From: Antoine Riard Date: Sun, 18 Apr 2021 23:18:30 +0000 (-0400) Subject: Move onchain* to chain/ X-Git-Tag: v0.0.98~17^2~3 X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=4363f965d6da2b5252b3e2fef09354b8970a9fe1;p=rust-lightning Move onchain* to chain/ --- diff --git a/lightning/src/chain/channelmonitor.rs b/lightning/src/chain/channelmonitor.rs index f12c4fea6..de8268141 100644 --- a/lightning/src/chain/channelmonitor.rs +++ b/lightning/src/chain/channelmonitor.rs @@ -38,13 +38,13 @@ use ln::msgs::DecodeError; use ln::chan_utils; use ln::chan_utils::{CounterpartyCommitmentSecrets, HTLCOutputInCommitment, HTLCType, ChannelTransactionParameters, HolderCommitmentTransaction}; use ln::channelmanager::{BestBlock, HTLCSource}; -use ln::onchaintx::OnchainTxHandler; -use ln::package::{CounterpartyOfferedHTLCOutput, CounterpartyReceivedHTLCOutput, HolderFundingOutput, HolderHTLCOutput, PackageSolvingData, PackageTemplate, RevokedOutput, RevokedHTLCOutput}; use chain; use chain::WatchedOutput; use chain::chaininterface::{BroadcasterInterface, FeeEstimator}; use chain::transaction::{OutPoint, TransactionData}; use chain::keysinterface::{SpendableOutputDescriptor, StaticPaymentOutputDescriptor, DelayedPaymentOutputDescriptor, Sign, KeysInterface}; +use chain::onchaintx::OnchainTxHandler; +use chain::package::{CounterpartyOfferedHTLCOutput, CounterpartyReceivedHTLCOutput, HolderFundingOutput, HolderHTLCOutput, PackageSolvingData, PackageTemplate, RevokedOutput, RevokedHTLCOutput}; use chain::Filter; use util::logger::Logger; use util::ser::{Readable, ReadableArgs, MaybeReadable, Writer, Writeable, U48}; @@ -2900,12 +2900,10 @@ mod tests { use bitcoin::network::constants::Network; use hex; use chain::channelmonitor::ChannelMonitor; - use chain::onchain_utils::{WEIGHT_OFFERED_HTLC, WEIGHT_RECEIVED_HTLC, WEIGHT_REVOKED_OFFERED_HTLC, WEIGHT_REVOKED_RECEIVED_HTLC, WEIGHT_REVOKED_OUTPUT}; + use chain::package::{WEIGHT_OFFERED_HTLC, WEIGHT_RECEIVED_HTLC, WEIGHT_REVOKED_OFFERED_HTLC, WEIGHT_REVOKED_RECEIVED_HTLC, WEIGHT_REVOKED_OUTPUT}; use chain::transaction::OutPoint; use ln::{PaymentPreimage, PaymentHash}; use ln::channelmanager::BestBlock; - use ln::package; - use ln::package::InputDescriptors; use ln::chan_utils; use ln::chan_utils::{HTLCOutputInCommitment, ChannelPublicKeys, ChannelTransactionParameters, HolderCommitmentTransaction, CounterpartyChannelTransactionParameters}; use util::test_utils::{TestLogger, TestBroadcaster, TestFeeEstimator}; diff --git a/lightning/src/chain/mod.rs b/lightning/src/chain/mod.rs index 42c74da13..856a9e8af 100644 --- a/lightning/src/chain/mod.rs +++ b/lightning/src/chain/mod.rs @@ -23,6 +23,8 @@ pub mod chainmonitor; pub mod channelmonitor; pub mod transaction; pub mod keysinterface; +pub(crate) mod onchaintx; +pub(crate) mod package; /// An error when accessing the chain via [`Access`]. #[derive(Clone)] diff --git a/lightning/src/chain/onchaintx.rs b/lightning/src/chain/onchaintx.rs new file mode 100644 index 000000000..131caff7a --- /dev/null +++ b/lightning/src/chain/onchaintx.rs @@ -0,0 +1,747 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +//! The logic to build claims and bump in-flight transactions until confirmations. +//! +//! OnchainTxHandler objects are fully-part of ChannelMonitor and encapsulates all +//! building, tracking, bumping and notifications functions. + +use bitcoin::blockdata::transaction::Transaction; +use bitcoin::blockdata::transaction::OutPoint as BitcoinOutPoint; +use bitcoin::blockdata::script::Script; + +use bitcoin::hash_types::Txid; + +use bitcoin::secp256k1::{Secp256k1, Signature}; +use bitcoin::secp256k1; + +use ln::msgs::DecodeError; +use ln::PaymentPreimage; +use ln::chan_utils::{ChannelTransactionParameters, HolderCommitmentTransaction}; +use chain::chaininterface::{FeeEstimator, BroadcasterInterface}; +use chain::channelmonitor::{ANTI_REORG_DELAY, CLTV_SHARED_CLAIM_BUFFER}; +use chain::keysinterface::{Sign, KeysInterface}; +use chain::package::PackageTemplate; +use chain::package; +use util::logger::Logger; +use util::ser::{Readable, ReadableArgs, Writer, Writeable, VecWriter}; +use util::byte_utils; + +use std::collections::HashMap; +use core::cmp; +use core::ops::Deref; +use core::mem::replace; + +const MAX_ALLOC_SIZE: usize = 64*1024; + +/// An entry for an [`OnchainEvent`], stating the block height when the event was observed and the +/// transaction causing it. +/// +/// Used to determine when the on-chain event can be considered safe from a chain reorganization. +#[derive(PartialEq)] +struct OnchainEventEntry { + txid: Txid, + height: u32, + event: OnchainEvent, +} + +impl OnchainEventEntry { + fn confirmation_threshold(&self) -> u32 { + self.height + ANTI_REORG_DELAY - 1 + } + + fn has_reached_confirmation_threshold(&self, height: u32) -> bool { + height >= self.confirmation_threshold() + } +} + +/// Upon discovering of some classes of onchain tx by ChannelMonitor, we may have to take actions on it +/// once they mature to enough confirmations (ANTI_REORG_DELAY) +#[derive(PartialEq)] +enum OnchainEvent { + /// Outpoint under claim process by our own tx, once this one get enough confirmations, we remove it from + /// bump-txn candidate buffer. + Claim { + claim_request: Txid, + }, + /// Claim tx aggregate multiple claimable outpoints. One of the outpoint may be claimed by a counterparty party tx. + /// In this case, we need to drop the outpoint and regenerate a new claim tx. By safety, we keep tracking + /// the outpoint to be sure to resurect it back to the claim tx if reorgs happen. + ContentiousOutpoint { + package: PackageTemplate, + } +} + +impl Readable for Option>> { + fn read(reader: &mut R) -> Result { + match Readable::read(reader)? { + 0u8 => Ok(None), + 1u8 => { + let vlen: u64 = Readable::read(reader)?; + let mut ret = Vec::with_capacity(cmp::min(vlen as usize, MAX_ALLOC_SIZE / ::core::mem::size_of::>())); + for _ in 0..vlen { + ret.push(match Readable::read(reader)? { + 0u8 => None, + 1u8 => Some((::read(reader)? as usize, Readable::read(reader)?)), + _ => return Err(DecodeError::InvalidValue) + }); + } + Ok(Some(ret)) + }, + _ => Err(DecodeError::InvalidValue), + } + } +} + +impl Writeable for Option>> { + fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { + match self { + &Some(ref vec) => { + 1u8.write(writer)?; + (vec.len() as u64).write(writer)?; + for opt in vec.iter() { + match opt { + &Some((ref idx, ref sig)) => { + 1u8.write(writer)?; + (*idx as u64).write(writer)?; + sig.write(writer)?; + }, + &None => 0u8.write(writer)?, + } + } + }, + &None => 0u8.write(writer)?, + } + Ok(()) + } +} + + +/// OnchainTxHandler receives claiming requests, aggregates them if it's sound, broadcast and +/// do RBF bumping if possible. +pub struct OnchainTxHandler { + destination_script: Script, + holder_commitment: HolderCommitmentTransaction, + // holder_htlc_sigs and prev_holder_htlc_sigs are in the order as they appear in the commitment + // transaction outputs (hence the Option<>s inside the Vec). The first usize is the index in + // the set of HTLCs in the HolderCommitmentTransaction. + holder_htlc_sigs: Option>>, + prev_holder_commitment: Option, + prev_holder_htlc_sigs: Option>>, + + pub(super) signer: ChannelSigner, + pub(crate) channel_transaction_parameters: ChannelTransactionParameters, + + // Used to track claiming requests. If claim tx doesn't confirm before height timer expiration we need to bump + // it (RBF or CPFP). If an input has been part of an aggregate tx at first claim try, we need to keep it within + // another bumped aggregate tx to comply with RBF rules. We may have multiple claiming txn in the flight for the + // same set of outpoints. One of the outpoints may be spent by a transaction not issued by us. That's why at + // block connection we scan all inputs and if any of them is among a set of a claiming request we test for set + // equality between spending transaction and claim request. If true, it means transaction was one our claiming one + // after a security delay of 6 blocks we remove pending claim request. If false, it means transaction wasn't and + // we need to regenerate new claim request with reduced set of still-claimable outpoints. + // Key is identifier of the pending claim request, i.e the txid of the initial claiming transaction generated by + // us and is immutable until all outpoint of the claimable set are post-anti-reorg-delay solved. + // Entry is cache of elements need to generate a bumped claiming transaction (see ClaimTxBumpMaterial) + #[cfg(test)] // Used in functional_test to verify sanitization + pub(crate) pending_claim_requests: HashMap, + #[cfg(not(test))] + pending_claim_requests: HashMap, + + // Used to link outpoints claimed in a connected block to a pending claim request. + // Key is outpoint than monitor parsing has detected we have keys/scripts to claim + // Value is (pending claim request identifier, confirmation_block), identifier + // is txid of the initial claiming transaction and is immutable until outpoint is + // post-anti-reorg-delay solved, confirmaiton_block is used to erase entry if + // block with output gets disconnected. + #[cfg(test)] // Used in functional_test to verify sanitization + pub claimable_outpoints: HashMap, + #[cfg(not(test))] + claimable_outpoints: HashMap, + + onchain_events_awaiting_threshold_conf: Vec, + + latest_height: u32, + + pub(super) secp_ctx: Secp256k1, +} + +const SERIALIZATION_VERSION: u8 = 1; +const MIN_SERIALIZATION_VERSION: u8 = 1; + +impl OnchainTxHandler { + pub(crate) fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { + write_ver_prefix!(writer, SERIALIZATION_VERSION, MIN_SERIALIZATION_VERSION); + + self.destination_script.write(writer)?; + self.holder_commitment.write(writer)?; + self.holder_htlc_sigs.write(writer)?; + self.prev_holder_commitment.write(writer)?; + self.prev_holder_htlc_sigs.write(writer)?; + + self.channel_transaction_parameters.write(writer)?; + + let mut key_data = VecWriter(Vec::new()); + self.signer.write(&mut key_data)?; + assert!(key_data.0.len() < core::usize::MAX); + assert!(key_data.0.len() < core::u32::MAX as usize); + (key_data.0.len() as u32).write(writer)?; + writer.write_all(&key_data.0[..])?; + + writer.write_all(&byte_utils::be64_to_array(self.pending_claim_requests.len() as u64))?; + for (ref ancestor_claim_txid, request) in self.pending_claim_requests.iter() { + ancestor_claim_txid.write(writer)?; + request.write(writer)?; + } + + writer.write_all(&byte_utils::be64_to_array(self.claimable_outpoints.len() as u64))?; + for (ref outp, ref claim_and_height) in self.claimable_outpoints.iter() { + outp.write(writer)?; + claim_and_height.0.write(writer)?; + claim_and_height.1.write(writer)?; + } + + writer.write_all(&byte_utils::be64_to_array(self.onchain_events_awaiting_threshold_conf.len() as u64))?; + for ref entry in self.onchain_events_awaiting_threshold_conf.iter() { + entry.txid.write(writer)?; + writer.write_all(&byte_utils::be32_to_array(entry.height))?; + match entry.event { + OnchainEvent::Claim { ref claim_request } => { + writer.write_all(&[0; 1])?; + claim_request.write(writer)?; + }, + OnchainEvent::ContentiousOutpoint { ref package } => { + writer.write_all(&[1; 1])?; + package.write(writer)?; + } + } + } + self.latest_height.write(writer)?; + + write_tlv_fields!(writer, {}, {}); + Ok(()) + } +} + +impl<'a, K: KeysInterface> ReadableArgs<&'a K> for OnchainTxHandler { + fn read(reader: &mut R, keys_manager: &'a K) -> Result { + let _ver = read_ver_prefix!(reader, SERIALIZATION_VERSION); + + let destination_script = Readable::read(reader)?; + + let holder_commitment = Readable::read(reader)?; + let holder_htlc_sigs = Readable::read(reader)?; + let prev_holder_commitment = Readable::read(reader)?; + let prev_holder_htlc_sigs = Readable::read(reader)?; + + let channel_parameters = Readable::read(reader)?; + + let keys_len: u32 = Readable::read(reader)?; + let mut keys_data = Vec::with_capacity(cmp::min(keys_len as usize, MAX_ALLOC_SIZE)); + while keys_data.len() != keys_len as usize { + // Read 1KB at a time to avoid accidentally allocating 4GB on corrupted channel keys + let mut data = [0; 1024]; + let read_slice = &mut data[0..cmp::min(1024, keys_len as usize - keys_data.len())]; + reader.read_exact(read_slice)?; + keys_data.extend_from_slice(read_slice); + } + let signer = keys_manager.read_chan_signer(&keys_data)?; + + let pending_claim_requests_len: u64 = Readable::read(reader)?; + let mut pending_claim_requests = HashMap::with_capacity(cmp::min(pending_claim_requests_len as usize, MAX_ALLOC_SIZE / 128)); + for _ in 0..pending_claim_requests_len { + pending_claim_requests.insert(Readable::read(reader)?, Readable::read(reader)?); + } + + let claimable_outpoints_len: u64 = Readable::read(reader)?; + let mut claimable_outpoints = HashMap::with_capacity(cmp::min(pending_claim_requests_len as usize, MAX_ALLOC_SIZE / 128)); + for _ in 0..claimable_outpoints_len { + let outpoint = Readable::read(reader)?; + let ancestor_claim_txid = Readable::read(reader)?; + let height = Readable::read(reader)?; + claimable_outpoints.insert(outpoint, (ancestor_claim_txid, height)); + } + let waiting_threshold_conf_len: u64 = Readable::read(reader)?; + let mut onchain_events_awaiting_threshold_conf = Vec::with_capacity(cmp::min(waiting_threshold_conf_len as usize, MAX_ALLOC_SIZE / 128)); + for _ in 0..waiting_threshold_conf_len { + let txid = Readable::read(reader)?; + let height = Readable::read(reader)?; + let event = match ::read(reader)? { + 0 => { + let claim_request = Readable::read(reader)?; + OnchainEvent::Claim { + claim_request + } + }, + 1 => { + let package = Readable::read(reader)?; + OnchainEvent::ContentiousOutpoint { + package + } + } + _ => return Err(DecodeError::InvalidValue), + }; + onchain_events_awaiting_threshold_conf.push(OnchainEventEntry { txid, height, event }); + } + let latest_height = Readable::read(reader)?; + + read_tlv_fields!(reader, {}, {}); + + let mut secp_ctx = Secp256k1::new(); + secp_ctx.seeded_randomize(&keys_manager.get_secure_random_bytes()); + + Ok(OnchainTxHandler { + destination_script, + holder_commitment, + holder_htlc_sigs, + prev_holder_commitment, + prev_holder_htlc_sigs, + signer, + channel_transaction_parameters: channel_parameters, + claimable_outpoints, + pending_claim_requests, + onchain_events_awaiting_threshold_conf, + latest_height, + secp_ctx, + }) + } +} + +impl OnchainTxHandler { + pub(crate) fn new(destination_script: Script, signer: ChannelSigner, channel_parameters: ChannelTransactionParameters, holder_commitment: HolderCommitmentTransaction, secp_ctx: Secp256k1) -> Self { + OnchainTxHandler { + destination_script, + holder_commitment, + holder_htlc_sigs: None, + prev_holder_commitment: None, + prev_holder_htlc_sigs: None, + signer, + channel_transaction_parameters: channel_parameters, + pending_claim_requests: HashMap::new(), + claimable_outpoints: HashMap::new(), + onchain_events_awaiting_threshold_conf: Vec::new(), + latest_height: 0, + + secp_ctx, + } + } + + /// In LN, output claimed are time-sensitive, which means we have to spend them before reaching some timelock expiration. At in-channel + /// output detection, we generate a first version of a claim tx and associate to it a height timer. A height timer is an absolute block + /// height than once reached we should generate a new bumped "version" of the claim tx to be sure than we safely claim outputs before + /// than our counterparty can do it too. If timelock expires soon, height timer is going to be scale down in consequence to increase + /// frequency of the bump and so increase our bets of success. + fn get_height_timer(current_height: u32, timelock_expiration: u32) -> u32 { + if timelock_expiration <= current_height + 3 { + return current_height + 1 + } else if timelock_expiration - current_height <= 15 { + return current_height + 3 + } + current_height + 15 + } + + /// Lightning security model (i.e being able to redeem/timeout HTLC or penalize coutnerparty onchain) lays on the assumption of claim transactions getting confirmed before timelock expiration + /// (CSV or CLTV following cases). In case of high-fee spikes, claim tx may stuck in the mempool, so you need to bump its feerate quickly using Replace-By-Fee or Child-Pay-For-Parent. + /// Panics if there are signing errors, because signing operations in reaction to on-chain events + /// are not expected to fail, and if they do, we may lose funds. + fn generate_claim_tx(&mut self, height: u32, cached_request: &PackageTemplate, fee_estimator: &F, logger: &L) -> Option<(Option, u64, Transaction)> + where F::Target: FeeEstimator, + L::Target: Logger, + { + if cached_request.outpoints().len() == 0 { return None } // But don't prune pending claiming request yet, we may have to resurrect HTLCs + + // Compute new height timer to decide when we need to regenerate a new bumped version of the claim tx (if we + // didn't receive confirmation of it before, or not enough reorg-safe depth on top of it). + let new_timer = Some(Self::get_height_timer(height, cached_request.timelock())); + let amt = cached_request.package_amount(); + if cached_request.is_malleable() { + let predicted_weight = cached_request.package_weight(&self.destination_script); + if let Some((output_value, new_feerate)) = package::compute_output_value(predicted_weight, amt, cached_request.feerate(), fee_estimator, logger) { + assert!(new_feerate != 0); + + let transaction = cached_request.finalize_package(self, output_value, self.destination_script.clone(), logger).unwrap(); + log_trace!(logger, "...with timer {} and feerate {}", new_timer.unwrap(), new_feerate); + assert!(predicted_weight >= transaction.get_weight()); + return Some((new_timer, new_feerate, transaction)) + } + } else { + // Note: Currently, amounts of holder outputs spending witnesses aren't used + // as we can't malleate spending package to increase their feerate. This + // should change with the remaining anchor output patchset. + debug_assert!(amt == 0); + if let Some(transaction) = cached_request.finalize_package(self, amt, self.destination_script.clone(), logger) { + return Some((None, 0, transaction)); + } + } + None + } + + /// Upon channelmonitor.block_connected(..) or upon provision of a preimage on the forward link + /// for this channel, provide new relevant on-chain transactions and/or new claim requests. + /// Formerly this was named `block_connected`, but it is now also used for claiming an HTLC output + /// if we receive a preimage after force-close. + pub(crate) fn update_claims_view(&mut self, txn_matched: &[&Transaction], requests: Vec, latest_height: Option, broadcaster: &B, fee_estimator: &F, logger: &L) + where B::Target: BroadcasterInterface, + F::Target: FeeEstimator, + L::Target: Logger, + { + let height = match latest_height { + Some(h) => h, + None => self.latest_height, + }; + log_trace!(logger, "Updating claims view at height {} with {} matched transactions and {} claim requests", height, txn_matched.len(), requests.len()); + let mut preprocessed_requests = Vec::with_capacity(requests.len()); + let mut aggregated_request = None; + + // Try to aggregate outputs if their timelock expiration isn't imminent (package timelock + // <= CLTV_SHARED_CLAIM_BUFFER) and they don't require an immediate nLockTime (aggregable). + for req in requests { + // Don't claim a outpoint twice that would be bad for privacy and may uselessly lock a CPFP input for a while + if let Some(_) = self.claimable_outpoints.get(req.outpoints()[0]) { log_trace!(logger, "Bouncing off outpoint {}:{}, already registered its claiming request", req.outpoints()[0].txid, req.outpoints()[0].vout); } else { + log_trace!(logger, "Test if outpoint can be aggregated with expiration {} against {}", req.timelock(), height + CLTV_SHARED_CLAIM_BUFFER); + if req.timelock() <= height + CLTV_SHARED_CLAIM_BUFFER || !req.aggregable() { + // Don't aggregate if outpoint package timelock is soon or marked as non-aggregable + preprocessed_requests.push(req); + } else if aggregated_request.is_none() { + aggregated_request = Some(req); + } else { + aggregated_request.as_mut().unwrap().merge_package(req); + } + } + } + if let Some(req) = aggregated_request { + preprocessed_requests.push(req); + } + + // Generate claim transactions and track them to bump if necessary at + // height timer expiration (i.e in how many blocks we're going to take action). + for mut req in preprocessed_requests { + if let Some((new_timer, new_feerate, tx)) = self.generate_claim_tx(height, &req, &*fee_estimator, &*logger) { + req.set_timer(new_timer); + req.set_feerate(new_feerate); + let txid = tx.txid(); + for k in req.outpoints() { + log_trace!(logger, "Registering claiming request for {}:{}", k.txid, k.vout); + self.claimable_outpoints.insert(k.clone(), (txid, height)); + } + self.pending_claim_requests.insert(txid, req); + log_trace!(logger, "Broadcasting onchain {}", log_tx!(tx)); + broadcaster.broadcast_transaction(&tx); + } + } + + let mut bump_candidates = HashMap::new(); + for tx in txn_matched { + // Scan all input to verify is one of the outpoint spent is of interest for us + let mut claimed_outputs_material = Vec::new(); + for inp in &tx.input { + if let Some(first_claim_txid_height) = self.claimable_outpoints.get(&inp.previous_output) { + // If outpoint has claim request pending on it... + if let Some(request) = self.pending_claim_requests.get_mut(&first_claim_txid_height.0) { + //... we need to verify equality between transaction outpoints and claim request + // outpoints to know if transaction is the original claim or a bumped one issued + // by us. + let mut set_equality = true; + if request.outpoints().len() != tx.input.len() { + set_equality = false; + } else { + for (claim_inp, tx_inp) in request.outpoints().iter().zip(tx.input.iter()) { + if **claim_inp != tx_inp.previous_output { + set_equality = false; + } + } + } + + macro_rules! clean_claim_request_after_safety_delay { + () => { + let entry = OnchainEventEntry { + txid: tx.txid(), + height, + event: OnchainEvent::Claim { claim_request: first_claim_txid_height.0.clone() } + }; + if !self.onchain_events_awaiting_threshold_conf.contains(&entry) { + self.onchain_events_awaiting_threshold_conf.push(entry); + } + } + } + + // If this is our transaction (or our counterparty spent all the outputs + // before we could anyway with same inputs order than us), wait for + // ANTI_REORG_DELAY and clean the RBF tracking map. + if set_equality { + clean_claim_request_after_safety_delay!(); + } else { // If false, generate new claim request with update outpoint set + let mut at_least_one_drop = false; + for input in tx.input.iter() { + if let Some(package) = request.split_package(&input.previous_output) { + claimed_outputs_material.push(package); + at_least_one_drop = true; + } + // If there are no outpoints left to claim in this request, drop it entirely after ANTI_REORG_DELAY. + if request.outpoints().is_empty() { + clean_claim_request_after_safety_delay!(); + } + } + //TODO: recompute soonest_timelock to avoid wasting a bit on fees + if at_least_one_drop { + bump_candidates.insert(first_claim_txid_height.0.clone(), request.clone()); + } + } + break; //No need to iterate further, either tx is our or their + } else { + panic!("Inconsistencies between pending_claim_requests map and claimable_outpoints map"); + } + } + } + for package in claimed_outputs_material.drain(..) { + let entry = OnchainEventEntry { + txid: tx.txid(), + height, + event: OnchainEvent::ContentiousOutpoint { package }, + }; + if !self.onchain_events_awaiting_threshold_conf.contains(&entry) { + self.onchain_events_awaiting_threshold_conf.push(entry); + } + } + } + + // After security delay, either our claim tx got enough confs or outpoint is definetely out of reach + let onchain_events_awaiting_threshold_conf = + self.onchain_events_awaiting_threshold_conf.drain(..).collect::>(); + for entry in onchain_events_awaiting_threshold_conf { + if entry.has_reached_confirmation_threshold(height) { + match entry.event { + OnchainEvent::Claim { claim_request } => { + // We may remove a whole set of claim outpoints here, as these one may have + // been aggregated in a single tx and claimed so atomically + if let Some(request) = self.pending_claim_requests.remove(&claim_request) { + for outpoint in request.outpoints() { + self.claimable_outpoints.remove(&outpoint); + } + } + }, + OnchainEvent::ContentiousOutpoint { package } => { + self.claimable_outpoints.remove(&package.outpoints()[0]); + } + } + } else { + self.onchain_events_awaiting_threshold_conf.push(entry); + } + } + + // Check if any pending claim request must be rescheduled + for (first_claim_txid, ref request) in self.pending_claim_requests.iter() { + if let Some(h) = request.timer() { + if height >= h { + bump_candidates.insert(*first_claim_txid, (*request).clone()); + } + } + } + + // Build, bump and rebroadcast tx accordingly + log_trace!(logger, "Bumping {} candidates", bump_candidates.len()); + for (first_claim_txid, request) in bump_candidates.iter() { + if let Some((new_timer, new_feerate, bump_tx)) = self.generate_claim_tx(height, &request, &*fee_estimator, &*logger) { + log_trace!(logger, "Broadcasting onchain {}", log_tx!(bump_tx)); + broadcaster.broadcast_transaction(&bump_tx); + if let Some(request) = self.pending_claim_requests.get_mut(first_claim_txid) { + request.set_timer(new_timer); + request.set_feerate(new_feerate); + } + } + } + } + + pub(crate) fn transaction_unconfirmed( + &mut self, + txid: &Txid, + broadcaster: B, + fee_estimator: F, + logger: L, + ) where + B::Target: BroadcasterInterface, + F::Target: FeeEstimator, + L::Target: Logger, + { + let mut height = None; + for entry in self.onchain_events_awaiting_threshold_conf.iter() { + if entry.txid == *txid { + height = Some(entry.height); + break; + } + } + + if let Some(height) = height { + self.block_disconnected(height, broadcaster, fee_estimator, logger); + } + } + + pub(crate) fn block_disconnected(&mut self, height: u32, broadcaster: B, fee_estimator: F, logger: L) + where B::Target: BroadcasterInterface, + F::Target: FeeEstimator, + L::Target: Logger, + { + let mut bump_candidates = HashMap::new(); + let onchain_events_awaiting_threshold_conf = + self.onchain_events_awaiting_threshold_conf.drain(..).collect::>(); + for entry in onchain_events_awaiting_threshold_conf { + if entry.height >= height { + //- our claim tx on a commitment tx output + //- resurect outpoint back in its claimable set and regenerate tx + match entry.event { + OnchainEvent::ContentiousOutpoint { package } => { + if let Some(ancestor_claimable_txid) = self.claimable_outpoints.get(&package.outpoints()[0]) { + if let Some(request) = self.pending_claim_requests.get_mut(&ancestor_claimable_txid.0) { + request.merge_package(package); + // Using a HashMap guarantee us than if we have multiple outpoints getting + // resurrected only one bump claim tx is going to be broadcast + bump_candidates.insert(ancestor_claimable_txid.clone(), request.clone()); + } + } + }, + _ => {}, + } + } else { + self.onchain_events_awaiting_threshold_conf.push(entry); + } + } + for (_, request) in bump_candidates.iter_mut() { + if let Some((new_timer, new_feerate, bump_tx)) = self.generate_claim_tx(height, &request, &&*fee_estimator, &&*logger) { + request.set_timer(new_timer); + request.set_feerate(new_feerate); + log_info!(logger, "Broadcasting onchain {}", log_tx!(bump_tx)); + broadcaster.broadcast_transaction(&bump_tx); + } + } + for (ancestor_claim_txid, request) in bump_candidates.drain() { + self.pending_claim_requests.insert(ancestor_claim_txid.0, request); + } + //TODO: if we implement cross-block aggregated claim transaction we need to refresh set of outpoints and regenerate tx but + // right now if one of the outpoint get disconnected, just erase whole pending claim request. + let mut remove_request = Vec::new(); + self.claimable_outpoints.retain(|_, ref v| + if v.1 >= height { + remove_request.push(v.0.clone()); + false + } else { true }); + for req in remove_request { + self.pending_claim_requests.remove(&req); + } + } + + pub(crate) fn get_relevant_txids(&self) -> Vec { + let mut txids: Vec = self.onchain_events_awaiting_threshold_conf + .iter() + .map(|entry| entry.txid) + .collect(); + txids.sort_unstable(); + txids.dedup(); + txids + } + + pub(crate) fn provide_latest_holder_tx(&mut self, tx: HolderCommitmentTransaction) { + self.prev_holder_commitment = Some(replace(&mut self.holder_commitment, tx)); + self.holder_htlc_sigs = None; + } + + // Normally holder HTLCs are signed at the same time as the holder commitment tx. However, + // in some configurations, the holder commitment tx has been signed and broadcast by a + // ChannelMonitor replica, so we handle that case here. + fn sign_latest_holder_htlcs(&mut self) { + if self.holder_htlc_sigs.is_none() { + let (_sig, sigs) = self.signer.sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("sign holder commitment"); + self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, sigs)); + } + } + + // Normally only the latest commitment tx and HTLCs need to be signed. However, in some + // configurations we may have updated our holder commitment but a replica of the ChannelMonitor + // broadcast the previous one before we sync with it. We handle that case here. + fn sign_prev_holder_htlcs(&mut self) { + if self.prev_holder_htlc_sigs.is_none() { + if let Some(ref holder_commitment) = self.prev_holder_commitment { + let (_sig, sigs) = self.signer.sign_holder_commitment_and_htlcs(holder_commitment, &self.secp_ctx).expect("sign previous holder commitment"); + self.prev_holder_htlc_sigs = Some(Self::extract_holder_sigs(holder_commitment, sigs)); + } + } + } + + fn extract_holder_sigs(holder_commitment: &HolderCommitmentTransaction, sigs: Vec) -> Vec> { + let mut ret = Vec::new(); + for (htlc_idx, (holder_sig, htlc)) in sigs.iter().zip(holder_commitment.htlcs().iter()).enumerate() { + let tx_idx = htlc.transaction_output_index.unwrap(); + if ret.len() <= tx_idx as usize { ret.resize(tx_idx as usize + 1, None); } + ret[tx_idx as usize] = Some((htlc_idx, holder_sig.clone())); + } + ret + } + + //TODO: getting lastest holder transactions should be infallible and result in us "force-closing the channel", but we may + // have empty holder commitment transaction if a ChannelMonitor is asked to force-close just after Channel::get_outbound_funding_created, + // before providing a initial commitment transaction. For outbound channel, init ChannelMonitor at Channel::funding_signed, there is nothing + // to monitor before. + pub(crate) fn get_fully_signed_holder_tx(&mut self, funding_redeemscript: &Script) -> Transaction { + let (sig, htlc_sigs) = self.signer.sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("signing holder commitment"); + self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, htlc_sigs)); + self.holder_commitment.add_holder_sig(funding_redeemscript, sig) + } + + #[cfg(any(test, feature="unsafe_revoked_tx_signing"))] + pub(crate) fn get_fully_signed_copy_holder_tx(&mut self, funding_redeemscript: &Script) -> Transaction { + let (sig, htlc_sigs) = self.signer.unsafe_sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("sign holder commitment"); + self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, htlc_sigs)); + self.holder_commitment.add_holder_sig(funding_redeemscript, sig) + } + + pub(crate) fn get_fully_signed_htlc_tx(&mut self, outp: &::bitcoin::OutPoint, preimage: &Option) -> Option { + let mut htlc_tx = None; + let commitment_txid = self.holder_commitment.trust().txid(); + // Check if the HTLC spends from the current holder commitment + if commitment_txid == outp.txid { + self.sign_latest_holder_htlcs(); + if let &Some(ref htlc_sigs) = &self.holder_htlc_sigs { + let &(ref htlc_idx, ref htlc_sig) = htlc_sigs[outp.vout as usize].as_ref().unwrap(); + let trusted_tx = self.holder_commitment.trust(); + let counterparty_htlc_sig = self.holder_commitment.counterparty_htlc_sigs[*htlc_idx]; + htlc_tx = Some(trusted_tx + .get_signed_htlc_tx(&self.channel_transaction_parameters.as_holder_broadcastable(), *htlc_idx, &counterparty_htlc_sig, htlc_sig, preimage)); + } + } + // If the HTLC doesn't spend the current holder commitment, check if it spends the previous one + if htlc_tx.is_none() && self.prev_holder_commitment.is_some() { + let commitment_txid = self.prev_holder_commitment.as_ref().unwrap().trust().txid(); + if commitment_txid == outp.txid { + self.sign_prev_holder_htlcs(); + if let &Some(ref htlc_sigs) = &self.prev_holder_htlc_sigs { + let &(ref htlc_idx, ref htlc_sig) = htlc_sigs[outp.vout as usize].as_ref().unwrap(); + let holder_commitment = self.prev_holder_commitment.as_ref().unwrap(); + let trusted_tx = holder_commitment.trust(); + let counterparty_htlc_sig = holder_commitment.counterparty_htlc_sigs[*htlc_idx]; + htlc_tx = Some(trusted_tx + .get_signed_htlc_tx(&self.channel_transaction_parameters.as_holder_broadcastable(), *htlc_idx, &counterparty_htlc_sig, htlc_sig, preimage)); + } + } + } + htlc_tx + } + + #[cfg(any(test,feature = "unsafe_revoked_tx_signing"))] + pub(crate) fn unsafe_get_fully_signed_htlc_tx(&mut self, outp: &::bitcoin::OutPoint, preimage: &Option) -> Option { + let latest_had_sigs = self.holder_htlc_sigs.is_some(); + let prev_had_sigs = self.prev_holder_htlc_sigs.is_some(); + let ret = self.get_fully_signed_htlc_tx(outp, preimage); + if !latest_had_sigs { + self.holder_htlc_sigs = None; + } + if !prev_had_sigs { + self.prev_holder_htlc_sigs = None; + } + ret + } +} diff --git a/lightning/src/chain/package.rs b/lightning/src/chain/package.rs new file mode 100644 index 000000000..49a01ebff --- /dev/null +++ b/lightning/src/chain/package.rs @@ -0,0 +1,812 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +//! Various utilities to assemble claimable outpoints in package of one or more transactions. Those +//! packages are attached metadata, guiding their aggregable or fee-bumping re-schedule. This file +//! also includes witness weight computation and fee computation methods. + +use bitcoin::blockdata::constants::WITNESS_SCALE_FACTOR; +use bitcoin::blockdata::transaction::{TxOut,TxIn, Transaction, SigHashType}; +use bitcoin::blockdata::transaction::OutPoint as BitcoinOutPoint; +use bitcoin::blockdata::script::Script; + +use bitcoin::hash_types::Txid; + +use bitcoin::secp256k1::key::{SecretKey,PublicKey}; + +use ln::PaymentPreimage; +use ln::chan_utils::{TxCreationKeys, HTLCOutputInCommitment, HTLC_OUTPUT_IN_COMMITMENT_SIZE}; +use ln::chan_utils; +use ln::msgs::DecodeError; +use chain::chaininterface::{FeeEstimator, ConfirmationTarget, MIN_RELAY_FEE_SAT_PER_1000_WEIGHT}; +use chain::keysinterface::Sign; +use chain::onchaintx::OnchainTxHandler; +use util::byte_utils; +use util::logger::Logger; +use util::ser::{Readable, Writer, Writeable}; + +use std::cmp; +use std::mem; +use std::ops::Deref; + +const MAX_ALLOC_SIZE: usize = 64*1024; + + +// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script +pub(crate) const WEIGHT_REVOKED_OFFERED_HTLC: u64 = 1 + 1 + 73 + 1 + 33 + 1 + 133; +// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script +pub(crate) const WEIGHT_REVOKED_RECEIVED_HTLC: u64 = 1 + 1 + 73 + 1 + 33 + 1 + 139; +// number_of_witness_elements + sig_length + counterpartyhtlc_sig + preimage_length + preimage + witness_script_length + witness_script +pub(crate) const WEIGHT_OFFERED_HTLC: u64 = 1 + 1 + 73 + 1 + 32 + 1 + 133; +// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script +pub(crate) const WEIGHT_RECEIVED_HTLC: u64 = 1 + 1 + 73 + 1 + 1 + 1 + 139; +// number_of_witness_elements + sig_length + revocation_sig + true_length + op_true + witness_script_length + witness_script +pub(crate) const WEIGHT_REVOKED_OUTPUT: u64 = 1 + 1 + 73 + 1 + 1 + 1 + 77; + +/// A struct to describe a revoked output and corresponding information to generate a solving +/// witness spending a commitment `to_local` output or a second-stage HTLC transaction output. +/// +/// CSV and pubkeys are used as part of a witnessScript redeeming a balance output, amount is used +/// as part of the signature hash and revocation secret to generate a satisfying witness. +#[derive(Clone, PartialEq)] +pub(crate) struct RevokedOutput { + per_commitment_point: PublicKey, + counterparty_delayed_payment_base_key: PublicKey, + counterparty_htlc_base_key: PublicKey, + per_commitment_key: SecretKey, + weight: u64, + amount: u64, + on_counterparty_tx_csv: u16, +} + +impl RevokedOutput { + pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, per_commitment_key: SecretKey, amount: u64, on_counterparty_tx_csv: u16) -> Self { + RevokedOutput { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + per_commitment_key, + weight: WEIGHT_REVOKED_OUTPUT, + amount, + on_counterparty_tx_csv + } + } +} + +impl_writeable!(RevokedOutput, 33*3 + 32 + 8 + 8 + 2, { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + per_commitment_key, + weight, + amount, + on_counterparty_tx_csv +}); + +/// A struct to describe a revoked offered output and corresponding information to generate a +/// solving witness. +/// +/// HTLCOuputInCommitment (hash timelock, direction) and pubkeys are used to generate a suitable +/// witnessScript. +/// +/// CSV is used as part of a witnessScript redeeming a balance output, amount is used as part +/// of the signature hash and revocation secret to generate a satisfying witness. +#[derive(Clone, PartialEq)] +pub(crate) struct RevokedHTLCOutput { + per_commitment_point: PublicKey, + counterparty_delayed_payment_base_key: PublicKey, + counterparty_htlc_base_key: PublicKey, + per_commitment_key: SecretKey, + weight: u64, + amount: u64, + htlc: HTLCOutputInCommitment, +} + +impl RevokedHTLCOutput { + pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, per_commitment_key: SecretKey, amount: u64, htlc: HTLCOutputInCommitment) -> Self { + let weight = if htlc.offered { WEIGHT_REVOKED_OFFERED_HTLC } else { WEIGHT_REVOKED_RECEIVED_HTLC }; + RevokedHTLCOutput { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + per_commitment_key, + weight, + amount, + htlc + } + } +} + +impl_writeable!(RevokedHTLCOutput, 33*3 + 32 + 8 + 8 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + per_commitment_key, + weight, + amount, + htlc +}); + +/// A struct to describe a HTLC output on a counterparty commitment transaction. +/// +/// HTLCOutputInCommitment (hash, timelock, directon) and pubkeys are used to generate a suitable +/// witnessScript. +/// +/// The preimage is used as part of the witness. +#[derive(Clone, PartialEq)] +pub(crate) struct CounterpartyOfferedHTLCOutput { + per_commitment_point: PublicKey, + counterparty_delayed_payment_base_key: PublicKey, + counterparty_htlc_base_key: PublicKey, + preimage: PaymentPreimage, + htlc: HTLCOutputInCommitment +} + +impl CounterpartyOfferedHTLCOutput { + pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, preimage: PaymentPreimage, htlc: HTLCOutputInCommitment) -> Self { + CounterpartyOfferedHTLCOutput { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + preimage, + htlc + } + } +} + +impl_writeable!(CounterpartyOfferedHTLCOutput, 33*3 + 32 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + preimage, + htlc +}); + +/// A struct to describe a HTLC output on a counterparty commitment transaction. +/// +/// HTLCOutputInCommitment (hash, timelock, directon) and pubkeys are used to generate a suitable +/// witnessScript. +#[derive(Clone, PartialEq)] +pub(crate) struct CounterpartyReceivedHTLCOutput { + per_commitment_point: PublicKey, + counterparty_delayed_payment_base_key: PublicKey, + counterparty_htlc_base_key: PublicKey, + htlc: HTLCOutputInCommitment +} + +impl CounterpartyReceivedHTLCOutput { + pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, htlc: HTLCOutputInCommitment) -> Self { + CounterpartyReceivedHTLCOutput { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + htlc + } + } +} + +impl_writeable!(CounterpartyReceivedHTLCOutput, 33*3 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { + per_commitment_point, + counterparty_delayed_payment_base_key, + counterparty_htlc_base_key, + htlc +}); + +/// A struct to describe a HTLC output on holder commitment transaction. +/// +/// Either offered or received, the amount is always used as part of the bip143 sighash. +/// Preimage is only included as part of the witness in former case. +#[derive(Clone, PartialEq)] +pub(crate) struct HolderHTLCOutput { + preimage: Option, + amount: u64, +} + +impl HolderHTLCOutput { + pub(crate) fn build(preimage: Option, amount: u64) -> Self { + HolderHTLCOutput { + preimage, + amount + } + } +} + +impl_writeable!(HolderHTLCOutput, 0, { + preimage, + amount +}); + +/// A struct to describe the channel output on the funding transaction. +/// +/// witnessScript is used as part of the witness redeeming the funding utxo. +#[derive(Clone, PartialEq)] +pub(crate) struct HolderFundingOutput { + funding_redeemscript: Script, +} + +impl HolderFundingOutput { + pub(crate) fn build(funding_redeemscript: Script) -> Self { + HolderFundingOutput { + funding_redeemscript, + } + } +} + +impl_writeable!(HolderFundingOutput, 0, { + funding_redeemscript +}); + +/// A wrapper encapsulating all in-protocol differing outputs types. +/// +/// The generic API offers access to an outputs common attributes or allow transformation such as +/// finalizing an input claiming the output. +#[derive(Clone, PartialEq)] +pub(crate) enum PackageSolvingData { + RevokedOutput(RevokedOutput), + RevokedHTLCOutput(RevokedHTLCOutput), + CounterpartyOfferedHTLCOutput(CounterpartyOfferedHTLCOutput), + CounterpartyReceivedHTLCOutput(CounterpartyReceivedHTLCOutput), + HolderHTLCOutput(HolderHTLCOutput), + HolderFundingOutput(HolderFundingOutput), +} + +impl PackageSolvingData { + fn amount(&self) -> u64 { + let amt = match self { + PackageSolvingData::RevokedOutput(ref outp) => { outp.amount }, + PackageSolvingData::RevokedHTLCOutput(ref outp) => { outp.amount }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(ref outp) => { outp.htlc.amount_msat / 1000 }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(ref outp) => { outp.htlc.amount_msat / 1000 }, + // Note: Currently, amounts of holder outputs spending witnesses aren't used + // as we can't malleate spending package to increase their feerate. This + // should change with the remaining anchor output patchset. + PackageSolvingData::HolderHTLCOutput(..) => { 0 }, + PackageSolvingData::HolderFundingOutput(..) => { 0 }, + }; + amt + } + fn weight(&self) -> usize { + let weight = match self { + PackageSolvingData::RevokedOutput(ref outp) => { outp.weight as usize }, + PackageSolvingData::RevokedHTLCOutput(ref outp) => { outp.weight as usize }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { WEIGHT_OFFERED_HTLC as usize }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { WEIGHT_RECEIVED_HTLC as usize }, + // Note: Currently, weights of holder outputs spending witnesses aren't used + // as we can't malleate spending package to increase their feerate. This + // should change with the remaining anchor output patchset. + PackageSolvingData::HolderHTLCOutput(..) => { debug_assert!(false); 0 }, + PackageSolvingData::HolderFundingOutput(..) => { debug_assert!(false); 0 }, + }; + weight + } + fn is_compatible(&self, input: &PackageSolvingData) -> bool { + match self { + PackageSolvingData::RevokedOutput(..) => { + match input { + PackageSolvingData::RevokedHTLCOutput(..) => { true }, + PackageSolvingData::RevokedOutput(..) => { true }, + _ => { false } + } + }, + PackageSolvingData::RevokedHTLCOutput(..) => { + match input { + PackageSolvingData::RevokedOutput(..) => { true }, + PackageSolvingData::RevokedHTLCOutput(..) => { true }, + _ => { false } + } + }, + _ => { mem::discriminant(self) == mem::discriminant(&input) } + } + } + fn finalize_input(&self, bumped_tx: &mut Transaction, i: usize, onchain_handler: &mut OnchainTxHandler) -> bool { + match self { + PackageSolvingData::RevokedOutput(ref outp) => { + if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { + let witness_script = chan_utils::get_revokeable_redeemscript(&chan_keys.revocation_key, outp.on_counterparty_tx_csv, &chan_keys.broadcaster_delayed_payment_key); + //TODO: should we panic on signer failure ? + if let Ok(sig) = onchain_handler.signer.sign_justice_revoked_output(&bumped_tx, i, outp.amount, &outp.per_commitment_key, &onchain_handler.secp_ctx) { + bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); + bumped_tx.input[i].witness[0].push(SigHashType::All as u8); + bumped_tx.input[i].witness.push(vec!(1)); + bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); + } else { return false; } + } + }, + PackageSolvingData::RevokedHTLCOutput(ref outp) => { + if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { + let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); + //TODO: should we panic on signer failure ? + if let Ok(sig) = onchain_handler.signer.sign_justice_revoked_htlc(&bumped_tx, i, outp.amount, &outp.per_commitment_key, &outp.htlc, &onchain_handler.secp_ctx) { + bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); + bumped_tx.input[i].witness[0].push(SigHashType::All as u8); + bumped_tx.input[i].witness.push(chan_keys.revocation_key.clone().serialize().to_vec()); + bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); + } else { return false; } + } + }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(ref outp) => { + if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { + let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); + + if let Ok(sig) = onchain_handler.signer.sign_counterparty_htlc_transaction(&bumped_tx, i, &outp.htlc.amount_msat / 1000, &outp.per_commitment_point, &outp.htlc, &onchain_handler.secp_ctx) { + bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); + bumped_tx.input[i].witness[0].push(SigHashType::All as u8); + bumped_tx.input[i].witness.push(outp.preimage.0.to_vec()); + bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); + } + } + }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(ref outp) => { + if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { + let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); + + bumped_tx.lock_time = outp.htlc.cltv_expiry; // Right now we don't aggregate time-locked transaction, if we do we should set lock_time before to avoid breaking hash computation + if let Ok(sig) = onchain_handler.signer.sign_counterparty_htlc_transaction(&bumped_tx, i, &outp.htlc.amount_msat / 1000, &outp.per_commitment_point, &outp.htlc, &onchain_handler.secp_ctx) { + bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); + bumped_tx.input[i].witness[0].push(SigHashType::All as u8); + // Due to BIP146 (MINIMALIF) this must be a zero-length element to relay. + bumped_tx.input[i].witness.push(vec![]); + bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); + } + } + }, + _ => { panic!("API Error!"); } + } + true + } + fn get_finalized_tx(&self, outpoint: &BitcoinOutPoint, onchain_handler: &mut OnchainTxHandler) -> Option { + match self { + PackageSolvingData::HolderHTLCOutput(ref outp) => { return onchain_handler.get_fully_signed_htlc_tx(outpoint, &outp.preimage); } + PackageSolvingData::HolderFundingOutput(ref outp) => { return Some(onchain_handler.get_fully_signed_holder_tx(&outp.funding_redeemscript)); } + _ => { panic!("API Error!"); } + } + } +} + +impl Writeable for PackageSolvingData { + fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { + match self { + PackageSolvingData::RevokedOutput(ref revoked_outp) => { + 0u8.write(writer)?; + revoked_outp.write(writer)?; + }, + PackageSolvingData::RevokedHTLCOutput(ref revoked_outp) => { + 1u8.write(writer)?; + revoked_outp.write(writer)?; + }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(ref counterparty_outp) => { + 2u8.write(writer)?; + counterparty_outp.write(writer)?; + }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(ref counterparty_outp) => { + 3u8.write(writer)?; + counterparty_outp.write(writer)?; + }, + PackageSolvingData::HolderHTLCOutput(ref holder_outp) => { + 4u8.write(writer)?; + holder_outp.write(writer)?; + }, + PackageSolvingData::HolderFundingOutput(ref funding_outp) => { + 5u8.write(writer)?; + funding_outp.write(writer)?; + } + } + Ok(()) + } +} + +impl Readable for PackageSolvingData { + fn read(reader: &mut R) -> Result { + let byte = ::read(reader)?; + let solving_data = match byte { + 0 => { + PackageSolvingData::RevokedOutput(Readable::read(reader)?) + }, + 1 => { + PackageSolvingData::RevokedHTLCOutput(Readable::read(reader)?) + }, + 2 => { + PackageSolvingData::CounterpartyOfferedHTLCOutput(Readable::read(reader)?) + }, + 3 => { + PackageSolvingData::CounterpartyReceivedHTLCOutput(Readable::read(reader)?) + }, + 4 => { + PackageSolvingData::HolderHTLCOutput(Readable::read(reader)?) + }, + 5 => { + PackageSolvingData::HolderFundingOutput(Readable::read(reader)?) + } + _ => return Err(DecodeError::UnknownVersion) + }; + Ok(solving_data) + } +} + +/// A malleable package might be aggregated with other packages to save on fees. +/// A untractable package has been counter-signed and aggregable will break cached counterparty +/// signatures. +#[derive(Clone, PartialEq)] +pub(crate) enum PackageMalleability { + Malleable, + Untractable, +} + +/// A structure to describe a package content that is generated by ChannelMonitor and +/// used by OnchainTxHandler to generate and broadcast transactions settling onchain claims. +/// +/// A package is defined as one or more transactions claiming onchain outputs in reaction +/// to confirmation of a channel transaction. Those packages might be aggregated to save on +/// fees, if satisfaction of outputs's witnessScript let's us do so. +/// +/// As packages are time-sensitive, we fee-bump and rebroadcast them at scheduled intervals. +/// Failing to confirm a package translate as a loss of funds for the user. +#[derive(Clone, PartialEq)] +pub struct PackageTemplate { + // List of onchain outputs and solving data to generate satisfying witnesses. + inputs: Vec<(BitcoinOutPoint, PackageSolvingData)>, + // Packages are deemed as malleable if we have local knwoledge of at least one set of + // private keys yielding a satisfying witnesses. Malleability implies that we can aggregate + // packages among them to save on fees or rely on RBF to bump their feerates. + // Untractable packages have been counter-signed and thus imply that we can't aggregate + // them without breaking signatures. Fee-bumping strategy will also rely on CPFP. + malleability: PackageMalleability, + // Block height after which the earlier-output belonging to this package is mature for a + // competing claim by the counterparty. As our chain tip becomes nearer from the timelock, + // the fee-bumping frequency will increase. See `OnchainTxHandler::get_height_timer`. + soonest_conf_deadline: u32, + // Determines if this package can be aggregated. + // Timelocked outputs belonging to the same transaction might have differing + // satisfying heights. Picking up the later height among the output set would be a valid + // aggregable strategy but it comes with at least 2 trade-offs : + // * earlier-output fund are going to take longer to come back + // * CLTV delta backing up a corresponding HTLC on an upstream channel could be swallowed + // by the requirement of the later-output part of the set + // For now, we mark such timelocked outputs as non-aggregable, though we might introduce + // smarter aggregable strategy in the future. + aggregable: bool, + // Cache of package feerate committed at previous (re)broadcast. If bumping resources + // (either claimed output value or external utxo), it will keep increasing until holder + // or counterparty successful claim. + feerate_previous: u64, + // Cache of next height at which fee-bumping and rebroadcast will be attempted. In + // the future, we might abstract it to an observed mempool fluctuation. + height_timer: Option, + // Confirmation height of the claimed outputs set transaction. In case of reorg reaching + // it, we wipe out and forget the package. + height_original: u32, +} + +impl PackageTemplate { + pub(crate) fn is_malleable(&self) -> bool { + self.malleability == PackageMalleability::Malleable + } + pub(crate) fn timelock(&self) -> u32 { + self.soonest_conf_deadline + } + pub(crate) fn aggregable(&self) -> bool { + self.aggregable + } + pub(crate) fn feerate(&self) -> u64 { + self.feerate_previous + } + pub(crate) fn set_feerate(&mut self, new_feerate: u64) { + self.feerate_previous = new_feerate; + } + pub(crate) fn timer(&self) -> Option { + if let Some(ref timer) = self.height_timer { + return Some(*timer); + } + None + } + pub(crate) fn set_timer(&mut self, new_timer: Option) { + self.height_timer = new_timer; + } + pub(crate) fn outpoints(&self) -> Vec<&BitcoinOutPoint> { + self.inputs.iter().map(|(o, _)| o).collect() + } + pub(crate) fn split_package(&mut self, split_outp: &BitcoinOutPoint) -> Option { + match self.malleability { + PackageMalleability::Malleable => { + let mut split_package = None; + let timelock = self.soonest_conf_deadline; + let aggregable = self.aggregable; + let feerate_previous = self.feerate_previous; + let height_timer = self.height_timer; + let height_original = self.height_original; + self.inputs.retain(|outp| { + if *split_outp == outp.0 { + split_package = Some(PackageTemplate { + inputs: vec![(outp.0, outp.1.clone())], + malleability: PackageMalleability::Malleable, + soonest_conf_deadline: timelock, + aggregable, + feerate_previous, + height_timer, + height_original, + }); + return false; + } + return true; + }); + return split_package; + }, + _ => { + // Note, we may try to split on remote transaction for + // which we don't have a competing one (HTLC-Success before + // timelock expiration). This explain we don't panic! + // We should refactor OnchainTxHandler::block_connected to + // only test equality on competing claims. + return None; + } + } + } + pub(crate) fn merge_package(&mut self, mut merge_from: PackageTemplate) { + assert_eq!(self.height_original, merge_from.height_original); + if self.malleability == PackageMalleability::Untractable || merge_from.malleability == PackageMalleability::Untractable { + panic!("Merging template on untractable packages"); + } + if !self.aggregable || !merge_from.aggregable { + panic!("Merging non aggregatable packages"); + } + if let Some((_, lead_input)) = self.inputs.first() { + for (_, v) in merge_from.inputs.iter() { + if !lead_input.is_compatible(v) { panic!("Merging outputs from differing types !"); } + } + } else { panic!("Merging template on an empty package"); } + for (k, v) in merge_from.inputs.drain(..) { + self.inputs.push((k, v)); + } + //TODO: verify coverage and sanity? + if self.soonest_conf_deadline > merge_from.soonest_conf_deadline { + self.soonest_conf_deadline = merge_from.soonest_conf_deadline; + } + if self.feerate_previous > merge_from.feerate_previous { + self.feerate_previous = merge_from.feerate_previous; + } + self.height_timer = cmp::min(self.height_timer, merge_from.height_timer); + } + pub(crate) fn package_amount(&self) -> u64 { + let mut amounts = 0; + for (_, outp) in self.inputs.iter() { + amounts += outp.amount(); + } + amounts + } + pub(crate) fn package_weight(&self, destination_script: &Script) -> usize { + let mut inputs_weight = 0; + let mut witnesses_weight = 2; // count segwit flags + for (_, outp) in self.inputs.iter() { + // previous_out_point: 36 bytes ; var_int: 1 byte ; sequence: 4 bytes + inputs_weight += 41 * WITNESS_SCALE_FACTOR; + witnesses_weight += outp.weight(); + } + // version: 4 bytes ; count_tx_in: 1 byte ; count_tx_out: 1 byte ; lock_time: 4 bytes + let transaction_weight = 10 * WITNESS_SCALE_FACTOR; + // value: 8 bytes ; var_int: 1 byte ; pk_script: `destination_script.len()` + let output_weight = (8 + 1 + destination_script.len()) * WITNESS_SCALE_FACTOR; + inputs_weight + witnesses_weight + transaction_weight + output_weight + } + pub(crate) fn finalize_package(&self, onchain_handler: &mut OnchainTxHandler, value: u64, destination_script: Script, logger: &L) -> Option + where L::Target: Logger, + { + match self.malleability { + PackageMalleability::Malleable => { + let mut bumped_tx = Transaction { + version: 2, + lock_time: 0, + input: vec![], + output: vec![TxOut { + script_pubkey: destination_script, + value, + }], + }; + for (outpoint, _) in self.inputs.iter() { + bumped_tx.input.push(TxIn { + previous_output: *outpoint, + script_sig: Script::new(), + sequence: 0xfffffffd, + witness: Vec::new(), + }); + } + for (i, (outpoint, out)) in self.inputs.iter().enumerate() { + log_trace!(logger, "Adding claiming input for outpoint {}:{}", outpoint.txid, outpoint.vout); + if !out.finalize_input(&mut bumped_tx, i, onchain_handler) { return None; } + } + log_trace!(logger, "Finalized transaction {} ready to broadcast", bumped_tx.txid()); + return Some(bumped_tx); + }, + PackageMalleability::Untractable => { + if let Some((outpoint, outp)) = self.inputs.first() { + if let Some(final_tx) = outp.get_finalized_tx(outpoint, onchain_handler) { + log_trace!(logger, "Adding claiming input for outpoint {}:{}", outpoint.txid, outpoint.vout); + log_trace!(logger, "Finalized transaction {} ready to broadcast", final_tx.txid()); + return Some(final_tx); + } + return None; + } else { panic!("API Error: Package must not be inputs empty"); } + }, + } + } + pub (crate) fn build_package(txid: Txid, vout: u32, input_solving_data: PackageSolvingData, soonest_conf_deadline: u32, aggregable: bool, height_original: u32) -> Self { + let malleability = match input_solving_data { + PackageSolvingData::RevokedOutput(..) => { PackageMalleability::Malleable }, + PackageSolvingData::RevokedHTLCOutput(..) => { PackageMalleability::Malleable }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { PackageMalleability::Malleable }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { PackageMalleability::Malleable }, + PackageSolvingData::HolderHTLCOutput(..) => { PackageMalleability::Untractable }, + PackageSolvingData::HolderFundingOutput(..) => { PackageMalleability::Untractable }, + }; + let mut inputs = Vec::with_capacity(1); + inputs.push((BitcoinOutPoint { txid, vout }, input_solving_data)); + PackageTemplate { + inputs, + malleability, + soonest_conf_deadline, + aggregable, + feerate_previous: 0, + height_timer: None, + height_original, + } + } +} + +impl Writeable for PackageTemplate { + fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { + writer.write_all(&byte_utils::be64_to_array(self.inputs.len() as u64))?; + for (ref outpoint, ref rev_outp) in self.inputs.iter() { + outpoint.write(writer)?; + rev_outp.write(writer)?; + } + self.soonest_conf_deadline.write(writer)?; + self.feerate_previous.write(writer)?; + self.height_timer.write(writer)?; + self.height_original.write(writer)?; + Ok(()) + } +} + +impl Readable for PackageTemplate { + fn read(reader: &mut R) -> Result { + let inputs_count = ::read(reader)?; + let mut inputs: Vec<(BitcoinOutPoint, PackageSolvingData)> = Vec::with_capacity(cmp::min(inputs_count as usize, MAX_ALLOC_SIZE / 128)); + for _ in 0..inputs_count { + let outpoint = Readable::read(reader)?; + let rev_outp = Readable::read(reader)?; + inputs.push((outpoint, rev_outp)); + } + let (malleability, aggregable) = if let Some((_, lead_input)) = inputs.first() { + match lead_input { + PackageSolvingData::RevokedOutput(..) => { (PackageMalleability::Malleable, true) }, + PackageSolvingData::RevokedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, + PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, + PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { (PackageMalleability::Malleable, false) }, + PackageSolvingData::HolderHTLCOutput(..) => { (PackageMalleability::Untractable, false) }, + PackageSolvingData::HolderFundingOutput(..) => { (PackageMalleability::Untractable, false) }, + } + } else { return Err(DecodeError::InvalidValue); }; + let soonest_conf_deadline = Readable::read(reader)?; + let feerate_previous = Readable::read(reader)?; + let height_timer = Readable::read(reader)?; + let height_original = Readable::read(reader)?; + Ok(PackageTemplate { + inputs, + malleability, + soonest_conf_deadline, + aggregable, + feerate_previous, + height_timer, + height_original, + }) + } +} + +/// Attempt to propose a bumping fee for a transaction from its spent output's values and predicted +/// weight. We start with the highest priority feerate returned by the node's fee estimator then +/// fall-back to lower priorities until we have enough value available to suck from. +/// +/// If the proposed fee is less than the available spent output's values, we return the proposed +/// fee and the corresponding updated feerate. If the proposed fee is equal or more than the +/// available spent output's values, we return nothing +fn compute_fee_from_spent_amounts(input_amounts: u64, predicted_weight: usize, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> + where F::Target: FeeEstimator, + L::Target: Logger, +{ + let mut updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::HighPriority) as u64; + let mut fee = updated_feerate * (predicted_weight as u64) / 1000; + if input_amounts <= fee { + updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::Normal) as u64; + fee = updated_feerate * (predicted_weight as u64) / 1000; + if input_amounts <= fee { + updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::Background) as u64; + fee = updated_feerate * (predicted_weight as u64) / 1000; + if input_amounts <= fee { + log_error!(logger, "Failed to generate an on-chain punishment tx as even low priority fee ({} sat) was more than the entire claim balance ({} sat)", + fee, input_amounts); + None + } else { + log_warn!(logger, "Used low priority fee for on-chain punishment tx as high priority fee was more than the entire claim balance ({} sat)", + input_amounts); + Some((fee, updated_feerate)) + } + } else { + log_warn!(logger, "Used medium priority fee for on-chain punishment tx as high priority fee was more than the entire claim balance ({} sat)", + input_amounts); + Some((fee, updated_feerate)) + } + } else { + Some((fee, updated_feerate)) + } +} + +/// Attempt to propose a bumping fee for a transaction from its spent output's values and predicted +/// weight. If feerates proposed by the fee-estimator have been increasing since last fee-bumping +/// attempt, use them. Otherwise, blindly bump the feerate by 25% of the previous feerate. We also +/// verify that those bumping heuristics respect BIP125 rules 3) and 4) and if required adjust +/// the new fee to meet the RBF policy requirement. +fn feerate_bump(predicted_weight: usize, input_amounts: u64, previous_feerate: u64, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> + where F::Target: FeeEstimator, + L::Target: Logger, +{ + // If old feerate inferior to actual one given back by Fee Estimator, use it to compute new fee... + let new_fee = if let Some((new_fee, _)) = compute_fee_from_spent_amounts(input_amounts, predicted_weight, fee_estimator, logger) { + let updated_feerate = new_fee / (predicted_weight as u64 * 1000); + if updated_feerate > previous_feerate { + new_fee + } else { + // ...else just increase the previous feerate by 25% (because that's a nice number) + let new_fee = previous_feerate * (predicted_weight as u64) / 750; + if input_amounts <= new_fee { + log_trace!(logger, "Can't 25% bump new claiming tx, amount {} is too small", input_amounts); + return None; + } + new_fee + } + } else { + log_trace!(logger, "Can't new-estimation bump new claiming tx, amount {} is too small", input_amounts); + return None; + }; + + let previous_fee = previous_feerate * (predicted_weight as u64) / 1000; + let min_relay_fee = MIN_RELAY_FEE_SAT_PER_1000_WEIGHT * (predicted_weight as u64) / 1000; + // BIP 125 Opt-in Full Replace-by-Fee Signaling + // * 3. The replacement transaction pays an absolute fee of at least the sum paid by the original transactions. + // * 4. The replacement transaction must also pay for its own bandwidth at or above the rate set by the node's minimum relay fee setting. + let new_fee = if new_fee < previous_fee + min_relay_fee { + new_fee + previous_fee + min_relay_fee - new_fee + } else { + new_fee + }; + Some((new_fee, new_fee * 1000 / (predicted_weight as u64))) +} + +/// Deduce a new proposed fee from the claiming transaction output value. +/// If the new proposed fee is superior to the consumed outpoint's value, burn everything in miner's +/// fee to deter counterparties attacker. +pub(crate) fn compute_output_value(predicted_weight: usize, input_amounts: u64, previous_feerate: u64, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> + where F::Target: FeeEstimator, + L::Target: Logger, +{ + // If old feerate is 0, first iteration of this claim, use normal fee calculation + if previous_feerate != 0 { + if let Some((new_fee, feerate)) = feerate_bump(predicted_weight, input_amounts, previous_feerate, fee_estimator, logger) { + // If new computed fee is superior at the whole claimable amount burn all in fees + if new_fee > input_amounts { + return Some((0, feerate)); + } else { + return Some((input_amounts - new_fee, feerate)); + } + } + } else { + if let Some((new_fee, feerate)) = compute_fee_from_spent_amounts(input_amounts, predicted_weight, fee_estimator, logger) { + return Some((input_amounts - new_fee, feerate)); + } + } + None +} diff --git a/lightning/src/ln/mod.rs b/lightning/src/ln/mod.rs index e7123e0e2..3de0595d2 100644 --- a/lightning/src/ln/mod.rs +++ b/lightning/src/ln/mod.rs @@ -27,8 +27,6 @@ pub mod msgs; pub mod peer_handler; pub mod chan_utils; pub mod features; -pub mod onchaintx; -pub mod package; #[cfg(feature = "fuzztarget")] pub mod peer_channel_encryptor; diff --git a/lightning/src/ln/onchaintx.rs b/lightning/src/ln/onchaintx.rs deleted file mode 100644 index 65fedecd9..000000000 --- a/lightning/src/ln/onchaintx.rs +++ /dev/null @@ -1,747 +0,0 @@ -// This file is Copyright its original authors, visible in version control -// history. -// -// This file is licensed under the Apache License, Version 2.0 or the MIT license -// , at your option. -// You may not use this file except in accordance with one or both of these -// licenses. - -//! The logic to build claims and bump in-flight transactions until confirmations. -//! -//! OnchainTxHandler objects are fully-part of ChannelMonitor and encapsulates all -//! building, tracking, bumping and notifications functions. - -use bitcoin::blockdata::transaction::Transaction; -use bitcoin::blockdata::transaction::OutPoint as BitcoinOutPoint; -use bitcoin::blockdata::script::Script; - -use bitcoin::hash_types::Txid; - -use bitcoin::secp256k1::{Secp256k1, Signature}; -use bitcoin::secp256k1; - -use ln::msgs::DecodeError; -use ln::PaymentPreimage; -use ln::chan_utils::{ChannelTransactionParameters, HolderCommitmentTransaction}; -use ln::package; -use ln::package::PackageTemplate; -use chain::chaininterface::{FeeEstimator, BroadcasterInterface}; -use chain::channelmonitor::{ANTI_REORG_DELAY, CLTV_SHARED_CLAIM_BUFFER}; -use chain::keysinterface::{Sign, KeysInterface}; -use util::logger::Logger; -use util::ser::{Readable, ReadableArgs, Writer, Writeable, VecWriter}; -use util::byte_utils; - -use std::collections::HashMap; -use core::cmp; -use core::ops::Deref; -use core::mem::replace; - -const MAX_ALLOC_SIZE: usize = 64*1024; - -/// An entry for an [`OnchainEvent`], stating the block height when the event was observed and the -/// transaction causing it. -/// -/// Used to determine when the on-chain event can be considered safe from a chain reorganization. -#[derive(PartialEq)] -struct OnchainEventEntry { - txid: Txid, - height: u32, - event: OnchainEvent, -} - -impl OnchainEventEntry { - fn confirmation_threshold(&self) -> u32 { - self.height + ANTI_REORG_DELAY - 1 - } - - fn has_reached_confirmation_threshold(&self, height: u32) -> bool { - height >= self.confirmation_threshold() - } -} - -/// Upon discovering of some classes of onchain tx by ChannelMonitor, we may have to take actions on it -/// once they mature to enough confirmations (ANTI_REORG_DELAY) -#[derive(PartialEq)] -enum OnchainEvent { - /// Outpoint under claim process by our own tx, once this one get enough confirmations, we remove it from - /// bump-txn candidate buffer. - Claim { - claim_request: Txid, - }, - /// Claim tx aggregate multiple claimable outpoints. One of the outpoint may be claimed by a counterparty party tx. - /// In this case, we need to drop the outpoint and regenerate a new claim tx. By safety, we keep tracking - /// the outpoint to be sure to resurect it back to the claim tx if reorgs happen. - ContentiousOutpoint { - package: PackageTemplate, - } -} - -impl Readable for Option>> { - fn read(reader: &mut R) -> Result { - match Readable::read(reader)? { - 0u8 => Ok(None), - 1u8 => { - let vlen: u64 = Readable::read(reader)?; - let mut ret = Vec::with_capacity(cmp::min(vlen as usize, MAX_ALLOC_SIZE / ::core::mem::size_of::>())); - for _ in 0..vlen { - ret.push(match Readable::read(reader)? { - 0u8 => None, - 1u8 => Some((::read(reader)? as usize, Readable::read(reader)?)), - _ => return Err(DecodeError::InvalidValue) - }); - } - Ok(Some(ret)) - }, - _ => Err(DecodeError::InvalidValue), - } - } -} - -impl Writeable for Option>> { - fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { - match self { - &Some(ref vec) => { - 1u8.write(writer)?; - (vec.len() as u64).write(writer)?; - for opt in vec.iter() { - match opt { - &Some((ref idx, ref sig)) => { - 1u8.write(writer)?; - (*idx as u64).write(writer)?; - sig.write(writer)?; - }, - &None => 0u8.write(writer)?, - } - } - }, - &None => 0u8.write(writer)?, - } - Ok(()) - } -} - - -/// OnchainTxHandler receives claiming requests, aggregates them if it's sound, broadcast and -/// do RBF bumping if possible. -pub struct OnchainTxHandler { - destination_script: Script, - holder_commitment: HolderCommitmentTransaction, - // holder_htlc_sigs and prev_holder_htlc_sigs are in the order as they appear in the commitment - // transaction outputs (hence the Option<>s inside the Vec). The first usize is the index in - // the set of HTLCs in the HolderCommitmentTransaction. - holder_htlc_sigs: Option>>, - prev_holder_commitment: Option, - prev_holder_htlc_sigs: Option>>, - - pub(super) signer: ChannelSigner, - pub(crate) channel_transaction_parameters: ChannelTransactionParameters, - - // Used to track claiming requests. If claim tx doesn't confirm before height timer expiration we need to bump - // it (RBF or CPFP). If an input has been part of an aggregate tx at first claim try, we need to keep it within - // another bumped aggregate tx to comply with RBF rules. We may have multiple claiming txn in the flight for the - // same set of outpoints. One of the outpoints may be spent by a transaction not issued by us. That's why at - // block connection we scan all inputs and if any of them is among a set of a claiming request we test for set - // equality between spending transaction and claim request. If true, it means transaction was one our claiming one - // after a security delay of 6 blocks we remove pending claim request. If false, it means transaction wasn't and - // we need to regenerate new claim request with reduced set of still-claimable outpoints. - // Key is identifier of the pending claim request, i.e the txid of the initial claiming transaction generated by - // us and is immutable until all outpoint of the claimable set are post-anti-reorg-delay solved. - // Entry is cache of elements need to generate a bumped claiming transaction (see ClaimTxBumpMaterial) - #[cfg(test)] // Used in functional_test to verify sanitization - pub(crate) pending_claim_requests: HashMap, - #[cfg(not(test))] - pending_claim_requests: HashMap, - - // Used to link outpoints claimed in a connected block to a pending claim request. - // Key is outpoint than monitor parsing has detected we have keys/scripts to claim - // Value is (pending claim request identifier, confirmation_block), identifier - // is txid of the initial claiming transaction and is immutable until outpoint is - // post-anti-reorg-delay solved, confirmaiton_block is used to erase entry if - // block with output gets disconnected. - #[cfg(test)] // Used in functional_test to verify sanitization - pub claimable_outpoints: HashMap, - #[cfg(not(test))] - claimable_outpoints: HashMap, - - onchain_events_awaiting_threshold_conf: Vec, - - latest_height: u32, - - pub(super) secp_ctx: Secp256k1, -} - -const SERIALIZATION_VERSION: u8 = 1; -const MIN_SERIALIZATION_VERSION: u8 = 1; - -impl OnchainTxHandler { - pub(crate) fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { - write_ver_prefix!(writer, SERIALIZATION_VERSION, MIN_SERIALIZATION_VERSION); - - self.destination_script.write(writer)?; - self.holder_commitment.write(writer)?; - self.holder_htlc_sigs.write(writer)?; - self.prev_holder_commitment.write(writer)?; - self.prev_holder_htlc_sigs.write(writer)?; - - self.channel_transaction_parameters.write(writer)?; - - let mut key_data = VecWriter(Vec::new()); - self.signer.write(&mut key_data)?; - assert!(key_data.0.len() < core::usize::MAX); - assert!(key_data.0.len() < core::u32::MAX as usize); - (key_data.0.len() as u32).write(writer)?; - writer.write_all(&key_data.0[..])?; - - writer.write_all(&byte_utils::be64_to_array(self.pending_claim_requests.len() as u64))?; - for (ref ancestor_claim_txid, request) in self.pending_claim_requests.iter() { - ancestor_claim_txid.write(writer)?; - request.write(writer)?; - } - - writer.write_all(&byte_utils::be64_to_array(self.claimable_outpoints.len() as u64))?; - for (ref outp, ref claim_and_height) in self.claimable_outpoints.iter() { - outp.write(writer)?; - claim_and_height.0.write(writer)?; - claim_and_height.1.write(writer)?; - } - - writer.write_all(&byte_utils::be64_to_array(self.onchain_events_awaiting_threshold_conf.len() as u64))?; - for ref entry in self.onchain_events_awaiting_threshold_conf.iter() { - entry.txid.write(writer)?; - writer.write_all(&byte_utils::be32_to_array(entry.height))?; - match entry.event { - OnchainEvent::Claim { ref claim_request } => { - writer.write_all(&[0; 1])?; - claim_request.write(writer)?; - }, - OnchainEvent::ContentiousOutpoint { ref package } => { - writer.write_all(&[1; 1])?; - package.write(writer)?; - } - } - } - self.latest_height.write(writer)?; - - write_tlv_fields!(writer, {}, {}); - Ok(()) - } -} - -impl<'a, K: KeysInterface> ReadableArgs<&'a K> for OnchainTxHandler { - fn read(reader: &mut R, keys_manager: &'a K) -> Result { - let _ver = read_ver_prefix!(reader, SERIALIZATION_VERSION); - - let destination_script = Readable::read(reader)?; - - let holder_commitment = Readable::read(reader)?; - let holder_htlc_sigs = Readable::read(reader)?; - let prev_holder_commitment = Readable::read(reader)?; - let prev_holder_htlc_sigs = Readable::read(reader)?; - - let channel_parameters = Readable::read(reader)?; - - let keys_len: u32 = Readable::read(reader)?; - let mut keys_data = Vec::with_capacity(cmp::min(keys_len as usize, MAX_ALLOC_SIZE)); - while keys_data.len() != keys_len as usize { - // Read 1KB at a time to avoid accidentally allocating 4GB on corrupted channel keys - let mut data = [0; 1024]; - let read_slice = &mut data[0..cmp::min(1024, keys_len as usize - keys_data.len())]; - reader.read_exact(read_slice)?; - keys_data.extend_from_slice(read_slice); - } - let signer = keys_manager.read_chan_signer(&keys_data)?; - - let pending_claim_requests_len: u64 = Readable::read(reader)?; - let mut pending_claim_requests = HashMap::with_capacity(cmp::min(pending_claim_requests_len as usize, MAX_ALLOC_SIZE / 128)); - for _ in 0..pending_claim_requests_len { - pending_claim_requests.insert(Readable::read(reader)?, Readable::read(reader)?); - } - - let claimable_outpoints_len: u64 = Readable::read(reader)?; - let mut claimable_outpoints = HashMap::with_capacity(cmp::min(pending_claim_requests_len as usize, MAX_ALLOC_SIZE / 128)); - for _ in 0..claimable_outpoints_len { - let outpoint = Readable::read(reader)?; - let ancestor_claim_txid = Readable::read(reader)?; - let height = Readable::read(reader)?; - claimable_outpoints.insert(outpoint, (ancestor_claim_txid, height)); - } - let waiting_threshold_conf_len: u64 = Readable::read(reader)?; - let mut onchain_events_awaiting_threshold_conf = Vec::with_capacity(cmp::min(waiting_threshold_conf_len as usize, MAX_ALLOC_SIZE / 128)); - for _ in 0..waiting_threshold_conf_len { - let txid = Readable::read(reader)?; - let height = Readable::read(reader)?; - let event = match ::read(reader)? { - 0 => { - let claim_request = Readable::read(reader)?; - OnchainEvent::Claim { - claim_request - } - }, - 1 => { - let package = Readable::read(reader)?; - OnchainEvent::ContentiousOutpoint { - package - } - } - _ => return Err(DecodeError::InvalidValue), - }; - onchain_events_awaiting_threshold_conf.push(OnchainEventEntry { txid, height, event }); - } - let latest_height = Readable::read(reader)?; - - read_tlv_fields!(reader, {}, {}); - - let mut secp_ctx = Secp256k1::new(); - secp_ctx.seeded_randomize(&keys_manager.get_secure_random_bytes()); - - Ok(OnchainTxHandler { - destination_script, - holder_commitment, - holder_htlc_sigs, - prev_holder_commitment, - prev_holder_htlc_sigs, - signer, - channel_transaction_parameters: channel_parameters, - claimable_outpoints, - pending_claim_requests, - onchain_events_awaiting_threshold_conf, - latest_height, - secp_ctx, - }) - } -} - -impl OnchainTxHandler { - pub(crate) fn new(destination_script: Script, signer: ChannelSigner, channel_parameters: ChannelTransactionParameters, holder_commitment: HolderCommitmentTransaction, secp_ctx: Secp256k1) -> Self { - OnchainTxHandler { - destination_script, - holder_commitment, - holder_htlc_sigs: None, - prev_holder_commitment: None, - prev_holder_htlc_sigs: None, - signer, - channel_transaction_parameters: channel_parameters, - pending_claim_requests: HashMap::new(), - claimable_outpoints: HashMap::new(), - onchain_events_awaiting_threshold_conf: Vec::new(), - latest_height: 0, - - secp_ctx, - } - } - - /// In LN, output claimed are time-sensitive, which means we have to spend them before reaching some timelock expiration. At in-channel - /// output detection, we generate a first version of a claim tx and associate to it a height timer. A height timer is an absolute block - /// height than once reached we should generate a new bumped "version" of the claim tx to be sure than we safely claim outputs before - /// than our counterparty can do it too. If timelock expires soon, height timer is going to be scale down in consequence to increase - /// frequency of the bump and so increase our bets of success. - fn get_height_timer(current_height: u32, timelock_expiration: u32) -> u32 { - if timelock_expiration <= current_height + 3 { - return current_height + 1 - } else if timelock_expiration - current_height <= 15 { - return current_height + 3 - } - current_height + 15 - } - - /// Lightning security model (i.e being able to redeem/timeout HTLC or penalize coutnerparty onchain) lays on the assumption of claim transactions getting confirmed before timelock expiration - /// (CSV or CLTV following cases). In case of high-fee spikes, claim tx may stuck in the mempool, so you need to bump its feerate quickly using Replace-By-Fee or Child-Pay-For-Parent. - /// Panics if there are signing errors, because signing operations in reaction to on-chain events - /// are not expected to fail, and if they do, we may lose funds. - fn generate_claim_tx(&mut self, height: u32, cached_request: &PackageTemplate, fee_estimator: &F, logger: &L) -> Option<(Option, u64, Transaction)> - where F::Target: FeeEstimator, - L::Target: Logger, - { - if cached_request.outpoints().len() == 0 { return None } // But don't prune pending claiming request yet, we may have to resurrect HTLCs - - // Compute new height timer to decide when we need to regenerate a new bumped version of the claim tx (if we - // didn't receive confirmation of it before, or not enough reorg-safe depth on top of it). - let new_timer = Some(Self::get_height_timer(height, cached_request.timelock())); - let amt = cached_request.package_amount(); - if cached_request.is_malleable() { - let predicted_weight = cached_request.package_weight(&self.destination_script); - if let Some((output_value, new_feerate)) = package::compute_output_value(predicted_weight, amt, cached_request.feerate(), fee_estimator, logger) { - assert!(new_feerate != 0); - - let transaction = cached_request.finalize_package(self, output_value, self.destination_script.clone(), logger).unwrap(); - log_trace!(logger, "...with timer {} and feerate {}", new_timer.unwrap(), new_feerate); - assert!(predicted_weight >= transaction.get_weight()); - return Some((new_timer, new_feerate, transaction)) - } - } else { - // Note: Currently, amounts of holder outputs spending witnesses aren't used - // as we can't malleate spending package to increase their feerate. This - // should change with the remaining anchor output patchset. - debug_assert!(amt == 0); - if let Some(transaction) = cached_request.finalize_package(self, amt, self.destination_script.clone(), logger) { - return Some((None, 0, transaction)); - } - } - None - } - - /// Upon channelmonitor.block_connected(..) or upon provision of a preimage on the forward link - /// for this channel, provide new relevant on-chain transactions and/or new claim requests. - /// Formerly this was named `block_connected`, but it is now also used for claiming an HTLC output - /// if we receive a preimage after force-close. - pub(crate) fn update_claims_view(&mut self, txn_matched: &[&Transaction], requests: Vec, latest_height: Option, broadcaster: &B, fee_estimator: &F, logger: &L) - where B::Target: BroadcasterInterface, - F::Target: FeeEstimator, - L::Target: Logger, - { - let height = match latest_height { - Some(h) => h, - None => self.latest_height, - }; - log_trace!(logger, "Updating claims view at height {} with {} matched transactions and {} claim requests", height, txn_matched.len(), requests.len()); - let mut preprocessed_requests = Vec::with_capacity(requests.len()); - let mut aggregated_request = None; - - // Try to aggregate outputs if their timelock expiration isn't imminent (package timelock - // <= CLTV_SHARED_CLAIM_BUFFER) and they don't require an immediate nLockTime (aggregable). - for req in requests { - // Don't claim a outpoint twice that would be bad for privacy and may uselessly lock a CPFP input for a while - if let Some(_) = self.claimable_outpoints.get(req.outpoints()[0]) { log_trace!(logger, "Bouncing off outpoint {}:{}, already registered its claiming request", req.outpoints()[0].txid, req.outpoints()[0].vout); } else { - log_trace!(logger, "Test if outpoint can be aggregated with expiration {} against {}", req.timelock(), height + CLTV_SHARED_CLAIM_BUFFER); - if req.timelock() <= height + CLTV_SHARED_CLAIM_BUFFER || !req.aggregable() { - // Don't aggregate if outpoint package timelock is soon or marked as non-aggregable - preprocessed_requests.push(req); - } else if aggregated_request.is_none() { - aggregated_request = Some(req); - } else { - aggregated_request.as_mut().unwrap().merge_package(req); - } - } - } - if let Some(req) = aggregated_request { - preprocessed_requests.push(req); - } - - // Generate claim transactions and track them to bump if necessary at - // height timer expiration (i.e in how many blocks we're going to take action). - for mut req in preprocessed_requests { - if let Some((new_timer, new_feerate, tx)) = self.generate_claim_tx(height, &req, &*fee_estimator, &*logger) { - req.set_timer(new_timer); - req.set_feerate(new_feerate); - let txid = tx.txid(); - for k in req.outpoints() { - log_trace!(logger, "Registering claiming request for {}:{}", k.txid, k.vout); - self.claimable_outpoints.insert(k.clone(), (txid, height)); - } - self.pending_claim_requests.insert(txid, req); - log_trace!(logger, "Broadcasting onchain {}", log_tx!(tx)); - broadcaster.broadcast_transaction(&tx); - } - } - - let mut bump_candidates = HashMap::new(); - for tx in txn_matched { - // Scan all input to verify is one of the outpoint spent is of interest for us - let mut claimed_outputs_material = Vec::new(); - for inp in &tx.input { - if let Some(first_claim_txid_height) = self.claimable_outpoints.get(&inp.previous_output) { - // If outpoint has claim request pending on it... - if let Some(request) = self.pending_claim_requests.get_mut(&first_claim_txid_height.0) { - //... we need to verify equality between transaction outpoints and claim request - // outpoints to know if transaction is the original claim or a bumped one issued - // by us. - let mut set_equality = true; - if request.outpoints().len() != tx.input.len() { - set_equality = false; - } else { - for (claim_inp, tx_inp) in request.outpoints().iter().zip(tx.input.iter()) { - if **claim_inp != tx_inp.previous_output { - set_equality = false; - } - } - } - - macro_rules! clean_claim_request_after_safety_delay { - () => { - let entry = OnchainEventEntry { - txid: tx.txid(), - height, - event: OnchainEvent::Claim { claim_request: first_claim_txid_height.0.clone() } - }; - if !self.onchain_events_awaiting_threshold_conf.contains(&entry) { - self.onchain_events_awaiting_threshold_conf.push(entry); - } - } - } - - // If this is our transaction (or our counterparty spent all the outputs - // before we could anyway with same inputs order than us), wait for - // ANTI_REORG_DELAY and clean the RBF tracking map. - if set_equality { - clean_claim_request_after_safety_delay!(); - } else { // If false, generate new claim request with update outpoint set - let mut at_least_one_drop = false; - for input in tx.input.iter() { - if let Some(package) = request.split_package(&input.previous_output) { - claimed_outputs_material.push(package); - at_least_one_drop = true; - } - // If there are no outpoints left to claim in this request, drop it entirely after ANTI_REORG_DELAY. - if request.outpoints().is_empty() { - clean_claim_request_after_safety_delay!(); - } - } - //TODO: recompute soonest_timelock to avoid wasting a bit on fees - if at_least_one_drop { - bump_candidates.insert(first_claim_txid_height.0.clone(), request.clone()); - } - } - break; //No need to iterate further, either tx is our or their - } else { - panic!("Inconsistencies between pending_claim_requests map and claimable_outpoints map"); - } - } - } - for package in claimed_outputs_material.drain(..) { - let entry = OnchainEventEntry { - txid: tx.txid(), - height, - event: OnchainEvent::ContentiousOutpoint { package }, - }; - if !self.onchain_events_awaiting_threshold_conf.contains(&entry) { - self.onchain_events_awaiting_threshold_conf.push(entry); - } - } - } - - // After security delay, either our claim tx got enough confs or outpoint is definetely out of reach - let onchain_events_awaiting_threshold_conf = - self.onchain_events_awaiting_threshold_conf.drain(..).collect::>(); - for entry in onchain_events_awaiting_threshold_conf { - if entry.has_reached_confirmation_threshold(height) { - match entry.event { - OnchainEvent::Claim { claim_request } => { - // We may remove a whole set of claim outpoints here, as these one may have - // been aggregated in a single tx and claimed so atomically - if let Some(request) = self.pending_claim_requests.remove(&claim_request) { - for outpoint in request.outpoints() { - self.claimable_outpoints.remove(&outpoint); - } - } - }, - OnchainEvent::ContentiousOutpoint { package } => { - self.claimable_outpoints.remove(&package.outpoints()[0]); - } - } - } else { - self.onchain_events_awaiting_threshold_conf.push(entry); - } - } - - // Check if any pending claim request must be rescheduled - for (first_claim_txid, ref request) in self.pending_claim_requests.iter() { - if let Some(h) = request.timer() { - if height >= h { - bump_candidates.insert(*first_claim_txid, (*request).clone()); - } - } - } - - // Build, bump and rebroadcast tx accordingly - log_trace!(logger, "Bumping {} candidates", bump_candidates.len()); - for (first_claim_txid, request) in bump_candidates.iter() { - if let Some((new_timer, new_feerate, bump_tx)) = self.generate_claim_tx(height, &request, &*fee_estimator, &*logger) { - log_trace!(logger, "Broadcasting onchain {}", log_tx!(bump_tx)); - broadcaster.broadcast_transaction(&bump_tx); - if let Some(request) = self.pending_claim_requests.get_mut(first_claim_txid) { - request.set_timer(new_timer); - request.set_feerate(new_feerate); - } - } - } - } - - pub(crate) fn transaction_unconfirmed( - &mut self, - txid: &Txid, - broadcaster: B, - fee_estimator: F, - logger: L, - ) where - B::Target: BroadcasterInterface, - F::Target: FeeEstimator, - L::Target: Logger, - { - let mut height = None; - for entry in self.onchain_events_awaiting_threshold_conf.iter() { - if entry.txid == *txid { - height = Some(entry.height); - break; - } - } - - if let Some(height) = height { - self.block_disconnected(height, broadcaster, fee_estimator, logger); - } - } - - pub(crate) fn block_disconnected(&mut self, height: u32, broadcaster: B, fee_estimator: F, logger: L) - where B::Target: BroadcasterInterface, - F::Target: FeeEstimator, - L::Target: Logger, - { - let mut bump_candidates = HashMap::new(); - let onchain_events_awaiting_threshold_conf = - self.onchain_events_awaiting_threshold_conf.drain(..).collect::>(); - for entry in onchain_events_awaiting_threshold_conf { - if entry.height >= height { - //- our claim tx on a commitment tx output - //- resurect outpoint back in its claimable set and regenerate tx - match entry.event { - OnchainEvent::ContentiousOutpoint { package } => { - if let Some(ancestor_claimable_txid) = self.claimable_outpoints.get(&package.outpoints()[0]) { - if let Some(request) = self.pending_claim_requests.get_mut(&ancestor_claimable_txid.0) { - request.merge_package(package); - // Using a HashMap guarantee us than if we have multiple outpoints getting - // resurrected only one bump claim tx is going to be broadcast - bump_candidates.insert(ancestor_claimable_txid.clone(), request.clone()); - } - } - }, - _ => {}, - } - } else { - self.onchain_events_awaiting_threshold_conf.push(entry); - } - } - for (_, request) in bump_candidates.iter_mut() { - if let Some((new_timer, new_feerate, bump_tx)) = self.generate_claim_tx(height, &request, &&*fee_estimator, &&*logger) { - request.set_timer(new_timer); - request.set_feerate(new_feerate); - log_info!(logger, "Broadcasting onchain {}", log_tx!(bump_tx)); - broadcaster.broadcast_transaction(&bump_tx); - } - } - for (ancestor_claim_txid, request) in bump_candidates.drain() { - self.pending_claim_requests.insert(ancestor_claim_txid.0, request); - } - //TODO: if we implement cross-block aggregated claim transaction we need to refresh set of outpoints and regenerate tx but - // right now if one of the outpoint get disconnected, just erase whole pending claim request. - let mut remove_request = Vec::new(); - self.claimable_outpoints.retain(|_, ref v| - if v.1 >= height { - remove_request.push(v.0.clone()); - false - } else { true }); - for req in remove_request { - self.pending_claim_requests.remove(&req); - } - } - - pub(crate) fn get_relevant_txids(&self) -> Vec { - let mut txids: Vec = self.onchain_events_awaiting_threshold_conf - .iter() - .map(|entry| entry.txid) - .collect(); - txids.sort_unstable(); - txids.dedup(); - txids - } - - pub(crate) fn provide_latest_holder_tx(&mut self, tx: HolderCommitmentTransaction) { - self.prev_holder_commitment = Some(replace(&mut self.holder_commitment, tx)); - self.holder_htlc_sigs = None; - } - - // Normally holder HTLCs are signed at the same time as the holder commitment tx. However, - // in some configurations, the holder commitment tx has been signed and broadcast by a - // ChannelMonitor replica, so we handle that case here. - fn sign_latest_holder_htlcs(&mut self) { - if self.holder_htlc_sigs.is_none() { - let (_sig, sigs) = self.signer.sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("sign holder commitment"); - self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, sigs)); - } - } - - // Normally only the latest commitment tx and HTLCs need to be signed. However, in some - // configurations we may have updated our holder commitment but a replica of the ChannelMonitor - // broadcast the previous one before we sync with it. We handle that case here. - fn sign_prev_holder_htlcs(&mut self) { - if self.prev_holder_htlc_sigs.is_none() { - if let Some(ref holder_commitment) = self.prev_holder_commitment { - let (_sig, sigs) = self.signer.sign_holder_commitment_and_htlcs(holder_commitment, &self.secp_ctx).expect("sign previous holder commitment"); - self.prev_holder_htlc_sigs = Some(Self::extract_holder_sigs(holder_commitment, sigs)); - } - } - } - - fn extract_holder_sigs(holder_commitment: &HolderCommitmentTransaction, sigs: Vec) -> Vec> { - let mut ret = Vec::new(); - for (htlc_idx, (holder_sig, htlc)) in sigs.iter().zip(holder_commitment.htlcs().iter()).enumerate() { - let tx_idx = htlc.transaction_output_index.unwrap(); - if ret.len() <= tx_idx as usize { ret.resize(tx_idx as usize + 1, None); } - ret[tx_idx as usize] = Some((htlc_idx, holder_sig.clone())); - } - ret - } - - //TODO: getting lastest holder transactions should be infallible and result in us "force-closing the channel", but we may - // have empty holder commitment transaction if a ChannelMonitor is asked to force-close just after Channel::get_outbound_funding_created, - // before providing a initial commitment transaction. For outbound channel, init ChannelMonitor at Channel::funding_signed, there is nothing - // to monitor before. - pub(crate) fn get_fully_signed_holder_tx(&mut self, funding_redeemscript: &Script) -> Transaction { - let (sig, htlc_sigs) = self.signer.sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("signing holder commitment"); - self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, htlc_sigs)); - self.holder_commitment.add_holder_sig(funding_redeemscript, sig) - } - - #[cfg(any(test, feature="unsafe_revoked_tx_signing"))] - pub(crate) fn get_fully_signed_copy_holder_tx(&mut self, funding_redeemscript: &Script) -> Transaction { - let (sig, htlc_sigs) = self.signer.unsafe_sign_holder_commitment_and_htlcs(&self.holder_commitment, &self.secp_ctx).expect("sign holder commitment"); - self.holder_htlc_sigs = Some(Self::extract_holder_sigs(&self.holder_commitment, htlc_sigs)); - self.holder_commitment.add_holder_sig(funding_redeemscript, sig) - } - - pub(crate) fn get_fully_signed_htlc_tx(&mut self, outp: &::bitcoin::OutPoint, preimage: &Option) -> Option { - let mut htlc_tx = None; - let commitment_txid = self.holder_commitment.trust().txid(); - // Check if the HTLC spends from the current holder commitment - if commitment_txid == outp.txid { - self.sign_latest_holder_htlcs(); - if let &Some(ref htlc_sigs) = &self.holder_htlc_sigs { - let &(ref htlc_idx, ref htlc_sig) = htlc_sigs[outp.vout as usize].as_ref().unwrap(); - let trusted_tx = self.holder_commitment.trust(); - let counterparty_htlc_sig = self.holder_commitment.counterparty_htlc_sigs[*htlc_idx]; - htlc_tx = Some(trusted_tx - .get_signed_htlc_tx(&self.channel_transaction_parameters.as_holder_broadcastable(), *htlc_idx, &counterparty_htlc_sig, htlc_sig, preimage)); - } - } - // If the HTLC doesn't spend the current holder commitment, check if it spends the previous one - if htlc_tx.is_none() && self.prev_holder_commitment.is_some() { - let commitment_txid = self.prev_holder_commitment.as_ref().unwrap().trust().txid(); - if commitment_txid == outp.txid { - self.sign_prev_holder_htlcs(); - if let &Some(ref htlc_sigs) = &self.prev_holder_htlc_sigs { - let &(ref htlc_idx, ref htlc_sig) = htlc_sigs[outp.vout as usize].as_ref().unwrap(); - let holder_commitment = self.prev_holder_commitment.as_ref().unwrap(); - let trusted_tx = holder_commitment.trust(); - let counterparty_htlc_sig = holder_commitment.counterparty_htlc_sigs[*htlc_idx]; - htlc_tx = Some(trusted_tx - .get_signed_htlc_tx(&self.channel_transaction_parameters.as_holder_broadcastable(), *htlc_idx, &counterparty_htlc_sig, htlc_sig, preimage)); - } - } - } - htlc_tx - } - - #[cfg(any(test,feature = "unsafe_revoked_tx_signing"))] - pub(crate) fn unsafe_get_fully_signed_htlc_tx(&mut self, outp: &::bitcoin::OutPoint, preimage: &Option) -> Option { - let latest_had_sigs = self.holder_htlc_sigs.is_some(); - let prev_had_sigs = self.prev_holder_htlc_sigs.is_some(); - let ret = self.get_fully_signed_htlc_tx(outp, preimage); - if !latest_had_sigs { - self.holder_htlc_sigs = None; - } - if !prev_had_sigs { - self.prev_holder_htlc_sigs = None; - } - ret - } -} diff --git a/lightning/src/ln/package.rs b/lightning/src/ln/package.rs deleted file mode 100644 index 220a3df14..000000000 --- a/lightning/src/ln/package.rs +++ /dev/null @@ -1,812 +0,0 @@ -// This file is Copyright its original authors, visible in version control -// history. -// -// This file is licensed under the Apache License, Version 2.0 or the MIT license -// , at your option. -// You may not use this file except in accordance with one or both of these -// licenses. - -//! Various utilities to assemble claimable outpoints in package of one or more transactions. Those -//! packages are attached metadata, guiding their aggregable or fee-bumping re-schedule. This file -//! also includes witness weight computation and fee computation methods. - -use bitcoin::blockdata::constants::WITNESS_SCALE_FACTOR; -use bitcoin::blockdata::transaction::{TxOut,TxIn, Transaction, SigHashType}; -use bitcoin::blockdata::transaction::OutPoint as BitcoinOutPoint; -use bitcoin::blockdata::script::Script; - -use bitcoin::hash_types::Txid; - -use bitcoin::secp256k1::key::{SecretKey,PublicKey}; - -use ln::PaymentPreimage; -use ln::chan_utils::{TxCreationKeys, HTLCOutputInCommitment, HTLC_OUTPUT_IN_COMMITMENT_SIZE}; -use ln::chan_utils; -use ln::msgs::DecodeError; -use ln::onchaintx::OnchainTxHandler; -use chain::chaininterface::{FeeEstimator, ConfirmationTarget, MIN_RELAY_FEE_SAT_PER_1000_WEIGHT}; -use chain::keysinterface::Sign; -use util::byte_utils; -use util::logger::Logger; -use util::ser::{Readable, Writer, Writeable}; - -use std::cmp; -use std::mem; -use std::ops::Deref; - -const MAX_ALLOC_SIZE: usize = 64*1024; - - -// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script -pub(crate) const WEIGHT_REVOKED_OFFERED_HTLC: u64 = 1 + 1 + 73 + 1 + 33 + 1 + 133; -// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script -pub(crate) const WEIGHT_REVOKED_RECEIVED_HTLC: u64 = 1 + 1 + 73 + 1 + 33 + 1 + 139; -// number_of_witness_elements + sig_length + counterpartyhtlc_sig + preimage_length + preimage + witness_script_length + witness_script -pub(crate) const WEIGHT_OFFERED_HTLC: u64 = 1 + 1 + 73 + 1 + 32 + 1 + 133; -// number_of_witness_elements + sig_length + revocation_sig + pubkey_length + revocationpubkey + witness_script_length + witness_script -pub(crate) const WEIGHT_RECEIVED_HTLC: u64 = 1 + 1 + 73 + 1 + 1 + 1 + 139; -// number_of_witness_elements + sig_length + revocation_sig + true_length + op_true + witness_script_length + witness_script -pub(crate) const WEIGHT_REVOKED_OUTPUT: u64 = 1 + 1 + 73 + 1 + 1 + 1 + 77; - -/// A struct to describe a revoked output and corresponding information to generate a solving -/// witness spending a commitment `to_local` output or a second-stage HTLC transaction output. -/// -/// CSV and pubkeys are used as part of a witnessScript redeeming a balance output, amount is used -/// as part of the signature hash and revocation secret to generate a satisfying witness. -#[derive(Clone, PartialEq)] -pub(crate) struct RevokedOutput { - per_commitment_point: PublicKey, - counterparty_delayed_payment_base_key: PublicKey, - counterparty_htlc_base_key: PublicKey, - per_commitment_key: SecretKey, - weight: u64, - amount: u64, - on_counterparty_tx_csv: u16, -} - -impl RevokedOutput { - pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, per_commitment_key: SecretKey, amount: u64, on_counterparty_tx_csv: u16) -> Self { - RevokedOutput { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - per_commitment_key, - weight: WEIGHT_REVOKED_OUTPUT, - amount, - on_counterparty_tx_csv - } - } -} - -impl_writeable!(RevokedOutput, 33*3 + 32 + 8 + 8 + 2, { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - per_commitment_key, - weight, - amount, - on_counterparty_tx_csv -}); - -/// A struct to describe a revoked offered output and corresponding information to generate a -/// solving witness. -/// -/// HTLCOuputInCommitment (hash timelock, direction) and pubkeys are used to generate a suitable -/// witnessScript. -/// -/// CSV is used as part of a witnessScript redeeming a balance output, amount is used as part -/// of the signature hash and revocation secret to generate a satisfying witness. -#[derive(Clone, PartialEq)] -pub(crate) struct RevokedHTLCOutput { - per_commitment_point: PublicKey, - counterparty_delayed_payment_base_key: PublicKey, - counterparty_htlc_base_key: PublicKey, - per_commitment_key: SecretKey, - weight: u64, - amount: u64, - htlc: HTLCOutputInCommitment, -} - -impl RevokedHTLCOutput { - pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, per_commitment_key: SecretKey, amount: u64, htlc: HTLCOutputInCommitment) -> Self { - let weight = if htlc.offered { WEIGHT_REVOKED_OFFERED_HTLC } else { WEIGHT_REVOKED_RECEIVED_HTLC }; - RevokedHTLCOutput { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - per_commitment_key, - weight, - amount, - htlc - } - } -} - -impl_writeable!(RevokedHTLCOutput, 33*3 + 32 + 8 + 8 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - per_commitment_key, - weight, - amount, - htlc -}); - -/// A struct to describe a HTLC output on a counterparty commitment transaction. -/// -/// HTLCOutputInCommitment (hash, timelock, directon) and pubkeys are used to generate a suitable -/// witnessScript. -/// -/// The preimage is used as part of the witness. -#[derive(Clone, PartialEq)] -pub(crate) struct CounterpartyOfferedHTLCOutput { - per_commitment_point: PublicKey, - counterparty_delayed_payment_base_key: PublicKey, - counterparty_htlc_base_key: PublicKey, - preimage: PaymentPreimage, - htlc: HTLCOutputInCommitment -} - -impl CounterpartyOfferedHTLCOutput { - pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, preimage: PaymentPreimage, htlc: HTLCOutputInCommitment) -> Self { - CounterpartyOfferedHTLCOutput { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - preimage, - htlc - } - } -} - -impl_writeable!(CounterpartyOfferedHTLCOutput, 33*3 + 32 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - preimage, - htlc -}); - -/// A struct to describe a HTLC output on a counterparty commitment transaction. -/// -/// HTLCOutputInCommitment (hash, timelock, directon) and pubkeys are used to generate a suitable -/// witnessScript. -#[derive(Clone, PartialEq)] -pub(crate) struct CounterpartyReceivedHTLCOutput { - per_commitment_point: PublicKey, - counterparty_delayed_payment_base_key: PublicKey, - counterparty_htlc_base_key: PublicKey, - htlc: HTLCOutputInCommitment -} - -impl CounterpartyReceivedHTLCOutput { - pub(crate) fn build(per_commitment_point: PublicKey, counterparty_delayed_payment_base_key: PublicKey, counterparty_htlc_base_key: PublicKey, htlc: HTLCOutputInCommitment) -> Self { - CounterpartyReceivedHTLCOutput { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - htlc - } - } -} - -impl_writeable!(CounterpartyReceivedHTLCOutput, 33*3 + HTLC_OUTPUT_IN_COMMITMENT_SIZE, { - per_commitment_point, - counterparty_delayed_payment_base_key, - counterparty_htlc_base_key, - htlc -}); - -/// A struct to describe a HTLC output on holder commitment transaction. -/// -/// Either offered or received, the amount is always used as part of the bip143 sighash. -/// Preimage is only included as part of the witness in former case. -#[derive(Clone, PartialEq)] -pub(crate) struct HolderHTLCOutput { - preimage: Option, - amount: u64, -} - -impl HolderHTLCOutput { - pub(crate) fn build(preimage: Option, amount: u64) -> Self { - HolderHTLCOutput { - preimage, - amount - } - } -} - -impl_writeable!(HolderHTLCOutput, 0, { - preimage, - amount -}); - -/// A struct to describe the channel output on the funding transaction. -/// -/// witnessScript is used as part of the witness redeeming the funding utxo. -#[derive(Clone, PartialEq)] -pub(crate) struct HolderFundingOutput { - funding_redeemscript: Script, -} - -impl HolderFundingOutput { - pub(crate) fn build(funding_redeemscript: Script) -> Self { - HolderFundingOutput { - funding_redeemscript, - } - } -} - -impl_writeable!(HolderFundingOutput, 0, { - funding_redeemscript -}); - -/// A wrapper encapsulating all in-protocol differing outputs types. -/// -/// The generic API offers access to an outputs common attributes or allow transformation such as -/// finalizing an input claiming the output. -#[derive(Clone, PartialEq)] -pub(crate) enum PackageSolvingData { - RevokedOutput(RevokedOutput), - RevokedHTLCOutput(RevokedHTLCOutput), - CounterpartyOfferedHTLCOutput(CounterpartyOfferedHTLCOutput), - CounterpartyReceivedHTLCOutput(CounterpartyReceivedHTLCOutput), - HolderHTLCOutput(HolderHTLCOutput), - HolderFundingOutput(HolderFundingOutput), -} - -impl PackageSolvingData { - fn amount(&self) -> u64 { - let amt = match self { - PackageSolvingData::RevokedOutput(ref outp) => { outp.amount }, - PackageSolvingData::RevokedHTLCOutput(ref outp) => { outp.amount }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(ref outp) => { outp.htlc.amount_msat / 1000 }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(ref outp) => { outp.htlc.amount_msat / 1000 }, - // Note: Currently, amounts of holder outputs spending witnesses aren't used - // as we can't malleate spending package to increase their feerate. This - // should change with the remaining anchor output patchset. - PackageSolvingData::HolderHTLCOutput(..) => { 0 }, - PackageSolvingData::HolderFundingOutput(..) => { 0 }, - }; - amt - } - fn weight(&self) -> usize { - let weight = match self { - PackageSolvingData::RevokedOutput(ref outp) => { outp.weight as usize }, - PackageSolvingData::RevokedHTLCOutput(ref outp) => { outp.weight as usize }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { WEIGHT_OFFERED_HTLC as usize }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { WEIGHT_RECEIVED_HTLC as usize }, - // Note: Currently, weights of holder outputs spending witnesses aren't used - // as we can't malleate spending package to increase their feerate. This - // should change with the remaining anchor output patchset. - PackageSolvingData::HolderHTLCOutput(..) => { debug_assert!(false); 0 }, - PackageSolvingData::HolderFundingOutput(..) => { debug_assert!(false); 0 }, - }; - weight - } - fn is_compatible(&self, input: &PackageSolvingData) -> bool { - match self { - PackageSolvingData::RevokedOutput(..) => { - match input { - PackageSolvingData::RevokedHTLCOutput(..) => { true }, - PackageSolvingData::RevokedOutput(..) => { true }, - _ => { false } - } - }, - PackageSolvingData::RevokedHTLCOutput(..) => { - match input { - PackageSolvingData::RevokedOutput(..) => { true }, - PackageSolvingData::RevokedHTLCOutput(..) => { true }, - _ => { false } - } - }, - _ => { mem::discriminant(self) == mem::discriminant(&input) } - } - } - fn finalize_input(&self, bumped_tx: &mut Transaction, i: usize, onchain_handler: &mut OnchainTxHandler) -> bool { - match self { - PackageSolvingData::RevokedOutput(ref outp) => { - if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { - let witness_script = chan_utils::get_revokeable_redeemscript(&chan_keys.revocation_key, outp.on_counterparty_tx_csv, &chan_keys.broadcaster_delayed_payment_key); - //TODO: should we panic on signer failure ? - if let Ok(sig) = onchain_handler.signer.sign_justice_revoked_output(&bumped_tx, i, outp.amount, &outp.per_commitment_key, &onchain_handler.secp_ctx) { - bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); - bumped_tx.input[i].witness[0].push(SigHashType::All as u8); - bumped_tx.input[i].witness.push(vec!(1)); - bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); - } else { return false; } - } - }, - PackageSolvingData::RevokedHTLCOutput(ref outp) => { - if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { - let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); - //TODO: should we panic on signer failure ? - if let Ok(sig) = onchain_handler.signer.sign_justice_revoked_htlc(&bumped_tx, i, outp.amount, &outp.per_commitment_key, &outp.htlc, &onchain_handler.secp_ctx) { - bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); - bumped_tx.input[i].witness[0].push(SigHashType::All as u8); - bumped_tx.input[i].witness.push(chan_keys.revocation_key.clone().serialize().to_vec()); - bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); - } else { return false; } - } - }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(ref outp) => { - if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { - let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); - - if let Ok(sig) = onchain_handler.signer.sign_counterparty_htlc_transaction(&bumped_tx, i, &outp.htlc.amount_msat / 1000, &outp.per_commitment_point, &outp.htlc, &onchain_handler.secp_ctx) { - bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); - bumped_tx.input[i].witness[0].push(SigHashType::All as u8); - bumped_tx.input[i].witness.push(outp.preimage.0.to_vec()); - bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); - } - } - }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(ref outp) => { - if let Ok(chan_keys) = TxCreationKeys::derive_new(&onchain_handler.secp_ctx, &outp.per_commitment_point, &outp.counterparty_delayed_payment_base_key, &outp.counterparty_htlc_base_key, &onchain_handler.signer.pubkeys().revocation_basepoint, &onchain_handler.signer.pubkeys().htlc_basepoint) { - let witness_script = chan_utils::get_htlc_redeemscript_with_explicit_keys(&outp.htlc, &chan_keys.broadcaster_htlc_key, &chan_keys.countersignatory_htlc_key, &chan_keys.revocation_key); - - bumped_tx.lock_time = outp.htlc.cltv_expiry; // Right now we don't aggregate time-locked transaction, if we do we should set lock_time before to avoid breaking hash computation - if let Ok(sig) = onchain_handler.signer.sign_counterparty_htlc_transaction(&bumped_tx, i, &outp.htlc.amount_msat / 1000, &outp.per_commitment_point, &outp.htlc, &onchain_handler.secp_ctx) { - bumped_tx.input[i].witness.push(sig.serialize_der().to_vec()); - bumped_tx.input[i].witness[0].push(SigHashType::All as u8); - // Due to BIP146 (MINIMALIF) this must be a zero-length element to relay. - bumped_tx.input[i].witness.push(vec![]); - bumped_tx.input[i].witness.push(witness_script.clone().into_bytes()); - } - } - }, - _ => { panic!("API Error!"); } - } - true - } - fn get_finalized_tx(&self, outpoint: &BitcoinOutPoint, onchain_handler: &mut OnchainTxHandler) -> Option { - match self { - PackageSolvingData::HolderHTLCOutput(ref outp) => { return onchain_handler.get_fully_signed_htlc_tx(outpoint, &outp.preimage); } - PackageSolvingData::HolderFundingOutput(ref outp) => { return Some(onchain_handler.get_fully_signed_holder_tx(&outp.funding_redeemscript)); } - _ => { panic!("API Error!"); } - } - } -} - -impl Writeable for PackageSolvingData { - fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { - match self { - PackageSolvingData::RevokedOutput(ref revoked_outp) => { - 0u8.write(writer)?; - revoked_outp.write(writer)?; - }, - PackageSolvingData::RevokedHTLCOutput(ref revoked_outp) => { - 1u8.write(writer)?; - revoked_outp.write(writer)?; - }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(ref counterparty_outp) => { - 2u8.write(writer)?; - counterparty_outp.write(writer)?; - }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(ref counterparty_outp) => { - 3u8.write(writer)?; - counterparty_outp.write(writer)?; - }, - PackageSolvingData::HolderHTLCOutput(ref holder_outp) => { - 4u8.write(writer)?; - holder_outp.write(writer)?; - }, - PackageSolvingData::HolderFundingOutput(ref funding_outp) => { - 5u8.write(writer)?; - funding_outp.write(writer)?; - } - } - Ok(()) - } -} - -impl Readable for PackageSolvingData { - fn read(reader: &mut R) -> Result { - let byte = ::read(reader)?; - let solving_data = match byte { - 0 => { - PackageSolvingData::RevokedOutput(Readable::read(reader)?) - }, - 1 => { - PackageSolvingData::RevokedHTLCOutput(Readable::read(reader)?) - }, - 2 => { - PackageSolvingData::CounterpartyOfferedHTLCOutput(Readable::read(reader)?) - }, - 3 => { - PackageSolvingData::CounterpartyReceivedHTLCOutput(Readable::read(reader)?) - }, - 4 => { - PackageSolvingData::HolderHTLCOutput(Readable::read(reader)?) - }, - 5 => { - PackageSolvingData::HolderFundingOutput(Readable::read(reader)?) - } - _ => return Err(DecodeError::UnknownVersion) - }; - Ok(solving_data) - } -} - -/// A malleable package might be aggregated with other packages to save on fees. -/// A untractable package has been counter-signed and aggregable will break cached counterparty -/// signatures. -#[derive(Clone, PartialEq)] -pub(crate) enum PackageMalleability { - Malleable, - Untractable, -} - -/// A structure to describe a package content that is generated by ChannelMonitor and -/// used by OnchainTxHandler to generate and broadcast transactions settling onchain claims. -/// -/// A package is defined as one or more transactions claiming onchain outputs in reaction -/// to confirmation of a channel transaction. Those packages might be aggregated to save on -/// fees, if satisfaction of outputs's witnessScript let's us do so. -/// -/// As packages are time-sensitive, we fee-bump and rebroadcast them at scheduled intervals. -/// Failing to confirm a package translate as a loss of funds for the user. -#[derive(Clone, PartialEq)] -pub struct PackageTemplate { - // List of onchain outputs and solving data to generate satisfying witnesses. - inputs: Vec<(BitcoinOutPoint, PackageSolvingData)>, - // Packages are deemed as malleable if we have local knwoledge of at least one set of - // private keys yielding a satisfying witnesses. Malleability implies that we can aggregate - // packages among them to save on fees or rely on RBF to bump their feerates. - // Untractable packages have been counter-signed and thus imply that we can't aggregate - // them without breaking signatures. Fee-bumping strategy will also rely on CPFP. - malleability: PackageMalleability, - // Block height after which the earlier-output belonging to this package is mature for a - // competing claim by the counterparty. As our chain tip becomes nearer from the timelock, - // the fee-bumping frequency will increase. See `OnchainTxHandler::get_height_timer`. - soonest_conf_deadline: u32, - // Determines if this package can be aggregated. - // Timelocked outputs belonging to the same transaction might have differing - // satisfying heights. Picking up the later height among the output set would be a valid - // aggregable strategy but it comes with at least 2 trade-offs : - // * earlier-output fund are going to take longer to come back - // * CLTV delta backing up a corresponding HTLC on an upstream channel could be swallowed - // by the requirement of the later-output part of the set - // For now, we mark such timelocked outputs as non-aggregable, though we might introduce - // smarter aggregable strategy in the future. - aggregable: bool, - // Cache of package feerate committed at previous (re)broadcast. If bumping resources - // (either claimed output value or external utxo), it will keep increasing until holder - // or counterparty successful claim. - feerate_previous: u64, - // Cache of next height at which fee-bumping and rebroadcast will be attempted. In - // the future, we might abstract it to an observed mempool fluctuation. - height_timer: Option, - // Confirmation height of the claimed outputs set transaction. In case of reorg reaching - // it, we wipe out and forget the package. - height_original: u32, -} - -impl PackageTemplate { - pub(crate) fn is_malleable(&self) -> bool { - self.malleability == PackageMalleability::Malleable - } - pub(crate) fn timelock(&self) -> u32 { - self.soonest_conf_deadline - } - pub(crate) fn aggregable(&self) -> bool { - self.aggregable - } - pub(crate) fn feerate(&self) -> u64 { - self.feerate_previous - } - pub(crate) fn set_feerate(&mut self, new_feerate: u64) { - self.feerate_previous = new_feerate; - } - pub(crate) fn timer(&self) -> Option { - if let Some(ref timer) = self.height_timer { - return Some(*timer); - } - None - } - pub(crate) fn set_timer(&mut self, new_timer: Option) { - self.height_timer = new_timer; - } - pub(crate) fn outpoints(&self) -> Vec<&BitcoinOutPoint> { - self.inputs.iter().map(|(o, _)| o).collect() - } - pub(crate) fn split_package(&mut self, split_outp: &BitcoinOutPoint) -> Option { - match self.malleability { - PackageMalleability::Malleable => { - let mut split_package = None; - let timelock = self.soonest_conf_deadline; - let aggregable = self.aggregable; - let feerate_previous = self.feerate_previous; - let height_timer = self.height_timer; - let height_original = self.height_original; - self.inputs.retain(|outp| { - if *split_outp == outp.0 { - split_package = Some(PackageTemplate { - inputs: vec![(outp.0, outp.1.clone())], - malleability: PackageMalleability::Malleable, - soonest_conf_deadline: timelock, - aggregable, - feerate_previous, - height_timer, - height_original, - }); - return false; - } - return true; - }); - return split_package; - }, - _ => { - // Note, we may try to split on remote transaction for - // which we don't have a competing one (HTLC-Success before - // timelock expiration). This explain we don't panic! - // We should refactor OnchainTxHandler::block_connected to - // only test equality on competing claims. - return None; - } - } - } - pub(crate) fn merge_package(&mut self, mut merge_from: PackageTemplate) { - assert_eq!(self.height_original, merge_from.height_original); - if self.malleability == PackageMalleability::Untractable || merge_from.malleability == PackageMalleability::Untractable { - panic!("Merging template on untractable packages"); - } - if !self.aggregable || !merge_from.aggregable { - panic!("Merging non aggregatable packages"); - } - if let Some((_, lead_input)) = self.inputs.first() { - for (_, v) in merge_from.inputs.iter() { - if !lead_input.is_compatible(v) { panic!("Merging outputs from differing types !"); } - } - } else { panic!("Merging template on an empty package"); } - for (k, v) in merge_from.inputs.drain(..) { - self.inputs.push((k, v)); - } - //TODO: verify coverage and sanity? - if self.soonest_conf_deadline > merge_from.soonest_conf_deadline { - self.soonest_conf_deadline = merge_from.soonest_conf_deadline; - } - if self.feerate_previous > merge_from.feerate_previous { - self.feerate_previous = merge_from.feerate_previous; - } - self.height_timer = cmp::min(self.height_timer, merge_from.height_timer); - } - pub(crate) fn package_amount(&self) -> u64 { - let mut amounts = 0; - for (_, outp) in self.inputs.iter() { - amounts += outp.amount(); - } - amounts - } - pub(crate) fn package_weight(&self, destination_script: &Script) -> usize { - let mut inputs_weight = 0; - let mut witnesses_weight = 2; // count segwit flags - for (_, outp) in self.inputs.iter() { - // previous_out_point: 36 bytes ; var_int: 1 byte ; sequence: 4 bytes - inputs_weight += 41 * WITNESS_SCALE_FACTOR; - witnesses_weight += outp.weight(); - } - // version: 4 bytes ; count_tx_in: 1 byte ; count_tx_out: 1 byte ; lock_time: 4 bytes - let transaction_weight = 10 * WITNESS_SCALE_FACTOR; - // value: 8 bytes ; var_int: 1 byte ; pk_script: `destination_script.len()` - let output_weight = (8 + 1 + destination_script.len()) * WITNESS_SCALE_FACTOR; - inputs_weight + witnesses_weight + transaction_weight + output_weight - } - pub(crate) fn finalize_package(&self, onchain_handler: &mut OnchainTxHandler, value: u64, destination_script: Script, logger: &L) -> Option - where L::Target: Logger, - { - match self.malleability { - PackageMalleability::Malleable => { - let mut bumped_tx = Transaction { - version: 2, - lock_time: 0, - input: vec![], - output: vec![TxOut { - script_pubkey: destination_script, - value, - }], - }; - for (outpoint, _) in self.inputs.iter() { - bumped_tx.input.push(TxIn { - previous_output: *outpoint, - script_sig: Script::new(), - sequence: 0xfffffffd, - witness: Vec::new(), - }); - } - for (i, (outpoint, out)) in self.inputs.iter().enumerate() { - log_trace!(logger, "Adding claiming input for outpoint {}:{}", outpoint.txid, outpoint.vout); - if !out.finalize_input(&mut bumped_tx, i, onchain_handler) { return None; } - } - log_trace!(logger, "Finalized transaction {} ready to broadcast", bumped_tx.txid()); - return Some(bumped_tx); - }, - PackageMalleability::Untractable => { - if let Some((outpoint, outp)) = self.inputs.first() { - if let Some(final_tx) = outp.get_finalized_tx(outpoint, onchain_handler) { - log_trace!(logger, "Adding claiming input for outpoint {}:{}", outpoint.txid, outpoint.vout); - log_trace!(logger, "Finalized transaction {} ready to broadcast", final_tx.txid()); - return Some(final_tx); - } - return None; - } else { panic!("API Error: Package must not be inputs empty"); } - }, - } - } - pub (crate) fn build_package(txid: Txid, vout: u32, input_solving_data: PackageSolvingData, soonest_conf_deadline: u32, aggregable: bool, height_original: u32) -> Self { - let malleability = match input_solving_data { - PackageSolvingData::RevokedOutput(..) => { PackageMalleability::Malleable }, - PackageSolvingData::RevokedHTLCOutput(..) => { PackageMalleability::Malleable }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { PackageMalleability::Malleable }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { PackageMalleability::Malleable }, - PackageSolvingData::HolderHTLCOutput(..) => { PackageMalleability::Untractable }, - PackageSolvingData::HolderFundingOutput(..) => { PackageMalleability::Untractable }, - }; - let mut inputs = Vec::with_capacity(1); - inputs.push((BitcoinOutPoint { txid, vout }, input_solving_data)); - PackageTemplate { - inputs, - malleability, - soonest_conf_deadline, - aggregable, - feerate_previous: 0, - height_timer: None, - height_original, - } - } -} - -impl Writeable for PackageTemplate { - fn write(&self, writer: &mut W) -> Result<(), ::std::io::Error> { - writer.write_all(&byte_utils::be64_to_array(self.inputs.len() as u64))?; - for (ref outpoint, ref rev_outp) in self.inputs.iter() { - outpoint.write(writer)?; - rev_outp.write(writer)?; - } - self.soonest_conf_deadline.write(writer)?; - self.feerate_previous.write(writer)?; - self.height_timer.write(writer)?; - self.height_original.write(writer)?; - Ok(()) - } -} - -impl Readable for PackageTemplate { - fn read(reader: &mut R) -> Result { - let inputs_count = ::read(reader)?; - let mut inputs: Vec<(BitcoinOutPoint, PackageSolvingData)> = Vec::with_capacity(cmp::min(inputs_count as usize, MAX_ALLOC_SIZE / 128)); - for _ in 0..inputs_count { - let outpoint = Readable::read(reader)?; - let rev_outp = Readable::read(reader)?; - inputs.push((outpoint, rev_outp)); - } - let (malleability, aggregable) = if let Some((_, lead_input)) = inputs.first() { - match lead_input { - PackageSolvingData::RevokedOutput(..) => { (PackageMalleability::Malleable, true) }, - PackageSolvingData::RevokedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, - PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, - PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { (PackageMalleability::Malleable, false) }, - PackageSolvingData::HolderHTLCOutput(..) => { (PackageMalleability::Untractable, false) }, - PackageSolvingData::HolderFundingOutput(..) => { (PackageMalleability::Untractable, false) }, - } - } else { return Err(DecodeError::InvalidValue); }; - let soonest_conf_deadline = Readable::read(reader)?; - let feerate_previous = Readable::read(reader)?; - let height_timer = Readable::read(reader)?; - let height_original = Readable::read(reader)?; - Ok(PackageTemplate { - inputs, - malleability, - soonest_conf_deadline, - aggregable, - feerate_previous, - height_timer, - height_original, - }) - } -} - -/// Attempt to propose a bumping fee for a transaction from its spent output's values and predicted -/// weight. We start with the highest priority feerate returned by the node's fee estimator then -/// fall-back to lower priorities until we have enough value available to suck from. -/// -/// If the proposed fee is less than the available spent output's values, we return the proposed -/// fee and the corresponding updated feerate. If the proposed fee is equal or more than the -/// available spent output's values, we return nothing -fn compute_fee_from_spent_amounts(input_amounts: u64, predicted_weight: usize, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> - where F::Target: FeeEstimator, - L::Target: Logger, -{ - let mut updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::HighPriority) as u64; - let mut fee = updated_feerate * (predicted_weight as u64) / 1000; - if input_amounts <= fee { - updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::Normal) as u64; - fee = updated_feerate * (predicted_weight as u64) / 1000; - if input_amounts <= fee { - updated_feerate = fee_estimator.get_est_sat_per_1000_weight(ConfirmationTarget::Background) as u64; - fee = updated_feerate * (predicted_weight as u64) / 1000; - if input_amounts <= fee { - log_error!(logger, "Failed to generate an on-chain punishment tx as even low priority fee ({} sat) was more than the entire claim balance ({} sat)", - fee, input_amounts); - None - } else { - log_warn!(logger, "Used low priority fee for on-chain punishment tx as high priority fee was more than the entire claim balance ({} sat)", - input_amounts); - Some((fee, updated_feerate)) - } - } else { - log_warn!(logger, "Used medium priority fee for on-chain punishment tx as high priority fee was more than the entire claim balance ({} sat)", - input_amounts); - Some((fee, updated_feerate)) - } - } else { - Some((fee, updated_feerate)) - } -} - -/// Attempt to propose a bumping fee for a transaction from its spent output's values and predicted -/// weight. If feerates proposed by the fee-estimator have been increasing since last fee-bumping -/// attempt, use them. Otherwise, blindly bump the feerate by 25% of the previous feerate. We also -/// verify that those bumping heuristics respect BIP125 rules 3) and 4) and if required adjust -/// the new fee to meet the RBF policy requirement. -fn feerate_bump(predicted_weight: usize, input_amounts: u64, previous_feerate: u64, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> - where F::Target: FeeEstimator, - L::Target: Logger, -{ - // If old feerate inferior to actual one given back by Fee Estimator, use it to compute new fee... - let new_fee = if let Some((new_fee, _)) = compute_fee_from_spent_amounts(input_amounts, predicted_weight, fee_estimator, logger) { - let updated_feerate = new_fee / (predicted_weight as u64 * 1000); - if updated_feerate > previous_feerate { - new_fee - } else { - // ...else just increase the previous feerate by 25% (because that's a nice number) - let new_fee = previous_feerate * (predicted_weight as u64) / 750; - if input_amounts <= new_fee { - log_trace!(logger, "Can't 25% bump new claiming tx, amount {} is too small", input_amounts); - return None; - } - new_fee - } - } else { - log_trace!(logger, "Can't new-estimation bump new claiming tx, amount {} is too small", input_amounts); - return None; - }; - - let previous_fee = previous_feerate * (predicted_weight as u64) / 1000; - let min_relay_fee = MIN_RELAY_FEE_SAT_PER_1000_WEIGHT * (predicted_weight as u64) / 1000; - // BIP 125 Opt-in Full Replace-by-Fee Signaling - // * 3. The replacement transaction pays an absolute fee of at least the sum paid by the original transactions. - // * 4. The replacement transaction must also pay for its own bandwidth at or above the rate set by the node's minimum relay fee setting. - let new_fee = if new_fee < previous_fee + min_relay_fee { - new_fee + previous_fee + min_relay_fee - new_fee - } else { - new_fee - }; - Some((new_fee, new_fee * 1000 / (predicted_weight as u64))) -} - -/// Deduce a new proposed fee from the claiming transaction output value. -/// If the new proposed fee is superior to the consumed outpoint's value, burn everything in miner's -/// fee to deter counterparties attacker. -pub(crate) fn compute_output_value(predicted_weight: usize, input_amounts: u64, previous_feerate: u64, fee_estimator: &F, logger: &L) -> Option<(u64, u64)> - where F::Target: FeeEstimator, - L::Target: Logger, -{ - // If old feerate is 0, first iteration of this claim, use normal fee calculation - if previous_feerate != 0 { - if let Some((new_fee, feerate)) = feerate_bump(predicted_weight, input_amounts, previous_feerate, fee_estimator, logger) { - // If new computed fee is superior at the whole claimable amount burn all in fees - if new_fee > input_amounts { - return Some((0, feerate)); - } else { - return Some((input_amounts - new_fee, feerate)); - } - } - } else { - if let Some((new_fee, feerate)) = compute_fee_from_spent_amounts(input_amounts, predicted_weight, fee_estimator, logger) { - return Some((input_amounts - new_fee, feerate)); - } - } - None -}