Skip to content

Commit e91090a

Browse files
committed
Refer to payment info as info in inbound_payment not metadata
`payment_metadata` is a separate concept at the BOLT 11 layer (similar to payment secret, but arbitrary-sized) and at the BOLT 12 layer, so referring to payment information as "payment metadata" is confusing. Instead, use simply "payment info".
1 parent c2955a0 commit e91090a

1 file changed

Lines changed: 62 additions & 65 deletions

File tree

lightning/src/ln/inbound_payment.rs

Lines changed: 62 additions & 65 deletions
Original file line numberDiff line numberDiff line change
@@ -28,10 +28,10 @@ use crate::util::logger::Logger;
2828
use crate::prelude::*;
2929

3030
pub(crate) const IV_LEN: usize = 16;
31-
const METADATA_LEN: usize = 16;
32-
const METADATA_KEY_LEN: usize = 32;
31+
const INFO_LEN: usize = 16;
32+
const INFO_KEY_LEN: usize = 32;
3333
const AMT_MSAT_LEN: usize = 8;
34-
// Used to shift the payment type bits to take up the top 3 bits of the metadata bytes, or to
34+
// Used to shift the payment type bits to take up the top 3 bits of the info bytes, or to
3535
// retrieve said payment type bits.
3636
const METHOD_TYPE_OFFSET: usize = 5;
3737

@@ -40,20 +40,20 @@ const METHOD_TYPE_OFFSET: usize = 5;
4040
/// [`NodeSigner::get_expanded_key`]: crate::sign::NodeSigner::get_expanded_key
4141
#[derive(Hash, Copy, Clone, PartialEq, Eq, Debug)]
4242
pub struct ExpandedKey {
43-
/// The key used to encrypt the bytes containing the payment metadata (i.e. the amount and
43+
/// The key used to encrypt the bytes containing the payment info (i.e. the amount and
4444
/// expiry, included for payment verification on decryption).
45-
metadata_key: [u8; 32],
46-
/// The key used to authenticate an LDK-provided payment hash and metadata as previously
45+
info_key: [u8; 32],
46+
/// The key used to authenticate an LDK-provided payment hash and info as previously
4747
/// registered with LDK.
4848
ldk_pmt_hash_key: [u8; 32],
49-
/// The key used to authenticate a user-provided payment hash and metadata as previously
49+
/// The key used to authenticate a user-provided payment hash and info as previously
5050
/// registered with LDK.
5151
user_pmt_hash_key: [u8; 32],
5252
/// The base key used to derive signing keys and authenticate messages for BOLT 12 Offers.
5353
offers_base_key: [u8; 32],
5454
/// The key used to encrypt message metadata for BOLT 12 Offers.
5555
offers_encryption_key: [u8; 32],
56-
/// The key used to authenticate spontaneous payments' metadata as previously registered with LDK
56+
/// The key used to authenticate spontaneous payments' info as previously registered with LDK
5757
/// for inclusion in a blinded path.
5858
spontaneous_pmt_key: [u8; 32],
5959
/// The key used to authenticate phantom-node-shared blinded paths as generated by us. Note
@@ -68,7 +68,7 @@ impl ExpandedKey {
6868
/// It is recommended to cache this value and not regenerate it for each new inbound payment.
6969
pub fn new(key_material: [u8; 32]) -> ExpandedKey {
7070
let (
71-
metadata_key,
71+
info_key,
7272
ldk_pmt_hash_key,
7373
user_pmt_hash_key,
7474
offers_base_key,
@@ -77,7 +77,7 @@ impl ExpandedKey {
7777
phantom_node_blinded_path_key,
7878
) = hkdf_extract_expand_7x(b"LDK Inbound Payment Key Expansion", &key_material);
7979
Self {
80-
metadata_key,
80+
info_key,
8181
ldk_pmt_hash_key,
8282
user_pmt_hash_key,
8383
offers_base_key,
@@ -133,7 +133,7 @@ impl Method {
133133
}
134134
}
135135

136-
fn min_final_cltv_expiry_delta_from_metadata(bytes: [u8; METADATA_LEN]) -> u16 {
136+
fn min_final_cltv_expiry_delta_from_info(bytes: [u8; INFO_LEN]) -> u16 {
137137
let expiry_bytes = &bytes[AMT_MSAT_LEN..];
138138
u16::from_be_bytes([expiry_bytes[0], expiry_bytes[1]])
139139
}
@@ -156,7 +156,7 @@ pub fn create<ES: EntropySource>(
156156
keys: &ExpandedKey, min_value_msat: Option<u64>, invoice_expiry_delta_secs: u32,
157157
entropy_source: &ES, current_time: u64, min_final_cltv_expiry_delta: Option<u16>,
158158
) -> Result<(PaymentHash, PaymentSecret), ()> {
159-
let metadata_bytes = construct_metadata_bytes(
159+
let info_bytes = construct_info_bytes(
160160
min_value_msat,
161161
if min_final_cltv_expiry_delta.is_some() {
162162
Method::LdkPaymentHashCustomFinalCltv
@@ -174,11 +174,11 @@ pub fn create<ES: EntropySource>(
174174

175175
let mut hmac = HmacEngine::<Sha256>::new(&keys.ldk_pmt_hash_key);
176176
hmac.input(&iv_bytes);
177-
hmac.input(&metadata_bytes);
177+
hmac.input(&info_bytes);
178178
let payment_preimage_bytes = Hmac::from_engine(hmac).to_byte_array();
179179

180180
let ldk_pmt_hash = PaymentHash(Sha256::hash(&payment_preimage_bytes).to_byte_array());
181-
let payment_secret = construct_payment_secret(&iv_bytes, &metadata_bytes, &keys.metadata_key);
181+
let payment_secret = construct_payment_secret(&iv_bytes, &info_bytes, &keys.info_key);
182182
Ok((ldk_pmt_hash, payment_secret))
183183
}
184184

@@ -196,7 +196,7 @@ pub fn create_from_hash(
196196
keys: &ExpandedKey, min_value_msat: Option<u64>, payment_hash: PaymentHash,
197197
invoice_expiry_delta_secs: u32, current_time: u64, min_final_cltv_expiry_delta: Option<u16>,
198198
) -> Result<PaymentSecret, ()> {
199-
let metadata_bytes = construct_metadata_bytes(
199+
let info_bytes = construct_info_bytes(
200200
min_value_msat,
201201
if min_final_cltv_expiry_delta.is_some() {
202202
Method::UserPaymentHashCustomFinalCltv
@@ -209,21 +209,21 @@ pub fn create_from_hash(
209209
)?;
210210

211211
let mut hmac = HmacEngine::<Sha256>::new(&keys.user_pmt_hash_key);
212-
hmac.input(&metadata_bytes);
212+
hmac.input(&info_bytes);
213213
hmac.input(&payment_hash.0);
214214
let hmac_bytes = Hmac::from_engine(hmac).to_byte_array();
215215

216216
let mut iv_bytes = [0 as u8; IV_LEN];
217217
iv_bytes.copy_from_slice(&hmac_bytes[..IV_LEN]);
218218

219-
Ok(construct_payment_secret(&iv_bytes, &metadata_bytes, &keys.metadata_key))
219+
Ok(construct_payment_secret(&iv_bytes, &info_bytes, &keys.info_key))
220220
}
221221

222222
pub(crate) fn create_for_spontaneous_payment(
223223
keys: &ExpandedKey, min_value_msat: Option<u64>, invoice_expiry_delta_secs: u32,
224224
current_time: u64, min_final_cltv_expiry_delta: Option<u16>,
225225
) -> Result<PaymentSecret, ()> {
226-
let metadata_bytes = construct_metadata_bytes(
226+
let info_bytes = construct_info_bytes(
227227
min_value_msat,
228228
Method::SpontaneousPayment,
229229
invoice_expiry_delta_secs,
@@ -232,13 +232,13 @@ pub(crate) fn create_for_spontaneous_payment(
232232
)?;
233233

234234
let mut hmac = HmacEngine::<Sha256>::new(&keys.spontaneous_pmt_key);
235-
hmac.input(&metadata_bytes);
235+
hmac.input(&info_bytes);
236236
let hmac_bytes = Hmac::from_engine(hmac).to_byte_array();
237237

238238
let mut iv_bytes = [0 as u8; IV_LEN];
239239
iv_bytes.copy_from_slice(&hmac_bytes[..IV_LEN]);
240240

241-
Ok(construct_payment_secret(&iv_bytes, &metadata_bytes, &keys.metadata_key))
241+
Ok(construct_payment_secret(&iv_bytes, &info_bytes, &keys.info_key))
242242
}
243243

244244
pub(crate) fn calculate_absolute_expiry(
@@ -252,10 +252,10 @@ pub(crate) fn calculate_absolute_expiry(
252252
highest_seen_timestamp + invoice_expiry_delta_secs as u64 + 7200
253253
}
254254

255-
fn construct_metadata_bytes(
255+
fn construct_info_bytes(
256256
min_value_msat: Option<u64>, payment_type: Method, invoice_expiry_delta_secs: u32,
257257
highest_seen_timestamp: u64, min_final_cltv_expiry_delta: Option<u16>,
258-
) -> Result<[u8; METADATA_LEN], ()> {
258+
) -> Result<[u8; INFO_LEN], ()> {
259259
if min_value_msat.is_some() && min_value_msat.unwrap() > MAX_VALUE_MSAT {
260260
return Err(());
261261
}
@@ -290,43 +290,42 @@ fn construct_metadata_bytes(
290290
expiry_bytes[1] |= bytes[1];
291291
}
292292

293-
let mut metadata_bytes: [u8; METADATA_LEN] = [0; METADATA_LEN];
293+
let mut info_bytes: [u8; INFO_LEN] = [0; INFO_LEN];
294294

295-
metadata_bytes[..AMT_MSAT_LEN].copy_from_slice(&min_amt_msat_bytes);
296-
metadata_bytes[AMT_MSAT_LEN..].copy_from_slice(&expiry_bytes);
295+
info_bytes[..AMT_MSAT_LEN].copy_from_slice(&min_amt_msat_bytes);
296+
info_bytes[AMT_MSAT_LEN..].copy_from_slice(&expiry_bytes);
297297

298-
Ok(metadata_bytes)
298+
Ok(info_bytes)
299299
}
300300

301301
fn construct_payment_secret(
302-
iv_bytes: &[u8; IV_LEN], metadata_bytes: &[u8; METADATA_LEN],
303-
metadata_key: &[u8; METADATA_KEY_LEN],
302+
iv_bytes: &[u8; IV_LEN], info_bytes: &[u8; INFO_LEN], info_key: &[u8; INFO_KEY_LEN],
304303
) -> PaymentSecret {
305304
let mut payment_secret_bytes: [u8; 32] = [0; 32];
306-
let (iv_slice, encrypted_metadata_slice) = payment_secret_bytes.split_at_mut(IV_LEN);
305+
let (iv_slice, encrypted_info_slice) = payment_secret_bytes.split_at_mut(IV_LEN);
307306
iv_slice.copy_from_slice(iv_bytes);
308307

309-
encrypted_metadata_slice.copy_from_slice(metadata_bytes);
308+
encrypted_info_slice.copy_from_slice(info_bytes);
310309
ChaCha20::new_from_block(
311-
Key::new(*metadata_key),
310+
Key::new(*info_key),
312311
Nonce::new(iv_bytes[4..].try_into().unwrap()),
313312
u32::from_le_bytes(iv_bytes[..4].try_into().unwrap()),
314313
)
315-
.apply_keystream(encrypted_metadata_slice);
314+
.apply_keystream(encrypted_info_slice);
316315

317316
PaymentSecret(payment_secret_bytes)
318317
}
319318

320319
/// Check that an inbound payment's `payment_data` field is sane.
321320
///
322321
/// LDK does not store any data for pending inbound payments. Instead, we construct our payment
323-
/// secret (and, if supplied by LDK, our payment preimage) to include encrypted metadata about the
324-
/// payment.
322+
/// secret (and, if supplied by LDK, our payment preimage) to include encrypted information about
323+
/// the payment.
325324
///
326-
/// For payments without a custom `min_final_cltv_expiry_delta`, the metadata is constructed as:
325+
/// For payments without a custom `min_final_cltv_expiry_delta`, the payment info is:
327326
/// payment method (3 bits) || payment amount (8 bytes - 3 bits) || expiry (8 bytes)
328327
///
329-
/// For payments including a custom `min_final_cltv_expiry_delta`, the metadata is constructed as:
328+
/// For payments including a custom `min_final_cltv_expiry_delta`, the payment info is:
330329
/// payment method (3 bits) || payment amount (8 bytes - 3 bits) || min_final_cltv_expiry_delta (2 bytes) || expiry (6 bytes)
331330
///
332331
/// In both cases the result is then encrypted using a key derived from [`NodeSigner::get_expanded_key`].
@@ -339,14 +338,14 @@ fn construct_payment_secret(
339338
/// method is called, then the payment method bits mentioned above are represented internally as
340339
/// [`Method::LdkPaymentHash`]. If the latter, [`Method::UserPaymentHash`].
341340
///
342-
/// For the former method, the payment preimage is constructed as an HMAC of payment metadata and
343-
/// random bytes. Because the payment secret is also encoded with these random bytes and metadata
344-
/// (with the metadata encrypted with a block cipher), we're able to authenticate the preimage on
341+
/// For the former method, the payment preimage is constructed as an HMAC of payment info and
342+
/// random bytes. Because the payment secret is also encoded with these random bytes and info
343+
/// (with the info encrypted with a block cipher), we're able to authenticate the preimage on
345344
/// payment receipt.
346345
///
347346
/// For the latter, the payment secret instead contains an HMAC of the user-provided payment hash
348-
/// and payment metadata (encrypted with a block cipher), allowing us to authenticate the payment
349-
/// hash and metadata on payment receipt.
347+
/// and payment info (encrypted with a block cipher), allowing us to authenticate the payment
348+
/// hash and info on payment receipt.
350349
///
351350
/// See [`ExpandedKey`] docs for more info on the individual keys used.
352351
///
@@ -357,14 +356,13 @@ pub(super) fn verify<L: Logger>(
357356
payment_hash: PaymentHash, payment_data: &msgs::FinalOnionHopData, highest_seen_timestamp: u64,
358357
keys: &ExpandedKey, logger: &L,
359358
) -> Result<(Option<PaymentPreimage>, Option<u16>), ()> {
360-
let (iv_bytes, metadata_bytes) = decrypt_metadata(payment_data.payment_secret, keys);
359+
let (iv_bytes, info_bytes) = decrypt_info(payment_data.payment_secret, keys);
361360

362-
let payment_type_res =
363-
Method::from_bits((metadata_bytes[0] & 0b1110_0000) >> METHOD_TYPE_OFFSET);
361+
let payment_type_res = Method::from_bits((info_bytes[0] & 0b1110_0000) >> METHOD_TYPE_OFFSET);
364362
let mut amt_msat_bytes = [0; AMT_MSAT_LEN];
365-
let mut expiry_bytes = [0; METADATA_LEN - AMT_MSAT_LEN];
366-
amt_msat_bytes.copy_from_slice(&metadata_bytes[..AMT_MSAT_LEN]);
367-
expiry_bytes.copy_from_slice(&metadata_bytes[AMT_MSAT_LEN..]);
363+
let mut expiry_bytes = [0; INFO_LEN - AMT_MSAT_LEN];
364+
amt_msat_bytes.copy_from_slice(&info_bytes[..AMT_MSAT_LEN]);
365+
expiry_bytes.copy_from_slice(&info_bytes[AMT_MSAT_LEN..]);
368366
// Zero out the bits reserved to indicate the payment type.
369367
amt_msat_bytes[0] &= 0b00011111;
370368
let mut min_final_cltv_expiry_delta = None;
@@ -375,7 +373,7 @@ pub(super) fn verify<L: Logger>(
375373
match payment_type_res {
376374
Ok(Method::UserPaymentHash) | Ok(Method::UserPaymentHashCustomFinalCltv) => {
377375
let mut hmac = HmacEngine::<Sha256>::new(&keys.user_pmt_hash_key);
378-
hmac.input(&metadata_bytes[..]);
376+
hmac.input(&info_bytes[..]);
379377
hmac.input(&payment_hash.0);
380378
if !fixed_time_eq(
381379
&iv_bytes,
@@ -390,7 +388,7 @@ pub(super) fn verify<L: Logger>(
390388
}
391389
},
392390
Ok(Method::LdkPaymentHash) | Ok(Method::LdkPaymentHashCustomFinalCltv) => {
393-
match derive_ldk_payment_preimage(payment_hash, &iv_bytes, &metadata_bytes, keys) {
391+
match derive_ldk_payment_preimage(payment_hash, &iv_bytes, &info_bytes, keys) {
394392
Ok(preimage) => payment_preimage = Some(preimage),
395393
Err(bad_preimage_bytes) => {
396394
log_trace!(
@@ -405,7 +403,7 @@ pub(super) fn verify<L: Logger>(
405403
},
406404
Ok(Method::SpontaneousPayment) => {
407405
let mut hmac = HmacEngine::<Sha256>::new(&keys.spontaneous_pmt_key);
408-
hmac.input(&metadata_bytes[..]);
406+
hmac.input(&info_bytes[..]);
409407
if !fixed_time_eq(
410408
&iv_bytes,
411409
&Hmac::from_engine(hmac).to_byte_array().split_at_mut(IV_LEN).0,
@@ -427,8 +425,7 @@ pub(super) fn verify<L: Logger>(
427425

428426
match payment_type_res {
429427
Ok(Method::UserPaymentHashCustomFinalCltv) | Ok(Method::LdkPaymentHashCustomFinalCltv) => {
430-
min_final_cltv_expiry_delta =
431-
Some(min_final_cltv_expiry_delta_from_metadata(metadata_bytes));
428+
min_final_cltv_expiry_delta = Some(min_final_cltv_expiry_delta_from_info(info_bytes));
432429
// Zero out first two bytes of expiry reserved for `min_final_cltv_expiry_delta`.
433430
expiry_bytes[0] &= 0;
434431
expiry_bytes[1] &= 0;
@@ -455,11 +452,11 @@ pub(super) fn verify<L: Logger>(
455452
pub(super) fn get_payment_preimage(
456453
payment_hash: PaymentHash, payment_secret: PaymentSecret, keys: &ExpandedKey,
457454
) -> Result<PaymentPreimage, APIError> {
458-
let (iv_bytes, metadata_bytes) = decrypt_metadata(payment_secret, keys);
455+
let (iv_bytes, info_bytes) = decrypt_info(payment_secret, keys);
459456

460-
match Method::from_bits((metadata_bytes[0] & 0b1110_0000) >> METHOD_TYPE_OFFSET) {
457+
match Method::from_bits((info_bytes[0] & 0b1110_0000) >> METHOD_TYPE_OFFSET) {
461458
Ok(Method::LdkPaymentHash) | Ok(Method::LdkPaymentHashCustomFinalCltv) => {
462-
derive_ldk_payment_preimage(payment_hash, &iv_bytes, &metadata_bytes, keys).map_err(
459+
derive_ldk_payment_preimage(payment_hash, &iv_bytes, &info_bytes, keys).map_err(
463460
|bad_preimage_bytes| APIError::APIMisuseError {
464461
err: format!(
465462
"Payment hash {} did not match decoded preimage {}",
@@ -484,34 +481,34 @@ pub(super) fn get_payment_preimage(
484481
}
485482
}
486483

487-
fn decrypt_metadata(
484+
fn decrypt_info(
488485
payment_secret: PaymentSecret, keys: &ExpandedKey,
489-
) -> ([u8; IV_LEN], [u8; METADATA_LEN]) {
486+
) -> ([u8; IV_LEN], [u8; INFO_LEN]) {
490487
let mut iv_bytes = [0; IV_LEN];
491-
let (iv_slice, encrypted_metadata_bytes) = payment_secret.0.split_at(IV_LEN);
488+
let (iv_slice, encrypted_info_bytes) = payment_secret.0.split_at(IV_LEN);
492489
iv_bytes.copy_from_slice(iv_slice);
493490

494-
let mut metadata_bytes: [u8; METADATA_LEN] = [0; METADATA_LEN];
495-
metadata_bytes.copy_from_slice(encrypted_metadata_bytes);
491+
let mut info_bytes: [u8; INFO_LEN] = [0; INFO_LEN];
492+
info_bytes.copy_from_slice(encrypted_info_bytes);
496493
ChaCha20::new_from_block(
497-
Key::new(keys.metadata_key),
494+
Key::new(keys.info_key),
498495
Nonce::new(iv_bytes[4..].try_into().unwrap()),
499496
u32::from_le_bytes(iv_bytes[..4].try_into().unwrap()),
500497
)
501-
.apply_keystream(&mut metadata_bytes);
498+
.apply_keystream(&mut info_bytes);
502499

503-
(iv_bytes, metadata_bytes)
500+
(iv_bytes, info_bytes)
504501
}
505502

506503
// Errors if the payment preimage doesn't match `payment_hash`. Returns the bad preimage bytes in
507504
// this case.
508505
fn derive_ldk_payment_preimage(
509-
payment_hash: PaymentHash, iv_bytes: &[u8; IV_LEN], metadata_bytes: &[u8; METADATA_LEN],
506+
payment_hash: PaymentHash, iv_bytes: &[u8; IV_LEN], info_bytes: &[u8; INFO_LEN],
510507
keys: &ExpandedKey,
511508
) -> Result<PaymentPreimage, [u8; 32]> {
512509
let mut hmac = HmacEngine::<Sha256>::new(&keys.ldk_pmt_hash_key);
513510
hmac.input(iv_bytes);
514-
hmac.input(metadata_bytes);
511+
hmac.input(info_bytes);
515512
let decoded_payment_preimage = Hmac::from_engine(hmac).to_byte_array();
516513
if !fixed_time_eq(&payment_hash.0, &Sha256::hash(&decoded_payment_preimage).to_byte_array()) {
517514
return Err(decoded_payment_preimage);

0 commit comments

Comments
 (0)