Add support for opt_shutdown_anysegwit feature #780
#794
Conversation
Codecov Report
@@ Coverage Diff @@
## main #794 +/- ##
==========================================
- Coverage 90.85% 90.82% -0.03%
==========================================
Files 45 45
Lines 24547 24660 +113
==========================================
+ Hits 22301 22398 +97
- Misses 2246 2262 +16
Continue to review full report at Codecov.
|
|
Added a further item to the list above. I had a chat with @TheBlueMatt on Slack to dig further into what he meant in the |
There was a problem hiding this comment.
Thanks to implement this, see my points about making it non-mandatory.
- Have a look on
test_upfront_shutdown_scriptsinfunctional_tests.rsas an inspiration source for a functional test enforcing new feature at shutdown - IIUC, you want to craft a witness program v1 and feed it ? In what it differs from the test you're want to write above ?
- Are you proposing a method
check_counterparty_channel_policyto wrap code dup betweenaccept/new_from_req? Why not, but I guess you will still have some checks context-dependent. See Channel internal refactoring and cleanups #648 on further channel internal refactoring
Staying available on slack/irc if you have any questions :)
lightning/src/ln/channel.rs
Outdated
| @@ -691,11 +691,17 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| return Err(ChannelError::Close("Insufficient funding amount for initial commitment".to_owned())); | |||
| } | |||
|
|
|||
| // TODO duplicate code new_from_req / accept_channel | |||
| if !their_features.requires_shutdown_anysegwit() { | |||
There was a problem hiding this comment.
I think this check makes it mandatory for our peers to support opt_shutdown_anysegwit ? I would keep it optional for now, we don't higher versions of segwit deployed yet.
There was a problem hiding this comment.
Hmmmm. That's indeed a doubt I had while I was working on this. I used @TheBlueMatt's comment here as guide:
(b) we should require the feature for all peers
I understood that that he meant that this would be mandatory. Happy to make it optional if needed.
There was a problem hiding this comment.
Right, sorry, as I'd mentioned on slack the other day, I think it may be a bit too early for this. Likely we can do it in a few months, at least once a few other implementations get it shipped, but its likely preferrable to have (b) and (c) sitting in a yet-unmerged PR for now.
There was a problem hiding this comment.
Ah sorry, I missed the bit where you said it was too early
lightning/src/ln/channel.rs
Outdated
| @@ -2906,13 +2918,13 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| assert_eq!(self.channel_state & ChannelState::ShutdownComplete as u32, 0); | |||
|
|
|||
| // BOLT 2 says we must only send a scriptpubkey of certain standard forms, which are up to | |||
| // 34 bytes in length, so don't let the remote peer feed us some super fee-heavy script. | |||
| if self.is_outbound() && msg.scriptpubkey.len() > 34 { | |||
| // 42 bytes in length, so don't let the remote peer feed us some super fee-heavy script. | |||
There was a problem hiding this comment.
Maybe precise bip ref "A BIP-141-compliant witness program is at max 42 bytes in length, ..."
lightning/src/ln/features.rs
Outdated
| @@ -101,6 +101,8 @@ mod sealed { | |||
| StaticRemoteKey, | |||
| // Byte 2 | |||
| , | |||
| // Byte 3 | |||
| ShutdownAnySegwit, | |||
There was a problem hiding this comment.
See my point above but I think for now it's better to keep this new feature optional.
|
Updated the PR with a new commit which hopefully handles all the feedback so far. Here's what I've done in this new commit:
Side note: I feel it'd be cleaner if each of the situations tested inside |
lightning/src/ln/channel.rs
Outdated
| @@ -386,6 +386,8 @@ pub(super) struct Channel<ChanSigner: ChannelKeys> { | |||
| commitment_secrets: CounterpartyCommitmentSecrets, | |||
|
|
|||
| network_sync: UpdateStatus, | |||
|
|
|||
| supports_shutdown_anysegwit: bool, | |||
There was a problem hiding this comment.
I don't think we want to cache this in the Channel - see my comment at lightning/bolts#672 (review) but I think we should be passing the InitFeatures object through the shutdown message handler (this may require a change to ChannelManager, PeerHandler, and the ln::msgs::ChannelMessageHandler trait, but it should be as easy as adding a new parameter.
lightning/src/ln/channel.rs
Outdated
| @@ -1392,7 +1399,8 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| match &msg.shutdown_scriptpubkey { | |||
| &OptionalField::Present(ref script) => { | |||
| // Peer is signaling upfront_shutdown and has provided a non-accepted scriptpubkey format. We enforce it while receiving shutdown msg | |||
| if script.is_p2pkh() || script.is_p2sh() || script.is_v0_p2wsh() || script.is_v0_p2wpkh() { | |||
| let is_witness_program_allowed = their_features.supports_shutdown_anysegwit() && script.is_witness_program(); | |||
There was a problem hiding this comment.
It may be nice to abstract this out into a helper function.
There was a problem hiding this comment.
See my point, I think the spec is currently fuzzy on what is meant by "if only opt_shutdown_anysegwit is negotiated". Asking clarifications on IRC.
Side note: I feel it'd be cleaner if each of the situations tested inside test_upfront_shutdown_script would be a separate test itself. Any reason to keep them all inside there?
For sure, at least this new option deserves its own test. Zooming out, our functional test would be worthy to be split up and better documented to ease its understanding by newcomers and also what's actually covered by contributors. I've few branches doing it but never pushed it forward 😅
lightning/src/ln/channel.rs
Outdated
| @@ -695,7 +699,8 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| match &msg.shutdown_scriptpubkey { | |||
| &OptionalField::Present(ref script) => { | |||
| // Peer is signaling upfront_shutdown and has provided a non-accepted scriptpubkey format. We enforce it while receiving shutdown msg | |||
| if script.is_p2pkh() || script.is_p2sh() || script.is_v0_p2wsh() || script.is_v0_p2wpkh() { | |||
| let is_witness_program_allowed = their_features.supports_shutdown_anysegwit() && script.is_witness_program(); | |||
There was a problem hiding this comment.
Currently this PR checks holder node supports shutdown_anysegwit at shutdown message reception only.
It has the following pitfall. If our peer provide us a anysegwit scriptpubkey at channel opening through the upfront_shutdown feature we'll accept it but reject it later during the cooperative closure attempt, thus forcing us to fallback on a costly, privacy-damaging unilateral closure.
If we don't support shutdown_anysegwit, I think we should reject channel opening at all. It's up to our peer to read our public features correctly and propose us an upfront witness suiting us.
There was a problem hiding this comment.
Hmmm, so if I'm reading this right, you're suggesting that if they say they don't support shutdown anysegwit, but the script is witness, we fail right away?
Please update the issue/PR when you find out :)
Yeah, I'll probably create 2 separate tests, one for each different scenario in the next PR revision. |
|
I've pushed some updates to address the latest round of feedback. The include:
|
|
By the way, I'm planning to squash the commits once the feature is ready, but for now I keep them separate for easier understanding of feedback improvements. |
|
CI failure was due to my changes. Updating C bindings... |
|
Don't worry about the C bindings, we generally update those asynchronously (and are probably going to pull them out into a separate repo soon). |
lightning/src/ln/msgs.rs
Outdated
| @@ -761,7 +761,7 @@ pub trait ChannelMessageHandler : MessageSendEventsProvider + Send + Sync { | |||
|
|
|||
| // Channl close: | |||
| /// Handle an incoming shutdown message from the given peer. | |||
| fn handle_shutdown(&self, their_node_id: &PublicKey, msg: &Shutdown); | |||
| fn handle_shutdown(&self, their_node_id: &PublicKey, their_features: InitFeatures, msg: &Shutdown); | |||
There was a problem hiding this comment.
Probably pass their_features as a &InitFeatures instead, the Channel doesn't need ownership so good to avoid cloning.
lightning/src/ln/channel.rs
Outdated
| @@ -1391,6 +1395,10 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| let counterparty_shutdown_scriptpubkey = if their_features.supports_upfront_shutdown_script() { | |||
| match &msg.shutdown_scriptpubkey { | |||
| &OptionalField::Present(ref script) => { | |||
| if unsupported_witness_shutdown_script(their_features, script) { | |||
There was a problem hiding this comment.
Why not just drop the next if block and do the pre-anysegwit check in unsupported_witness_script as well? It's a change in behavior to reject a new channel if the script is invalid, but that's ok, we probably should have been doing that initially anyway.
lightning/src/ln/channel.rs
Outdated
| // BOLT 2 says we must only send a scriptpubkey of certain standard forms, | ||
| // which for a a BIP-141-compliant witness program is at max 42 bytes in length. | ||
| // So don't let the remote peer feed us some super fee-heavy script. | ||
| if self.is_outbound() && msg.scriptpubkey.len() > 42 { |
There was a problem hiding this comment.
Hmm, I dont see why this check had an is_outbound() on it - it didn't matter because the script had to be a more concrete (and small) type in the next check, but now it does. This check should probably also move into unsupported_witness_shutdown_script IMO.
|
Updated the PR with 3 commits to handle the latest feedback. |
|
Added a new commit to tidy up things. |
There was a problem hiding this comment.
Hmmm, so if I'm reading this right, you're suggesting that if they say they don't support shutdown anysegwit, but the script is witness, we fail right away?
After last LN devs meeting, we concluded this behavior can happen but was likely to be that much an edge-case that it wasn't worthy to mention even in the spec. If we or our peer forget we support opt_shutdown_anysegwit between channel opening and shutdown let's reject the witness and go for an unilateral close.
| fn is_unsupported_shutdown_script(their_features: &InitFeatures, scriptpubkey: &Script, is_outbound: bool) -> bool { | ||
| // BOLT 2 says we must only send a scriptpubkey of certain standard forms, | ||
| // which for a a BIP-141-compliant witness program is at max 42 bytes in length. | ||
| // So don't let the remote peer feed us some super fee-heavy script. |
There was a problem hiding this comment.
We restrain shutdown scripts for at least different reasons :
a) to avoid fee-heavy script costing us a lot if we're funder (fees are only paid by funder for now)
b) to avoid transactions not propagating on the p2p tx-relay network (e.g sending you a 20-of-20 CHECKMULTISIG scriptpubkey, too big)
I think the first one is clear enough but would be better to underscore b), standardness is a more restrictive notion than smallness
There was a problem hiding this comment.
Hmmm, this comment was already in place before this PR (see here). All I have done here is move it as a result of moving the validation code, and add a very small modification that you mentioned in this PR before.
If you want something different, can you be specific on the exact comment you want in the code? I can copy/paste what you said 👆 but not sure that's exactly what you want.
There was a problem hiding this comment.
I think the risk of non-standard transactions broadcasts should be mentioned, it's the reason why those checks should be applied independently of funder/fundee role.
"We restrain shutdown scripts to standards forms to avoid transactions not propagating on the p2p tx-relay network"
lightning/src/ln/channel.rs
Outdated
| // So don't let the remote peer feed us some super fee-heavy script. | ||
| let is_script_too_long = is_outbound && scriptpubkey.len() > 42; | ||
| let not_valid_witness = !their_features.supports_shutdown_anysegwit() && scriptpubkey.is_witness_program(); | ||
| return is_script_too_long || (not_valid_witness && !scriptpubkey.is_p2pkh() && !scriptpubkey.is_p2sh() && !scriptpubkey.is_v0_p2wpkh() && !scriptpubkey.is_v0_p2wsh()) |
There was a problem hiding this comment.
I don't think we need to check script length at all. P2PKH, P2SH and segwit scriptpubkeys by defintion MUST be inferior to 42 bytes.
For not_valid_witness, I think you need to pass our features support to check that our node is supporting shutdown_anysegwit.
There was a problem hiding this comment.
The is_script_too_long thing is also applied for anysegwit, so I think its fine?
As for checkout our own features - we always use Features::supported() so there's nothing to check against. We can revisit if we build a way for users to configure different features themselves.
There was a problem hiding this comment.
Ah! is_witness_program enforces size already https://docs.rs/bitcoin/0.26.0/src/bitcoin/blockdata/script.rs.html#366. I don't mind (kinda like) enforcing it double, but could be commented to note that.
There was a problem hiding this comment.
Hmmmmm, I would keep the check because the check inside is_witness_program should only be done if they support shutdown any segwit (I'll comment on the condition in the other comment).
lightning/src/ln/channel.rs
Outdated
| // BOLT 2 says we must only send a scriptpubkey of certain standard forms, | ||
| // which for a a BIP-141-compliant witness program is at max 42 bytes in length. | ||
| // So don't let the remote peer feed us some super fee-heavy script. | ||
| let is_script_too_long = is_outbound && scriptpubkey.len() > 42; |
There was a problem hiding this comment.
is_outbound isn't relevant here - see first half of #794 (comment)
There was a problem hiding this comment.
Hmmmm, I don't understand. I thought you meant that the check had to be moved into the function?
There was a problem hiding this comment.
That's what the second part suggested. I didn't fully understand what you really were after with the first part of the comment :\
There was a problem hiding this comment.
Tried to clarify on slack, sorry for the confusion. My point there was that I think we should do the script_too_long check in both the outbound and inbound channels, so no need for an is_outbound check here. This is a change against master, but not in practice, since the list of standard output types all come with a strict length check.
lightning/src/ln/channel.rs
Outdated
| @@ -773,7 +774,7 @@ impl<ChanSigner: ChannelKeys> Channel<ChanSigner> { | |||
| channel_transaction_parameters: ChannelTransactionParameters { | |||
| holder_pubkeys: pubkeys, | |||
| holder_selected_contest_delay: config.own_channel_config.our_to_self_delay, | |||
| is_outbound_from_holder: false, | |||
| is_outbound_from_holder: is_outbound, | |||
There was a problem hiding this comment.
Note that in this context (new_from_req) we're handling an incoming channel_open message so it is always inbound. I think the outbound parameter can be dropped from is_unsupported_shutdown_script anyway, so should just drop the is_outbound variable.
There was a problem hiding this comment.
If the outbound parameter check is dropped from is_unsupported_shutdown_script, is it kept anywhere in the context of handling shutdown?
lightning/src/ln/channel.rs
Outdated
| // So don't let the remote peer feed us some super fee-heavy script. | ||
| let is_script_too_long = is_outbound && scriptpubkey.len() > 42; | ||
| let not_valid_witness = !their_features.supports_shutdown_anysegwit() && scriptpubkey.is_witness_program(); | ||
| return is_script_too_long || (not_valid_witness && !scriptpubkey.is_p2pkh() && !scriptpubkey.is_p2sh() && !scriptpubkey.is_v0_p2wpkh() && !scriptpubkey.is_v0_p2wsh()) |
There was a problem hiding this comment.
The is_script_too_long thing is also applied for anysegwit, so I think its fine?
As for checkout our own features - we always use Features::supported() so there's nothing to check against. We can revisit if we build a way for users to configure different features themselves.
lightning/src/ln/channel.rs
Outdated
| // which for a a BIP-141-compliant witness program is at max 42 bytes in length. | ||
| // So don't let the remote peer feed us some super fee-heavy script. | ||
| let is_script_too_long = is_outbound && scriptpubkey.len() > 42; | ||
| let not_valid_witness = !their_features.supports_shutdown_anysegwit() && scriptpubkey.is_witness_program(); |
There was a problem hiding this comment.
Shouldn't this be !their_features.supports_shutdown_anysegwit() || !scriptpubkey.is_witness_program()? That would mean the script is invalid if the script is too long, or ((its not a witness or they didn't say they wanted any witness) and its not an otherwise-known type).
There was a problem hiding this comment.
Indeed this doesn't seem right. their_features.supports_shutdown_anysegwit() && !scriptpubkey.is_witness_program() sounds better in my head...
There was a problem hiding this comment.
Oops, this the witness check is also incorrect - witness version 0 where the push size is not 20 or 32 is non-standard so would result in us signing a non-standard transaction. The BOLT PR captures this, noting that anysegwit enables " OP_1 through OP_16 inclusive, followed by a single push of 2 to 40 bytes" but not OP_0.
There was a problem hiding this comment.
I'll add a specific test to make sure OP_0 starting script fails and will adjust other test to make sure OP_1 or any following are allowed.
lightning/src/ln/features.rs
Outdated
| @@ -253,6 +261,8 @@ mod sealed { | |||
| "Feature flags for `payment_secret`."); | |||
| define_feature!(17, BasicMPP, [InitContext, NodeContext], | |||
| "Feature flags for `basic_mpp`."); | |||
| define_feature!(25, ShutdownAnySegwit, [InitContext, NodeContext], | |||
There was a problem hiding this comment.
The spec PR has changed to 27.
There was a problem hiding this comment.
Thx for heads up, I'll rebase and readjust as the last step.
galderz
force-pushed
the
t_opt_shutdown_anysegwit_780
branch
from
a286007
to
479070d
Compare
|
I've squashed all the work so far (except the spec number update) so that I could easily rebase with the latest changes in main. Before squashing I added the following changes that should handle all the latest comments:
|
lightning/src/ln/channel.rs
Outdated
|
|
||
| // Providing an empty is supported | ||
| let script_lenght = script.len(); | ||
| if script_lenght == 0 { |
There was a problem hiding this comment.
This means we'll accept an empty script in shutdown, which we definitely cannot do - an empty script will be nonstandard. I think instead just check the 0-length case directly in the accept_channel/open_channel handling.
lightning/src/ln/channel.rs
Outdated
| // PUSHNUM_1-PUSHNUM_16 | ||
| && (script_bytes[0] >= min_vernum && script_bytes[0] <= max_vernum) | ||
| // Second byte push opcode 2-40 bytes | ||
| && script_bytes[1] >= opcodes::all::OP_PUSHBYTES_2.into_u8() |
There was a problem hiding this comment.
Why not allow PUSHBYTES_1? More generally, instead of adding a bunch of script parsing code, can we not just switch to script.is_witness_script() && script.as_bytes()[0] != OP_PUSHNUM_1? That should be less error-prone.
lightning/src/ln/functional_tests.rs
Outdated
| let node_chanmgrs = create_node_chanmgrs(3, &node_cfgs, &user_cfgs); | ||
| let nodes = create_network(3, &node_cfgs, &node_chanmgrs); | ||
|
|
||
| //// We test that if the remote peer does not accept opt_shutdown_anysegwit, the witness program cannot be used on shutdown |
There was a problem hiding this comment.
This comment is wrong - we're using anysegwit here, but checking that a nonstandard-size version-0 script fails.
|
Addressed latest round of feedback:
|
|
Code Review ACK 6746a16 modulo squash! |
Indeed I think the same. It's just that sometimes when I'm working on a PR I like to keep the commits separate so that it's easier for the reviewer what feedback has just been handled. This means that the reviewer can focus a subsequent review in just the last commit. Indeed at the end I normally squash things unless there's a good reason to keep them separate (e.g. make backporting easier or clear distinct functionality). We're on the same page :) |
* Implemented protocol. * Made feature optional. * Verify that the default value is true. * Verify that on shutdown, if Channel.supports_shutdown_anysegwit is enabled, the script can be a witness program. * Added a test that verifies that a scriptpubkey for an unreleased segwit version is handled successfully. * Added a test that verifies that if node has op_shutdown_anysegwit disabled, a scriptpubkey with an unreleased segwit version on shutdown throws an error. * Added peer InitFeatures to handle_shutdown * Check if shutdown script is valid when given upfront. * Added a test to verify that an invalid test results in error. * Added a test to check that if a segwit script with version 0 is provided, the updated anysegwit check detects it and returns unsupported. * An empty script is only allowed when sent as upfront shutdown script, so make sure that check is only done for accept/open_channel situations. * Instead of reimplementing a variant of is_witness_script, just call it and verify that the witness version is not 0.
galderz
force-pushed
the
t_opt_shutdown_anysegwit_780
branch
from
6746a16
to
24ed1dc
Compare
|
Commits squashed 😊 |
This is a draft PR for #780.
So far it includes:
The following is a checklist of doubts / todos I'd like to resolve:
scriptpubkeyon shutdown is a witness program, in order to verify that it's handled as correctly. Do you have any pointers for how to test this? Would it be another unit test inchannel.rsor a functional test infunctional_tests.rs?scriptpubkeysupports a witness program? I've added checks for it in the PR but I'd like to make sure they work.new_from_reqandaccept_channelthat affects this PR. Should that be refactored? Wouldchannel.rsbe the best place for it?KeysInterface.get_shutdown_pubkeyAPI (as suggested by Matt on here.p.s. This is fun :)