channeld: don't calculate blinding shared secret, let lightningd do it.

It's a premature optimization, and it make modifications more complex.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

channeld/channeld.c

@@ -1491,11 +1491,7 @@ static void marshall_htlc_info(const tal_t *ctx,
 			memcpy(a.onion_routing_packet,
 			       htlc->routing,
 			       sizeof(a.onion_routing_packet));
-			if (htlc->blinding) {
-				a.blinding = htlc->blinding;
-				ecdh(a.blinding, &a.blinding_ss);
-			} else
-				a.blinding = NULL;
+			a.blinding = htlc->blinding;
 			a.fail_immediate = htlc->fail_immediate;
 			tal_arr_expand(added, a);
 		} else if (htlc->state == RCVD_REMOVE_COMMIT) {

common/blindedpath.c

@@ -196,6 +196,10 @@ static struct tlv_encrypted_data_tlv *decrypt_encmsg(const tal_t *ctx,
 	 * - if the `enctlv` is not a valid TLV...
 	 *   - MUST drop the message.
 	 */
+	/* Note: our parser consider nothing is a valid TLV, but decrypt_encmsg_raw
+	 * returns NULL if it couldn't decrypt. */
+	if (!cursor)
+		return NULL;
 	return fromwire_tlv_encrypted_data_tlv(ctx, &cursor, &maxlen);
 }
 

common/htlc_wire.c

@@ -82,7 +82,6 @@ void towire_added_htlc(u8 **pptr, const struct added_htlc *added)
 	if (added->blinding) {
 		towire_bool(pptr, true);
 		towire_pubkey(pptr, added->blinding);
-		towire_secret(pptr, &added->blinding_ss);
 	} else
 		towire_bool(pptr, false);
 	towire_bool(pptr, added->fail_immediate);
@@ -184,7 +183,6 @@ void fromwire_added_htlc(const u8 **cursor, size_t *max,
 	if (fromwire_bool(cursor, max)) {
 		added->blinding = tal(added, struct pubkey);
 		fromwire_pubkey(cursor, max, added->blinding);
-		fromwire_secret(cursor, max, &added->blinding_ss);
 	} else
 		added->blinding = NULL;
 	added->fail_immediate = fromwire_bool(cursor, max);

common/htlc_wire.h

@@ -16,10 +16,7 @@ struct added_htlc {
 	u32 cltv_expiry;
 	u8 onion_routing_packet[TOTAL_PACKET_SIZE(ROUTING_INFO_SIZE)];
 	bool fail_immediate;
-
-	/* If this is non-NULL, secret is the resulting shared secret */
 	struct pubkey *blinding;
-	struct secret blinding_ss;
 };
 
 /* This is how lightningd tells us about HTLCs which already exist at startup */

common/onion.c

@@ -110,7 +110,6 @@ u8 *onion_final_hop(const tal_t *ctx,
 struct onion_payload *onion_decode(const tal_t *ctx,
 				   const struct route_step *rs,
 				   const struct pubkey *blinding,
-				   const struct secret *blinding_ss,
 				   const u64 *accepted_extra_tlvs,
 				   u64 *failtlvtype,
 				   size_t *failtlvpos)

common/onion.h

@@ -45,7 +45,6 @@ u8 *onion_final_hop(const tal_t *ctx,
  * @rs: the route_step, whose raw_payload is of at least length
  *       onion_payload_length().
  * @blinding: the optional incoming blinding point.
- * @blinding_ss: the shared secret derived from @blinding (iff that's non-NULL)
  * @accepted_extra_tlvs: Allow these types to be in the TLV without failing
  * @failtlvtype: (out) the tlv type which failed to parse.
  * @failtlvpos: (out) the offset in the tlv which failed to parse.
@@ -55,7 +54,6 @@ u8 *onion_final_hop(const tal_t *ctx,
 struct onion_payload *onion_decode(const tal_t *ctx,
 				   const struct route_step *rs,
 				   const struct pubkey *blinding,
-				   const struct secret *blinding_ss,
 				   const u64 *accepted_extra_tlvs,
 				   u64 *failtlvtype,
 				   size_t *failtlvpos);

lightningd/htlc_end.c

@@ -130,7 +130,6 @@ struct htlc_in *new_htlc_in(const tal_t *ctx,
 			    const struct sha256 *payment_hash,
 			    const struct secret *shared_secret TAKES,
 			    const struct pubkey *blinding TAKES,
-			    const struct secret *blinding_ss,
 			    const u8 *onion_routing_packet,
 			    bool fail_immediate)
 {
@@ -145,10 +144,9 @@ struct htlc_in *new_htlc_in(const tal_t *ctx,
 	hin->status = NULL;
 	hin->fail_immediate = fail_immediate;
 	hin->shared_secret = tal_dup_or_null(hin, struct secret, shared_secret);
-	if (blinding) {
+	if (blinding)
 		hin->blinding = tal_dup(hin, struct pubkey, blinding);
-		hin->blinding_ss = *blinding_ss;
-	} else
+	else
 		hin->blinding = NULL;
 	memcpy(hin->onion_routing_packet, onion_routing_packet,
 	       sizeof(hin->onion_routing_packet));

lightningd/htlc_end.h

@@ -48,8 +48,6 @@ struct htlc_in {
 
 	/* If it was blinded. */
 	struct pubkey *blinding;
-	/* Only set if blinding != NULL */
-	struct secret blinding_ss;
 	/* true if we supplied the preimage */
 	bool *we_filled;
 	/* true if we immediately fail the htlc (too much dust) */
@@ -159,7 +157,6 @@ struct htlc_in *new_htlc_in(const tal_t *ctx,
 			    const struct sha256 *payment_hash,
 			    const struct secret *shared_secret TAKES,
 			    const struct pubkey *blinding TAKES,
-			    const struct secret *blinding_ss,
 			    const u8 *onion_routing_packet,
 			    bool fail_immediate);
 

lightningd/peer_htlcs.c

@@ -931,7 +931,7 @@ static bool htlc_accepted_hook_deserialize(struct htlc_accepted_hook_payload *re
 
 		rs->raw_payload = prepend_length(rs, take(payload));
 		request->payload = onion_decode(request, rs,
-						hin->blinding, &hin->blinding_ss,
+						hin->blinding,
 						ld->accept_extra_tlv_types,
 						&request->failtlvtype,
 						&request->failtlvpos);
@@ -1137,7 +1137,6 @@ htlc_accepted_hook_final(struct htlc_accepted_hook_payload *request STEALS)
 /* Apply tweak to ephemeral key if blinding is non-NULL, then do ECDH */
 static bool ecdh_maybe_blinding(const struct pubkey *ephemeral_key,
 				const struct pubkey *blinding,
-				const struct secret *blinding_ss,
 				struct secret *ss)
 {
 	struct pubkey point = *ephemeral_key;
@@ -1145,9 +1144,11 @@ static bool ecdh_maybe_blinding(const struct pubkey *ephemeral_key,
 #if EXPERIMENTAL_FEATURES
 	if (blinding) {
 		struct secret hmac;
+		struct secret blinding_ss;
 
+		ecdh(blinding, &blinding_ss);
 		/* b(i) = HMAC256("blinded_node_id", ss(i)) * k(i) */
-		subkey_from_hmac("blinded_node_id", blinding_ss, &hmac);
+		subkey_from_hmac("blinded_node_id", &blinding_ss, &hmac);
 
 		/* We instead tweak the *ephemeral* key from the onion and use
 		 * our normal privkey: since hsmd knows only how to ECDH with
@@ -1312,7 +1313,7 @@ static bool peer_accepted_htlc(const tal_t *ctx,
 
 	hook_payload->route_step = tal_steal(hook_payload, rs);
 	hook_payload->payload = onion_decode(hook_payload, rs,
-					     hin->blinding, &hin->blinding_ss,
+					     hin->blinding,
 					     ld->accept_extra_tlv_types,
 					     &hook_payload->failtlvtype,
 					     &hook_payload->failtlvpos);
@@ -2069,7 +2070,7 @@ static bool channel_added_their_htlc(struct channel *channel,
 			       &failcode);
 	if (op) {
 		if (!ecdh_maybe_blinding(&op->ephemeralkey,
-					 added->blinding, &added->blinding_ss,
+					 added->blinding,
 					 &shared_secret)) {
 			log_debug(channel->log, "htlc %"PRIu64
 				  ": can't tweak pubkey", added->id);
@@ -2082,7 +2083,7 @@ static bool channel_added_their_htlc(struct channel *channel,
 	hin = new_htlc_in(channel, channel, added->id, added->amount,
 			  added->cltv_expiry, &added->payment_hash,
 			  op ? &shared_secret : NULL,
-			  added->blinding, &added->blinding_ss,
+			  added->blinding,
 			  added->onion_routing_packet,
 			  added->fail_immediate);
 

wallet/test/run-wallet.c

@@ -550,7 +550,6 @@ enum watch_result onchaind_funding_spent(struct channel *channel UNNEEDED,
 struct onion_payload *onion_decode(const tal_t *ctx UNNEEDED,
 				   const struct route_step *rs UNNEEDED,
 				   const struct pubkey *blinding UNNEEDED,
-				   const struct secret *blinding_ss UNNEEDED,
 				   const u64 *accepted_extra_tlvs UNNEEDED,
 				   u64 *failtlvtype UNNEEDED,
 				   size_t *failtlvpos UNNEEDED)