Reject unknown TLVs in blinded payment payloads

[officialasishkumar]

Fixes #4442.

Blinded payment payload decoding still applied the normal odd/even TLV handling, which let unexpected outer custom TLVs and unknown encrypted blinded TLVs slip through on blinded paths. This tightens both layers so blinded payloads now reject non-allowlisted TLVs instead of silently ignoring them.

The test updates keep the behavioral coverage aligned with the new decoding rules: the blinded payment flow now expects the recipient to reject custom TLVs on a blinded path, and the max-path-length tests stay focused on sender-side sizing logic.

Testing:

• cargo test -p lightning custom_tlvs_to_blinded_path
• cargo test -p lightning unknown_odd
• cargo test -p lightning one_hop_blinded_path_with_custom_tlv
• cargo test -p lightning blinded_path_with_custom_tlv

[ldk-reviews-bot]

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

I've completed a thorough re-review of all files and hunks in this PR. I verified:

1. Inner encrypted TLV callbacks in BlindedPaymentTlvs::read and BlindedTrampolineTlvs::read - correctly handle padding (type 1), reject unknown odd types, and defer unknown even types to the macro's default rejection.

2. Outer onion TLV tracking in InboundOnionPayload::read and InboundTrampolinePayload::read - has_unknown_odd_tlvs correctly flags unknown odd types < 65536, has_disallowed_blinded_tlvs correctly combines with custom TLVs check, and all blinded path variants (Forward, Dummy, Receive for payment; Forward, Receive for trampoline) are guarded.

3. TrampolineEntrypoint early return (line 3841) correctly skips the blinded TLV check since it's not a blinded path hop.

4. Non-blinded paths remain unaffected - unknown odd types still silently skipped, custom TLVs still collected.

5. New macro _init_and_read_tlv_stream_with_custom_tlv_decode correctly mirrors the pattern of _init_and_read_tlv_stream and properly uses the non-exported decode_tlv_stream_with_custom_tlv_decode! without $crate::.

6. Spec test vector - Bob's encrypted payload contains type 561 (odd, unknown). With blinding_point: None on the update_add_msg, the decode error correctly produces HTLCFailureMsg::Relay + InvalidOnionPayload.

7. Test TLV ordering - all appended test TLVs maintain monotonic ordering (65541 > 65539/65537, 21 > 18).

8. PaymentId uniqueness in max_payment_path_len_tests - necessary since payments are no longer claimed between sends.

No issues found.

[TheBlueMatt]

thanks!

[TheBlueMatt]

nit you can drop this line (similar below), returning Ok(false) universally is fine.

[officialasishkumar]

Done, dropped the return Ok(true) lines in both places and now returning Ok(false) universally.

[TheBlueMatt]

Please add a new macro for this rather than breaking it out.

[officialasishkumar]

Added _init_and_read_tlv_stream_with_custom_tlv_decode macro in ser_macros.rs that combines _init_tlv_field_var + decode_tlv_stream_with_custom_tlv_decode, following the same pattern as _init_and_read_tlv_stream. Both BlindedPaymentTlvs and BlindedTrampolineTlvs now use it.