#include "bitcoind.h" #include "chaintopology.h" #include "close_tx.h" #include "commit_tx.h" #include "controlled_time.h" #include "cryptopkt.h" #include "dns.h" #include "find_p2sh_out.h" #include "jsonrpc.h" #include "lightningd.h" #include "log.h" #include "names.h" #include "onion.h" #include "pay.h" #include "payment.h" #include "peer.h" #include "permute_tx.h" #include "protobuf_convert.h" #include "pseudorand.h" #include "routing.h" #include "secrets.h" #include "state.h" #include "timeout.h" #include "utils.h" #include "wallet.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include struct json_connecting { /* This owns us, so we're freed after command_fail or command_success */ struct command *cmd; const char *name, *port; struct anchor_input *input; }; struct peer *find_peer(struct lightningd_state *dstate, const struct pubkey *id) { struct peer *peer; list_for_each(&dstate->peers, peer, list) { if (peer->id && pubkey_eq(peer->id, id)) return peer; } return NULL; } static struct peer *find_peer_json(struct lightningd_state *dstate, const char *buffer, jsmntok_t *peeridtok) { struct pubkey peerid; if (!pubkey_from_hexstr(dstate->secpctx, buffer + peeridtok->start, peeridtok->end - peeridtok->start, &peerid)) return NULL; return find_peer(dstate, &peerid); } static bool peer_uncommitted_changes(const struct peer *peer) { /* Not initialized yet? */ if (!peer->remote.staging_cstate || !peer->remote.commit || !peer->remote.commit->cstate) return false; /* We could have proposed changes to their commit */ return peer->remote.staging_cstate->changes != peer->remote.commit->cstate->changes; } void peer_update_complete(struct peer *peer) { log_debug(peer->log, "peer_update_complete"); if (peer->commit_jsoncmd) { command_success(peer->commit_jsoncmd, null_response(peer->commit_jsoncmd)); peer->commit_jsoncmd = NULL; } /* Have we got more changes in the meantime? */ if (peer_uncommitted_changes(peer)) { log_debug(peer->log, "peer_update_complete: more changes!"); remote_changes_pending(peer); } } void peer_open_complete(struct peer *peer, const char *problem) { if (problem) log_unusual(peer->log, "peer open failed: %s", problem); else { struct lightningd_state *dstate = peer->dstate; struct node *n; log_debug(peer->log, "peer open complete"); assert(!peer->nc); n = get_node(dstate, peer->id); if (!n) n = new_node(dstate, peer->id); peer->nc = add_connection(dstate, get_node(dstate, &dstate->id), n, dstate->config.fee_base, dstate->config.fee_per_satoshi, dstate->config.min_htlc_expiry, dstate->config.min_htlc_expiry); } } static void set_peer_state(struct peer *peer, enum state newstate, const char *caller) { log_debug(peer->log, "%s: %s => %s", caller, state_name(peer->state), state_name(newstate)); peer->state = newstate; } static void peer_breakdown(struct peer *peer) { if (peer->commit_jsoncmd) { command_fail(peer->commit_jsoncmd, "peer breakdown"); peer->commit_jsoncmd = NULL; } /* If we have a closing tx, use it. */ if (peer->closing.their_sig) { log_unusual(peer->log, "Peer breakdown: sending close tx"); broadcast_tx(peer, bitcoin_close(peer)); /* If we have a signed commit tx (maybe not if we just offered * anchor, or they supplied anchor). */ } else if (peer->local.commit->sig) { log_unusual(peer->log, "Peer breakdown: sending commit tx"); broadcast_tx(peer, bitcoin_commit(peer)); } else { log_info(peer->log, "Peer breakdown: nothing to do"); /* We close immediately. */ set_peer_state(peer, STATE_CLOSED, __func__); io_wake(peer); } } /* All unrevoked commit txs must have no HTLCs in them. */ static bool committed_to_htlcs(const struct peer *peer) { const struct commit_info *i; /* Before anchor exchange, we don't even have cstate. */ if (!peer->local.commit || !peer->local.commit->cstate) return false; i = peer->local.commit; while (i && !i->revocation_preimage) { if (tal_count(i->cstate->side[OURS].htlcs)) return true; if (tal_count(i->cstate->side[THEIRS].htlcs)) return true; i = i->prev; } i = peer->remote.commit; while (i && !i->revocation_preimage) { if (tal_count(i->cstate->side[OURS].htlcs)) return true; if (tal_count(i->cstate->side[THEIRS].htlcs)) return true; i = i->prev; } return false; } static struct io_plan *peer_close(struct io_conn *conn, struct peer *peer) { /* Tell writer to wrap it up (may have to xmit first) */ io_wake(peer); /* We do nothing more. */ return io_wait(conn, NULL, io_never, NULL); } /* Communication failed: send err (if non-NULL), then dump to chain and close. */ static bool peer_comms_err(struct peer *peer, Pkt *err) { if (err) queue_pkt_err(peer, err); set_peer_state(peer, STATE_ERR_BREAKDOWN, __func__); peer_breakdown(peer); return false; } /* Unexpected packet received: stop listening, start breakdown procedure. */ static bool peer_received_unexpected_pkt(struct peer *peer, const Pkt *pkt) { peer_unexpected_pkt(peer, pkt); return peer_comms_err(peer, pkt_err_unexpected(peer, pkt)); } /* This is the io loop while we're negotiating closing tx. */ static bool closing_pkt_in(struct peer *peer, const Pkt *pkt) { const CloseSignature *c = pkt->close_signature; struct bitcoin_tx *close_tx; struct bitcoin_signature theirsig; assert(peer->state == STATE_MUTUAL_CLOSING); if (pkt->pkt_case != PKT__PKT_CLOSE_SIGNATURE) return peer_received_unexpected_pkt(peer, pkt); log_info(peer->log, "closing_pkt_in: they offered close fee %"PRIu64, c->close_fee); /* BOLT #2: * * The sender MUST set `close_fee` lower than or equal to the fee of the * final commitment transaction, and MUST set `close_fee` to an even * number of satoshis. */ if ((c->close_fee & 1) || c->close_fee > commit_tx_fee(peer->remote.commit->tx, peer->anchor.satoshis)) { return peer_comms_err(peer, pkt_err(peer, "Invalid close fee")); } /* FIXME: Don't accept tiny fee at all? */ /* BOLT #2: ... otherwise it SHOULD propose a value strictly between the received `close_fee` and its previously-sent `close_fee`. */ if (peer->closing.their_sig) { /* We want more, they should give more. */ if (peer->closing.our_fee > peer->closing.their_fee) { if (c->close_fee <= peer->closing.their_fee) return peer_comms_err(peer, pkt_err(peer, "Didn't increase close fee")); } else { if (c->close_fee >= peer->closing.their_fee) return peer_comms_err(peer, pkt_err(peer, "Didn't decrease close fee")); } } /* BOLT #2: * * The receiver MUST check `sig` is valid for the close * transaction with the given `close_fee`, and MUST fail the * connection if it is not. */ theirsig.stype = SIGHASH_ALL; if (!proto_to_signature(peer->dstate->secpctx, c->sig, &theirsig.sig)) return peer_comms_err(peer, pkt_err(peer, "Invalid signature format")); close_tx = peer_create_close_tx(peer, c->close_fee); if (!check_tx_sig(peer->dstate->secpctx, close_tx, 0, NULL, 0, peer->anchor.witnessscript, &peer->remote.commitkey, &theirsig)) return peer_comms_err(peer, pkt_err(peer, "Invalid signature")); tal_free(peer->closing.their_sig); peer->closing.their_sig = tal_dup(peer, struct bitcoin_signature, &theirsig); peer->closing.their_fee = c->close_fee; if (peer->closing.our_fee != peer->closing.their_fee) { /* BOLT #2: * * If the receiver agrees with the fee, it SHOULD reply with a * `close_signature` with the same `close_fee` value, * otherwise it SHOULD propose a value strictly between the * received `close_fee` and its previously-sent `close_fee`. */ /* Adjust our fee to close on their fee. */ u64 sum; /* Beware overflow! */ sum = (u64)peer->closing.our_fee + peer->closing.their_fee; peer->closing.our_fee = sum / 2; if (peer->closing.our_fee & 1) peer->closing.our_fee++; log_info(peer->log, "accept_pkt_close_sig: we change to %"PRIu64, peer->closing.our_fee); queue_pkt_close_signature(peer); } /* Note corner case: we may *now* agree with them! */ if (peer->closing.our_fee == peer->closing.their_fee) { log_info(peer->log, "accept_pkt_close_sig: we agree"); /* BOLT #2: * * Once a node has sent or received a `close_signature` with * matching `close_fee` it SHOULD close the connection and * SHOULD sign and broadcast the final closing transaction. */ broadcast_tx(peer, bitcoin_close(peer)); return false; } /* FIXME: Dynamic fee! */ return true; } /* This is the io loop while we're clearing. */ static bool clearing_pkt_in(struct peer *peer, const Pkt *pkt) { Pkt *err = NULL; assert(peer->state == STATE_CLEARING || peer->state == STATE_CLEARING_COMMITTING); switch (pkt->pkt_case) { case PKT__PKT_UPDATE_REVOCATION: if (peer->state == STATE_CLEARING) err = pkt_err_unexpected(peer, pkt); else { err = accept_pkt_revocation(peer, pkt); if (!err) { set_peer_state(peer, STATE_CLEARING, __func__); peer_update_complete(peer); } } break; case PKT__PKT_UPDATE_ADD_HTLC: /* BOLT #2: * * A node MUST NOT send a `update_add_htlc` after a * `close_clearing` */ if (peer->closing.their_script) err = pkt_err(peer, "Update during clearing"); else err = accept_pkt_htlc_add(peer, pkt); break; case PKT__PKT_CLOSE_CLEARING: /* BOLT #2: * * A node... MUST NOT send more than one `close_clearing`. */ if (peer->closing.their_script) err = pkt_err_unexpected(peer, pkt); else err = accept_pkt_close_clearing(peer, pkt); break; case PKT__PKT_UPDATE_FULFILL_HTLC: err = accept_pkt_htlc_fulfill(peer, pkt); break; case PKT__PKT_UPDATE_FAIL_HTLC: err = accept_pkt_htlc_fail(peer, pkt); break; case PKT__PKT_UPDATE_COMMIT: err = accept_pkt_commit(peer, pkt); if (!err) queue_pkt_revocation(peer); break; case PKT__PKT_ERROR: peer_unexpected_pkt(peer, pkt); return peer_comms_err(peer, NULL); case PKT__PKT_AUTH: case PKT__PKT_OPEN: case PKT__PKT_OPEN_ANCHOR: case PKT__PKT_OPEN_COMMIT_SIG: case PKT__PKT_OPEN_COMPLETE: case PKT__PKT_CLOSE_SIGNATURE: default: peer_unexpected_pkt(peer, pkt); err = pkt_err_unexpected(peer, pkt); break; } if (err) return peer_comms_err(peer, err); if (!committed_to_htlcs(peer)) { set_peer_state(peer, STATE_MUTUAL_CLOSING, __func__); peer_calculate_close_fee(peer); queue_pkt_close_signature(peer); } return true; } static void peer_start_clearing(struct peer *peer) { assert(peer->state == STATE_CLEARING || peer->state == STATE_CLEARING_COMMITTING); /* If they started close, we might not have sent ours. */ if (!peer->closing.our_script) { u8 *redeemscript = bitcoin_redeem_single(peer, peer->dstate->secpctx, &peer->local.finalkey); peer->closing.our_script = scriptpubkey_p2sh(peer, redeemscript); tal_free(redeemscript); /* BOLT #2: * * A node SHOULD send a `close_clearing` (if it has * not already) after receiving `close_clearing`. */ queue_pkt_close_clearing(peer); } /* Catch case where we've exchanged and had no HTLCs anyway. */ if (peer->closing.our_script && peer->closing.their_script && !committed_to_htlcs(peer)) { set_peer_state(peer, STATE_MUTUAL_CLOSING, __func__); peer_calculate_close_fee(peer); queue_pkt_close_signature(peer); } } /* This is the io loop while we're in normal mode. */ static bool normal_pkt_in(struct peer *peer, const Pkt *pkt) { Pkt *err = NULL; assert(peer->state == STATE_NORMAL || peer->state == STATE_NORMAL_COMMITTING); switch (pkt->pkt_case) { case PKT_UPDATE_ADD_HTLC: err = accept_pkt_htlc_add(peer, pkt); break; case PKT_UPDATE_FULFILL_HTLC: err = accept_pkt_htlc_fulfill(peer, pkt); break; case PKT_UPDATE_FAIL_HTLC: err = accept_pkt_htlc_fail(peer, pkt); break; case PKT_UPDATE_COMMIT: err = accept_pkt_commit(peer, pkt); if (!err) queue_pkt_revocation(peer); break; case PKT_CLOSE_CLEARING: err = accept_pkt_close_clearing(peer, pkt); if (err) break; if (peer->state == STATE_NORMAL) set_peer_state(peer, STATE_CLEARING, __func__); else { assert(peer->state == STATE_NORMAL_COMMITTING); set_peer_state(peer, STATE_CLEARING_COMMITTING, __func__); } peer_start_clearing(peer); return true; case PKT_UPDATE_REVOCATION: if (peer->state == STATE_NORMAL_COMMITTING) { err = accept_pkt_revocation(peer, pkt); if (!err) { peer_update_complete(peer); set_peer_state(peer, STATE_NORMAL, __func__); } break; } /* Fall thru. */ default: return peer_received_unexpected_pkt(peer, pkt); } if (err) { return peer_comms_err(peer, err); } return true; } static void state_single(struct peer *peer, const enum state_input input, const Pkt *pkt) { const struct bitcoin_tx *broadcast; enum state newstate; size_t old_outpkts = tal_count(peer->outpkt); newstate = state(peer, input, pkt, &broadcast); set_peer_state(peer, newstate, input_name(input)); /* If we added uncommitted changes, we should have set them to send. */ if (peer_uncommitted_changes(peer)) assert(peer->commit_timer); if (tal_count(peer->outpkt) > old_outpkts) { Pkt *outpkt = peer->outpkt[old_outpkts]; log_add(peer->log, " (out %s)", pkt_name(outpkt->pkt_case)); } if (broadcast) broadcast_tx(peer, broadcast); if (state_is_error(peer->state)) { /* Breakdown is common, others less so. */ if (peer->state != STATE_ERR_BREAKDOWN) log_broken(peer->log, "Entered error state %s", state_name(peer->state)); peer_breakdown(peer); /* Start output if not running already; it will close conn. */ io_wake(peer); } } static void state_event(struct peer *peer, const enum state_input input, const Pkt *pkt) { if (!state_is_opening(peer->state)) { log_unusual(peer->log, "Unexpected input %s while state %s", input_name(input), state_name(peer->state)); } else { state_single(peer, input, pkt); } } static struct htlc *htlc_by_index(const struct commit_info *ci, size_t index) { if (ci->map[index] == -1) return NULL; /* First two are non-HTLC outputs to us, them. */ assert(index >= 2); index -= 2; if (index < tal_count(ci->cstate->side[OURS].htlcs)) return ci->cstate->side[OURS].htlcs[index]; index -= tal_count(ci->cstate->side[OURS].htlcs); assert(index < tal_count(ci->cstate->side[THEIRS].htlcs)); return ci->cstate->side[THEIRS].htlcs[index]; } static bool htlc_is_ours(const struct commit_info *ci, size_t index) { assert(index >= 2); index -= 2; return index < tal_count(ci->cstate->side[OURS].htlcs); } /* Create a HTLC fulfill transaction */ static const struct bitcoin_tx *htlc_fulfill_tx(const struct peer *peer, const struct commit_info *ci, unsigned int i) { u8 *wscript; struct htlc *htlc; struct bitcoin_tx *tx = bitcoin_tx(peer, 1, 1); struct bitcoin_signature sig; u64 fee, satoshis; htlc = htlc_by_index(ci, i); assert(htlc->r); wscript = bitcoin_redeem_htlc_recv(peer, peer->dstate->secpctx, &peer->local.finalkey, &peer->remote.finalkey, &htlc->expiry, &peer->remote.locktime, &ci->revocation_hash, &htlc->rhash); tx->input[0].index = ci->map[i]; bitcoin_txid(ci->tx, &tx->input[0].txid); satoshis = htlc->msatoshis / 1000; tx->input[0].amount = tal_dup(tx->input, u64, &satoshis); tx->input[0].sequence_number = bitcoin_nsequence(&peer->remote.locktime); /* Using a new output address here would be useless: they can tell * it's their HTLC, and that we collected it via rval. */ tx->output[0].script = scriptpubkey_p2sh(tx, bitcoin_redeem_single(tx, peer->dstate->secpctx, &peer->local.finalkey)); tx->output[0].script_length = tal_count(tx->output[0].script); log_debug(peer->log, "Pre-witness txlen = %zu\n", measure_tx_cost(tx) / 4); assert(measure_tx_cost(tx) == 83 * 4); /* Witness length can vary, due to DER encoding of sigs, but we * use 539 from an example run. */ /* FIXME: Dynamic fees! */ fee = fee_by_feerate(83 + 539 / 4, peer->dstate->config.closing_fee_rate); /* FIXME: Fail gracefully in these cases (not worth collecting) */ if (fee > satoshis || is_dust_amount(satoshis - fee)) fatal("HTLC fulfill amount of %"PRIu64" won't cover fee %"PRIu64, satoshis, fee); tx->output[0].amount = satoshis - fee; sig.stype = SIGHASH_ALL; peer_sign_htlc_fulfill(peer, tx, wscript, &sig.sig); tx->input[0].witness = bitcoin_witness_htlc(tx, peer->dstate->secpctx, htlc->r, &sig, wscript); log_debug(peer->log, "tx cost for htlc fulfill tx: %zu", measure_tx_cost(tx)); return tx; } /* FIXME: Reason! */ static bool command_htlc_fail(struct peer *peer, struct htlc *htlc) { /* If onchain, nothing we can do. */ if (!state_can_remove_htlc(peer->state)) return false; queue_pkt_htlc_fail(peer, htlc); return true; } /* BOLT #onchain: * * If the node receives... a redemption preimage for an unresolved *commitment * tx* output it was offered, it MUST *resolve* the output by spending it using * the preimage. */ static bool fulfill_onchain(struct peer *peer, struct htlc *htlc) { const struct commit_info *ci = peer->closing_onchain.ci; size_t i; for (i = 0; i < tal_count(ci->cstate->side[THEIRS].htlcs); i++) { if (ci->cstate->side[THEIRS].htlcs[i] == htlc) { /* Already irrevocably resolved? */ if (peer->closing_onchain.resolved[i]) return false; peer->closing_onchain.resolved[i] = htlc_fulfill_tx(peer, ci, i); return true; } } fatal("Unknown HTLC to fulfill onchain"); } static bool command_htlc_fulfill(struct peer *peer, struct htlc *htlc, const struct rval *r) { assert(!htlc->r); htlc->r = tal_dup(htlc, struct rval, r); if (peer->state == STATE_CLOSE_ONCHAIN_THEIR_UNILATERAL || peer->state == STATE_CLOSE_ONCHAIN_OUR_UNILATERAL) { return fulfill_onchain(peer, htlc); } if (!state_can_remove_htlc(peer->state)) return false; queue_pkt_htlc_fulfill(peer, htlc, r); return true; } struct htlc *command_htlc_add(struct peer *peer, u64 msatoshis, unsigned int expiry, const struct sha256 *rhash, struct htlc *src, const u8 *route) { struct channel_state *cstate; struct abs_locktime locktime; struct htlc *htlc; if (!blocks_to_abs_locktime(expiry, &locktime)) { log_unusual(peer->log, "add_htlc: fail: bad expiry %u", expiry); return NULL; } if (expiry < get_block_height(peer->dstate) + peer->dstate->config.min_htlc_expiry) { log_unusual(peer->log, "add_htlc: fail: expiry %u is too soon", expiry); return NULL; } if (expiry > get_block_height(peer->dstate) + peer->dstate->config.max_htlc_expiry) { log_unusual(peer->log, "add_htlc: fail: expiry %u is too far", expiry); return NULL; } /* BOLT #2: * * A node MUST NOT add a HTLC if it would result in it * offering more than 300 HTLCs in the remote commitment transaction. */ if (tal_count(peer->remote.staging_cstate->side[OURS].htlcs) == 300) { log_unusual(peer->log, "add_htlc: fail: already at limit"); return NULL; } if (!state_can_add_htlc(peer->state)) { log_unusual(peer->log, "add_htlc: fail: peer state %s", state_name(peer->state)); return NULL; } htlc = peer_new_htlc(peer, peer->htlc_id_counter, msatoshis, rhash, expiry, route, tal_count(route), src, OURS); /* FIXME: BOLT is not correct here: we should say IFF we cannot * afford it in remote at its own current proposed fee-rate. */ /* BOLT #2: * * A node MUST NOT offer `amount_msat` it cannot pay for in * the remote commitment transaction at the current `fee_rate` */ cstate = copy_cstate(peer, peer->remote.staging_cstate); if (!cstate_add_htlc(cstate, htlc, OURS)) { log_unusual(peer->log, "add_htlc: fail: Cannot afford %"PRIu64 " milli-satoshis in their commit tx", msatoshis); return tal_free(htlc); } tal_free(cstate); cstate = copy_cstate(peer, peer->local.staging_cstate); if (!cstate_add_htlc(cstate, htlc, OURS)) { log_unusual(peer->log, "add_htlc: fail: Cannot afford %"PRIu64 " milli-satoshis in our commit tx", msatoshis); return tal_free(htlc); } tal_free(cstate); queue_pkt_htlc_add(peer, htlc); /* Make sure we never offer the same one twice. */ peer->htlc_id_counter++; return htlc; } static struct io_plan *pkt_out(struct io_conn *conn, struct peer *peer) { Pkt *out; size_t n = tal_count(peer->outpkt); if (n == 0) { /* We close the connection once we've sent everything. */ if (!state_can_io(peer->state)) { log_debug(peer->log, "pkt_out: no IO possible, closing"); return io_close(conn); } return io_out_wait(conn, peer, pkt_out, peer); } if (peer->fake_close || !peer->output_enabled) return io_out_wait(conn, peer, pkt_out, peer); out = peer->outpkt[0]; memmove(peer->outpkt, peer->outpkt + 1, (sizeof(*peer->outpkt)*(n-1))); tal_resize(&peer->outpkt, n-1); return peer_write_packet(conn, peer, out, pkt_out); } static struct io_plan *pkt_in(struct io_conn *conn, struct peer *peer) { bool keep_going; /* We ignore packets if they tell us to, or we're closing already */ if (peer->fake_close || !state_can_io(peer->state)) keep_going = true; else if (state_is_normal(peer->state)) keep_going = normal_pkt_in(peer, peer->inpkt); else if (state_is_clearing(peer->state)) keep_going = clearing_pkt_in(peer, peer->inpkt); else if (peer->state == STATE_MUTUAL_CLOSING) keep_going = closing_pkt_in(peer, peer->inpkt); else { state_event(peer, peer->inpkt->pkt_case, peer->inpkt); keep_going = true; } peer->inpkt = tal_free(peer->inpkt); if (keep_going) return peer_read_packet(conn, peer, pkt_in); else return peer_close(conn, peer); } /* Crypto is on, we are live. */ static struct io_plan *peer_crypto_on(struct io_conn *conn, struct peer *peer) { peer_secrets_init(peer); peer_get_revocation_hash(peer, 0, &peer->local.next_revocation_hash); assert(peer->state == STATE_INIT); state_event(peer, peer->local.offer_anchor, NULL); return io_duplex(conn, peer_read_packet(conn, peer, pkt_in), pkt_out(conn, peer)); } static void destroy_peer(struct peer *peer) { if (peer->conn) io_close(peer->conn); list_del_from(&peer->dstate->peers, &peer->list); } static void peer_disconnect(struct io_conn *conn, struct peer *peer) { log_info(peer->log, "Disconnected"); /* No longer connected. */ peer->conn = NULL; /* Not even set up yet? Simply free.*/ if (peer->state == STATE_INIT) { tal_free(peer); return; } /* Completely dead? Free it now. */ if (peer->state == STATE_CLOSED) { io_break(peer); return; } /* This is an unexpected close. */ if (!state_is_onchain(peer->state) && !state_is_error(peer->state)) { /* FIXME: Try to reconnect. */ set_peer_state(peer, STATE_ERR_BREAKDOWN, "peer_disconnect"); peer_breakdown(peer); } } static void do_commit(struct peer *peer, struct command *jsoncmd) { /* We can have changes we suggested, or changes they suggested. */ if (!peer_uncommitted_changes(peer)) { log_debug(peer->log, "do_commit: no changes to commit"); if (jsoncmd) command_fail(jsoncmd, "no changes to commit"); return; } log_debug(peer->log, "do_commit: sending commit command"); assert(state_can_commit(peer->state)); assert(!peer->commit_jsoncmd); peer->commit_jsoncmd = jsoncmd; queue_pkt_commit(peer); if (peer->state == STATE_CLEARING) { set_peer_state(peer, STATE_CLEARING_COMMITTING, __func__); } else { assert(peer->state == STATE_NORMAL); set_peer_state(peer, STATE_NORMAL_COMMITTING, __func__); } } static void try_commit(struct peer *peer) { peer->commit_timer = NULL; if (state_can_commit(peer->state)) do_commit(peer, NULL); else { /* FIXME: try again when we receive revocation, rather * than using timer! */ log_debug(peer->log, "try_commit: state=%s, re-queueing timer", state_name(peer->state)); remote_changes_pending(peer); } } void remote_changes_pending(struct peer *peer) { log_debug(peer->log, "remote_changes_pending: changes=%u", peer->remote.staging_cstate->changes); if (!peer->commit_timer) { log_debug(peer->log, "remote_changes_pending: adding timer"); peer->commit_timer = new_reltimer(peer->dstate, peer, peer->dstate->config.commit_time, try_commit, peer); } else log_debug(peer->log, "remote_changes_pending: timer already exists"); } static struct peer *new_peer(struct lightningd_state *dstate, struct io_conn *conn, int addr_type, int addr_protocol, enum state_input offer_anchor, const char *in_or_out) { struct peer *peer = tal(dstate, struct peer); assert(offer_anchor == CMD_OPEN_WITH_ANCHOR || offer_anchor == CMD_OPEN_WITHOUT_ANCHOR); /* FIXME: Stop listening if too many peers? */ list_add(&dstate->peers, &peer->list); peer->state = STATE_INIT; peer->id = NULL; peer->dstate = dstate; peer->addr.type = addr_type; peer->addr.protocol = addr_protocol; peer->io_data = NULL; peer->secrets = NULL; list_head_init(&peer->watches); peer->outpkt = tal_arr(peer, Pkt *, 0); peer->commit_jsoncmd = NULL; list_head_init(&peer->outgoing_txs); list_head_init(&peer->pay_commands); peer->anchor.watches = NULL; peer->cur_commit.watch = NULL; peer->closing.their_sig = NULL; peer->closing.our_script = NULL; peer->closing.their_script = NULL; peer->closing_onchain.tx = NULL; peer->closing_onchain.resolved = NULL; peer->closing_onchain.ci = NULL; peer->commit_timer = NULL; peer->nc = NULL; /* Make it different from other node (to catch bugs!), but a * round number for simple eyeballing. */ peer->htlc_id_counter = pseudorand(1ULL << 32) * 1000; /* If we free peer, conn should be closed, but can't be freed * immediately so don't make peer a parent. */ peer->conn = conn; peer->fake_close = false; peer->output_enabled = true; io_set_finish(conn, peer_disconnect, peer); peer->local.offer_anchor = offer_anchor; if (!blocks_to_rel_locktime(dstate->config.locktime_blocks, &peer->local.locktime)) fatal("Could not convert locktime_blocks"); peer->local.mindepth = dstate->config.anchor_confirms; peer->local.commit_fee_rate = dstate->config.commitment_fee_rate; peer->local.commit = peer->remote.commit = NULL; peer->local.staging_cstate = peer->remote.staging_cstate = NULL; htlc_map_init(&peer->local.htlcs); htlc_map_init(&peer->remote.htlcs); /* FIXME: Attach IO logging for this peer. */ tal_add_destructor(peer, destroy_peer); peer->addr.addrlen = sizeof(peer->addr.saddr); if (getpeername(io_conn_fd(conn), &peer->addr.saddr.s, &peer->addr.addrlen) != 0) { log_unusual(dstate->base_log, "Could not get address for peer: %s", strerror(errno)); return tal_free(peer); } peer->log = new_log(peer, dstate->log_record, "%s%s:%s:", log_prefix(dstate->base_log), in_or_out, netaddr_name(peer, &peer->addr)); return peer; } static void htlc_destroy(struct htlc *htlc) { struct htlc_map *map; if (htlc->side == OURS) map = &htlc->peer->local.htlcs; else { assert(htlc->side == THEIRS); map = &htlc->peer->remote.htlcs; } if (!htlc_map_del(map, htlc)) fatal("Could not find htlc to destroy"); } struct htlc *peer_new_htlc(struct peer *peer, u64 id, u64 msatoshis, const struct sha256 *rhash, u32 expiry, const u8 *route, size_t routelen, struct htlc *src, enum channel_side side) { struct htlc *h = tal(peer, struct htlc); h->peer = peer; h->side = side; h->id = id; h->msatoshis = msatoshis; h->rhash = *rhash; h->r = NULL; if (!blocks_to_abs_locktime(expiry, &h->expiry)) fatal("Invalid HTLC expiry %u", expiry); h->routing = tal_dup_arr(h, u8, route, routelen, 0); h->src = src; if (side == OURS) { if (src) { h->deadline = abs_locktime_to_blocks(&src->expiry) - peer->dstate->config.deadline_blocks; } else /* If we're paying, give it a little longer. */ h->deadline = expiry + peer->dstate->config.min_htlc_expiry; htlc_map_add(&peer->local.htlcs, h); } else { assert(side == THEIRS); htlc_map_add(&peer->remote.htlcs, h); } tal_add_destructor(h, htlc_destroy); return h; } static struct io_plan *peer_connected_out(struct io_conn *conn, struct lightningd_state *dstate, struct json_connecting *connect) { /* Initiator currently funds channel */ struct peer *peer = new_peer(dstate, conn, SOCK_STREAM, IPPROTO_TCP, CMD_OPEN_WITH_ANCHOR, "out"); if (!peer) { command_fail(connect->cmd, "Failed to make peer for %s:%s", connect->name, connect->port); return io_close(conn); } log_info(peer->log, "Connected out to %s:%s", connect->name, connect->port); peer->anchor.input = tal_steal(peer, connect->input); command_success(connect->cmd, null_response(connect)); return peer_crypto_setup(conn, peer, peer_crypto_on); } static struct io_plan *peer_connected_in(struct io_conn *conn, struct lightningd_state *dstate) { struct peer *peer = new_peer(dstate, conn, SOCK_STREAM, IPPROTO_TCP, CMD_OPEN_WITHOUT_ANCHOR, "in"); if (!peer) return io_close(conn); log_info(peer->log, "Peer connected in"); return peer_crypto_setup(conn, peer, peer_crypto_on); } static int make_listen_fd(struct lightningd_state *dstate, int domain, void *addr, socklen_t len) { int fd = socket(domain, SOCK_STREAM, 0); if (fd < 0) { log_debug(dstate->base_log, "Failed to create %u socket: %s", domain, strerror(errno)); return -1; } if (!addr || bind(fd, addr, len) == 0) { if (listen(fd, 5) == 0) return fd; log_unusual(dstate->base_log, "Failed to listen on %u socket: %s", domain, strerror(errno)); } else log_debug(dstate->base_log, "Failed to bind on %u socket: %s", domain, strerror(errno)); close_noerr(fd); return -1; } void setup_listeners(struct lightningd_state *dstate, unsigned int portnum) { struct sockaddr_in addr; struct sockaddr_in6 addr6; socklen_t len; int fd1, fd2; u16 listen_port; addr.sin_family = AF_INET; addr.sin_addr.s_addr = INADDR_ANY; addr.sin_port = htons(portnum); addr6.sin6_family = AF_INET6; addr6.sin6_addr = in6addr_any; addr6.sin6_port = htons(portnum); /* IPv6, since on Linux that (usually) binds to IPv4 too. */ fd1 = make_listen_fd(dstate, AF_INET6, portnum ? &addr6 : NULL, sizeof(addr6)); if (fd1 >= 0) { struct sockaddr_in6 in6; len = sizeof(in6); if (getsockname(fd1, (void *)&in6, &len) != 0) { log_unusual(dstate->base_log, "Failed get IPv6 sockname: %s", strerror(errno)); close_noerr(fd1); } else { addr.sin_port = in6.sin6_port; listen_port = ntohs(addr.sin_port); log_info(dstate->base_log, "Creating IPv6 listener on port %u", listen_port); io_new_listener(dstate, fd1, peer_connected_in, dstate); } } /* Just in case, aim for the same port... */ fd2 = make_listen_fd(dstate, AF_INET, addr.sin_port ? &addr : NULL, sizeof(addr)); if (fd2 >= 0) { len = sizeof(addr); if (getsockname(fd2, (void *)&addr, &len) != 0) { log_unusual(dstate->base_log, "Failed get IPv4 sockname: %s", strerror(errno)); close_noerr(fd2); } else { listen_port = ntohs(addr.sin_port); log_info(dstate->base_log, "Creating IPv4 listener on port %u", listen_port); io_new_listener(dstate, fd2, peer_connected_in, dstate); } } if (fd1 < 0 && fd2 < 0) fatal("Could not bind to a network address"); } static void peer_failed(struct lightningd_state *dstate, struct json_connecting *connect) { /* FIXME: Better diagnostics! */ command_fail(connect->cmd, "Failed to connect to peer %s:%s", connect->name, connect->port); } static void json_connect(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct json_connecting *connect; jsmntok_t *host, *port, *txtok; struct bitcoin_tx *tx; int output; size_t txhexlen; if (!json_get_params(buffer, params, "host", &host, "port", &port, "tx", &txtok, NULL)) { command_fail(cmd, "Need host, port and tx to a wallet address"); return; } connect = tal(cmd, struct json_connecting); connect->cmd = cmd; connect->name = tal_strndup(connect, buffer + host->start, host->end - host->start); connect->port = tal_strndup(connect, buffer + port->start, port->end - port->start); connect->input = tal(connect, struct anchor_input); txhexlen = txtok->end - txtok->start; tx = bitcoin_tx_from_hex(connect->input, buffer + txtok->start, txhexlen); if (!tx) { command_fail(cmd, "'%.*s' is not a valid transaction", txtok->end - txtok->start, buffer + txtok->start); return; } bitcoin_txid(tx, &connect->input->txid); /* Find an output we know how to spend. */ connect->input->w = NULL; for (output = 0; output < tx->output_count; output++) { connect->input->w = wallet_can_spend(cmd->dstate, &tx->output[output]); if (connect->input->w) break; } if (!connect->input->w) { command_fail(cmd, "Tx doesn't send to wallet address"); return; } connect->input->index = output; connect->input->amount = tx->output[output].amount; if (!dns_resolve_and_connect(cmd->dstate, connect->name, connect->port, peer_connected_out, peer_failed, connect)) { command_fail(cmd, "DNS failed"); return; } } const struct json_command connect_command = { "connect", json_connect, "Connect to a {host} at {port} offering anchor of {satoshis}", "Returns an empty result on success" }; /* Have any of our HTLCs passed their deadline? */ static bool any_deadline_past(struct peer *peer, const struct channel_state *cstate) { size_t i; u32 height = get_block_height(peer->dstate); struct htlc **htlcs = cstate->side[OURS].htlcs; for (i = 0; i < tal_count(htlcs); i++) { if (height >= htlcs[i]->deadline) { log_unusual_struct(peer->log, "HTLC %s deadline has passed", struct htlc, htlcs[i]); return true; } } return false; } static void check_htlc_expiry(struct peer *peer) { size_t i; u32 height = get_block_height(peer->dstate); again: /* Check their currently still-existing htlcs for expiry: * We eliminate them from staging as we go. */ for (i = 0; i < tal_count(peer->remote.staging_cstate->side[THEIRS].htlcs); i++) { struct htlc *htlc = peer->remote.staging_cstate->side[THEIRS].htlcs[i]; assert(!abs_locktime_is_seconds(&htlc->expiry)); /* We give it an extra block, to avoid the worst of the * inter-node timing issues. */ if (height <= abs_locktime_to_blocks(&htlc->expiry)) continue; /* This can fail only if we're in an error state. */ if (!command_htlc_fail(peer, htlc)) return; goto again; } /* BOLT #2: * * A node MUST NOT offer a HTLC after this deadline, and MUST * fail the connection if an HTLC which it offered is in * either node's current commitment transaction past this * deadline. */ /* To save logic elsewhere (ie. to avoid signing a new commit with a * past-deadline HTLC) we also check staged HTLCs. */ if (!state_is_normal(peer->state)) return; if (any_deadline_past(peer, peer->remote.staging_cstate) || any_deadline_past(peer, peer->local.staging_cstate) || any_deadline_past(peer, peer->remote.commit->cstate) || any_deadline_past(peer, peer->local.commit->cstate)) { set_peer_state(peer, STATE_ERR_BREAKDOWN, __func__); peer_breakdown(peer); } } struct anchor_watch { struct peer *peer; enum state_input depthok; enum state_input timeout; /* If timeout != INPUT_NONE, this is the timer. */ struct oneshot *timer; }; static enum watch_result anchor_depthchange(struct peer *peer, unsigned int depth, const struct sha256_double *txid, void *unused) { struct anchor_watch *w = peer->anchor.watches; /* Still waiting for it to reach depth? */ if (w->depthok != INPUT_NONE) { if (depth >= peer->local.mindepth) { enum state_input in = w->depthok; w->depthok = INPUT_NONE; /* We don't need the timeout timer any more. */ w->timer = tal_free(w->timer); state_event(peer, in, NULL); } } else if (depth == 0) /* FIXME: Report losses! */ fatal("Funding transaction was unspent!"); /* Since this gets called on every new block, check HTLCs here. */ check_htlc_expiry(peer); return KEEP_WATCHING; } /* Yay, segwit! We can just compare txids, even though we don't have both * signatures. */ static bool txidmatch(const struct bitcoin_tx *tx, const struct sha256_double *txid) { struct sha256_double tx_txid; bitcoin_txid(tx, &tx_txid); return structeq(txid, &tx_txid); } static struct commit_info *find_commit(struct commit_info *ci, const struct sha256_double *txid) { while (ci) { if (txidmatch(ci->tx, txid)) return ci; ci = ci->prev; } return NULL; } static bool is_mutual_close(const struct peer *peer, const struct bitcoin_tx *tx) { const u8 *ours, *theirs; ours = peer->closing.our_script; theirs = peer->closing.their_script; /* If we don't know the closing scripts, can't have signed them. */ if (!ours || !theirs) return false; if (tx->output_count != 2) return false; /* Without knowing fee amounts, can't determine order. Check both. */ if (scripteq(tx->output[0].script, tx->output[0].script_length, ours, tal_count(ours)) && scripteq(tx->output[1].script, tx->output[1].script_length, theirs, tal_count(theirs))) return true; if (scripteq(tx->output[0].script, tx->output[0].script_length, theirs, tal_count(theirs)) && scripteq(tx->output[1].script, tx->output[1].script_length, ours, tal_count(ours))) return true; return false; } /* Create a HTLC refund collection */ static const struct bitcoin_tx *htlc_timeout_tx(const struct peer *peer, const struct commit_info *ci, unsigned int i) { u8 *wscript; struct htlc *htlc; struct bitcoin_tx *tx = bitcoin_tx(peer, 1, 1); struct bitcoin_signature sig; u64 fee, satoshis; htlc = htlc_by_index(ci, i); wscript = bitcoin_redeem_htlc_send(peer, peer->dstate->secpctx, &peer->local.finalkey, &peer->remote.finalkey, &htlc->expiry, &peer->remote.locktime, &ci->revocation_hash, &htlc->rhash); /* We must set locktime so HTLC expiry can OP_CHECKLOCKTIMEVERIFY */ tx->lock_time = htlc->expiry.locktime; tx->input[0].index = 0; bitcoin_txid(ci->tx, &tx->input[0].txid); satoshis = htlc->msatoshis / 1000; tx->input[0].amount = tal_dup(tx->input, u64, &satoshis); tx->input[0].sequence_number = bitcoin_nsequence(&peer->remote.locktime); /* Using a new output address here would be useless: they can tell * it's our HTLC, and that we collected it via timeout. */ tx->output[0].script = scriptpubkey_p2sh(tx, bitcoin_redeem_single(tx, peer->dstate->secpctx, &peer->local.finalkey)); tx->output[0].script_length = tal_count(tx->output[0].script); log_unusual(peer->log, "Pre-witness txlen = %zu\n", measure_tx_cost(tx) / 4); assert(measure_tx_cost(tx) == 83 * 4); /* Witness length can vary, due to DER encoding of sigs, but we * use 539 from an example run. */ /* FIXME: Dynamic fees! */ fee = fee_by_feerate(83 + 539 / 4, peer->dstate->config.closing_fee_rate); /* FIXME: Fail gracefully in these cases (not worth collecting) */ if (fee > satoshis || is_dust_amount(satoshis - fee)) fatal("HTLC refund amount of %"PRIu64" won't cover fee %"PRIu64, satoshis, fee); tx->output[0].amount = satoshis - fee; sig.stype = SIGHASH_ALL; peer_sign_htlc_refund(peer, tx, wscript, &sig.sig); tx->input[0].witness = bitcoin_witness_htlc(tx, peer->dstate->secpctx, NULL, &sig, wscript); log_unusual(peer->log, "tx cost for htlc timeout tx: %zu", measure_tx_cost(tx)); return tx; } static void reset_onchain_closing(struct peer *peer) { if (peer->closing_onchain.tx) { /* FIXME: Log old txid */ log_unusual(peer->log, "New anchor spend, forgetting old"); peer->closing_onchain.tx = tal_free(peer->closing_onchain.tx); peer->closing_onchain.resolved = NULL; peer->closing_onchain.ci = NULL; } } static const struct bitcoin_tx *irrevocably_resolved(struct peer *peer) { /* We can't all be irrevocably resolved until the commit tx is, * so just mark that as resolving us. */ return peer->closing_onchain.tx; } static void connect_input(const struct commit_info *ci, struct bitcoin_tx_input *input, u32 index) { bitcoin_txid(ci->tx, &input->txid); input->index = index; input->amount = tal_dup(ci, u64, &ci->tx->output[index].amount); } static void resolve_cheating(struct peer *peer) { const struct bitcoin_tx *tx = peer->closing_onchain.tx; const struct commit_info *ci = peer->closing_onchain.ci; struct bitcoin_tx *steal_tx; u8 **wscripts; size_t i, n, num_to_steal; int *map; peer->closing_onchain.resolved = tal_arrz(tx, const struct bitcoin_tx *, tal_count(ci->map)); /* BOLT #onchain: * * If a node sees a *commitment tx* for which it has a revocation * preimage, it *resolves* the funding transaction output: * * 1. _A's main output_: No action is required; this is a * simple P2WPKH output. This output is considered * *resolved* by the *commitment tx*. */ /* Their commit tx, so our output is [1], theirs in [0]. */ peer->closing_onchain.resolved[1] = tx; /* BOLT #onchain: * * 2. _B's main output_: The node MUST *resolve* this by * spending using the revocation preimage. * * 3. _A's offered HTLCs_: The node MUST *resolve* this by * spending using the revocation preimage. * * 4. _B's offered HTLCs_: The node MUST *resolve* this by * spending using the revocation preimage. */ num_to_steal = 0; if (ci->map[0] == -1) peer->closing_onchain.resolved[0] = tx; else num_to_steal++; for (i = 2; i < tal_count(ci->map); i++) if (ci->map[i] == -1) peer->closing_onchain.resolved[i] = tx; else num_to_steal++; /* Nothing to steal? */ if (num_to_steal == 0) return; /* BOLT #onchain: * * The node MAY use a single transaction to *resolve* all the * outputs; due to the 300 HTLC-per-party limit (See BOLT #2: * 3.2. Adding an HTLC) this can be done within a standard * transaction. */ steal_tx = bitcoin_tx(peer, num_to_steal, 1); wscripts = tal_arr(steal_tx, u8 *, num_to_steal); n = 0; if (ci->map[0] != -1) { connect_input(ci, &steal_tx->input[n], ci->map[0]); peer->closing_onchain.resolved[0] = steal_tx; wscripts[n++] = bitcoin_redeem_secret_or_delay(wscripts, peer->dstate->secpctx, &peer->remote.finalkey, &peer->local.locktime, &peer->local.finalkey, &ci->revocation_hash); } for (i = 2; i < tal_count(ci->map); i++) { struct htlc *h; if (ci->map[i] == -1) continue; peer->closing_onchain.resolved[i] = steal_tx; connect_input(ci, &steal_tx->input[n], ci->map[i]); h = htlc_by_index(ci, i); if (!htlc_is_ours(ci, i)) { wscripts[n] = bitcoin_redeem_htlc_send(wscripts, peer->dstate->secpctx, &peer->remote.finalkey, &peer->local.finalkey, &h->expiry, &peer->local.locktime, &ci->revocation_hash, &h->rhash); } else { wscripts[n] = bitcoin_redeem_htlc_recv(wscripts, peer->dstate->secpctx, &peer->remote.finalkey, &peer->local.finalkey, &h->expiry, &peer->local.locktime, &ci->revocation_hash, &h->rhash); } n++; } assert(n == num_to_steal); /* This obscures the order in which HTLCs were received, at least. */ map = tal_arr(steal_tx, int, num_to_steal); permute_inputs(steal_tx->input, steal_tx->input_count, map); /* Now, we can sign them all (they're all of same form). */ for (n = 0; n < num_to_steal; n++) { struct bitcoin_signature sig; sig.stype = SIGHASH_ALL; peer_sign_steal_input(peer, steal_tx, map[n], wscripts[n], &sig.sig); steal_tx->input[map[n]].witness = bitcoin_witness_secret(steal_tx, peer->dstate->secpctx, ci->revocation_preimage, sizeof(*ci->revocation_preimage), &sig, wscripts[n]); } broadcast_tx(peer, steal_tx); } static enum watch_result our_htlc_spent(struct peer *peer, const struct bitcoin_tx *tx, size_t input_num, ptrint_t *pi) { struct htlc *h; struct sha256 sha; struct rval preimage; size_t i = ptr2int(pi); /* It should be spending the HTLC we expect. */ assert(peer->closing_onchain.ci->map[i] == tx->input[input_num].index); /* BOLT #onchain: * * If a node sees a redemption transaction...the node MUST extract the * preimage from the transaction input witness. This is either to * prove payment (if this node originated the payment), or to redeem * the corresponding incoming HTLC from another peer. */ /* This is the form of all HTLC spends. */ if (!tx->input[input_num].witness || tal_count(tx->input[input_num].witness) != 3 || tal_count(tx->input[input_num].witness[1]) != sizeof(preimage)) fatal("Impossible HTLC spend for %zu", i); /* Our timeout tx has all-zeroes, so we can distinguish it. */ if (memeqzero(tx->input[input_num].witness[1], sizeof(preimage))) /* They might try to race us. */ return KEEP_WATCHING; memcpy(&preimage, tx->input[input_num].witness[1], sizeof(preimage)); sha256(&sha, &preimage, sizeof(preimage)); h = htlc_by_index(peer->closing_onchain.ci, i); /* FIXME: This could happen with a ripemd collision, since * script.c only checks that ripemd matches... */ if (!structeq(&sha, &h->rhash)) fatal("HTLC redeemed with incorrect r value?"); log_unusual(peer->log, "Peer redeemed HTLC %zu on-chain using r value", i); our_htlc_fulfilled(peer, h, &preimage); /* BOLT #onchain: * * If a node sees a redemption transaction, the output is considered * *irrevocably resolved*... Note that we don't care about the fate of * the redemption transaction itself once we've extracted the * preimage; the knowledge is not revocable. */ peer->closing_onchain.resolved[i] = irrevocably_resolved(peer); return DELETE_WATCH; } static void our_htlc_failed(struct peer *peer, struct htlc *htlc) { if (htlc->src) command_htlc_fail(htlc->src->peer, htlc->src); else complete_pay_command(peer, htlc); } /* We've spent an HTLC output to get our funds back. There's still a * chance that they could also spend the HTLC output (using the preimage), * so we need to wait for some confirms. * * However, we don't want to wait too long: our upstream will get upset if * their HTLC has timed out and we don't close it. So we wait one less * than the HTLC timeout difference. */ static enum watch_result our_htlc_timeout_depth(struct peer *peer, unsigned int depth, const struct sha256_double *txid, ptrint_t *i) { if (depth == 0) return KEEP_WATCHING; if (depth + 1 < peer->dstate->config.min_htlc_expiry) return KEEP_WATCHING; our_htlc_failed(peer, htlc_by_index(peer->closing_onchain.ci, ptr2int(i))); return DELETE_WATCH; } static enum watch_result our_htlc_depth(struct peer *peer, unsigned int depth, const struct sha256_double *txid, bool our_commit, size_t i) { struct htlc *h; u32 height; /* Must be in a block. */ if (depth == 0) return KEEP_WATCHING; height = get_block_height(peer->dstate); h = htlc_by_index(peer->closing_onchain.ci, i); /* BOLT #onchain: * * If the *commitment tx* is the other node's, the output is * considered *timed out* once the HTLC is expired. If the * *commitment tx* is this node's, the output is considered *timed * out* once the HTLC is expired, AND the output's * `OP_CHECKSEQUENCEVERIFY` delay has passed. */ if (height < abs_locktime_to_blocks(&h->expiry)) return KEEP_WATCHING; if (our_commit) { if (depth < rel_locktime_to_blocks(&peer->remote.locktime)) return KEEP_WATCHING; } /* BOLT #onchain: * * If the output has *timed out* and not been *resolved*, the node * MUST *resolve* the output by spending it. */ /* FIXME: we should simply delete this watch if HTLC is fulfilled. */ if (!peer->closing_onchain.resolved[i]) { peer->closing_onchain.resolved[i] = htlc_timeout_tx(peer, peer->closing_onchain.ci, i); watch_tx(peer->closing_onchain.resolved[i], peer, peer->closing_onchain.resolved[i], our_htlc_timeout_depth, int2ptr(i)); broadcast_tx(peer, peer->closing_onchain.resolved[i]); } return DELETE_WATCH; } static enum watch_result our_htlc_depth_ourcommit(struct peer *peer, unsigned int depth, const struct sha256_double *txid, ptrint_t *i) { return our_htlc_depth(peer, depth, txid, true, ptr2int(i)); } static enum watch_result our_htlc_depth_theircommit(struct peer *peer, unsigned int depth, const struct sha256_double *txid, ptrint_t *i) { return our_htlc_depth(peer, depth, txid, false, ptr2int(i)); } static void resolve_our_htlcs(struct peer *peer, const struct commit_info *ci, const struct bitcoin_tx *tx, const struct bitcoin_tx **resolved, bool from_ourcommit, size_t start, size_t num) { size_t i; struct sha256_double txid; bitcoin_txid(tx, &txid); for (i = start; i < start + num; i++) { /* Doesn't exist? Resolved by tx itself. */ if (ci->map[i] == -1) { resolved[i] = tx; continue; } /* BOLT #onchain: * * A node MUST watch for spends of *commitment tx* outputs for * HTLCs it offered; each one must be *resolved* by a timeout * transaction (the node pays back to itself) or redemption * transaction (the other node provides the redemption * preimage). */ watch_txo(tx, peer, &txid, ci->map[i], our_htlc_spent, int2ptr(i)); watch_txid(tx, peer, &txid, from_ourcommit ? our_htlc_depth_ourcommit : our_htlc_depth_theircommit, int2ptr(i)); } } void our_htlc_fulfilled(struct peer *peer, struct htlc *htlc, const struct rval *preimage) { if (htlc->src) command_htlc_fulfill(htlc->src->peer, htlc->src, preimage); else { assert(!htlc->r); htlc->r = tal_dup(htlc, struct rval, preimage); complete_pay_command(peer, htlc); } } static enum watch_result their_htlc_depth(struct peer *peer, unsigned int depth, const struct sha256_double *txid, ptrint_t *pi) { u32 height; struct htlc *h; size_t i = ptr2int(pi); /* Must be in a block. */ if (depth == 0) return KEEP_WATCHING; height = get_block_height(peer->dstate); h = htlc_by_index(peer->closing_onchain.ci, i); /* BOLT #onchain: * * Otherwise, if the output HTLC has expired, it is considered * *irrevocably resolved*. */ if (height < abs_locktime_to_blocks(&h->expiry)) return KEEP_WATCHING; peer->closing_onchain.resolved[i] = irrevocably_resolved(peer); return DELETE_WATCH; } static void resolve_their_htlcs(struct peer *peer, const struct commit_info *ci, const struct bitcoin_tx *tx, const struct bitcoin_tx **resolved, size_t start, size_t num) { size_t i; for (i = start; i < start + num; i++) { struct htlc *htlc; /* Doesn't exist? Resolved by tx itself. */ if (ci->map[i] == -1) { resolved[i] = tx; continue; } /* BOLT #onchain: * * If the node ... already knows... a redemption preimage for * an unresolved *commitment tx* output it was offered, it * MUST *resolve* the output by spending it using the * preimage. */ htlc = htlc_by_index(ci, i); if (htlc->r) { peer->closing_onchain.resolved[i] = htlc_fulfill_tx(peer, ci, i); broadcast_tx(peer, peer->closing_onchain.resolved[i]); } else { /* BOLT #onchain: * * Otherwise, if the output HTLC has expired, it is * considered *irrevocably resolved*. */ watch_tx(tx, peer, tx, their_htlc_depth, int2ptr(i)); } } } static enum watch_result our_main_output_depth(struct peer *peer, unsigned int depth, const struct sha256_double *txid, void *unused) { /* Not past CSV timeout? */ if (depth < rel_locktime_to_blocks(&peer->remote.locktime)) return KEEP_WATCHING; assert(!peer->closing_onchain.resolved[0]); /* BOLT #onchain: * * 1. _A's main output_: A node SHOULD spend this output to a * convenient address. This avoids having to remember the * complicated witness script associated with that particular * channel for later spending. ... If the output is spent (as * recommended), the output is *resolved* by the spending * transaction */ peer->closing_onchain.resolved[0] = bitcoin_spend_ours(peer); broadcast_tx(peer, peer->closing_onchain.resolved[0]); return DELETE_WATCH; } /* Any of our HTLCs we didn't have in our commitment tx, but they did, * we can't fail until we're sure our commitment tx will win. */ static enum watch_result our_unilateral_depth(struct peer *peer, unsigned int depth, const struct sha256_double *txid, void *unused) { size_t i; if (depth < peer->dstate->config.min_htlc_expiry) return KEEP_WATCHING; for (i = 0; i < tal_count(peer->local.commit->acked_changes); i++) { if (peer->local.commit->acked_changes[i].type != HTLC_ADD) continue; our_htlc_failed(peer, peer->local.commit->acked_changes[i].add.htlc); } return DELETE_WATCH; } /* BOLT #onchain: * * When node A sees its own *commitment tx*: */ static void resolve_our_unilateral(struct peer *peer) { const struct bitcoin_tx *tx = peer->closing_onchain.tx; const struct commit_info *ci = peer->closing_onchain.ci; size_t num_ours, num_theirs; peer->closing_onchain.resolved = tal_arrz(tx, const struct bitcoin_tx *, tal_count(ci->map)); /* This only works because we always watch for a long time before * freeing peer, by which time this has resolved. We could create * resolved[] entries for these uncommitted HTLCs, too. */ watch_tx(tx, peer, tx, our_unilateral_depth, NULL); /* BOLT #onchain: * * 1. _A's main output_: A node SHOULD spend this output to a * convenient address. ... A node MUST wait until the * `OP_CHECKSEQUENCEVERIFY` delay has passed (as specified by the * other node's `open_channel` `delay` field) before spending the * output. */ watch_tx(tx, peer, tx, our_main_output_depth, NULL); /* BOLT #onchain: * * 2. _B's main output_: No action required, this output is considered * *resolved* by the *commitment tx*. */ peer->closing_onchain.resolved[1] = tx; num_ours = tal_count(ci->cstate->side[OURS].htlcs); num_theirs = tal_count(ci->cstate->side[THEIRS].htlcs); /* BOLT #onchain: * * 3. _A's offered HTLCs_: See On-chain HTLC Handling: Our Offers below. */ resolve_our_htlcs(peer, ci, tx, peer->closing_onchain.resolved, true, 2, num_ours); /* BOLT #onchain: * * 4. _B's offered HTLCs_: See On-chain HTLC Handling: Their * Offers below. */ resolve_their_htlcs(peer, ci, tx, peer->closing_onchain.resolved, 2 + num_ours, num_theirs); } /* BOLT #onchain: * * Similarly, when node A sees a *commitment tx* from B: */ static void resolve_their_unilateral(struct peer *peer) { const struct bitcoin_tx *tx = peer->closing_onchain.tx; const struct commit_info *ci = peer->closing_onchain.ci; size_t num_ours, num_theirs; peer->closing_onchain.resolved = tal_arrz(tx, const struct bitcoin_tx *, tal_count(ci->map)); /* BOLT #onchain: * * 1. _A's main output_: No action is required; this is a * simple P2WPKH output. This output is considered * *resolved* by the *commitment tx*. */ peer->closing_onchain.resolved[1] = tx; /* BOLT #onchain: * * 2. _B's main output_: No action required, this output is * considered *resolved* by the *commitment tx*. */ peer->closing_onchain.resolved[0] = tx; num_ours = tal_count(ci->cstate->side[OURS].htlcs); num_theirs = tal_count(ci->cstate->side[THEIRS].htlcs); /* BOLT #onchain: * * 3. _A's offered HTLCs_: See On-chain HTLC Handling: Our Offers below. */ resolve_our_htlcs(peer, ci, tx, peer->closing_onchain.resolved, false, 2 + num_theirs, num_ours); /* BOLT #onchain: * * 4. _B's offered HTLCs_: See On-chain HTLC Handling: Their * Offers below. */ resolve_their_htlcs(peer, ci, tx, peer->closing_onchain.resolved, 2, num_theirs); } static void resolve_mutual_close(struct peer *peer) { const struct bitcoin_tx *tx = peer->closing_onchain.tx; /* BOLT #onchain: * * A node doesn't need to do anything else as it has already agreed to * the output, which is sent to its specified scriptpubkey (see BOLT * #2 "4.1: Closing initiation: close_clearing"). */ peer->closing_onchain.resolved = tal_arr(tx, const struct bitcoin_tx *, 0); } /* Called every time the tx spending the funding tx changes depth. */ static enum watch_result check_for_resolution(struct peer *peer, unsigned int depth, const struct sha256_double *txid, void *unused) { size_t i, n = tal_count(peer->closing_onchain.resolved); size_t forever = peer->dstate->config.forever_confirms; /* BOLT #onchain: * * A node MUST *resolve* all outputs as specified below, and MUST be * prepared to resolve them multiple times in case of blockchain * reorganizations. */ for (i = 0; i < n; i++) if (!peer->closing_onchain.resolved[i]) return KEEP_WATCHING; /* BOLT #onchain: * * Outputs which are *resolved* by a transaction are considered * *irrevocably resolved* once they are included in a block at least * 100 deep on the most-work blockchain. */ if (depth < forever) return KEEP_WATCHING; for (i = 0; i < n; i++) { struct sha256_double txid; bitcoin_txid(peer->closing_onchain.resolved[i], &txid); if (get_tx_depth(peer->dstate, &txid) < forever) return KEEP_WATCHING; } /* BOLT #onchain: * * A node MUST monitor the blockchain for transactions which spend any * output which is not *irrevocably resolved* until all outputs are * *irrevocably resolved*. */ set_peer_state(peer, STATE_CLOSED, "check_for_resolution"); /* It's theoretically possible that peer is still writing output */ if (!peer->conn) io_break(peer); else io_wake(peer); return DELETE_WATCH; } /* We assume the tx is valid! Don't do a blockchain.info and feed this * invalid transactions! */ static enum watch_result anchor_spent(struct peer *peer, const struct bitcoin_tx *tx, size_t input_num, void *unused) { struct sha256_double txid; Pkt *err; enum state newstate; size_t i; assert(input_num < tx->input_count); /* We only ever sign single-input txs. */ if (input_num != 0) fatal("Anchor spend by non-single input tx"); /* We may have been following a different spend. Forget it. */ reset_onchain_closing(peer); peer->closing_onchain.tx = tal_steal(peer, tx); bitcoin_txid(tx, &txid); /* If we have any HTLCs we're not committed to yet, fail them now. */ for (i = 0; i < tal_count(peer->remote.commit->unacked_changes); i++) { if (peer->remote.commit->unacked_changes[i].type != HTLC_ADD) continue; our_htlc_failed(peer, peer->remote.commit->unacked_changes[i].add.htlc); } peer->closing_onchain.ci = find_commit(peer->remote.commit, &txid); if (peer->closing_onchain.ci) { if (peer->closing_onchain.ci->revocation_preimage) { newstate = STATE_CLOSE_ONCHAIN_CHEATED; err = pkt_err(peer, "Revoked transaction seen"); resolve_cheating(peer); } else { newstate = STATE_CLOSE_ONCHAIN_THEIR_UNILATERAL; err = pkt_err(peer, "Unilateral close tx seen"); resolve_their_unilateral(peer); } } else if (txidmatch(peer->local.commit->tx, &txid)) { newstate = STATE_CLOSE_ONCHAIN_OUR_UNILATERAL; /* We're almost certainly closed to them by now. */ err = pkt_err(peer, "Our own unilateral close tx seen"); peer->closing_onchain.ci = peer->local.commit; resolve_our_unilateral(peer); } else if (is_mutual_close(peer, tx)) { newstate = STATE_CLOSE_ONCHAIN_MUTUAL; err = NULL; resolve_mutual_close(peer); } else { /* BOLT #onchain: * * A node SHOULD report an error to the operator if it * sees a transaction spend the funding transaction * output which does not fall into one of these * categories (mutual close, unilateral close, or * cheating attempt). Such a transaction implies its * private key has leaked, and funds may be lost. */ /* FIXME: Log harder! */ log_broken(peer->log, "Unknown tx spend! Funds may be lost!"); set_peer_state(peer, STATE_ERR_INFORMATION_LEAK, "anchor_spent"); /* No longer call into the state machine. */ peer->anchor.watches->depthok = INPUT_NONE; return DELETE_WATCH; } /* BOLT #onchain: * * A node MAY send a descriptive error packet in this case. */ if (err && state_can_io(peer->state)) queue_pkt_err(peer, err); set_peer_state(peer, newstate, "anchor_spent"); /* If we've just closed connection, make output close it. */ io_wake(peer); /* BOLT #onchain: * * A node SHOULD fail the connection if it is not already * closed when it sees the funding transaction spent. */ assert(!state_can_io(peer->state)); assert(peer->closing_onchain.resolved != NULL); watch_tx(tx, peer, tx, check_for_resolution, NULL); /* No longer call into the state machine. */ peer->anchor.watches->depthok = INPUT_NONE; return KEEP_WATCHING; } static void anchor_timeout(struct anchor_watch *w) { assert(w == w->peer->anchor.watches); state_event(w->peer, w->timeout, NULL); /* Freeing this gets rid of the other watches, and timer, too. */ w->peer->anchor.watches = tal_free(w); } void peer_watch_anchor(struct peer *peer, enum state_input depthok, enum state_input timeout) { struct anchor_watch *w; w = peer->anchor.watches = tal(peer, struct anchor_watch); w->peer = peer; w->depthok = depthok; w->timeout = timeout; watch_txid(w, peer, &peer->anchor.txid, anchor_depthchange, NULL); watch_txo(w, peer, &peer->anchor.txid, 0, anchor_spent, NULL); /* For anchor timeout, expect 20 minutes per block, +2 hours. * * Probability(no block in time N) = e^(-N/600). * Thus for 1 block, P = e^(-(7200+1*1200)/600) = 0.83 in a million. * * Glenn Willen says, if we want to know how many 10-minute intervals for * a 1 in a million chance of spurious failure for N blocks, put * this into http://www.wolframalpha.com: * * e^(-x) * sum x^i / fact(i), i=0 to N < 1/1000000 * * N=20: 51 * N=10: 35 * N=8: 31 * N=6: 28 * N=4: 24 * N=3: 22 * N=2: 20 * * So, our formula of 12 + N*2 holds for N <= 20 at least. */ if (w->timeout != INPUT_NONE) { w->timer = new_reltimer(peer->dstate, w, time_from_sec(7200 + 20*peer->local.mindepth), anchor_timeout, w); } else w->timer = NULL; } void peer_unwatch_anchor_depth(struct peer *peer, enum state_input depthok, enum state_input timeout) { assert(peer->anchor.watches); assert(peer->anchor.watches->depthok == depthok); peer->anchor.watches->depthok = INPUT_NONE; } uint64_t commit_tx_fee(const struct bitcoin_tx *commit, uint64_t anchor_satoshis) { uint64_t i, total = 0; for (i = 0; i < commit->output_count; i++) total += commit->output[i].amount; assert(anchor_satoshis >= total); return anchor_satoshis - total; } struct bitcoin_tx *peer_create_close_tx(struct peer *peer, u64 fee) { struct channel_state cstate; /* We don't need a deep copy here, just fee levels. */ cstate = *peer->local.staging_cstate; if (!force_fee(&cstate, fee)) { log_unusual(peer->log, "peer_create_close_tx: can't afford fee %"PRIu64, fee); return NULL; } log_debug(peer->log, "creating close-tx with fee %"PRIu64" amounts %u/%u to ", fee, cstate.side[OURS].pay_msat / 1000, cstate.side[THEIRS].pay_msat / 1000); log_add_struct(peer->log, "%s", struct pubkey, &peer->local.finalkey); log_add_struct(peer->log, "/%s", struct pubkey, &peer->remote.finalkey); return create_close_tx(peer->dstate->secpctx, peer, peer->closing.our_script, peer->closing.their_script, &peer->anchor.txid, peer->anchor.index, peer->anchor.satoshis, cstate.side[OURS].pay_msat / 1000, cstate.side[THEIRS].pay_msat / 1000); } void peer_calculate_close_fee(struct peer *peer) { /* Use actual worst-case length of close tx: based on BOLT#02's * commitment tx numbers, but only 1 byte for output count */ const uint64_t txsize = 41 + 221 + 10 + 32 + 32; uint64_t maxfee; /* FIXME: Dynamic fee */ peer->closing.our_fee = fee_by_feerate(txsize, peer->dstate->config.closing_fee_rate); /* BOLT #2: * The sender MUST set `close_fee` lower than or equal to the * fee of the final commitment transaction, and MUST set * `close_fee` to an even number of satoshis. */ maxfee = commit_tx_fee(peer->local.commit->tx, peer->anchor.satoshis); if (peer->closing.our_fee > maxfee) { /* This shouldn't happen: we never accept a commit fee * less than the min_rate, which is greater than the * closing_fee_rate. Also, our txsize estimate for * the closing tx is 2 bytes smaller than the commitment tx. */ log_unusual(peer->log, "Closing fee %"PRIu64" exceeded commit fee %"PRIu64", reducing.", peer->closing.our_fee, maxfee); peer->closing.our_fee = maxfee; /* This can happen if actual commit txfee is odd. */ if (peer->closing.our_fee & 1) peer->closing.our_fee--; } assert(!(peer->closing.our_fee & 1)); } void peer_unexpected_pkt(struct peer *peer, const Pkt *pkt) { const char *p; /* Check packet for weird chars. */ for (p = pkt->error->problem; *p; p++) { if (cisprint(*p)) continue; p = tal_hexstr(peer, pkt->error->problem, strlen(pkt->error->problem)); log_unusual(peer->log, "Error pkt (hex) %s", p); tal_free(p); return; } log_unusual(peer->log, "Error pkt '%s'", pkt->error->problem); } /* Create a bitcoin close tx, using last signature they sent. */ const struct bitcoin_tx *bitcoin_close(struct peer *peer) { struct bitcoin_tx *close_tx; struct bitcoin_signature our_close_sig; close_tx = peer_create_close_tx(peer, peer->closing.their_fee); our_close_sig.stype = SIGHASH_ALL; peer_sign_mutual_close(peer, close_tx, &our_close_sig.sig); close_tx->input[0].witness = bitcoin_witness_2of2(close_tx->input, peer->dstate->secpctx, peer->closing.their_sig, &our_close_sig, &peer->remote.commitkey, &peer->local.commitkey); return close_tx; } /* Create a bitcoin spend tx (to spend our commit's outputs) */ const struct bitcoin_tx *bitcoin_spend_ours(struct peer *peer) { u8 *witnessscript; const struct bitcoin_tx *commit = peer->local.commit->tx; struct bitcoin_signature sig; struct bitcoin_tx *tx; unsigned int p2wsh_out; uint64_t fee; /* The redeemscript for a commit tx is fairly complex. */ witnessscript = bitcoin_redeem_secret_or_delay(peer, peer->dstate->secpctx, &peer->local.finalkey, &peer->remote.locktime, &peer->remote.finalkey, &peer->local.commit->revocation_hash); /* Now, create transaction to spend it. */ tx = bitcoin_tx(peer, 1, 1); bitcoin_txid(commit, &tx->input[0].txid); p2wsh_out = find_p2wsh_out(commit, witnessscript); tx->input[0].index = p2wsh_out; tx->input[0].sequence_number = bitcoin_nsequence(&peer->remote.locktime); tx->input[0].amount = tal_dup(tx->input, u64, &commit->output[p2wsh_out].amount); tx->output[0].script = scriptpubkey_p2sh(tx, bitcoin_redeem_single(tx, peer->dstate->secpctx, &peer->local.finalkey)); tx->output[0].script_length = tal_count(tx->output[0].script); /* Witness length can vary, due to DER encoding of sigs, but we * use 176 from an example run. */ assert(measure_tx_cost(tx) == 83 * 4); /* FIXME: Dynamic fees! */ fee = fee_by_feerate(83 + 176 / 4, peer->dstate->config.closing_fee_rate); /* FIXME: Fail gracefully in these cases (not worth collecting) */ if (fee > commit->output[p2wsh_out].amount || is_dust_amount(commit->output[p2wsh_out].amount - fee)) fatal("Amount of %"PRIu64" won't cover fee %"PRIu64, commit->output[p2wsh_out].amount, fee); tx->output[0].amount = commit->output[p2wsh_out].amount - fee; sig.stype = SIGHASH_ALL; peer_sign_spend(peer, tx, witnessscript, &sig.sig); tx->input[0].witness = bitcoin_witness_secret(tx, peer->dstate->secpctx, NULL, 0, &sig, witnessscript); return tx; } /* Sign and return our commit tx */ const struct bitcoin_tx *bitcoin_commit(struct peer *peer) { struct bitcoin_signature sig; /* Can't be signed already, and can't have scriptsig! */ assert(peer->local.commit->tx->input[0].script_length == 0); assert(!peer->local.commit->tx->input[0].witness); sig.stype = SIGHASH_ALL; peer_sign_ourcommit(peer, peer->local.commit->tx, &sig.sig); peer->local.commit->tx->input[0].witness = bitcoin_witness_2of2(peer->local.commit->tx->input, peer->dstate->secpctx, peer->local.commit->sig, &sig, &peer->remote.commitkey, &peer->local.commitkey); return peer->local.commit->tx; } /* Now we can create anchor tx. */ static void got_feerate(struct lightningd_state *dstate, u64 rate, struct peer *peer) { u64 fee; struct bitcoin_tx *tx = bitcoin_tx(peer, 1, 1); size_t i; tx->output[0].script = scriptpubkey_p2wsh(tx, peer->anchor.witnessscript); tx->output[0].script_length = tal_count(tx->output[0].script); /* Add input script length. FIXME: This is normal case, not exact. */ fee = fee_by_feerate(measure_tx_cost(tx)/4 + 1+73 + 1+33 + 1, rate); if (fee >= peer->anchor.input->amount) /* FIXME: Report an error here! * We really should set this when they do command, but * we need to modify state to allow immediate anchor * creation: using estimate_fee is a convenient workaround. */ fatal("Amount %"PRIu64" below fee %"PRIu64, peer->anchor.input->amount, fee); tx->output[0].amount = peer->anchor.input->amount - fee; tx->input[0].txid = peer->anchor.input->txid; tx->input[0].index = peer->anchor.input->index; tx->input[0].amount = tal_dup(tx->input, u64, &peer->anchor.input->amount); wallet_add_signed_input(peer->dstate, peer->anchor.input->w, tx, 0); bitcoin_txid(tx, &peer->anchor.txid); peer->anchor.tx = tx; peer->anchor.index = 0; /* We'll need this later, when we're told to broadcast it. */ peer->anchor.satoshis = tx->output[0].amount; /* To avoid malleation, all inputs must be segwit! */ for (i = 0; i < tx->input_count; i++) assert(tx->input[i].witness); state_event(peer, BITCOIN_ANCHOR_CREATED, NULL); } /* Creation the bitcoin anchor tx, spending output user provided. */ void bitcoin_create_anchor(struct peer *peer, enum state_input done) { /* We must be offering anchor for us to try creating it */ assert(peer->local.offer_anchor); assert(done == BITCOIN_ANCHOR_CREATED); bitcoind_estimate_fee(peer->dstate, got_feerate, peer); } /* We didn't end up broadcasting the anchor: we don't need to do anything * to "release" TXOs, since we have our own internal wallet now. */ void bitcoin_release_anchor(struct peer *peer, enum state_input done) { } /* Get the bitcoin anchor tx. */ const struct bitcoin_tx *bitcoin_anchor(struct peer *peer) { return peer->anchor.tx; } void add_unacked(struct peer_visible_state *which, const union htlc_staging *stage) { size_t n = tal_count(which->commit->unacked_changes); tal_resize(&which->commit->unacked_changes, n+1); which->commit->unacked_changes[n] = *stage; } void add_acked_changes(union htlc_staging **acked, const union htlc_staging *changes) { size_t n_acked, n_changes; n_acked = tal_count(*acked); n_changes = tal_count(changes); tal_resize(acked, n_acked + n_changes); memcpy(*acked + n_acked, changes, n_changes * sizeof(*changes)); } static const char *owner_name(enum channel_side side) { return side == OURS ? "our" : "their"; } static void route_htlc_onwards(struct peer *peer, struct htlc *htlc, u64 msatoshis, const BitcoinPubkey *pb_id, const u8 *rest_of_route) { struct pubkey id; struct peer *next; log_debug_struct(peer->log, "Forwarding HTLC %s", struct sha256, &htlc->rhash); log_add(peer->log, " (id %"PRIu64")", htlc->id); if (!proto_to_pubkey(peer->dstate->secpctx, pb_id, &id)) { log_unusual(peer->log, "Malformed pubkey for HTLC %"PRIu64, htlc->id); command_htlc_fail(peer, htlc); return; } next = find_peer(peer->dstate, &id); if (!next || !next->nc) { log_unusual(peer->log, "Can't route HTLC %"PRIu64": no %speer ", htlc->id, next ? "ready " : ""); log_add_struct(peer->log, "%s", struct pubkey, &id); if (!peer->dstate->dev_never_routefail) command_htlc_fail(peer, htlc); return; } /* Offered fee must be sufficient. */ if (htlc->msatoshis - msatoshis < connection_fee(next->nc, msatoshis)) { log_unusual(peer->log, "Insufficient fee for HTLC %"PRIu64 ": %"PRIi64" on %"PRIu64, htlc->id, htlc->msatoshis - msatoshis, msatoshis); command_htlc_fail(peer, htlc); return; } log_debug_struct(peer->log, "HTLC forward to %s", struct pubkey, next->id); /* This checks the HTLC itself is possible. */ if (!command_htlc_add(next, msatoshis, abs_locktime_to_blocks(&htlc->expiry) - next->nc->delay, &htlc->rhash, htlc, rest_of_route)) { command_htlc_fail(peer, htlc); return; } } static void their_htlc_added(struct peer *peer, struct htlc *htlc) { RouteStep *step; const u8 *rest_of_route; struct payment *payment; if (abs_locktime_is_seconds(&htlc->expiry)) { log_unusual(peer->log, "HTLC %"PRIu64" is in seconds", htlc->id); command_htlc_fail(peer, htlc); return; } if (abs_locktime_to_blocks(&htlc->expiry) <= get_block_height(peer->dstate) + peer->dstate->config.min_htlc_expiry) { log_unusual(peer->log, "HTLC %"PRIu64" expires too soon:" " block %u", htlc->id, abs_locktime_to_blocks(&htlc->expiry)); command_htlc_fail(peer, htlc); return; } if (abs_locktime_to_blocks(&htlc->expiry) > get_block_height(peer->dstate) + peer->dstate->config.max_htlc_expiry) { log_unusual(peer->log, "HTLC %"PRIu64" expires too far:" " block %u", htlc->id, abs_locktime_to_blocks(&htlc->expiry)); command_htlc_fail(peer, htlc); return; } step = onion_unwrap(peer, htlc->routing, tal_count(htlc->routing), &rest_of_route); if (!step) { log_unusual(peer->log, "Bad onion, failing HTLC %"PRIu64, htlc->id); command_htlc_fail(peer, htlc); return; } switch (step->next_case) { case ROUTE_STEP__NEXT_END: payment = find_payment(peer->dstate, &htlc->rhash); if (!payment) { log_unusual(peer->log, "No payment for HTLC %"PRIu64, htlc->id); log_add_struct(peer->log, " rhash=%s", struct sha256, &htlc->rhash); if (unlikely(!peer->dstate->dev_never_routefail)) command_htlc_fail(peer, htlc); goto free_rest; } if (htlc->msatoshis != payment->msatoshis) { log_unusual(peer->log, "Short payment for HTLC %"PRIu64 ": %"PRIu64" not %"PRIu64 " satoshi!", htlc->id, htlc->msatoshis, payment->msatoshis); command_htlc_fail(peer, htlc); return; } log_info(peer->log, "Immediately resolving HTLC %"PRIu64, htlc->id); command_htlc_fulfill(peer, htlc, &payment->r); goto free_rest; case ROUTE_STEP__NEXT_BITCOIN: route_htlc_onwards(peer, htlc, step->amount, step->bitcoin, rest_of_route); goto free_rest; default: log_info(peer->log, "Unknown step type %u", step->next_case); command_htlc_fail(peer, htlc); goto free_rest; } free_rest: tal_free(rest_of_route); } /* When changes are committed to. */ void peer_both_committed_to(struct peer *peer, const union htlc_staging *changes, enum channel_side side) { size_t i, n = tal_count(changes); /* All this, simply for debugging. */ for (i = 0; i < n; i++) { u64 htlc_id; const char *type, *owner; switch (changes[i].type) { case HTLC_ADD: type = "ADD"; htlc_id = changes[i].add.htlc->id; owner = owner_name(side); assert(cstate_htlc_by_id(peer->remote.commit->cstate, htlc_id, side)); assert(cstate_htlc_by_id(peer->local.commit->cstate, htlc_id, side)); goto print; case HTLC_FAIL: type = "FAIL"; htlc_id = changes[i].fail.htlc->id; owner = owner_name(!side); assert(!cstate_htlc_by_id(peer->remote.commit->cstate, htlc_id, !side)); assert(!cstate_htlc_by_id(peer->local.commit->cstate, htlc_id, !side)); assert(cstate_htlc_by_id(peer->remote.commit->prev->cstate, htlc_id, !side) || cstate_htlc_by_id(peer->local.commit->prev->cstate, htlc_id, !side)); goto print; case HTLC_FULFILL: type = "FULFILL"; htlc_id = changes[i].fulfill.htlc->id; owner = owner_name(!side); assert(!cstate_htlc_by_id(peer->remote.commit->cstate, htlc_id, !side)); assert(!cstate_htlc_by_id(peer->local.commit->cstate, htlc_id, !side)); assert(cstate_htlc_by_id(peer->remote.commit->prev->cstate, htlc_id, !side) || cstate_htlc_by_id(peer->local.commit->prev->cstate, htlc_id, !side)); goto print; } abort(); print: log_debug(peer->log, "Both committed to %s of %s HTLC %"PRIu64, type, owner, htlc_id); } /* We actually only respond to changes they made. */ if (side == OURS) return; for (i = 0; i < n; i++) { switch (changes[i].type) { case HTLC_ADD: their_htlc_added(peer, changes[i].add.htlc); break; case HTLC_FULFILL: /* We handled this as soon as we got it. */ break; case HTLC_FAIL: our_htlc_failed(peer, changes[i].fail.htlc); break; } } } /* Sets up the initial cstate and commit tx for both nodes: false if * insufficient funds. */ bool setup_first_commit(struct peer *peer) { assert(!peer->local.commit->tx); assert(!peer->remote.commit->tx); /* Revocation hashes already filled in, from pkt_open */ peer->local.commit->cstate = initial_cstate(peer, peer->anchor.satoshis, peer->local.commit_fee_rate, peer->local.offer_anchor == CMD_OPEN_WITH_ANCHOR ? OURS : THEIRS); if (!peer->local.commit->cstate) return false; peer->remote.commit->cstate = initial_cstate(peer, peer->anchor.satoshis, peer->remote.commit_fee_rate, peer->local.offer_anchor == CMD_OPEN_WITH_ANCHOR ? OURS : THEIRS); if (!peer->remote.commit->cstate) return false; peer->local.commit->tx = create_commit_tx(peer->local.commit, peer->dstate->secpctx, &peer->local.finalkey, &peer->remote.finalkey, &peer->local.locktime, &peer->remote.locktime, &peer->anchor.txid, peer->anchor.index, peer->anchor.satoshis, &peer->local.commit->revocation_hash, peer->local.commit->cstate, OURS, &peer->local.commit->map); peer->remote.commit->tx = create_commit_tx(peer->remote.commit, peer->dstate->secpctx, &peer->local.finalkey, &peer->remote.finalkey, &peer->local.locktime, &peer->remote.locktime, &peer->anchor.txid, peer->anchor.index, peer->anchor.satoshis, &peer->remote.commit->revocation_hash, peer->remote.commit->cstate, THEIRS, &peer->remote.commit->map); peer->local.staging_cstate = copy_cstate(peer, peer->local.commit->cstate); peer->remote.staging_cstate = copy_cstate(peer, peer->remote.commit->cstate); return true; } static void json_add_abstime(struct json_result *response, const char *id, const struct abs_locktime *t) { json_object_start(response, id); if (abs_locktime_is_seconds(t)) json_add_num(response, "second", abs_locktime_to_seconds(t)); else json_add_num(response, "block", abs_locktime_to_blocks(t)); json_object_end(response); } static void json_add_pubkey(struct json_result *response, secp256k1_context *secpctx, const char *id, const struct pubkey *key) { u8 der[PUBKEY_DER_LEN]; pubkey_to_der(secpctx, der, key); json_add_hex(response, id, der, sizeof(der)); } static void json_add_htlcs(struct json_result *response, const char *id, const struct channel_oneside *side) { size_t i; json_array_start(response, id); for (i = 0; i < tal_count(side->htlcs); i++) { json_object_start(response, NULL); json_add_u64(response, "msatoshis", side->htlcs[i]->msatoshis); json_add_abstime(response, "expiry", &side->htlcs[i]->expiry); json_add_hex(response, "rhash", &side->htlcs[i]->rhash, sizeof(side->htlcs[i]->rhash)); json_object_end(response); } json_array_end(response); } /* FIXME: add history command which shows all prior and current commit txs */ /* FIXME: Somehow we should show running DNS lookups! */ static void json_getpeers(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *p; struct json_result *response = new_json_result(cmd); json_object_start(response, NULL); json_array_start(response, "peers"); list_for_each(&cmd->dstate->peers, p, list) { const struct channel_state *last; json_object_start(response, NULL); json_add_string(response, "name", log_prefix(p->log)); json_add_string(response, "state", state_name(p->state)); if (p->id) json_add_pubkey(response, cmd->dstate->secpctx, "peerid", p->id); json_add_bool(response, "connected", p->conn && !p->fake_close); /* FIXME: Report anchor. */ if (!p->local.commit || !p->local.commit->cstate) { json_object_end(response); continue; } last = p->local.commit->cstate; json_add_num(response, "our_amount", last->side[OURS].pay_msat); json_add_num(response, "our_fee", last->side[OURS].fee_msat); json_add_num(response, "their_amount", last->side[THEIRS].pay_msat); json_add_num(response, "their_fee", last->side[THEIRS].fee_msat); json_add_htlcs(response, "our_htlcs", &last->side[OURS]); json_add_htlcs(response, "their_htlcs", &last->side[THEIRS]); /* Any changes since then? */ if (p->local.staging_cstate->changes != last->changes) json_add_num(response, "local_staged_changes", p->local.staging_cstate->changes - last->changes); if (p->remote.staging_cstate->changes != p->remote.commit->cstate->changes) json_add_num(response, "remote_staged_changes", p->remote.staging_cstate->changes - p->remote.commit->cstate->changes); json_object_end(response); } json_array_end(response); json_object_end(response); command_success(cmd, response); } const struct json_command getpeers_command = { "getpeers", json_getpeers, "List the current peers", "Returns a 'peers' array" }; /* To avoid freeing underneath ourselves, we free outside event loop. */ void cleanup_peers(struct lightningd_state *dstate) { struct peer *peer, *next; list_for_each_safe(&dstate->peers, peer, next, list) { /* Deletes itself from list. */ if (!peer->conn && peer->state == STATE_CLOSED) tal_free(peer); } } /* A zero-fee single route to this peer. */ static const u8 *dummy_single_route(const tal_t *ctx, const struct peer *peer, u64 msatoshis) { struct node_connection **path = tal_arr(ctx, struct node_connection *, 0); return onion_create(ctx, peer->dstate->secpctx, path, msatoshis, 0); } static void json_newhtlc(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok, *msatoshistok, *expirytok, *rhashtok; unsigned int expiry; u64 msatoshis; struct sha256 rhash; if (!json_get_params(buffer, params, "peerid", &peeridtok, "msatoshis", &msatoshistok, "expiry", &expirytok, "rhash", &rhashtok, NULL)) { command_fail(cmd, "Need peerid, msatoshis, expiry and rhash"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->remote.commit || !peer->remote.commit->cstate) { command_fail(cmd, "peer not fully established"); return; } if (!json_tok_u64(buffer, msatoshistok, &msatoshis)) { command_fail(cmd, "'%.*s' is not a valid number", (int)(msatoshistok->end - msatoshistok->start), buffer + msatoshistok->start); return; } if (!json_tok_number(buffer, expirytok, &expiry)) { command_fail(cmd, "'%.*s' is not a valid number", (int)(expirytok->end - expirytok->start), buffer + expirytok->start); return; } if (!hex_decode(buffer + rhashtok->start, rhashtok->end - rhashtok->start, &rhash, sizeof(rhash))) { command_fail(cmd, "'%.*s' is not a valid sha256 hash", (int)(rhashtok->end - rhashtok->start), buffer + rhashtok->start); return; } if (!command_htlc_add(peer, msatoshis, expiry, &rhash, NULL, dummy_single_route(cmd, peer, msatoshis))) { command_fail(cmd, "could not add htlc"); return; } command_success(cmd, null_response(cmd)); } /* FIXME: Use HTLC ids, not r values! */ const struct json_command newhtlc_command = { "newhtlc", json_newhtlc, "Offer {peerid} an HTLC worth {msatoshis} in {expiry} (block number) with {rhash}", "Returns an empty result on success" }; /* Looks for their HTLC, but must be committed. */ static struct htlc *find_their_committed_htlc(struct peer *peer, const struct sha256 *rhash) { /* Must be in last committed cstate. */ if (!cstate_find_htlc(peer->remote.commit->cstate, rhash, THEIRS)) return NULL; return cstate_find_htlc(peer->remote.staging_cstate, rhash, THEIRS); } static void json_fulfillhtlc(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok, *rtok; struct rval r; struct sha256 rhash; struct htlc *htlc; if (!json_get_params(buffer, params, "peerid", &peeridtok, "r", &rtok, NULL)) { command_fail(cmd, "Need peerid and r"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->remote.commit || !peer->remote.commit->cstate) { command_fail(cmd, "peer not fully established"); return; } if (!hex_decode(buffer + rtok->start, rtok->end - rtok->start, &r, sizeof(r))) { command_fail(cmd, "'%.*s' is not a valid sha256 preimage", (int)(rtok->end - rtok->start), buffer + rtok->start); return; } sha256(&rhash, &r, sizeof(r)); htlc = find_their_committed_htlc(peer, &rhash); if (!htlc) { command_fail(cmd, "preimage htlc not found"); return; } if (command_htlc_fulfill(peer, htlc, &r)) command_success(cmd, null_response(cmd)); else command_fail(cmd, "htlc_fulfill not possible in state %s", state_name(peer->state)); } const struct json_command fulfillhtlc_command = { "fulfillhtlc", json_fulfillhtlc, "Redeem htlc proposed by {peerid} using {r}", "Returns an empty result on success" }; static void json_failhtlc(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok, *rhashtok; struct sha256 rhash; struct htlc *htlc; if (!json_get_params(buffer, params, "peerid", &peeridtok, "rhash", &rhashtok, NULL)) { command_fail(cmd, "Need peerid and rhash"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->remote.commit || !peer->remote.commit->cstate) { command_fail(cmd, "peer not fully established"); return; } if (!hex_decode(buffer + rhashtok->start, rhashtok->end - rhashtok->start, &rhash, sizeof(rhash))) { command_fail(cmd, "'%.*s' is not a valid sha256 preimage", (int)(rhashtok->end - rhashtok->start), buffer + rhashtok->start); return; } /* Look in peer->remote.staging_cstate->a, as that's where we'll * immediately remove it from: avoids double-handling. */ htlc = find_their_committed_htlc(peer, &rhash); if (!htlc) { command_fail(cmd, "htlc not found"); return; } if (command_htlc_fail(peer, htlc)) command_success(cmd, null_response(cmd)); else command_fail(cmd, "htlc_fail not possible in state %s", state_name(peer->state)); } const struct json_command failhtlc_command = { "failhtlc", json_failhtlc, "Fail htlc proposed by {peerid} which has redeem hash {rhash}", "Returns an empty result on success" }; static void json_commit(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok; if (!json_get_params(buffer, params, "peerid", &peeridtok, NULL)) { command_fail(cmd, "Need peerid"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->remote.commit || !peer->remote.commit->cstate) { command_fail(cmd, "peer not fully established"); return; } if (!state_can_commit(peer->state)) { command_fail(cmd, "peer in state %s", state_name(peer->state)); return; } do_commit(peer, cmd); } const struct json_command commit_command = { "commit", json_commit, "Commit all staged HTLC changes with {peerid}", "Returns an empty result on success" }; static void json_close(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok; if (!json_get_params(buffer, params, "peerid", &peeridtok, NULL)) { command_fail(cmd, "Need peerid"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!state_is_normal(peer->state) && !state_is_opening(peer->state)) { command_fail(cmd, "Peer is already closing: state %s", state_name(peer->state)); return; } if (peer->state == STATE_NORMAL_COMMITTING) set_peer_state(peer, STATE_CLEARING_COMMITTING, __func__); else set_peer_state(peer, STATE_CLEARING, __func__); peer_start_clearing(peer); command_success(cmd, null_response(cmd)); } const struct json_command close_command = { "close", json_close, "Close the channel with peer {peerid}", "Returns an empty result on success" }; static void json_disconnect(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok; if (!json_get_params(buffer, params, "peerid", &peeridtok, NULL)) { command_fail(cmd, "Need peerid"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->conn) { command_fail(cmd, "Peer is already disconnected"); return; } /* We don't actually close it, since for testing we want only * one side to freak out. We just ensure we ignore it. */ log_debug(peer->log, "Pretending connection is closed"); peer->fake_close = true; set_peer_state(peer, STATE_ERR_BREAKDOWN, "json_disconnect"); peer_breakdown(peer); command_success(cmd, null_response(cmd)); } static void json_signcommit(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok; u8 *linear; const struct bitcoin_tx *tx; struct json_result *response = new_json_result(cmd); if (!json_get_params(buffer, params, "peerid", &peeridtok, NULL)) { command_fail(cmd, "Need peerid"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->local.commit->sig) { command_fail(cmd, "Peer has not given us a signature"); return; } tx = bitcoin_commit(peer); linear = linearize_tx(cmd, tx); /* Clear witness for potential future uses. */ tx->input[0].witness = tal_free(tx->input[0].witness); json_object_start(response, NULL); json_add_string(response, "tx", tal_hexstr(cmd, linear, tal_count(linear))); json_object_end(response); command_success(cmd, response); } static void json_output(struct command *cmd, const char *buffer, const jsmntok_t *params) { struct peer *peer; jsmntok_t *peeridtok, *enabletok; bool enable; if (!json_get_params(buffer, params, "peerid", &peeridtok, "enable", &enabletok, NULL)) { command_fail(cmd, "Need peerid and enable"); return; } peer = find_peer_json(cmd->dstate, buffer, peeridtok); if (!peer) { command_fail(cmd, "Could not find peer with that peerid"); return; } if (!peer->conn) { command_fail(cmd, "Peer is already disconnected"); return; } if (!json_tok_bool(buffer, enabletok, &enable)) { command_fail(cmd, "enable must be true or false"); return; } log_debug(peer->log, "dev-output: output %s", enable ? "enabled" : "disabled"); peer->output_enabled = enable; /* Flush any outstanding output */ if (peer->output_enabled) io_wake(peer); command_success(cmd, null_response(cmd)); } const struct json_command output_command = { "dev-output", json_output, "Enable/disable any messages to peer {peerid} depending on {enable}", "Returns an empty result on success" }; const struct json_command disconnect_command = { "dev-disconnect", json_disconnect, "Force a disconned with peer {peerid}", "Returns an empty result on success" }; const struct json_command signcommit_command = { "dev-signcommit", json_signcommit, "Sign and return the current commit with peer {peerid}", "Returns a hex string on success" };