To match the local signatures found in test vectors, we must make sure
we don't use any additional randomess when generating signatures, as
we'll arrive at a different signature otherwise.
Generate local signatures with additional randomness
Previously, our local signatures would always be deterministic, whether
we'd grind for low R value signatures or not. For peers supporting
SegWit, Bitcoin Core will generally use a transaction's witness-txid, as
opposed to its txid, to advertise transactions. Therefore, to ensure a
transaction has the best chance to propagate across node mempools in the
network, each of its broadcast attempts should have a unique/distinct
witness-txid, which we can achieve by introducing random nonce data when
generating local signatures, such that they are no longer deterministic.
Now that we leverage a package's `height_timer` even for untractable
packages, there's no need to have it be an `Option` anymore. We aim to
not break compatibility by keeping the deserialization of such as an
`option`, and use the package's `height_original` when not present. This
allows us to retry packages from older `ChannelMonitor` versions that
have had a failed initial package broadcast.
Use existing height timer to retry untractable packages
Untractable packages are those which cannot have their fees updated once
signed, hence why they weren't retried. There's no harm in retrying
these packages by simply re-broadcasting them though, as the fee market
could have spontaneously spiked when we first broadcast it, leading to
our transaction not propagating throughout node mempools unless
broadcast manually.
Matt Corallo [Fri, 7 Apr 2023 20:48:01 +0000 (20:48 +0000)]
Expose the `RecipientOnionFields` in `Event::PaymentClaimable`
This finally completes the piping of the `payment_metadata` from
from the BOLT11 invoice on the sending side all the way through the
onion sending + receiving ends to the user on the receive events.
Matt Corallo [Fri, 7 Apr 2023 20:43:54 +0000 (20:43 +0000)]
Pipe received `payment_metadata` through the HTLC receipt pipeline
When we receive an HTLC, we want to pass the `payment_metadata`
through to the `PaymentClaimable` event. This does most of the
internal refactoring required to do so - storing a
`RecipientOnionFields` in the inbound HTLC tracking structs,
including the `payment_metadata`.
In the future this struct will allow us to do MPP keysend receipts
(as it now stores an Optional `payment_secret` for all inbound
payments) as well as custom TLV receipts (as the struct is
extensible to store additional fields and the internal API supports
filtering for fields which are consistent across HTLCs).
Matt Corallo [Fri, 7 Apr 2023 20:41:53 +0000 (20:41 +0000)]
`continue` automatically after `fail_htlc` in receiving an HTLC
If we receive an HTLC and are processing it a potential MPP part,
we always continue in the per-HTLC loop if we call the `fail_htlc`
macro, thus its nice to actually do the `continue` therein rather
than at the callsites.
Matt Corallo [Wed, 19 Apr 2023 14:51:45 +0000 (14:51 +0000)]
Add a debug_assert the newly-documented (but existing) requirement
If we add an entry to `claimable_payments` we have to ensure we
actually accept the HTLC we're considering, otherwise we'll end up
with an empty `claimable_payments` entry.
Matt Corallo [Fri, 24 Mar 2023 01:31:14 +0000 (01:31 +0000)]
Add a `payment_metadata` field to `RecipientOnionFields`
This adds the new `payment_metadata` to `RecipientOnionFields`,
passing the metadata from BOLT11 invoices through the send pipeline
and finally copying them info the onion when sending HTLCs.
This completes send-side support for the new payment metadata
feature.
Matt Corallo [Tue, 21 Dec 2021 06:03:07 +0000 (06:03 +0000)]
Support setting the new payment metadata field in invoices
This adds support for setting the new payment metadata field in
BOLT11 invoices, using a new type flag on the builder to enforce
transition correctness.
We allow users to set the payment metadata as either optional or
required, defaulting to optional so that invoice parsing does not
fail if the sender does not support payment metadata fields.
Matt Corallo [Tue, 21 Dec 2021 05:25:18 +0000 (05:25 +0000)]
Support reading the new `payment_metadata` field in invoices
This adds support for reading the new `PaymentMetadata` BOLT11
invoice field, giving us access to the `Vec<u8>` storing arbitrary
bytes we have to send to the recipient.
Matt Corallo [Mon, 17 Apr 2023 23:09:11 +0000 (23:09 +0000)]
Only disable channels ~10 min after disconnect, rather than one
We correctly send out a gossip channel disable update after one
full time tick being down (1-2 minutes). This is pretty nice in
that it avoids nodes trying to route through our nodes too often
if they're down. Other nodes have a much longer time window,
causing them to have much less aggressive channel disables. Sadly,
at one minute it's not super uncommon for tor nodes to get disabled
(once a day or so on two nodes I looked at), and this causes the
lightning terminal scorer to consider the LDK node unstable (even
though it's the one doing the disabling - so is online). This
causes user frustration and makes LDK look bad (even though it's
probably failing fewer payments).
Given this, and future switches to block-based `channel_update`
timestamp fields, it makes sense to go ahead and switch to delaying
channel disable announcements for 10 minutes. This puts us more in
line with other implementations and reduces gossip spam, at the
cost of less reliable payments.
Fixes #2175, at least the currently visible parts.
Matt Corallo [Mon, 17 Apr 2023 22:59:18 +0000 (22:59 +0000)]
Set `channel_update` disable bit based on staged even for onions
When generating a `channel_update` either in response to a fee
configuration change or an HTLC failure, we currently poll the
channel to check if the peer's connected when setting the disabled
bit in the `channel_update`. This could cause cases where we set
the disable bit even though the peer *just* disconnected, and don't
generate a followup broadcast `channel_update` with the disabled
bit unset.
While a node generally shouldn't rebroadcast a `channel_update` it
received in an onion, there's nothing inherently stopping them from
doing so. Obviously in the fee-update case we expect the message to
propagate.
Luckily, since we already "stage" disable-changed updates, we can
check the staged state and use that to set the disabled bit in all
`channel_update` cases.
At times, PRs can go through multiple pushes in a short amount of time,
spawning a workflow run for each. Most of the time, there's no need to
let the previous jobs running if the code itself has changed (e.g., via
a force push), and we'd benefit from having those slots be used by other
PRs/branches instead.
Matt Corallo [Sun, 16 Apr 2023 21:57:20 +0000 (21:57 +0000)]
Fix deserialization of u16 arrays
u16 arrays are used in the historical liquidity range tracker.
Previously, we read them without applying the stride multiple,
reading bytes repeatedly and at an offset, corrupting data as we
go.
This applies the correct stride multiplayer fixing the issue.
Matt Corallo [Fri, 17 Mar 2023 20:50:19 +0000 (20:50 +0000)]
Introduce traits to make test utils generic across the `CM` Holder
In our test utilities, we generally refer to a `Node` struct which
holds a `ChannelManager` and a number of other structs. However, we
use the same utilities in benchmarking, where we have a different
`Node`-like struct. This made moving from macros to functions
entirely impossible, as we end up needing multiple types in a given
context.
Thus, here, we take the pain and introduce some wrapper traits
which encapsulte what we need from `Node`, swapping some of our
macros to functions.
Matt Corallo [Sun, 9 Apr 2023 01:43:39 +0000 (01:43 +0000)]
Remove a race-y debug assertion in new channel update handling
In 6090d9e6a862a2010eb80be56b7449947bc08374 we swapped out old
debug assertions that checked that a lock was `try_lock`able to
test that certain locks weren't held when we needed to be able to
take them in some near branch. However, another slipped in after in
the `ChannelMonitorUpdate` handling rework, which is replaced with
the new debug assertions here.
Use signal for handling ChannelPending in test_background_event_handling
This fixes two potential panics within the test if the
`BackgroundProcessor` for `nodes[0]` consumed the `ChannelPending` event
prior to us consuming it manually in `end_open_channel`. The first panic
would happen within the event handler, since `ChannelPending` was not
being handled. The second panic would happen upon expecting the
`ChannelPending` event after handling `nodes[1]`'s `funding_signed` if
the `BackgroundProcessor` handled the event first. To ensure we still
reliably receive a `ChannelPending` event once possible, we let the
`BackgroundProcessor` consume the event and notify it.
Matt Corallo [Tue, 4 Apr 2023 04:21:45 +0000 (04:21 +0000)]
Add a `claim_deadline` field to `PaymentClaimable` with guarantees
Now that we guarantee `claim_payment` will always succeed we have
to let the user know what the deadline is. We still fail payments
if they haven't been claimed in time, which we now expose in
`PaymentClaimable`.
Matt Corallo [Sat, 1 Apr 2023 19:22:22 +0000 (19:22 +0000)]
Avoid holding a `per_peer_state` lock while claiming from a monitor
There's no reason to hold a lock on `per_peer_state` while we're
claiming from a since-closed channel via a `ChannelMonitorUpdate`,
which we stop doing here.
Matt Corallo [Thu, 6 Apr 2023 02:35:37 +0000 (02:35 +0000)]
Test for extra locks held in `handle_error` unconditionally
`handle_error` must be called without `per_peer_state` mutex or
`pending_events` mutex locks held or we may risk deadlocks.
Previously we checked this in debug builds in the error path, but
not in the success path.
As it turns out, `funding_transaction_generated`'s error path does
hold a `per_peer_state` lock, which we fix here as well as move the
tests to happen unconditionally.
Matt Corallo [Fri, 24 Mar 2023 05:32:56 +0000 (05:32 +0000)]
Pipe the new `RecipientOnionFields` through send pipeline
This passes the new `RecipientOnionFields` through the internal
sending APIs, ensuring we have access to the full struct when we
go to construct the sending onion so that we can include any new
fields added there.
Matt Corallo [Fri, 24 Mar 2023 01:19:20 +0000 (01:19 +0000)]
Add a `RecipientOnionFields` argument to spontaneous payment sends
While most lightning nodes don't (currently) support providing a
payment secret or payment metadata for spontaneous payments,
there's no specific technical reason why we shouldn't support
sending those fields to a recipient.
Further, when we eventually move to allowing custom TLV entries in
the recipient's onion TLV stream, we'll want to support it for
spontaneous payments as well.
Here we simply add the new `RecipientOnionFields` struct as an
argument to the spontaneous payment send methods. We don't yet
plumb it through the payment sending logic, which will come when we
plumb the new struct through the sending logic to replace the
existing payment secret arguments.
Matt Corallo [Wed, 22 Mar 2023 21:48:22 +0000 (21:48 +0000)]
Replace `PaymentSecret` with `RecipientOnionFields` in the pub API
This moves the public payment sending API from passing an explicit
`PaymentSecret` to a new `RecipientOnionFields` struct (which
currently only contains the `PaymentSecret`). This gives us
substantial additional flexibility as we look at add both
`PaymentMetadata`, a new (well, year-or-two-old) BOLT11 invoice
extension to provide additional data sent to the recipient.
In the future, we should also add the ability to add custom TLV
entries in the `RecipientOnionFields` struct.
Matt Corallo [Wed, 22 Mar 2023 19:15:52 +0000 (19:15 +0000)]
Remove the `PaymentSecret` field from `HTLCSource::OutboundRoute`
Many of the fields in `HTLCSource::OutboundRoute` are used to
rebuild the pending-outbound-payment map on reload if the
`ChannelManager` was not serialized though `ChannelMonitor`(s)
were after an HTLC was sent. As of 0.0.114, however, such payments
are not retryable without allowing them to fail and doing a full,
fresh, send.
Thus, some of the fields can be safely removed - we only really
care about having enough information to provide the user a failure
event, not being able to retry.
Here we drop one such field - the `payment_secret`, making our
`ChannelMonitorUpdate`s another handful of bytes smaller.
Matt Corallo [Tue, 4 Apr 2023 04:12:55 +0000 (04:12 +0000)]
Allow claiming a payment if a channel with an HTLC has closed
Previously, LDK would refuse to claim a payment if a channel on
which the payment was received had been closed between when the
HTLC was received and when we went to claim it. This makes sense in
the payment case - why pay an on-chain fee to claim the HTLC when
presumably the sender may retry later. Long ago it also reduced
total code in the claim pipeline.
However, this doesn't make sense if you're trying to do an atomic
swap or some other protocol that requires atomicity with some other
action - if your money got claimed elsewhere you need to be able to
claim the HTLC in lightning no matter what. Further, this is an
over-optimization - there should be a very, very low likelihood
that a channel closes between when we receive the last HTLC for a
payment and the user goes to claim the payment. Since we now have
code to handle this anyway we should allow it.
Matt Corallo [Mon, 3 Apr 2023 20:15:04 +0000 (20:15 +0000)]
Ensure `background-processor` exits after any sleep future says to
If the user's sleep future passed to an async background processor
only returns true for exiting once and then reverts back to false,
we should exit anyway when we get a chance to. We do to this here
by always ensuring we check the exit flag even when only polling
sleep futures with no intent to (yet) exit. This is utilized in the
tests added in the coming commit(s).
Matt Corallo [Mon, 3 Apr 2023 20:11:30 +0000 (20:11 +0000)]
Don't immediately exit BP if `ChannelManager` is persistable
If `ChannelManager` is persistable before the async background
processor even starts, it may not even get around to overwriting
the `should_exit` flag before testing it, and the default value is
(incorrectly) true, causing an immediate unconditional exit.
Matt Corallo [Mon, 3 Apr 2023 18:38:26 +0000 (18:38 +0000)]
Make `lightning-background-processor` test failures more debugable
Instead of asserting a `Result` `is_ok`, we should always simply
`unwrap` to get a backgrace, and we should avoid doing so if the
thread is already panicking.
projects / rust-lightning / log