Merge pull request #349 from ariard/2019-07-data_loss

Implement option_data_loss_protect on both sides

Author: TheBlueMatt

src/ln/channel.rs

@@ -16,7 +16,7 @@ use secp256k1::{Secp256k1,Signature};
 use secp256k1;
 
 use ln::msgs;
-use ln::msgs::{DecodeError, OptionalField, LocalFeatures};
+use ln::msgs::{DecodeError, OptionalField, LocalFeatures, DataLossProtect};
 use ln::channelmonitor::ChannelMonitor;
 use ln::channelmanager::{PendingHTLCStatus, HTLCSource, HTLCFailReason, HTLCFailureMsg, PendingForwardHTLCInfo, RAACommitmentOrder, PaymentPreimage, PaymentHash, BREAKDOWN_TIMEOUT, MAX_LOCAL_BREAKDOWN_TIMEOUT};
 use ln::chan_utils::{TxCreationKeys,HTLCOutputInCommitment,HTLC_SUCCESS_TX_WEIGHT,HTLC_TIMEOUT_TX_WEIGHT};
@@ -32,7 +32,7 @@ use util::config::{UserConfig,ChannelConfig};
 
 use std;
 use std::default::Default;
-use std::{cmp,mem};
+use std::{cmp,mem,fmt};
 use std::sync::{Arc};
 
 #[cfg(test)]
@@ -366,10 +366,23 @@ pub const OFFERED_HTLC_SCRIPT_WEIGHT: usize = 133;
 /// Used to return a simple Error back to ChannelManager. Will get converted to a
 /// msgs::ErrorAction::SendErrorMessage or msgs::ErrorAction::IgnoreError as appropriate with our
 /// channel_id in ChannelManager.
-#[derive(Debug)]
 pub(super) enum ChannelError {
 	Ignore(&'static str),
 	Close(&'static str),
+	CloseDelayBroadcast {
+		msg: &'static str,
+		update: Option<ChannelMonitor>
+	},
+}
+
+impl fmt::Debug for ChannelError {
+	fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+		match self {
+			&ChannelError::Ignore(e) => write!(f, "Ignore : {}", e),
+			&ChannelError::Close(e) => write!(f, "Close : {}", e),
+			&ChannelError::CloseDelayBroadcast { msg, .. } => write!(f, "CloseDelayBroadcast : {}", msg)
+		}
+	}
 }
 
 macro_rules! secp_check {
@@ -2499,6 +2512,22 @@ impl Channel {
 			return Err(ChannelError::Close("Peer sent a garbage channel_reestablish"));
 		}
 
+		if msg.next_remote_commitment_number > 0 {
+			match msg.data_loss_protect {
+				OptionalField::Present(ref data_loss) => {
+					if chan_utils::build_commitment_secret(self.local_keys.commitment_seed, INITIAL_COMMITMENT_NUMBER - msg.next_remote_commitment_number + 1) != data_loss.your_last_per_commitment_secret {
+						return Err(ChannelError::Close("Peer sent a garbage channel_reestablish with secret key not matching the commitment height provided"));
+					}
+					if msg.next_remote_commitment_number > INITIAL_COMMITMENT_NUMBER - self.cur_local_commitment_transaction_number {
+						self.channel_monitor.provide_rescue_remote_commitment_tx_info(data_loss.my_current_per_commitment_point);
+						return Err(ChannelError::CloseDelayBroadcast { msg: "We have fallen behind - we have received proof that if we broadcast remote is going to claim our funds - we can't do any automated broadcasting", update: Some(self.channel_monitor.clone())
+					});
+					}
+				},
+				OptionalField::Absent => {}
+			}
+		}
+
 		// Go ahead and unmark PeerDisconnected as various calls we may make check for it (and all
 		// remaining cases either succeed or ErrorMessage-fail).
 		self.channel_state &= !(ChannelState::PeerDisconnected as u32);
@@ -2575,7 +2604,7 @@ impl Channel {
 				// now!
 				match self.free_holding_cell_htlcs() {
 					Err(ChannelError::Close(msg)) => return Err(ChannelError::Close(msg)),
-					Err(ChannelError::Ignore(_)) => panic!("Got non-channel-failing result from free_holding_cell_htlcs"),
+					Err(ChannelError::Ignore(_)) | Err(ChannelError::CloseDelayBroadcast { .. }) => panic!("Got non-channel-failing result from free_holding_cell_htlcs"),
 					Ok(Some((commitment_update, channel_monitor))) => return Ok((resend_funding_locked, required_revoke, Some(commitment_update), Some(channel_monitor), self.resend_order.clone(), shutdown_msg)),
 					Ok(None) => return Ok((resend_funding_locked, required_revoke, None, None, self.resend_order.clone(), shutdown_msg)),
 				}
@@ -3255,6 +3284,20 @@ impl Channel {
 	pub fn get_channel_reestablish(&self) -> msgs::ChannelReestablish {
 		assert_eq!(self.channel_state & ChannelState::PeerDisconnected as u32, ChannelState::PeerDisconnected as u32);
 		assert_ne!(self.cur_remote_commitment_transaction_number, INITIAL_COMMITMENT_NUMBER);
+		let data_loss_protect = if self.cur_remote_commitment_transaction_number + 1 < INITIAL_COMMITMENT_NUMBER {
+			let remote_last_secret = self.channel_monitor.get_secret(self.cur_remote_commitment_transaction_number + 2).unwrap();
+			log_trace!(self, "Enough info to generate a Data Loss Protect with per_commitment_secret {}", log_bytes!(remote_last_secret));
+			OptionalField::Present(DataLossProtect {
+				your_last_per_commitment_secret: remote_last_secret,
+				my_current_per_commitment_point: PublicKey::from_secret_key(&self.secp_ctx, &self.build_local_commitment_secret(self.cur_local_commitment_transaction_number + 1))
+			})
+		} else {
+			log_debug!(self, "We don't seen yet any revoked secret, if this channnel has already been updated it means we are fallen-behind, you should wait for other peer closing");
+			OptionalField::Present(DataLossProtect {
+				your_last_per_commitment_secret: [0;32],
+				my_current_per_commitment_point: PublicKey::from_secret_key(&self.secp_ctx, &self.build_local_commitment_secret(self.cur_local_commitment_transaction_number))
+			})
+		};
 		msgs::ChannelReestablish {
 			channel_id: self.channel_id(),
 			// The protocol has two different commitment number concepts - the "commitment
@@ -3275,7 +3318,7 @@ impl Channel {
 			// dropped this channel on disconnect as it hasn't yet reached FundingSent so we can't
 			// overflow here.
 			next_remote_commitment_number: INITIAL_COMMITMENT_NUMBER - self.cur_remote_commitment_transaction_number - 1,
-			data_loss_protect: OptionalField::Absent,
+			data_loss_protect,
 		}
 	}
 

src/ln/channelmanager.rs

@@ -208,6 +208,15 @@ impl MsgHandleErrInternal {
 						},
 					}),
 				},
+				ChannelError::CloseDelayBroadcast { msg, .. } => HandleError {
+					err: msg,
+					action: Some(msgs::ErrorAction::SendErrorMessage {
+						msg: msgs::ErrorMessage {
+							channel_id,
+							data: msg.to_string()
+						},
+					}),
+				},
 			},
 			shutdown_finish: None,
 		}
@@ -447,6 +456,7 @@ macro_rules! break_chan_entry {
 				}
 				break Err(MsgHandleErrInternal::from_finish_shutdown(msg, channel_id, chan.force_shutdown(), $self.get_channel_update(&chan).ok()))
 			},
+			Err(ChannelError::CloseDelayBroadcast { .. }) => { panic!("Wait is only generated on receipt of channel_reestablish, which is handled by try_chan_entry, we don't bother to support it here"); }
 		}
 	}
 }
@@ -466,6 +476,31 @@ macro_rules! try_chan_entry {
 				}
 				return Err(MsgHandleErrInternal::from_finish_shutdown(msg, channel_id, chan.force_shutdown(), $self.get_channel_update(&chan).ok()))
 			},
+			Err(ChannelError::CloseDelayBroadcast { msg, update }) => {
+				log_error!($self, "Channel {} need to be shutdown but closing transactions not broadcast due to {}", log_bytes!($entry.key()[..]), msg);
+				let (channel_id, mut chan) = $entry.remove_entry();
+				if let Some(short_id) = chan.get_short_channel_id() {
+					$channel_state.short_to_id.remove(&short_id);
+				}
+				if let Some(update) = update {
+					if let Err(e) = $self.monitor.add_update_monitor(update.get_funding_txo().unwrap(), update) {
+						match e {
+							// Upstream channel is dead, but we want at least to fail backward HTLCs to save
+							// downstream channels. In case of PermanentFailure, we are not going to be able
+							// to claim back to_remote output on remote commitment transaction. Doesn't
+							// make a difference here, we are concern about HTLCs circuit, not onchain funds.
+							ChannelMonitorUpdateErr::PermanentFailure => {},
+							ChannelMonitorUpdateErr::TemporaryFailure => {},
+						}
+					}
+				}
+				let mut shutdown_res = chan.force_shutdown();
+				if shutdown_res.0.len() >= 1 {
+					log_error!($self, "You have a toxic local commitment transaction {} avaible in channel monitor, read comment in ChannelMonitor::get_latest_local_commitment_txn to be informed of manual action to take", shutdown_res.0[0].txid());
+				}
+				shutdown_res.0.clear();
+				return Err(MsgHandleErrInternal::from_finish_shutdown(msg, channel_id, shutdown_res, $self.get_channel_update(&chan).ok()))
+			}
 		}
 	}
 }

src/ln/channelmonitor.rs

@@ -456,6 +456,10 @@ pub struct ChannelMonitor {
 	payment_preimages: HashMap<PaymentHash, PaymentPreimage>,
 
 	destination_script: Script,
+	// Thanks to data loss protection, we may be able to claim our non-htlc funds
+	// back, this is the script we have to spend from but we need to
+	// scan every commitment transaction for that
+	to_remote_rescue: Option<(Script, SecretKey)>,
 
 	// Used to track outpoint in the process of being claimed by our transactions. We need to scan all transactions
 	// for inputs spending this. If height timer (u32) is expired and claim tx hasn't reached enough confirmations
@@ -535,6 +539,7 @@ impl PartialEq for ChannelMonitor {
 			self.current_local_signed_commitment_tx != other.current_local_signed_commitment_tx ||
 			self.payment_preimages != other.payment_preimages ||
 			self.destination_script != other.destination_script ||
+			self.to_remote_rescue != other.to_remote_rescue ||
 			self.our_claim_txn_waiting_first_conf != other.our_claim_txn_waiting_first_conf ||
 			self.onchain_events_waiting_threshold_conf != other.onchain_events_waiting_threshold_conf
 		{
@@ -585,6 +590,7 @@ impl ChannelMonitor {
 
 			payment_preimages: HashMap::new(),
 			destination_script: destination_script,
+			to_remote_rescue: None,
 
 			our_claim_txn_waiting_first_conf: HashMap::new(),
 
@@ -763,6 +769,22 @@ impl ChannelMonitor {
 		}
 	}
 
+	pub(super) fn provide_rescue_remote_commitment_tx_info(&mut self, their_revocation_point: PublicKey) {
+		match self.key_storage {
+			Storage::Local { ref payment_base_key, .. } => {
+				if let Ok(payment_key) = chan_utils::derive_public_key(&self.secp_ctx, &their_revocation_point, &PublicKey::from_secret_key(&self.secp_ctx, &payment_base_key)) {
+					let to_remote_script =  Builder::new().push_opcode(opcodes::all::OP_PUSHBYTES_0)
+						.push_slice(&Hash160::hash(&payment_key.serialize())[..])
+						.into_script();
+					if let Ok(to_remote_key) = chan_utils::derive_private_key(&self.secp_ctx, &their_revocation_point, &payment_base_key) {
+						self.to_remote_rescue = Some((to_remote_script, to_remote_key));
+					}
+				}
+			},
+			Storage::Watchtower { .. } => {}
+		}
+	}
+
 	/// Informs this monitor of the latest local (ie broadcastable) commitment transaction. The
 	/// monitor watches for timeouts and may broadcast it if we approach such a timeout. Thus, it
 	/// is important that any clones of this channel monitor (including remote clones) by kept
@@ -852,6 +874,7 @@ impl ChannelMonitor {
 				self.current_local_signed_commitment_tx = Some(local_tx);
 			}
 			self.payment_preimages = other.payment_preimages;
+			self.to_remote_rescue = other.to_remote_rescue;
 		}
 
 		self.current_remote_commitment_number = cmp::min(self.current_remote_commitment_number, other.current_remote_commitment_number);
@@ -1105,6 +1128,13 @@ impl ChannelMonitor {
 
 		self.last_block_hash.write(writer)?;
 		self.destination_script.write(writer)?;
+		if let Some((ref to_remote_script, ref local_key)) = self.to_remote_rescue {
+			writer.write_all(&[1; 1])?;
+			to_remote_script.write(writer)?;
+			local_key.write(writer)?;
+		} else {
+			writer.write_all(&[0; 1])?;
+		}
 
 		writer.write_all(&byte_utils::be64_to_array(self.our_claim_txn_waiting_first_conf.len() as u64))?;
 		for (ref outpoint, claim_tx_data) in self.our_claim_txn_waiting_first_conf.iter() {
@@ -1733,6 +1763,16 @@ impl ChannelMonitor {
 					txn_to_broadcast.push(spend_tx);
 				}
 			}
+		} else if let Some((ref to_remote_rescue, ref local_key)) = self.to_remote_rescue {
+			for (idx, outp) in tx.output.iter().enumerate() {
+				if to_remote_rescue == &outp.script_pubkey {
+					spendable_outputs.push(SpendableOutputDescriptor::DynamicOutputP2WPKH {
+						outpoint: BitcoinOutPoint { txid: commitment_txid, vout: idx as u32 },
+						key: local_key.clone(),
+						output: outp.clone(),
+					});
+				}
+			}
 		}
 
 		(txn_to_broadcast, (commitment_txid, watch_outputs), spendable_outputs)
@@ -2048,9 +2088,16 @@ impl ChannelMonitor {
 		None
 	}
 
-	/// Used by ChannelManager deserialization to broadcast the latest local state if it's copy of
-	/// the Channel was out-of-date.
-	pub(super) fn get_latest_local_commitment_txn(&self) -> Vec<Transaction> {
+	/// Used by ChannelManager deserialization to broadcast the latest local state if its copy of
+	/// the Channel was out-of-date. You may use it to get a broadcastable local toxic tx in case of
+	/// fallen-behind, i.e when receiving a channel_reestablish with a proof that our remote side knows
+	/// a higher revocation secret than the local commitment number we are aware of. Broadcasting these
+	/// transactions are UNSAFE, as they allow remote side to punish you. Nevertheless you may want to
+	/// broadcast them if remote don't close channel with his higher commitment transaction after a
+	/// substantial amount of time (a month or even a year) to get back funds. Best may be to contact
+	/// out-of-band the other node operator to coordinate with him if option is available to you.
+	/// In any-case, choice is up to the user.
+	pub fn get_latest_local_commitment_txn(&self) -> Vec<Transaction> {
 		if let &Some(ref local_tx) = &self.current_local_signed_commitment_tx {
 			let mut res = vec![local_tx.tx.clone()];
 			match self.key_storage {
@@ -2088,19 +2135,21 @@ impl ChannelMonitor {
 					}
 				};
 				if funding_txo.is_none() || (prevout.txid == funding_txo.as_ref().unwrap().0.txid && prevout.vout == funding_txo.as_ref().unwrap().0.index as u32) {
-					let (remote_txn, new_outputs, mut spendable_output) = self.check_spend_remote_transaction(tx, height, fee_estimator);
-					txn = remote_txn;
-					spendable_outputs.append(&mut spendable_output);
-					if !new_outputs.1.is_empty() {
-						watch_outputs.push(new_outputs);
-					}
-					if txn.is_empty() {
-						let (local_txn, mut spendable_output, new_outputs) = self.check_spend_local_transaction(tx, height);
+					if (tx.input[0].sequence >> 8*3) as u8 == 0x80 && (tx.lock_time >> 8*3) as u8 == 0x20 {
+						let (remote_txn, new_outputs, mut spendable_output) = self.check_spend_remote_transaction(tx, height, fee_estimator);
+						txn = remote_txn;
 						spendable_outputs.append(&mut spendable_output);
-						txn = local_txn;
 						if !new_outputs.1.is_empty() {
 							watch_outputs.push(new_outputs);
 						}
+						if txn.is_empty() {
+							let (local_txn, mut spendable_output, new_outputs) = self.check_spend_local_transaction(tx, height);
+							spendable_outputs.append(&mut spendable_output);
+							txn = local_txn;
+							if !new_outputs.1.is_empty() {
+								watch_outputs.push(new_outputs);
+							}
+						}
 					}
 					if !funding_txo.is_none() && txn.is_empty() {
 						if let Some(spendable_output) = self.check_spend_closing_transaction(tx) {
@@ -2627,6 +2676,15 @@ impl<R: ::std::io::Read> ReadableArgs<R, Arc<Logger>> for (Sha256dHash, ChannelM
 
 		let last_block_hash: Sha256dHash = Readable::read(reader)?;
 		let destination_script = Readable::read(reader)?;
+		let to_remote_rescue = match <u8 as Readable<R>>::read(reader)? {
+			0 => None,
+			1 => {
+				let to_remote_script = Readable::read(reader)?;
+				let local_key = Readable::read(reader)?;
+				Some((to_remote_script, local_key))
+			}
+			_ => return Err(DecodeError::InvalidValue),
+		};
 
 		let our_claim_txn_waiting_first_conf_len: u64 = Readable::read(reader)?;
 		let mut our_claim_txn_waiting_first_conf = HashMap::with_capacity(cmp::min(our_claim_txn_waiting_first_conf_len as usize, MAX_ALLOC_SIZE / 128));
@@ -2736,6 +2794,7 @@ impl<R: ::std::io::Read> ReadableArgs<R, Arc<Logger>> for (Sha256dHash, ChannelM
 			payment_preimages,
 
 			destination_script,
+			to_remote_rescue,
 
 			our_claim_txn_waiting_first_conf,