bolt11.c (18381B)
1 // 2 // bolt11.c 3 // damus 4 // 5 // Created by William Casarin on 2022-10-18. 6 // 7 8 #include "bolt11.h" 9 10 //#include "address.h" 11 //#include "script.h" 12 #include "bech32.h" 13 #include "ccan/utf8/utf8.h" 14 #include "ccan/compiler//compiler.h" 15 #include "ccan/endian/endian.h" 16 #include "ccan/list/list.h" 17 #include "ccan/tal/str/str.h" 18 #include "ccan/tal/tal.h" 19 #include "node_id.h" 20 #include "bech32_util.h" 21 #include "bolt11.h" 22 #include "amount.h" 23 #include "ccan/array_size/array_size.h" 24 #include "ccan/structeq/structeq.h" 25 26 //#include "features.h" 27 #include <errno.h> 28 #include <inttypes.h> 29 #include <assert.h> 30 31 #define MSAT_PER_SAT ((u64)1000) 32 #define SAT_PER_BTC ((u64)100000000) 33 #define MSAT_PER_BTC (MSAT_PER_SAT * SAT_PER_BTC) 34 35 struct multiplier { 36 const char letter; 37 /* We can't represent p postfix to msat, so we multiply this by 10 */ 38 u64 m10; 39 }; 40 41 /* BOLT #11: 42 * 43 * The following `multiplier` letters are defined: 44 * 45 * * `m` (milli): multiply by 0.001 46 * * `u` (micro): multiply by 0.000001 47 * * `n` (nano): multiply by 0.000000001 48 * * `p` (pico): multiply by 0.000000000001 49 */ 50 static struct multiplier multipliers[] = { 51 { 'm', 10 * MSAT_PER_BTC / 1000 }, 52 { 'u', 10 * MSAT_PER_BTC / 1000000 }, 53 { 'n', 10 * MSAT_PER_BTC / 1000000000 }, 54 { 'p', 10 * MSAT_PER_BTC / 1000000000000ULL } 55 }; 56 57 /* If pad is false, we discard any bits which don't fit in the last byte. 58 * Otherwise we add an extra byte. Returns error string or NULL on success. */ 59 static const char *pull_bits(struct hash_u5 *hu5, 60 const u5 **data, size_t *data_len, 61 void *dst, size_t nbits, 62 bool pad) 63 { 64 size_t n5 = nbits / 5; 65 size_t len = 0; 66 67 if (nbits % 5) 68 n5++; 69 70 if (*data_len < n5) 71 return "truncated"; 72 if (!bech32_convert_bits(dst, &len, 8, *data, n5, 5, pad)) 73 return "non-zero trailing bits"; 74 if (hu5) 75 hash_u5(hu5, *data, n5); 76 *data += n5; 77 *data_len -= n5; 78 79 return NULL; 80 } 81 82 /* Helper for pulling a variable-length big-endian int. */ 83 static const char *pull_uint(struct hash_u5 *hu5, 84 const u5 **data, size_t *data_len, 85 u64 *val, size_t databits) 86 { 87 be64 be_val; 88 const char *err; 89 90 /* Too big. */ 91 if (databits > sizeof(be_val) * CHAR_BIT) 92 return "integer too large"; 93 err = pull_bits(hu5, data, data_len, &be_val, databits, true); 94 if (err) 95 return err; 96 if (databits == 0) 97 *val = 0; 98 else 99 *val = be64_to_cpu(be_val) >> 100 (sizeof(be_val) * CHAR_BIT - databits); 101 return NULL; 102 } 103 104 static void *pull_all(const tal_t *ctx, 105 struct hash_u5 *hu5, 106 const u5 **data, size_t *data_len, 107 bool pad, 108 const char **err) 109 { 110 void *ret; 111 size_t retlen; 112 113 if (pad) 114 retlen = (*data_len * 5 + 7) / 8; 115 else 116 retlen = (*data_len * 5) / 8; 117 118 ret = tal_arr(ctx, u8, retlen); 119 *err = pull_bits(hu5, data, data_len, ret, *data_len * 5, pad); 120 if (*err) 121 return tal_free(ret); 122 return ret; 123 } 124 125 /* Frees bolt11, returns NULL. */ 126 static struct bolt11 *decode_fail(struct bolt11 *b11, char **fail, 127 const char *fmt, ...) 128 PRINTF_FMT(3,4); 129 130 static struct bolt11 *decode_fail(struct bolt11 *b11, char **fail, 131 const char *fmt, ...) 132 { 133 va_list ap; 134 135 va_start(ap, fmt); 136 if (fail) 137 *fail = tal_vfmt(tal_parent(b11), fmt, ap); 138 va_end(ap); 139 return tal_free(b11); 140 } 141 142 /* 143 * These handle specific fields in the payment request; returning the problem 144 * if any, or NULL. 145 */ 146 static const char *unknown_field(struct bolt11 *b11, 147 struct hash_u5 *hu5, 148 const u5 **data, size_t *field_len, 149 u5 type) 150 { 151 const char *err; 152 153 tal_free(pull_all(NULL, hu5, data, field_len, true, &err)); 154 return err; 155 } 156 157 /* If field isn't expected length (in *bech32*!), call unknown_field. 158 * Otherwise copy into dst without padding, set have_flag if non-NULL. */ 159 static const char *pull_expected_length(struct bolt11 *b11, 160 struct hash_u5 *hu5, 161 const u5 **data, size_t *field_len, 162 size_t expected_length, 163 u5 type, 164 bool *have_flag, 165 void *dst) 166 { 167 if (*field_len != expected_length) 168 return unknown_field(b11, hu5, data, field_len, type); 169 170 if (have_flag) 171 *have_flag = true; 172 return pull_bits(hu5, data, field_len, dst, *field_len * 5, false); 173 } 174 175 /* BOLT #11: 176 * 177 * `p` (1): `data_length` 52. 256-bit SHA256 payment_hash. Preimage of this 178 * provides proof of payment 179 */ 180 static const char *decode_p(struct bolt11 *b11, 181 const struct feature_set *our_features, 182 struct hash_u5 *hu5, 183 const u5 **data, size_t *field_len, 184 bool *have_p) 185 { 186 struct sha256 payment_hash; 187 /* BOLT #11: 188 * 189 * A payer... SHOULD use the first `p` field that it did NOT 190 * skip as the payment hash. 191 */ 192 assert(!*have_p); 193 194 /* BOLT #11: 195 * 196 * A reader... MUST skip over unknown fields, OR an `f` field 197 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do 198 * NOT have `data_length`s of 52, 52, 52 or 53, respectively. 199 */ 200 return pull_expected_length(b11, hu5, data, field_len, 52, 'p', 201 have_p, &payment_hash); 202 } 203 204 /* Check for valid UTF-8 */ 205 static bool utf8_check(const void *vbuf, size_t buflen) 206 { 207 const u8 *buf = vbuf; 208 struct utf8_state utf8_state = UTF8_STATE_INIT; 209 bool need_more = false; 210 211 for (size_t i = 0; i < buflen; i++) { 212 if (!utf8_decode(&utf8_state, buf[i])) { 213 need_more = true; 214 continue; 215 } 216 need_more = false; 217 if (errno != 0) 218 return false; 219 } 220 return !need_more; 221 } 222 223 static char *utf8_str(const tal_t *ctx, const u8 *buf TAKES, size_t buflen) 224 { 225 char *ret; 226 227 if (!utf8_check(buf, buflen)) { 228 if (taken(buf)) 229 tal_free(buf); 230 return NULL; 231 } 232 233 /* Add one for nul term */ 234 ret = tal_dup_arr(ctx, char, (const char *)buf, buflen, 1); 235 ret[buflen] = '\0'; 236 return ret; 237 } 238 239 /* BOLT #11: 240 * 241 * `d` (13): `data_length` variable. Short description of purpose of payment 242 * (UTF-8), e.g. '1 cup of coffee' or 'ナンセンス 1杯' 243 */ 244 static const char *decode_d(struct bolt11 *b11, 245 const struct feature_set *our_features, 246 struct hash_u5 *hu5, 247 const u5 **data, size_t *field_len, 248 bool *have_d) 249 { 250 u8 *desc; 251 const char *err; 252 253 assert(!*have_d); 254 desc = pull_all(NULL, hu5, data, field_len, false, &err); 255 if (!desc) 256 return err; 257 258 *have_d = true; 259 b11->description = utf8_str(b11, take(desc), tal_bytelen(desc)); 260 if (b11->description) 261 return NULL; 262 263 return tal_fmt(b11, "d: invalid utf8"); 264 } 265 266 /* BOLT #11: 267 * 268 * `h` (23): `data_length` 52. 256-bit description of purpose of payment 269 * (SHA256). This is used to commit to an associated description that is over 270 * 639 bytes, but the transport mechanism for the description in that case is 271 * transport specific and not defined here. 272 */ 273 static const char *decode_h(struct bolt11 *b11, 274 const struct feature_set *our_features, 275 struct hash_u5 *hu5, 276 const u5 **data, size_t *field_len, 277 bool *have_h) 278 { 279 const char *err; 280 struct sha256 hash; 281 282 assert(!*have_h); 283 /* BOLT #11: 284 * 285 * A reader... MUST skip over unknown fields, OR an `f` field 286 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do 287 * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */ 288 err = pull_expected_length(b11, hu5, data, field_len, 52, 'h', 289 have_h, &hash); 290 291 /* If that gave us the hash, store it */ 292 if (*have_h) 293 b11->description_hash = tal_dup(b11, struct sha256, &hash); 294 return err; 295 } 296 297 /* BOLT #11: 298 * 299 * `x` (6): `data_length` variable. `expiry` time in seconds 300 * (big-endian). Default is 3600 (1 hour) if not specified. 301 */ 302 #define DEFAULT_X 3600 303 static const char *decode_x(struct bolt11 *b11, 304 const struct feature_set *our_features, 305 struct hash_u5 *hu5, 306 const u5 **data, size_t *field_len, 307 bool *have_x) 308 { 309 const char *err; 310 311 assert(!*have_x); 312 313 /* FIXME: Put upper limit in bolt 11 */ 314 err = pull_uint(hu5, data, field_len, &b11->expiry, *field_len * 5); 315 if (err) 316 return tal_fmt(b11, "x: %s", err); 317 318 *have_x = true; 319 return NULL; 320 } 321 322 static struct bolt11 *new_bolt11(const tal_t *ctx, 323 const struct amount_msat *msat TAKES) 324 { 325 struct bolt11 *b11 = tal(ctx, struct bolt11); 326 327 b11->description = NULL; 328 b11->description_hash = NULL; 329 b11->msat = NULL; 330 b11->expiry = DEFAULT_X; 331 332 if (msat) 333 b11->msat = tal_dup(b11, struct amount_msat, msat); 334 return b11; 335 } 336 337 struct decoder { 338 /* What BOLT11 letter this is */ 339 const char letter; 340 /* If false, then any dups get treated as "unknown" fields */ 341 bool allow_duplicates; 342 /* Routine to decode: returns NULL if it decodes ok, and 343 * sets *have_field = true if it is not an unknown form. 344 * Otherwise returns error string (literal or tal off b11). */ 345 const char *(*decode)(struct bolt11 *b11, 346 const struct feature_set *our_features, 347 struct hash_u5 *hu5, 348 const u5 **data, size_t *field_len, 349 bool *have_field); 350 }; 351 352 static const struct decoder decoders[] = { 353 /* BOLT #11: 354 * 355 * A payer... SHOULD use the first `p` field that it did NOT 356 * skip as the payment hash. 357 */ 358 { 'p', false, decode_p }, 359 { 'd', false, decode_d }, 360 { 'h', false, decode_h }, 361 { 'x', false, decode_x }, 362 }; 363 364 static const struct decoder *find_decoder(char c) 365 { 366 for (size_t i = 0; i < ARRAY_SIZE(decoders); i++) { 367 if (decoders[i].letter == c) 368 return decoders + i; 369 } 370 return NULL; 371 } 372 373 static bool bech32_decode_alloc(const tal_t *ctx, 374 const char **hrp_ret, 375 const u5 **data_ret, 376 size_t *data_len, 377 const char *str) 378 { 379 char *hrp = tal_arr(ctx, char, strlen(str) - 6); 380 u5 *data = tal_arr(ctx, u5, strlen(str) - 8); 381 382 if (bech32_decode(hrp, data, data_len, str, (size_t)-1) 383 != BECH32_ENCODING_BECH32) { 384 tal_free(hrp); 385 tal_free(data); 386 return false; 387 } 388 389 /* We needed temporaries because these are const */ 390 *hrp_ret = hrp; 391 *data_ret = data; 392 return true; 393 } 394 395 static bool has_lightning_prefix(const char *invstring) 396 { 397 /* BOLT #11: 398 * 399 * If a URI scheme is desired, the current recommendation is to either 400 * use 'lightning:' as a prefix before the BOLT-11 encoding */ 401 return (strstarts(invstring, "lightning:") || 402 strstarts(invstring, "LIGHTNING:")); 403 } 404 405 static char *str_lowering(const void *ctx, const char *string TAKES) 406 { 407 char *ret; 408 409 ret = tal_strdup(ctx, string); 410 for (char *p = ret; *p; p++) *p = tolower(*p); 411 return ret; 412 } 413 414 static const char *to_canonical_invstr(const tal_t *ctx, 415 const char *invstring) 416 { 417 if (has_lightning_prefix(invstring)) 418 invstring += strlen("lightning:"); 419 return str_lowering(ctx, invstring); 420 } 421 422 /* Extracts signature but does not check it. */ 423 static struct bolt11 *bolt11_decode_nosig(const tal_t *ctx, const char *str, 424 const struct feature_set *our_features, 425 struct sha256 *hash, 426 const u5 **sig, 427 bool *have_n, 428 char **fail) 429 { 430 const char *hrp, *prefix; 431 char *amountstr; 432 const u5 *data; 433 size_t data_len; 434 struct bolt11 *b11 = new_bolt11(ctx, NULL); 435 struct hash_u5 hu5; 436 const char *err; 437 /* We don't need all of these, but in theory we could have 32 types */ 438 bool have_field[32]; 439 440 memset(have_field, 0, sizeof(have_field)); 441 442 if (strlen(str) < 8) 443 return decode_fail(b11, fail, "Bad bech32 string"); 444 445 if (!bech32_decode_alloc(b11, &hrp, &data, &data_len, str)) 446 return decode_fail(b11, fail, "Bad bech32 string"); 447 448 /* For signature checking at the end. */ 449 hash_u5_init(&hu5, hrp); 450 451 /* BOLT #11: 452 * 453 * The human-readable part of a Lightning invoice consists of two sections: 454 * 1. `prefix`: `ln` + BIP-0173 currency prefix (e.g. `lnbc` for Bitcoin mainnet, 455 * `lntb` for Bitcoin testnet, `lntbs` for Bitcoin signet, and `lnbcrt` for Bitcoin regtest) 456 * 1. `amount`: optional number in that currency, followed by an optional 457 * `multiplier` letter. The unit encoded here is the 'social' convention of a payment unit -- in the case of Bitcoin the unit is 'bitcoin' NOT satoshis. 458 */ 459 prefix = tal_strndup(b11, hrp, strcspn(hrp, "0123456789")); 460 461 /* BOLT #11: 462 * 463 * A reader...if it does NOT understand the `prefix`... MUST fail the payment. 464 */ 465 if (!strstarts(prefix, "ln")) 466 return decode_fail(b11, fail, 467 "Prefix '%s' does not start with ln", prefix); 468 469 /* BOLT #11: 470 * 471 * - if the `amount` is empty: 472 * */ 473 amountstr = tal_strdup(b11, hrp + strlen(prefix)); 474 if (streq(amountstr, "")) { 475 /* BOLT #11: 476 * 477 * - SHOULD indicate to the payer that amount is unspecified. 478 */ 479 b11->msat = NULL; 480 } else { 481 u64 m10 = 10 * MSAT_PER_BTC; /* Pico satoshis in a Bitcoin */ 482 u64 amount; 483 char *end; 484 485 /* Gather and trim multiplier */ 486 end = amountstr + strlen(amountstr)-1; 487 for (size_t i = 0; i < ARRAY_SIZE(multipliers); i++) { 488 if (*end == multipliers[i].letter) { 489 m10 = multipliers[i].m10; 490 *end = '\0'; 491 break; 492 } 493 } 494 495 /* BOLT #11: 496 * 497 * if `amount` contains a non-digit OR is followed by 498 * anything except a `multiplier` (see table above)... MUST fail the 499 * payment. 500 **/ 501 amount = strtoull(amountstr, &end, 10); 502 if (amount == ULLONG_MAX && errno == ERANGE) 503 return decode_fail(b11, fail, 504 "Invalid amount '%s'", amountstr); 505 if (!*amountstr || *end) 506 return decode_fail(b11, fail, 507 "Invalid amount postfix '%s'", end); 508 509 /* BOLT #11: 510 * 511 * if the `multiplier` is present... MUST multiply 512 * `amount` by the `multiplier` value to derive the 513 * amount required for payment. 514 */ 515 b11->msat = tal(b11, struct amount_msat); 516 /* BOLT #11: 517 * 518 * - if multiplier is `p` and the last decimal of `amount` is 519 * not 0: 520 * - MUST fail the payment. 521 */ 522 if (amount * m10 % 10 != 0) 523 return decode_fail(b11, fail, 524 "Invalid sub-millisatoshi amount" 525 " '%sp'", amountstr); 526 527 *b11->msat = amount_msat(amount * m10 / 10); 528 } 529 530 /* BOLT #11: 531 * 532 * The data part of a Lightning invoice consists of multiple sections: 533 * 534 * 1. `timestamp`: seconds-since-1970 (35 bits, big-endian) 535 * 1. zero or more tagged parts 536 * 1. `signature`: Bitcoin-style signature of above (520 bits) 537 */ 538 err = pull_uint(&hu5, &data, &data_len, &b11->timestamp, 35); 539 if (err) 540 return decode_fail(b11, fail, 541 "Can't get 35-bit timestamp: %s", err); 542 543 while (data_len > 520 / 5) { 544 const char *problem = NULL; 545 u64 type, field_len64; 546 size_t field_len; 547 const struct decoder *decoder; 548 549 /* BOLT #11: 550 * 551 * Each Tagged Field is of the form: 552 * 553 * 1. `type` (5 bits) 554 * 1. `data_length` (10 bits, big-endian) 555 * 1. `data` (`data_length` x 5 bits) 556 */ 557 err = pull_uint(&hu5, &data, &data_len, &type, 5); 558 if (err) 559 return decode_fail(b11, fail, 560 "Can't get tag: %s", err); 561 err = pull_uint(&hu5, &data, &data_len, &field_len64, 10); 562 if (err) 563 return decode_fail(b11, fail, 564 "Can't get length: %s", err); 565 566 /* Can't exceed total data remaining. */ 567 if (field_len64 > data_len) 568 return decode_fail(b11, fail, "%c: truncated", 569 bech32_charset[type]); 570 571 /* These are different types on 32 bit! But since data_len is 572 * also size_t, above check ensures this will fit. */ 573 field_len = field_len64; 574 assert(field_len == field_len64); 575 576 /* Do this now: the decode function fixes up the data ptr */ 577 data_len -= field_len; 578 579 decoder = find_decoder(bech32_charset[type]); 580 if (!decoder || (have_field[type] && !decoder->allow_duplicates)) { 581 problem = unknown_field(b11, &hu5, &data, &field_len, 582 bech32_charset[type]); 583 } else { 584 problem = decoder->decode(b11, our_features, &hu5, 585 &data, &field_len, &have_field[type]); 586 } 587 if (problem) 588 return decode_fail(b11, fail, "%s", problem); 589 if (field_len) 590 return decode_fail(b11, fail, "%c: extra %zu bytes", 591 bech32_charset[type], field_len); 592 } 593 594 if (!have_field[bech32_charset_rev['p']]) 595 return decode_fail(b11, fail, "No valid 'p' field found"); 596 597 /* BOLT #11: 598 * A writer: 599 *... 600 * - MUST include either exactly one `d` or exactly one `h` field. 601 */ 602 /* FIXME: It doesn't actually say the reader must check though! */ 603 if (!have_field[bech32_charset_rev['d']] 604 && !have_field[bech32_charset_rev['h']]) 605 return decode_fail(b11, fail, 606 "must have either 'd' or 'h' field"); 607 608 hash_u5_done(&hu5, hash); 609 *sig = tal_dup_arr(ctx, u5, data, data_len, 0); 610 611 *have_n = have_field[bech32_charset_rev['n']]; 612 return b11; 613 } 614 615 struct bolt11 *bolt11_decode_minimal(const tal_t *ctx, const char *str, 616 char **fail) 617 { 618 const u5 *sigdata; 619 struct sha256 hash; 620 bool have_n; 621 622 str = to_canonical_invstr(ctx, str); 623 return bolt11_decode_nosig(ctx, str, NULL, &hash, &sigdata, &have_n, 624 fail); 625 }