Support invoice expiry over a year

jkczyz · jkczyz · commit f805e2b67d23 · 2022-01-21T17:38:30.000-06:00
The lightning-invoice crate represents timestamps as Duration since the
UNIX epoch rather than a SystemTime. Therefore, internal calculations
are in terms of u64-based Durations. This allows for relaxing the one
year maximum expiry.
diff --git a/lightning-invoice/src/lib.rs b/lightning-invoice/src/lib.rs
@@ -85,14 +85,16 @@ mod sync;
 
 pub use de::{ParseError, ParseOrSemanticError};
 
-// TODO: fix before 2037 (see rust PR #55527)
-/// Defines the maximum UNIX timestamp that can be represented as `SystemTime`. This is checked by
-/// one of the unit tests, please run them.
-const SYSTEM_TIME_MAX_UNIX_TIMESTAMP: u64 = core::i32::MAX as u64;
+/// The maximum timestamp that can be represented as a [`Duration`] since the UNIX epoch while
+/// allowing for adding an expiry without overflowing.
+const MAX_TIMESTAMP: u64 = core::i64::MAX as u64;
 
-/// Allow the expiry time to be up to one year. Since this reduces the range of possible timestamps
-/// it should be rather low as long as we still have to support 32bit time representations
-const MAX_EXPIRY_TIME: u64 = 60 * 60 * 24 * 356;
+/// The maximum expiry allowed, represented as a [`Duration`] since the invoice timestamp.
+const MAX_EXPIRY_TIME: u64 = (core::i64::MAX) as u64 + 1;
+
+/// Assert that the maximum expiry represented as a [`Duration`] since the UNIX epoch does not
+/// exceed [`u64::MAX`].
+const _MAX_EXPIRY_TIMESTAMP: u64 = MAX_TIMESTAMP + MAX_EXPIRY_TIME;
 
 /// Default expiry time as defined by [BOLT 11].
 ///
@@ -108,67 +110,6 @@ pub const DEFAULT_EXPIRY_TIME: u64 = 3600;
 /// [`MIN_FINAL_CLTV_EXPIRY`]: lightning::ln::channelmanager::MIN_FINAL_CLTV_EXPIRY
 pub const DEFAULT_MIN_FINAL_CLTV_EXPIRY: u64 = 18;
 
-/// This function is used as a static assert for the size of `SystemTime`. If the crate fails to
-/// compile due to it this indicates that your system uses unexpected bounds for `SystemTime`. You
-/// can remove this functions and run the test `test_system_time_bounds_assumptions`. In any case,
-/// please open an issue. If all tests pass you should be able to use this library safely by just
-/// removing this function till we patch it accordingly.
-#[cfg(feature = "std")]
-fn __system_time_size_check() {
-	// Use 2 * sizeof(u64) as expected size since the expected underlying implementation is storing
-	// a `Duration` since `SystemTime::UNIX_EPOCH`.
-	unsafe { let _ = core::mem::transmute_copy::<SystemTime, [u8; 16]>(&SystemTime::UNIX_EPOCH); }
-}
-
-
-/// **Call this function on startup to ensure that all assumptions about the platform are valid.**
-///
-/// Unfortunately we have to make assumptions about the upper bounds of the `SystemTime` type on
-/// your platform which we can't fully verify at compile time and which isn't part of it's contract.
-/// To our best knowledge our assumptions hold for all platforms officially supported by rust, but
-/// since this check is fast we recommend to do it anyway.
-///
-/// If this function fails this is considered a bug. Please open an issue describing your
-/// platform and stating your current system time.
-///
-/// Note that this currently does nothing in `no_std` environments, because they don't have
-/// a `SystemTime` implementation.
-///
-/// # Panics
-/// If the check fails this function panics. By calling this function on startup you ensure that
-/// this wont happen at an arbitrary later point in time.
-pub fn check_platform() {
-	#[cfg(feature = "std")]
-	check_system_time_bounds();
-}
-
-#[cfg(feature = "std")]
-fn check_system_time_bounds() {
-	// The upper and lower bounds of `SystemTime` are not part of its public contract and are
-	// platform specific. That's why we have to test if our assumptions regarding these bounds
-	// hold on the target platform.
-	//
-	// If this test fails on your platform, please don't use the library and open an issue
-	// instead so we can resolve the situation. Currently this library is tested on:
-	//   * Linux (64bit)
-	let fail_date = SystemTime::UNIX_EPOCH + Duration::from_secs(SYSTEM_TIME_MAX_UNIX_TIMESTAMP);
-	let year = Duration::from_secs(60 * 60 * 24 * 365);
-
-	// Make sure that the library will keep working for another year
-	assert!(fail_date.duration_since(SystemTime::now()).unwrap() > year);
-
-	let max_ts = PositiveTimestamp::from_unix_timestamp(
-		SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME
-	).unwrap();
-	let max_exp = ::ExpiryTime::from_seconds(MAX_EXPIRY_TIME).unwrap();
-
-	assert_eq!(
-		(max_ts.as_time() + *max_exp.as_duration()).duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(),
-		SYSTEM_TIME_MAX_UNIX_TIMESTAMP
-	);
-}
-
-
 /// Builder for `Invoice`s. It's the most convenient and advised way to use this library. It ensures
 /// that only a semantically and syntactically correct Invoice can be built using it.
 ///
@@ -447,8 +388,7 @@ pub struct PayeePubKey(pub PublicKey);
 ///
 /// # Invariants
 /// The number of seconds this expiry time represents has to be in the range
-/// `0...(SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME)` to avoid overflows when adding it to a
-/// timestamp
+/// `0...MAX_EXPIRY_TIME` to avoid overflows when adding it to a timestamp.
 #[derive(Clone, Debug, Hash, Eq, PartialEq)]
 pub struct ExpiryTime(Duration);
 
@@ -1003,32 +943,34 @@ impl RawInvoice {
 }
 
 impl PositiveTimestamp {
-	/// Create a new `PositiveTimestamp` from a unix timestamp in the Range
-	/// `0...SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME`, otherwise return a
-	/// `CreationError::TimestampOutOfBounds`.
+	/// Creates a `PositiveTimestamp` from a unix timestamp in the range `0...MAX_TIMESTAMP`.
+	///
+	/// Otherwise, returns a [`CreationError::TimestampOutOfBounds`].
 	pub fn from_unix_timestamp(unix_seconds: u64) -> Result<Self, CreationError> {
-		if unix_seconds > SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME {
+		if unix_seconds > MAX_TIMESTAMP {
 			Err(CreationError::TimestampOutOfBounds)
 		} else {
 			Ok(PositiveTimestamp(Duration::from_secs(unix_seconds)))
 		}
 	}
 
-	/// Create a new `PositiveTimestamp` from a `SystemTime` with a corresponding unix timestamp in
-	/// the range `0...SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME`, otherwise return a
-	/// `CreationError::TimestampOutOfBounds`.
+	/// Creates a `PositiveTimestamp` from a [`SystemTime`] with a corresponding unix timestamp in
+	/// the range `0...MAX_TIMESTAMP`.
+	///
+	/// Otherwise, returns a [`CreationError::TimestampOutOfBounds`].
 	#[cfg(feature = "std")]
 	pub fn from_system_time(time: SystemTime) -> Result<Self, CreationError> {
 		time.duration_since(SystemTime::UNIX_EPOCH)
 			.map(Self::from_duration_since_epoch)
 			.unwrap_or(Err(CreationError::TimestampOutOfBounds))
 	}
 
-	/// Create a new `PositiveTimestamp` from a `Duration` since the UNIX epoch in
-	/// the range `0...SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME`, otherwise return a
-	/// `CreationError::TimestampOutOfBounds`.
+	/// Creates a `PositiveTimestamp` from a [`Duration`] since the UNIX epoch in the range
+	/// `0...MAX_TIMESTAMP`.
+	///
+	/// Otherwise, returns a [`CreationError::TimestampOutOfBounds`].
 	pub fn from_duration_since_epoch(duration: Duration) -> Result<Self, CreationError> {
-		if duration.as_secs() <= SYSTEM_TIME_MAX_UNIX_TIMESTAMP - MAX_EXPIRY_TIME {
+		if duration.as_secs() <= MAX_TIMESTAMP {
 			Ok(PositiveTimestamp(duration))
 		} else {
 			Err(CreationError::TimestampOutOfBounds)
@@ -1399,7 +1341,7 @@ impl Deref for PayeePubKey {
 
 impl ExpiryTime {
 	/// Construct an `ExpiryTime` from seconds. If there exists a `PositiveTimestamp` which would
-	/// overflow on adding the `EpiryTime` to it then this function will return a
+	/// overflow on adding the `ExpiryTime` to it then this function will return a
 	/// `CreationError::ExpiryTimeOutOfBounds`.
 	pub fn from_seconds(seconds: u64) -> Result<ExpiryTime, CreationError> {
 		if seconds <= MAX_EXPIRY_TIME {
@@ -1410,7 +1352,7 @@ impl ExpiryTime {
 	}
 
 	/// Construct an `ExpiryTime` from a `Duration`. If there exists a `PositiveTimestamp` which
-	/// would overflow on adding the `EpiryTime` to it then this function will return a
+	/// would overflow on adding the `ExpiryTime` to it then this function will return a
 	/// `CreationError::ExpiryTimeOutOfBounds`.
 	pub fn from_duration(duration: Duration) -> Result<ExpiryTime, CreationError> {
 		if duration.as_secs() <= MAX_EXPIRY_TIME {
@@ -1594,10 +1536,8 @@ mod test {
 
 	#[test]
 	fn test_system_time_bounds_assumptions() {
-		::check_platform();
-
 		assert_eq!(
-			::PositiveTimestamp::from_unix_timestamp(::SYSTEM_TIME_MAX_UNIX_TIMESTAMP + 1),
+			::PositiveTimestamp::from_unix_timestamp(::MAX_TIMESTAMP + 1),
 			Err(::CreationError::TimestampOutOfBounds)
 		);
 
