Add support for authenticating forwarding blinded path contexts

In the previous commit we added support for authenticating received
blinded paths by using an additional secret as the AAD in the MAC.

Here, we extend this to support authenticating blinded path
contexts received for forwarding, allowing us to authenticate dummy
hops added as padding. This will allow us to prevent a DoS attack
where someone could create a blinded path which has many forwarding
hops all for us as fictitious dummy hops, requiring us to decrypt
many times only to find no useful onion message.

Author: TheBlueMatt

lightning/src/onion_message/messenger.rs

@@ -1120,17 +1120,31 @@ where
 			},
 		},
 		Ok((
-			Payload::Forward(ForwardControlTlvs::Unblinded(ForwardTlvs {
-				next_hop,
-				next_blinding_override,
-			})),
+			Payload::Forward {
+				control_tlvs: ForwardControlTlvs::Unblinded(ForwardTlvs {
+					next_hop,
+					next_blinding_override,
+				}),
+				control_tlvs_authenticated,
+			},
 			Some((next_hop_hmac, new_packet_bytes)),
 		)) => {
 			// TODO: we need to check whether `next_hop` is our node, in which case this is a dummy
 			// blinded hop and this onion message is destined for us. In this situation, we should keep
 			// unwrapping the onion layers to get to the final payload. Since we don't have the option
 			// of creating blinded paths with dummy hops currently, we should be ok to not handle this
 			// for now.
+			if control_tlvs_authenticated {
+				// TODO: When we start adding dummy hops, we should require the use of
+				// authenticated control TLVs, as it prevents a DoS attack where someone builds a
+				// blinded path to us which requires we decode hundreds of dummy hops only to find
+				// that we don't actually have a message inside to read.
+				// However, we should never accept a `control_tlvs_authenticated` packet which is
+				// *not* a dummy blinded hop we added, though it shouldn't be possible to reach in
+				// any case.
+				log_trace!(logger, "Received an authenticated to-forward onion message");
+				return Err(())
+			}
 			let packet_pubkey = msg.onion_routing_packet.public_key;
 			let new_pubkey_opt =
 				onion_utils::next_hop_pubkey(&secp_ctx, packet_pubkey, &onion_decode_ss);
@@ -2251,10 +2265,13 @@ fn packet_payloads_and_keys<
 			if num_unblinded_hops != 0 && unblinded_path_idx < num_unblinded_hops {
 				if let Some(ss) = prev_control_tlvs_ss.take() {
 					payloads.push((
-						Payload::Forward(ForwardControlTlvs::Unblinded(ForwardTlvs {
-							next_hop: NextMessageHop::NodeId(unblinded_pk_opt.unwrap()),
-							next_blinding_override: None,
-						})),
+						Payload::Forward {
+							control_tlvs: ForwardControlTlvs::Unblinded(ForwardTlvs {
+								next_hop: NextMessageHop::NodeId(unblinded_pk_opt.unwrap()),
+								next_blinding_override: None,
+							}),
+							control_tlvs_authenticated: false,
+						},
 						ss,
 					));
 				}
@@ -2263,17 +2280,23 @@ fn packet_payloads_and_keys<
 			} else if let Some((intro_node_id, blinding_pt)) = intro_node_id_blinding_pt.take() {
 				if let Some(control_tlvs_ss) = prev_control_tlvs_ss.take() {
 					payloads.push((
-						Payload::Forward(ForwardControlTlvs::Unblinded(ForwardTlvs {
-							next_hop: NextMessageHop::NodeId(intro_node_id),
-							next_blinding_override: Some(blinding_pt),
-						})),
+						Payload::Forward {
+							control_tlvs: ForwardControlTlvs::Unblinded(ForwardTlvs {
+								next_hop: NextMessageHop::NodeId(intro_node_id),
+								next_blinding_override: Some(blinding_pt),
+							}),
+							control_tlvs_authenticated: false,
+						},
 						control_tlvs_ss,
 					));
 				}
 			}
 			if blinded_path_idx < num_blinded_hops.saturating_sub(1) && enc_payload_opt.is_some() {
 				payloads.push((
-					Payload::Forward(ForwardControlTlvs::Blinded(enc_payload_opt.unwrap())),
+					Payload::Forward {
+						control_tlvs: ForwardControlTlvs::Blinded(enc_payload_opt.unwrap()),
+						control_tlvs_authenticated: false,
+					},
 					control_tlvs_ss,
 				));
 				blinded_path_idx += 1;

lightning/src/onion_message/packet.rs

@@ -110,7 +110,16 @@ impl LengthReadable for Packet {
 /// message content itself, such as an invoice request.
 pub(super) enum Payload<T: OnionMessageContents> {
 	/// This payload is for an intermediate hop.
-	Forward(ForwardControlTlvs),
+	Forward {
+		/// The [`ReceiveControlTlvs`] were authenticated with the additional key which was
+		/// provided to [`ReadableArgs::read`].
+		///
+		/// This should not happen for blinded paths built by any node but us (i.e. messages
+		/// forwarded through us to other nodes), but can be used to authenticate extra hops added
+		/// to a blinded path as padding.
+		control_tlvs_authenticated: bool,
+		control_tlvs: ForwardControlTlvs,
+	},
 	/// This payload is for the final hop.
 	Receive {
 		/// The [`ReceiveControlTlvs`] were authenticated with the additional key which was
@@ -220,7 +229,10 @@ pub(super) enum ReceiveControlTlvs {
 impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 	fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
 		match &self.0 {
-			Payload::Forward(ForwardControlTlvs::Blinded(encrypted_bytes)) => {
+			Payload::Forward {
+				control_tlvs: ForwardControlTlvs::Blinded(encrypted_bytes),
+				control_tlvs_authenticated: _,
+			} => {
 				_encode_varint_length_prefixed_tlv!(w, { (4, encrypted_bytes, required_vec) })
 			},
 			Payload::Receive {
@@ -235,7 +247,10 @@ impl<T: OnionMessageContents> Writeable for (Payload<T>, [u8; 32]) {
 					(message.tlv_type(), message, required)
 				})
 			},
-			Payload::Forward(ForwardControlTlvs::Unblinded(control_tlvs)) => {
+			Payload::Forward {
+				control_tlvs: ForwardControlTlvs::Unblinded(control_tlvs),
+				control_tlvs_authenticated: _,
+			} => {
 				let write_adapter = ChaChaPolyWriteAdapter::new(self.1, &control_tlvs);
 				_encode_varint_length_prefixed_tlv!(w, { (4, write_adapter, required) })
 			},
@@ -314,7 +329,10 @@ impl<H: CustomOnionMessageHandler + ?Sized, L: Logger + ?Sized> ReadableArgs<(Sh
 				if used_aad || message_type.is_some() {
 					return Err(DecodeError::InvalidValue);
 				}
-				Ok(Payload::Forward(ForwardControlTlvs::Unblinded(tlvs)))
+				Ok(Payload::Forward {
+					control_tlvs: ForwardControlTlvs::Unblinded(tlvs),
+					control_tlvs_authenticated: used_aad,
+				})
 			},
 			Some(ChaChaDualPolyReadAdapter { readable: ControlTlvs::Receive(tlvs), used_aad }) => {
 				Ok(Payload::Receive {