1 //! The logic to monitor for on-chain transactions and create the relevant claim responses lives
4 //! ChannelMonitor objects are generated by ChannelManager in response to relevant
5 //! messages/actions, and MUST be persisted to disk (and, preferably, remotely) before progress can
6 //! be made in responding to certain messages, see [`chain::Watch`] for more.
8 //! Note that ChannelMonitors are an important part of the lightning trust model and a copy of the
9 //! latest ChannelMonitor must always be actively monitoring for chain updates (and no out-of-date
10 //! ChannelMonitors should do so). Thus, if you're building rust-lightning into an HSM or other
11 //! security-domain-separated system design, you should consider having multiple paths for
12 //! ChannelMonitors to get out of the HSM and onto monitoring devices.
14 //! [`chain::Watch`]: ../trait.Watch.html
17 use bitcoin::hashes::Hash;
18 use crate::c_types::*;
21 use lightning::chain::channelmonitor::ChannelMonitorUpdate as nativeChannelMonitorUpdateImport;
22 type nativeChannelMonitorUpdate = nativeChannelMonitorUpdateImport;
24 /// An update generated by the underlying Channel itself which contains some new information the
25 /// ChannelMonitor should be made aware of.
28 pub struct ChannelMonitorUpdate {
29 /// Nearly everyhwere, inner must be non-null, however in places where
30 /// the Rust equivalent takes an Option, it may be set to null to indicate None.
31 pub inner: *mut nativeChannelMonitorUpdate,
35 impl Drop for ChannelMonitorUpdate {
37 if self.is_owned && !self.inner.is_null() {
38 let _ = unsafe { Box::from_raw(self.inner) };
43 pub extern "C" fn ChannelMonitorUpdate_free(this_ptr: ChannelMonitorUpdate) { }
45 /// Used only if an object of this type is returned as a trait impl by a method
46 extern "C" fn ChannelMonitorUpdate_free_void(this_ptr: *mut c_void) {
47 unsafe { let _ = Box::from_raw(this_ptr as *mut nativeChannelMonitorUpdate); }
50 /// When moving out of the pointer, we have to ensure we aren't a reference, this makes that easy
51 impl ChannelMonitorUpdate {
52 pub(crate) fn take_ptr(mut self) -> *mut nativeChannelMonitorUpdate {
53 assert!(self.is_owned);
55 self.inner = std::ptr::null_mut();
59 impl Clone for ChannelMonitorUpdate {
60 fn clone(&self) -> Self {
62 inner: Box::into_raw(Box::new(unsafe { &*self.inner }.clone())),
68 /// Used only if an object of this type is returned as a trait impl by a method
69 pub(crate) extern "C" fn ChannelMonitorUpdate_clone_void(this_ptr: *const c_void) -> *mut c_void {
70 Box::into_raw(Box::new(unsafe { (*(this_ptr as *mut nativeChannelMonitorUpdate)).clone() })) as *mut c_void
72 /// The sequence number of this update. Updates *must* be replayed in-order according to this
73 /// sequence number (and updates may panic if they are not). The update_id values are strictly
74 /// increasing and increase by one for each new update.
76 /// This sequence number is also used to track up to which points updates which returned
77 /// ChannelMonitorUpdateErr::TemporaryFailure have been applied to all copies of a given
78 /// ChannelMonitor when ChannelManager::channel_monitor_updated is called.
80 pub extern "C" fn ChannelMonitorUpdate_get_update_id(this_ptr: &ChannelMonitorUpdate) -> u64 {
81 let mut inner_val = &mut unsafe { &mut *this_ptr.inner }.update_id;
84 /// The sequence number of this update. Updates *must* be replayed in-order according to this
85 /// sequence number (and updates may panic if they are not). The update_id values are strictly
86 /// increasing and increase by one for each new update.
88 /// This sequence number is also used to track up to which points updates which returned
89 /// ChannelMonitorUpdateErr::TemporaryFailure have been applied to all copies of a given
90 /// ChannelMonitor when ChannelManager::channel_monitor_updated is called.
92 pub extern "C" fn ChannelMonitorUpdate_set_update_id(this_ptr: &mut ChannelMonitorUpdate, mut val: u64) {
93 unsafe { &mut *this_ptr.inner }.update_id = val;
96 pub extern "C" fn ChannelMonitorUpdate_write(obj: *const ChannelMonitorUpdate) -> crate::c_types::derived::CVec_u8Z {
97 crate::c_types::serialize_obj(unsafe { &(*(*obj).inner) })
100 pub extern "C" fn ChannelMonitorUpdate_read(ser: crate::c_types::u8slice) -> ChannelMonitorUpdate {
101 if let Ok(res) = crate::c_types::deserialize_obj(ser) {
102 ChannelMonitorUpdate { inner: Box::into_raw(Box::new(res)), is_owned: true }
104 ChannelMonitorUpdate { inner: std::ptr::null_mut(), is_owned: true }
107 /// An error enum representing a failure to persist a channel monitor update.
111 pub enum ChannelMonitorUpdateErr {
112 /// Used to indicate a temporary failure (eg connection to a watchtower or remote backup of
113 /// our state failed, but is expected to succeed at some point in the future).
115 /// Such a failure will \"freeze\" a channel, preventing us from revoking old states or
116 /// submitting new commitment transactions to the counterparty. Once the update(s) which failed
117 /// have been successfully applied, ChannelManager::channel_monitor_updated can be used to
118 /// restore the channel to an operational state.
120 /// Note that a given ChannelManager will *never* re-generate a given ChannelMonitorUpdate. If
121 /// you return a TemporaryFailure you must ensure that it is written to disk safely before
122 /// writing out the latest ChannelManager state.
124 /// Even when a channel has been \"frozen\" updates to the ChannelMonitor can continue to occur
125 /// (eg if an inbound HTLC which we forwarded was claimed upstream resulting in us attempting
126 /// to claim it on this channel) and those updates must be applied wherever they can be. At
127 /// least one such updated ChannelMonitor must be persisted otherwise PermanentFailure should
128 /// be returned to get things on-chain ASAP using only the in-memory copy. Obviously updates to
129 /// the channel which would invalidate previous ChannelMonitors are not made when a channel has
132 /// Note that even if updates made after TemporaryFailure succeed you must still call
133 /// channel_monitor_updated to ensure you have the latest monitor and re-enable normal channel
136 /// Note that the update being processed here will not be replayed for you when you call
137 /// ChannelManager::channel_monitor_updated, so you must store the update itself along
138 /// with the persisted ChannelMonitor on your own local disk prior to returning a
139 /// TemporaryFailure. You may, of course, employ a journaling approach, storing only the
140 /// ChannelMonitorUpdate on disk without updating the monitor itself, replaying the journal at
143 /// For deployments where a copy of ChannelMonitors and other local state are backed up in a
144 /// remote location (with local copies persisted immediately), it is anticipated that all
145 /// updates will return TemporaryFailure until the remote copies could be updated.
147 /// Used to indicate no further channel monitor updates will be allowed (eg we've moved on to a
148 /// different watchtower and cannot update with all watchtowers that were previously informed
149 /// of this channel).
151 /// At reception of this error, ChannelManager will force-close the channel and return at
152 /// least a final ChannelMonitorUpdate::ChannelForceClosed which must be delivered to at
153 /// least one ChannelMonitor copy. Revocation secret MUST NOT be released and offchain channel
154 /// update must be rejected.
156 /// This failure may also signal a failure to update the local persisted copy of one of
157 /// the channel monitor instance.
159 /// Note that even when you fail a holder commitment transaction update, you must store the
160 /// update to ensure you can claim from it in case of a duplicate copy of this ChannelMonitor
161 /// broadcasts it (e.g distributed channel-monitor deployment)
163 /// In case of distributed watchtowers deployment, the new version must be written to disk, as
164 /// state may have been stored but rejected due to a block forcing a commitment broadcast. This
165 /// storage is used to claim outputs of rejected state confirmed onchain by another watchtower,
166 /// lagging behind on block processing.
169 use lightning::chain::channelmonitor::ChannelMonitorUpdateErr as nativeChannelMonitorUpdateErr;
170 impl ChannelMonitorUpdateErr {
172 pub(crate) fn to_native(&self) -> nativeChannelMonitorUpdateErr {
174 ChannelMonitorUpdateErr::TemporaryFailure => nativeChannelMonitorUpdateErr::TemporaryFailure,
175 ChannelMonitorUpdateErr::PermanentFailure => nativeChannelMonitorUpdateErr::PermanentFailure,
179 pub(crate) fn into_native(self) -> nativeChannelMonitorUpdateErr {
181 ChannelMonitorUpdateErr::TemporaryFailure => nativeChannelMonitorUpdateErr::TemporaryFailure,
182 ChannelMonitorUpdateErr::PermanentFailure => nativeChannelMonitorUpdateErr::PermanentFailure,
186 pub(crate) fn from_native(native: &nativeChannelMonitorUpdateErr) -> Self {
188 nativeChannelMonitorUpdateErr::TemporaryFailure => ChannelMonitorUpdateErr::TemporaryFailure,
189 nativeChannelMonitorUpdateErr::PermanentFailure => ChannelMonitorUpdateErr::PermanentFailure,
193 pub(crate) fn native_into(native: nativeChannelMonitorUpdateErr) -> Self {
195 nativeChannelMonitorUpdateErr::TemporaryFailure => ChannelMonitorUpdateErr::TemporaryFailure,
196 nativeChannelMonitorUpdateErr::PermanentFailure => ChannelMonitorUpdateErr::PermanentFailure,
201 use lightning::chain::channelmonitor::MonitorUpdateError as nativeMonitorUpdateErrorImport;
202 type nativeMonitorUpdateError = nativeMonitorUpdateErrorImport;
204 /// General Err type for ChannelMonitor actions. Generally, this implies that the data provided is
205 /// inconsistent with the ChannelMonitor being called. eg for ChannelMonitor::update_monitor this
206 /// means you tried to update a monitor for a different channel or the ChannelMonitorUpdate was
208 /// Contains a human-readable error message.
211 pub struct MonitorUpdateError {
212 /// Nearly everyhwere, inner must be non-null, however in places where
213 /// the Rust equivalent takes an Option, it may be set to null to indicate None.
214 pub inner: *mut nativeMonitorUpdateError,
218 impl Drop for MonitorUpdateError {
220 if self.is_owned && !self.inner.is_null() {
221 let _ = unsafe { Box::from_raw(self.inner) };
226 pub extern "C" fn MonitorUpdateError_free(this_ptr: MonitorUpdateError) { }
228 /// Used only if an object of this type is returned as a trait impl by a method
229 extern "C" fn MonitorUpdateError_free_void(this_ptr: *mut c_void) {
230 unsafe { let _ = Box::from_raw(this_ptr as *mut nativeMonitorUpdateError); }
233 /// When moving out of the pointer, we have to ensure we aren't a reference, this makes that easy
234 impl MonitorUpdateError {
235 pub(crate) fn take_ptr(mut self) -> *mut nativeMonitorUpdateError {
236 assert!(self.is_owned);
237 let ret = self.inner;
238 self.inner = std::ptr::null_mut();
243 use lightning::chain::channelmonitor::MonitorEvent as nativeMonitorEventImport;
244 type nativeMonitorEvent = nativeMonitorEventImport;
246 /// An event to be processed by the ChannelManager.
249 pub struct MonitorEvent {
250 /// Nearly everyhwere, inner must be non-null, however in places where
251 /// the Rust equivalent takes an Option, it may be set to null to indicate None.
252 pub inner: *mut nativeMonitorEvent,
256 impl Drop for MonitorEvent {
258 if self.is_owned && !self.inner.is_null() {
259 let _ = unsafe { Box::from_raw(self.inner) };
264 pub extern "C" fn MonitorEvent_free(this_ptr: MonitorEvent) { }
266 /// Used only if an object of this type is returned as a trait impl by a method
267 extern "C" fn MonitorEvent_free_void(this_ptr: *mut c_void) {
268 unsafe { let _ = Box::from_raw(this_ptr as *mut nativeMonitorEvent); }
271 /// When moving out of the pointer, we have to ensure we aren't a reference, this makes that easy
273 pub(crate) fn take_ptr(mut self) -> *mut nativeMonitorEvent {
274 assert!(self.is_owned);
275 let ret = self.inner;
276 self.inner = std::ptr::null_mut();
281 use lightning::chain::channelmonitor::HTLCUpdate as nativeHTLCUpdateImport;
282 type nativeHTLCUpdate = nativeHTLCUpdateImport;
284 /// Simple structure sent back by `chain::Watch` when an HTLC from a forward channel is detected on
285 /// chain. Used to update the corresponding HTLC in the backward channel. Failing to pass the
286 /// preimage claim backward will lead to loss of funds.
288 /// [`chain::Watch`]: ../trait.Watch.html
291 pub struct HTLCUpdate {
292 /// Nearly everyhwere, inner must be non-null, however in places where
293 /// the Rust equivalent takes an Option, it may be set to null to indicate None.
294 pub inner: *mut nativeHTLCUpdate,
298 impl Drop for HTLCUpdate {
300 if self.is_owned && !self.inner.is_null() {
301 let _ = unsafe { Box::from_raw(self.inner) };
306 pub extern "C" fn HTLCUpdate_free(this_ptr: HTLCUpdate) { }
308 /// Used only if an object of this type is returned as a trait impl by a method
309 extern "C" fn HTLCUpdate_free_void(this_ptr: *mut c_void) {
310 unsafe { let _ = Box::from_raw(this_ptr as *mut nativeHTLCUpdate); }
313 /// When moving out of the pointer, we have to ensure we aren't a reference, this makes that easy
315 pub(crate) fn take_ptr(mut self) -> *mut nativeHTLCUpdate {
316 assert!(self.is_owned);
317 let ret = self.inner;
318 self.inner = std::ptr::null_mut();
322 impl Clone for HTLCUpdate {
323 fn clone(&self) -> Self {
325 inner: Box::into_raw(Box::new(unsafe { &*self.inner }.clone())),
331 /// Used only if an object of this type is returned as a trait impl by a method
332 pub(crate) extern "C" fn HTLCUpdate_clone_void(this_ptr: *const c_void) -> *mut c_void {
333 Box::into_raw(Box::new(unsafe { (*(this_ptr as *mut nativeHTLCUpdate)).clone() })) as *mut c_void
336 pub extern "C" fn HTLCUpdate_write(obj: *const HTLCUpdate) -> crate::c_types::derived::CVec_u8Z {
337 crate::c_types::serialize_obj(unsafe { &(*(*obj).inner) })
340 pub extern "C" fn HTLCUpdate_read(ser: crate::c_types::u8slice) -> HTLCUpdate {
341 if let Ok(res) = crate::c_types::deserialize_obj(ser) {
342 HTLCUpdate { inner: Box::into_raw(Box::new(res)), is_owned: true }
344 HTLCUpdate { inner: std::ptr::null_mut(), is_owned: true }
348 use lightning::chain::channelmonitor::ChannelMonitor as nativeChannelMonitorImport;
349 type nativeChannelMonitor = nativeChannelMonitorImport<crate::chain::keysinterface::ChannelKeys>;
351 /// A ChannelMonitor handles chain events (blocks connected and disconnected) and generates
352 /// on-chain transactions to ensure no loss of funds occurs.
354 /// You MUST ensure that no ChannelMonitors for a given channel anywhere contain out-of-date
355 /// information and are actively monitoring the chain.
357 /// Pending Events or updated HTLCs which have not yet been read out by
358 /// get_and_clear_pending_monitor_events or get_and_clear_pending_events are serialized to disk and
359 /// reloaded at deserialize-time. Thus, you must ensure that, when handling events, all events
360 /// gotten are fully handled before re-serializing the new state.
363 pub struct ChannelMonitor {
364 /// Nearly everyhwere, inner must be non-null, however in places where
365 /// the Rust equivalent takes an Option, it may be set to null to indicate None.
366 pub inner: *mut nativeChannelMonitor,
370 impl Drop for ChannelMonitor {
372 if self.is_owned && !self.inner.is_null() {
373 let _ = unsafe { Box::from_raw(self.inner) };
378 pub extern "C" fn ChannelMonitor_free(this_ptr: ChannelMonitor) { }
380 /// Used only if an object of this type is returned as a trait impl by a method
381 extern "C" fn ChannelMonitor_free_void(this_ptr: *mut c_void) {
382 unsafe { let _ = Box::from_raw(this_ptr as *mut nativeChannelMonitor); }
385 /// When moving out of the pointer, we have to ensure we aren't a reference, this makes that easy
386 impl ChannelMonitor {
387 pub(crate) fn take_ptr(mut self) -> *mut nativeChannelMonitor {
388 assert!(self.is_owned);
389 let ret = self.inner;
390 self.inner = std::ptr::null_mut();
394 /// Updates a ChannelMonitor on the basis of some new information provided by the Channel
397 /// panics if the given update is not the next update by update_id.
400 pub extern "C" fn ChannelMonitor_update_monitor(this_arg: &mut ChannelMonitor, mut updates: crate::chain::channelmonitor::ChannelMonitorUpdate, broadcaster: &crate::chain::chaininterface::BroadcasterInterface, logger: &crate::util::logger::Logger) -> crate::c_types::derived::CResult_NoneMonitorUpdateErrorZ {
401 let mut ret = unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.update_monitor(*unsafe { Box::from_raw(updates.take_ptr()) }, broadcaster, logger);
402 let mut local_ret = match ret { Ok(mut o) => crate::c_types::CResultTempl::ok( { 0u8 /*o*/ }), Err(mut e) => crate::c_types::CResultTempl::err( { crate::chain::channelmonitor::MonitorUpdateError { inner: Box::into_raw(Box::new(e)), is_owned: true } }) };
406 /// Gets the update_id from the latest ChannelMonitorUpdate which was applied to this
410 pub extern "C" fn ChannelMonitor_get_latest_update_id(this_arg: &ChannelMonitor) -> u64 {
411 let mut ret = unsafe { &*this_arg.inner }.get_latest_update_id();
415 /// Gets the funding transaction outpoint of the channel this ChannelMonitor is monitoring for.
418 pub extern "C" fn ChannelMonitor_get_funding_txo(this_arg: &ChannelMonitor) -> crate::c_types::derived::C2Tuple_OutPointScriptZ {
419 let mut ret = unsafe { &*this_arg.inner }.get_funding_txo();
420 let (ref orig_ret_0, ref orig_ret_1) = ret; let mut local_ret = (crate::chain::transaction::OutPoint { inner: unsafe { ( (&(*orig_ret_0) as *const _) as *mut _) }, is_owned: false }, orig_ret_1.clone().into_bytes().into()).into();
424 /// Get the list of HTLCs who's status has been updated on chain. This should be called by
425 /// ChannelManager via [`chain::Watch::release_pending_monitor_events`].
427 /// [`chain::Watch::release_pending_monitor_events`]: ../trait.Watch.html#tymethod.release_pending_monitor_events
430 pub extern "C" fn ChannelMonitor_get_and_clear_pending_monitor_events(this_arg: &mut ChannelMonitor) -> crate::c_types::derived::CVec_MonitorEventZ {
431 let mut ret = unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.get_and_clear_pending_monitor_events();
432 let mut local_ret = Vec::new(); for item in ret.drain(..) { local_ret.push( { crate::chain::channelmonitor::MonitorEvent { inner: Box::into_raw(Box::new(item)), is_owned: true } }); };
436 /// Gets the list of pending events which were generated by previous actions, clearing the list
439 /// This is called by ChainMonitor::get_and_clear_pending_events() and is equivalent to
440 /// EventsProvider::get_and_clear_pending_events() except that it requires &mut self as we do
441 /// no internal locking in ChannelMonitors.
444 pub extern "C" fn ChannelMonitor_get_and_clear_pending_events(this_arg: &mut ChannelMonitor) -> crate::c_types::derived::CVec_EventZ {
445 let mut ret = unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.get_and_clear_pending_events();
446 let mut local_ret = Vec::new(); for item in ret.drain(..) { local_ret.push( { crate::util::events::Event::native_into(item) }); };
450 /// Used by ChannelManager deserialization to broadcast the latest holder state if its copy of
451 /// the Channel was out-of-date. You may use it to get a broadcastable holder toxic tx in case of
452 /// fallen-behind, i.e when receiving a channel_reestablish with a proof that our counterparty side knows
453 /// a higher revocation secret than the holder commitment number we are aware of. Broadcasting these
454 /// transactions are UNSAFE, as they allow counterparty side to punish you. Nevertheless you may want to
455 /// broadcast them if counterparty don't close channel with his higher commitment transaction after a
456 /// substantial amount of time (a month or even a year) to get back funds. Best may be to contact
457 /// out-of-band the other node operator to coordinate with him if option is available to you.
458 /// In any-case, choice is up to the user.
461 pub extern "C" fn ChannelMonitor_get_latest_holder_commitment_txn(this_arg: &mut ChannelMonitor, logger: &crate::util::logger::Logger) -> crate::c_types::derived::CVec_TransactionZ {
462 let mut ret = unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.get_latest_holder_commitment_txn(logger);
463 let mut local_ret = Vec::new(); for item in ret.drain(..) { local_ret.push( { let mut local_ret_0 = ::bitcoin::consensus::encode::serialize(&item); crate::c_types::Transaction::from_vec(local_ret_0) }); };
467 /// Processes transactions in a newly connected block, which may result in any of the following:
468 /// - update the monitor's state against resolved HTLCs
469 /// - punish the counterparty in the case of seeing a revoked commitment transaction
470 /// - force close the channel and claim/timeout incoming/outgoing HTLCs if near expiration
471 /// - detect settled outputs for later spending
472 /// - schedule and bump any in-flight claims
474 /// Returns any new outputs to watch from `txdata`; after called, these are also included in
475 /// [`get_outputs_to_watch`].
477 /// [`get_outputs_to_watch`]: #method.get_outputs_to_watch
480 pub extern "C" fn ChannelMonitor_block_connected(this_arg: &mut ChannelMonitor, header: *const [u8; 80], mut txdata: crate::c_types::derived::CVec_C2Tuple_usizeTransactionZZ, mut height: u32, mut broadcaster: crate::chain::chaininterface::BroadcasterInterface, mut fee_estimator: crate::chain::chaininterface::FeeEstimator, mut logger: crate::util::logger::Logger) -> crate::c_types::derived::CVec_C2Tuple_TxidCVec_TxOutZZZ {
481 let mut local_txdata = Vec::new(); for mut item in txdata.into_rust().drain(..) { local_txdata.push( { let (mut orig_txdata_0_0, mut orig_txdata_0_1) = item.to_rust(); let mut local_txdata_0 = (orig_txdata_0_0, orig_txdata_0_1.into_bitcoin()); local_txdata_0 }); };
482 let mut ret = unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.block_connected(&::bitcoin::consensus::encode::deserialize(unsafe { &*header }).unwrap(), &local_txdata.iter().map(|(a, b)| (*a, b)).collect::<Vec<_>>()[..], height, broadcaster, fee_estimator, logger);
483 let mut local_ret = Vec::new(); for item in ret.drain(..) { local_ret.push( { let (mut orig_ret_0_0, mut orig_ret_0_1) = item; let mut local_orig_ret_0_1 = Vec::new(); for item in orig_ret_0_1.drain(..) { local_orig_ret_0_1.push( { crate::c_types::TxOut::from_rust(item) }); }; let mut local_ret_0 = (crate::c_types::ThirtyTwoBytes { data: orig_ret_0_0.into_inner() }, local_orig_ret_0_1.into()).into(); local_ret_0 }); };
487 /// Determines if the disconnected block contained any transactions of interest and updates
490 pub extern "C" fn ChannelMonitor_block_disconnected(this_arg: &mut ChannelMonitor, header: *const [u8; 80], mut height: u32, mut broadcaster: crate::chain::chaininterface::BroadcasterInterface, mut fee_estimator: crate::chain::chaininterface::FeeEstimator, mut logger: crate::util::logger::Logger) {
491 unsafe { &mut (*(this_arg.inner as *mut nativeChannelMonitor)) }.block_disconnected(&::bitcoin::consensus::encode::deserialize(unsafe { &*header }).unwrap(), height, broadcaster, fee_estimator, logger)