1
0
mirror of https://github.com/lightning/bolts.git synced 2024-11-19 01:50:03 +01:00
Commit Graph

131 Commits

Author SHA1 Message Date
Matt Corallo
fc40879995
Allow nodes to overshoot the MPP total_msat when paying (#1031)
When a node retires a failed path as part of a larger MPP payment,
the node may wish to use a path which is constrained by an
`htlc_minimum_msat` value. In this case, the node is forced to
overpay, likely overshooting the `total_msat` it set in the earlier
onions for the same MPP payment.

There are two possible solutions to this - either allow the
`total_msat` value to change in later HTLCs or allow the node to
(slightly) overshoot the `total_msat` value.

Allowing `total_msat` to change across HTLCs is nontrivial to
implement - HTLCs may arrive out-of-order, causing the receiving
node to have to track all seen `total_msat` values and accept a
set of HTLCs which meet any of the seen `total_msat` values.

Instead, this commit changes the MPP logic to simply allow a sender
to overshoot the stated `total_msat`.

Sadly the backwards-compatibility story for this is not great.
There doesn't seem to be a good way to resolve this issue in a
backwards-compatible way. Instead we just bite the bullet and make
the incompatible change, hoping the overshooting is rare enough
that it's not a major issue.
2022-11-08 08:37:07 +01:00
Rusty Russell
60cfb5972a BOLT 4: Remove legacy format, make var_onion_optin compulsory.
My measurements a few weeks ago reveal that only 5 nodes do not
advertize this feature, of over 17000.  I have a patch to
remove support from c-lightning, too.

[ 6 months later: t-bast notes that they only see 0.2% of htlcs using
  legacy, and my node hasn't seen one for 2 months w/ 12000 htlcs --RR ]

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-09-29 12:37:35 +09:30
Matt Corallo
bc86304b4b
Merge pull request #910 from rustyrussell/zeroconf-as-alias
Explicitly allow funding_locked early, and support alias scids (feat 46/47/50/51)
2022-05-30 13:50:25 -07:00
Rusty Russell
f8e5c92fb5 channel_update: make sure we use alias scids correctly.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-05-30 20:47:49 +00:00
Matt Corallo
fe96e8fc3d Note that lightning implementations used to skip the msg type bytes
...well, okay, do today, but by the time anyone is reading this
it'll be "used to".
2022-05-19 08:28:31 +02:00
Matt Corallo
de8bb07a65 Clarify how to encode channel_update messages in onions
Apparently not all implementations implemented the onion encoding
the same, causing vastly differing onion failure packets. This
should unify them somewhat.

CC https://github.com/ElementsProject/lightning/issues/5154
2022-05-19 08:28:31 +02:00
Matt Corallo
03468e1756 Clarify what the two flag bytes are in channel_disabled failures
Fixes #791
2022-05-19 08:28:31 +02:00
Joost Jager
2ab3a9f022
Add payment metadata to payment request 2022-01-03 20:09:14 +01:00
Adam Gibson
3d88d1dd31
Remove stale reference to the gamma key from Bolt 4 (#928)
Fixes #927.
The gamma key was removed from the onion routing spec in 8b29062.

Co-authored-by: Adam Gibson <AdamISZ@protonmail.com>
2021-10-19 08:14:36 +02:00
Rusty Russell
83980de786
BOLT 4: remove space in formatting which prevented tools/extract-formats.py (#858)
This is the only one, so I simply removed it.  We'd notice if a new field
was introduced which didn't change the output these days, but this has been
here since 2017.

Here's the difference in extract-formats.py's output:

```diff
@@ -177,6 +177,9 @@
 msgtype,final_incorrect_htlc_amount,19
 msgdata,final_incorrect_htlc_amount,incoming_htlc_amt,u64,
 msgtype,channel_disabled,UPDATE|20
+msgdata,channel_disabled,flags,u16,
+msgdata,channel_disabled,len,u16,
+msgdata,channel_disabled,channel_update,byte,len
 msgtype,expiry_too_far,21
 msgtype,invalid_onion_payload,PERM|22
 msgdata,invalid_onion_payload,type,bigsize,
```

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-04-08 08:54:01 +02:00
Matheus Degiovani
ffa0a3c243
Clarify nonce size for onion cipher
Some ChaCha20 implementations API's support both 64- and 96-bit nonces, while
others only support a single one.

Functionally, both nonce sizes are equivalent for LN usage, since the
nonce is always zeroed. However, while evaluating spec compliance of
ChaCha20 libraries, the fact that some do not support the 8 byte nonce
variant prompted a closer investigation about the nonce requirement.

Since RFC8439 is the one linked to in the current BOLT0004 spec and that
RFC only specifies the 96-bit nonce variant, that requirement is made
more explicit by this commit.
2021-02-18 10:21:48 -03:00
Corné Plooy
72188227fc BOLT 4: link to BOLT 1 for tlv_payload format 2020-11-09 13:10:22 -06:00
Yong
50b7391a6e
Replace RFC7539 with RFC8439 (#763) 2020-08-03 22:56:00 +02:00
Rusty Russell
9e8e29af9b
Complete the Fundamental Types. (#778)
* Rename all the 'varint' to 'bigsize'.

Having both is confusing; we chose the name bigsize, so use it
explicitly.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

* BOLT 7: use `byte` instead of `u8`.

`u8` isn't a type; see BOLT #1 "Fundamental Types".

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

* BOLT 1: promote bigsize to a Fundamental Type.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2020-05-25 22:25:46 +02:00
Darosior
452a0eb916
bolt-04: fix some typos (#752)
A missing parenthesis closure and some trailing tabs.
2020-03-11 09:28:56 +01:00
Orfeas Stefanos Thyfronitis Litos
a2afdfd12b
Keep hmac case consistent (#547)
Use `hmac` (lower-case) in packet fields to stay consistent with other fields.
2020-02-18 09:51:57 +01:00
Tim Ruffing
fb7102e034
Remove reference to DER encoding for public keys in compressed format (#742)
ECDSA signatures in Bitcoin are DER-encoded but public keys are not.

The compressed format for public keys is for example standardized in
Sections 2.3.3 and 2.3.4 of

  Standards for Efficient Cryptography, SEC 1: Elliptic Curve
  Cryptography, Certicom Research, Version 2, 2009,
  https://www.secg.org/sec1-v2.pdf
2020-02-17 11:00:30 +01:00
Christian Decker
7c1edeb063 bolt04: minor JSON fix and generate the exact number of bytes for the padding 2020-01-24 18:17:10 +01:00
Olaoluwa Osuntokun
8dd0b75809 BOLT-04: modify Sphinx packet construction to use starting random bytes
In this commit, we modify the existing instructions to create the Sphinx
packet to no longer start out with a zero initialize set of 1366 bytes.
Instead, we now instruct the sender to use _random_ bytes derived from a
CSPRG. This fixes a recently discovered privacy leak that allows an
adversarial exit hop to ascertain a lower bound on the true path length.

Note that this doesn't affect packet processing, so this is a backwards
compatible change. Only clients need to update in order to avoid this
privacy leak.

After this change is applied, the test vectors as is don't match the
spec, as they're created using the original all zero starting bytes. We
can either update these with our specified set of random bytes, or leave
them as is, as they're fully deterministic as is.

An alternative path would be to generate more random bytes from the
shared secret as we do elsewhere (the chacha based CSPRNG).
2020-01-24 18:17:10 +01:00
Conner Fromknecht
53653e5c52 BOLT 04: add missing subsections to ToC 2020-01-21 13:26:49 +01:00
ZmnSCPxj, ZmnSCPxj jxPCSmnZ
11f6017e84 04-onion-routing.md: Fix factual error about final_expiry_too_soon. (#722)
As reading of commit 6729755f shows, `final_expiry_too_soon` was
17, not PERM|17.

Note that because we folded a previously non-permanent failure into
the now-permanent PERM|15 failure code, modifications to payment
algorithms may now be needed to specificalyl detect this case,
otherwise payment algorithms may give up in some edge cases where
blocks are mined while payments are in-transit between sender and
receiver.
2020-01-10 13:27:29 -08:00
ueno
f219ee048a #711 don't allow a "fee" for the final node. (#718)
Update a requirement that was missed in #711
2020-01-08 10:06:04 +01:00
Rusty Russell
6ad8ee4cc4 BOLT 4/11: require payment_secret for multi-part payments.
This means the BOLT11 invoice must offer it (we already say it must
set the field if it offers it), and that the receiving node must
require it (again, we already say it must check it if it requires it).

Without the payment_secret, MPP payments are especially vulnerable to
probing attacks: unlike normal payments (with amounts) they can be
detected with 1msat payment probes.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 14:20:02 +10:30
Rusty Russell
4c3d01616d BOLT 4: Multi-part payments.
This also defines the TLV format for payment_secret; the two are intertwined.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 03:48:57 +00:00
Rusty Russell
2422630274 BOLT 4: don't allow a "fee" for the final node.
I recently made a cut & paste bug with the protocol tests, and
paid an HTLC of amount 100M msat, but with only a 1M msat `amt_to_forward`
in the hop_data.  To my surprise, it was accepted.

This is because we allow overpaying the routing fee (considered 0
for the final hop).  This doesn't make sense for the final hop: anything
but exact equality implies a bug, or that the previous node took the
wrong amount from the payment.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-12-13 01:07:09 +00:00
Darosior
6e1bea0d48 bolt04: Correct some typos (#667) 2019-09-06 08:39:16 +00:00
Bastien Teinturier
db92932a9f
BOLT 04: Add failure code for invalid payload. (#627)
The specification currently doesn't specify the case where the onion per-hop
payload can't be correctly decoded.

This is somewhat fine with the fixed frames because every field of the payload
can always be interpreted as a numeric value from the input bytes, so it leads
to application errors in upper layers when those values are actually
interpreted (and we realize that for instance we have an invalid
short_channel_id` value).

With variable-length tlv streams in the onion payloads, we will encounter
decoding errors (duplicate tlv types, invalid ordering, etc) and the spec
should define the failure code to use in that case.
2019-09-03 06:54:13 +00:00
Joost Jager
6729755f0c BOLT 4: Merge final_expiry_too_soon into incorrect_or_unknown_payment_details (#608)
In commit 914ebab908 the
incorrect_payment_amount error was merged into
incorrect_or_unknown_payment_details to prevent a probing attack
that allowed intermediate nodes to learn the final destination of
a payment.

A similar attack is possible using the htlc expiry value. By trying
payments with the correct amount but low expiry values to candidate
destinations, an incorrect_or_unknown_payment_details error can be
elicited. This would signal that the probe payment was sent to the
final destination.

For the intermediate node to determine the correct amount, an estimate
must be calculated. A logical choice would be the outgoing amount of the
intermediate node plus some allowance for routing fees that would
otherwise be paid to subsequent nodes along the path.

Picking a low enough - but not too low - expiry value is more tricky.
A reasonable guess could be made using external knowledge of the
final destination's implementation defaults or the type of invoice that
is paid to. Especially in the case of an hodl invoice that typically has
a large expiry delta, it is easier to make a correct guess.

This form of attack is arguably harder to realize than the amount probe
that was previously possible. The attacker may accidentally
pay the invoice if the expiry value guess satisfies the invoice
final cltv requirement. In that case, the attacker still has the
incoming htlc to pull which limits the loss.
2019-08-19 13:12:52 -07:00
Bastien Teinturier
8b2cf00546
Bolt 04: fix a few left-over spelling / clean-up nits (#653)
* Fix a few left-over spelling / clean-up nits
* Bolt 09: fix spec links
2019-07-31 07:21:38 +00:00
Christian Decker
d23f4b056c bolt04: Remove TLV based termination signal
As discussed during the IRC meeting on 2019-07-22 this would have been a
duplication of signals. It was decided to use one for now, with the option of
coming back should we ever need the last 32 bytes of the onion.
2019-07-26 11:38:33 +02:00
Christian Decker
0616c29bed bolt04: Introduce the destination_signal to the tlv_payload
As discussed during the spec meeting this allows us not to use the 32 byte
HMAC to identify the last hop, and use a 2-byte signal instead.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
6cdbedb649 bolt04: Add the TLV types for the new payload format
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
10c345bcf4 bolt04: Remove in-spec test vector in favor of JSON test vector
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
ecaf591bca bolt04: Amend the filler generation and onion decoding to varpayload
This actually introduces the variable size shift and filler generation.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
a148abbad5 bolt04: Describe the variable size hop_payload
Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Christian Decker
3ac0091ef9 bolt04: Formatting cleanup and fold clarifications into conventions
The clarifications were tacked on after the fact, but they should really be
part of the conventions. I also updated the links to use the reference style,
which results in better text flow and makes it easier to read the source.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
2019-07-26 11:38:33 +02:00
Orfeas Stefanos Thyfronitis Litos
238c06282d Rephrase last node payload requirements (#615)
Mention that `outgoing_cltv_value` has to be equal to
`min_final_cltv_expiry` and `amt_to_forward` has to be equal to
`amount` if the [BOLT #11](11-payment-encoding.md) invoice is used
2019-07-22 22:42:00 +02:00
Rusty Russell
6f6ea63233 BOLT 1,2,4,7: remove pubkey fundamental type in favor of point.
And remove `secret` and `preimage` types in favor of open-coding.

Agreed-at: http://www.erisian.com.au/meetbot/lightning-dev/2019/lightning-dev.2019-07-08-20.05.html

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-07-09 00:48:46 +00:00
Rusty Russell
6639cef095 Spec: use explicit types, not just bytelengths for fields.
It's trivial to make types->lengths, but not so much the other way.

The types I used here are the ones I found useful in implementation, and
I think add some clarity, though we can certainly argue about them.

There's no normative changes to the spec in here.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-07-09 00:48:46 +00:00
sstone
da71867c84 BOLT 4: fix onion vectors
Final result was correct but intermediary results had not been updated when the payloads were changed.
Fixes #494
2019-02-18 20:20:42 +00:00
Orfeas Stefanos Thyfronitis Litos
835ca46a81 BOLT 4: Correct "16-byte" to "12-byte" (padding) 2019-02-04 23:45:38 +00:00
Rusty Russell
a2480ca138 BOLT 4: remove incorrect_payment_amount altogether.
914ebab908 effectively deprecated this, but
left it for "reject if more than 2x expected amount" case.

Leaving it for gross overpayment still leaves an attack on the current
network in practice (all implementations I know of reject grossly excessive
payments), and removing it causes our code to nicely break when regenerating,
since that error code is now not defined anywhere.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2019-01-22 21:44:22 +01:00
Pierre-Marie Padiou
137106a716 report outgoing HTLC values when appropriate
For some relaying errors it makes more sense to report the values of the outgoing HTLC rather than the incoming HTLC.
2019-01-21 21:16:11 +01:00
Rusty Russell
cdb275b52e
Merge pull request #523 from nayuta-gondo/pr/20181204-ek_k
BOLT 4: fix the index of `ek`.
2019-01-07 19:42:17 +00:00
Matt Corallo
914ebab908 Merge incorrect_payment_amount and unknown_payment_hash errors
Because the errors are separate, if an intermediate node sees a
payment hash for relay and has several guesses as to the
destination of the payment, they can check their guesses by sending
HTLCs with the same payment hashes first and seeing the error sent
back.

By adding the htlc_msat that the final node received to
unknown_or_incorrect_payment_details, origin nodes can still
identify bad value-relaying peers.
2018-12-10 22:24:05 +00:00
Hiroki Gondo
88b0000a91 BOLT 4: fix the index of ek. 2018-12-04 18:05:49 +09:00
Conner Fromknecht
7163c52d93 04-onion-routing: document non-strict forwarding
This commit documents the allowance of non-strict
forwarding, permitting forwarding nodes to select
between any available outgoing channel with the peer
that would otherwise be specified by the
short_channel_id in the onion packet.

It also includes recommendations for fee schedules
when using non-strict forwarding, either by using
a uniform fee schedule with a peer or only
considering like-policied channels, to ensure the
channel is truly equivalent in terms of fee revenue
for the forwarder.
2018-11-29 04:21:46 +00:00
araspitzu
2b2e5632ca BOLT 4 Add clarifications about the longest route 2018-11-29 04:12:36 +00:00
araspitzu
90ba6ddbc5 Explicit the number of intermediate nodes in the longest route supported by the spec 2018-11-29 04:12:36 +00:00
araspitzu
a01efdd65e BOLT 4: clarify the maximum length of the route 2018-11-29 04:12:36 +00:00