From c62f0cb6ff61ed427a57a4be23e6d423e7bc1860 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Wed, 6 Nov 2019 13:24:50 +1030
Subject: [PATCH] sphinx: fix potential data leak.

https://github.com/lightningnetwork/lightning-rfc/pull/697
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html

We generate it from an hmac using the session secret. It's not clear that this will be useful for reproducing test vectors though, since we don't generate the first 66 bytes, which is what the spec says to do.

Reported-by: @roasbeef
Signed-off-by: Rusty Russell
---
 common/sphinx.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/common/sphinx.c b/common/sphinx.c
index af2f96a76..5fe79a2f8 100644
--- a/common/sphinx.c
+++ b/common/sphinx.c
@@ -511,6 +511,7 @@ struct onionpacket *create_onionpacket(
 sphinx_hop_size(&sp->hops[num_hops - 1]);
 u8 filler[fillerSize];
 struct keyset keys;
+ u8 padkey[KEY_LEN];
 u8 nexthmac[HMAC_SIZE];
 u8 stream[ROUTING_INFO_SIZE];
 struct hop_params *params;
@@ -529,7 +530,16 @@ struct onionpacket *create_onionpacket(
 }
 packet->version = 0;
 memset(nexthmac, 0, HMAC_SIZE);
- memset(packet->routinginfo, 0, ROUTING_INFO_SIZE);
+
+ /* BOLT-e116441ee836447ac3f24cdca62bac1e0f223d5f #4:
+ *
+ * The packet is initialized with 1366 _random_ bytes derived from a
+ * CSPRNG.
+ */
+ /* Note that this is just hop_payloads: the rest of the packet is
+ * overwritten below or above anyway. */
+ generate_key(padkey, "pad", 3, sp->session_key->data);
+ generate_cipher_stream(stream, padkey, ROUTING_INFO_SIZE);
 generate_header_padding(filler, sizeof(filler), sp, params);
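Review bot: The new `u8 padkey[KEY_LEN];` in this hunk is stack-resident key material derived from the session secret, and nothing in view wipes it once the pad stream has been produced, so it outlives its single use until the frame is reused. After the last use I would add `explicit_bzero(padkey, sizeof(padkey));` (or whatever memzero helper this project already uses for secrets) so the derived key has the same lifetime discipline as the session key it comes from. The buffer is filled by `generate_key` in the following hunk and create_onionpacket's body continues past both hunks, so a wipe may already exist further down — worth confirming rather than assuming. Since `padkey` is a deterministic HMAC of `sp->session_key`, leaving it readable is equivalent to leaving a PRF output of the session key on the stack, which is why the cleanup is worth the one line.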