common/bolt11: Fix BOLT11 hash calculation for unknown fallback address versions

[erickcestari]

When processing BOLT11 invoices containing unknown fallback address versions (discovered using bitcoinfuzz differential fuzzing), the hash calculation produces different results across Lightning implementations (Lnd vs CLightning):

The example invoice is decoded differently by Lnd and CLightning.

lnbc1qqqqqqg9qqsqqsqqsqqdqqpp5s7zxqqqqqqqqqqqqqqqdqqqqqqqqqqqqqqqqqqqqq8qqq9qqqqqqfq95xw7tfpp35qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqcqpjqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqyqyqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq5s846z

This results in different recipient pubkeys:

LND: 03027be81b41bdfda1ded1f4e0dd5a997635ad325a6e119f414a92fe78c86a45cf
CLightning: 03e6b1f437d1984a58e4192289e8e0f21e2bbcd863dc43374037e61621abb8d1de

The difference occurs in the hash calculation which affects signature verification.

Root Cause

The issue occurs in the fallback address processing (decode_f function). When an unknown version is encountered in the fallback address field, the current implementation incorrectly includes the version bytes in the hash calculation before determining whether it's a known or unknown version. Then, when delegating to the unknown_field handler, the version bytes get included in the hash calculation a second time, resulting in inconsistent hash values across implementations.

Solution

The fix separates the version reading from the hash commitment:

• First reads the version without committing it to the hash
• For unknown versions, properly delegates to the unknown_field handler
• For known versions (17, 18, or < 17), processes them normally with proper hash calculation

CI Failure Details

The issue was caught by bitcoinfuzz in CI with the following error:

Invoice deserialization failed for lnbc1qqqqqqg9qqsqqsqqsqqdqqpp5s7zxqqqqqqqqqqqqqqqdqqqqqqqqqqqqqqqqqqqqq8qqq9qqqqqqfq95xw7tfpp35qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqcqpjqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqyqyqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq5s846z
bitcoinfuzz: driver.cpp:125: void bitcoinfuzz::Driver::InvoiceDeserializationTarget(std::span<const uint8_t>) const: Assertion `*res == *last_response' failed.
==38107== ERROR: libFuzzer: deadly signal
Module: Lnd
Result: HASH=878460000000000000000000d000000000000000000000000001c00014000000;AMOUNT=0;DESCRIPTION=;RECIPIENT=03027be81b41bdfda1ded1f4e0dd5a997635ad325a6e119f414a92fe78c86a45cf;EXPIRY=3600;TIMESTAMP=8;ROUTING_HINTS=0;MIN_CLTV=18
Module: CLightning
Result: HASH=878460000000000000000000d000000000000000000000000001c00014000000;AMOUNT=0;DESCRIPTION=;RECIPIENT=03e6b1f437d1984a58e4192289e8e0f21e2bbcd863dc43374037e61621abb8d1de;EXPIRY=3600;TIMESTAMP=8;ROUTING_HINTS=0;MIN_CLTV=18

See full details at: https://github.com/bitcoinfuzz/bitcoinfuzz/actions/runs/15113684421/job/42478878043#step:33:58