Add HMAC, and nonce to OffersContext::InboundPayment

Introduce HMAC and nonce calculation when sending Invoice with
reply path, so that if we receive InvoiceError back for the
corresponding Invoice we can verify the payment hash before logging it.

Author: shaavan

lightning/src/blinded_path/message.rs

@@ -347,6 +347,19 @@ pub enum OffersContext {
 		///
 		/// [`Bolt12Invoice::payment_hash`]: crate::offers::invoice::Bolt12Invoice::payment_hash
 		payment_hash: PaymentHash,
+
+		/// A nonce used for authenticating that a received [`InvoiceError`] is for a valid
+		/// sent [`Bolt12Invoice`].
+		///
+		/// [`InvoiceError`]: crate::offers::invoice_error::InvoiceError
+		/// [`Bolt12Invoice`]: crate::offers::invoice::Bolt12Invoice
+		nonce: Nonce,
+
+		/// Authentication code for the [`PaymentHash`], which should be checked when the context is
+		/// used to log the received [`InvoiceError`].
+		///
+		/// [`InvoiceError`]: crate::offers::invoice_error::InvoiceError
+		hmac: Hmac<Sha256>,
 	},
 }
 
@@ -366,6 +379,8 @@ impl_writeable_tlv_based_enum!(OffersContext,
 	},
 	(2, InboundPayment) => {
 		(0, payment_hash, required),
+		(1, nonce, required),
+		(2, hmac, required)
 	},
 );
 

lightning/src/ln/channelmanager.rs

@@ -9226,8 +9226,10 @@ where
 				let builder: InvoiceBuilder<DerivedSigningPubkey> = builder.into();
 				let invoice = builder.allow_mpp().build_and_sign(secp_ctx)?;
 
+				let nonce = Nonce::from_entropy_source(entropy);
+				let hmac = payment_hash.hmac_for_offer_payment(nonce, expanded_key);
 				let context = OffersContext::InboundPayment {
-					payment_hash: invoice.payment_hash(),
+					payment_hash: invoice.payment_hash(), nonce, hmac
 				};
 				let reply_paths = self.create_blinded_paths(context)
 					.map_err(|_| Bolt12SemanticError::MissingPaths)?;
@@ -10987,7 +10989,12 @@ where
 			},
 			OffersMessage::InvoiceError(invoice_error) => {
 				let payment_hash = match context {
-					Some(OffersContext::InboundPayment { payment_hash }) => Some(payment_hash),
+					Some(OffersContext::InboundPayment { payment_hash, nonce, hmac }) => {
+						match payment_hash.verify(hmac, nonce, expanded_key) {
+							Ok(_) => Some(payment_hash),
+							Err(_) => None,
+						}
+					},
 					_ => None,
 				};