WIP: Authenticate invoice requests

Author: jkczyz

lightning/src/ln/channelmanager.rs

@@ -10257,7 +10257,7 @@ where
 	R::Target: Router,
 	L::Target: Logger,
 {
-	fn handle_message(&self, message: OffersMessage, responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
+	fn handle_message(&self, message: OffersMessage, context: OffersContext, responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
 		let secp_ctx = &self.secp_ctx;
 		let expanded_key = &self.inbound_payment_key;
 
@@ -10267,17 +10267,31 @@ where
 					Some(responder) => responder,
 					None => return ResponseInstruction::NoResponse,
 				};
+
+				let nonce = match context {
+					OffersContext::Unknown {} if invoice_request.metadata().is_some() => None,
+					OffersContext::InvoiceRequest { nonce } => Some(nonce),
+					_ => return ResponseInstruction::NoResponse,
+				};
+
 				let amount_msats = match InvoiceBuilder::<DerivedSigningPubkey>::amount_msats(
 					&invoice_request
 				) {
 					Ok(amount_msats) => amount_msats,
 					Err(error) => return responder.respond(OffersMessage::InvoiceError(error.into())),
 				};
-				let invoice_request = match invoice_request.verify(expanded_key, secp_ctx) {
-					Ok(invoice_request) => invoice_request,
-					Err(()) => {
-						let error = Bolt12SemanticError::InvalidMetadata;
-						return responder.respond(OffersMessage::InvoiceError(error.into()));
+
+				let invoice_request = match nonce {
+					Some(nonce) => match invoice_request.verify_using_nonce(nonce, expanded_key, secp_ctx) {
+						Ok(invoice_request) => invoice_request,
+						Err(()) => return ResponseInstruction::NoResponse,
+					},
+					None => match invoice_request.verify(expanded_key, secp_ctx) {
+						Ok(invoice_request) => invoice_request,
+						Err(()) => {
+							let error = Bolt12SemanticError::InvalidMetadata;
+							return responder.respond(OffersMessage::InvoiceError(error.into()));
+						},
 					},
 				};
 

lightning/src/ln/peer_handler.rs

@@ -19,6 +19,7 @@ use bitcoin::blockdata::constants::ChainHash;
 use bitcoin::secp256k1::{self, Secp256k1, SecretKey, PublicKey};
 
 use crate::sign::{NodeSigner, Recipient};
+use crate::blinded_path::message::OffersContext;
 use crate::events::{MessageSendEvent, MessageSendEventsProvider};
 use crate::ln::types::ChannelId;
 use crate::ln::features::{InitFeatures, NodeFeatures};
@@ -145,7 +146,7 @@ impl OnionMessageHandler for IgnoringMessageHandler {
 }
 
 impl OffersMessageHandler for IgnoringMessageHandler {
-	fn handle_message(&self, _message: OffersMessage, _responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
+	fn handle_message(&self, _message: OffersMessage, _context: OffersContext, _responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
 		ResponseInstruction::NoResponse
 	}
 }

lightning/src/onion_message/functional_tests.rs

@@ -10,7 +10,7 @@
 //! Onion message testing and test utilities live here.
 
 use crate::blinded_path::{BlindedPath, EmptyNodeIdLookUp};
-use crate::blinded_path::message::ForwardNode;
+use crate::blinded_path::message::{ForwardNode, OffersContext};
 use crate::events::{Event, EventsProvider};
 use crate::ln::features::{ChannelFeatures, InitFeatures};
 use crate::ln::msgs::{self, DecodeError, OnionMessageHandler};
@@ -76,7 +76,7 @@ impl Drop for MessengerNode {
 struct TestOffersMessageHandler {}
 
 impl OffersMessageHandler for TestOffersMessageHandler {
-	fn handle_message(&self, _message: OffersMessage, _responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
+	fn handle_message(&self, _message: OffersMessage, _context: OffersContext, _responder: Option<Responder>) -> ResponseInstruction<OffersMessage> {
 		ResponseInstruction::NoResponse
 	}
 }

lightning/src/onion_message/messenger.rs

@@ -16,7 +16,7 @@ use bitcoin::hashes::sha256::Hash as Sha256;
 use bitcoin::secp256k1::{self, PublicKey, Scalar, Secp256k1, SecretKey};
 
 use crate::blinded_path::{BlindedPath, IntroductionNode, NextMessageHop, NodeIdLookUp};
-use crate::blinded_path::message::{advance_path_by_one, ForwardNode, ForwardTlvs, ReceiveTlvs};
+use crate::blinded_path::message::{advance_path_by_one, ForwardNode, ForwardTlvs, OffersContext, ReceiveTlvs};
 use crate::blinded_path::utils;
 use crate::events::{Event, EventHandler, EventsProvider};
 use crate::sign::{EntropySource, NodeSigner, Recipient};
@@ -1451,7 +1451,7 @@ where
 				);
 				match message {
 					ParsedOnionMessageContents::Offers(msg) => {
-						let response_instructions = self.offers_handler.handle_message(msg, responder);
+						let response_instructions = self.offers_handler.handle_message(msg, OffersContext::Unknown {}, responder);
 						let _ = self.handle_onion_message_response(response_instructions);
 					},
 					#[cfg(async_payments)]

lightning/src/onion_message/offers.rs

@@ -10,6 +10,7 @@
 //! Message handling for BOLT 12 Offers.
 
 use core::fmt;
+use crate::blinded_path::message::OffersContext;
 use crate::io::{self, Read};
 use crate::ln::msgs::DecodeError;
 use crate::offers::invoice_error::InvoiceError;
@@ -44,7 +45,7 @@ pub trait OffersMessageHandler {
 	/// The returned [`OffersMessage`], if any, is enqueued to be sent by [`OnionMessenger`].
 	///
 	/// [`OnionMessenger`]: crate::onion_message::messenger::OnionMessenger
-	fn handle_message(&self, message: OffersMessage, responder: Option<Responder>) -> ResponseInstruction<OffersMessage>;
+	fn handle_message(&self, message: OffersMessage, context: OffersContext, responder: Option<Responder>) -> ResponseInstruction<OffersMessage>;
 
 	/// Releases any [`OffersMessage`]s that need to be sent.
 	///