X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=lightning%2Fsrc%2Fln%2Fchannel.rs;h=e2a19618be52c4eaace19472cbdbf1a72d6800ef;hb=a265f1e97a9eff25b3418daf4b12fc9c6ad4c036;hp=0ada482f3679563b98de11a861ee9a9d9caf6080;hpb=177810b1522833f85b8b1c422a455e736afe3676;p=rust-lightning

diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
index 0ada482f..e2a19618 100644
--- a/lightning/src/ln/channel.rs
+++ b/lightning/src/ln/channel.rs
@@ -255,8 +255,6 @@ enum ChannelState {
 	RemoteShutdownSent = 1 << 10,
 	/// Flag which is set on ChannelFunded or FundingSent after sending a shutdown message. At this
 	/// point, we may not add any new HTLCs to the channel.
-	/// TODO: Investigate some kind of timeout mechanism by which point the remote end must provide
-	/// us their shutdown.
 	LocalShutdownSent = 1 << 11,
 	/// We've successfully negotiated a closing_signed dance. At this point ChannelManager is about
 	/// to drop us, but we store this anyway.
@@ -454,7 +452,6 @@ pub(super) struct Channel<Signer: Sign> {
 	counterparty_max_commitment_tx_output: Mutex<(u64, u64)>,
 
 	last_sent_closing_fee: Option<(u64, Signature)>, // (fee, holder_sig)
-	closing_fee_limits: Option<(u64, u64)>,
 	target_closing_feerate_sats_per_kw: Option<u32>,
 
 	/// If our counterparty sent us a closing_signed while we were waiting for a `ChannelMonitor`
@@ -462,6 +459,13 @@ pub(super) struct Channel<Signer: Sign> {
 	/// closing_signed message and handling it in `maybe_propose_closing_signed`.
 	pending_counterparty_closing_signed: Option<msgs::ClosingSigned>,
 
+	/// The minimum and maximum absolute fee we are willing to place on the closing transaction.
+	/// These are set once we reach `closing_negotiation_ready`.
+	#[cfg(test)]
+	pub(crate) closing_fee_limits: Option<(u64, u64)>,
+	#[cfg(not(test))]
+	closing_fee_limits: Option<(u64, u64)>,
+
 	/// The hash of the block in which the funding transaction was included.
 	funding_tx_confirmed_in: Option<BlockHash>,
 	funding_tx_confirmation_height: u32,
@@ -503,6 +507,13 @@ pub(super) struct Channel<Signer: Sign> {
 	commitment_secrets: CounterpartyCommitmentSecrets,
 
 	channel_update_status: ChannelUpdateStatus,
+	/// Once we reach `closing_negotiation_ready`, we set this, indicating if closing_signed does
+	/// not complete within a single timer tick (one minute), we should force-close the channel.
+	/// This prevents us from keeping unusable channels around forever if our counterparty wishes
+	/// to DoS us.
+	/// Note that this field is reset to false on deserialization to give us a chance to connect to
+	/// our peer and start the closing_signed negotiation fresh.
+	closing_signed_in_flight: bool,
 
 	/// Our counterparty's channel_announcement signatures provided in announcement_signatures.
 	/// This can be used to rebroadcast the channel_announcement message later.
@@ -740,6 +751,7 @@ impl<Signer: Sign> Channel<Signer> {
 			commitment_secrets: CounterpartyCommitmentSecrets::new(),
 
 			channel_update_status: ChannelUpdateStatus::Enabled,
+			closing_signed_in_flight: false,
 
 			announcement_sigs: None,
 
@@ -1006,6 +1018,7 @@ impl<Signer: Sign> Channel<Signer> {
 			commitment_secrets: CounterpartyCommitmentSecrets::new(),
 
 			channel_update_status: ChannelUpdateStatus::Enabled,
+			closing_signed_in_flight: false,
 
 			announcement_sigs: None,
 
@@ -1778,6 +1791,9 @@ impl<Signer: Sign> Channel<Signer> {
 			self.counterparty_funding_pubkey()
 		);
 
+		self.holder_signer.validate_holder_commitment(&holder_commitment_tx)
+			.map_err(|_| ChannelError::Close("Failed to validate our commitment".to_owned()))?;
+
 		// Now that we're past error-generating stuff, update our local state:
 
 		let funding_redeemscript = self.get_funding_redeemscript();
@@ -1852,6 +1868,9 @@ impl<Signer: Sign> Channel<Signer> {
 			self.counterparty_funding_pubkey()
 		);
 
+		self.holder_signer.validate_holder_commitment(&holder_commitment_tx)
+			.map_err(|_| ChannelError::Close("Failed to validate our commitment".to_owned()))?;
+
 
 		let funding_redeemscript = self.get_funding_redeemscript();
 		let funding_txo = self.get_funding_txo().unwrap();
@@ -2489,6 +2508,8 @@ impl<Signer: Sign> Channel<Signer> {
 		);
 
 		let next_per_commitment_point = self.holder_signer.get_per_commitment_point(self.cur_holder_commitment_transaction_number - 1, &self.secp_ctx);
+		self.holder_signer.validate_holder_commitment(&holder_commitment_tx)
+			.map_err(|_| (None, ChannelError::Close("Failed to validate our commitment".to_owned())))?;
 		let per_commitment_secret = self.holder_signer.release_commitment_secret(self.cur_holder_commitment_transaction_number + 1);
 
 		// Update state now that we've passed all the can-fail calls...
@@ -2725,8 +2746,10 @@ impl<Signer: Sign> Channel<Signer> {
 			return Err(ChannelError::Close("Peer sent revoke_and_ack after we'd started exchanging closing_signeds".to_owned()));
 		}
 
+		let secret = secp_check!(SecretKey::from_slice(&msg.per_commitment_secret), "Peer provided an invalid per_commitment_secret".to_owned());
+
 		if let Some(counterparty_prev_commitment_point) = self.counterparty_prev_commitment_point {
-			if PublicKey::from_secret_key(&self.secp_ctx, &secp_check!(SecretKey::from_slice(&msg.per_commitment_secret), "Peer provided an invalid per_commitment_secret".to_owned())) != counterparty_prev_commitment_point {
+			if PublicKey::from_secret_key(&self.secp_ctx, &secret) != counterparty_prev_commitment_point {
 				return Err(ChannelError::Close("Got a revoke commitment secret which didn't correspond to their current pubkey".to_owned()));
 			}
 		}
@@ -2748,6 +2771,11 @@ impl<Signer: Sign> Channel<Signer> {
 			*self.next_remote_commitment_tx_fee_info_cached.lock().unwrap() = None;
 		}
 
+		self.holder_signer.validate_counterparty_revocation(
+			self.cur_counterparty_commitment_transaction_number + 1,
+			&secret
+		).map_err(|_| ChannelError::Close("Failed to validate revocation from peer".to_owned()))?;
+
 		self.commitment_secrets.provide_secret(self.cur_counterparty_commitment_transaction_number + 1, msg.per_commitment_secret)
 			.map_err(|_| ChannelError::Close("Previous secrets did not match new one".to_owned()))?;
 		self.latest_monitor_update_id += 1;
@@ -3413,16 +3441,38 @@ impl<Signer: Sign> Channel<Signer> {
 		self.closing_fee_limits.clone().unwrap()
 	}
 
+	/// Returns true if we're ready to commence the closing_signed negotiation phase. This is true
+	/// after both sides have exchanged a `shutdown` message and all HTLCs have been drained. At
+	/// this point if we're the funder we should send the initial closing_signed, and in any case
+	/// shutdown should complete within a reasonable timeframe.
+	fn closing_negotiation_ready(&self) -> bool {
+		self.pending_inbound_htlcs.is_empty() && self.pending_outbound_htlcs.is_empty() &&
+			self.channel_state &
+				(BOTH_SIDES_SHUTDOWN_MASK | ChannelState::AwaitingRemoteRevoke as u32 |
+				 ChannelState::PeerDisconnected as u32 | ChannelState::MonitorUpdateFailed as u32)
+				== BOTH_SIDES_SHUTDOWN_MASK &&
+			self.pending_update_fee.is_none()
+	}
+
+	/// Checks if the closing_signed negotiation is making appropriate progress, possibly returning
+	/// an Err if no progress is being made and the channel should be force-closed instead.
+	/// Should be called on a one-minute timer.
+	pub fn timer_check_closing_negotiation_progress(&mut self) -> Result<(), ChannelError> {
+		if self.closing_negotiation_ready() {
+			if self.closing_signed_in_flight {
+				return Err(ChannelError::Close("closing_signed negotiation failed to finish within two timer ticks".to_owned()));
+			} else {
+				self.closing_signed_in_flight = true;
+			}
+		}
+		Ok(())
+	}
+
 	pub fn maybe_propose_closing_signed<F: Deref, L: Deref>(&mut self, fee_estimator: &F, logger: &L)
 		-> Result<(Option<msgs::ClosingSigned>, Option<Transaction>), ChannelError>
 		where F::Target: FeeEstimator, L::Target: Logger
 	{
-		if !self.pending_inbound_htlcs.is_empty() || !self.pending_outbound_htlcs.is_empty() ||
-				self.channel_state &
-					(BOTH_SIDES_SHUTDOWN_MASK | ChannelState::AwaitingRemoteRevoke as u32 |
-					 ChannelState::PeerDisconnected as u32 | ChannelState::MonitorUpdateFailed as u32)
-				!= BOTH_SIDES_SHUTDOWN_MASK ||
-				self.last_sent_closing_fee.is_some() || self.pending_update_fee.is_some() {
+		if self.last_sent_closing_fee.is_some() || !self.closing_negotiation_ready() {
 			return Ok((None, None));
 		}
 
@@ -3600,7 +3650,7 @@ impl<Signer: Sign> Channel<Signer> {
 		let funding_redeemscript = self.get_funding_redeemscript();
 		let (mut closing_tx, used_total_fee) = self.build_closing_transaction(msg.fee_satoshis, false);
 		if used_total_fee != msg.fee_satoshis {
-			return Err(ChannelError::Close(format!("Remote sent us a closing_signed with a fee greater than the value they can claim. Fee in message: {}", msg.fee_satoshis)));
+			return Err(ChannelError::Close(format!("Remote sent us a closing_signed with a fee other than the value they can claim. Fee in message: {}. Actual closing tx fee: {}", msg.fee_satoshis, used_total_fee)));
 		}
 		let mut sighash = hash_to_message!(&bip143::SigHashCache::new(&closing_tx).signature_hash(0, &funding_redeemscript, self.channel_value_satoshis, SigHashType::All)[..]);
 
@@ -5463,6 +5513,7 @@ impl<'a, Signer: Sign, K: Deref> ReadableArgs<&'a K> for Channel<Signer>
 			commitment_secrets,
 
 			channel_update_status,
+			closing_signed_in_flight: false,
 
 			announcement_sigs,