multi: Support jumbo size om packets

Onion messages allow for payloads that exceed 1300 bytes, in which case
the payload should become 32768 bytes. This commit introduces support
for those jumbo packets.

Author: gijswijs

cmd/main.go

@@ -70,6 +70,12 @@ func main() {
 						"data.",
 					Value: defaultHopDataPath,
 				},
+				cli.BoolFlag{
+					Name: "onion-message",
+					Usage: "Create an onion message " +
+						"packet rather than a " +
+						"payment onion.",
+				},
 			},
 		},
 		{
@@ -203,8 +209,14 @@ func generate(ctx *cli.Context) error {
 		return fmt.Errorf("could not peel onion spec: %v", err)
 	}
 
+	var onionOpts []sphinx.OnionPacketOption
+	if ctx.Bool("onion-message") {
+		onionOpts = append(onionOpts, sphinx.WithOnionMessage())
+	}
+
 	msg, err := sphinx.NewOnionPacket(
 		path, sessionKey, assocData, sphinx.DeterministicPacketFiller,
+		onionOpts...,
 	)
 	if err != nil {
 		return fmt.Errorf("error creating message: %v", err)

packetfiller.go

@@ -12,16 +12,16 @@ import (
 // in order to ensure we don't leak information on the true route length to the
 // receiver. The packet filler may also use the session key to generate a set
 // of filler bytes if it wishes to be deterministic.
-type PacketFiller func(*btcec.PrivateKey, *[routingInfoSize]byte) error
+type PacketFiller func(*btcec.PrivateKey, []byte) error
 
 // RandPacketFiller is a packet filler that reads a set of random bytes from a
 // CSPRNG.
-func RandPacketFiller(_ *btcec.PrivateKey, mixHeader *[routingInfoSize]byte) error {
+func RandPacketFiller(_ *btcec.PrivateKey, mixHeader []byte) error {
 	// Read out random bytes to fill out the rest of the starting packet
 	// after the hop payload for the final node. This mitigates a privacy
 	// leak that may reveal a lower bound on the true path length to the
 	// receiver.
-	if _, err := rand.Read(mixHeader[:]); err != nil {
+	if _, err := rand.Read(mixHeader); err != nil {
 		return err
 	}
 
@@ -31,15 +31,15 @@ func RandPacketFiller(_ *btcec.PrivateKey, mixHeader *[routingInfoSize]byte) err
 // BlankPacketFiller is a packet filler that doesn't attempt to fill out the
 // packet at all. It should ONLY be used for generating test vectors or other
 // instances that required deterministic packet generation.
-func BlankPacketFiller(_ *btcec.PrivateKey, _ *[routingInfoSize]byte) error {
+func BlankPacketFiller(_ *btcec.PrivateKey, _ []byte) error {
 	return nil
 }
 
 // DeterministicPacketFiller is a packet filler that generates a deterministic
 // set of filler bytes by using chacha20 with a key derived from the session
 // key.
 func DeterministicPacketFiller(sessionKey *btcec.PrivateKey,
-	mixHeader *[routingInfoSize]byte) error {
+	mixHeader []byte) error {
 
 	// First, we'll generate a new key that'll be used to generate some
 	// random bytes for our padding purposes. To derive this new key, we
@@ -55,7 +55,7 @@ func DeterministicPacketFiller(sessionKey *btcec.PrivateKey,
 	if err != nil {
 		return err
 	}
-	padCipher.XORKeyStream(mixHeader[:], mixHeader[:])
+	padCipher.XORKeyStream(mixHeader, mixHeader)
 
 	return nil
 }

sphinx.go

@@ -41,26 +41,13 @@ const (
 	LegacyHopDataSize = (RealmByteSize + AddressSize + AmtForwardSize +
 		OutgoingCLTVSize + NumPaddingBytes + HMACSize)
 
-	// MaxPayloadSize is the maximum size a payload for a single hop can be.
-	// This is the worst case scenario of a single hop, consuming all
-	// available space. We need to know this in order to generate a
-	// sufficiently long stream of pseudo-random bytes when
-	// encrypting/decrypting the payload.
-	MaxPayloadSize = routingInfoSize
-
-	// routingInfoSize is the fixed size of the the routing info. This
-	// consists of a addressSize byte address and a HMACSize byte HMAC for
-	// each hop of the route, the first pair in cleartext and the following
-	// pairs increasingly obfuscated. If not all space is used up, the
-	// remainder is padded with null-bytes, also obfuscated.
-	routingInfoSize = 1300
-
-	// numStreamBytes is the number of bytes produced by our CSPRG for the
-	// key stream implementing our stream cipher to encrypt/decrypt the mix
-	// header. The MaxPayloadSize bytes at the end are used to
-	// encrypt/decrypt the fillers when processing the packet of generating
-	// the HMACs when creating the packet.
-	numStreamBytes = routingInfoSize * 2
+	// StandardRoutingInfoSize is the size of the routing info for a standard
+	// onion packet.
+	StandardRoutingInfoSize = 1300
+
+	// JumboRoutingInfoSize is the size of the routing info for a jumbo
+	// onion packet.
+	JumboRoutingInfoSize = 32768
 
 	// keyLen is the length of the keys used to generate cipher streams and
 	// encrypt payloads. Since we use SHA256 to generate the keys, the
@@ -72,8 +59,15 @@ const (
 )
 
 var (
-	ErrMaxRoutingInfoSizeExceeded = fmt.Errorf(
-		"max routing info size of %v bytes exceeded", routingInfoSize)
+	ErrStandardRoutingInfoSizeExceeded = fmt.Errorf(
+		"max routing info size of %v bytes exceeded",
+		StandardRoutingInfoSize,
+	)
+
+	ErrJumboRoutingInfoSizeExceeded = fmt.Errorf(
+		"max onion message routing info size of %v bytes exceeded",
+		JumboRoutingInfoSize,
+	)
 )
 
 // OnionPacket is the onion wrapped hop-to-hop routing information necessary to
@@ -102,7 +96,7 @@ type OnionPacket struct {
 	// RoutingInfo is the full routing information for this onion packet.
 	// This encodes all the forwarding instructions for this current hop
 	// and all the hops in the route.
-	RoutingInfo [routingInfoSize]byte
+	RoutingInfo []byte
 
 	// HeaderMAC is an HMAC computed with the shared secret of the routing
 	// data and the associated data for this route. Including the
@@ -190,14 +184,54 @@ func generateSharedSecrets(paymentPath []*btcec.PublicKey,
 	return hopSharedSecrets, lastEphemeralPubKey, nil
 }
 
+// onionPacketCfg is a struct that holds the configuration for creating a new
+// onion packet.
+type onionPacketCfg struct {
+	isOnionMessage bool
+}
+
+// OnionPacketOption is a function that can be used to modify the onion packet
+// configuration.
+type OnionPacketOption func(*onionPacketCfg)
+
+// WithOnionMessage is a functional option that signals that the onion packet
+// being created is an onion message.
+func WithOnionMessage() OnionPacketOption {
+	return func(cfg *onionPacketCfg) {
+		cfg.isOnionMessage = true
+	}
+}
+
 // NewOnionPacket creates a new onion packet which is capable of obliviously
 // routing a message through the mix-net path outline by 'paymentPath'.
 func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
-	assocData []byte, pktFiller PacketFiller) (*OnionPacket, error) {
+	assocData []byte, pktFiller PacketFiller,
+	opts ...OnionPacketOption) (*OnionPacket, error) {
+
+	cfg := &onionPacketCfg{}
+	for _, o := range opts {
+		o(cfg)
+	}
+
+	totalPayloadSize := paymentPath.TotalPayloadSize()
+
+	var routingInfoLen int
+	maxRoutingInfoErr := ErrStandardRoutingInfoSizeExceeded
+	if cfg.isOnionMessage {
+		switch {
+		case totalPayloadSize <= StandardRoutingInfoSize:
+			routingInfoLen = StandardRoutingInfoSize
+		default:
+			routingInfoLen = JumboRoutingInfoSize
+			maxRoutingInfoErr = ErrJumboRoutingInfoSizeExceeded
+		}
+	} else {
+		routingInfoLen = StandardRoutingInfoSize
+	}
 
 	// Check whether total payload size doesn't exceed the hard maximum.
-	if paymentPath.TotalPayloadSize() > routingInfoSize {
-		return nil, ErrMaxRoutingInfoSizeExceeded
+	if totalPayloadSize > routingInfoLen {
+		return nil, maxRoutingInfoErr
 	}
 
 	// If we don't actually have a partially populated route, then we'll
@@ -207,6 +241,20 @@ func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
 		return nil, fmt.Errorf("route of length zero passed in")
 	}
 
+	// Before we proceed, we'll check that the payload types of each hop
+	// in the payment path match the type of onion packet we're creating.
+	for i := 0; i < numHops; i++ {
+		hopPayload := (*paymentPath)[i].HopPayload
+		isLegacy := hopPayload.Type == PayloadLegacy
+
+		// If this is an onion message, we only expect TLV
+		// payloads.
+		if cfg.isOnionMessage && isLegacy {
+			return nil, fmt.Errorf("hop %d has legacy payload, "+
+				"but onion messages require TLV", i)
+		}
+	}
+
 	// We'll force the caller to provide a packet filler, as otherwise we
 	// may default to an insecure filling method (which should only really
 	// be used to generate test vectors).
@@ -222,18 +270,20 @@ func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
 	}
 
 	// Generate the padding, called "filler strings" in the paper.
-	filler := generateHeaderPadding("rho", paymentPath, hopSharedSecrets)
+	filler := generateHeaderPadding(
+		"rho", paymentPath, hopSharedSecrets, routingInfoLen,
+	)
 
 	// Allocate zero'd out byte slices to store the final mix header packet
 	// and the hmac for each hop.
 	var (
-		mixHeader     [routingInfoSize]byte
+		mixHeader     = make([]byte, routingInfoLen)
 		nextHmac      [HMACSize]byte
 		hopPayloadBuf bytes.Buffer
 	)
 
 	// Fill the packet using the caller specified methodology.
-	if err := pktFiller(sessionKey, &mixHeader); err != nil {
+	if err := pktFiller(sessionKey, mixHeader); err != nil {
 		return nil, err
 	}
 
@@ -254,26 +304,26 @@ func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
 		// Next, using the key dedicated for our stream cipher, we'll
 		// generate enough bytes to obfuscate this layer of the onion
 		// packet.
-		streamBytes := generateCipherStream(rhoKey, routingInfoSize)
+		streamBytes := generateCipherStream(rhoKey, uint(routingInfoLen))
 		payload := paymentPath[i].HopPayload
 
 		// Before we assemble the packet, we'll shift the current
 		// mix-header to the right in order to make room for this next
 		// per-hop data.
 		shiftSize := payload.NumBytes()
-		rightShift(mixHeader[:], shiftSize)
+		rightShift(mixHeader, shiftSize)
 
 		err := payload.Encode(&hopPayloadBuf)
 		if err != nil {
 			return nil, err
 		}
 
-		copy(mixHeader[:], hopPayloadBuf.Bytes())
+		copy(mixHeader, hopPayloadBuf.Bytes())
 
 		// Once the packet for this hop has been assembled, we'll
 		// re-encrypt the packet by XOR'ing with a stream of bytes
 		// generated using our shared secret.
-		xor(mixHeader[:], mixHeader[:], streamBytes[:])
+		xor(mixHeader, mixHeader, streamBytes)
 
 		// If this is the "last" hop, then we'll override the tail of
 		// the hop data.
@@ -285,7 +335,7 @@ func NewOnionPacket(paymentPath *PaymentPath, sessionKey *btcec.PrivateKey,
 		// calculating the MAC, we'll also include the optional
 		// associated data which can allow higher level applications to
 		// prevent replay attacks.
-		packet := append(mixHeader[:], assocData...)
+		packet := append(mixHeader, assocData...)
 		nextHmac = calcMac(muKey, packet)
 
 		hopPayloadBuf.Reset()
@@ -322,7 +372,8 @@ func rightShift(slice []byte, num int) {
 // leaving only the original "filler" bytes produced by this function at the
 // last hop.  Using this methodology, the size of the field stays constant at
 // each hop.
-func generateHeaderPadding(key string, path *PaymentPath, sharedSecrets []Hash256) []byte {
+func generateHeaderPadding(key string, path *PaymentPath,
+	sharedSecrets []Hash256, routingInfoLen int) []byte {
 	numHops := path.TrueRouteLength()
 
 	// We have to generate a filler that matches all but the last hop (the
@@ -332,18 +383,18 @@ func generateHeaderPadding(key string, path *PaymentPath, sharedSecrets []Hash25
 
 	for i := 0; i < numHops-1; i++ {
 		// Sum up how many frames were used by prior hops.
-		fillerStart := routingInfoSize
+		fillerStart := routingInfoLen
 		for _, p := range path[:i] {
 			fillerStart -= p.HopPayload.NumBytes()
 		}
 
 		// The filler is the part dangling off of the end of the
 		// routingInfo, so offset it from there, and use the current
 		// hop's frame count as its size.
-		fillerEnd := routingInfoSize + path[i].HopPayload.NumBytes()
+		fillerEnd := routingInfoLen + path[i].HopPayload.NumBytes()
 
 		streamKey := generateKey(key, &sharedSecrets[i])
-		streamBytes := generateCipherStream(streamKey, numStreamBytes)
+		streamBytes := generateCipherStream(streamKey, uint(routingInfoLen*2))
 
 		xor(filler, filler, streamBytes[fillerStart:fillerEnd])
 	}
@@ -365,7 +416,7 @@ func (f *OnionPacket) Encode(w io.Writer) error {
 		return err
 	}
 
-	if _, err := w.Write(f.RoutingInfo[:]); err != nil {
+	if _, err := w.Write(f.RoutingInfo); err != nil {
 		return err
 	}
 
@@ -404,14 +455,24 @@ func (f *OnionPacket) Decode(r io.Reader) error {
 		return ErrInvalidOnionKey
 	}
 
-	if _, err := io.ReadFull(r, f.RoutingInfo[:]); err != nil {
+	// To figure out the length of the routing info, we'll read all the
+	// remaining bytes from the reader.
+	routingInfoAndMAC, err := io.ReadAll(r)
+	if err != nil {
 		return err
 	}
 
-	if _, err := io.ReadFull(r, f.HeaderMAC[:]); err != nil {
-		return err
+	// The packet must have at least enough bytes for the HMAC.
+	if len(routingInfoAndMAC) < HMACSize {
+		return fmt.Errorf("onion packet is too small, missing HMAC")
 	}
 
+	// With the remainder of the packet read, we can now properly slice the
+	// routing information and the MAC.
+	routingInfoLen := len(routingInfoAndMAC) - HMACSize
+	f.RoutingInfo = routingInfoAndMAC[:routingInfoLen]
+	copy(f.HeaderMAC[:], routingInfoAndMAC[routingInfoLen:])
+
 	return nil
 }
 
@@ -644,11 +705,12 @@ func unwrapPacket(onionPkt *OnionPacket, sharedSecret *Hash256,
 	dhKey := onionPkt.EphemeralKey
 	routeInfo := onionPkt.RoutingInfo
 	headerMac := onionPkt.HeaderMAC
+	routingInfoLen := len(routeInfo)
 
 	// Using the derived shared secret, ensure the integrity of the routing
 	// information by checking the attached MAC without leaking timing
 	// information.
-	message := append(routeInfo[:], assocData...)
+	message := append(routeInfo, assocData...)
 	calculatedMac := calcMac(generateKey("mu", sharedSecret), message)
 	if !hmac.Equal(headerMac[:], calculatedMac[:]) {
 		return nil, nil, ErrInvalidOnionHMAC
@@ -658,13 +720,13 @@ func unwrapPacket(onionPkt *OnionPacket, sharedSecret *Hash256,
 	// layer off the routing info revealing the routing information for the
 	// next hop.
 	streamBytes := generateCipherStream(
-		generateKey("rho", sharedSecret), numStreamBytes,
+		generateKey("rho", sharedSecret), uint(routingInfoLen*2),
 	)
-	zeroBytes := bytes.Repeat([]byte{0}, MaxPayloadSize)
-	headerWithPadding := append(routeInfo[:], zeroBytes...)
+	zeroBytes := bytes.Repeat([]byte{0}, routingInfoLen)
+	headerWithPadding := append(routeInfo, zeroBytes...)
 
-	var hopInfo [numStreamBytes]byte
-	xor(hopInfo[:], headerWithPadding, streamBytes)
+	hopInfo := make([]byte, routingInfoLen*2)
+	xor(hopInfo, headerWithPadding, streamBytes)
 
 	// Randomize the DH group element for the next hop using the
 	// deterministic blinding factor.
@@ -675,15 +737,15 @@ func unwrapPacket(onionPkt *OnionPacket, sharedSecret *Hash256,
 	// out the payload so we can derive the specified forwarding
 	// instructions.
 	var hopPayload HopPayload
-	err := hopPayload.Decode(bytes.NewReader(hopInfo[:]), isOnionMessage)
+	err := hopPayload.Decode(bytes.NewReader(hopInfo), isOnionMessage)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	// With the necessary items extracted, we'll copy of the onion packet
 	// for the next node, snipping off our per-hop data.
-	var nextMixHeader [routingInfoSize]byte
-	copy(nextMixHeader[:], hopInfo[hopPayload.NumBytes():])
+	var nextMixHeader = make([]byte, routingInfoLen)
+	copy(nextMixHeader, hopInfo[hopPayload.NumBytes():])
 	innerPkt := &OnionPacket{
 		Version:      onionPkt.Version,
 		EphemeralKey: nextDHKey,