X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=CHANGELOG.md;h=3e473a22a1cd0b86fe1dc18d0c1c0f98ff58f6d2;hb=9ac9d8e19f1b4768e53770907b9fafbb3cbce895;hp=80745291a0e6722a01b77a8e67dede699a79bc76;hpb=4bb81ff5942749077613827d6807b64230ecbcd5;p=rust-lightning diff --git a/CHANGELOG.md b/CHANGELOG.md index 80745291..3e473a22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,1680 @@ +# 0.0.121 - Jan 22, 2024 - "Unwraps are Bad" + +## Bug Fixes + * Fix a deadlock when calling `batch_funding_transaction_generated` with + invalid input (#2841). + +## Security +0.0.121 fixes a denial-of-service vulnerability which is reachable from +untrusted input from peers in rare cases if we have a public channel or in +common cases if `P2PGossipSync` is used. + * A peer that failed to complete its handshake would cause a reachable + `unwrap` in LDK since 0.0.119 when LDK attempts to broadcast gossip to all + peers (#2842). + +In total, this release features 4 files changed, 52 insertions, 10 +deletions in 4 commits from 2 authors, in alphabetical order: + * Jeffrey Czyz + * Matt Corallo + +# 0.0.120 - Jan 17, 2024 - "Unblinded Fuzzers" + +## API Updates + * The `PeerManager` bound on `UtxoLookup` was removed entirely. This enables + use of `UtxoLookup` in cases broken in 0.0.119 by #2773 (#2822). + * LDK now exposes and fully implements the route blinding feature (#2812). + * The `lightning-transaction-sync` crate no longer relies on system time + without the `time` feature (#2799, #2817). + * `lightning::onion_message`'s module layout has changed (#2821). + * `Event::ChannelClosed` now includes the `channel_funding_txo` (#2800). + * `CandidateRouteHop` variants were destructured into individual structs, + hiding some fields which were not generally consumable (#2802). + +## Bug Fixes + * Fixed a rare issue where `lightning-net-tokio` may not fully flush its send + buffer, leading to connection hangs (#2832). + * Fixed a panic which may occur when connecting to a peer if we opened a second + channel with that peer while they were disconnected (#2808). + * Retries for a payment which previously failed in a blinded path will now + always use an alternative blinded path (#2818). + * `Feature`'s `Eq` and `Hash` implementation now ignore dummy bytes (#2808). + * Some missing `DiscardFunding` or `ChannelClosed` events are now generated in + rare funding-related failures (#2809). + * Fixed a privacy issue in blinded path generation where the real + `cltv_expiry_delta` would be exposed to senders (#2831). + +## Security +0.0.120 fixes a denial-of-service vulnerability which is reachable from +untrusted input from peers if the `UserConfig::manually_accept_inbound_channels` +option is enabled. + * A peer that sent an `open_channel` message with the `channel_type` field + unfilled would trigger a reachable `unwrap` since LDK 0.0.117 (#2808). + * In protocols where a funding output is shared with our counterparty before + it is given to LDK, a malicious peer could have caused a reachable panic + by reusing the same funding info in (#2809). + +In total, this release features 67 files changed, 3016 insertions, 2473 +deletions in 79 commits from 9 authors, in alphabetical order: + * Elias Rohrer + * Jeffrey Czyz + * José A.P + * Matt Corallo + * Tibo-lg + * Valentine Wallace + * benthecarman + * optout + * shuoer86 + +# 0.0.119 - Dec 15, 2023 - "Spring Cleaning for Christmas" + +## API Updates + * The LDK crate ecosystem MSRV has been increased to 1.63 (#2681). + * The `bitcoin` dependency has been updated to version 0.30 (#2740). + * `lightning-invoice::payment::*` have been replaced with parameter generation + via `payment_parameters_from[_zero_amount]_invoice` (#2727). + * `{CoinSelection,Wallet}Source::sign_tx` are now `sign_psbt`, providing more + information, incl spent outputs, about the transaction being signed (#2775). + * Logger `Record`s now include `channel_id` and `peer_id` fields. These are + opportunistically filled in when a log record is specific to a given channel + and/or peer, and may occasionally be spuriously empty (#2314). + * When handling send or reply onion messages (e.g. for BOLT12 payments), a new + `Event::ConnectionNeeded` may be raised, indicating a direct connection + should be made to a payee or an introduction point. This event is expected to + be removed once onion message forwarding is widespread in the network (#2723) + * Scoring data decay now happens via `ScoreUpDate::time_passed`, called from + `lightning-background-processor`. `process_events_async` now takes a new + time-fetch function, and `ScoreUpDate` methods now take the current time as a + `Duration` argument. This avoids fetching time during pathfinding (#2656). + * Receiving payments to multi-hop blinded paths is now supported (#2688). + * `MessageRouter` and `Router` now feature methods to generate blinded paths to + the local node for incoming messages and payments. `Router` now extends + `MessageRouter`, and both are used in `ChannelManager` when processing or + creating BOLT12 structures to generate multi-hop blinded paths (#1781). + * `lightning-transaction-sync` now supports Electrum-based sync (#2685). + * `Confirm::get_relevant_txids` now returns the height at which a transaction + was confirmed. This can be used to assist in reorg detection (#2685). + * `ConfirmationTarget::MaxAllowedNonAnchorChannelRemoteFee` has been removed. + Non-anchor channel feerates are bounded indirectly through + `ChannelConfig::max_dust_htlc_exposure` (#2696). + * `lightning-invoice` `Description`s now rely on `UntrustedString` for + sanitization (#2730). + * `ScoreLookUp::channel_penalty_msat` now uses `CandidateRouteHop` (#2551). + * The `EcdsaChannelSigner` trait was moved to `lightning::sign::ecdsa` (#2512). + * `SignerProvider::get_destination_script` now takes `channel_keys_id` (#2744) + * `SpendableOutputDescriptor::StaticOutput` now has `channel_keys_id` (#2749). + * `EcdsaChannelSigner::sign_counterparty_commitment` now takes HTLC preimages + for both inbound and outbound HTLCs (#2753). + * `ClaimedHTLC` now includes a `counterparty_skimmed_fee_msat` field (#2715). + * `peel_payment_onion` was added to decode an encrypted onion for a payment + without receiving an HTLC. This allows for stateless verification of if a + theoretical payment would be accepted prior to receipt (#2700). + * `create_payment_onion` was added to construct an encrypted onion for a + payment path without sending an HTLC immediately (#2677). + * Various keys used in channels are now wrapped to provide type-safety for + specific usages of the keys (#2675). + * `TaggedHash` now includes the raw `tag` and `merkle_root` (#2687). + * `Offer::is_expired_no_std` was added (#2689). + * `PaymentPurpose::preimage()` was added (#2768). + * `temporary_channel_id` can now be specified in `create_channel` (#2699). + * Wire definitions for splicing messages were added (#2544). + * Various `lightning-invoice` structs now impl `Display`, now have pub fields, + or impl `From` (#2730). + * The `Hash` trait is now implemented for more structs, incl P2P msgs (#2716). + +## Performance Improvements + * Memory allocations (though not memory usage) have been substantially reduced, + meaning less overhead and hopefully less memory fragmentation (#2708, #2779). + +## Bug Fixes + * Since 0.0.117, calling `close_channel*` on a channel which has not yet been + funded would previously result in an infinite loop and hang (#2760). + * Since 0.0.116, sending payments requiring data in the onion for the recipient + which was too large for the onion may have caused corruption which resulted + in payment failure (#2752). + * Cooperative channel closure on channels with remaining output HTLCs may have + spuriously force-closed (#2529). + * In LDK versions 0.0.116 through 0.0.118, in rare cases where skimmed fees are + present on shutdown the `ChannelManager` may fail to deserialize (#2735). + * `ChannelConfig::max_dust_exposure` values which, converted to absolute fees, + exceeded 2^63 - 1 would result in an overflow and could lead to spurious + payment failures or channel closures (#2722). + * In cases where LDK is operating with provably-stale state, it panics to + avoid funds loss. This may not have happened in cases where LDK was behind + only exactly one state, leading instead to a revoked broadcast and funds + loss (#2721). + * Fixed a bug where decoding `Txid`s from Bitcoin Core JSON-RPC responses using + `lightning-block-sync` would not properly byte-swap the hash. Note that LDK + does not use this API internally (#2796). + +## Backwards Compatibility + * `ChannelManager`s written with LDK 0.0.119 are no longer readable by versions + of LDK prior to 0.0.113. Users wishing to downgrade to LDK 0.0.112 or before + can read an 0.0.119-serialized `ChannelManager` with a version of LDK from + 0.0.113 to 0.0.118, re-serialize it, and then downgrade (#2708). + * Nodes that upgrade to 0.0.119 and subsequently downgrade after receiving a + payment to a blinded path may leak recipient information if one or more of + those HTLCs later fails (#2688). + * Similarly, forwarding a blinded HTLC and subsequently downgrading to an LDK + version prior to 0.0.119 may result in leaking the path information to the + payment sender (#2540). + +In total, this release features 148 files changed, 13780 insertions, 6279 +deletions in 280 commits from 22 authors, in alphabetical order: + * Arik Sosman + * Chris Waterson + * Elias Rohrer + * Evan Feenstra + * Gursharan Singh + * Jeffrey Czyz + * John Cantrell + * Lalitmohansharma1 + * Matt Corallo + * Matthew Rheaume + * Orbital + * Rachel Malonson + * Valentine Wallace + * Willem Van Lint + * Wilmer Paulino + * alexanderwiederin + * benthecarman + * henghonglee + * jbesraa + * olegkubrakov + * optout + * shaavan + + +# 0.0.118 - Oct 23, 2023 - "Just the Twelve Sinks" + +## API Updates + * BOLT12 sending and receiving is now supported as an alpha feature. You may + run into unexpected issues and will need to have a direct connection with + the offer's blinded path introduction points as messages are not yet routed. + We are seeking feedback from early testers (#2578, #2039). + * `ConfirmationTarget` has been rewritten to provide information about the + specific use LDK needs the feerate estimate for, rather than the generic + low-, medium-, and high-priority estimates. This allows LDK users to more + accurately target their feerate estimates (#2660). For those wishing to + retain their existing behavior, see the table below for conversion. + * `ChainHash` is now used in place of `BlockHash` where it represents the + genesis block (#2662). + * `lightning-invoice` payment utilities now take a `Deref` to + `AChannelManager` (#2652). + * `peel_onion` is provided to statelessly decode an `OnionMessage` (#2599). + * `ToSocketAddrs` + `Display` are now impl'd for `SocketAddress` (#2636, #2670) + * `Display` is now implemented for `OutPoint` (#2649). + * `Features::from_be_bytes` is now provided (#2640). + +For those moving to the new `ConfirmationTarget`, the new variants in terms of +the old mempool/low/medium/high priorities are as follows: + * `OnChainSweep` = `HighPriority` + * `MaxAllowedNonAnchorChannelRemoteFee` = `max(25 * 250, HighPriority * 10)` + * `MinAllowedAnchorChannelRemoteFee` = `MempoolMinimum` + * `MinAllowedNonAnchorChannelRemoteFee` = `Background - 250` + * `AnchorChannelFee` = `Background` + * `NonAnchorChannelFee` = `Normal` + * `ChannelCloseMinimum` = `Background` + +## Bug Fixes + * Calling `ChannelManager::close_channel[_with_feerate_and_script]` on a + channel which did not exist would immediately hang holding several key + `ChannelManager`-internal locks (#2657). + * Channel information updates received from a failing HTLC are no longer + applied to our `NetworkGraph`. This prevents a node which we attempted to + route a payment through from being able to learn the sender of the payment. + In some rare cases, this may result in marginally reduced payment success + rates (#2666). + * Anchor outputs are now properly considered when calculating the amount + available to send in HTLCs. This can prevent force-closes in anchor channels + when sending payments which overflow the available balance (#2674). + * A peer that sends an `update_fulfill_htlc` message for a forwarded HTLC, + then reconnects prior to sending a `commitment_signed` (thus retransmitting + their `update_fulfill_htlc`) may result in the channel stalling and being + unable to make progress (#2661). + * In exceedingly rare circumstances, messages intended to be sent to a peer + prior to reconnection can be sent after reconnection. This could result in + undefined channel state and force-closes (#2663). + +## Backwards Compatibility + + * Creating a blinded path to receive a payment then downgrading to LDK prior to + 0.0.117 may result in failure to receive the payment (#2413). + * Calling `ChannelManager::pay_for_offer` or + `ChannelManager::create_refund_builder` may prevent downgrading to LDK prior + to 0.0.118 until the payment times out and has been removed (#2039). + +## Node Compatibility + * LDK now sends a bogus `channel_reestablish` message to peers when they ask to + resume an unknown channel. This should cause LND nodes to force-close and + broadcast the latest channel state to the chain. In order to trigger this + when we wish to force-close a channel, LDK now disconnects immediately after + sending a channel-closing `error` message. This should result in cooperative + peers also working to confirm the latest commitment transaction when we wish + to force-close (#2658). + +## Security +0.0.118 expands mitigations against transaction cycling attacks to non-anchor +channels, though note that no mitigations which exist today are considered robust +to prevent the class of attacks. + * In order to mitigate against transaction cycling attacks, non-anchor HTLC + transactions are now properly re-signed before broadcasting (#2667). + +In total, this release features 61 files changed, 3470 insertions, 1503 +deletions in 85 commits from 12 authors, in alphabetical order: + * Antonio Yang + * Elias Rohrer + * Evan Feenstra + * Fedeparma74 + * Gursharan Singh + * Jeffrey Czyz + * Matt Corallo + * Sergi Delgado Segura + * Vladimir Fomene + * Wilmer Paulino + * benthecarman + * slanesuke + + +# 0.0.117 - Oct 3, 2023 - "Everything but the Twelve Sinks" + +## API Updates + * `ProbabilisticScorer`'s internal models have been substantially improved, + including better decaying (#1789), a more granular historical channel + liquidity tracker (#2176) and a now-default option to make our estimate for a + channel's current liquidity nonlinear in the channel's capacity (#2547). In + total, these changes should result in improved payment success rates at the + cost of slightly worse routefinding performance. + * Support for custom TLVs for recipients of HTLCs has been added (#2308). + * Support for generating transactions for third-party watchtowers has been + added to `ChannelMonitor/Update`s (#2337). + * `KVStorePersister` has been replaced with a more generic and featureful + `KVStore` interface (#2472). + * A new `MonitorUpdatingPersister` is provided which wraps a `KVStore` and + implements `Persist` by writing differential updates rather than full + `ChannelMonitor`s (#2359). + * Batch funding of outbound channels is now supported using the new + `ChannelManager::batch_funding_transaction_generated` method (#2486). + * `ChannelManager::send_preflight_probes` has been added to probe a payment's + potential paths while a user is providing approval for a payment (#2534). + * Fully asynchronous `ChannelMonitor` updating is available as an alpha + preview. There remain a few known but incredibly rare race conditions which + may lead to loss of funds (#2112, #2169, #2562). + * `ChannelMonitorUpdateStatus::PermanentFailure` has been removed in favor of a + new `ChannelMonitorUpdateStatus::UnrecoverableError`. The new variant panics + on use, rather than force-closing a channel in an unsafe manner, which the + previous variant did (#2562). Rather than panicking with the new variant, + users may wish to use the new asynchronous `ChannelMonitor` updating using + `ChannelMonitorUpdateStatus::InProgress`. + * `RouteParameters::max_total_routing_fee_msat` was added to limit the fees + paid when routing, defaulting to 1% + 50sats when using the new + `from_payment_params_and_value` constructor (#2417, #2603, #2604). + * Implementations of `UtxoSource` are now provided in `lightning-block-sync`. + Those running with a full node should use this to validate gossip (#2248). + * `LockableScore` now supports read locking for parallel routefinding (#2197). + * `ChannelMonitor::get_spendable_outputs` was added to allow for re-generation + of `SpendableOutputDescriptor`s for a channel after they were provided via + `Event::SpendableOutputs` (#2609, #2624). + * `[u8; 32]` has been replaced with a `ChannelId` newtype for chan ids (#2485). + * `NetAddress` was renamed `SocketAddress` (#2549) and `FromStr` impl'd (#2134) + * For `no-std` users, `parse_onion_address` was added which creates a + `NetAddress` from a "...onion" string and port (#2134, #2633). + * HTLC information is now provided in `Event::PaymentClaimed::htlcs` (#2478). + * The success probability used in historical penalties when scoring is now + available via `historical_estimated_payment_success_probability` (#2466). + * `RecentPaymentDetails::*::payment_id` has been added (#2567). + * `Route` now contains a `RouteParameters` rather than a `PaymentParameters`, + tracking the original arguments passed to routefinding (#2555). + * `Balance::*::claimable_amount_satoshis` was renamed `amount_satoshis` (#2460) + * `*Features::set_*_feature_bit` have been added for non-custom flags (#2522). + * `channel_id` was added to `SpendableOutputs` events (#2511). + * `counterparty_node_id` and `channel_capacity_sats` were added to + `ChannelClosed` events (#2387). + * `ChannelMonitor` now implements `Clone` for `Clone`able signers (#2448). + * `create_onion_message` was added to build an onion message (#2583, #2595). + * `HTLCDescriptor` now implements `Writeable`/`Readable` (#2571). + * `SpendableOutputDescriptor` now implements `Hash` (#2602). + * `MonitorUpdateId` now implements `Debug` (#2594). + * `Payment{Hash,Id,Preimage}` now implement `Display` (#2492). + * `NodeSigner::sign_bolt12_invoice{,request}` were added for future use (#2432) + +## Backwards Compatibility + * Users migrating to the new `KVStore` can use a concatentation of + `[{primary_namespace}/[{secondary_namespace}/]]{key}` to build a key + compatible with the previous `KVStorePersister` interface (#2472). + * Downgrading after receipt of a payment with custom HTLC TLVs may result in + unintentionally accepting payments with TLVs you do not understand (#2308). + * `Route` objects (including pending payments) written by LDK versions prior + to 0.0.117 won't be retryable after being deserialized by LDK 0.0.117 or + above (#2555). + * Users of the `MonitorUpdatingPersister` can upgrade seamlessly from the + default `KVStore` `Persist` implementation, however the stored + `ChannelMonitor`s are deliberately unreadable by the default `Persist`. This + ensures the correct downgrade procedure is followed, which is: (#2359) + * First, make a backup copy of all channel state, + * then ensure all `ChannelMonitorUpdate`s stored are fully applied to the + relevant `ChannelMonitor`, + * finally, write each full `ChannelMonitor` using your new `Persist` impl. + +## Bug Fixes + * Anchor channels which were closed by a counterparty broadcasting its + commitment transaction (i.e. force-closing) would previously not generate a + `SpendableOutputs` event for our `to_remote` (i.e. non-HTLC-encumbered) + balance. Those with such balances available should fetch the missing + `SpendableOutputDescriptor`s using the new + `ChannelMonitor::get_spendable_outputs` method (#2605). + * Anchor channels may result in spurious or missing `Balance` entries for HTLC + balances (#2610). + * `ChannelManager::send_spontaneous_payment_with_retry` spuriously did not + provide the recipient with enough information to claim the payment, leading + to all spontaneous payments failing (#2475). + `send_spontaneous_payment_with_route` was unaffected. + * The `keysend` feature on node announcements was spuriously un-set in 0.0.112 + and has been re-enabled (#2465). + * Fixed several races which could lead to deadlock when force-closing a channel + (#2597). These races have not been seen in production. + * The `ChannelManager` is persisted substantially less when it has not changed, + leading to substantially less I/O traffic for it (#2521, #2617). + * Passing new block data to `ChainMonitor` no longer results in all other + monitor operations being blocked until it completes (#2528). + * When retrying payments, any excess amount sent to the recipient in order to + meet an `htlc_minimum` constraint on the path is now no longer included in + the amount we send in the retry (#2575). + * Several edge cases in route-finding around HTLC minimums were fixed which + could have caused invalid routes or panics when built with debug assertions + (#2570, #2575). + * Several edge cases in route-finding around HTLC minimums and route hints + were fixed which would spuriously result in no route found (#2575, #2604). + * The `user_channel_id` passed to `SignerProvider::generate_channel_keys_id` + for inbound channels is now correctly using the one passed to + `ChannelManager::accept_inbound_channel` rather than a default value (#2428). + * Users of `impl_writeable_tlv_based!` no longer have use requirements (#2506). + * No longer force-close channels when counterparties send a `channel_update` + with a bogus `htlc_minimum_msat`, which LND users can manually build (#2611). + +## Node Compatibility + * LDK now ignores `error` messages generated by LND in response to a + `shutdown` message, avoiding force-closes due to LND bug 6039. This may + lead to non-trivial bandwidth usage with LND peers exhibiting this bug + during the cooperative shutdown process (#2507). + +## Security +0.0.117 fixes several loss-of-funds vulnerabilities in anchor output channels, +support for which was added in 0.0.116, in reorg handling, and when accepting +channel(s) from counterparties which are miners. + * When a counterparty broadcasts their latest commitment transaction for a + channel with anchor outputs, we'd previously fail to build claiming + transactions against any HTLC outputs in that transaction. This could lead + to loss of funds if the counterparty is able to eventually claim the HTLC + after a timeout (#2606). + * Anchor channels HTLC claims on-chain previously spent the entire value of any + HTLCs as fee, which has now been fixed (#2587). + * If a channel is closed via an on-chain commitment transaction confirmation + with a pending outbound HTLC in the commitment transaction, followed by a + reorg which replaces the confirmed commitment transaction with a different + (but non-revoked) commitment transaction, all before we learn the payment + preimage for this HTLC, we may previously have not generated a proper + claiming transaction for the HTLC's value (#2623). + * 0.0.117 now correctly handles channels for which our counterparty funded the + channel with a coinbase transaction. As such transactions are not spendable + until they've reached 100 confirmations, this could have resulted in + accepting HTLC(s) which are not enforcible on-chain (#1924). + +In total, this release features 121 files changed, 20477 insertions, 8184 +deletions in 381 commits from 27 authors, in alphabetical order: + * Alec Chen + * Allan Douglas R. de Oliveira + * Antonio Yang + * Arik Sosman + * Chris Waterson + * David Caseria + * DhananjayPurohit + * Dom Zippilli + * Duncan Dean + * Elias Rohrer + * Erik De Smedt + * Evan Feenstra + * Gabor Szabo + * Gursharan Singh + * Jeffrey Czyz + * Joseph Goulden + * Lalitmohansharma1 + * Matt Corallo + * Rachel Malonson + * Sergi Delgado Segura + * Valentine Wallace + * Vladimir Fomene + * Willem Van Lint + * Wilmer Paulino + * benthecarman + * jbesraa + * optout + + +# 0.0.116 - Jul 21, 2023 - "Anchoring the Roadmap" + +## API Updates + + * Support for zero-HTLC-fee anchor output channels has been added and is now + considered beta (#2367). Users who set + `ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx` should be + prepared to handle the new `Event::BumpTransaction`, e.g. via the + `BumpTransactionEventHandler` (#2089). Note that in order to do so you must + ensure you always have a reserve of available unspent on-chain funds to use + for CPFP. LDK currently makes no attempt to ensure this for you. + * Users who set `ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx` + and wish to accept inbound anchor-based channels must do so manually by + setting `UserConfig::manually_accept_inbound_channels` (#2368). + * Support forwarding and accepting HTLCs with a reduced amount has been added, + to support LSPs skimming a fee on the penultimate hop (#2319). + * BOLT11 and BOLT12 Invoice and related types have been renamed to include a + BOLTNN prefix, ensuring uniqueness in `lightning{,-invoice}` crates (#2416). + * `Score`rs now have an associated type which represents a parameter passed + when calculating penalties. This allows for the same `Score`r to be used with + different penalty calculation parameters (#2237). + * `DefaultRouter` is no longer restrained to a `Mutex`-wrapped `Score`, + allowing it to be used in `no-std` builds (#2383). + * `CustomMessageHandler::provided_{node,init}_features` and various custom + feature bit methods on `*Features` were added (#2204). + * Keysend/push payments using MPP are now supported when receiving if + `UserConfig::accept_mpp_keysend` is set and when sending if specified in the + `PaymentParameters`. Note that not all recipients support this (#2156). + * A new `ConfirmationTarget::MempoolMinimum` has been added (#2415). + * `SpendableOutputDescriptor::to_psbt_input` was added (#2286). + * `ChannelManager::update_partial_channel_config` was added (#2330). + * `ChannelDetails::channel_shutdown_state` was added (#2347). + * The shutdown script can now be provided at shutdown time via + `ChannelManager::close_channel_with_feerate_and_script` (#2219). + * `BroadcasterInterface` now takes multiple transactions at once. While not + available today, in the future single calls should be passed to a full node + via a single batch/package transaction acceptance API (#2272). + * `Balance::claimable_amount_satoshis` was added (#2333). + * `payment_{hash,preimage}` have been added to some `Balance` variants (#2217). + * The `lightning::chain::keysinterface` is now `lightning::sign` (#2246). + * Routing to a blinded path has been implemented, though sending to such a + route is not yet supported in `ChannelManager` (#2120). + * `OffersMessageHandler` was added for offers-related onion messages (#2294). + * The `CustomMessageHandler` parameter to `PeerManager` has moved to + `MessageHandler` from `PeerManager::new` explicitly (#2249). + * Various P2P messages for dual funding channel establishment have been added, + though handling for them is not yet in `ChannelManager` (#1794) + * Script-fetching methods in `sign` interfaces can now return errors, see docs + for the implications of failing (#2213). + * The `data_loss_protect` option is now required when reading + `channel_reestablish` messages, as many others have done (#2253). + * `InFlightHtlcs::add_inflight_htlc` has been added (#2042). + * The `init` message `networks` field is now written and checked (#2329). + * `PeerManager` generics have been simplified with the introduction of the + `APeerManager` trait (#2249). + * `ParitalOrd` and `Ord` are now implemented for `Invoice` (#2279). + * `ParitalEq` and `Debug` are now implemented for `InMemorySigner` (#2328). + * `ParitalEq` and `Eq` are now implemented for `PaymentError` (#2316). + * `NetworkGraph::update_channel_from_announcement_no_lookup` was added (#2222). + * `lightning::routing::gossip::verify_{channel,node}_announcement` was added + (#2307). + +## Backwards Compatibility + * `PaymentParameters` written with blinded path info using LDK 0.0.115 will not + be readable in LDK 0.0.116, and vice versa. + * Forwarding less than `Event::HTLCIntercepted::expected_outbound_amount_msat` + in `ChannelManager::forward_intercepted_htlc` may prevent the + `ChannelManager` from being read by LDK prior to 0.0.116 (#2319) + * Setting `ChannelConfig::accept_underpaying_htlcs` may prevent the + `ChannelManager` from being read by LDK prior to 0.0.116 and un-setting the + parameter between restarts may lead to payment failures (#2319). + * `ChannelManager::create_inbound_payment{,_for_hash}_legacy` has been removed, + removing the ability to create inbound payments which are claimable after + downgrade to LDK 0.0.103 and prior. In the future handling such payments will + also be removed (#2351). + * Some fields required by LDK 0.0.103 and earlier are no longer written, thus + deserializing objects written by 0.0.116 with 0.0.103 may now fail (#2351). + +## Bug Fixes + * `ChannelDetails::next_outbound_htlc_limit_msat` was made substantially more + accurate and a corresponding `next_outbound_htlc_minimum_msat` was added. + This resolves issues where unpayable routes were generated due to + overestimation of the amount which is payable over one of our channels as + the first hop (#2312). + * A rare case where delays in processing `Event`s generated by + `ChannelMonitor`s could lead to loss of those events in case of an untimely + crash. This could lead to the loss of an `Event::SpendableOutputs` (#2369). + * Fixed a regression in 0.0.115 which caused `PendingHTLCsForwardable` events + to be missed when processing phantom node receives. This caused such + payments to be delayed until a further, unrelated HTLC came in (#2395). + * Peers which are unresponsive to channel messages for several timer ticks are + now disconnected to allow for on-reconnection state machine reset. This + works around some issues in LND prior to 16.3 which can cause channels to + hang and eventually force-close (#2293). + * `ChannelManager::new` now requires the current time (either from a recent + block header or the system clock), ensuring invoices created immediately + after startup aren't already expired (#2372). + * Resolved an issue where reading a `ProbabilisticScorer` on some platforms + (e.g. iOS) can lead to a panic (#2322). + * `ChannelConfig::max_dust_htlc_exposure` is now allowed to scale based on + current fees, and the default has been updated to do so. This substantially + reduces the chance of force-closure due to dust exposure. Note that existing + channels will retain their current value and you may wish to update the + value on your existing channels on upgrade (#2354). + * `PeerManager::process_events` no longer blocks in any case. This fixes a bug + where reentrancy from `PeerManager` into user code which eventually calls + `process_events` could lead to a deadlock (#2280). + * The persist timing of network graph and scoring in + `lightning-background-processor` has been tweaked to provide more reliable + persistence after updates to either (#2226). + * The number of route hints added to BOLT 11 invoices by the + `lightning-invoice::utils` builders has been reduced to three to ensure + invoices can be represented in scan-able QR codes (#2044). + * Fixed sending large onion messages, which would previously have resulted in + an HMAC error on the second hop (#2277). + * Fixed a memory leak that may occur when a `ChannelManager` or + `ChannelMonitor` is `drop`ed (#2233). + * A potential deadlock in calling `NetworkGraph::eq` was resolved (#2284). + * Fixed an overflow which prevented disconnecting peers in some minor cases + with more than 31 peers (#2245). + * Gossip messages with an unknown chain hash are now ignored (#2230). + * Rapid Gossip Sync processing now fails on an unknown chain hash (#2324). + * `RouteHintHop::htlc_maximum_msat` is now enforced. Note that BOLT11 route + hints do not have such a field so this code is generally unused (#2305). + +## Security +0.0.116 fixes a denial-of-service vulnerability which is reachable from +untrusted input from channel counterparties if a 0-conf channel exists with +that counterparty. + * A premature `announcement_signatures` message from a peer prior to a 0-conf + channel's funding transaction receiving any confirmations would panic in any + version since 0-conf channels were introduced (#2439). + +In total, this release features 142 files changed, 21033 insertions, 11066 +deletions in 327 commits from 21 authors, in alphabetical order: + * Alec Chen + * Andrei + * Antoine Riard + * Arik Sosman + * Chad Upjohn + * Daniel Granhão + * Duncan Dean + * Elias Rohrer + * Fred Walker + * Gleb Naumenko + * Jeffrey Czyz + * Martin Habovstiak + * Matt Corallo + * Tony Giorgio + * Valentine Wallace + * Vladimir Fomene + * Willem Van Lint + * Wilmer Paulino + * benthecarman + * ff + * henghonglee + + +# 0.0.115 - Apr 24, 2023 - "Rebroadcast the Bugfixes" + +## API Updates + * The MSRV of the main LDK crates has been increased to 1.48 (#2107). + * Attempting to claim an un-expired payment on a channel which has closed no + longer fails. The expiry time of payments is exposed via + `PaymentClaimable::claim_deadline` (#2148). + * `payment_metadata` is now supported in `Invoice` deserialization, sending, + and receiving (via a new `RecipientOnionFields` struct) (#2139, #2127). + * `Event::PaymentFailed` now exposes a failure reason (#2142). + * BOLT12 messages now support stateless generation and validation (#1989). + * The `NetworkGraph` is now pruned of stale data after RGS processing (#2161). + * Max inbound HTLCs in-flight can be changed in the handshake config (#2138). + * `lightning-transaction-sync` feature `esplora-async-https` was added (#2085). + * A `ChannelPending` event is now emitted after the initial handshake (#2098). + * `PaymentForwarded::outbound_amount_forwarded_msat` was added (#2136). + * `ChannelManager::list_channels_by_counterparty` was added (#2079). + * `ChannelDetails::feerate_sat_per_1000_weight` was added (#2094). + * `Invoice::fallback_addresses` was added to fetch `bitcoin` types (#2023). + * The offer/refund description is now exposed in `Invoice{,Request}` (#2206). + +## Backwards Compatibility + * Payments sent with the legacy `*_with_route` methods on LDK 0.0.115+ will no + longer be retryable via the LDK 0.0.114- `retry_payment` method (#2139). + * `Event::PaymentPathFailed::retry` was removed and will always be `None` for + payments initiated on 0.0.115 which fail on an earlier version (#2063). + * `Route`s and `PaymentParameters` with blinded path information will not be + readable on prior versions of LDK. Such objects are not currently constructed + by LDK, but may be when processing BOLT12 data in a coming release (#2146). + * Providing `ChannelMonitorUpdate`s generated by LDK 0.0.115 to a + `ChannelMonitor` on 0.0.114 or before may panic (#2059). Note that this is + in general unsupported, and included here only for completeness. + +## Bug Fixes + * Fixed a case where `process_events_async` may `poll` a `Future` which has + already completed (#2081). + * Fixed deserialization of `u16` arrays. This bug may have previously corrupted + the historical buckets in a `ProbabilisticScorer`. Users relying on the + historical buckets may wish to wipe their scorer on upgrade to remove corrupt + data rather than waiting on it to decay (#2191). + * The `process_events_async` task is now `Send` and can thus be polled on a + multi-threaded runtime (#2199). + * Fixed a missing macro export causing + `impl_writeable_tlv_based_enum{,_upgradable}` calls to not compile (#2091). + * Fixed compilation of `lightning-invoice` with both `no-std` and serde (#2187) + * Fix an issue where the `background-processor` would not wake when a + `ChannelMonitorUpdate` completed asynchronously, causing delays (#2090). + * Fix an issue where `process_events_async` would exit immediately (#2145). + * `Router` calls from the `ChannelManager` now call `find_route_with_id` rather + than `find_route`, as was intended and described in the API (#2092). + * Ensure `process_events_async` always exits if any sleep future returns true, + not just if all sleep futures repeatedly return true (#2145). + * `channel_update` messages no longer set the disable bit unless the peer has + been disconnected for some time. This should resolve cases where channels are + disabled for extended periods of time (#2198). + * We no longer remove CLN nodes from the network graph for violating the BOLT + spec in some cases after failing to pay through them (#2220). + * Fixed a debug assertion which may panic under heavy load (#2172). + * `CounterpartyForceClosed::peer_msg` is now wrapped in UntrustedString (#2114) + * Fixed a potential deadlock in `funding_transaction_generated` (#2158). + +## Security + * Transaction re-broadcasting is now substantially more aggressive, including a + new regular rebroadcast feature called on a timer from the + `background-processor` or from `ChainMonitor::rebroadcast_pending_claims`. + This should substantially increase transaction confirmation reliability + without relying on downstream `TransactionBroadcaster` implementations for + rebroadcasting (#2203, #2205, #2208). + * Implemented the changes from BOLT PRs #1031, #1032, and #1040 which resolve a + privacy vulnerability which allows an intermediate node on the path to + discover the final destination for a payment (#2062). + +In total, this release features 110 files changed, 11928 insertions, 6368 +deletions in 215 commits from 21 authors, in alphabetical order: + * Advait + * Alan Cohen + * Alec Chen + * Allan Douglas R. de Oliveira + * Arik Sosman + * Elias Rohrer + * Evan Feenstra + * Jeffrey Czyz + * John Cantrell + * Lucas Soriano del Pino + * Marc Tyndel + * Matt Corallo + * Paul Miller + * Steven + * Steven Williamson + * Steven Zhao + * Tony Giorgio + * Valentine Wallace + * Wilmer Paulino + * benthecarman + * munjesi + + +# 0.0.114 - Mar 3, 2023 - "Faster Async BOLT12 Retries" + +## API Updates + * `InvoicePayer` has been removed and its features moved directly into + `ChannelManager`. As such it now requires a simplified `Router` and supports + `send_payment_with_retry` (and friends). `ChannelManager::retry_payment` was + removed in favor of the automated retries. Invoice payment utilities in + `lightning-invoice` now call the new code (#1812, #1916, #1929, #2007, etc). + * `Sign`/`BaseSign` has been renamed `ChannelSigner`, with `EcdsaChannelSigner` + split out in anticipation of future schnorr/taproot support (#1967). + * The catch-all `KeysInterface` was split into `EntropySource`, `NodeSigner`, + and `SignerProvider`. `KeysManager` implements all three (#1910, #1930). + * `KeysInterface::get_node_secret` is now `KeysManager::get_node_secret_key` + and is no longer required for external signers (#1951, #2070). + * A `lightning-transaction-sync` crate has been added which implements keeping + LDK in sync with the chain via an esplora server (#1870). Note that it can + only be used on nodes that *never* ran a previous version of LDK. + * `Score` is updated in `BackgroundProcessor` instead of via `Router` (#1996). + * `ChainAccess::get_utxo` (now `UtxoAccess`) can now be resolved async (#1980). + * BOLT12 `Offer`, `InvoiceRequest`, `Invoice` and `Refund` structs as well as + associated builders have been added. Such invoices cannot yet be paid due to + missing support for blinded path payments (#1927, #1908, #1926). + * A `lightning-custom-message` crate has been added to make combining multiple + custom messages into one enum/handler easier (#1832). + * `Event::PaymentPathFailed` is now generated for failure to send an HTLC + over the first hop on our local channel (#2014, #2043). + * `lightning-net-tokio` no longer requires an `Arc` on `PeerManager` (#1968). + * `ChannelManager::list_recent_payments` was added (#1873). + * `lightning-background-processor` `std` is now optional in async mode (#1962). + * `create_phantom_invoice` can now be used in `no-std` (#1985). + * The required final CLTV delta on inbound payments is now configurable (#1878) + * bitcoind RPC error code and message are now surfaced in `block-sync` (#2057). + * Get `historical_estimated_channel_liquidity_probabilities` was added (#1961). + * `ChannelManager::fail_htlc_backwards_with_reason` was added (#1948). + * Macros which implement serialization using TLVs or straight writing of struct + fields are now public (#1823, #1976, #1977). + +## Backwards Compatibility + * Any inbound payments with a custom final CLTV delta will be rejected by LDK + if you downgrade prior to receipt (#1878). + * `Event::PaymentPathFailed::network_update` will always be `None` if an + 0.0.114-generated event is read by a prior version of LDK (#2043). + * `Event::PaymentPathFailed::all_paths_failed` will always be false if an + 0.0.114-generated event is read by a prior version of LDK. Users who rely on + it to determine payment retries should migrate to `Event::PaymentFailed`, in + a separate release prior to upgrading to LDK 0.0.114 if downgrading is + supported (#2043). + +## Performance Improvements + * Channel data is now stored per-peer and channel updates across multiple + peers can be operated on simultaneously (#1507). + * Routefinding is roughly 1.5x faster (#1799). + * Deserializing a `NetworkGraph` is roughly 6x faster (#2016). + * Memory usage for a `NetworkGraph` has been reduced substantially (#2040). + * `KeysInterface::get_secure_random_bytes` is roughly 200x faster (#1974). + +## Bug Fixes + * Fixed a bug where a delay in processing a `PaymentSent` event longer than the + time taken to persist a `ChannelMonitor` update, when occurring immediately + prior to a crash, may result in the `PaymentSent` event being lost (#2048). + * Fixed spurious rejections of rapid gossip sync data when the graph has been + updated by other means between gossip syncs (#2046). + * Fixed a panic in `KeysManager` when the high bit of `starting_time_nanos` + is set (#1935). + * Resolved an issue where the `ChannelManager::get_persistable_update_future` + future would fail to wake until a second notification occurs (#2064). + * Resolved a memory leak when using `ChannelManager::send_probe` (#2037). + * Fixed a deadlock on some platforms at least when using async `ChannelMonitor` + updating (#2006). + * Removed debug-only assertions which were reachable in threaded code (#1964). + * In some cases when payment sending fails on our local channel retries no + longer take the same path and thus never succeed (#2014). + * Retries for spontaneous payments have been fixed (#2002). + * Return an `Err` if `lightning-persister` fails to read the directory listing + rather than panicing (#1943). + * `peer_disconnected` will now never be called without `peer_connected` (#2035) + +## Security +0.0.114 fixes several denial-of-service vulnerabilities which are reachable from +untrusted input from channel counterparties or in deployments accepting inbound +connections or channels. It also fixes a denial-of-service vulnerability in rare +cases in the route finding logic. + * The number of pending un-funded channels as well as peers without funded + channels is now limited to avoid denial of service (#1988). + * A second `channel_ready` message received immediately after the first could + lead to a spurious panic (#2071). This issue was introduced with 0conf + support in LDK 0.0.107. + * A division-by-zero issue was fixed in the `ProbabilisticScorer` if the amount + being sent (including previous-hop fees) is equal to a channel's capacity + while walking the graph (#2072). The division-by-zero was introduced with + historical data tracking in LDK 0.0.112. + +In total, this release features 130 files changed, 21457 insertions, 10113 +deletions in 343 commits from 18 authors, in alphabetical order: + * Alec Chen + * Allan Douglas R. de Oliveira + * Andrei + * Arik Sosman + * Daniel Granhão + * Duncan Dean + * Elias Rohrer + * Jeffrey Czyz + * John Cantrell + * Kurtsley + * Matt Corallo + * Max Fang + * Omer Yacine + * Valentine Wallace + * Viktor Tigerström + * Wilmer Paulino + * benthecarman + * jurvis + + +# 0.0.113 - Dec 16, 2022 - "Big Movement Intercepted" + +## API Updates + * `ChannelManager::send_payment` now takes an explicit `PaymentId` which is a + loose idempotency token. See `send_payment` docs for more (#1761, #1826). + * HTLCs bound for SCIDs from `ChannelManager::get_intercept_scid` are now + intercepted and can be forwarded manually over any channel (#1835, #1893). + * `Confirm::get_relevant_txids` now returns a `BlockHash`, expanding the set + of cases where `transaction_unconfirmed` must be called, see docs (#1796). + * Pending outbound payments are no longer automatically timed-out a few blocks + after failure. Thus, in order to avoid leaking memory, you MUST call + `ChannelManager::abandon_payment` when you no longer wish to retry (#1761). + * `ChannelManager::abandon_payment` docs were updated to note that the payment + may return to pending after a restart if no persistence occurs (#1907). + * `Event::PaymentReceived` has been renamed `Event::PaymentClaimable` (#1891). + * `Event` handling is now optionally async for Rust users (#1787). + * `user_channel_id` is now a `u128` and random for inbound channels (#1790). + * A new `ChannelReady` event is generated whenever a channel becomes ready to + be used, i.e., after both sides sent the `channel_ready` message (#1743). + * `NetworkGraph` now prunes channels where either node is offline for 2 weeks + and refuses to accept re-announcements of pruned channels (#1735). + * Onion messages are now read in `CustomOnionMessageHandler` rather than via + `MaybeReadableArgs` (#1809). + * Added a new util to generate an invoice with a custom hash (#1894) - +`create_invoice_from_channelmanager_and_duration_since_epoch_with_payment_hash` + * `Sign`ers are now by default re-derived using `KeysInterface`'s new + `derive_channel_signer` rather than `read_chan_signer` (#1867). + * `Confirm::transactions_confirmed` is now idempotent (#1861). + * `ChannelManager::compute_inflight_htlcs` has been added to fetch in-flight + HTLCs for scoring. Note that `InvoicePayer` does this for you (#1830). + * Added `PaymentClaimable::via_channel_id` (#1856). + * Added the `node_id` (phantom or regular) to payment events (#1766). + * Added the funding transaction `confirmations` to `ChannelDetails` (#1856). + * `BlindedRoute` has been renamed `BlindedPath` (#1918). + * Support for the BOLT 4 "legacy" onion format has been removed, in line with + its removal in the spec and vanishingly rare use (#1413). + * `ChainMonitor::list_pending_monitor_updates` was added (#1834). + * Signing for non-zero-fee anchor commitments is supported again (#1828). + * Several helpers for transaction matching and generation are now pub (#1839). + +## Bug Fixes + * Fixed a rare race where a crash may result in a pending HTLC not being + failed backwards, leading to a force-closure by our counterparty (#1857). + * Avoid incorrectly assigning a lower-bound on channel liquidity when routing + fails due to a closed channel earlier in the path (#1817). + * If a counterparty increases the channel fee, but not enough per our own fee + estimator, we no longer force-close the channel (#1852). + * Several bugs in the `lightning-background-processor` `future` feature were + fixed, including requirements doc corrections (#1843, #1845, #1851). + * Some failure messages sent back when failing an HTLC were corrected (#1895). + * `rapid-gossip-sync` no longer errors if an update is applied duplicatively + or in rare cases when the graph is updated from payment failures (#1833). + * Sending onion messages to a blinded path in which we're the introduction + node no longer fails (#1791). + +## Backwards Compatibility + * No `ChannelReady` events will be generated for previously existing channels, + including those which become ready after upgrading to 0.0.113 (#1743). + * Once `UserConfig::accept_intercept_htlcs` is set, downgrades to LDK versions + prior to 0.0.113 are not supported (#1835). + * Existing payments may see a `PaymentClaimable::user_channel_id` of 0 (#1856) + * When downgrading to a version of LDK prior to 0.0.113 when there are + resolved payments waiting for a small timeout, the payments may not be + removed, preventing payments with the same `PaymentId` (#1761). + +In total, this release features 76 files changed, 11639 insertions, 6067 +deletions in 210 commits from 18 authors, in alphabetical order: + * Antoine Riard + * Arik Sosman + * Devrandom + * Duncan Dean + * Elias Rohrer + * Gleb Naumenko + * Jeffrey Czyz + * John Cantrell + * Matt Corallo + * Tee8z + * Tobin C. Harding + * Tristan F + * Valentine Wallace + * Viktor Tigerström + * Wilmer Paulino + * benthecarman + * jurvis + * ssbright + + +# 0.0.112 - Oct 25, 2022 - "History Matters" + +## API Updates + * `Result<(), ChannelMonitorUpdateErr>` return values have been replaced with + a `ChannelMonitorUpdateStatus` trinary enum. This better denotes that + `ChannelMonitorUpdateStatus::InProgress` is not an error, but asynchronous + persistence of a monitor update. Note that asynchronous persistence still + has some edge cases and is not yet recommended for production (#1106). + * `ChannelMonitor` persistence failure no longer automatically broadcasts the + latest commitment transaction. See the + `ChannelMonitorUpdateStatus::PermanentFailure` docs for more info (#1106). + * `*Features::known` has been replaced with individual + `*MessageHandler::provided_*_features` methods (#1707). + * `OnionMessenger` now takes a `CustomOnionMessageHandler` implementation, + allowing you to send and receive custom onion messages (#1748). + * `ProbabilisticScorer` now tracks the historical distribution of liquidity + estimates for channels. See new `historical_*` parameters in + `ProbabilisticScoringParameters` for more details (#1625). + * `lightning-block-sync`'s `BlockSource` trait now supports BIP 157/158 + filtering clients by returning only header data for some blocks (#1706). + * `lightning-invoice`'s `Router` trait now accepts an `InFlightHtlcs` to + ensure we do not over-use a remote channel's funds during routing (#1694). + Note that this was previously backported to 0.0.111 for bindings users. + * `NetworkGraph::remove_stale_channels` has been renamed + `NetworkGraph::remove_stale_channels_and_tracking` as `NetworkGraph` now + refuses to re-add nodes and channels that were recently removed (#1649). + * The `lightning-rapid-gossip-sync` crate now supports `no-std` (#1708). + * The default `ProbabilisticScoringParameters::liquidity_offset_half_life` has + been increased to six hours from one (#1754). + * All commitment transaction building logic for anchor outputs now assumes the + no-HTLC-tx-fee variant (#1685). + * A number of missing `Eq` implementations were added (#1763). + +## Bug Fixes + * `lightning-background-processor` now builds without error with the `futures` + feature (#1744). + * `ChannelManager::get_persistable_update_future`'s returned `Future` has been + corrected to not fail to be awoken in some cases (#1758). + * Asynchronously performing the initial `ChannelMonitor` persistence is now + safe (#1678). + * Redundantly applying rapid gossip sync updates no longer `Err`s (#1764). + * Nodes which inform us via payment failures that they should no longer be + used are now removed from the network graph. Some LND nodes spuriously + generate this error and may remove themselves from our graph (#1649). + +In total, this release features 134 files changed, 6598 insertions, 4370 +deletions in 109 commits from 13 authors, in alphabetical order: + * Duncan Dean + * Elias Rohrer + * Gabriel Comte + * Gursharan Singh + * Jeffrey Czyz + * Jurvis Tan + * Matt Corallo + * Max Fang + * Paul Miller + * Valentine Wallace + * Viktor Tigerström + * Wilmer Paulino + * acid-bit + +# 0.0.111 - Sep 12, 2022 - "Saturated with Messages" + +## API Updates + * Support for relaying onion messages has been added via a new + `OnionMessenger` struct when passed as the `OnionMessageHandler` to a + `PeerManager`. Pre-encoded onion messages can also be sent and received + (#1503, #1650, #1652, #1688). + * Rate-limiting of outbound gossip syncs has been rewritten to utilize less + buffering inside LDK. The new rate-limiting is also used for onion messages + to avoid delaying other messages (#1604. #1660, #1683). + * Rather than spawning a full OS thread, `lightning-background-processor` has + a new `process_events_async` method which takes the place of a + `BackgroundProcessor` for those using Rust's async (#1657). + * `ChannelManager::get_persistable_update_future` has been added to block on + a ChannelManager needing re-persistence in a Rust async environment (#1657). + * The `Filter::register_output` return value has been removed, as it was + very difficult to correctly implement (i.e., without blocking). Users + previously using it should instead pass dependent transactions in via + additional `chain::Confirm::transactions_confirmed` calls (#1663). + * `ChannelHandshakeConfig::their_channel_reserve_proportional_millionths` has + been added to allow configuring counterparty reserve values (#1619). + * `KeysInterface::ecdh` has been added as an ECDH oracle (#1503, #1658). + * The `rust-bitcoin` dependency has been updated 0.29 (#1658). + * The `bitcoin_hashes` dependency has been updated 0.11 (#1677). + * `ChannelManager::broadcast_node_announcement` has been moved to + `PeerManager` (#1699). + * `channel_` and `node_announcement`s are now rebroadcast automatically to all + new peers which connect (#1699). + * `{Init,Node}Features` sent to peers/broadcasted are now fetched via the + various `*MessageHandler` traits, rather than hard-coded (#1701, #1688). + * `Event::PaymentPathFailed::rejected_by_dest` has been renamed + `payment_failed_permanently` (#1702). + * `Invoice` now derives the std `Hash` trait (#1575). + * `{Signed,}RawInvoice::hash` have been renamed `signable_hash` (#1714). + * `chain::AccessError` now derives the std `Debug` trait (#1709). + * `ReadOnlyNetworkGraph::list_{channels,nodes}` have been added largely for + users of downstream bindings (#1651). + * `ChannelMonitor::get_counterparty_node_id` is now available (#1635). + +## Bug Fixes + * The script compared with that returned from `chain::Access` was incorrect + ~half of the time, causing spurious gossip rejection (#1666). + * Pending in-flight HTLCs are now considered when calculating new routes, + ensuring, e.g. MPP retries do not take known-saturated paths (#1643). + * Counterparty-revoked outputs are now included in `get_claimable_balance` + output via a new `Balance::CounterpartyRevokedOutputClaimable` (#1495). + * Inbound HTLCs for which we do not (yet) have a preimage are now included in + `get_claimable_balance` via a `Balance::MaybePreimageClaimableHTLC` (#1673). + * Probes that fail prior to being sent over their first hop are correctly + failed with a `Event::ProbeFailed` rather than a `PaymentPathFailed` (#1704). + * Pending `Event::HTLCHandlingFailed`s are no longer lost on restart (#1700). + * HTLCs that fail prior to being sent over their first hop are now marked as + retryable via `!PaymentPathFailed::payment_failed_permanently` (#1702). + * Dust HTLCs are now considered failed in the payment tracking logic after the + commitment transaction confirms, allowing retry on restart (#1691). + * On machines with buggy "monotonic" clocks, LDK will no longer panic if time + goes backwards (#1692). + +## Backwards Compatibility + * The new `current_time` argument to `PeerManager` constructors must be set to + a UNIX timestamp for upgraded nodes; new nodes may use a counter (#1699). + * `Balance::CounterpartyRevokedOutputClaimable` will never be generated for + channels that were observed to go on-chain with LDK versions prior to + 0.0.111 (#1495). + * `ChannelMonitor::get_counterparty_node_id` will return `None` for all + channels opened on a version of LDK prior to 0.0.110 (#1635). + * Setting `their_channel_reserve_proportional_millionths` to any value other + than the default will cause LDK versions prior to 0.0.104 to be unable to + read the serialized `ChannelManager` (#1619). + +## Security +0.0.111 fixes a denial-of-service vulnerability which is reachable from +untrusted input in deployments accepting 0conf channels, or via a race-condition +in deployments creating outbound 0conf channels. + + * LDK versions prior to 0.0.111 may spuriously panic when receiving a block if + they are awaiting the construction of a funding transaction for a 0-conf + channel (#1711). 0-conf support was added in LDK version 0.0.107. + +In total, this release features 84 files changed, 6306 insertions, 1960 +deletions in 121 commits from 11 authors, in alphabetical order: + * Arik Sosman + * Devrandom + * Duncan Dean + * Elias Rohrer + * Gursharan Singh + * Matt Corallo + * NicolaLS + * Valentine Wallace + * Viktor Tigerström + * jurvis + * ok300 + + +# 0.0.110 - 2022-07-26 - "Routing, With a Vengeance" + +## API Updates + * `ChannelManager::send_probe` and `Score::probe_{failed,successful}` have + been added to make probing more explicit, as well as new + `Event::Probe{Failed,Successful}` events (#1567). + * `ProbabilisticScoringParameters::banned_nodes` has been renamed + `manual_node_penalties` and changed to take msat penalties (#1592). + * Per-payment tracking of failed paths was added to enable configuration of + `ProbabilisticScoringParameters::considered_impossible_penalty_msat` (#1600) + * `ProbabilisticScoringParameters::base_penalty_amount_multiplier_msat` was + added to allow a penalty that is only amount-dependent (#1617). + * `ProbabilisticScoringParameters::amount_penalty_multiplier_msat` was renamed + `liquidity_penalty_amount_multiplier_msat` (#1617). + * A new `Event::HTLCHandlingFailed` has been added which provides visibility + into failures to forward/claim accepted HTLCs (#1403). + * Support has been added for DNS hostnames in the `NetAddress` type, see + [BOLT PR #911](https://github.com/lightning/bolts/pull/911) (#1553). + * `GossipSync` now has `rapid`, `p2p`, and `none` constructors (#1618). + * `lightning-net-tokio` no longer requires types to be in `Arc`s (#1623). + * The `htlc_maximum_msat` field is now required in `ChannelUpdate` gossip + messages. In tests this rejects < 1% of channels (#1519). + * `ReadOnlyNetworkGraph::{channel,node}` have been added to query for + individual channel/node data, primarily for bindings users (#1543). + * `FeeEstimator` implementations are now wrapped internally to ensure values + below 253 sats/kW are never used (#1552). + * Route selection no longer attempts to randomize path selection. This is + unlikely to lead to a material change in the paths selected (#1610). + +## Bug Fixes + * Fixed a panic when deserializing `ChannelDetails` objects (#1588). + * When routing, channels are no longer fully saturated before MPP splits are + generated, instead a configuration knob was added as + `PaymentParameters::max_channel_saturation_power_of_half` (#1605). + * Fixed a panic which occurred in `ProbabilisticScorer` when wallclock time + goes backwards across a restart (#1603). + +## Serialization Compatibility + * All new fields are ignored by prior versions of LDK. All new fields are not + present when reading objects serialized by prior versions of LDK. + * Channel information written in the `NetworkGraph` which is missing + `htlc_maximum_msat` may be dropped on deserialization (#1519). + * Similarly, node information written in the `NetworkGraph` which contains an + invalid hostname may be dropped on deserialization (#1519). + +In total, this release features 79 files changed, 2935 insertions, 1363 +deletions in 52 commits from 9 authors, in alphabetical order: + * Duncan Dean + * Elias Rohrer + * Jeffrey Czyz + * Matt Corallo + * Max Fang + * Viktor Tigerström + * Willem Van Lint + * Wilmer Paulino + * jurvis + +# 0.0.109 - 2022-07-01 - "The Kitchen Sink" + +## API Updates + * `ChannelManager::update_channel_config` has been added to allow the fields + in `ChannelConfig` to be changed in a given channel after open (#1527). + * If we reconnect to a peer which proves we have a stale channel state, rather + than force-closing we will instead panic to provide an opportunity to switch + to the latest state and continue operating without channel loss (#1564). + * A `NodeAlias` struct has been added which handles string sanitization for + node aliases via the `Display` trait (#1544). + * `ProbabilisticScoringParameters` now has a `banned_nodes` set which we will + never route through during path finding (#1550). + * `ProbabilisticScoringParameters` now offers an `anti_probing_penalty_msat` + option to prefer channels which afford better privacy when routing (#1555). + * `ProbabilisticScorer` now provides access to its estimated liquidity range + for a given channel via `estimated_channel_liquidity_range` (#1549). + * `ChannelManager::force_close_channel` has been renamed + `force_close_broadcasting_latest_txn` and + `force_close_without_broadcasting_txn` has been added (#1564). + * Options which cannot be changed at runtime have been moved from + `ChannelConfig` to `ChannelHandshakeConfig` (#1529). + * `find_route` takes `&NetworkGraph` instead of `ReadOnlyNetworkGraph (#1583). + * `ChannelDetails` now contains a copy of the current `ChannelConfig` (#1527). + * The `lightning-invoice` crate now optionally depends on `serde`, with + `Invoice` implementing `serde::{Deserialize,Serialize}` if enabled (#1548). + * Several fields in `UserConfig` have been renamed for clarity (#1540). + +## Bug Fixes + * `find_route` no longer selects routes with more than + `PaymentParameters::max_mpp_path_count` paths, and + `ChannelManager::send_payment` no longer refuses to send along routes with + more than ten paths (#1526). + * Fixed two cases where HTLCs pending at the time a counterparty broadcasts a + revoked commitment transaction are considered resolved prior to their actual + resolution on-chain, possibly passing the update to another channel (#1486). + * HTLCs which are relayed through LDK may now have a total expiry time two + weeks in the future, up from one, reducing forwarding failures (#1532). + +## Serialization Compatibility + * All new fields are ignored by prior versions of LDK. All new fields are not + present when reading objects serialized by prior versions of LDK. + * `ChannelConfig`'s serialization format has changed and is not compatible + with any previous version of LDK. Attempts to read values written by a + previous version of LDK will fail and attempts to read newly written objects + using a previous version of LDK will fail. It is not expected that users are + serializing `ChannelConfig` using the LDK serialization API, however, if a + backward compatibility wrapper is required, please open an issue. + +## Security +0.0.109 fixes a denial-of-service vulnerability which is reachable from +untrusted input in some application deployments. + + * Third parties which are allowed to open channels with an LDK-based node may + fund a channel with a bogus and maliciously-crafted transaction which, when + spent, can cause a panic in the channel's corresponding `ChannelMonitor`. + Such a channel is never usable as it cannot be funded with a funding + transaction which matches the required output script, allowing the + `ChannelMonitor` for such channels to be safely purged as a workaround on + previous versions of LDK. Thanks to Eugene Siegel for reporting this issue. + +In total, this release features 32 files changed, 1948 insertions, 532 +deletions in 33 commits from 9 authors, in alphabetical order: + * Antoine Riard + * Daniel Granhão + * Elias Rohrer + * Jeffrey Czyz + * Matt Corallo + * Matt Faltyn + * NicolaLS + * Valentine Wallace + * Wilmer Paulino + + +# 0.0.108 - 2022-06-10 - "You Wanted It To Build?! Why Didn't You Say So?" + +## Bug Fixes + * Fixed `lightning-background-processor` build in release mode. + +In total, this release features 9 files changed, 120 insertions, 74 +deletions in 5 commits from 4 authors, in alphabetical order: + * Elias Rohrer + * Matt Corallo + * Max Fang + * Viktor Tigerström + +# 0.0.107 - 2022-06-08 - "BlueWallet's Wishlist" + +## API Updates + * Channels larger than 16777215 sats (Wumbo!) are now supported and can be + enabled for inbound channels using + `ChannelHandshakeLimits::max_funding_satoshis` (#1425). + * Support for feature `option_zeroconf`, allowing immediate forwarding of + payments after channel opening. This is configured for outbound channels + using `ChannelHandshakeLimits::trust_own_funding_0conf` whereas + `ChannelManager::accept_inbound_channel_from_trusted_peer_0conf` has to be + used for accepting inbound channels (#1401, #1505). + * `ChannelManager::claim_funds` no longer returns a `bool` to indicate success. + Instead, an `Event::PaymentClaimed` is generated if the claim was successful. + Likewise, `ChannelManager::fail_htlc_backwards` no longer has a return value + (#1434). + * `lightning-rapid-gossip-sync` is a new crate for syncing gossip data from a + server, primarily aimed at mobile devices (#1155). + * `RapidGossipSync` can be passed to `BackgroundProcessor` in order to persist + the `NetworkGraph` and handle `NetworkUpdate`s during event handling (#1433, + #1517). + * `NetGraphMsgHandler` has been renamed to `P2PGossipSync`, the `network_graph` + module has been renamed to `gossip`, and `NetworkUpdate::ChannelClosed` has + been renamed `NetworkUpdate::ChannelFailure` (#1159). + * Added a `filtered_block_connected` method to `chain::Listen` and a default + implementation of `block_connected` for those fetching filtered instead of + full blocks (#1453). + * The `lightning-block-sync` crate's `BlockSource` trait methods now take + `&self` instead of `&mut self` (#1307). + * `inbound_payment` module is now public to allow for creating invoices without + a `ChannelManager` (#1384). + * `lightning-block-sync`'s `init` and `poll` modules support `&dyn BlockSource` + which can be determined at runtime (#1423). + * `lightning-invoice` crate's `utils` now accept an expiration time (#1422, + #1474). + * `Event::PaymentForwarded` includes `prev_channel_id` and `next_channel_id` + (#1419, #1475). + * `chain::Watch::release_pending_monitor_events`' return type now associates + `MonitorEvent`s with funding `OutPoints` (#1475). + * `lightning-background-processor` crate's `Persister` trait has been moved to + `lightning` crate's `util::persist` module, which now has a general + `KVStorePersister` trait. Blanket implementations of `Persister` and + `chainmonitor::Persist` are given for types implementing `KVStorePersister`. + ` lightning-persister`'s `FilesystemPersister` implements `KVStorePersister` + (#1417). + * `ChannelDetails` and `ChannelCounterparty` include fields for HTLC minimum + and maximum values (#1378). + * Added a `max_inbound_htlc_value_in_flight_percent_of_channel` field to + `ChannelHandshakeConfig`, capping the total value of outstanding inbound + HTLCs for a channel (#1444). + * `ProbabilisticScorer` is parameterized by a `Logger`, which it uses to log + channel liquidity updates or lack thereof (#1405). + * `ChannelDetails` has an `outbound_htlc_limit_msat` field, which should be + used in routing instead of `outbound_capacity_msat` (#1435). + * `ProbabilisticScorer`'s channel liquidities can be logged via + `debug_log_liquidity_stats` (#1460). + * `BackgroundProcessor` now takes an optional `WriteableScore` which it will + persist using the `Persister` trait's new `persist_scorer` method (#1416). + * Upgraded to `bitcoin` crate version 0.28.1 (#1389). + * `ShutdownScript::new_witness_program` now takes a `WitnessVersion` instead of + a `NonZeroU8` (#1389). + * Channels will no longer be automatically force closed when the counterparty + is disconnected due to incompatibility (#1429). + * `ChannelManager` methods for funding, accepting, and closing channels now + take a `counterparty_node_id` parameter, which has also been added as a field + to `Event::FundingGenerationReady` (#1479, #1485). + * `InvoicePayer::new` now takes a `Retry` enum (replacing the `RetryAttempts` + struct), which supports both attempt- and timeout-based retrying (#1418). + * `Score::channel_penalty_msat` takes a `ChannelUsage` struct, which contains + the capacity as an `EffectiveCapacity` enum and any potential in-flight HTLC + value, rather than a single `u64`. Used by `ProbabilisticScorer` for more + accurate penalties (#1456). + * `build_route_from_hops` is a new function useful for constructing a `Route` + given a specific list of public keys (#1491). + * `FundingLocked` message has been renamed `ChannelReady`, and related + identifiers have been renamed accordingly (#1506). + * `core2::io` or `std::io` (depending on feature flags `no-std` or `std`) is + exported as a `lightning::io` module (#1504). + * The deprecated `Scorer` has been removed in favor or `ProbabilisticScorer` + (#1512). + +## Performance Improvements + * `lightning-persister` crate's `FilesystemPersister` is faster by 15x (#1404). + * Log gossip query messages at `GOSSIP` instead of `TRACE` to avoid + overwhelming default logging (#1421). + * `PeerManager` supports processing messages from different peers in parallel, + and this is taken advantage of in gossip processing (#1023). + * Greatly reduced per-channel and per-node memory usage due to upgrade of + `secp256k1` crate to 0.22.1 and `bitcoin` crate to 0.28.1 + * Reduced per-peer memory usage in `PeerManager` (#1472). + +## Spec Compliance + * `find_route` now assumes variable-length onions by default for nodes where + support for the feature is unknown (#1414). + * A `warn` message is now sent when receiving a `channel_reestablish` with an + old commitment transaction number rather than immediately force-closing the + channel (#1430). + * When a `channel_update` message is included in an onion error's `failuremsg`, + its message type is now encoded. Reading such messages is also supported + (#1465). + +## Bug Fixes + * Fixed a bug where crashing while persisting a `ChannelMonitorUpdate` for a + part of a multi-path payment could cause loss of funds due to a partial + payment claim on restart (#1434). + * `BackgroundProcessor` has been fixed to improve serialization reliability on + slow systems which can avoid force-closes (#1436). + * `gossip_timestamp_filter` filters are now honored when sending gossip to + peers (#1452). + * During a reorg, only force-close a channel if its funding transaction is + unconfirmed rather than as it loses confirmations (#1461). + * Fixed a rare panic in `lightning-net-tokio` when fetching a peer's socket + address after the connection has been closed caused by a race condition + (#1449). + * `find_route` will no longer return routes that would cause onion construction + to fail in some cases (#1476). + * `ProbabilisticScorer` uses more precision when approximating `log10` (#1406). + +## Serialization Compatibility + * All above new events/fields are ignored by prior clients. All above new + events/fields are not present when reading objects serialized by prior + versions of the library. + * `ChannelManager` serialization is no longer compatible with versions prior to + 0.0.99 (#1401). + * Channels with `option_zeroconf` feature enabled (not required for 0-conf + channel use) will be unreadable by versions prior to 0.0.107 (#1401, #1505). + +In total, this release features 96 files changed, 9304 insertions, 4503 +deletions in 153 commits from 18 authors, in alphabetical order: + * Arik Sosman + * Devrandom + * Duncan Dean + * Elias Rohrer + * Jeffrey Czyz + * John Cantrell + * John Corser + * Jurvis Tan + * Justin Moon + * KaFai Choi + * Matt Faltyn + * Matt Corallo + * Valentine Wallace + * Viktor Tigerström + * Vincenzo Palazzo + * atalw + * dependabot[bot] + * shamardy + + +# 0.0.106 - 2022-04-03 + +## API Updates + * Minimum supported rust version (MSRV) is now 1.41.1 (#1310). + * Lightning feature `option_scid_alias` is now supported and may be negotiated + when opening a channel with a peer. It can be configured via + `ChannelHandshakeConfig::negotiate_scid_privacy` and is off by default but + will be on by default in the future (#1351). + * `OpenChannelRequest` now has a `channel_type` field indicating the features + the channel will operate with and should be used to filter channels with + undesirable features (#1351). See the Serialization Compatibility section. + * `ChannelManager` supports sending and receiving short channel id aliases in + the `funding_locked` message. These are used when forwarding payments and + constructing invoice route hints for improved privacy. `ChannelDetails` has a + `inbound_scid_alias` field and a `get_inbound_payment_scid` method to support + the latter (#1311). + * `DefaultRouter` and `find_route` take an additional random seed to improve + privacy by adding a random CLTV expiry offset to each path's final hop. This + helps obscure the intended recipient from adversarial intermediate hops + (#1286). The seed is also used to randomize candidate paths during route + selection (#1359). + * The `lightning-block-sync` crate's `init::synchronize_listeners` method + interface has been relaxed to support multithreaded environments (#1349). + * `ChannelManager::create_inbound_payment_for_hash`'s documentation has been + corrected to remove the one-year restriction on `invoice_expiry_delta_secs`, + which is only applicable to the deprecated `create_inbound_payment_legacy` + and `create_inbound_payment_for_hash_legacy` methods (#1341). + * `Features` mutator methods now take `self` by reference instead of by value + (#1331). + * The CLTV of the last hop in a path is now included when comparing against + `RouteParameters::max_total_cltv_expiry_delta` (#1358). + * Invoice creation functions in `lightning-invoice` crate's `utils` module + include versions that accept a description hash instead of only a description + (#1361). + * `RoutingMessageHandler::sync_routing_table` has been renamed `peer_connected` + (#1368). + * `MessageSendEvent::SendGossipTimestampFilter` has been added to indicate that + a `gossip_timestamp_filter` should be sent (#1368). + * `PeerManager` takes an optional `NetAddress` in `new_outbound_connection` and + `new_inbound_connection`, which is used to report back the remote address to + the connecting peer in the `init` message (#1326). + * `ChannelManager::accept_inbound_channel` now takes a `user_channel_id`, which + is used in a similar manner as in outbound channels. (#1381). + * `BackgroundProcessor` now persists `NetworkGraph` on a timer and upon + shutdown as part of a new `Persister` trait, which also includes + `ChannelManager` persistence (#1376). + * `ProbabilisticScoringParameters` now has a `base_penalty_msat` option, which + default to 500 msats. It is applied at each hop to help avoid longer paths + (#1375). + * `ProbabilisticScoringParameters::liquidity_penalty_multiplier_msat`'s default + value is now 40,000 msats instead of 10,000 msats (#1375). + * The `lightning` crate has a `grind_signatures` feature used to produce + signatures with low r-values for more predictable transaction weight. This + feature is on by default (#1388). + * `ProbabilisticScoringParameters` now has a `amount_penalty_multiplier_msat` + option, which is used to further penalize large amounts (#1399). + * `PhantomRouteHints`, `FixedPenaltyScorer`, and `ScoringParameters` now + implement `Clone` (#1346). + +## Bug Fixes + * Fixed a compilation error in `ProbabilisticScorer` under `--feature=no-std` + (#1347). + * Invoice creation functions in `lightning-invoice` crate's `utils` module + filter invoice hints in order to limit the invoice size (#1325). + * Fixed a bug where a `funding_locked` message was delayed by a block if the + funding transaction was confirmed while offline, depending on the ordering + of `Confirm::transactions_confirmed` calls when brought back online (#1363). + * Fixed a bug in `NetGraphMsgHandler` where it didn't continue to receive + gossip messages from peers after initial connection (#1368, #1382). + * `ChannelManager::timer_tick_occurred` will now timeout a received multi-path + payment (MPP) after three ticks if not received in full instead of waiting + until near the HTLC timeout block(#1353). + * Fixed an issue with `find_route` causing it to be overly aggressive in using + MPP over channels to the same first hop (#1370). + * Reduced time spent processing `channel_update` messages by checking + signatures after checking if no newer messages have already been processed + (#1380). + * Fixed a few issues in `find_route` which caused preferring paths with a + higher cost (#1398). + * Fixed an issue in `ProbabilisticScorer` where a channel with not enough + liquidity could still be used when retrying a failed payment if it was on a + path with an overall lower cost (#1399). + +## Serialization Compatibility + * Channels open with `option_scid_alias` negotiated will be incompatible with + prior releases (#1351). This may occur in the following cases: + * Outbound channels when `ChannelHandshakeConfig::negotiate_scid_privacy` is + enabled. + * Inbound channels when automatically accepted from an `OpenChannel` message + with a `channel_type` that has `ChannelTypeFeatures::supports_scid_privacy` + return true. See `UserConfig::accept_inbound_channels`. + * Inbound channels when manually accepted from an `OpenChannelRequest` with a + `channel_type` that has `ChannelTypeFeatures::supports_scid_privacy` return + true. See `UserConfig::manually_accept_inbound_channels`. + +In total, this release features 43 files changed, 4052 insertions, 1274 +deletions in 75 commits from 11 authors, in alphabetical order: + * Devrandom + * Duncan Dean + * Elias Rohrer + * Jeffrey Czyz + * Jurvis Tan + * Luiz Parreira + * Matt Corallo + * Omar Shamardy + * Viktor Tigerström + * dependabot[bot] + * psycho-pirate + + +# 0.0.105 - 2022-02-28 + +## API Updates + * `Phantom node` payments are now supported, allowing receipt of a payment on + any one of multiple nodes without any coordination across the nodes being + required. See the new `PhantomKeysManager`'s docs for more, as well as + requirements on `KeysInterface::get_inbound_payment_key_material` and + `lightning_invoice::utils::create_phantom_invoice` (#1199). + * In order to support phantom node payments, several `KeysInterface` methods + now accept a `Recipient` parameter to select between the local `node_id` and + a phantom-specific one. + * `ProbabilisticScorer`, a `Score` based on learning the current balances of + channels in the network, was added. It attempts to better capture payment + success probability than the existing `Scorer`, though may underperform on + nodes with low payment volume. We welcome feedback on performance (#1227). + * `Score::channel_penalty_msat` now always takes the channel value, instead of + an `Option` (#1227). + * `UserConfig::manually_accept_inbound_channels` was added which, when set, + generates a new `Event::OpenChannelRequest`, which allows manual acceptance + or rejection of incoming channels on a per-channel basis (#1281). + * `Payee` has been renamed to `PaymentParameters` (#1271). + * `PaymentParameters` now has a `max_total_cltv_expiry_delta` field. This + defaults to 1008 and limits the maximum amount of time an HTLC can be pending + before it will either fail or be claimed (#1234). + * The `lightning-invoice` crate now supports no-std environments. This required + numerous API changes around timestamp handling and std+no-std versions of + several methods that previously assumed knowledge of the time (#1223, #1230). + * `lightning-invoice` now supports parsing invoices with expiry times of more + than one year. This required changing the semantics of `ExpiryTime` (#1273). + * The `CounterpartyCommitmentSecrets` is now public, allowing external uses of + the `BOLT 3` secret storage scheme (#1299). + * Several `Sign` methods now receive HTLC preimages as proof of state + transition, see new documentation for more (#1251). + * `KeysInterface::sign_invoice` now provides the HRP and other invoice data + separately to make it simpler for external signers to parse (#1272). + * `Sign::sign_channel_announcement` now returns both the node's signature and + the per-channel signature. `InMemorySigner` now requires the node's secret + key in order to implement this (#1179). + * `ChannelManager` deserialization will now fail if the `KeysInterface` used + has a different `node_id` than the `ChannelManager` expects (#1250). + * A new `ErrorAction` variant was added to send `warning` messages (#1013). + * Several references to `chain::Listen` objects in `lightning-block-sync` no + longer require a mutable reference (#1304). + +## Bug Fixes + * Fixed a regression introduced in 0.0.104 where `ChannelManager`'s internal + locks could have an order violation leading to a deadlock (#1238). + * Fixed cases where slow code (including user I/O) could cause us to + disconnect peers with ping timeouts in `BackgroundProcessor` (#1269). + * Now persist the `ChannelManager` prior to `BackgroundProcessor` stopping, + preventing race conditions where channels are closed on startup even with a + clean shutdown. This requires that users stop network processing and + disconnect peers prior to `BackgroundProcessor` shutdown (#1253). + * Fields in `ChannelHandshakeLimits` provided via the `override_config` to + `create_channel` are now applied instead of the default config (#1292). + * Fixed the generation of documentation on docs.rs to include API surfaces + which are hidden behind feature flags (#1303). + * Added the `channel_type` field to `accept_channel` messages we send, which + may avoid some future compatibility issues with other nodes (#1314). + * Fixed a bug where, if a previous LDK run using `lightning-persister` crashed + while persisting updated data, we may have failed to initialize (#1332). + * Fixed a rare bug where having both pending inbound and outbound HTLCs on a + just-opened inbound channel could cause `ChannelDetails::balance_msat` to + underflow and be reported as large, or cause panics in debug mode (#1268). + * Moved more instances of verbose gossip logging from the `Trace` level to the + `Gossip` level (#1220). + * Delayed `announcement_signatures` until the channel has six confirmations, + slightly improving propagation of channel announcements (#1179). + * Several fixes in script and transaction weight calculations when anchor + outputs are enabled (#1229). + +## Serialization Compatibility + * Using `ChannelManager` data written by versions prior to 0.0.105 will result + in preimages for HTLCs that were pending at startup to be missing in calls + to `KeysInterface` methods (#1251). + * Any phantom invoice payments received on a node that is not upgraded to + 0.0.105 will fail with an "unknown channel" error. Further, downgrading to + 0.0.104 or before and then upgrading again will invalidate existing phantom + SCIDs which may be included in invoices (#1199). + +## Security +0.0.105 fixes two denial-of-service vulnerabilities which may be reachable from +untrusted input in certain application designs. + + * Route calculation spuriously panics when a routing decision is made for a + path where the second-to-last hop is a private channel, included due to a + multi-hop route hint in an invoice. + * `ChannelMonitor::get_claimable_balances` spuriously panics in some scenarios + when the LDK application's local commitment transaction is confirmed while + HTLCs are still pending resolution. + +In total, this release features 109 files changed, 7270 insertions, 2131 +deletions in 108 commits from 15 authors, in alphabetical order: + * Conor Okus + * Devrandom + * Elias Rohrer + * Jeffrey Czyz + * Jurvis Tan + * Ken Sedgwick + * Matt Corallo + * Naveen + * Tibo-lg + * Valentine Wallace + * Viktor Tigerström + * dependabot[bot] + * hackerrdave + * naveen + * vss96 + + +# 0.0.104 - 2021-12-17 + +## API Updates + * A `PaymentFailed` event is now provided to indicate a payment has failed + fully. This event is generated either after + `ChannelManager::abandon_payment` is called for a given payment, or the + payment times out, and there are no further pending HTLCs for the payment. + This event should be used to detect payment failure instead of + `PaymentPathFailed::all_paths_failed`, unless no payment retries occur via + `ChannelManager::retry_payment` (#1202). + * Payment secrets are now generated deterministically using material from + the new `KeysInterface::get_inbound_payment_key_material` (#1177). + * A `PaymentPathSuccessful` event has been added to ease passing success info + to a scorer, along with a `Score::payment_path_successful` method to accept + such info (#1178, #1197). + * `Score::channel_penalty_msat` has additional arguments describing the + channel's capacity and the HTLC amount being sent over the channel (#1166). + * A new log level `Gossip` has been added, which is used for verbose + information generated during network graph sync. Enabling the + `max_level_trace` feature or ignoring `Gossip` log entries reduces log + growth during initial start up from many GiB to several MiB (#1145). + * The `allow_wallclock_use` feature has been removed in favor of only using + the `std` and `no-std` features (#1212). + * `NetworkGraph` can now remove channels that we haven't heard updates for in + two weeks with `NetworkGraph::remove_stale_channels{,with_time}`. The first + is called automatically if a `NetGraphMsgHandler` is passed to + `BackgroundProcessor::start` (#1212). + * `InvoicePayer::pay_pubkey` was added to enable sending "keysend" payments to + supported recipients, using the `InvoicePayer` to handle retires (#1160). + * `user_payment_id` has been removed from `PaymentPurpose`, and + `ChannelManager::create_inbound_payment{,_for_hash}` (#1180). + * Updated documentation for several `ChannelManager` functions to remove stale + references to panics which no longer occur (#1201). + * The `Score` and `LockableScore` objects have moved into the + `routing::scoring` module instead of being in the `routing` module (#1166). + * The `Time` parameter to `ScorerWithTime` is no longer longer exposed, + instead being fixed based on the `std`/`no-std` feature (#1184). + * `ChannelDetails::balance_msat` was added to fetch a channel's balance + without subtracting the reserve values, lining up with on-chain claim amounts + less on-chain fees (#1203). + * An explicit `UserConfig::accept_inbound_channels` flag is now provided, + removing the need to set `min_funding_satoshis` to > 21 million BTC (#1173). + * Inbound channels that fail to see the funding transaction confirm within + 2016 blocks are automatically force-closed with + `ClosureReason::FundingTimedOut` (#1083). + * We now accept a channel_reserve value of 0 from counterparties, as it is + insecure for our counterparty but not us (#1163). + * `NetAddress::OnionV2` parsing was removed as version 2 onion services are no + longer supported in modern Tor (#1204). + * Generation and signing of anchor outputs is now supported in the + `KeysInterface`, though no support for them exists in the channel itself (#1176) + +## Bug Fixes + * Fixed a race condition in `InvoicePayer` where paths may be retried after + the retry count has been exceeded. In this case the + `Event::PaymentPathFailed::all_paths_failed` field is not a reliable payment + failure indicator. There was no acceptable alternative indicator, + `Event::PaymentFailed` as been added to provide one (#1202). + * Reduced the blocks-before-timeout we expect of outgoing HTLCs before + refusing to forward. This check was overly strict and resulted in refusing + to forward som HTLCs to a next hop that had a lower security threshold than + us (#1119). + * LDK no longer attempt to update the channel fee for outbound channels when + we cannot afford the new fee. This could have caused force-closure by our + channel counterparty (#1054). + * Fixed several bugs which may have prevented the reliable broadcast of our + own channel announcements and updates (#1169). + * Fixed a rare bug which may have resulted in spurious route finding failures + when using last-hop hints and MPP with large value payments (#1168). + * `KeysManager::spend_spendable_outputs` no longer adds a change output that + is below the dust threshold for non-standard change scripts (#1131). + * Fixed a minor memory leak when attempting to send a payment that fails due + to an error when updating the `ChannelMonitor` (#1143). + * Fixed a bug where a `FeeEstimator` that returns values rounded to the next + sat/vbyte may result in force-closures (#1208). + * Handle MPP timeout HTLC error codes, instead of considering the recipient to + have sent an invalid error, removing them from the network graph (#1148) + +## Serialization Compatibility + * All above new events/fields are ignored by prior clients. All above new + events/fields are not present when reading objects serialized by prior + versions of the library. + * Payment secrets are now generated deterministically. This reduces the memory + footprint for inbound payments, however, newly-generated inbound payments + using `ChannelManager::create_inbound_payment{,_for_hash}` will not be + receivable using versions prior to 0.0.104. + `ChannelManager::create_inbound_payment{,_for_hash}_legacy` are provided for + backwards compatibility (#1177). + * `PaymentPurpose::InvoicePayment::user_payment_id` will be 0 when reading + objects written with 0.0.104 when read by 0.0.103 and previous (#1180). + +In total, this release features 51 files changed, 5356 insertions, 2238 +deletions in 107 commits from 9 authors, in alphabetical order: + * Antoine Riard + * Conor Okus + * Devrandom + * Duncan Dean + * Elias Rohrer + * Jeffrey Czyz + * Ken Sedgwick + * Matt Corallo + * Valentine Wallace + + # 0.0.103 - 2021-11-02 ## API Updates @@ -250,7 +1927,7 @@ deletions in 89 commits from 12 authors, in alphabetical order: * vss96 -# 0.0.100 - 2021-08-17 +# 0.0.100 - 2021-08-17 - "Oh, so *that's* what's going on inside the box" ## API Updates * The `lightning` crate can now be built in no_std mode, making it easy to @@ -343,7 +2020,7 @@ In total, this release features 59 files changed, 5861 insertions, and 2082 deletions in 95 commits from 6 authors. -# 0.0.99 - 2021-07-09 +# 0.0.99 - 2021-07-09 - "It's a Bugz Life" ## API Updates @@ -414,7 +2091,7 @@ deletions in 95 commits from 6 authors. versions. If you have such a `ChannelManager` available, a simple patch will allow it to deserialize. Please file an issue if you need assistance (#973). -# 0.0.98 - 2021-06-11 +# 0.0.98 - 2021-06-11 - "It's ALIVVVVEEEEEEE" 0.0.98 should be considered a release candidate to the first alpha release of Rust-Lightning and the broader LDK. It represents several years of work