Revocation enforcement

[devrandom]

We want to make sure that we don't sign revoked transactions.

Given that ChannelKeys (actually EnforcingChannelKeys) are not singletons and revocation enforcement is stateful, we need to store the revocation state in KeysInterface.

This builds on #761. The first new commit "Use TestKeysInterface in functional tests" could be folded in to that PR.

[codecov]

Codecov Report

Merging #764 (142b0d6) into main (21a44da) will increase coverage by 0.04%.
The diff coverage is 96.26%.

@@            Coverage Diff             @@
##             main     #764      +/-   ##
==========================================
+ Coverage   91.24%   91.28%   +0.04%     
==========================================
  Files          37       37              
  Lines       22846    22920      +74     
==========================================
+ Hits        20845    20922      +77     
+ Misses       2001     1998       -3     

Impacted Files	Coverage Δ
lightning/src/util/enforcing_trait_impls.rs	90.19% <80.76%> (-9.81%)	⬇️
lightning/src/chain/keysinterface.rs	93.47% <100.00%> (+0.17%)	⬆️
lightning/src/ln/chanmon_update_fail_tests.rs	97.56% <100.00%> (ø)
lightning/src/ln/functional_test_utils.rs	95.13% <100.00%> (+<0.01%)	⬆️
lightning/src/ln/functional_tests.rs	97.18% <100.00%> (+0.23%)	⬆️
lightning/src/ln/onchaintx.rs	94.02% <100.00%> (ø)
lightning/src/util/test_utils.rs	84.78% <100.00%> (+1.10%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 21a44da...142b0d6. Read the comment docs.

[devrandom]

I'm seeing a fuzzing problem, but after trying to fix it, looks like there's an actual out of order revocation.

The fuzz target is: TARGET=chanmon_consistency HEX=2d321d51ffff0b1030341d51ffff0b100a2d

[devrandom]

Fuzzing issue fixed

[TheBlueMatt]

One nit.

[TheBlueMatt]

Hmm, at least here, maybe elsewhere - dont we create the TestKeysInterface a few lines up, meaning we lose the state tracking?

[devrandom]

This is done, but together with the fix for the other nit, a significant issue was uncovered in data_loss_protect handling.

It looks like the Node Drop implementation does a serialization round-trip, which ends up trying to broadcast a revoked commitment tx, since we restored an old state. This seems to be an actual issue with channel reestablish - not sure how you intended it to recover going forward since it's out of sync. It seems like if there's data-loss, we have to update our commitment number instead of just erroring in channel_reestablish?

[TheBlueMatt]

Hmm, can you push the branch that demonstrates that somewhere? I suppose the "right" answer could be to not panic, return an Err, make sure ChannelMonitor handles that fine (it should?) and then hope we can broadcast the current state when our counterparty broadcasts theirs. That's not quite enough because we should be able to broadcast the old state manually, but then it'd be up to the signer to accept a stale state if we give up waiting on our counterparty.

[TheBlueMatt]

I suppose we could tweak the signer to check a boolean whether we should panic or not and in a few tests (like this one), let it Err instead of panicing and then test that we can still claim a counterparty-broadcasted tx or retry broadcasting our state later.

[devrandom]

Sorry, pushed now, forgot yesterday.

[devrandom]

It seems like full support for data_loss_protect would entail putting the system in a state where it doesn't try to go on-chain, because we don't have the needed data for a non-revoked tx. Punting on that for later, I've added a commit that marks the node as failed and doesn't try to execute Node::Drop for the node that suffered the data-loss in test_data_loss_protect.

[devrandom]

As discussed elsewhere, we now return Err when there is a revocation issue and err_on_sign_revoked_holder_tx is on in TestKeysInterface / EnforcingChannelKeys.

[devrandom]

... however, this workaround no longer works as a result of OnChainTx.holder_commitment no longer being optional. As part of that change, we panic if an Err is return when trying to sign the latest commitment. Also, this is now an issue also in tests that test justice reactions by simulating a bad actor - they panic during HTLC claims when they react to their own broadcast.

I see a couple of approaches:

• propagate the Err up the call stack and don't panic
• simulate bad actor / data loss more accurately by rolling back the signer or at least the revocation counter

The rebase that fails tests was pushed just now.

[devrandom]

Actually, the simplest fix is to disable the revocation enforcement for these spots.

[devrandom]

Due to issues described in #775, test_data_loss_protect isn't quite right, but we're not going to fix this right now.

The panic has been changed to an Err.

[TheBlueMatt]

The panic has been changed to an Err.

Can we have the test enforcing signer have an internal setting to either panic or return an Err so we still ensure we hit panics in most tests, with a comment pointing to the new issue in test_data_loss_protect.

[devrandom]

Added err_on_sign_revoked_holder_tx. The issue is mentioned at the top of test_data_loss_protect

[TheBlueMatt]

This looks good mod the fuzzers failing to compile. One nit bug no need to fix it now.

[devrandom]

Ran into an issue in #764 (comment) after rebase, will look into possible approaches.

[devrandom]

Ran into an issue in #764 (comment) after rebase, will look into possible approaches.

This has been corrected, and the PR is ready for final review.

[ariard]

Just minor comments otherwise SGTM.

[devrandom]

Added some more docs, please take a look. I believe this addresses all outstanding comments.

[ariard]

Post-Merge Code Review ACK 142b0d6