lightningnetwork / lnd / 11170835610

package chanbackup

import (

        "bytes"

        "fmt"

        "io"

        "net"

        "github.com/btcsuite/btcd/btcec/v2"

        "github.com/btcsuite/btcd/btcutil"

        "github.com/btcsuite/btcd/chaincfg/chainhash"

        "github.com/btcsuite/btcd/wire"

        "github.com/lightningnetwork/lnd/channeldb"

        "github.com/lightningnetwork/lnd/keychain"

        "github.com/lightningnetwork/lnd/lnencrypt"

        "github.com/lightningnetwork/lnd/lnwire"

)

// SingleBackupVersion denotes the version of the single static channel backup.

// Based on this version, we know how to pack/unpack serialized versions of the

// backup.

type SingleBackupVersion byte

const (

        // DefaultSingleVersion is the default version of the single channel

        // backup. The serialized version of this static channel backup is

        // simply: version || SCB. Where SCB is the known format of the

        // version.

        DefaultSingleVersion = 0

        // TweaklessCommitVersion is the second SCB version. This version

        // implicitly denotes that this channel uses the new tweakless commit

        // format.

        TweaklessCommitVersion = 1

        // AnchorsCommitVersion is the third SCB version. This version

        // implicitly denotes that this channel uses the new anchor commitment

        // format.

        AnchorsCommitVersion = 2

        // AnchorsZeroFeeHtlcTxCommitVersion is a version that denotes this

        // channel is using the zero-fee second-level anchor commitment format.

        AnchorsZeroFeeHtlcTxCommitVersion = 3

        // ScriptEnforcedLeaseVersion is a version that denotes this channel is

        // using the zero-fee second-level anchor commitment format along with

        // an additional CLTV requirement of the channel lease maturity on any

        // commitment and HTLC outputs that pay directly to the channel

        // initiator.

        ScriptEnforcedLeaseVersion = 4

        // SimpleTaprootVersion is a version that denotes this channel is using

        // the musig2 based taproot commitment format.

        SimpleTaprootVersion = 5

)

// Single is a static description of an existing channel that can be used for

// the purposes of backing up. The fields in this struct allow a node to

// recover the settled funds within a channel in the case of partial or

// complete data loss. We provide the network address that we last used to

// connect to the peer as well, in case the node stops advertising the IP on

// the network for whatever reason.

//

// TODO(roasbeef): suffix version into struct?

type Single struct {

        // Version is the version that should be observed when attempting to

        // pack the single backup.

        Version SingleBackupVersion

        // IsInitiator is true if we were the initiator of the channel, and

        // false otherwise. We'll need to know this information in order to

        // properly re-derive the state hint information.

        IsInitiator bool

        // ChainHash is a hash which represents the blockchain that this

        // channel will be opened within. This value is typically the genesis

        // hash. In the case that the original chain went through a contentious

        // hard-fork, then this value will be tweaked using the unique fork

        // point on each branch.

        ChainHash chainhash.Hash

        // FundingOutpoint is the outpoint of the final funding transaction.

        // This value uniquely and globally identities the channel within the

        // target blockchain as specified by the chain hash parameter.

        FundingOutpoint wire.OutPoint

        // ShortChannelID encodes the exact location in the chain in which the

        // channel was initially confirmed. This includes: the block height,

        // transaction index, and the output within the target transaction.

        // Channels that were not confirmed at the time of backup creation will

        // have the funding TX broadcast height set as their block height in

        // the ShortChannelID.

        ShortChannelID lnwire.ShortChannelID

        // RemoteNodePub is the identity public key of the remote node this

        // channel has been established with.

        RemoteNodePub *btcec.PublicKey

        // Addresses is a list of IP address in which either we were able to

        // reach the node over in the past, OR we received an incoming

        // authenticated connection for the stored identity public key.

        Addresses []net.Addr

        // Capacity is the size of the original channel.

        Capacity btcutil.Amount

        // LocalChanCfg is our local channel configuration. It contains all the

        // information we need to re-derive the keys we used within the

        // channel. Most importantly, it allows to derive the base public

        // that's used to deriving the key used within the non-delayed

        // pay-to-self output on the commitment transaction for a node. With

        // this information, we can re-derive the private key needed to sweep

        // the funds on-chain.

        //

        // NOTE: Of the items in the ChannelConstraints, we only write the CSV

        // delay.

        LocalChanCfg channeldb.ChannelConfig

        // RemoteChanCfg is the remote channel confirmation. We store this as

        // well since we'll need some of their keys to re-derive things like

        // the state hint obfuscator which will allow us to recognize the state

        // their broadcast on chain.

        //

        // NOTE: Of the items in the ChannelConstraints, we only write the CSV

        // delay.

        RemoteChanCfg channeldb.ChannelConfig

        // ShaChainRootDesc describes how to derive the private key that was

        // used as the shachain root for this channel.

        ShaChainRootDesc keychain.KeyDescriptor

        // LeaseExpiry represents the absolute expiration as a height of the

        // chain of a channel lease that is applied to every output that pays

        // directly to the channel initiator in addition to the usual CSV

        // requirement.

        //

        // NOTE: This field will only be present for the following versions:

        //

        // - ScriptEnforcedLeaseVersion

        LeaseExpiry uint32

}

// NewSingle creates a new static channel backup based on an existing open

// channel. We also pass in the set of addresses that we used in the past to

// connect to the channel peer.

func NewSingle(channel *channeldb.OpenChannel,

        // If a channel is unconfirmed, the block height of the ShortChannelID

        // is zero. This will lead to problems when trying to restore that

        // channel as the spend notifier would get a height hint of zero.

        // To work around that problem, we add the channel broadcast height

        // to the channel ID so we can use that as height hint on restore.

        // If this is a zero-conf channel, we'll need to have separate logic

        // depending on whether it's confirmed or not. This is because the

        // ShortChanID is an alias.

        }

        }

}

// Serialize attempts to write out the serialized version of the target

// StaticChannelBackup into the passed io.Writer.

        }

        // If the sha chain root has specified a public key (which is

        // optional), then we'll encode it now.

        // First we gather the SCB as is into a temporary buffer so we can

        // determine the total length. Before we write out the serialized SCB,

        // we write the length which allows us to skip any Singles that we

        // don't know of when decoding a multi.

        }

        // TODO(yy): remove the type assertion when we finished refactoring db

        // into using write buffer.

}

// PackToWriter is similar to the Serialize method, but takes the operation a

// step further by encryption the raw bytes of the static channel back up. For

// encryption we use the chacah20poly1305 AEAD cipher with a 24 byte nonce and

// 32-byte key size. We use a 24-byte nonce, as we can't ensure that we have a

// global counter to use as a sequence number for nonces, and want to ensure

// that we're able to decrypt these blobs without any additional context. We

// derive the key that we use for encryption via a SHA2 operation of the with

// the golden keychain.KeyFamilyBaseEncryption base encryption key.  We then

// take the serialized resulting shared secret point, and hash it using sha256

// to obtain the key that we'll use for encryption. When using the AEAD, we

// pass the nonce as associated data such that we'll be able to package the two

// together for storage. Before writing out the encrypted payload, we prepend

// the nonce to the final blob.

        // Finally, we'll encrypt the raw serialized SCB (using the nonce as

        // associated data), and write out the ciphertext prepend with the

        // nonce that we used to the passed io.Reader.

}

// readLocalKeyDesc reads a KeyDescriptor encoded within an unpacked Single.

// For local KeyDescs, we only write out the KeyLocator information as we can

// re-derive the pubkey from it.

}

// readRemoteKeyDesc reads a remote KeyDescriptor encoded within an unpacked

// Single. For remote KeyDescs, we write out only the PubKey since we don't

// actually have the KeyLocator data.

}

// Deserialize attempts to read the raw plaintext serialized SCB from the

// passed io.Reader. If the method is successful, then the target

// StaticChannelBackup will be fully populated.

        }

        // Finally, we'll parse out the ShaChainRootDesc.

        // Since this field is optional, we'll check to see if the pubkey has

        // been specified or not.

        }

        }

}

// UnpackFromReader is similar to Deserialize method, but it expects the passed

// io.Reader to contain an encrypt SCB. Refer to the SerializeAndEncrypt method

// for details w.r.t the encryption scheme used. If we're unable to decrypt the

// payload for whatever reason (wrong key, wrong nonce, etc), then this method

// will return an error.

        // Finally, we'll pack the bytes into a reader to we can deserialize

        // the plaintext bytes of the SCB.

}

// PackStaticChanBackups accepts a set of existing open channels, and a

// keychain.KeyRing, and returns a map of outpoints to the serialized+encrypted

// static channel backups. The passed keyRing should be backed by the users

// root HD seed in order to ensure full determinism.

func PackStaticChanBackups(backups []Single,

        }

}

// PackedSingles represents a series of fully packed SCBs. This may be the

// combination of a series of individual SCBs in order to batch their

// unpacking.

type PackedSingles [][]byte

// Unpack attempts to decrypt the passed set of encrypted SCBs and deserialize

// each one into a new SCB struct. The passed keyRing should be backed by the

// same HD seed as was used to encrypt the set of backups in the first place.

// If we're unable to decrypt any of the back ups, then we'll return an error.

        }

}

// TODO(roasbeef): make codec package?