Elide nonce from payer metadata

InvoiceRequest and Refund have payer_metadata which consists of an
encrypted payment id and a nonce used to derive its signing keys and
authenticate any corresponding invoices. Now that the blinded paths
include this data in their OffersContext, remove the nonce as it is now
redundant. Keep the encrypted payment id as some data is needed in the
payer metadata according to the spec. This saves space and prevents
de-anonymization attacks as along as the nonce isn't revealed.

Author: jkczyz

lightning/src/ln/channelmanager.rs

@@ -4106,15 +4106,35 @@ where
 	/// whether or not the payment was successful.
 	///
 	/// [timer tick]: Self::timer_tick_occurred
-	pub fn send_payment_for_bolt12_invoice(&self, invoice: &Bolt12Invoice) -> Result<(), Bolt12PaymentError> {
-		let secp_ctx = &self.secp_ctx;
-		let expanded_key = &self.inbound_payment_key;
-		match invoice.verify(expanded_key, secp_ctx) {
+	pub fn send_payment_for_bolt12_invoice(
+		&self, invoice: &Bolt12Invoice, context: &OffersContext,
+	) -> Result<(), Bolt12PaymentError> {
+		match self.verify_bolt12_invoice(invoice, context) {
 			Ok(payment_id) => self.send_payment_for_verified_bolt12_invoice(invoice, payment_id),
 			Err(()) => Err(Bolt12PaymentError::UnexpectedInvoice),
 		}
 	}
 
+	fn verify_bolt12_invoice(
+		&self, invoice: &Bolt12Invoice, context: &OffersContext,
+	) -> Result<PaymentId, ()> {
+		let secp_ctx = &self.secp_ctx;
+		let expanded_key = &self.inbound_payment_key;
+
+		match context {
+			OffersContext::Unknown {} if invoice.is_for_refund_without_paths() => {
+				invoice.verify(expanded_key, secp_ctx)
+			},
+			OffersContext::OutboundPayment { payment_id, nonce } => {
+				invoice
+					.verify_using_payer_data(*payment_id, *nonce, expanded_key, secp_ctx)
+					.then(|| *payment_id)
+					.ok_or(())
+			},
+			_ => Err(()),
+		}
+	}
+
 	fn send_payment_for_verified_bolt12_invoice(&self, invoice: &Bolt12Invoice, payment_id: PaymentId) -> Result<(), Bolt12PaymentError> {
 		let best_block_height = self.best_block.read().unwrap().height;
 		let _persistence_guard = PersistenceNotifierGuard::notify_on_drop(self);
@@ -10644,24 +10664,9 @@ where
 				}
 			},
 			OffersMessage::Invoice(invoice) => {
-				let payer_data = match context {
-					OffersContext::Unknown {} if invoice.is_for_refund_without_paths() => None,
-					OffersContext::OutboundPayment { payment_id, nonce } => Some((payment_id, nonce)),
-					_ => return ResponseInstruction::NoResponse,
-				};
-
-				let payment_id = match payer_data {
-					Some((payment_id, nonce)) => {
-						if invoice.verify_using_payer_data(payment_id, nonce, expanded_key, secp_ctx) {
-							payment_id
-						} else {
-							return ResponseInstruction::NoResponse;
-						}
-					},
-					None => match invoice.verify(expanded_key, secp_ctx) {
-						Ok(payment_id) => payment_id,
-						Err(()) => return ResponseInstruction::NoResponse,
-					},
+				let payment_id = match self.verify_bolt12_invoice(&invoice, &context) {
+					Ok(payment_id) => payment_id,
+					Err(()) => return ResponseInstruction::NoResponse,
 				};
 
 				let result = {

lightning/src/ln/offers_tests.rs

@@ -1085,10 +1085,10 @@ fn pays_bolt12_invoice_asynchronously() {
 	let onion_message = alice.onion_messenger.next_onion_message_for_peer(bob_id).unwrap();
 	bob.onion_messenger.handle_onion_message(&alice_id, &onion_message);
 
-	let invoice = match get_event!(bob, Event::InvoiceReceived) {
-		Event::InvoiceReceived { payment_id: actual_payment_id, invoice, .. } => {
+	let (invoice, context) = match get_event!(bob, Event::InvoiceReceived) {
+		Event::InvoiceReceived { payment_id: actual_payment_id, invoice, context, .. } => {
 			assert_eq!(actual_payment_id, payment_id);
-			invoice
+			(invoice, context)
 		},
 		_ => panic!("No Event::InvoiceReceived"),
 	};
@@ -1099,9 +1099,9 @@ fn pays_bolt12_invoice_asynchronously() {
 		assert_eq!(path.introduction_node, IntroductionNode::NodeId(alice_id));
 	}
 
-	assert!(bob.node.send_payment_for_bolt12_invoice(&invoice).is_ok());
+	assert!(bob.node.send_payment_for_bolt12_invoice(&invoice, &context).is_ok());
 	assert_eq!(
-		bob.node.send_payment_for_bolt12_invoice(&invoice),
+		bob.node.send_payment_for_bolt12_invoice(&invoice, &context),
 		Err(Bolt12PaymentError::DuplicateInvoice),
 	);
 
@@ -1112,7 +1112,7 @@ fn pays_bolt12_invoice_asynchronously() {
 	expect_recent_payment!(bob, RecentPaymentDetails::Fulfilled, payment_id);
 
 	assert_eq!(
-		bob.node.send_payment_for_bolt12_invoice(&invoice),
+		bob.node.send_payment_for_bolt12_invoice(&invoice, &context),
 		Err(Bolt12PaymentError::DuplicateInvoice),
 	);
 
@@ -1121,7 +1121,7 @@ fn pays_bolt12_invoice_asynchronously() {
 	}
 
 	assert_eq!(
-		bob.node.send_payment_for_bolt12_invoice(&invoice),
+		bob.node.send_payment_for_bolt12_invoice(&invoice, &context),
 		Err(Bolt12PaymentError::UnexpectedInvoice),
 	);
 }

lightning/src/offers/invoice_request.rs

@@ -1487,10 +1487,6 @@ mod tests {
 			.unwrap()
 			.build().unwrap()
 			.sign(recipient_sign).unwrap();
-		match invoice.verify(&expanded_key, &secp_ctx) {
-			Ok(payment_id) => assert_eq!(payment_id, PaymentId([1; 32])),
-			Err(()) => panic!("verification failed"),
-		}
 		assert!(invoice.verify_using_payer_data(payment_id, nonce, &expanded_key, &secp_ctx));
 
 		// Fails verification with altered fields

lightning/src/offers/refund.rs

@@ -1107,10 +1107,6 @@ mod tests {
 			.unwrap()
 			.build().unwrap()
 			.sign(recipient_sign).unwrap();
-		match invoice.verify(&expanded_key, &secp_ctx) {
-			Ok(payment_id) => assert_eq!(payment_id, PaymentId([1; 32])),
-			Err(()) => panic!("verification failed"),
-		}
 		assert!(invoice.verify_using_payer_data(payment_id, nonce, &expanded_key, &secp_ctx));
 
 		// Fails verification with altered fields

lightning/src/offers/signer.rs

@@ -249,8 +249,7 @@ impl MetadataMaterial {
 		self.hmac.input(DERIVED_METADATA_AND_KEYS_HMAC_INPUT);
 		self.maybe_include_encrypted_payment_id();
 
-		let mut bytes = self.encrypted_payment_id.map(|id| id.to_vec()).unwrap_or(vec![]);
-		bytes.extend_from_slice(self.nonce.as_slice());
+		let bytes = self.encrypted_payment_id.map(|id| id.to_vec()).unwrap_or(vec![]);
 
 		let hmac = Hmac::from_engine(self.hmac);
 		let privkey = SecretKey::from_slice(hmac.as_byte_array()).unwrap();