I used `amount_msat_eq(x, AMOUNT_MSAT(0))` because I forgot this
function existed. I probably missed it because the name is surprising,
so add "is" in there to make it clear it's a boolean function.
You'll note almost all the places which did use it are Eduardo's and
Lisa's code, so maybe it's just me.
Fix up a few places which I could use it, too.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
send_tlvs is NULL if no special features are supported, and peer
sets `next_to_send` anyway:
```
0x5ed1c6719538 peer_reconnect
channeld/channeld.c:5205
0x5ed1c6719dab init_channel
channeld/channeld.c:5959
0x5ed1c6719f04 main
channeld/channeld.c:6005
```
Backport: v24.08
Fixes: https://github.com/ElementsProject/lightning/issues/7486
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
These were removed from the spec.
We still support existing ones, though we were the only implementation
which ever did, and only in experimental mode, so we should be able to
upgrade them and avoid a forced close, with a bit of engineering...
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We still support *existing* channels. Just not new ones (before they could,
in theory, explicitly ask for one).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Changelog-None: channeld internal
This factoring makes it much clearer which callers only need the pubkey and
which only need the old_secret.
VLS has merged a workaround which prevents crashing when fetching a
per-commitment-point beyond the allowed range (the secret is just not
returned in this case.
https://gitlab.com/lightning-signer/validating-lightning-signer/-/merge_requests/643
In HSM_VERSION 6 the semantic is cleaned up; get_per_commitment_point
never returns a secret and safely be called on any commitment number.
The feerate security margin is a multiplicative factor applied to the
feerate of some transactions in order to guarantee that the
transaction remains publishable and has a sufficient chance of being
confirmed, that we can base some of our decisions on that.
The multiplicative factor is >=1 and was so far a constant 2. This
might have been sensible in the low-fee environment, where the fees
are expected to oscillate, and almost guaranteeing that we will
eventually have rising feerates but in high-fee environments that is
no longer the case, and the 100% margin that the multiplicator 2
brings is excessive. We therefore opt to start out with 100%, then
linearly interpolate up to a given maxfeerate (which does not have to
be a real feerate ever reached, it just indicates the feerate after
which we apply the constant 10% margin.
Fixes#6974Closes#6976
[Fixed up all the other changes required, including spendable calcualtion
comments and unit test and pytest tests --RR]
It's a u64, we should pass by copy. This is a big sweeping change,
but mainly mechanical (change one, compile, fix breakage, repeat).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This has the benefit of being shorter, as well as more reliable (you
will get a link error if we can't print it, not a runtime one!).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We have various functions to convert to a string, rename them all so we can
count on fmt_X being the formatter for struct X, and make them all return
`char *`.
Sometimes they existed but were private, sometimes they had a
different name. Most take a pointer, but simple types pass by copy:
short_channel_id, amount_msat and amount_sat.
The following public functions changed:
1. psbt_to_b64 -> fmt_wally_psbt.
2. pubkey_to_hexstr -> fmt_pubkey.
3. short_channel_id_to_str -> fmt_short_channel_id (scid by copy now!)
4. fmt_signature -> fmt_secp256k1_ecdsa_signature
5. fmt_amount_sat/fmt_amount_msat pass copy not pointer, return non-const char *.
6. node_id_to_hexstr -> fmt_node_id
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Standardizes the is_xxx script function all take a script length, and changes
their first-level callers to pass it. This has several knock on benefits:
- We remove the repeated tal_count/tal_bytelen calls on the script, in
particular the redundant calls that result when we must check for multiple
types of script - which is almost all cases.
- We remove the dependency on the memory being tal-allocated (It is, in
all cases, but theres no reason we need to require that).
- We remove all cases where we create a copy of the script just to id it.
- We remove all allocations for non-interesting scripts while iterating block
txs in process_getfilteredblock_step1().
- We remove all allocations *including for potentially interesting scripts* in
topo_add_utxos().
Signed-off-by: Jon Griffiths <jon_p_griffiths@yahoo.com>
You otherwise get thousands of these zero count Splice resume checks
spamming your logs while most of the time it is only informing you
of "nothing is happening".
Reduces log noise.
Signed-off-by: Warren Togami <wtogami@gmail.com>
We would sometimes propose fees which we couldn't afford, and thus the
peer would get upset: if we didn't recover it could cause force closes.
This was because we didn't take into account that pending htlcs will
remove our total available funds.
Changelog-Fixes: Protocol: Don't upset peers by sending `update_fee` with fees we cannot afford in the case where HTLCs are large.
If the peer isn’t required to send signatures first but does while we are awaiting the next user RPC action — we should be caching the message and using it later.
Before we would leave the message cached in the socket itself, but tx_abort semantics require us to check the socket more often.
Add checking for and sending tx_abort to channeld.
When receiving it we first ACK it back, send a request to restart to lightningd, and then shutdown channeld.
We also must update the splice tests that relied on reconnect checks for splice warnings (as some are now tx_aborts instead).
Changelog-None: fixes hole in ([#7010]), see ([#7026])
Explicit hsmd_revoke_commitment_tx instead of get_per_commitment_point
needed when revokes are retried. The hsmd_revoke_commitment_tx message
is idempotent.
In particular, we were sending `announcement_signatures` before
`channel_reestablish`; we allow this because LND used to do it, but
it's not spec compliant.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
CI revealed one:
```
cc plugins/libplugin-pay.c
plugins/libplugin-pay.c: In function ‘payment_getroute’:
plugins/libplugin-pay.c:888:17: error: ‘errstr’ may be used uninitialized [-Werror=maybe-uninitialized]
888 | payment_fail(p, "%s", errstr);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
plugins/libplugin-pay.c:851:21: note: ‘errstr’ was declared here
851 | const char *errstr;
| ^~~~~~
cc1: all warnings being treated as errors
```
My local compiler gave another:
```
channeld/channeld.c: In function ‘resume_splice_negotiation’:
channeld/channeld.c:3734:23: error: ‘final_tx’ may be used uninitialized [-Werror=maybe-uninitialized]
3734 | msg = towire_channeld_splice_confirmed_signed(tmpctx, final_tx,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3735 | chan_output_index);
| ~~~~~~~~~~~~~~~~~~
channeld/channeld.c:3461:28: note: ‘final_tx’ was declared here
3461 | struct bitcoin_tx *final_tx;
| ^~~~~~~~
cc1: all warnings being treated as errors
make: *** [Makefile:298: channeld/channeld.o] Error 1
```
So fix both.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Adds tests for when the connection fails during
1) splice tx_signature
2) splice commitment_signed
Fleshed out the reestablish flow for these two cases and implemented the fixes to make these reestablish flows work.
Part of this work required changing commit process for splices: Now we send a single commit_part for the splice where previously we sent all commits, and accordingly, we no longer revoke in response.
Changelog-Fixed: Implemented splicing restart logic for tx_signature and commitment_signed. Splice commitments are reworked in a manner incompatible with the last version.
While running the integration testing in VLS we noted that there is a problem with the old_secret during that revoke and ack.
The built-in signer of core lightning return always the secret, but with a signer with more strict policies this can not be true.
In fact, the VLS return the old_secret only if it is the last tx candidate. So we should keep track of the old_secret during the recursion.
The current core is unsage because we can only revoke transaction M-1 once we have transaction M signed by the counterparty. If there is a splice candidate that is unsigned yet, and we revoke commitment transaction M-1 for it, and it gets into the blockchain, and the peer goes away, we can't force close anymore.
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: (null):0 ((null)) 0xffffffffffffffff
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: FATAL SIGNAL (version v23.08-64-gbffe599)
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: common/daemon.c:38 (send_backtrace) 0x55c4a2ebd97b
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: common/status.c:221 (status_failed) 0x55c4a2ecf0ae
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: common/subdaemon.c:18 (status_backtrace_exit) 0x55c4a2ecf42b
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: common/daemon.c:78 (crashdump) 0x55c4a2ebdb16
lightningd-1 2023-10-25T15:24:25.151Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: ./signal/../sysdeps/unix/sysv/linux/x86_64/libc_sigaction.c:0 ((null)) 0x7f084e44251f
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:317 ((null)) 0x7f084e5a09cd
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: wire/towire.c:17 (towire) 0x55c4a2ed610e
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: bitcoin/privkey.c:33 (towire_secret) 0x55c4a2eea03b
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: wire/peer_wiregen.c:2737 (towire_revoke_and_ack) 0x55c4a2ee1d3d
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:1850 (make_revocation_msg_from_secret) 0x55c4a2e9d80e
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:1931 (send_revocation) 0x55c4a2e9de7a
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:2249 (handle_peer_commit_sig) 0x55c4a2e9f175
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:2880 (interactive_send_commitments) 0x55c4a2ea0c2e
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:3937 (splice_initiator_user_finalized) 0x55c4a2ea40ce
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:4011 (splice_initiator_user_update) 0x55c4a2ea44d4
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:5756 (req_in) 0x55c4a2ea8d9d
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: channeld/channeld.c:6151 (main) 0x55c4a2eaa3f8
lightningd-1 2023-10-25T15:24:25.152Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: ../sysdeps/nptl/libc_start_call_main.h:58 (__libc_start_call_main) 0x7f084e429d8f
lightningd-1 2023-10-25T15:24:25.153Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: ../csu/libc-start.c:392 (__libc_start_main_impl) 0x7f084e429e3f
lightningd-1 2023-10-25T15:24:25.153Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: (null):0 ((null)) 0x55c4a2e98734
lightningd-1 2023-10-25T15:24:25.153Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: backtrace: (null):0 ((null)) 0xffffffffffffffff
lightningd-1 2023-10-25T15:24:25.153Z **BROKEN** 022d223620a359a47ff7f7ac447c85c46c923da53389221a0054c11c1e3ca31d59-channeld-chan#1: STATUS_FAIL_INTERNAL_ERROR: FATAL SIGNAL
Reported-by: devrandom
Signed-off-by: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
It's going to want to remember these, in case it encounters peers'
commitment tx and needs to boost it with CPFP on the anchor.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
channel_txs was a thin wrapper around channel_splice_txs, but that's
just confusing. Rename channel_splice_txs to channel_txs, and just
call it everywhere.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Tihis commit is implementing a 2-phase commit between
the signer the node and the peer.
The main reason for this is that everybody must agree on the lock,
otherwise one of them will want N signatures (on the splice candidates),
and another will produce only 1 signature.
check_outpoint is the "prepare" for the signer, and lock_outpoint is the
"commit". if check_outpoint returns true, lock_outpoint must not fail.
Link: https://github.com/ElementsProject/lightning/issues/6722
Suggested-by: @devrandom
Co-Developed-by: Ken Sedgwick <ken@bonsai.com>
Signed-off-by: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
