X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=lightning%2Fsrc%2Fln%2Fchannel.rs;h=2da743033d3596f5176b17ee6b864f8fa7416679;hb=4c8dc2c2a0b9589298d937bf16061ae0ac99b31e;hp=9b47770f120310cce58cc01bc4ab63d1a679b590;hpb=abf6564a44ad58ccb0d5d3181b94cb7113c6e8ff;p=rust-lightning diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs index 9b47770f..2da74303 100644 --- a/lightning/src/ln/channel.rs +++ b/lightning/src/ln/channel.rs @@ -39,7 +39,7 @@ use util::events::ClosureReason; use util::ser::{Readable, ReadableArgs, Writeable, Writer, VecWriter}; use util::logger::Logger; use util::errors::APIError; -use util::config::{UserConfig, LegacyChannelConfig, ChannelHandshakeConfig, ChannelHandshakeLimits}; +use util::config::{UserConfig, ChannelConfig, LegacyChannelConfig, ChannelHandshakeConfig, ChannelHandshakeLimits}; use util::scid_utils::scid_from_parts; use io; @@ -482,6 +482,16 @@ pub(crate) const CONCURRENT_INBOUND_HTLC_FEE_BUFFER: u32 = 2; /// transaction (not counting the value of the HTLCs themselves). pub(crate) const MIN_AFFORDABLE_HTLC_COUNT: usize = 4; +/// When a [`Channel`] has its [`ChannelConfig`] updated, its existing one is stashed for up to this +/// number of ticks to allow forwarding HTLCs by nodes that have yet to receive the new +/// ChannelUpdate prompted by the config update. This value was determined as follows: +/// +/// * The expected interval between ticks (1 minute). +/// * The average convergence delay of updates across the network, i.e., ~300 seconds on average +/// for a node to see an update as seen on ``. +/// * `EXPIRE_PREV_CONFIG_TICKS` = convergence_delay / tick_interval +pub(crate) const EXPIRE_PREV_CONFIG_TICKS: usize = 5; + // TODO: We should refactor this to be an Inbound/OutboundChannel until initial setup handshaking // has been completed, and then turn into a Channel to get compiler-time enforcement of things like // calling channel_id() before we're set up or things like get_outbound_funding_signed on an @@ -490,11 +500,13 @@ pub(crate) const MIN_AFFORDABLE_HTLC_COUNT: usize = 4; // Holder designates channel data owned for the benefice of the user client. // Counterparty designates channel data owned by the another channel participant entity. pub(super) struct Channel { - #[cfg(any(test, feature = "_test_utils"))] - pub(crate) config: LegacyChannelConfig, - #[cfg(not(any(test, feature = "_test_utils")))] config: LegacyChannelConfig, + // Track the previous `ChannelConfig` so that we can continue forwarding HTLCs that were + // constructed using it. The second element in the tuple corresponds to the number of ticks that + // have elapsed since the update occurred. + prev_config: Option<(ChannelConfig, usize)>, + inbound_handshake_limits_override: Option, user_id: u64, @@ -790,7 +802,6 @@ pub(super) enum ChannelError { Ignore(String), Warn(String), Close(String), - CloseDelayBroadcast(String), } impl fmt::Debug for ChannelError { @@ -799,7 +810,6 @@ impl fmt::Debug for ChannelError { &ChannelError::Ignore(ref e) => write!(f, "Ignore : {}", e), &ChannelError::Warn(ref e) => write!(f, "Warn : {}", e), &ChannelError::Close(ref e) => write!(f, "Close : {}", e), - &ChannelError::CloseDelayBroadcast(ref e) => write!(f, "CloseDelayBroadcast : {}", e) } } } @@ -937,6 +947,8 @@ impl Channel { commit_upfront_shutdown_pubkey: config.channel_handshake_config.commit_upfront_shutdown_pubkey, }, + prev_config: None, + inbound_handshake_limits_override: Some(config.channel_handshake_limits.clone()), channel_id: keys_provider.get_secure_random_bytes(), @@ -1264,6 +1276,8 @@ impl Channel { commit_upfront_shutdown_pubkey: config.channel_handshake_config.commit_upfront_shutdown_pubkey, }, + prev_config: None, + inbound_handshake_limits_override: None, channel_id: msg.temporary_channel_id, @@ -3783,6 +3797,11 @@ impl Channel { /// May panic if some calls other than message-handling calls (which will all Err immediately) /// have been called between remove_uncommitted_htlcs_and_mark_paused and this call. + /// + /// Some links printed in log lines are included here to check them during build (when run with + /// `cargo doc --document-private-items`): + /// [`super::channelmanager::ChannelManager::force_close_without_broadcasting_txn`] and + /// [`super::channelmanager::ChannelManager::force_close_all_channels_without_broadcasting_txn`]. pub fn channel_reestablish(&mut self, msg: &msgs::ChannelReestablish, logger: &L, node_pk: PublicKey, genesis_block_hash: BlockHash, best_block: &BestBlock) -> Result where L::Target: Logger { @@ -3808,9 +3827,20 @@ impl Channel { return Err(ChannelError::Close("Peer sent a garbage channel_reestablish with secret key not matching the commitment height provided".to_owned())); } if msg.next_remote_commitment_number > INITIAL_COMMITMENT_NUMBER - self.cur_holder_commitment_transaction_number { - return Err(ChannelError::CloseDelayBroadcast( - "We have fallen behind - we have received proof that if we broadcast remote is going to claim our funds - we can't do any automated broadcasting".to_owned() - )); + macro_rules! log_and_panic { + ($err_msg: expr) => { + log_error!(logger, $err_msg, log_bytes!(self.channel_id), log_pubkey!(self.counterparty_node_id)); + panic!($err_msg, log_bytes!(self.channel_id), log_pubkey!(self.counterparty_node_id)); + } + } + log_and_panic!("We have fallen behind - we have received proof that if we broadcast our counterparty is going to claim all our funds.\n\ + This implies you have restarted with lost ChannelMonitor and ChannelManager state, the first of which is a violation of the LDK chain::Watch requirements.\n\ + More specifically, this means you have a bug in your implementation that can cause loss of funds, or you are running with an old backup, which is unsafe.\n\ + If you have restored from an old backup and wish to force-close channels and return to operation, you should start up, call\n\ + ChannelManager::force_close_without_broadcasting_txn on channel {} with counterparty {} or\n\ + ChannelManager::force_close_all_channels_without_broadcasting_txn, then reconnect to peer(s).\n\ + Note that due to a long-standing bug in lnd you may have to reach out to peers running lnd-based nodes to ask them to manually force-close channels\n\ + See https://github.com/lightningdevkit/rust-lightning/issues/1565 for more info."); } }, OptionalField::Absent => {} @@ -3917,7 +3947,7 @@ impl Channel { // now! match self.free_holding_cell_htlcs(logger) { Err(ChannelError::Close(msg)) => Err(ChannelError::Close(msg)), - Err(ChannelError::Warn(_)) | Err(ChannelError::Ignore(_)) | Err(ChannelError::CloseDelayBroadcast(_)) => + Err(ChannelError::Warn(_)) | Err(ChannelError::Ignore(_)) => panic!("Got non-channel-failing result from free_holding_cell_htlcs"), Ok((Some((commitment_update, monitor_update)), holding_cell_failed_htlcs)) => { Ok(ReestablishResponses { @@ -4491,6 +4521,84 @@ impl Channel { self.config.options.max_dust_htlc_exposure_msat } + /// Returns the previous [`ChannelConfig`] applied to this channel, if any. + pub fn prev_config(&self) -> Option { + self.prev_config.map(|prev_config| prev_config.0) + } + + /// Tracks the number of ticks elapsed since the previous [`ChannelConfig`] was updated. Once + /// [`EXPIRE_PREV_CONFIG_TICKS`] is reached, the previous config is considered expired and will + /// no longer be considered when forwarding HTLCs. + pub fn maybe_expire_prev_config(&mut self) { + if self.prev_config.is_none() { + return; + } + let prev_config = self.prev_config.as_mut().unwrap(); + prev_config.1 += 1; + if prev_config.1 == EXPIRE_PREV_CONFIG_TICKS { + self.prev_config = None; + } + } + + /// Returns the current [`ChannelConfig`] applied to the channel. + pub fn config(&self) -> ChannelConfig { + self.config.options + } + + /// Updates the channel's config. A bool is returned indicating whether the config update + /// applied resulted in a new ChannelUpdate message. + pub fn update_config(&mut self, config: &ChannelConfig) -> bool { + let did_channel_update = + self.config.options.forwarding_fee_proportional_millionths != config.forwarding_fee_proportional_millionths || + self.config.options.forwarding_fee_base_msat != config.forwarding_fee_base_msat || + self.config.options.cltv_expiry_delta != config.cltv_expiry_delta; + if did_channel_update { + self.prev_config = Some((self.config.options, 0)); + // Update the counter, which backs the ChannelUpdate timestamp, to allow the relay + // policy change to propagate throughout the network. + self.update_time_counter += 1; + } + self.config.options = *config; + did_channel_update + } + + fn internal_htlc_satisfies_config( + &self, htlc: &msgs::UpdateAddHTLC, amt_to_forward: u64, outgoing_cltv_value: u32, config: &ChannelConfig, + ) -> Result<(), (&'static str, u16)> { + let fee = amt_to_forward.checked_mul(config.forwarding_fee_proportional_millionths as u64) + .and_then(|prop_fee| (prop_fee / 1000000).checked_add(config.forwarding_fee_base_msat as u64)); + if fee.is_none() || htlc.amount_msat < fee.unwrap() || + (htlc.amount_msat - fee.unwrap()) < amt_to_forward { + return Err(( + "Prior hop has deviated from specified fees parameters or origin node has obsolete ones", + 0x1000 | 12, // fee_insufficient + )); + } + if (htlc.cltv_expiry as u64) < outgoing_cltv_value as u64 + config.cltv_expiry_delta as u64 { + return Err(( + "Forwarding node has tampered with the intended HTLC values or origin node has an obsolete cltv_expiry_delta", + 0x1000 | 13, // incorrect_cltv_expiry + )); + } + Ok(()) + } + + /// Determines whether the parameters of an incoming HTLC to be forwarded satisfy the channel's + /// [`ChannelConfig`]. This first looks at the channel's current [`ChannelConfig`], and if + /// unsuccessful, falls back to the previous one if one exists. + pub fn htlc_satisfies_config( + &self, htlc: &msgs::UpdateAddHTLC, amt_to_forward: u64, outgoing_cltv_value: u32, + ) -> Result<(), (&'static str, u16)> { + self.internal_htlc_satisfies_config(&htlc, amt_to_forward, outgoing_cltv_value, &self.config()) + .or_else(|err| { + if let Some(prev_config) = self.prev_config() { + self.internal_htlc_satisfies_config(htlc, amt_to_forward, outgoing_cltv_value, &prev_config) + } else { + Err(err) + } + }) + } + pub fn get_feerate(&self) -> u32 { self.feerate_per_kw } @@ -6339,6 +6447,8 @@ impl<'a, Signer: Sign, K: Deref> ReadableArgs<(&'a K, u32)> for Channel config: config.unwrap(), + prev_config: None, + // Note that we don't care about serializing handshake limits as we only ever serialize // channel data after the handshake has completed. inbound_handshake_limits_override: None, @@ -6473,6 +6583,7 @@ mod tests { use bitcoin::secp256k1::{Secp256k1, ecdsa::Signature}; use bitcoin::secp256k1::ffi::Signature as FFISignature; use bitcoin::secp256k1::{SecretKey,PublicKey}; + use bitcoin::secp256k1::ecdh::SharedSecret; use bitcoin::secp256k1::ecdsa::RecoverableSignature; use bitcoin::hashes::sha256::Hash as Sha256; use bitcoin::hashes::Hash; @@ -6511,6 +6622,7 @@ mod tests { type Signer = InMemorySigner; fn get_node_secret(&self, _recipient: Recipient) -> Result { panic!(); } + fn ecdh(&self, _recipient: Recipient, _other_key: &PublicKey, _tweak: Option<&[u8; 32]>) -> Result { panic!(); } fn get_inbound_payment_key_material(&self) -> KeyMaterial { panic!(); } fn get_destination_script(&self) -> Script { let secp_ctx = Secp256k1::signing_only();