* Channel::get_counterparty_htlc_minimum_msat() returned
holder_htlc_minimum_msat, which was obviously incorrect.
* ChannelManager::get_channel_update set htlc_minimum_msat to
Channel::get_holder_htlc_minimum_msat(), but the spec explicitly
states we "MUST set htlc_minimum_msat to the minimum HTLC value
(in millisatoshi) that the channel peer will accept." This makes
sense because the reason we're rejecting the HTLC is because our
counterparty's HTLC minimum value is too small for us to send to
them, our own HTLC minimum value plays no role. Further, our
router already expects this - looking at the same directional
channel info as it does fees.
Finally, we add a test in the existing onion router test cases
which fails if either of the above is incorrect (the second issue
discovered in the process of writing the test).
They all have a specific structure, so having them in the mess that
is functional_tests isn't really conducive to readability. More
importantly, functional_tests is so big it slows down compilation,
so even dropping a few hundred lines is a win.
Sources of the failure may be multiple in case of distributed watchtower
deployment. In either case, the channel manager must return a final
update asking to its channel monitor(s) to broadcast the lastest state
available. Revocation secret must not be released for the faultive
channel.
In the future, we may return wider type of failures to take more
fine-grained processing decision (e.g if local disk failure and
redudant remote channel copy available channel may still be processed
forward).
Watchower Alice receives block 134, broadcasts state X, rejects state Y.
Watchtower Bob accepts state Y, receives blocks 135, broadcasts state Y.
State Y confirms onchain. Alice must be able to claim outputs.
With a distrbuted watchtowers deployment, where each monitor is plugged
to its own chain view, there is no guarantee that block are going to be
seen in same order. Watchtower may diverge in their acceptance of a
submitted `commitment_signed` update due to a block timing-out a HTLC
and provoking a subset but yet not seen by the other watchtower subset.
Any update reject by one of the watchtower must block offchain coordinator
to move channel state forward and release revocation secret for previous
state.
In this case, we want any watchtower from the rejection subset to still
be able to claim outputs if the concurrent state, has accepted by the
other subset, is confirming. This improve overall watchtower system
fault-tolerance.
This change stores local commitment transaction unconditionally and fail
the update if there is knowledge of an already signed commitment
transaction (ChannelMonitor.local_tx_signed=true).
Comment meaning of holder/counterparty
Diverse chan_utils cleanups
Cleanups post-cbindings merge
Fix misusage of holder_selected_contest_delay instead of counterparty
_selected_contest_delay in HolderCommitmentTransaction
Fix old payment_point comment
A TxCreationKeys set represents the key which will be embedded in output
scripts of a party's commitment tx state. Among them there is a always
a key belonging to counter-party, the HTLC pubkey. To dissociate
strongly, prefix keys with broadcaster/countersignatory.
A revocation keypair is attributed to the broadcaster as it's used
to punish a fraudulent broadcast while minding that such keypair
derivation method will be always used by countersignatory as it's
its task to enforce punishement thanks to the release secret.
To avoid reviewers confusion, rename counterparty_to_self_delay
to counteparty_selected_contest_delay, i.e the justice delay announced
by a channel counterparty restraining our transactions, and to_self_delay
to locally_selected_contest_delay, i.e the justice delay announced by us
restraining counterparty's transactions
We deviate from wider nomenclature by prefixing local data with a
locally_ extension due to the leak of this value in transactions/scripts
builder, where the confusion may happen.
Rename further AcceptChannelData to the new nomenclature.
Previously most of variable fields relative to data belonging to
our node or counterparty were labeled "local"/"remote". It has been
deemed confusing with regards to transaction construction which is
always done from a "local" viewpoint, even if owner is our counterparty
Until we get the bindings generation process super stable, let the
bindings get stale with respect to the main repo while still letting
`cargo check` pass.
Variables should be named according to the script semantic which is
an invariant with regards to generating a local or remote commitment
transaction.
I.e a broadcaster_htlc_key will always guard a HTLC to the party able
to broadcast the computed transactions whereas countersignatory_htlc_key
will guard HTLC to a countersignatory of the commitment transaction.
In general, it maps:
* Traits to a struct with a void* and a list of function pointers,
emulating what the compiler will do for a dyn trait anyway,
* Structs as a struct with a single opaque pointer to the
underlying type and a flag to indicate ownership. While this is
a bit less effecient than just a direct pointer, it neatly lets
us expose in the public interface the concept of ownership by
setting a flag in the generated struct.
* Unit enums as enums with each type copied over and conversion
functions,
* Non-unit enums have each field converted back and forth with a
type flag and a union across all the C-mapped fields.
