We don't actually implement closing when we have HTLCs (we should
allow it, as that's what the clearing phase is for), since soon we'll
rewrite HTLC to match the async HTLC protocol of BOLT #2.
Note that this folds the close paths, using a simple check if we have
a close transaction. That's a slight state layer violation, but
reduces code duplication.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
For the change to asynchronous updates as specified by BOLT #2, we
need to know when the other side acknowledged a packet. This creates
a simple callback mechanism for it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This uses libsodium (we could use openssl, but the required primitives
are only in 1.1.0 which is still in alpha).
It doesn't handle reconnections yet, either.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This means we send the first two revocation hashes; this is important
once we move to a commit model as we need to send (unsolicited) the
signature for the *next* commit tx so we need its commit hash.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This encapsulates proposals more cleanly, and is important when we change
the protocol to have more than one outstanding at a time.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
The channel funding code needs to know who offered the anchor, as they
are responsible for paying fees until the other side is able to. This
is actually a hack, but at least now it's internal to funding and not
passed in at every funding_delta() call.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
If something goes wrong after we've broadcast the anchor tx, we need to use
the commit tx to spend it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It currently points into freed memory once we've make_commit_txs; we
don't currently dereference it after that, but I did in some test code
and got a surprise. Make a copy in all cases where we set it, so
there can't be lifetime problems.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is only for the simple case where there are no HTLCs.
We group the current commit information together in the struct;
this involves a trivial transform from peer->cur_commit_theirsig to
peer->cur_commit.theirsig.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is required for transactions which use OP_CSV to lock outputs for
a given amount of time: we need to know the mediantime of the block
they were included into.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We abort when this happens, but still worth testing.
This involves a refactor so we can allocate watches off a specific context,
for easy freeing when they're no longer wanted.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
When a peer is finally to be freed (ie. STATE_CLOSED), doing this
inside the state logic is a bit fraught. We're better off exiting the
io loop and freeing it there.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We do the simplest thing: a timer goes off, and we check all HTLCs for
one which has expired more than 30 seconds ago.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Otherwise we won't finish the conversation. In fact, only the writer
side should ever close: we wake it if we want to close and it tests
peer->cond.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
When the only commands are via JSON, you might argue that we should
simply insist the user not operate on the same peer in parallel. That
would suck, and also we need to handle the case of a command from
a timer (eg. HTLC expiry!) or a bitcoin event.
So, we need a queue for commands, but also we need to do some of the
command checking just before the command runs: the HTLC we're dealing
with might have vanished for example.
The current command is wrapped in an anonymous "curr_cmd" struct
for extra clarity.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This lets us implement accept_pkt_anchor().
Also had to predeclare sha256 in commit_tx.h, revealed by the new
includes.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
bitcoind has a limit of 16 requests at once, by default, so our simplest
solution is to serialize them.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Because we use the bitcoin wallet to create the anchor transaction, we
need to make sure it doesn't broadcast it; safest to check their config
for the option.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It was "connecting" to "localhost 30000" successfully, because it was
using UDP. Oops.
This reveals another issue: init_conn() uses the wrong address to
connect to, as we'd already incremented the pointer in try_connect_one().
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
After useful feedback from Anthony Towns and Mats Jerratsch (of
thunder.network fame), this is the third version of inter-node crypto.
1) First, each side sends a 33-byte session pubkey. This is a
bitcoin-style compressed EC key, unique for each session.
2) ECDH is used to derive a shared secret. From this we generate
the following transmission encoding parameters for each side:
Session AES-128 key: SHA256(shared-secret || my-sessionpubkey || 0)
Session HMAC key: SHA256(shared-secret || my-sessionpubkey || 1)
IV for AES: SHA256(shared-secret || my-sessionpubkey || 2)
3) All packets from then on are encrypted of form:
/* HMAC, covering totlen and data */
struct sha256 hmac;
/* Total data transmitted (including this). */
le64 totlen;
/* Encrypted contents, rounded up to 16 byte boundary. */
u8 data[];
4) The first packet is an Authenticate protobuf, containing this node's
pubkey, and a bitcoin-style EC signature of the other side's session
pubkey.
5) Unknown protobuf fields are handled in the protocol as follows
(including in the initial Authenticate packet):
1) Odd numbered fields are optional, and backwards compatible.
2) Even numbered fields are required; abort if you get one.
Currently both sides just send an error packet "hello" after the
handshake, and make sure they receive the same.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Also based on pettycoin code.
(With embarrassing bug fixed where it didn't increment the address used,
thus using 100% CPU if that connect failed!)
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
For better or worse, the ccan/timer structure is completely minimal,
and designed to be wrapped inside a container structure.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell