Require payment secrets and track them in ChannelManager

[TheBlueMatt]

This should massively reduce confusion and foot-guns around our PaymentReceived event handling.

Still a few TODOs and some docs to write, but this is basically there. Next step would be to add utilities for invoices to use the new APIs exposed here.

[valentinewallace]

This is roughly the top-level API I was picturing:

impl Invoice {
	pub fn from_channelmanager<Signer: Sign, M: Deref, T: Deref, K: Deref, F:
	Deref, L: Deref>(channelmanager: &ChannelManager<Signer, M, T, K, F, L>,
			our_node_privkey: SecretKey, amt_msat: u64, preimage: PaymentPreimage,
			payment_secret: PaymentSecret, description: String, network: Network) ->
		Result<Invoice, CreationError>

And in my mind, this function^ then calls a new method channel_manager.invoice_generated(preimage, secret, amt, cltv) which then stores the info.

So I guess that makes me a bit confused where get_payment_secret_preimage and get_payment_secret fit into the equation. Maybe giving example usage in the docs would help?

FYI @jkczyz I think I told you I was creating this API^ but ended up passing the buck to Matt yesterday, who then created this PR.

[TheBlueMatt]

I think we should (a) drop the node_privkey parameter and expose it from ChannelManager, (b) make amount_msat Optional (so that people can do 0-value invoices), though I guess they could pass 0?, (d) drop the preimage and secret parameters.

Then that method would call chanman.get_payment_secret_preimage(amount, DEFAULT_EXPIRY) and use the payment secret and hash provided by that method, then calling chanman.get_node_key when signing.

[valentinewallace]

Ah okay... So when does the user have an opportunity to store the payment preimage/secret? (I know we're currently not dropping them on expiry, but I presume that we plan to.)

[jkczyz]

Could I help by writing that utility based off this work? Or is someone already working on it?

[valentinewallace]

Discussed offline, I have a half-finished utility so gonna update features and then PR the utility based on this PR.

[TheBlueMatt]

So when does the user have an opportunity to store the payment preimage/secret?

I thought the goal was that they wouldn't have to? :) But, generally, if the user wants to store it, they can do it after calling get_payment_secret_preimage or, if they prefer to generate their own preimage, before calling get_payment_secret.

[codecov]

Codecov Report

Merging #893 (b7bc634) into main (affefb6) will increase coverage by 0.03%.
The diff coverage is 93.76%.

❗ Current head b7bc634 differs from pull request most recent head 615ef7d. Consider uploading reports for the commit 615ef7d to get more accurate results

@@            Coverage Diff             @@
##             main     #893      +/-   ##
==========================================
+ Coverage   90.39%   90.43%   +0.03%     
==========================================
  Files          57       57              
  Lines       29353    29501     +148     
==========================================
+ Hits        26535    26679     +144     
- Misses       2818     2822       +4     

Impacted Files	Coverage Δ
lightning/src/ln/functional_tests.rs	97.06% <ø> (+0.04%)	⬆️
lightning/src/util/events.rs	17.27% <0.00%> (-1.00%)	⬇️
lightning/src/ln/channelmanager.rs	83.42% <89.43%> (+0.27%)	⬆️
lightning-persister/src/lib.rs	94.06% <100.00%> (ø)
lightning/src/chain/chainmonitor.rs	95.52% <100.00%> (ø)
lightning/src/ln/chanmon_update_fail_tests.rs	97.64% <100.00%> (+<0.01%)	⬆️
lightning/src/ln/features.rs	98.81% <100.00%> (ø)
lightning/src/ln/functional_test_utils.rs	95.06% <100.00%> (-0.03%)	⬇️
lightning/src/ln/onion_route_tests.rs	96.80% <100.00%> (+0.03%)	⬆️
lightning/src/ln/reorg_tests.rs	99.62% <100.00%> (ø)
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update affefb6...615ef7d. Read the comment docs.

[TheBlueMatt]

Aside from some minor issues noted in the last commit and some new tests which are required, this should be good for review! Sorry about the delay, I thought it was closer than it was yesterday.

[jkczyz]

I wonder if these two methods are trait-worthy. It may have (1) a single method for creating an inbound payment and generating/storing the preimage as it sees fit (rather than two methods) and (2) a method for retrieving this data including the preimage.

Or is there a reason why PaymentReceived should not contain a preimage that was generated elsewhere?

[TheBlueMatt]

Hmm, what exactly did you have in mind? A trait that ChannelManager implements? Or a trait for fetching payment preimages against a user implementation of some trait (presumably with some default implementation)?

In general I don't mind doing this via some external trait, but I do worry that we'd be adding a chunk of complexity to make users serialize yet another object that stores payment preimages (which is already the case, but I figured we could drop that requirement).

[jkczyz]

Decided to keep the interface as-is for now after offline discussion on Slack. For posterity: https://lightningdevkit.slack.com/archives/CTBLT3CAU/p1619364792017100

[TheBlueMatt]

Addressed outstanding comments and issues, as well as added appropriate testing. Should be good to go.

[jkczyz]

Is running over ok as per create_inbound_payment_for_hash's docs?

[TheBlueMatt]

No - running over inbound_payment.get().min_value_msat (which comes from create_inbound_payment_for_hash) is fine, but running over payment_data.total_msat (which comes from the HTLC sender) is not. The second is controlled by the spec.

[valentinewallace]

This looks pretty much good to me!

I wasn't sure what you meant by this on Slack: "actually handling preimages could use some thinking to see if you can figure a way to distinguish between "node knows preimage" and "node doesn't know preimage" if you only have a payment hash but not the payment secret -- is this in process_pending_htlc_forwards?

[TheBlueMatt]

Pushed a set of changes to swap out the expiration height for time - invoices use time not height, so it was incongruous. Of course time is a bit more awkward since we only extract time from block headers, but it should work alright and doesn't need to be perfect.

[valentinewallace]

nit: could note that entries are also removed when they expire

[valentinewallace]

Should this be enforced somehow, ideally?

[TheBlueMatt]

Yes! I don't know that Rust has a built-in way to do this :(. I suppose we could add our own lock-order detection, and maybe we should when we move to per-channel locks, but its probably a bit out of scope here :/.

[valentinewallace]

Don't think this check: htlc.value > expected_amount * 2 was migrated anywhere, is it needed?

[TheBlueMatt]

It only really applies for non-MPP - pre-MPP "don't overpay massively" was one (kinda poor) heuristic suggested in the spec to ignore sends from people other than the invoice-recipient. Once we have the payment secret, we don't really care too much, and the sender (who proved their knowledge of the payment preimage) sends also the specific amount we should expect, which we enforce is identical.

[ariard]

Small thing but not tested AFAICT:

diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
index 9a52828b..b2d4e3b6 100644
--- a/lightning/src/ln/channelmanager.rs
+++ b/lightning/src/ln/channelmanager.rs
@@ -3379,7 +3379,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
        }
 
        fn set_payment_hash_secret_map(&self, payment_hash: PaymentHash, payment_preimage: Option<PaymentPreimage>, min_value_msat: Option<u64>, invoice_expiry_delta_secs: u32, user_payment_id: u64) -> Result<PaymentSecret, APIError> {
-               assert!(invoice_expiry_delta_secs <= 60*60*24*365); // Sadly bitcoin timestamps are u32s, so panic before 2106
+               //assert!(invoice_expiry_delta_secs <= 60*60*24*365); // Sadly bitcoin timestamps are u32s, so panic before 2106
 
                let payment_secret = PaymentSecret(self.keys_manager.get_secure_random_bytes());

[ariard]

Super likely we'll need to replace with a new keysinterface method for AMP/PTLC support where you want to enforce a cryptographic relation between the payment path identifier and the packet redeeming secret. But that's maybe too far ahead and we'll need to tweak this API anyway...

Shorter term, is this API keysend-proof where the payment_secret is actually provided by the payer ?

[TheBlueMatt]

Super likely we'll need to replace with a new keysinterface method for AMP/PTLC support where you want to enforce a cryptographic relation between the payment path identifier and the packet redeeming secret.

Hmm, I wasn't under the impression it would matter? The only relation that matters for the payment secret for invoice-initiated payments is that it came from the invoice to authenticate the sender. I kinda assumed PTLC stuff will only impact the payment hash-payment preimage relation, but maybe I'm missing something obvious?

Shorter term, is this API keysend-proof

IIUC, keysend implies reading the payment preimage from the final hop onion TLV, which you can't do with either the current or the new API. We need to have a completely separate HTLC-processing path for HTLCs identifying themselves as keysend.

[ariard]

Hmm, I wasn't under the impression it would matter?

After reading again the documentation available on PTLC (https://github.com/ElementsProject/scriptless-scripts/blob/master/md/multi-hop-locks.md) I think you're right and we might still need a payment_secret in the future to associate adaptor secret to final pointlock otherwise you might to create all adaptor sigs combinations you know about, which might be a DoS vector...

We need to have a completely separate HTLC-processing path for HTLCs identifying themselves as keysend.

Right and it needs to start as deep as adding a new msgs::OnionHopDataFormat and corresponding processing in decode_update_add_htlc_onion

[ariard]

Can a counterparty replay announcement signatures to prevent expiration of our pending payments ?

In internal_announcement_signatures, we generate a BroadcastChannelAnnouncement if signatures validation is successful. But we don't seem to prevent replay.

Following BroadcastChannelAnnouncement documentation it says :

Note that after doing so, you very likely (unless you did so very recently) want to call ChannelManager::broadcast_node_announcement...

If implemented automatically, this call to broadcast_node_announcement will increase our self.last_node_announcement_serial by one.

In best_block_updated, we'll keep the max between current last_node_announcement_serial and header time. If old serial is superior to header time we'll never expire payments ?

I think potential manipulation of last_node_announcement_serial is already there before this PR ? Maybe we should upper bound on some assumptions on block variance. Like no more than 300 updates per-block interval.

[TheBlueMatt]

Hmm, good point, I hadn't caught the docs suggesting that (I'd only looked at the explicit uses of last_node_announcement_serial. If we feel strongly, we should probably just add a second variable which only tracks header times rather than bothering mixing two different uses in the same variable. As for the general case around last_node_announcement_serial, do we actually care if we end up with some super high serial number for our node announcements? Last I checked the spec indicated that's allowed but I may be wrong now.

[ariard]

As for the general case around last_node_announcement_serial, do we actually care if we end up with some super high serial number for our node announcements? Last I checked the spec indicated that's allowed but I may be wrong now.

Yes i think we don't care about a super high serial number for our node announcements, unless other implementations have some custom upper bounds or discard any further announcements about some rate. Though to be honest, accidental or malicious partitions from the rest of the gossip layer are still ranking as a low-priority for me. I was more concerned with the payment reception interference here.

Thanks for adding highest_seen_timestamp.

[ariard]

Expiration is gateway on header time superior to old_serial so the risk is more never expiring a never-received inbound payment ?

Also I don't think the relation between "once per second" and "more than two hours in the future" is really clear. The problem is last_announcement_serial getting forever in advance of the block time, i.e if you generate more than 600 updates per-expected block interval. Of course your header time can still jump to 2 hours in the future per-consensus rules and swallow back the delay...and then your last_announcement_serial jumping ahead in the time race again. Not clearly easy to explain and reasoning on.

[TheBlueMatt]

Hmm, do you have a concrete suggestion to improve it? I'll go ahead and drop the reliance on last_node_announcement_serial here and just add a new field to track highest-header, which simplifies it some, but I'm not sure how to further simplify it.

[TheBlueMatt]

I wasn't sure what you meant by this on Slack: "actually handling preimages could use some thinking to see if you can figure a way to distinguish between "node knows preimage" and "node doesn't know preimage" if you only have a payment hash but not the payment secret -- is this in process_pending_htlc_forwards?

Correct, yes - if a third-party which does not know the payment secret can distinguish between "knows preimage" and "doesn't know preimage" in our handling of HTLCs anywhere, then we're vulnerable to some probing attacks. I believe this code correctly handles both "payment secret doesn't match" and "we don't know the preimage" identically, making such probing impossible.

[valentinewallace]

LGTM, fine to leave anything further to follow-up

[valentinewallace]

Maybe we could give a hint for how users should compute this number (i.e., should it be at least the highest cltv_expiry_delta of their route hints, if that makes sense?)

[TheBlueMatt]

Hmm, good point. I'm not sure what it should be - the limit is unrelated to the cltv_expiry, which is relative to the block height at the time the invoice is paid/received, but the timeout is relative to when the invoice is generated. Its really up to the user for how long they want the invoice to still be valid. Maybe we can better capture that requirement in the docs (or mention the default of 2 hours) - do you have any suggestions?

[valentinewallace]

Ah, I see. I think it may have just been my misunderstanding, hmm. I think mentioning the default would be helpful.

[TheBlueMatt]

Pushed a fixup commit, let me know if its good and I'll squash + merge.

[valentinewallace]

LGTM

[jkczyz]

Overall looks good. I'm sure we can iterate on the API once we get a better sense of the use cases.

[TheBlueMatt]

Squashed the fixup commits so CI should hopefully pass now. The fuzz CI failure here is #902.

[TheBlueMatt]

Only diff is docs, gonna merge once all the non-fuzz CI passes (fuzz will have to wait for 902):

$ git diff-tree -U1 7f320f546 615ef7d6f
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
index 752452414..31529343d 100644
--- a/lightning/src/ln/channelmanager.rs
+++ b/lightning/src/ln/channelmanager.rs
@@ -3460,2 +3460,6 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 	/// in excess of the current time. This should roughly match the expiry time set in the invoice.
+	/// After this many seconds, we will remove the inbound payment, resulting in any attempts to
+	/// pay the invoice failing. The BOLT spec suggests 7,200 secs as a default validity time for
+	/// invoices when no timeout is set.
+	///
 	/// Note that we use block header time to time-out pending inbound payments (with some margin

[ariard]

Post-merge Code Review ACK 615ef7d

[ariard]

FYI, we might scale up those delays in function of HTLC value and counterparty risk in the future. I believe one of the issue down the road is a weird dependency where the invoice also has to commit to a specific r field to force inbound receiving through the private channel with the corresponding scaled-on-purpose MIN_FINAL_CLTV_EXPIRY.

[TheBlueMatt]

Right, that would make sense. We'll need a new API then either way cause presumably we'll want some kind of configurability then as well.

[ariard]

Hmm, I wasn't under the impression it would matter?

After reading again the documentation available on PTLC (https://github.com/ElementsProject/scriptless-scripts/blob/master/md/multi-hop-locks.md) I think you're right and we might still need a payment_secret in the future to associate adaptor secret to final pointlock otherwise you might to create all adaptor sigs combinations you know about, which might be a DoS vector...

We need to have a completely separate HTLC-processing path for HTLCs identifying themselves as keysend.

Right and it needs to start as deep as adding a new msgs::OnionHopDataFormat and corresponding processing in decode_update_add_htlc_onion

[ariard]

Good with the API, only concern is a limit pending_inbound_payments(MAX_PENDING_PAYMENTS=10000). Otherwise if your payment logic generates invoices on third-party demand and call create_inbound_payment_for_hash in consequence you have a DoS vector ? Even if I don't know how much we should care about unsafe use of the API this one sounds pretty easy to mitigate...

[TheBlueMatt]

Hmmm, that's definitely a good question. I don't really know that that's a requirement at our layer - certainly some users (especially those on a server providing access to inbound payments via an API) may want a huge limit, and others a very small one. Presumably you also want rate-limiting by the client, not just a strict limit. We can certainly mention it in the docs, is that sufficient?

[TheBlueMatt]

Mentioned in #905.