packet = OnionErrorPacket::create(&hops_ss[4], error_payload.clone()) + .xor_cipher_stream(&hops_ss[3]) + .xor_cipher_stream(&hops_ss[2]) + .xor_cipher_stream(&hops_ss[1]) + .xor_cipher_stream(&hops_ss[0]); + let error = packet.parse( + hops_path.clone(), + session_key, + parse_lightning_error_packet_data, + ); + assert!(error.is_some()); + let (error, public_key) = error.unwrap(); + assert_eq!(error, vec![0x20, 0x02]); + assert_eq!(public_key, hops_path[4]); + } + + { + // invalid packet. The packet should be encrypted by the first hop but not. + let packet = OnionErrorPacket::create(&hops_ss[1], error_payload.clone()); + let error = packet.parse( + hops_path.clone(), + session_key, + parse_lightning_error_packet_data, + ); + assert!(error.is_none()); + } + } }