core-lightning/common/bolt12_merkle.c

#include "config.h"
#include <assert.h>
#include <ccan/cast/cast.h>
#include <ccan/ilog/ilog.h>
#include <ccan/mem/mem.h>
#include <common/bolt12_merkle.h>

#ifndef SUPERVERBOSE
#define SUPERVERBOSE(...)
#endif

/* BOLT-offers #12:
 * Each form is signed using one or more *signature TLV elements*: TLV
 * types 240 through 1000 (inclusive).
 */
static bool is_signature_field(const struct tlv_field *field)
{
	return field->numtype >= 240 && field->numtype <= 1000;
}

static void sha256_update_bigsize(struct sha256_ctx *ctx, u64 bigsize)
{
	u8 buf[BIGSIZE_MAX_LEN];
	size_t len;

	len = bigsize_put(buf, bigsize);
	SUPERVERBOSE("%s", tal_hexstr(tmpctx, buf, len));
	sha256_update(ctx, buf, len);
}

static void sha256_update_tlvfield(struct sha256_ctx *ctx,
				   const struct tlv_field *field)
{
	/* We don't keep it raw, so reconstruct. */
	sha256_update_bigsize(ctx, field->numtype);
	sha256_update_bigsize(ctx, field->length);
	SUPERVERBOSE("%s", tal_hexstr(tmpctx, field->value, field->length));
	sha256_update(ctx, field->value, field->length);
}

/* BOLT-offers #12:
 * Thus we define H(`tag`,`msg`) as SHA256(SHA256(`tag`) || SHA256(`tag`) || `msg`)*/
/* Create a sha256_ctx which has the tag part done. */
static void h_simpletag_ctx(struct sha256_ctx *sctx, const char *tag)
{
	struct sha256 sha;
	sha256(&sha, tag, strlen(tag));
	sha256_init(sctx);
	sha256_update(sctx, &sha, sizeof(sha));
	sha256_update(sctx, &sha, sizeof(sha));
	SUPERVERBOSE("tag=SHA256(%s) -> %s",
		     tal_hexstr(tmpctx, tag, strlen(tag)),
		     type_to_string(tmpctx, struct sha256, &sha));
}


/* BOLT-offers #12:
 * The Merkle tree's leaves are, in TLV-ascending order for each tlv:
 * 1. The H("LnLeaf",tlv).
 * 2. The H("LnNonce"||first-tlv,tlv-type) where first-tlv is the numerically-first TLV entry in the stream, and tlv-type is the "type" field (1-9 bytes) of the current tlv.
 */

/* Create a sha256_ctx which has the tag part done. */
static void h_lnnonce_ctx(struct sha256_ctx *sctx, const struct tlv_field *fields)
{
	struct sha256_ctx inner_sctx;
	struct sha256 sha;

	sha256_init(&inner_sctx);
	sha256_update(&inner_sctx, "LnNonce", 7);
	SUPERVERBOSE("tag=SHA256(%s", tal_hexstr(tmpctx, "LnNonce", 7));
	assert(tal_count(fields));
	sha256_update_tlvfield(&inner_sctx, &fields[0]);
	sha256_done(&inner_sctx, &sha);
	SUPERVERBOSE(") -> %s\n",
		     type_to_string(tmpctx, struct sha256, &sha));

	sha256_init(sctx);
	sha256_update(sctx, &sha, sizeof(sha));
	sha256_update(sctx, &sha, sizeof(sha));
}

/* Use h_lnnonce_ctx to create nonce */
static void calc_nonce(const struct sha256_ctx *lnnonce_ctx,
		       const struct tlv_field *field,
		       struct sha256 *hash)
{
	/* Copy context, to add field */
	struct sha256_ctx ctx = *lnnonce_ctx;

	SUPERVERBOSE("nonce: H(noncetag,");
	sha256_update_bigsize(&ctx, field->numtype);

	sha256_done(&ctx, hash);
	SUPERVERBOSE(") = %s\n", type_to_string(tmpctx, struct sha256, hash));
}

static void calc_lnleaf(const struct tlv_field *field, struct sha256 *hash)
{
	struct sha256_ctx sctx;

	SUPERVERBOSE("leaf: H(");
	h_simpletag_ctx(&sctx, "LnLeaf");
	SUPERVERBOSE(",");
	sha256_update_tlvfield(&sctx, field);
	sha256_done(&sctx, hash);
	SUPERVERBOSE(") -> %s\n", type_to_string(tmpctx, struct sha256, hash));
}

/* BOLT-offers #12:
 * The Merkle tree inner nodes are H("LnBranch", lesser-SHA256||greater-SHA256)
 */
static struct sha256 *merkle_pair(const tal_t *ctx,
				  const struct sha256 *a, const struct sha256 *b)
{
	struct sha256 *res;
	struct sha256_ctx sctx;

	/* Make sure a < b */
	if (memcmp(a->u.u8, b->u.u8, sizeof(a->u.u8)) > 0)
		return merkle_pair(ctx, b, a);

	SUPERVERBOSE("branch: H(");
	h_simpletag_ctx(&sctx, "LnBranch");
	SUPERVERBOSE(",%s %s",
		     tal_hexstr(tmpctx, a->u.u8, sizeof(a->u.u8)),
		     tal_hexstr(tmpctx, b->u.u8, sizeof(b->u.u8)));
	sha256_update(&sctx, a->u.u8, sizeof(a->u.u8));
	sha256_update(&sctx, b->u.u8, sizeof(b->u.u8));

	res = tal(ctx, struct sha256);
	sha256_done(&sctx, res);
	SUPERVERBOSE(") -> %s\n", type_to_string(tmpctx, struct sha256, res));
	return res;
}

static const struct sha256 *merkle_recurse(const struct sha256 **base,
					   const struct sha256 **arr, size_t len)
{
	const struct sha256 *left, *right;
	if (len == 1)
		return arr[0];

	SUPERVERBOSE("Merkle recurse [%zu - %zu] and [%zu - %zu]\n",
		     arr - base, arr + len / 2 - 1 - base,
		     arr + len / 2 - base, arr + len - 1 - base);
	left = merkle_recurse(base, arr, len / 2);
	right = merkle_recurse(base, arr + len / 2, len / 2);
	/* left is never NULL if right is not NULL */
	if (!right) {
		SUPERVERBOSE("[%zu - %zu] is NULL!\n",
			     arr + len / 2 - base, arr + len - base);
		return left;
	}
	return merkle_pair(base, left, right);
}

/* This is not the fastest way, but it is the most intuitive. */
void merkle_tlv(const struct tlv_field *fields, struct sha256 *merkle)
{
	struct sha256 **arr;
	struct sha256_ctx lnnonce_ctx;
	size_t n;

	SUPERVERBOSE("nonce tag:");
	h_lnnonce_ctx(&lnnonce_ctx, fields);

	/* We build an oversized power-of-2 symmentic tree, but with
	 * NULL nodes at the end.  When we recurse, we pass through
	 * NULL.  This is less efficient than calculating the
	 * power-of-2 split as we recurse, but simpler. */
	arr = tal_arrz(NULL, struct sha256 *,
		       1ULL << (ilog64(tal_count(fields)) + 1));

	n = 0;
	for (size_t i = 0; i < tal_count(fields); i++) {
		struct sha256 leaf, nonce;
		if (is_signature_field(&fields[i]))
			continue;
		calc_lnleaf(&fields[i], &leaf);
		calc_nonce(&lnnonce_ctx, &fields[i], &nonce);
		arr[n++] = merkle_pair(arr, &leaf, &nonce);
	}

	/* This should never happen, but define it a distinctive all-zeroes */
	if (n == 0)
		memset(merkle, 0, sizeof(*merkle));
	else
		*merkle = *merkle_recurse(cast_const2(const struct sha256 **, arr),
					  cast_const2(const struct sha256 **, arr),
					  tal_count(arr));
	tal_free(arr);
}

/* BOLT-offers #12:
 * All signatures are created as per
 * [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki)
 * and tagged as recommended there.  Thus we define H(`tag`,`msg`) as
 * SHA256(SHA256(`tag`) || SHA256(`tag`) || `msg`), and SIG(`tag`,`msg`,`key`)
 * as the signature of H(`tag`,`msg`) using `key`.
 *
 * Each form is signed using one or more *signature TLV elements*: TLV types
 * 240 through 1000 (inclusive).  For these, the tag is "lightning" ||
 * `messagename` || `fieldname`, and `msg` is the Merkle-root; "lightning" is
 * the literal 9-byte ASCII string, `messagename` is the name of the TLV
 * stream being signed (i.e. "invoice_request" or "invoice") and the
 * `fieldname` is the TLV field containing the signature (e.g. "signature").
 */
void sighash_from_merkle(const char *messagename,
			 const char *fieldname,
			 const struct sha256 *merkle,
			 struct sha256 *sighash)
{
	struct sha256_ctx sctx;

	bip340_sighash_init(&sctx, "lightning", messagename, fieldname);
	sha256_update(&sctx, merkle, sizeof(*merkle));
	sha256_done(&sctx, sighash);
}

/* We use the SHA(pubkey | publictweak); so reader cannot figure out the
 * tweak and derive the base key.
 */
void payer_key_tweak(const struct pubkey *bolt12,
		     const u8 *publictweak, size_t publictweaklen,
		     struct sha256 *tweak)
{
	u8 rawkey[PUBKEY_CMPR_LEN];
	struct sha256_ctx sha;

	pubkey_to_der(rawkey, bolt12);

	sha256_init(&sha);
	sha256_update(&sha, rawkey, sizeof(rawkey));
	sha256_update(&sha,
		      memcheck(publictweak, publictweaklen),
		      publictweaklen);
	sha256_done(&sha, tweak);
}