/// generating message events for the net layer to claim the payment, if possible. Thus, you
/// should probably kick the net layer to go send messages if this returns true!
///
+ /// You must specify the expected amounts for this HTLC, and we will only claim HTLCs
+ /// available within a few percent of the expected amount. This is critical for several
+ /// reasons : a) it avoids providing senders with `proof-of-payment` (in the form of the
+ /// payment_preimage without having provided the full value and b) it avoids certain
+ /// privacy-breaking recipient-probing attacks which may reveal payment activity to
+ /// motivated attackers.
+ ///
/// May panic if called except in response to a PaymentReceived event.
- pub fn claim_funds(&self, payment_preimage: PaymentPreimage) -> bool {
+ pub fn claim_funds(&self, payment_preimage: PaymentPreimage, expected_amount: u64) -> bool {
let payment_hash = PaymentHash(Sha256::hash(&payment_preimage.0).into_inner());
let _ = self.total_consistency_lock.read().unwrap();
let mut channel_state = Some(self.channel_state.lock().unwrap());
let removed_source = channel_state.as_mut().unwrap().claimable_htlcs.remove(&payment_hash);
if let Some(mut sources) = removed_source {
- // TODO: We should require the user specify the expected amount so that we can claim
- // only payments for the correct amount, and reject payments for incorrect amounts
- // (which are probably middle nodes probing to break our privacy).
- for (_, htlc_with_hash) in sources.drain(..) {
+ for (received_amount, htlc_with_hash) in sources.drain(..) {
if channel_state.is_none() { channel_state = Some(self.channel_state.lock().unwrap()); }
- self.claim_funds_internal(channel_state.take().unwrap(), HTLCSource::PreviousHopData(htlc_with_hash), payment_preimage);
+ if received_amount < expected_amount || received_amount > expected_amount * 2 {
+ let mut htlc_msat_data = byte_utils::be64_to_array(received_amount).to_vec();
+ let mut height_data = byte_utils::be32_to_array(self.latest_block_height.load(Ordering::Acquire) as u32).to_vec();
+ htlc_msat_data.append(&mut height_data);
+ self.fail_htlc_backwards_internal(channel_state.take().unwrap(),
+ HTLCSource::PreviousHopData(htlc_with_hash), &payment_hash,
+ HTLCFailReason::Reason { failure_code: 0x4000|15, data: htlc_msat_data });
+ } else {
+ self.claim_funds_internal(channel_state.take().unwrap(), HTLCSource::PreviousHopData(htlc_with_hash), payment_preimage);
+ }
}
true
} else { false }
}
try_chan_entry!(self, chan.get_mut().funding_locked(&msg), channel_state, chan);
if let Some(announcement_sigs) = self.get_announcement_sigs(chan.get()) {
+ // If we see locking block before receiving remote funding_locked, we broadcast our
+ // announcement_sigs at remote funding_locked reception. If we receive remote
+ // funding_locked before seeing locking block, we broadcast our announcement_sigs at locking
+ // block connection. We should guanrantee to broadcast announcement_sigs to our peer whatever
+ // the order of the events but our peer may not receive it due to disconnection. The specs
+ // lacking an acknowledgement for announcement_sigs we may have to re-send them at peer
+ // connection in the future if simultaneous misses by both peers due to network/hardware
+ // failures is an issue. Note, to achieve its goal, only one of the announcement_sigs needs
+ // to be received, from then sigs are going to be flood to the whole network.
channel_state.pending_msg_events.push(events::MessageSendEvent::SendAnnouncementSignatures {
node_id: their_node_id.clone(),
msg: announcement_sigs,
projects / rust-lightning / blobdiff