multi: Support custom size onion packets

Onion messages allow for payloads that exceed 1300 bytes, in which case
the payload should become 32768 bytes. This commit introduces support
for those custom size packets and the tests for this feature.

NewOnionPacket now allows for a final variadic argument payloadSizes.
The sizes passed are then compared to the actual payload size of the
entire path, and the first value that fits the actual payload size will
then be used as the size of the routing info. We use this to fix the
size of onion messages at 1300 or 32768 bytes as suggested by BOLT-0004
but it can be used to fix the size at any value. If no values are passed
the func defaults to MaxRoutingPayloadSize.

MaxRoutingPayloadSize and MaxOnionMessagePayloadSize are exposed to
facilitate easy usage of this library.

sphinx_test now has a helper function to create onion messages of a
specified length. This helper is then used to test the handling of
packets larger than 1300 bytes specifically for onion messages.

Author: gijswijs

cmd/main.go

@@ -70,6 +70,13 @@ func main() {
 						"data.",
 					Value: defaultHopDataPath,
 				},
+				cli.IntFlag{
+					Name: "payload-size",
+					Usage: "The size for a payload for a " +
+						"single hop. Defaults to the " +
+						"max routing payload size",
+					Value: sphinx.MaxRoutingPayloadSize,
+				},
 			},
 		},
 		{
@@ -203,8 +210,10 @@ func generate(ctx *cli.Context) error {
 		return fmt.Errorf("could not peel onion spec: %v", err)
 	}
 
+	payloadSize := ctx.Int("payload-size")
 	msg, err := sphinx.NewOnionPacket(
 		path, sessionKey, assocData, sphinx.DeterministicPacketFiller,
+		sphinx.WithMaxPayloadSize(payloadSize),
 	)
 	if err != nil {
 		return fmt.Errorf("error creating message: %v", err)

error.go

@@ -24,9 +24,35 @@ var (
 	ErrInvalidOnionKey = fmt.Errorf("invalid onion key: pubkey isn't on " +
 		"secp256k1 curve")
 
-	// ErrLogEntryNotFound is an error returned when a packet lookup in a replay
-	// log fails because it is missing.
-	ErrLogEntryNotFound = fmt.Errorf("sphinx packet is not in log")
+	// ErrLogEntryNotFound is an error returned when a packet lookup in a
+	// replay log fails because it is missing.
+	ErrLogEntryNotFound = errors.New("sphinx packet is not in log")
+
+	// ErrPayloadSizeExceeded is returned when the payload size exceeds the
+	// configured payload size of the onion packet.
+	ErrPayloadSizeExceeded = errors.New("max payload size exceeded")
+
+	// ErrSharedSecretDerivation is returned when we fail to derive the
+	// shared secret for a hop.
+	ErrSharedSecretDerivation = errors.New("error generating shared secret")
+
+	// ErrMissingHMAC is returned when the onion packet is too small to
+	// contain a valid HMAC.
+	ErrMissingHMAC = errors.New("onion packet is too small, missing HMAC")
+
+	// ErrNegativeRoutingInfoSize is returned when a negative routing info
+	// size is specified in the Sphinx configuration.
+	ErrNegativeRoutingInfoSize = errors.New("routing info size must be " +
+		"non-negative")
+
+	// ErrNegativePayloadSize is returned when a negative payload size is
+	// specified in the Sphinx configuration.
+	ErrNegativePayloadSize = errors.New("payload size must be " +
+		"non-negative")
+
+	// ErrZeroHops is returned when attempting to create a route with zero
+	// hops.
+	ErrZeroHops = errors.New("route of length zero passed in")
 
 	// ErrIOReadFull is returned when an io read full operation fails.
 	ErrIOReadFull = errors.New("io read full error")

packetfiller.go

@@ -12,16 +12,17 @@ import (
 // in order to ensure we don't leak information on the true route length to the
 // receiver. The packet filler may also use the session key to generate a set
 // of filler bytes if it wishes to be deterministic.
-type PacketFiller func(*btcec.PrivateKey, *[routingInfoSize]byte) error
+type PacketFiller func(*btcec.PrivateKey, []byte) error
 
 // RandPacketFiller is a packet filler that reads a set of random bytes from a
 // CSPRNG.
-func RandPacketFiller(_ *btcec.PrivateKey, mixHeader *[routingInfoSize]byte) error {
+func RandPacketFiller(_ *btcec.PrivateKey, mixHeader []byte) error {
 	// Read out random bytes to fill out the rest of the starting packet
 	// after the hop payload for the final node. This mitigates a privacy
 	// leak that may reveal a lower bound on the true path length to the
 	// receiver.
-	if _, err := rand.Read(mixHeader[:]); err != nil {
+	_, err := rand.Read(mixHeader)
+	if err != nil {
 		return err
 	}
 
@@ -31,15 +32,15 @@ func RandPacketFiller(_ *btcec.PrivateKey, mixHeader *[routingInfoSize]byte) err
 // BlankPacketFiller is a packet filler that doesn't attempt to fill out the
 // packet at all. It should ONLY be used for generating test vectors or other
 // instances that required deterministic packet generation.
-func BlankPacketFiller(_ *btcec.PrivateKey, _ *[routingInfoSize]byte) error {
+func BlankPacketFiller(_ *btcec.PrivateKey, _ []byte) error {
 	return nil
 }
 
 // DeterministicPacketFiller is a packet filler that generates a deterministic
 // set of filler bytes by using chacha20 with a key derived from the session
 // key.
 func DeterministicPacketFiller(sessionKey *btcec.PrivateKey,
-	mixHeader *[routingInfoSize]byte) error {
+	mixHeader []byte) error {
 
 	// First, we'll generate a new key that'll be used to generate some
 	// random bytes for our padding purposes. To derive this new key, we
@@ -55,7 +56,8 @@ func DeterministicPacketFiller(sessionKey *btcec.PrivateKey,
 	if err != nil {
 		return err
 	}
-	padCipher.XORKeyStream(mixHeader[:], mixHeader[:])
+
+	padCipher.XORKeyStream(mixHeader, mixHeader)
 
 	return nil
 }