bolt11.c (18363B)
1 // 2 // bolt11.c 3 // damus 4 // 5 // Created by William Casarin on 2022-10-18. 6 // 7 8 #include "bolt11.h" 9 10 //#include "address.h" 11 //#include "script.h" 12 #include "bech32.h" 13 #include "ccan/utf8/utf8.h" 14 #include "ccan/compiler//compiler.h" 15 #include "ccan/endian/endian.h" 16 #include "ccan/list/list.h" 17 #include "ccan/tal/str/str.h" 18 #include "ccan/tal/tal.h" 19 #include "node_id.h" 20 #include "bech32_util.h" 21 #include "bolt11.h" 22 #include "amount.h" 23 #include "ccan/array_size/array_size.h" 24 #include "ccan/structeq/structeq.h" 25 26 //#include "features.h" 27 #include <errno.h> 28 #include <inttypes.h> 29 #include <assert.h> 30 31 #define MSAT_PER_SAT ((u64)1000) 32 #define SAT_PER_BTC ((u64)100000000) 33 #define MSAT_PER_BTC (MSAT_PER_SAT * SAT_PER_BTC) 34 35 struct multiplier { 36 const char letter; 37 /* We can't represent p postfix to msat, so we multiply this by 10 */ 38 u64 m10; 39 }; 40 41 /* BOLT #11: 42 * 43 * The following `multiplier` letters are defined: 44 * 45 * * `m` (milli): multiply by 0.001 46 * * `u` (micro): multiply by 0.000001 47 * * `n` (nano): multiply by 0.000000001 48 * * `p` (pico): multiply by 0.000000000001 49 */ 50 static struct multiplier multipliers[] = { 51 { 'm', 10 * MSAT_PER_BTC / 1000 }, 52 { 'u', 10 * MSAT_PER_BTC / 1000000 }, 53 { 'n', 10 * MSAT_PER_BTC / 1000000000 }, 54 { 'p', 10 * MSAT_PER_BTC / 1000000000000ULL } 55 }; 56 57 /* If pad is false, we discard any bits which don't fit in the last byte. 58 * Otherwise we add an extra byte. Returns error string or NULL on success. */ 59 static const char *pull_bits(struct hash_u5 *hu5, 60 const u5 **data, size_t *data_len, 61 void *dst, size_t nbits, 62 bool pad) 63 { 64 size_t n5 = nbits / 5; 65 size_t len = 0; 66 67 if (nbits % 5) 68 n5++; 69 70 if (*data_len < n5) 71 return "truncated"; 72 if (!bech32_convert_bits(dst, &len, 8, *data, n5, 5, pad)) 73 return "non-zero trailing bits"; 74 if (hu5) 75 hash_u5(hu5, *data, n5); 76 *data += n5; 77 *data_len -= n5; 78 79 return NULL; 80 } 81 82 /* Helper for pulling a variable-length big-endian int. */ 83 static const char *pull_uint(struct hash_u5 *hu5, 84 const u5 **data, size_t *data_len, 85 u64 *val, size_t databits) 86 { 87 be64 be_val; 88 const char *err; 89 90 /* Too big. */ 91 if (databits > sizeof(be_val) * CHAR_BIT) 92 return "integer too large"; 93 err = pull_bits(hu5, data, data_len, &be_val, databits, true); 94 if (err) 95 return err; 96 if (databits == 0) 97 *val = 0; 98 else 99 *val = be64_to_cpu(be_val) >> 100 (sizeof(be_val) * CHAR_BIT - databits); 101 return NULL; 102 } 103 104 static void *pull_all(const tal_t *ctx, 105 struct hash_u5 *hu5, 106 const u5 **data, size_t *data_len, 107 bool pad, 108 const char **err) 109 { 110 void *ret; 111 size_t retlen; 112 113 if (pad) 114 retlen = (*data_len * 5 + 7) / 8; 115 else 116 retlen = (*data_len * 5) / 8; 117 118 ret = tal_arr(ctx, u8, retlen); 119 *err = pull_bits(hu5, data, data_len, ret, *data_len * 5, pad); 120 if (*err) 121 return tal_free(ret); 122 return ret; 123 } 124 125 /* Frees bolt11, returns NULL. */ 126 static struct bolt11 *decode_fail(struct bolt11 *b11, char **fail, 127 const char *fmt, ...) 128 PRINTF_FMT(3,4); 129 130 static struct bolt11 *decode_fail(struct bolt11 *b11, char **fail, 131 const char *fmt, ...) 132 { 133 va_list ap; 134 135 va_start(ap, fmt); 136 *fail = tal_vfmt(tal_parent(b11), fmt, ap); 137 va_end(ap); 138 return tal_free(b11); 139 } 140 141 /* 142 * These handle specific fields in the payment request; returning the problem 143 * if any, or NULL. 144 */ 145 static const char *unknown_field(struct bolt11 *b11, 146 struct hash_u5 *hu5, 147 const u5 **data, size_t *field_len, 148 u5 type) 149 { 150 const char *err; 151 152 tal_free(pull_all(NULL, hu5, data, field_len, true, &err)); 153 return err; 154 } 155 156 /* If field isn't expected length (in *bech32*!), call unknown_field. 157 * Otherwise copy into dst without padding, set have_flag if non-NULL. */ 158 static const char *pull_expected_length(struct bolt11 *b11, 159 struct hash_u5 *hu5, 160 const u5 **data, size_t *field_len, 161 size_t expected_length, 162 u5 type, 163 bool *have_flag, 164 void *dst) 165 { 166 if (*field_len != expected_length) 167 return unknown_field(b11, hu5, data, field_len, type); 168 169 if (have_flag) 170 *have_flag = true; 171 return pull_bits(hu5, data, field_len, dst, *field_len * 5, false); 172 } 173 174 /* BOLT #11: 175 * 176 * `p` (1): `data_length` 52. 256-bit SHA256 payment_hash. Preimage of this 177 * provides proof of payment 178 */ 179 static const char *decode_p(struct bolt11 *b11, 180 const struct feature_set *our_features, 181 struct hash_u5 *hu5, 182 const u5 **data, size_t *field_len, 183 bool *have_p) 184 { 185 struct sha256 payment_hash; 186 /* BOLT #11: 187 * 188 * A payer... SHOULD use the first `p` field that it did NOT 189 * skip as the payment hash. 190 */ 191 assert(!*have_p); 192 193 /* BOLT #11: 194 * 195 * A reader... MUST skip over unknown fields, OR an `f` field 196 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do 197 * NOT have `data_length`s of 52, 52, 52 or 53, respectively. 198 */ 199 return pull_expected_length(b11, hu5, data, field_len, 52, 'p', 200 have_p, &payment_hash); 201 } 202 203 /* Check for valid UTF-8 */ 204 static bool utf8_check(const void *vbuf, size_t buflen) 205 { 206 const u8 *buf = vbuf; 207 struct utf8_state utf8_state = UTF8_STATE_INIT; 208 bool need_more = false; 209 210 for (size_t i = 0; i < buflen; i++) { 211 if (!utf8_decode(&utf8_state, buf[i])) { 212 need_more = true; 213 continue; 214 } 215 need_more = false; 216 if (errno != 0) 217 return false; 218 } 219 return !need_more; 220 } 221 222 static char *utf8_str(const tal_t *ctx, const u8 *buf TAKES, size_t buflen) 223 { 224 char *ret; 225 226 if (!utf8_check(buf, buflen)) { 227 if (taken(buf)) 228 tal_free(buf); 229 return NULL; 230 } 231 232 /* Add one for nul term */ 233 ret = tal_dup_arr(ctx, char, (const char *)buf, buflen, 1); 234 ret[buflen] = '\0'; 235 return ret; 236 } 237 238 /* BOLT #11: 239 * 240 * `d` (13): `data_length` variable. Short description of purpose of payment 241 * (UTF-8), e.g. '1 cup of coffee' or 'ナンセンス 1杯' 242 */ 243 static const char *decode_d(struct bolt11 *b11, 244 const struct feature_set *our_features, 245 struct hash_u5 *hu5, 246 const u5 **data, size_t *field_len, 247 bool *have_d) 248 { 249 u8 *desc; 250 const char *err; 251 252 assert(!*have_d); 253 desc = pull_all(NULL, hu5, data, field_len, false, &err); 254 if (!desc) 255 return err; 256 257 *have_d = true; 258 b11->description = utf8_str(b11, take(desc), tal_bytelen(desc)); 259 if (b11->description) 260 return NULL; 261 262 return tal_fmt(b11, "d: invalid utf8"); 263 } 264 265 /* BOLT #11: 266 * 267 * `h` (23): `data_length` 52. 256-bit description of purpose of payment 268 * (SHA256). This is used to commit to an associated description that is over 269 * 639 bytes, but the transport mechanism for the description in that case is 270 * transport specific and not defined here. 271 */ 272 static const char *decode_h(struct bolt11 *b11, 273 const struct feature_set *our_features, 274 struct hash_u5 *hu5, 275 const u5 **data, size_t *field_len, 276 bool *have_h) 277 { 278 const char *err; 279 struct sha256 hash; 280 281 assert(!*have_h); 282 /* BOLT #11: 283 * 284 * A reader... MUST skip over unknown fields, OR an `f` field 285 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do 286 * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */ 287 err = pull_expected_length(b11, hu5, data, field_len, 52, 'h', 288 have_h, &hash); 289 290 /* If that gave us the hash, store it */ 291 if (*have_h) 292 b11->description_hash = tal_dup(b11, struct sha256, &hash); 293 return err; 294 } 295 296 /* BOLT #11: 297 * 298 * `x` (6): `data_length` variable. `expiry` time in seconds 299 * (big-endian). Default is 3600 (1 hour) if not specified. 300 */ 301 #define DEFAULT_X 3600 302 static const char *decode_x(struct bolt11 *b11, 303 const struct feature_set *our_features, 304 struct hash_u5 *hu5, 305 const u5 **data, size_t *field_len, 306 bool *have_x) 307 { 308 const char *err; 309 310 assert(!*have_x); 311 312 /* FIXME: Put upper limit in bolt 11 */ 313 err = pull_uint(hu5, data, field_len, &b11->expiry, *field_len * 5); 314 if (err) 315 return tal_fmt(b11, "x: %s", err); 316 317 *have_x = true; 318 return NULL; 319 } 320 321 static struct bolt11 *new_bolt11(const tal_t *ctx, 322 const struct amount_msat *msat TAKES) 323 { 324 struct bolt11 *b11 = tal(ctx, struct bolt11); 325 326 b11->description = NULL; 327 b11->description_hash = NULL; 328 b11->msat = NULL; 329 b11->expiry = DEFAULT_X; 330 331 if (msat) 332 b11->msat = tal_dup(b11, struct amount_msat, msat); 333 return b11; 334 } 335 336 struct decoder { 337 /* What BOLT11 letter this is */ 338 const char letter; 339 /* If false, then any dups get treated as "unknown" fields */ 340 bool allow_duplicates; 341 /* Routine to decode: returns NULL if it decodes ok, and 342 * sets *have_field = true if it is not an unknown form. 343 * Otherwise returns error string (literal or tal off b11). */ 344 const char *(*decode)(struct bolt11 *b11, 345 const struct feature_set *our_features, 346 struct hash_u5 *hu5, 347 const u5 **data, size_t *field_len, 348 bool *have_field); 349 }; 350 351 static const struct decoder decoders[] = { 352 /* BOLT #11: 353 * 354 * A payer... SHOULD use the first `p` field that it did NOT 355 * skip as the payment hash. 356 */ 357 { 'p', false, decode_p }, 358 { 'd', false, decode_d }, 359 { 'h', false, decode_h }, 360 { 'x', false, decode_x }, 361 }; 362 363 static const struct decoder *find_decoder(char c) 364 { 365 for (size_t i = 0; i < ARRAY_SIZE(decoders); i++) { 366 if (decoders[i].letter == c) 367 return decoders + i; 368 } 369 return NULL; 370 } 371 372 static bool bech32_decode_alloc(const tal_t *ctx, 373 const char **hrp_ret, 374 const u5 **data_ret, 375 size_t *data_len, 376 const char *str) 377 { 378 char *hrp = tal_arr(ctx, char, strlen(str) - 6); 379 u5 *data = tal_arr(ctx, u5, strlen(str) - 8); 380 381 if (bech32_decode(hrp, data, data_len, str, (size_t)-1) 382 != BECH32_ENCODING_BECH32) { 383 tal_free(hrp); 384 tal_free(data); 385 return false; 386 } 387 388 /* We needed temporaries because these are const */ 389 *hrp_ret = hrp; 390 *data_ret = data; 391 return true; 392 } 393 394 static bool has_lightning_prefix(const char *invstring) 395 { 396 /* BOLT #11: 397 * 398 * If a URI scheme is desired, the current recommendation is to either 399 * use 'lightning:' as a prefix before the BOLT-11 encoding */ 400 return (strstarts(invstring, "lightning:") || 401 strstarts(invstring, "LIGHTNING:")); 402 } 403 404 static char *str_lowering(const void *ctx, const char *string TAKES) 405 { 406 char *ret; 407 408 ret = tal_strdup(ctx, string); 409 for (char *p = ret; *p; p++) *p = tolower(*p); 410 return ret; 411 } 412 413 static const char *to_canonical_invstr(const tal_t *ctx, 414 const char *invstring) 415 { 416 if (has_lightning_prefix(invstring)) 417 invstring += strlen("lightning:"); 418 return str_lowering(ctx, invstring); 419 } 420 421 /* Extracts signature but does not check it. */ 422 static struct bolt11 *bolt11_decode_nosig(const tal_t *ctx, const char *str, 423 const struct feature_set *our_features, 424 struct sha256 *hash, 425 const u5 **sig, 426 bool *have_n, 427 char **fail) 428 { 429 const char *hrp, *prefix; 430 char *amountstr; 431 const u5 *data; 432 size_t data_len; 433 struct bolt11 *b11 = new_bolt11(ctx, NULL); 434 struct hash_u5 hu5; 435 const char *err; 436 /* We don't need all of these, but in theory we could have 32 types */ 437 bool have_field[32]; 438 439 memset(have_field, 0, sizeof(have_field)); 440 441 if (strlen(str) < 8) 442 return decode_fail(b11, fail, "Bad bech32 string"); 443 444 if (!bech32_decode_alloc(b11, &hrp, &data, &data_len, str)) 445 return decode_fail(b11, fail, "Bad bech32 string"); 446 447 /* For signature checking at the end. */ 448 hash_u5_init(&hu5, hrp); 449 450 /* BOLT #11: 451 * 452 * The human-readable part of a Lightning invoice consists of two sections: 453 * 1. `prefix`: `ln` + BIP-0173 currency prefix (e.g. `lnbc` for Bitcoin mainnet, 454 * `lntb` for Bitcoin testnet, `lntbs` for Bitcoin signet, and `lnbcrt` for Bitcoin regtest) 455 * 1. `amount`: optional number in that currency, followed by an optional 456 * `multiplier` letter. The unit encoded here is the 'social' convention of a payment unit -- in the case of Bitcoin the unit is 'bitcoin' NOT satoshis. 457 */ 458 prefix = tal_strndup(b11, hrp, strcspn(hrp, "0123456789")); 459 460 /* BOLT #11: 461 * 462 * A reader...if it does NOT understand the `prefix`... MUST fail the payment. 463 */ 464 if (!strstarts(prefix, "ln")) 465 return decode_fail(b11, fail, 466 "Prefix '%s' does not start with ln", prefix); 467 468 /* BOLT #11: 469 * 470 * - if the `amount` is empty: 471 * */ 472 amountstr = tal_strdup(b11, hrp + strlen(prefix)); 473 if (streq(amountstr, "")) { 474 /* BOLT #11: 475 * 476 * - SHOULD indicate to the payer that amount is unspecified. 477 */ 478 b11->msat = NULL; 479 } else { 480 u64 m10 = 10 * MSAT_PER_BTC; /* Pico satoshis in a Bitcoin */ 481 u64 amount; 482 char *end; 483 484 /* Gather and trim multiplier */ 485 end = amountstr + strlen(amountstr)-1; 486 for (size_t i = 0; i < ARRAY_SIZE(multipliers); i++) { 487 if (*end == multipliers[i].letter) { 488 m10 = multipliers[i].m10; 489 *end = '\0'; 490 break; 491 } 492 } 493 494 /* BOLT #11: 495 * 496 * if `amount` contains a non-digit OR is followed by 497 * anything except a `multiplier` (see table above)... MUST fail the 498 * payment. 499 **/ 500 amount = strtoull(amountstr, &end, 10); 501 if (amount == ULLONG_MAX && errno == ERANGE) 502 return decode_fail(b11, fail, 503 "Invalid amount '%s'", amountstr); 504 if (!*amountstr || *end) 505 return decode_fail(b11, fail, 506 "Invalid amount postfix '%s'", end); 507 508 /* BOLT #11: 509 * 510 * if the `multiplier` is present... MUST multiply 511 * `amount` by the `multiplier` value to derive the 512 * amount required for payment. 513 */ 514 b11->msat = tal(b11, struct amount_msat); 515 /* BOLT #11: 516 * 517 * - if multiplier is `p` and the last decimal of `amount` is 518 * not 0: 519 * - MUST fail the payment. 520 */ 521 if (amount * m10 % 10 != 0) 522 return decode_fail(b11, fail, 523 "Invalid sub-millisatoshi amount" 524 " '%sp'", amountstr); 525 526 *b11->msat = amount_msat(amount * m10 / 10); 527 } 528 529 /* BOLT #11: 530 * 531 * The data part of a Lightning invoice consists of multiple sections: 532 * 533 * 1. `timestamp`: seconds-since-1970 (35 bits, big-endian) 534 * 1. zero or more tagged parts 535 * 1. `signature`: Bitcoin-style signature of above (520 bits) 536 */ 537 err = pull_uint(&hu5, &data, &data_len, &b11->timestamp, 35); 538 if (err) 539 return decode_fail(b11, fail, 540 "Can't get 35-bit timestamp: %s", err); 541 542 while (data_len > 520 / 5) { 543 const char *problem = NULL; 544 u64 type, field_len64; 545 size_t field_len; 546 const struct decoder *decoder; 547 548 /* BOLT #11: 549 * 550 * Each Tagged Field is of the form: 551 * 552 * 1. `type` (5 bits) 553 * 1. `data_length` (10 bits, big-endian) 554 * 1. `data` (`data_length` x 5 bits) 555 */ 556 err = pull_uint(&hu5, &data, &data_len, &type, 5); 557 if (err) 558 return decode_fail(b11, fail, 559 "Can't get tag: %s", err); 560 err = pull_uint(&hu5, &data, &data_len, &field_len64, 10); 561 if (err) 562 return decode_fail(b11, fail, 563 "Can't get length: %s", err); 564 565 /* Can't exceed total data remaining. */ 566 if (field_len64 > data_len) 567 return decode_fail(b11, fail, "%c: truncated", 568 bech32_charset[type]); 569 570 /* These are different types on 32 bit! But since data_len is 571 * also size_t, above check ensures this will fit. */ 572 field_len = field_len64; 573 assert(field_len == field_len64); 574 575 /* Do this now: the decode function fixes up the data ptr */ 576 data_len -= field_len; 577 578 decoder = find_decoder(bech32_charset[type]); 579 if (!decoder || (have_field[type] && !decoder->allow_duplicates)) { 580 problem = unknown_field(b11, &hu5, &data, &field_len, 581 bech32_charset[type]); 582 } else { 583 problem = decoder->decode(b11, our_features, &hu5, 584 &data, &field_len, &have_field[type]); 585 } 586 if (problem) 587 return decode_fail(b11, fail, "%s", problem); 588 if (field_len) 589 return decode_fail(b11, fail, "%c: extra %zu bytes", 590 bech32_charset[type], field_len); 591 } 592 593 if (!have_field[bech32_charset_rev['p']]) 594 return decode_fail(b11, fail, "No valid 'p' field found"); 595 596 /* BOLT #11: 597 * A writer: 598 *... 599 * - MUST include either exactly one `d` or exactly one `h` field. 600 */ 601 /* FIXME: It doesn't actually say the reader must check though! */ 602 if (!have_field[bech32_charset_rev['d']] 603 && !have_field[bech32_charset_rev['h']]) 604 return decode_fail(b11, fail, 605 "must have either 'd' or 'h' field"); 606 607 hash_u5_done(&hu5, hash); 608 *sig = tal_dup_arr(ctx, u5, data, data_len, 0); 609 610 *have_n = have_field[bech32_charset_rev['n']]; 611 return b11; 612 } 613 614 struct bolt11 *bolt11_decode_minimal(const tal_t *ctx, const char *str, 615 char **fail) 616 { 617 const u5 *sigdata; 618 struct sha256 hash; 619 bool have_n; 620 621 str = to_canonical_invstr(ctx, str); 622 return bolt11_decode_nosig(ctx, str, NULL, &hash, &sigdata, &have_n, 623 fail); 624 }