Authenticate InvoiceError messages

[jkczyz]

Before abandoning a payment when receiving an InvoiceError, verify that the PaymentId included in the OffersContext with the included HMAC. This prevents a malicious actor sending an InvoiceError with a known payment id from abandoning our payment.

Based on #3202

Fixes #3166
Fixes #3167

[codecov]

Codecov Report

Attention: Patch coverage is 85.86572% with 40 lines in your changes missing coverage. Please review.

Project coverage is 89.74%. Comparing base (5ab40b2) to head (075a2e3).
Report is 20 commits behind head on main.

Files	Patch %	Lines
lightning/src/events/mod.rs	0.00%	22 Missing ⚠️
lightning/src/ln/channelmanager.rs	82.50%	4 Missing and 3 partials ⚠️
lightning/src/ln/offers_tests.rs	95.65%	5 Missing ⚠️
lightning/src/ln/outbound_payment.rs	94.23%	0 Missing and 3 partials ⚠️
lightning/src/ln/functional_test_utils.rs	0.00%	0 Missing and 2 partials ⚠️
lightning/src/util/ser.rs	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3192      +/-   ##
==========================================
- Coverage   89.75%   89.74%   -0.02%     
==========================================
  Files         123      123              
  Lines      102158   102330     +172     
  Branches   102158   102330     +172     
==========================================
+ Hits        91695    91833     +138     
- Misses       7773     7802      +29     
- Partials     2690     2695       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jkczyz]

@TheBlueMatt @valentinewallace Need your opinions on Event::InvoiceRequestFailed. A payment in state AwaitingInvoice, may be abandoned for the following reasons:

• Timeout waiting on the invoice
• Explicitly abandoned by the user
• Invoice contains unknown required features
• Recipient sends back InvoiceError

Currently, the first two generate Event::InvoiceRequestFailed.

In this PR, we transition to state InvoiceReceived before checking the features, so that it will instead generate an Event::PaymentFailed. Note, we can only use Event::PaymentFailed when we have a PaymentHash.

Abandoning for the InvoiceError case requires us to give a PaymentFailureReason. But the reason in practice is ignored by PendingOutboundPayments::abandon_payment when in state AwaitingInvoice.

Do we care that reason is ignored and never finds it way to the user in Event::InvoiceRequestFailed? Should we add a reason to that event? And if so, should it be PaymentFailureReason or a dedicated type? If a dedicated type, I'm not sure how PendingOutboundPayments::abandon_payment would work when called for a payment in the wrong state. But re-using PaymentFailureReason instead means that some reasons aren't applicable for either event.

Or maybe we just add an Option<InvoiceError> to Event::InvoiceRequestFailed? Though when None that doesn't differentiate timeout from user-abandoned, which is currently the case.

Thoughts?

[TheBlueMatt]

Need your opinions on Event::InvoiceRequestFailed

I mean the only reason for the distinction between the two events is that we need a PaymentHash for the payment failed one, so I don't feel super strongly about making sure there's too much of a logical distinction between the two - we expect users to largely handle them the same.

Do we care that reason is ignored and never finds it way to the user in Event::InvoiceRequestFailed? Should we add a reason to that event? And if so, should it be PaymentFailureReason or a dedicated type? If a dedicated type, I'm not sure how PendingOutboundPayments::abandon_payment would work when called for a payment in the wrong state. But re-using PaymentFailureReason instead means that some reasons aren't applicable for either event.

I'm starting to think we should make the hash optional in PaymentFailed and stick with that, but absent that, it seems like we could give users the same error type so that they could delegate to some common method to handle both cases? I'm not sure its that critical, though, honestly - there's not gonna be much in the way of programatic differences in how these events are handled, its really just them giving some kind of string to the operator/log. As far as the UX cares, the payment failed, and the reason is some technical garbage that isn't really useful to a human.

[jkczyz]

I'm starting to think we should make the hash optional in PaymentFailed and stick with that, but absent that, it seems like we could give users the same error type so that they could delegate to some common method to handle both cases?

Ended up making the payment hash optional in PaymentFailed and removing InvoiceRequestFailed. I agree that this approach is best.

[TheBlueMatt]

No, it'll cause reading the event to fail with DecodeError::InvalidValue :(. We should have done impl_writeable_tlv_based_enum_upgradable for PaymentFailureReason (we still should for the next added reason, but it won't help downgrades to 123).

[jkczyz]

Went ahead and changed this to impl_writeable_tlv_based_enum_upgradable.

[TheBlueMatt]

I'm pretty meh on breaking downgrades for payment failures here (causing DecodeError::InvalidValue). Instead, maybe we write 0s (and drop all-0s on the read end, and also then reject sending payments with all-0 payment hashes in ChannelManager/outbound_payments, or write some other "no payment_hash" flag) and document it in the release notes?

[jkczyz]

Done

[valentinewallace]

Needs rebase

[jkczyz]

Feedback addressed.

Needs rebase

@TheBlueMatt Will rebase whenever you are good.

[TheBlueMatt]

Feel free to rebase!

[TheBlueMatt]

I'm pretty meh on the idea that users might upgrade, use bolt12, and suddenly be unable to downgrade even one version. Not entirely sure what to do about it, though - we could delay this part of the patch for a release, or we could write the PaymentFailureReason twice, once with these versions in a new TLV and once without, mapping them to UnexpectedError or whatever.

[jkczyz]

Went ahead and wrote the reason twice. UnexpectedError would be a misleading, IMO, though. Used None instead, but let me know if there was some other alternative you were thinking about.

[TheBlueMatt]

Hmm, I suppose None is fine, but its a bit annoying to suddenly have no reason when the docs on 123 say that its "only None for events generated by versions prior to 0.0.115". I guess for InvoiceRequestRejected we could easily just say RecipientRejected, but InvoiceRequestExpired is tougher...maybe RetriesExhausted?

[jkczyz]

Hmm... UnknownRequiredFeatures also needs to map to something.

[TheBlueMatt]

RecipientRejected, I assume - they would have rejected a payment that has unknown features in the onion so...?

[jkczyz]

Here it is us -- the payer -- rejecting an invoice for an outbound payment.

[TheBlueMatt]

Yea but the principle is the same - we have some issue causing us to be unable to talk to the intended recipient so cannot pay. RecipientRejected makes sense imo as it's also the most final - "don't bother trying this again cause they already said they won't accept it"

[jkczyz]

Gotcha. Updated now.

[valentinewallace]

Could you help me understand why we need this input in addition to IV_BYTES in hmac_for_payment_id?

[jkczyz]

May not be necessary actually. Though, if in the future we hmac some other type of data, then we may want to differentiate it with another input. Happy to drop it if you and @TheBlueMatt don't think it is necessary.

[TheBlueMatt]

No reason not to have it IMO 🤷

[valentinewallace]

It looks like if someone downgraded after writing a zeroed out payment hash, then upgraded again, their event would then contain a payment_hash: Some(PaymentHash([0; 32])), IIUC. I think we could prevent that by omitting this invoice_received field and explicitly detecting a zeroed out payment hash instead.

[jkczyz]

Yeah, not sure how concerning that is but went ahead with your alternative.

@TheBlueMatt I'm not checking in ChannelManager for such a payment hash when sending. Seems in such a rare scenario it would be better to check the reason to determine whether the 0-payment_hash should be included in the event when reading. Maybe there some obscure upgrade-downgrade-upgrade scenario I'm not thinking about. But I'm not sure if it's worth adding some complex checking if the worse case is dropping the 0-payment_hash.

[TheBlueMatt]

Maybe we keep the old code writing the extra flag but then drop 0 payment hash if its missing? While people shouldn't be paying 0 payment hashes, its a bit weird that the payment hash will dissapear on you if you try to pay one because your counterparty made one up.

[jkczyz]

Updated accordingly, IIUC.

[jkczyz]

Went ahead and wrote the reason twice. UnexpectedError would be a misleading, IMO, though. Used None instead, but let me know if there was some other alternative you were thinking about.

[jkczyz]

Yeah, not sure how concerning that is but went ahead with your alternative.

@TheBlueMatt I'm not checking in ChannelManager for such a payment hash when sending. Seems in such a rare scenario it would be better to check the reason to determine whether the 0-payment_hash should be included in the event when reading. Maybe there some obscure upgrade-downgrade-upgrade scenario I'm not thinking about. But I'm not sure if it's worth adding some complex checking if the worse case is dropping the 0-payment_hash.

[jkczyz]

@TheBlueMatt This nonce is used both for the hmac and in the payer metadata. Is this ok?

[TheBlueMatt]

I think that's okay, they both use different IVs (and different algorithms) so it should be okay.

[jkczyz]

May not be necessary actually. Though, if in the future we hmac some other type of data, then we may want to differentiate it with another input. Happy to drop it if you and @TheBlueMatt don't think it is necessary.

[TheBlueMatt]

technically with the current implementation if you downgrade to pre-0.0.124 with a reason that was added after you also get None.

Suggested change

	/// was removed in 0.0.124, or when downgrading to 0.0.124 or later with a reason that was
	/// or when downgrading with a reason that was

[jkczyz]

Yep, removed "to 0.0.124 or later".

However, the first part, "which was removed in 0.0.124", is a non-restrictive clause; that is, the sentence has the same meaning with or without it. It's simply used to note when the event was removed from the codebase. Updated to use a parenthetical to make it clearer.

[TheBlueMatt]

Maybe we keep the old code writing the extra flag but then drop 0 payment hash if its missing? While people shouldn't be paying 0 payment hashes, its a bit weird that the payment hash will dissapear on you if you try to pay one because your counterparty made one up.

[valentinewallace]

LGTM

[valentinewallace]

Doesn't matter much, but it would make more sense to write this as required since we always write it

[jkczyz]

Option let's us handle the scenario described here: #3192 (comment). If it's required, then we would fail when re-upgrading.

[valentinewallace]

We should def make it Optional on read, but on writing it's fine to make it required since we always write it (there's no difference between required and an option where we always write).

[jkczyz]

Ah, I see. Done.

[jkczyz]

Squashed

[TheBlueMatt]

Ugh, needs a somewhat trivial rebase cause features.rs moved (and I guess git is dumb :( )

[TheBlueMatt]

Okay, one more nit to just fix (+ squash) on rebase, otherwise LGTM!

[TheBlueMatt]

Couldn't we set this to Some(InvoiceRequestExpired)?

[jkczyz]

Done

[valentinewallace]

LGTM after rebase

[jkczyz]

Rebased