1 #include "config.h"
2 #include <assert.h>
3 #include <ccan/err/err.h>
4 #include <ccan/opt/opt.h>
5 #include <ccan/str/hex/hex.h>
6 #include <common/blinding.h>
7 #include <common/ecdh.h>
8 #include <common/setup.h>
9 #include <common/sphinx.h>
10 #include <common/type_to_string.h>
11 #include <common/version.h>
12 #include <secp256k1_ecdh.h>
13 #include <sodium/crypto_aead_chacha20poly1305.h>
14 #include <stdio.h>
15
16 static bool simpleout = false;
17
18 /* Tal wrappers for opt. */
opt_allocfn(size_t size)19 static void *opt_allocfn(size_t size)
20 {
21 return tal_arr_label(NULL, char, size, TAL_LABEL("opt_allocfn", ""));
22 }
23
tal_reallocfn(void * ptr,size_t size)24 static void *tal_reallocfn(void *ptr, size_t size)
25 {
26 if (!ptr)
27 return opt_allocfn(size);
28 tal_resize_(&ptr, 1, size, false);
29 return ptr;
30 }
31
tal_freefn(void * ptr)32 static void tal_freefn(void *ptr)
33 {
34 tal_free(ptr);
35 }
36
37 /* We don't actually use this, but common/onion needs it */
ecdh(const struct pubkey * point,struct secret * ss)38 void ecdh(const struct pubkey *point, struct secret *ss)
39 {
40 abort();
41 }
42
main(int argc,char ** argv)43 int main(int argc, char **argv)
44 {
45 bool first = false;
46
47 common_setup(argv[0]);
48
49 opt_set_alloc(opt_allocfn, tal_reallocfn, tal_freefn);
50 opt_register_noarg("--help|-h", opt_usage_and_exit,
51 "\n\n\tcreate <nodeid>[/<scid>]...\n"
52 "\tunwrap <privkey> <onion> <blinding>\n",
53 "Show this message");
54 opt_register_noarg("--first-node", opt_set_bool, &first,
55 "Don't try to tweak key to unwrap onion");
56 opt_register_noarg("--simple-output", opt_set_bool, &simpleout,
57 "Output values without prefixes, one per line");
58 opt_register_version();
59
60 opt_parse(&argc, argv, opt_log_stderr_exit);
61
62 if (argc < 2)
63 errx(1, "You must specify create or unwrap");
64 if (streq(argv[1], "create")) {
65 struct privkey e;
66 struct pubkey *pk_e, *b, *nodes;
67 struct short_channel_id **scids;
68 struct secret *rho;
69 size_t num = argc - 2;
70
71 if (argc < 3)
72 errx(1, "create requires at least one nodeid");
73
74 /* P(i) */
75 nodes = tal_arr(tmpctx, struct pubkey, num);
76 /* E(i) */
77 pk_e = tal_arr(tmpctx, struct pubkey, num);
78 /* B(i) */
79 b = tal_arr(tmpctx, struct pubkey, num);
80 /* rho(i) */
81 rho = tal_arr(tmpctx, struct secret, num);
82
83 scids = tal_arr(tmpctx, struct short_channel_id *, num);
84 /* Randomness, chosen with a fair dice roll! */
85 memset(&e, 6, sizeof(e));
86 if (!pubkey_from_privkey(&e, &pk_e[0]))
87 abort();
88
89 for (size_t i = 0; i < num; i++) {
90 struct secret ss;
91 struct secret hmac;
92 struct sha256 h;
93 const char *slash;
94
95 if (!pubkey_from_hexstr(argv[2+i],
96 strcspn(argv[2+i], "/"),
97 &nodes[i]))
98 errx(1, "%s not a valid pubkey", argv[2+i]);
99
100 slash = strchr(argv[2+i], '/');
101 if (slash) {
102 scids[i] = tal(scids, struct short_channel_id);
103 if (!short_channel_id_from_str(slash+1,
104 strlen(slash+1),
105 scids[i]))
106 errx(1, "%s is not a valid scids",
107 slash + 1);
108 } else
109 scids[i] = NULL;
110 if (secp256k1_ecdh(secp256k1_ctx, ss.data,
111 &nodes[i].pubkey, e.secret.data, NULL, NULL) != 1)
112 abort();
113
114 subkey_from_hmac("blinded_node_id", &ss, &hmac);
115 b[i] = nodes[i];
116 if (i != 0) {
117 if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx,
118 &b[i].pubkey, hmac.data) != 1)
119 abort();
120 }
121 subkey_from_hmac("rho", &ss, &rho[i]);
122 blinding_hash_e_and_ss(&pk_e[i], &ss, &h);
123 if (i != num-1)
124 blinding_next_pubkey(&pk_e[i], &h,
125 &pk_e[i+1]);
126 blinding_next_privkey(&e, &h, &e);
127 }
128
129 /* Print initial blinding factor */
130 if (simpleout)
131 printf("%s\n",
132 type_to_string(tmpctx, struct pubkey, &pk_e[0]));
133 else
134 printf("Blinding: %s\n",
135 type_to_string(tmpctx, struct pubkey, &pk_e[0]));
136
137 for (size_t i = 0; i < num - 1; i++) {
138 u8 *p;
139 u8 buf[BIGSIZE_MAX_LEN];
140 const unsigned char npub[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
141 struct tlv_onionmsg_payload *outer;
142 struct tlv_encmsg_tlvs *inner;
143 int ret;
144
145 /* Inner is encrypted */
146 inner = tlv_encmsg_tlvs_new(tmpctx);
147 /* Use scid if they provided one */
148 if (scids[i]) {
149 inner->obs_next_short_channel_id
150 = tal_dup(inner, struct short_channel_id,
151 scids[i]);
152 } else {
153 inner->next_node_id
154 = tal_dup(inner, struct pubkey, &nodes[i+1]);
155 }
156 p = tal_arr(tmpctx, u8, 0);
157 towire_encmsg_tlvs(&p, inner);
158
159 outer = tlv_onionmsg_payload_new(tmpctx);
160 outer->enctlv = tal_arr(outer, u8, tal_count(p)
161 + crypto_aead_chacha20poly1305_ietf_ABYTES);
162 ret = crypto_aead_chacha20poly1305_ietf_encrypt(outer->enctlv, NULL,
163 p,
164 tal_bytelen(p),
165 NULL, 0,
166 NULL, npub,
167 rho[i].data);
168 assert(ret == 0);
169
170 p = tal_arr(tmpctx, u8, 0);
171 towire_onionmsg_payload(&p, outer);
172 ret = bigsize_put(buf, tal_bytelen(p));
173
174 if (simpleout) {
175 printf("%s\n%s\n",
176 type_to_string(tmpctx, struct pubkey,
177 &b[i]),
178 tal_hex(tmpctx, outer->enctlv));
179 } else {
180 /* devtools/onion wants length explicitly prepended */
181 printf("%s/%.*s%s ",
182 type_to_string(tmpctx, struct pubkey,
183 &b[i]),
184 ret * 2,
185 tal_hexstr(tmpctx, buf, ret),
186 tal_hex(tmpctx, p));
187 }
188 }
189 /* No payload for last node */
190 if (simpleout)
191 printf("%s\n",
192 type_to_string(tmpctx, struct pubkey, &b[num-1]));
193 else
194 printf("%s/00\n",
195 type_to_string(tmpctx, struct pubkey, &b[num-1]));
196 } else if (streq(argv[1], "unwrap")) {
197 struct privkey privkey;
198 struct pubkey blinding;
199 u8 onion[TOTAL_PACKET_SIZE(ROUTING_INFO_SIZE)], *dec;
200 struct onionpacket *op;
201 struct secret ss, onion_ss;
202 struct secret hmac, rho;
203 struct route_step *rs;
204 const u8 *cursor;
205 struct tlv_onionmsg_payload *outer;
206 size_t max, len;
207 struct pubkey res;
208 struct sha256 h;
209 int ret;
210 enum onion_wire failcode;
211 const unsigned char npub[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
212
213 if (argc != 5)
214 errx(1, "unwrap requires privkey, onion and blinding");
215
216 if (!hex_decode(argv[2], strlen(argv[2]), &privkey,
217 sizeof(privkey)))
218 errx(1, "Invalid private key hex '%s'", argv[2]);
219
220 if (!hex_decode(argv[3], strlen(argv[3]), onion,
221 sizeof(onion)))
222 errx(1, "Invalid onion %s", argv[3]);
223
224 if (!pubkey_from_hexstr(argv[4], strlen(argv[4]), &blinding))
225 errx(1, "Invalid blinding %s", argv[4]);
226
227 op = parse_onionpacket(tmpctx, onion, sizeof(onion), &failcode);
228 if (!op)
229 errx(1, "Unparsable onion");
230
231 /* ss(r) = H(k(r) * E(r)) */
232 if (secp256k1_ecdh(secp256k1_ctx, ss.data, &blinding.pubkey,
233 privkey.secret.data, NULL, NULL) != 1)
234 abort();
235
236 subkey_from_hmac("rho", &ss, &rho);
237
238 /* b(i) = HMAC256("blinded_node_id", ss(i)) * k(i) */
239 subkey_from_hmac("blinded_node_id", &ss, &hmac);
240
241 /* We instead tweak the *ephemeral* key from the onion
242 * and use our raw privkey: this models how lightningd
243 * will do it, since hsmd knows only how to ECDH with
244 * our real key */
245 res = op->ephemeralkey;
246 if (!first) {
247 if (secp256k1_ec_pubkey_tweak_mul(secp256k1_ctx,
248 &res.pubkey,
249 hmac.data) != 1)
250 abort();
251 }
252
253 if (secp256k1_ecdh(secp256k1_ctx, onion_ss.data,
254 &res.pubkey,
255 privkey.secret.data, NULL, NULL) != 1)
256 abort();
257
258 rs = process_onionpacket(tmpctx, op, &onion_ss, NULL, 0, false);
259 if (!rs)
260 errx(1, "Could not process onionpacket");
261
262 cursor = rs->raw_payload;
263 max = tal_bytelen(cursor);
264 len = fromwire_bigsize(&cursor, &max);
265
266 /* Always true since we're non-legacy */
267 assert(len == max);
268 outer = tlv_onionmsg_payload_new(tmpctx);
269 if (!fromwire_onionmsg_payload(&cursor, &max, outer))
270 errx(1, "Invalid payload %s",
271 tal_hex(tmpctx, rs->raw_payload));
272
273 if (rs->nextcase == ONION_END) {
274 printf("TERMINAL\n");
275 return 0;
276 }
277
278 /* Look for enctlv */
279 if (!outer->enctlv)
280 errx(1, "No enctlv field");
281
282 if (tal_bytelen(outer->enctlv)
283 < crypto_aead_chacha20poly1305_ietf_ABYTES)
284 errx(1, "enctlv field too short");
285
286 dec = tal_arr(tmpctx, u8,
287 tal_bytelen(outer->enctlv)
288 - crypto_aead_chacha20poly1305_ietf_ABYTES);
289 ret = crypto_aead_chacha20poly1305_ietf_decrypt(dec, NULL,
290 NULL,
291 outer->enctlv,
292 tal_bytelen(outer->enctlv),
293 NULL, 0,
294 npub,
295 rho.data);
296 if (ret != 0)
297 errx(1, "Failed to decrypt enctlv field");
298
299 printf("Contents: %s\n", tal_hex(tmpctx, dec));
300
301 /* E(i-1) = H(E(i) || ss(i)) * E(i) */
302 blinding_hash_e_and_ss(&blinding, &ss, &h);
303 blinding_next_pubkey(&blinding, &h, &res);
304 printf("Next blinding: %s\n",
305 type_to_string(tmpctx, struct pubkey, &res));
306 printf("Next onion: %s\n", tal_hex(tmpctx, serialize_onionpacket(tmpctx, rs->next)));
307 } else
308 errx(1, "Either create or unwrap!");
309
310 common_shutdown();
311 }
312