Authenticate InvoiceRequest using OfferContext

jkczyz · jkczyz · commit c7afd5cadb67 · 2024-07-09T13:49:07.000-05:00
When an InvoiceRequest is handled with an OfferContext, use the
containing nonce to verify that it is for a valid Offer. Otherwise, fall
back to using Offer::metadata, which also contains the nonce. The latter
is useful for supporting offers without blinded paths or those created
prior to including an OffersContext in their blinded paths.
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -10520,17 +10520,31 @@ where
 					Some(responder) => responder,
 					None => return ResponseInstruction::NoResponse,
 				};
+
+				let nonce = match context {
+					OffersContext::Unknown {} if invoice_request.metadata().is_some() => None,
+					OffersContext::InvoiceRequest { nonce } => Some(nonce),
+					_ => return ResponseInstruction::NoResponse,
+				};
+
 				let amount_msats = match InvoiceBuilder::<DerivedSigningPubkey>::amount_msats(
 					&invoice_request
 				) {
 					Ok(amount_msats) => amount_msats,
 					Err(error) => return responder.respond(OffersMessage::InvoiceError(error.into())),
 				};
-				let invoice_request = match invoice_request.verify(expanded_key, secp_ctx) {
-					Ok(invoice_request) => invoice_request,
-					Err(()) => {
-						let error = Bolt12SemanticError::InvalidMetadata;
-						return responder.respond(OffersMessage::InvoiceError(error.into()));
+
+				let invoice_request = match nonce {
+					Some(nonce) => match invoice_request.verify_using_nonce(nonce, expanded_key, secp_ctx) {
+						Ok(invoice_request) => invoice_request,
+						Err(()) => return ResponseInstruction::NoResponse,
+					},
+					None => match invoice_request.verify(expanded_key, secp_ctx) {
+						Ok(invoice_request) => invoice_request,
+						Err(()) => {
+							let error = Bolt12SemanticError::InvalidMetadata;
+							return responder.respond(OffersMessage::InvoiceError(error.into()));
+						},
 					},
 				};
 
diff --git a/lightning/src/ln/peer_handler.rs b/lightning/src/ln/peer_handler.rs
@@ -18,8 +18,8 @@
 use bitcoin::blockdata::constants::ChainHash;
 use bitcoin::secp256k1::{self, Secp256k1, SecretKey, PublicKey};
 
-use crate::blinded_path::message::OffersContext;
 use crate::sign::{NodeSigner, Recipient};
+use crate::blinded_path::message::OffersContext;
 use crate::events::{MessageSendEvent, MessageSendEventsProvider};
 use crate::ln::types::ChannelId;
 use crate::ln::features::{InitFeatures, NodeFeatures};
