Matt Corallo [Sat, 9 Dec 2023 04:29:12 +0000 (04:29 +0000)]
Make the historical bucket data private to `bucketed_history`
In a comming commit we'll cache some additional data in the
historical bucket tracker. In order to do so, here we isolate the
buckets themselves into the `bucketed_history` module, reducing
the possibility of accidentally updating them directly without
updating caches.
Matt Corallo [Sat, 9 Dec 2023 03:32:40 +0000 (03:32 +0000)]
Store both min and max historical buckets in one, new, struct
In the coming commits we'll isolate historical bucket logic slightly
further, allowing us to cache some state. This is the first step
towards that, storing the historical liquidity information in a new
`HistoricalLiquidityTracker` rather than in the general
`ChannelLiquidity`.
Jeffrey Czyz [Wed, 14 Aug 2024 22:39:13 +0000 (17:39 -0500)]
Add PaymentId authentication to public API
When receiving an InvoiceError message, it should be authenticated
before using it to abandon the payment. Add methods to PaymentId's
public API for constructing and verifying an HMAC for use in
OffersContext::OutboundPayment. This allows other implementations of
OffersMessageHandler to construct the HMAC and authenticate the message.
Arik Sosman [Thu, 15 Aug 2024 06:57:14 +0000 (23:57 -0700)]
Fix fuzz warnings.
Version 0.32.2 of `rust-bitcoin` deprecates a number of methods that
are commonly used in this project, most visibly `txid()`, which is
now called `compute_txid()`. This resulted in a lot of warnings, and
this commit is part of a series that seeks to address that.
Arik Sosman [Thu, 15 Aug 2024 02:52:01 +0000 (19:52 -0700)]
Fix lightning-transaction sync warnings.
Version 0.32.2 of `rust-bitcoin` deprecates a number of methods that
are commonly used in this project, most visibly `txid()`, which is
now called `compute_txid()`. This resulted in a lot of warnings, and
this commit is part of a series that seeks to address that.
Arik Sosman [Wed, 14 Aug 2024 20:31:40 +0000 (13:31 -0700)]
Fix lightning-block-sync warnings.
Version 0.32.2 of `rust-bitcoin` deprecates a number of methods that
are commonly used in this project, most visibly `txid()`, which is
now called `compute_txid()`. This resulted in a lot of warnings, and
this commit is part of a series that seeks to address that.
Arik Sosman [Wed, 14 Aug 2024 20:41:55 +0000 (13:41 -0700)]
Fix lightning-background-processor warnings.
Version 0.32.2 of `rust-bitcoin` deprecates a number of methods that
are commonly used in this project, most visibly `txid()`, which is
now called `compute_txid()`. This resulted in a lot of warnings, and
this commit is part of a series that seeks to address that.
Arik Sosman [Fri, 16 Aug 2024 15:45:27 +0000 (08:45 -0700)]
Fix lightning warnings.
Version 0.32.2 of `rust-bitcoin` deprecates a number of methods that
are commonly used in this project, most visibly `txid()`, which is
now called `compute_txid()`. This resulted in a lot of warnings, and
this commit is part of a series that seeks to address that.
Arik Sosman [Thu, 15 Aug 2024 01:49:22 +0000 (18:49 -0700)]
Introduce io module.
The rust-bitcoin upgrade will introduce `bitcoin::io` module, which
will be missing a necessary subset of traits.
To accommodate those traits' future implementations, we move the
`lightning::io` module to its own file, where we will be able to
implement the missing trait subset in the next commit.
Arik Sosman [Wed, 14 Aug 2024 21:25:56 +0000 (14:25 -0700)]
Simplify Readable mutability.
In anticipation of the rust-bitcoin upgrade, which incorporates its
own `io::Read` implementation, we need to make our usage compatible
with dropping `std::io` and `core2::io`.
Notably, in version 0.32.2, `bitcoin::io`'s `Read` is no longer
implemented for `&mut R where R: Read + ?Sized`, which results in
errors anytime `&mut &mut Readable` is passed instead of
`&mut Readable`.
Matt Corallo [Wed, 14 Aug 2024 19:36:46 +0000 (19:36 +0000)]
Return slices, rather than `Vec` references, in addresses
Its a bit strange to return a reference to a `Vec` in Rust, when a
slice is really intended as the way to do so. Worse, the bindings
don't know how to map a reference to a `Vec` (but do have code to
map a slice of `Clone`able objects).
Here, we move `NodeAnnouncementInfo::addresses` to return a slice,
though to do so we have to adapt the `WithoutLength` `Writeable`
impl to support slices as well.
Jeffrey Czyz [Fri, 9 Aug 2024 16:07:35 +0000 (11:07 -0500)]
Make PaymentFailureReason downgradable
The PaymentFailureReason variants for invoice request failures will
cause downgrades to break. Instead, use a new TLV for the reason and
continue to write the old TLV, only use None for the new reasons.
Jeffrey Czyz [Tue, 6 Aug 2024 23:33:51 +0000 (18:33 -0500)]
Add PaymentFailureReason::InvoiceRequestRejected
Instead of re-using PaymentFailureReason::RecipientRejected, define a
new InvoiceRequestRejected variant for when an InvoiceError is received
instead of a Bolt12Invoice. This allows user to differentiate the cause
of the failure.
Jeffrey Czyz [Tue, 6 Aug 2024 22:51:16 +0000 (17:51 -0500)]
Remove Event::InvoiceRequestFailed
Now that Event::PaymentFailed has an option payment_hash, it can be used
in replace of Event::InvoiceRequestFailed. This allows for including a
reason when abandoning a payment before an invoice is received.
Jeffrey Czyz [Tue, 6 Aug 2024 22:17:52 +0000 (17:17 -0500)]
Make payment_hash optional in Event::PaymentFailed
When abandoning a BOLT12 payment before a Bolt12Invoice is received, an
Event::InvoiceRequestFailed is generated and the abandonment reason is
lost. Make payment_hash optional in Event::PaymentFailed so that
Event::InvoiceRequestFailed can be removed in favor of it.
When testing Bolt12Invoice unknown require feature handling, a large
feature bit can cause SendError::TooBigPacket when creating an onion
message. Use a smaller feature bit for UnknownFeature, which also has
the added benefit of reducing test output.
When handling a BOLT12 invoice, and invoice error is sent if the invoice
contains unknown required features. However, since the payment is still
in state AwaitingInvoice, abandoning it results in losing the reason
since an InvoiceRequestFailed event would be generated. Move the check
to PendingOutboundPayments such that the payment is first moved to state
InvoiceReceived so that a PaymentFailed event is generated instead.
Jeffrey Czyz [Fri, 2 Aug 2024 14:39:52 +0000 (09:39 -0500)]
Don't include HMAC in Refund paths
Refunds are typically communicated via QR code, where a smaller size is
desirable. Make the HMAC in OutboundPayment data optional such that it
is elided from blinded paths used in refunds. This prevents abandoning
refunds if the reader sends an invoice_error instead of an invoice
message. However, this use case isn't necessary as the corresponding
outbound payment will either timeout when the refund expires or can be
explicitly abandoned by the creator.
A BOLT12 payment may be abandoned when handling the invoice or when
receiving an InvoiceError message. When abandoning the payment, don't
use UserAbandoned as the reason since that is meant for when the user
calls ChannelManager::abandon_payment.
When making an outbound BOLT12 payment, multiple invoices may be
received for the same payment id. Instead of abandoning the payment when
a duplicate invoice received, simply ignore it without responding with
an InvoiceError. This prevents abandoning in-progress payments and
sending unnecessary onion messages.
Before abandoning a payment when receiving an InvoiceError, verify that
the PaymentId included in the OffersContext with the included HMAC. This
prevents a malicious actor sending an InvoiceError with a known payment
id from abandoning our payment.
When receiving an InvoiceError in response to an InvoiceRequest, the
corresponding payment should be abandoned. Add an HMAC to
OffersContext::OutboundPayment such that the payment ID can be
authenticated prior to abandoning the payment.
An HMAC needs to be included in OffersContext::OutboundPayment to
authenticate the included PaymentId. Implement Readable and Writeable to
allow for this.
When receiving an InvoiceError in response to an InvoiceRequest, the
corresponding payment should be abandoned. Add functions for
constructing and verifying an HMAC over a Payment ID to allow for this.
Matt Corallo [Fri, 9 Aug 2024 15:27:38 +0000 (15:27 +0000)]
`rustfmt` new files added in the past few commits
The past handful of commits were mostly moving code around, so to
aid reviewers violated our `rustfmt` rules. Here we rectify that by
`rustfmt`'ing the newly-added files.
Matt Corallo [Fri, 9 Aug 2024 15:42:48 +0000 (15:42 +0000)]
Prepare to `rustfmt` newly added files
In the next commit we'll `rustfmt` newly-added files, but before
we do so we clean up some code so that the resulting files won't be
quite as absurd. We also exclude the new `invoice_utils.rs` file,
as it needs quite substantial cleanups.
Matt Corallo [Fri, 9 Aug 2024 02:45:55 +0000 (02:45 +0000)]
Provide the signer with a full `RawBolt11Invoice` to sign
Now that the `lightning` crate depends on the `lightning-invoice`
crate, there's no reason to have the `sign_invoice` method take raw
base32 field elements as we can now give it a real
`RawBolt11Invoice`, which we do here.
This simplifies the interface and avoids a
serialization-deserialization roundtrip when signing invoices in a
validating signer.
Matt Corallo [Fri, 9 Aug 2024 01:29:48 +0000 (01:29 +0000)]
Swap the dep order between `lightning` and `lightning-invoice`
`lightning-invoice` previously had a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
Here we finally rectify this issue, swapping the dependency order
and making `lightning` depend on `lightning-invoice` rather than
the other way around.
This moves various utilities which were in `lightning-invoice` but
relied on `lightning` payment types to make payments to where they
belong (the `lightning` crate), but doesn't bother with integrating
them well in their new home.
Matt Corallo [Fri, 9 Aug 2024 01:13:25 +0000 (01:13 +0000)]
Add a `lightning-types` dependency to `lightning-invoice`
`lightning-invoice` currently has a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
This takes tees us up for the final step, adding a
`lightning-types` dependency to `lightning-invoice` and using it
for imports rather than the `lightning` crate.
Matt Corallo [Fri, 9 Aug 2024 13:20:35 +0000 (13:20 +0000)]
Use `check_added_monitors` test utility in invoice utils tests
In a coming commit, the `lightning-invoice::utils` module will move
to the `lightning` crate, causing its tests to be included in the
global lockorder tests done in that crate. This should be fine,
except that the `lightning-invoice::utils` module currently holds
the `added_monitors` lock too long causing lockorder violations.
Instead, this commit replaces the legacy monitors-added test with
the `check_added_monitors` test utility.
Matt Corallo [Fri, 9 Aug 2024 01:26:21 +0000 (01:26 +0000)]
Move `UntrustedString` and `PrintableString` to `lightning-types`
`lightning-invoice` currently has a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
This takes one more step, moving the `UntrustedString` and
`PrintableString` types to `lightning-types`.
Matt Corallo [Fri, 9 Aug 2024 14:20:50 +0000 (14:20 +0000)]
Move `Features` into `lightning-types`
`lightning-invoice` currently has a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
This takes one more step, moving the `Features` types from
`lightning` to `lightning-types`.
Matt Corallo [Fri, 9 Aug 2024 14:18:09 +0000 (14:18 +0000)]
Replace usages of `Features::is_subset` and remove it
It turns out all the places we use `Features::is_subset` we could
as well be using `Features::requires_unknown_bits_from`. Further,
in the next commit `Features` will move to a different crate so any
methods which the `lightning` crate uses will need to be public. As
the `is_subset` API is prety confusing (it doesn't consider
optional/required bits, only whether the bits themselves are
strictly a subset) it'd be nice to not have to expose it, which is
enabled here.
Matt Corallo [Fri, 9 Aug 2024 00:29:25 +0000 (00:29 +0000)]
Move `Rout{ingFees,eHint{,Hop}}` to `lightning-types`
`lightning-invoice` currently has a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
This takes one more step, moving the routing types
`lightning-invoice` uses into `lightning-types`.
Matt Corallo [Fri, 9 Aug 2024 00:13:41 +0000 (00:13 +0000)]
Move `Payment{Hash,Preimage,Secret}` into a new crate
`lightning-invoice` currently has a dependency on the entire
`lightning` crate just because it wants to use some of the useful
types from it. This is obviously backwards and leads to some
awkwardness like the BOLT 11 invoice signing API in the `lightning`
crate taking a `[u5]` rather than a `Bolt11Invoice`.
This is the first step towards fixing that - moving the common
types we need into a new `lightning-types` crate which both can
depend on.
Since we're using a new crate and can't depend on the existing
`lightning` hex utility to implement `Display`, we also take this
opportunity to switch to the new `Display` impl macro in
`hex_conservative`.
Matt Corallo [Tue, 14 Nov 2023 22:19:19 +0000 (22:19 +0000)]
Include rounded msat balances in `Balance::ClaimableOnChannelClose`
If we're gonna push users towards using `Balance` to determine
their current balances, we really need to provide more information,
including msat balances.
Here we add rounded-out msat balances to the pre-close balance
information
Matt Corallo [Fri, 29 Sep 2023 17:54:24 +0000 (17:54 +0000)]
Add tx fee information to `Balance::ClaimableOnChannelClose`
`Balance::ClaimableOnChannelClose` excludes the commitment
transaction fee, which makes it hard to use for current balance
calculation. Here we add it, setting the value to zero for inbound
channels (i.e. ones for which we don't pay the fee).
Matt Corallo [Thu, 28 Sep 2023 23:02:26 +0000 (23:02 +0000)]
Include an `outbound_payment` flag in `MaybeTimeoutClaimableHTLC`
When the user is fetching their current balances after forwarding a
payment (before it clears), they'll see a
`MaybePreimageClaimableHTLC` and a `MaybeTimeoutClaimableHTLC` but
if they sum up their balance using
`Balance::claimable_amount_satoshis` neither will be included.
Obviously, exactly one of the two balances should be included - one
of the two resolutions should happen in our favor. This causes our
visible balance to fluctuate up and down by the full value of any
HTLCs we're in the middle of forwarding, which is incredibly
confusing to see. If we want to stop the fluctuations, we need to
pick one of the two balances to include. The obvious candidate is
`MaybeTimeoutClaimableHTLC` as it is the lower of the two, and
represents our balance without the fee we'd receive from the
forward.
Sadly, if we always include it, we'll end up also including any
HTLCs which we've sent but which haven't yet been claimed by their
recipient, which is the wrong behavior.
Luckily, we have access to the `Option<HTLCSource>` while walking
HTLCs, which allows us to add an `outbound_payment` flag to
`MaybeTimeoutClaimableHTLC`. This allows us to only include
forwarded payments in `claimable_amount_satoshis`.
Sadly, even with this in place our balance still fluctuates by the
changes in the commitment transaction fees we have to pay during
forwarding, but addressing that is left for later.
Matt Corallo [Mon, 12 Aug 2024 01:03:00 +0000 (01:03 +0000)]
Stop relying on a `Clone`able `NetworkGraph` ref in `DefaultRouter`
While there's not really much harm in requiring a `Clone`able
reference (they almost always are), it does make our bindings
struggle a bit as they don't support multi-trait bounds (as it
would require synthesizing a new C trait, which the bindings don't
do automatically). Luckily, there's really no reason for it, and we
can just call the `DefaultMessageRouter` directly when we want to
route a message.
We've carried this patch for a while on the bindings branch, but
there's not a strong reason it can't go upstream.
Use the `hex-conservative` crate directly from `bitcoin` instead of from
`hashes`. Although it makes no real difference it is slightly more clear
and more terse.
The `hex` crate is re-exported by `rust-bitcoin` so we can get it from
there instead of explicitly depending on it. Doing so reduces the
maintenance burden and helps reduce the likelyhood of getting two
versions in the dependency graph.
Duncan Dean [Fri, 2 Aug 2024 11:44:28 +0000 (13:44 +0200)]
Set default ChannelHandshakeLimits::min_funding_satoshis to 1000
The original default value of 0 was inconsistent with the minimum requirement
of 1000 satoshis in ChannelHandshakeConfig::their_channel_reserve_proportional_millionths.
Elias Rohrer [Thu, 1 Aug 2024 16:30:41 +0000 (11:30 -0500)]
Protect against Core's Merkle leaf node weakness
Bitcoin Core's Merkle tree implementation has no way to discern between
internal and leaf node entries. As a consequence it is susceptible to an
attacker injecting additional transactions by crafting 64-byte
transactions matching an inner Merkle node's hash (see
https://web.archive.org/web/20240329003521/https://bitslog.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/).
To protect against this (highly unlikely attack vector), we check that
the transaction isn't 64 bytes in length, and skip it otherwise.