#include "config.h" #include #include #include #include #include #include #include #include #include #include /*~ This is the key function that checks that their configuration is reasonable: * it applied for both the case where they're trying to open a channel, and when * they've accepted our open. */ bool check_config_bounds(const tal_t *ctx, struct amount_sat funding, u32 feerate_per_kw, u32 max_to_self_delay, struct amount_msat min_effective_htlc_capacity, const struct channel_config *remoteconf, const struct channel_config *localconf, bool option_anchor_outputs, char **err_reason) { struct amount_sat capacity; struct amount_sat reserve; struct amount_sat fee; /* BOLT #2: * * The receiving node MUST fail the channel if: *... * - `to_self_delay` is unreasonably large. */ if (remoteconf->to_self_delay > max_to_self_delay) { *err_reason = tal_fmt(ctx, "to_self_delay %u larger than %u", remoteconf->to_self_delay, max_to_self_delay); return false; } /* BOLT #2: * * The receiving node MAY fail the channel if: *... * - `funding_satoshis` is too small. * - it considers `htlc_minimum_msat` too large. * - it considers `max_htlc_value_in_flight_msat` too small. * - it considers `channel_reserve_satoshis` too large. * - it considers `max_accepted_htlcs` too small. */ /* We accumulate this into an effective bandwidth minimum. */ /* Add both reserves to deduct from capacity. */ if (!amount_sat_add(&reserve, remoteconf->channel_reserve, localconf->channel_reserve)) { *err_reason = tal_fmt(ctx, "channel_reserve_satoshis %s" " too large", type_to_string(ctx, struct amount_sat, &remoteconf->channel_reserve)); return false; } /* BOLT #2: * - if `option_anchors` applies to this commitment * transaction and the sending node is the funder: * - MUST be able to additionally pay for `to_local_anchor` and * `to_remote_anchor` above its reserve. */ /* (We simply include in "reserve" here if they opened). */ if (option_anchor_outputs && !amount_sat_add(&reserve, reserve, AMOUNT_SAT(660))) { *err_reason = tal_fmt(ctx, "cannot add anchors to reserve %s", type_to_string(ctx, struct amount_sat, &reserve)); return false; } /* If reserves are larger than total sat, we fail. */ if (!amount_sat_sub(&capacity, funding, reserve)) { *err_reason = tal_fmt(ctx, "channel_reserve_satoshis %s" " and %s too large for funding %s", type_to_string(ctx, struct amount_sat, &remoteconf->channel_reserve), type_to_string(ctx, struct amount_sat, &localconf->channel_reserve), type_to_string(ctx, struct amount_sat, &funding)); return false; } /* They have to pay for fees, too. Assuming HTLC is dust, though, * we don't account for an HTLC output. */ fee = commit_tx_base_fee(feerate_per_kw, 0, option_anchor_outputs); if (!amount_sat_sub(&capacity, capacity, fee)) { *err_reason = tal_fmt(ctx, "channel_reserve_satoshis %s" " and %s plus fee %s too large for " "funding %s", type_to_string(tmpctx, struct amount_sat, &remoteconf->channel_reserve), type_to_string(tmpctx, struct amount_sat, &localconf->channel_reserve), type_to_string(tmpctx, struct amount_sat, &fee), type_to_string(tmpctx, struct amount_sat, &funding)); return false; } /* If they set the max HTLC value to less than that number, it caps * the channel capacity. */ if (amount_sat_greater(capacity, amount_msat_to_sat_round_down(remoteconf->max_htlc_value_in_flight))) capacity = amount_msat_to_sat_round_down(remoteconf->max_htlc_value_in_flight); /* If the minimum htlc is greater than the capacity, the channel is * useless. */ if (amount_msat_greater_sat(remoteconf->htlc_minimum, capacity)) { *err_reason = tal_fmt(ctx, "htlc_minimum_msat %s" " too large for funding %s" " capacity_msat %s", type_to_string(ctx, struct amount_msat, &remoteconf->htlc_minimum), type_to_string(ctx, struct amount_sat, &funding), type_to_string(ctx, struct amount_sat, &capacity)); return false; } /* If the resulting channel doesn't meet our minimum "effective capacity" * set by lightningd, don't bother opening it. */ if (amount_msat_greater_sat(min_effective_htlc_capacity, capacity)) { struct amount_sat min_effective_htlc_capacity_sat = amount_msat_to_sat_round_down(min_effective_htlc_capacity); *err_reason = tal_fmt(ctx, "channel capacity with funding %s," " reserves %s/%s," " max_htlc_value_in_flight_msat is %s," " channel capacity is %s, which is below %s", type_to_string(ctx, struct amount_sat, &funding), type_to_string(ctx, struct amount_sat, &remoteconf->channel_reserve), type_to_string(ctx, struct amount_sat, &localconf->channel_reserve), type_to_string(ctx, struct amount_msat, &remoteconf->max_htlc_value_in_flight), type_to_string(ctx, struct amount_sat, &capacity), type_to_string(ctx, struct amount_sat, &min_effective_htlc_capacity_sat)); return false; } /* We don't worry about how many HTLCs they accept, as long as > 0! */ if (remoteconf->max_accepted_htlcs == 0) { *err_reason = tal_fmt(ctx, "max_accepted_htlcs %u invalid", remoteconf->max_accepted_htlcs); return false; } /* BOLT #2: * * The receiving node MUST fail the channel if: *... * - `max_accepted_htlcs` is greater than 483. */ if (remoteconf->max_accepted_htlcs > 483) { *err_reason = tal_fmt(ctx, "max_accepted_htlcs %u too large", remoteconf->max_accepted_htlcs); return false; } return true; } u8 *no_upfront_shutdown_script(const tal_t *ctx, struct feature_set *our_features, const u8 *their_features) { #if DEVELOPER /* This is a hack, for feature testing */ const char *e = getenv("DEV_OPENINGD_UPFRONT_SHUTDOWN_SCRIPT"); if (e) return tal_hexdata(ctx, e, strlen(e)); #endif /* BOLT #2: * * - if both nodes advertised the `option_upfront_shutdown_script` * feature: * - MUST include `upfront_shutdown_script` with either a valid * `shutdown_scriptpubkey` as required by `shutdown` * `scriptpubkey`, or a zero-length `shutdown_scriptpubkey` * (ie. `0x0000`). */ if (feature_negotiated(our_features, their_features, OPT_UPFRONT_SHUTDOWN_SCRIPT)) return tal_arr(ctx, u8, 0); return NULL; } bool anchors_negotiated(struct feature_set *our_features, const u8 *their_features) { return feature_negotiated(our_features, their_features, OPT_ANCHOR_OUTPUTS) || feature_negotiated(our_features, their_features, OPT_ANCHORS_ZERO_FEE_HTLC_TX); } char *validate_remote_upfront_shutdown(const tal_t *ctx, struct feature_set *our_features, const u8 *their_features, u8 *shutdown_scriptpubkey STEALS, u8 **state_script) { bool anysegwit = feature_negotiated(our_features, their_features, OPT_SHUTDOWN_ANYSEGWIT); bool anchors = anchors_negotiated(our_features, their_features); /* BOLT #2: * * - MUST include `upfront_shutdown_script` with either a valid * `shutdown_scriptpubkey` as required by `shutdown` `scriptpubkey`, * or a zero-length `shutdown_scriptpubkey` (ie. `0x0000`). */ /* We turn empty into NULL. */ if (tal_bytelen(shutdown_scriptpubkey) == 0) shutdown_scriptpubkey = tal_free(shutdown_scriptpubkey); *state_script = tal_steal(ctx, shutdown_scriptpubkey); if (shutdown_scriptpubkey && !valid_shutdown_scriptpubkey(shutdown_scriptpubkey, anysegwit, !anchors)) return tal_fmt(tmpctx, "Unacceptable upfront_shutdown_script %s", tal_hex(tmpctx, shutdown_scriptpubkey)); return NULL; } void validate_initial_commitment_signature(int hsm_fd, struct bitcoin_tx *tx, struct bitcoin_signature *sig) { struct existing_htlc **htlcs; struct bitcoin_signature *htlc_sigs; u32 feerate; u64 commit_num; const u8 *msg; struct secret *old_secret; struct pubkey next_point; /* Validate the counterparty's signature. */ htlcs = tal_arr(NULL, struct existing_htlc *, 0); htlc_sigs = tal_arr(NULL, struct bitcoin_signature, 0); feerate = 0; /* unused since there are no htlcs */ commit_num = 0; msg = towire_hsmd_validate_commitment_tx(NULL, tx, (const struct simple_htlc **) htlcs, commit_num, feerate, sig, htlc_sigs); tal_free(htlc_sigs); tal_free(htlcs); wire_sync_write(hsm_fd, take(msg)); msg = wire_sync_read(tmpctx, hsm_fd); if (!fromwire_hsmd_validate_commitment_tx_reply(tmpctx, msg, &old_secret, &next_point)) status_failed(STATUS_FAIL_HSM_IO, "Reading validate_commitment_tx reply: %s", tal_hex(tmpctx, msg)); }