sphinx: Implemented sphinx onion routing

Implements a spec-compliant sphinx onion routing format. The format has
been cross-checked with the go implementation
cdecker/lightning-onion@b9e117e.

Makefile

@@ -25,7 +25,8 @@ FEATURES := $(BITCOIN_FEATURES)
 TEST_PROGRAMS :=				\
 	test/onion_key				\
 	test/test_protocol			\
-	test/test_onion
+	test/test_onion				\
+	test/test_sphinx
 
 BITCOIN_SRC :=					\
 	bitcoin/base58.c			\
@@ -38,6 +39,7 @@ BITCOIN_SRC :=					\
 	bitcoin/signature.c			\
 	bitcoin/tx.c				\
 	bitcoin/varint.c
+
 BITCOIN_OBJS := $(BITCOIN_SRC:.c=.o)
 
 CORE_SRC :=					\

daemon/sphinx.c

@@ -0,0 +1,526 @@
+#include "sphinx.h"
+#include <assert.h>
+
+#include <ccan/crypto/ripemd160/ripemd160.h>
+#include <ccan/crypto/sha256/sha256.h>
+#include <ccan/mem/mem.h>
+
+#include <err.h>
+
+#include <sodium/crypto_auth_hmacsha256.h>
+#include <sodium/crypto_stream_chacha20.h>
+
+#define BLINDING_FACTOR_SIZE 32
+#define SHARED_SECRET_SIZE 32
+#define NUM_STREAM_BYTES (2 * NUM_MAX_HOPS + 2) * SECURITY_PARAMETER
+#define KEY_LEN 32
+
+struct hop_params {
+	u8 secret[SHARED_SECRET_SIZE];
+	u8 blind[BLINDING_FACTOR_SIZE];
+	secp256k1_pubkey ephemeralkey;
+};
+
+struct keyset {
+	u8 pi[KEY_LEN];
+	u8 mu[KEY_LEN];
+	u8 rho[KEY_LEN];
+	u8 gamma[KEY_LEN];
+};
+
+/* Small helper to append data to a buffer and update the position
+ * into the buffer
+ */
+static void write_buffer(u8 *dst, const void *src, const size_t len, int *pos)
+{
+	memcpy(dst + *pos, src, len);
+	*pos += len;
+}
+
+/* Read len bytes from the source at position pos into dst and update
+ * the position pos accordingly.
+ */
+static void read_buffer(void *dst, const u8 *src, const size_t len, int *pos)
+{
+	memcpy(dst, src + *pos, len);
+	*pos += len;
+}
+
+u8 *serialize_onionpacket(
+	const tal_t *ctx,
+	const secp256k1_context *secpctx,
+	const struct onionpacket *m)
+{
+	u8 *dst = tal_arr(ctx, u8, TOTAL_PACKET_SIZE);
+
+	u8 der[33];
+	size_t outputlen = 33;
+	int p = 0;
+
+	secp256k1_ec_pubkey_serialize(secpctx,
+				      der,
+				      &outputlen,
+				      &m->ephemeralkey,
+				      SECP256K1_EC_COMPRESSED);
+
+	write_buffer(dst, &m->version, 1, &p);
+	write_buffer(dst, der, outputlen, &p);
+	write_buffer(dst, m->mac, sizeof(m->mac), &p);
+	write_buffer(dst, m->routinginfo, ROUTING_INFO_SIZE, &p);
+	write_buffer(dst, m->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE, &p);
+	write_buffer(dst, m->payload, MESSAGE_SIZE, &p);
+	return dst;
+}
+
+struct onionpacket *parse_onionpacket(
+	const tal_t *ctx,
+	const secp256k1_context *secpctx,
+	const void *src,
+	const size_t srclen
+	)
+{
+	struct onionpacket *m;
+	int p = 0;
+	u8 rawEphemeralkey[33];
+
+	if (srclen != TOTAL_PACKET_SIZE)
+		return NULL;
+
+	m = talz(ctx, struct onionpacket);
+
+	read_buffer(&m->version, src, 1, &p);
+	if (m->version != 0x01) {
+		// FIXME add logging
+		return NULL;
+	}
+	read_buffer(rawEphemeralkey, src, 33, &p);
+
+	if (secp256k1_ec_pubkey_parse(secpctx, &m->ephemeralkey, rawEphemeralkey, 33) != 1)
+		return NULL;
+
+	read_buffer(&m->mac, src, 20, &p);
+	read_buffer(&m->routinginfo, src, ROUTING_INFO_SIZE, &p);
+	read_buffer(&m->hoppayloads, src, TOTAL_HOP_PAYLOAD_SIZE, &p);
+	read_buffer(m->payload, src, MESSAGE_SIZE, &p);
+	return m;
+}
+
+static struct hoppayload *parse_hoppayload(const tal_t *ctx, u8 *src)
+{
+	int p = 0;
+	struct hoppayload *result = talz(ctx, struct hoppayload);
+
+	read_buffer(&result->realm, src, sizeof(&result->realm), &p);
+	read_buffer(&result->amount, src, sizeof(&result->amount), &p);
+	read_buffer(&result->remainder, src, sizeof(&result->remainder), &p);
+	return result;
+}
+
+static void serialize_hoppayload(u8 *dst, struct hoppayload *hp)
+{
+	int p = 0;
+
+	write_buffer(dst, &hp->realm, sizeof(&hp->realm), &p);
+	write_buffer(dst, &hp->amount, sizeof(&hp->amount), &p);
+	write_buffer(dst, &hp->remainder, sizeof(&hp->remainder), &p);
+}
+
+
+static void xorbytes(uint8_t *d, const uint8_t *a, const uint8_t *b, size_t len)
+{
+	size_t i = 0;
+
+	for (i = 0; i < len; i++)
+		d[i] = a[i] ^ b[i];
+}
+
+/*
+ * Encrypt a message `m` of length `mlen` with key `key` and store the
+ * ciphertext in `c`. `c` must be pre-allocated to at least `mlen` bytes.
+ */
+static void stream_encrypt(void *c, const void *m, const size_t mlen, const u8 *key)
+{
+	u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+
+	memcheck(c, mlen);
+	crypto_stream_chacha20_xor(c, m, mlen, nonce, key);
+}
+
+/*
+ * Decrypt a ciphertext `c` of length `clen` with key `key` and store the
+ * cleartext in `m`. `m` must be pre-allocated to at least `clen` bytes.
+ */
+static void stream_decrypt(void *m, const void *c, const size_t clen, const u8 *key)
+{
+	stream_encrypt(m, c, clen, key);
+}
+
+/*
+ * Generate a pseudo-random byte stream of length `dstlen` from key `k` and
+ * store it in `dst`. `dst must be at least `dstlen` bytes long.
+ */
+static void generate_cipher_stream(void *dst, const u8 *k, size_t dstlen)
+{
+	u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+
+	crypto_stream_chacha20(dst, dstlen, nonce, k);
+}
+
+static bool compute_hmac(
+	void *dst,
+	const void *src,
+	size_t len,
+	const void *key,
+	size_t keylen)
+{
+	crypto_auth_hmacsha256_state state;
+
+	crypto_auth_hmacsha256_init(&state, key, keylen);
+	crypto_auth_hmacsha256_update(&state, memcheck(src, len), len);
+	crypto_auth_hmacsha256_final(&state, dst);
+	return true;
+}
+
+static void compute_packet_hmac(struct onionpacket *packet, u8 *mukey, u8 *hmac)
+{
+	u8 mactemp[ROUTING_INFO_SIZE + TOTAL_HOP_PAYLOAD_SIZE + MESSAGE_SIZE];
+
+	memcpy(mactemp, packet->routinginfo, ROUTING_INFO_SIZE);
+	memcpy(mactemp + ROUTING_INFO_SIZE, packet->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE);
+	memcpy(mactemp + ROUTING_INFO_SIZE + TOTAL_HOP_PAYLOAD_SIZE, packet->payload, sizeof(packet->payload));
+	compute_hmac(hmac, mactemp, sizeof(mactemp), mukey, KEY_LEN);
+}
+
+static bool generate_key(void *k, const char *t, u8 tlen, const u8 *s)
+{
+	return compute_hmac(k, s, KEY_LEN, t, tlen);
+}
+
+static bool generate_header_padding(
+	void *dst, size_t dstlen,
+	const size_t hopsize,
+	const char *keytype,
+	size_t keytypelen,
+	const u8 numhops,
+	struct hop_params *params
+	)
+{
+	int i;
+	u8 cipher_stream[(NUM_MAX_HOPS + 1) * hopsize];
+	u8 key[KEY_LEN];
+
+	memset(dst, 0, dstlen);
+	for (i = 1; i < numhops; i++) {
+		if (!generate_key(&key, keytype, keytypelen, params[i - 1].secret))
+			return false;
+
+		generate_cipher_stream(cipher_stream, key, sizeof(cipher_stream));
+		int pos = ((NUM_MAX_HOPS - i) + 1) * hopsize;
+		xorbytes(dst, dst, cipher_stream + pos, sizeof(cipher_stream) - pos);
+	}
+	return true;
+}
+
+static void compute_blinding_factor(secp256k1_context *secpctx,
+				    secp256k1_pubkey *key,
+				    u8 sharedsecret[SHARED_SECRET_SIZE],
+				    u8 res[BLINDING_FACTOR_SIZE])
+{
+	struct sha256_ctx ctx;
+	u8 der[33];
+	size_t outputlen = 33;
+	struct sha256 temp;
+
+	secp256k1_ec_pubkey_serialize(secpctx, der, &outputlen, key,
+				      SECP256K1_EC_COMPRESSED);
+	sha256_init(&ctx);
+	sha256_update(&ctx, der, sizeof(der));
+	sha256_update(&ctx, sharedsecret, SHARED_SECRET_SIZE);
+	sha256_done(&ctx, &temp);
+	memcpy(res, &temp, 32);
+}
+
+static bool blind_group_element(
+	secp256k1_context *secpctx,
+	secp256k1_pubkey *blindedelement,
+	secp256k1_pubkey *pubkey,
+	u8 blind[BLINDING_FACTOR_SIZE])
+{
+	/* tweak_mul is inplace so copy first. */
+	if (pubkey != blindedelement)
+		memcpy(blindedelement, pubkey, sizeof(secp256k1_pubkey));
+	if (secp256k1_ec_pubkey_tweak_mul(secpctx, blindedelement, blind) != 1)
+		return false;
+	return true;
+}
+
+static bool create_shared_secret(
+	secp256k1_context *secpctx,
+	u8 *secret,
+	const secp256k1_pubkey *pubkey,
+	const u8 *sessionkey)
+{
+	/* Need to copy since tweak is in-place */
+	secp256k1_pubkey pkcopy;
+	u8 ecres[33];
+
+	memcpy(&pkcopy, pubkey, sizeof(pkcopy));
+
+	if (secp256k1_ec_pubkey_tweak_mul(secpctx, &pkcopy, sessionkey) != 1)
+		return false;
+
+	/* Serialize and strip first byte, this gives us the X coordinate */
+	size_t outputlen = 33;
+	secp256k1_ec_pubkey_serialize(secpctx, ecres, &outputlen,
+				      &pkcopy, SECP256K1_EC_COMPRESSED);
+	struct sha256 h;
+	sha256(&h, ecres + 1, sizeof(ecres) - 1);
+	memcpy(secret, &h, sizeof(h));
+	return true;
+}
+
+void pubkey_hash160(
+	const secp256k1_context *secpctx,
+	u8 *dst,
+	const struct pubkey *pubkey)
+{
+	struct ripemd160 r;
+	struct sha256 h;
+	u8 der[33];
+	size_t outputlen = 33;
+
+	secp256k1_ec_pubkey_serialize(secpctx,
+				      der,
+				      &outputlen,
+				      &pubkey->pubkey,
+				      SECP256K1_EC_COMPRESSED);
+	sha256(&h, der, sizeof(der));
+	ripemd160(&r, h.u.u8, sizeof(h));
+
+	memcpy(dst, r.u.u8, sizeof(r));
+}
+
+static void generate_key_set(u8 secret[SHARED_SECRET_SIZE], struct keyset *keys)
+{
+	generate_key(keys->rho, "rho", 3, secret);
+	generate_key(keys->pi, "pi", 2, secret);
+	generate_key(keys->mu, "mu", 2, secret);
+	generate_key(keys->gamma, "gamma", 5, secret);
+}
+
+static struct hop_params *generate_hop_params(
+	const tal_t *ctx,
+	secp256k1_context *secpctx,
+	const u8 *sessionkey,
+	struct pubkey path[])
+{
+	int i, j, num_hops = tal_count(path);
+	secp256k1_pubkey temp;
+	u8 blind[BLINDING_FACTOR_SIZE];
+	struct hop_params *params = tal_arr(ctx, struct hop_params, num_hops);
+
+	/* Initialize the first hop with the raw information */
+	if (secp256k1_ec_pubkey_create(
+		    secpctx, &params[0].ephemeralkey, sessionkey) != 1)
+		return NULL;
+
+	if (!create_shared_secret(
+		    secpctx, params[0].secret, &path[0].pubkey, sessionkey))
+		return NULL;
+
+	compute_blinding_factor(
+		secpctx, &params[0].ephemeralkey, params[0].secret,
+		params[0].blind);
+
+	/* Recursively compute all following ephemeral public keys,
+	 * secrets and blinding factors
+	 */
+	for (i = 1; i < num_hops; i++) {
+		if (!blind_group_element(
+			    secpctx, &params[i].ephemeralkey,
+			    &params[i - 1].ephemeralkey,
+			    params[i - 1].blind))
+			return NULL;
+
+		/* Blind this hop's point with all previous blinding factors
+		 * Order is indifferent, multiplication is commutative.
+		 */
+		memcpy(&blind, sessionkey, 32);
+		memcpy(&temp, &path[i], sizeof(temp));
+		if (!blind_group_element(secpctx, &temp, &temp, blind))
+			return NULL;
+		for (j = 0; j < i; j++)
+			if (!blind_group_element(
+				    secpctx,
+				    &temp,
+				    &temp,
+				    params[j].blind))
+				return NULL;
+
+		/* Now hash temp and store it. This requires us to
+		 * DER-serialize first and then skip the sign byte.
+		 */
+		u8 der[33];
+		size_t outputlen = 33;
+		secp256k1_ec_pubkey_serialize(
+			secpctx, der, &outputlen, &temp,
+			SECP256K1_EC_COMPRESSED);
+		struct sha256 h;
+		sha256(&h, der + 1, sizeof(der) - 1);
+		memcpy(&params[i].secret, &h, sizeof(h));
+
+		compute_blinding_factor(
+			secpctx, &params[i].ephemeralkey,
+			params[i].secret, params[i].blind);
+	}
+	return params;
+}
+
+struct onionpacket *create_onionpacket(
+	const tal_t *ctx,
+	secp256k1_context *secpctx,
+	struct pubkey *path,
+	struct hoppayload hoppayloads[],
+	const u8 *sessionkey,
+	const u8 *message,
+	const size_t messagelen
+	)
+{
+	struct onionpacket *packet = talz(ctx, struct onionpacket);
+	int i, num_hops = tal_count(path);
+	u8 filler[2 * (num_hops - 1) * SECURITY_PARAMETER];
+	u8 hopfiller[(num_hops - 1) * HOP_PAYLOAD_SIZE];
+	struct keyset keys;
+	u8 nextaddr[20], nexthmac[SECURITY_PARAMETER];
+	u8 stream[ROUTING_INFO_SIZE], hopstream[TOTAL_HOP_PAYLOAD_SIZE];
+	struct hop_params *params = generate_hop_params(ctx, secpctx, sessionkey, path);
+	u8 binhoppayloads[tal_count(path)][HOP_PAYLOAD_SIZE];
+
+	for (i = 0; i < num_hops; i++)
+		serialize_hoppayload(binhoppayloads[i], &hoppayloads[i]);
+
+	if (MESSAGE_SIZE > messagelen) {
+		memset(&packet->hoppayloads, 0, TOTAL_HOP_PAYLOAD_SIZE);
+		memset(&packet->payload, 0xFF, MESSAGE_SIZE);
+		memcpy(&packet->payload, message, messagelen);
+		packet->payload[messagelen] = 0x7f;
+	}
+
+	if (!params)
+		return NULL;
+	packet->version = 1;
+	memset(nextaddr, 0, 20);
+	memset(nexthmac, 0, 20);
+	memset(packet->routinginfo, 0, ROUTING_INFO_SIZE);
+
+	generate_header_padding(filler, sizeof(filler), 2 * SECURITY_PARAMETER,
+				"rho", 3, num_hops, params);
+	generate_header_padding(hopfiller, sizeof(hopfiller), HOP_PAYLOAD_SIZE,
+				"gamma", 5, num_hops, params);
+
+	for (i = num_hops - 1; i >= 0; i--) {
+		generate_key_set(params[i].secret, &keys);
+		generate_cipher_stream(stream, keys.rho, ROUTING_INFO_SIZE);
+
+		/* Rightshift mix-header by 2*SECURITY_PARAMETER */
+		memmove(packet->routinginfo + 2 * SECURITY_PARAMETER, packet->routinginfo,
+			ROUTING_INFO_SIZE - 2 * SECURITY_PARAMETER);
+		memcpy(packet->routinginfo, nextaddr, SECURITY_PARAMETER);
+		memcpy(packet->routinginfo + SECURITY_PARAMETER, nexthmac, SECURITY_PARAMETER);
+		xorbytes(packet->routinginfo, packet->routinginfo, stream, ROUTING_INFO_SIZE);
+
+		/* Rightshift hop-payloads and obfuscate */
+		memmove(packet->hoppayloads + HOP_PAYLOAD_SIZE, packet->hoppayloads,
+			TOTAL_HOP_PAYLOAD_SIZE - HOP_PAYLOAD_SIZE);
+		memcpy(packet->hoppayloads, binhoppayloads[i], HOP_PAYLOAD_SIZE);
+		generate_cipher_stream(hopstream, keys.gamma, TOTAL_HOP_PAYLOAD_SIZE);
+		xorbytes(packet->hoppayloads, packet->hoppayloads, hopstream,
+			 TOTAL_HOP_PAYLOAD_SIZE);
+
+		if (i == num_hops - 1) {
+			size_t len = (NUM_MAX_HOPS - num_hops + 1) * 2 * SECURITY_PARAMETER;
+			memcpy(packet->routinginfo + len, filler, sizeof(filler));
+			len = (NUM_MAX_HOPS - num_hops + 1) * HOP_PAYLOAD_SIZE;
+			memcpy(packet->hoppayloads + len, hopfiller, sizeof(hopfiller));
+		}
+
+		/* Obfuscate end-to-end payload */
+		stream_encrypt(packet->payload, packet->payload, sizeof(packet->payload), keys.pi);
+
+		compute_packet_hmac(packet, keys.mu, nexthmac);
+		pubkey_hash160(secpctx, nextaddr, &path[i]);
+	}
+	memcpy(packet->mac, nexthmac, sizeof(nexthmac));
+	memcpy(&packet->ephemeralkey, &params[0].ephemeralkey, sizeof(secp256k1_pubkey));
+	return packet;
+}
+
+/*
+ * Given a onionpacket msg extract the information for the current
+ * node and unwrap the remainder so that the node can forward it.
+ */
+struct route_step *process_onionpacket(
+	const tal_t *ctx,
+	secp256k1_context *secpctx,
+	struct onionpacket *msg,
+	struct privkey *hop_privkey
+	)
+{
+	struct route_step *step = talz(ctx, struct route_step);
+	u8 secret[SHARED_SECRET_SIZE];
+	u8 hmac[20];
+	struct keyset keys;
+	u8 paddedhoppayloads[TOTAL_HOP_PAYLOAD_SIZE + HOP_PAYLOAD_SIZE];
+	u8 hopstream[TOTAL_HOP_PAYLOAD_SIZE + HOP_PAYLOAD_SIZE];
+	u8 blind[BLINDING_FACTOR_SIZE];
+	u8 stream[NUM_STREAM_BYTES];
+	u8 paddedheader[ROUTING_INFO_SIZE + 2 * SECURITY_PARAMETER];
+
+	step->next = talz(ctx, struct onionpacket);
+	step->next->version = msg->version;
+	create_shared_secret(secpctx, secret, &msg->ephemeralkey, hop_privkey->secret);
+	generate_key_set(secret, &keys);
+
+	compute_packet_hmac(msg, keys.mu, hmac);
+
+	if (memcmp(msg->mac, hmac, sizeof(hmac)) != 0) {
+		warnx("Computed MAC does not match expected MAC, the message was modified.");
+		return NULL;
+	}
+
+	//FIXME:store seen secrets to avoid replay attacks
+	generate_cipher_stream(stream, keys.rho, sizeof(stream));
+
+	memset(paddedheader, 0, sizeof(paddedheader));
+	memcpy(paddedheader, msg->routinginfo, ROUTING_INFO_SIZE);
+	xorbytes(paddedheader, paddedheader, stream, sizeof(stream));
+
+	/* Extract the per-hop payload */
+	generate_cipher_stream(hopstream, keys.gamma, sizeof(hopstream));
+
+	memset(paddedhoppayloads, 0, sizeof(paddedhoppayloads));
+	memcpy(paddedhoppayloads, msg->hoppayloads, TOTAL_HOP_PAYLOAD_SIZE);
+	xorbytes(paddedhoppayloads, paddedhoppayloads, hopstream, sizeof(hopstream));
+	step->hoppayload = parse_hoppayload(step, paddedhoppayloads);
+	memcpy(&step->next->hoppayloads, paddedhoppayloads + HOP_PAYLOAD_SIZE,
+	       TOTAL_HOP_PAYLOAD_SIZE);
+
+	compute_blinding_factor(secpctx, &msg->ephemeralkey, secret, blind);
+	if (!blind_group_element(secpctx, &step->next->ephemeralkey, &msg->ephemeralkey, blind))
+		return NULL;
+	memcpy(&step->next->nexthop, paddedheader, SECURITY_PARAMETER);
+	memcpy(&step->next->mac,
+	       paddedheader + SECURITY_PARAMETER,
+	       SECURITY_PARAMETER);
+
+	stream_decrypt(step->next->payload, msg->payload, sizeof(msg->payload), keys.pi);
+	memcpy(&step->next->routinginfo, paddedheader + 2 * SECURITY_PARAMETER, ROUTING_INFO_SIZE);
+
+	if (memeqzero(step->next->mac, sizeof(&step->next->mac))) {
+		step->nextcase = ONION_END;
+	} else {
+		step->nextcase = ONION_FORWARD;
+	}
+
+	return step;
+}

daemon/sphinx.h

@@ -0,0 +1,126 @@
+#ifndef LIGHTNING_DAEMON_SPHINX_H
+#define LIGHTNING_DAEMON_SPHINX_H
+
+#include "config.h"
+#include "bitcoin/privkey.h"
+#include "bitcoin/pubkey.h"
+
+#include <ccan/short_types/short_types.h>
+#include <ccan/tal/tal.h>
+#include <secp256k1.h>
+#include <sodium/randombytes.h>
+
+#define SECURITY_PARAMETER 20
+#define NUM_MAX_HOPS 20
+#define HOP_PAYLOAD_SIZE 20
+#define TOTAL_HOP_PAYLOAD_SIZE NUM_MAX_HOPS * HOP_PAYLOAD_SIZE
+#define MESSAGE_SIZE 0
+#define ROUTING_INFO_SIZE 2 * NUM_MAX_HOPS * SECURITY_PARAMETER
+#define TOTAL_PACKET_SIZE 1 + 33 + SECURITY_PARAMETER + ROUTING_INFO_SIZE + \
+	TOTAL_HOP_PAYLOAD_SIZE + MESSAGE_SIZE
+
+struct onionpacket {
+	/* Cleartext information */
+	u8 version;
+	u8 nexthop[20];
+	u8 mac[20];
+	secp256k1_pubkey ephemeralkey;
+
+	/* Encrypted information */
+	u8 routinginfo[ROUTING_INFO_SIZE];
+	u8 hoppayloads[TOTAL_HOP_PAYLOAD_SIZE];
+	u8 payload[MESSAGE_SIZE];
+};
+
+enum route_next_case {
+	ONION_END = 0,
+	ONION_FORWARD = 1,
+};
+
+struct hoppayload {
+	u8 realm;
+	u64 amount;
+	u8 remainder[11];
+};
+
+struct route_step {
+	enum route_next_case nextcase;
+	struct onionpacket *next;
+	u8 *payload;
+	struct hoppayload *hoppayload;
+};
+
+/**
+ * create_onionpacket - Create a new onionpacket that can be routed
+ * over a path of intermediate nodes.
+ *
+ * @ctx: tal context to allocate from
+ * @secpctx: the secp256k1_context for EC operations
+ * @path: public keys of nodes along the path.
+ * @hoppayloads: payloads destined for individual hosts (limited to
+ *    HOP_PAYLOAD_SIZE bytes)
+ * @num_hops: path length in nodes
+ * @sessionkey: 20 byte random session key to derive secrets from
+ * @message: end-to-end payload destined for the final recipient
+ * @messagelen: length of @message
+ */
+struct onionpacket *create_onionpacket(
+	const tal_t * ctx,
+	secp256k1_context * secpctx,
+	struct pubkey path[],
+	struct hoppayload hoppayloads[],
+	const u8 * sessionkey,
+	const u8 * message,
+	const size_t messagelen
+	);
+
+/**
+ * process_onionpacket - process an incoming packet by stripping one
+ * onion layer and return the packet for the next hop.
+ *
+ * @ctx: tal context to allocate from
+ * @secpctx: the secp256k1_context for EC operations
+ * @packet: incoming packet being processed
+ * @hop_privkey: the processing node's private key to decrypt the packet
+ * @hoppayload: the per-hop payload destined for the processing node.
+ */
+struct route_step *process_onionpacket(
+	const tal_t * ctx,
+	secp256k1_context * secpctx,
+	struct onionpacket *packet,
+	struct privkey *hop_privkey
+	);
+
+/**
+ * serialize_onionpacket - Serialize an onionpacket to a buffer.
+ *
+ * @ctx: tal context to allocate from
+ * @secpctx: the secp256k1_context for EC operations
+ * @packet: the packet to serialize
+ */
+u8 *serialize_onionpacket(
+	const tal_t *ctx,
+	const secp256k1_context *secpctx,
+	const struct onionpacket *packet);
+
+/**
+ * parese_onionpacket - Parse an onionpacket from a buffer.
+ *
+ * @ctx: tal context to allocate from
+ * @secpctx: the secp256k1_context for EC operations
+ * @src: buffer to read the packet from
+ * @srclen: length of the @src
+ */
+struct onionpacket *parse_onionpacket(
+	const tal_t *ctx,
+	const secp256k1_context *secpctx,
+	const void *src,
+	const size_t srclen
+	);
+
+void pubkey_hash160(
+	const secp256k1_context *secpctx,
+	u8 *dst,
+	const struct pubkey *pubkey);
+
+#endif /* LIGHTNING_DAEMON_SPHINX_H */

test/test_sphinx.c

@@ -0,0 +1,106 @@
+#include <secp256k1.h>
+#include <ccan/opt/opt.h>
+#include <ccan/short_types/short_types.h>
+#include <string.h>
+#include <ccan/str/hex/hex.h>
+#include <ccan/read_write_all/read_write_all.h>
+#include <err.h>
+#include <stdio.h>
+#include <assert.h>
+#include <unistd.h>
+
+#include "daemon/sphinx.h"
+#include "daemon/sphinx.c"
+
+int main(int argc, char **argv)
+{
+	bool generate = false, decode = false;
+	secp256k1_context *secpctx = secp256k1_context_create(
+		SECP256K1_CONTEXT_VERIFY | SECP256K1_CONTEXT_SIGN);
+	const tal_t *ctx = talz(NULL, tal_t);
+
+	opt_register_noarg("--help|-h", opt_usage_and_exit,
+			   "--generate <pubkey1> <pubkey2>... OR\n"
+			   "--decode <privkey>\n"
+			   "Either create an onion message, or decode one step",
+			   "Print this message.");
+	opt_register_noarg("--generate",
+			   opt_set_bool, &generate,
+			   "Generate onion through the given hex pubkeys");
+	opt_register_noarg("--decode",
+			   opt_set_bool, &decode,
+			   "Decode onion from stdin given the private key");
+
+	opt_parse(&argc, argv, opt_log_stderr_exit);
+
+	if (generate) {
+		int num_hops = argc - 1;
+		struct pubkey *path = tal_arr(ctx, struct pubkey, num_hops);
+		u8 privkeys[argc - 1][32];
+		u8 sessionkey[32];
+
+		memset(&sessionkey, 'A', sizeof(sessionkey));
+
+		int i;
+		for (i = 0; i < num_hops; i++) {
+			hex_decode(argv[1 + i], 66, privkeys[i], 33);
+			if (secp256k1_ec_pubkey_create(secpctx, &path[i].pubkey, privkeys[i]) != 1)
+				return 1;
+		}
+
+		struct hoppayload *hoppayloads = tal_arr(ctx, struct hoppayload, num_hops);
+		for (i=0; i<num_hops; i++)
+			memset(&hoppayloads[i], 'A', sizeof(hoppayloads[i]));
+
+		struct onionpacket *res = create_onionpacket(ctx, secpctx,
+				   path,
+				   hoppayloads,
+				   sessionkey,
+				   (u8*)"testing",
+				   7);
+
+		u8 *serialized = serialize_onionpacket(ctx, secpctx, res);
+		if (!serialized)
+			errx(1, "Error serializing message.");
+
+		char hextemp[2 * tal_count(serialized) + 1];
+		hex_encode(serialized, tal_count(serialized), hextemp, sizeof(hextemp));
+		printf("%s\n", hextemp);
+
+	} else if (decode) {
+		struct route_step *step;
+		struct onionpacket *msg;
+		struct privkey seckey;
+		const tal_t *ctx = talz(NULL, tal_t);
+		u8 serialized[TOTAL_PACKET_SIZE];
+		char hextemp[2 * sizeof(serialized) + 1];
+		memset(hextemp, 0, sizeof(hextemp));
+
+		if (argc != 2)
+			opt_usage_exit_fail("Expect a privkey with --decode");
+		if (!hex_decode(argv[1], strlen(argv[1]), &seckey, sizeof(seckey)))
+			errx(1, "Invalid private key hex '%s'", argv[1]);
+		if (!read_all(STDIN_FILENO, hextemp, sizeof(hextemp)))
+			errx(1, "Reading in onion");
+		hex_decode(hextemp, sizeof(hextemp), serialized, sizeof(serialized));
+
+		msg = parse_onionpacket(ctx, secpctx, serialized, sizeof(serialized));
+		if (!msg)
+			errx(1, "Error parsing message.");
+
+		step = process_onionpacket(ctx, secpctx, msg, &seckey);
+
+		if (!step->next)
+			errx(1, "Error processing message.");
+
+		u8 *ser = serialize_onionpacket(ctx, secpctx, step->next);
+		if (!ser)
+			errx(1, "Error serializing message.");
+
+		hex_encode(ser, tal_count(ser), hextemp, sizeof(hextemp));
+		printf("%s\n", hextemp);
+	}
+	secp256k1_context_destroy(secpctx);
+	tal_free(ctx);
+	return 0;
+}