sphinx: fix potential data leak.

lightning/bolts#697 https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-November/002288.html We generate it from an hmac using the session secret. It's not clear that this will be useful for reproducing test vectors though, since we don't generate the first 66 bytes, which is what the spec says to do. Reported-by: @Roasbeef Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
ElementsProject · Nov 8, 2019 · c62f0cb · c62f0cb
1 parent 2081237
commit c62f0cb
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/common/sphinx.c b/common/sphinx.c
@@ -511,6 +511,7 @@ struct onionpacket *create_onionpacket(
 			      sphinx_hop_size(&sp->hops[num_hops - 1]);
 	u8 filler[fillerSize];
 	struct keyset keys;
+	u8 padkey[KEY_LEN];
 	u8 nexthmac[HMAC_SIZE];
 	u8 stream[ROUTING_INFO_SIZE];
 	struct hop_params *params;
@@ -529,7 +530,16 @@ struct onionpacket *create_onionpacket(
 	}
 	packet->version = 0;
 	memset(nexthmac, 0, HMAC_SIZE);
-	memset(packet->routinginfo, 0, ROUTING_INFO_SIZE);
+
+	/* BOLT-e116441ee836447ac3f24cdca62bac1e0f223d5f #4:
+	 *
+	 * The packet is initialized with 1366 _random_ bytes derived from a
+	 * CSPRNG.
+	 */
+	/* Note that this is just hop_payloads: the rest of the packet is
+	 * overwritten below or above anyway. */
+	generate_key(padkey, "pad", 3, sp->session_key->data);
+	generate_cipher_stream(stream, padkey, ROUTING_INFO_SIZE);
 
 	generate_header_padding(filler, sizeof(filler), sp, params);