Peer Storage Feature – Part 2

[adi2011]

This is the second PR in the peer storage feature series.

Key Changes

• Enable ChainMonitor to send peer storage to all channel partners whenever a new block is mined.
• Add get_peer_storage_key() to NodeSigner.
• Implement decryption logic for peer storage in handle_peer_storage_retrieval().

In the next one, I will add serialisation logic for ChannelMonitors inside peer storage.

[tnull]

Seems this isn't properly rebased, hence CI is failing?

[adi2011]

Seems this isn't properly rebased, hence CI is failing?

I think #3626 will fix this.

[tnull]

Seems this isn't properly rebased, hence CI is failing?

I think #3626 will fix this.

No, it fails with:

src/ln/our_peer_storage.rs - ln::our_peer_storage::OurPeerStorage (line 48) stdout ----
error[E0433]: failed to resolve: use of undeclared type `OurPeerStorage`
 --> src/ln/our_peer_storage.rs:49:28
  |
3 | let mut our_peer_storage = OurPeerStorage::new();
  |                            ^^^^^^^^^^^^^^ not found in this scope
  |
help: consider importing this struct
  |
2 | use lightning::ln::our_peer_storage::OurPeerStorage;
  |

error[E0433]: failed to resolve: use of undeclared type `OurPeerStorage`
 --> src/ln/our_peer_storage.rs:54:1
  |
8 | OurPeerStorage::decrypt_our_peer_storage(&mut decrypted, &encrypted).unwrap();
  | ^^^^^^^^^^^^^^ not found in this scope
  |
help: consider importing this struct
  |
2 | use lightning::ln::our_peer_storage::OurPeerStorage;
  |

error: aborting due to 2 previous errors

For more information about this error, try `rustc --explain E0433`.
Couldn't compile the test.

failures:
    src/ln/our_peer_storage.rs - ln::our_peer_storage::OurPeerStorage (line 48)

test result: FAILED. 28 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 3.00s

error: test failed, to rerun pass '--doc'

[adi2011]

That is because it’s trying to compile the commented code in the documentation, I will fix it in a bit.

[tnull]

Unfortunately CI is still failing as the code doesn't work in no_std.

[tnull]

As LDK also supports no_std, we need to make this code work in no_std environments. As accessing time is only available in std, it means we either need to find a way to have the user provide the timestamp themselves, or feature-gate the peer storage to only work on std.

That said, are we positive that we need a timestamp in the first place?

[adi2011]

No, I have added a timestamp so that if we receive multiple peer storage instances, we can select the latest one. I was thinking of replacing the timestamp with block height...

[TheBlueMatt]

Not sure why we need to select the latest one specifically? Can't we just decode all of them and see if any have new data for our ChannelMonitors?

[adi2011]

Thanks for the review @tnull.

Fixed the CI :)

[codecov]

Codecov Report

Attention: Patch coverage is 83.91960% with 32 lines in your changes missing coverage. Please review.

Project coverage is 89.37%. Comparing base (c355ea4) to head (7d56ef7).
Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	74.00%	12 Missing and 1 partial ⚠️
lightning/src/chain/chainmonitor.rs	80.95%	8 Missing ⚠️
lightning/src/ln/peer_handler.rs	60.00%	5 Missing and 1 partial ⚠️
lightning/src/ln/our_peer_storage.rs	95.55%	2 Missing ⚠️
lightning/src/util/test_utils.rs	66.66%	2 Missing ⚠️
lightning/src/ln/blinded_payment_tests.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3623      +/-   ##
==========================================
+ Coverage   89.20%   89.37%   +0.16%     
==========================================
  Files         155      156       +1     
  Lines      119377   121060    +1683     
  Branches   119377   121060    +1683     
==========================================
+ Hits       106496   108193    +1697     
+ Misses      10266    10262       -4     
+ Partials     2615     2605      -10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

No, this is a trait method, it doesn't, itself, do anything. Documentation on a trait method should describe what the method should do as well as additional context for when the method is called and possibly a possible implementation, but it what the method "does" do.

[adi2011]

Yes, makes sense. Fixed it.

[TheBlueMatt]

Rather than HKDF'ing from the node secret, let's derive a new key from the next hardened idx off the seed in KeysManager::new?

[adi2011]

Sure, I will update the PR to derive the key from the next hardened index. Could you share a bit more about the reasoning behind this approach?

[TheBlueMatt]

Seems weird to document private things?

[adi2011]

Yes. I initially implemented this with public fields for simplicity, but after further consideration, I refactored the code to use getter and setter methods instead.

[TheBlueMatt]

Not sure why we need to select the latest one specifically? Can't we just decode all of them and see if any have new data for our ChannelMonitors?

[TheBlueMatt]

I have no idea from the docs in this module what it means to "stub a channel" nor what this method does without looking at the code. Maybe just say that it "sets the serialized data to be included in the storage"?

[adi2011]

Sorry for being less descriptive. Fixed it.

[TheBlueMatt]

This flow is fairly brittle. We currently have to create a dummy OurPeerStorage with new, then store the data we need with stub_channels after calling encrypt_our_peer_storage on the data. But at no point does any of this change the type. Instead, why not just have a method to create_from_data that takes the key and does the encryption, and a decrypt(&self) -> Vec<u8> data that returns the data decrypted?

[adi2011]

Agreed. In the future PR we might need setter for ser_channels but not now. Thanks!

[TheBlueMatt]

Its not clear to me why this needs a trait? MessageSendEventsProvider already lets us send messages, and send_peer_storage is only called internally in chainmonitor.rs so it doesn't seem like something we need to expose to the world (let along via a trait rather than letting ChainMonitor have the method directly)

[adi2011]

Yes, that's what I initially thought as well. However, since we need to process events through PeerManager::process_events, I considered adding a new message handler to allow calling get_and_clear_pending_msg_events on ChainMonitor.

What could be an alternative structure that would still allow access to ChainMonitor::get_and_clear_pending_msg_events through PeerManager::process_events?

[TheBlueMatt]

We should explicitly document that this should be from the KeysManager's method to match what ChannelManager does.

[adi2011]

Thanks for pointing this out. Fixed!

[tnull]

Hmm, if it's ~a requirement to use the key retrieved via NodeSigner::get_peer_storage_key, why not actually introduce a PeerStorageKey (new)type rather than using a generic [u8; 32] that could be anything?

[adi2011]

I agree PeerStorageKey would be better than [u8; 32], what do you think @TheBlueMatt?

[TheBlueMatt]

Not sure I understand the point of storing this in the ChainMonitor all the time. Rather, isn't it simpler to just build the OurPeerStorage that we need when send_peer_storage is called, encrypt it, and directly enqueue it as a message?

[adi2011]

Agreed. Thanks for pointing out.

[TheBlueMatt]

Please pass the key and ciphertext as separate arguments rather than concatenating them.

[adi2011]

Implemented this change based on the feedback from #2943 (comment).

[tnull]

This unfortunately needs a rebase now.

[tnull]

nit: According to the Rust API guidlines, this should just be called ser_channels. Also, maybe it would be worth spelling/renaming out ser_channels as the name doesn't communicate super clearly what it holds.

Also, can we have this return a reference and leave it up to the callsite whether they want/need to clone or not?

[adi2011]

Thank you so much, @tnull and @TheBlueMatt, for taking the time to review this. I’ve done my best to address all the comments. Please let me know if there’s anything I might have missed or if further changes are needed.

[TheBlueMatt]

Not sure we need to warn our peer if they send us bogus data.

[adi2011]

This won’t lead to a unilateral close and is also mentioned in the spec.

It's not compulsory, but it won’t make much of a difference, I guess?

The receiver of peer_storage_retrieval:

when it receives peer_storage_retrieval with an outdated or irrelevant data:
       MAY send a warning.

[TheBlueMatt]

I guess it doesn't matter much, but if a peer is corrupting our data they probably know it cause they're corrupting state in other ways.

[TheBlueMatt]

We dont need to implement readable/writeable now since we use just a vec for the encrypted data, no?

[adi2011]

Writeable is used internally inside create_from_data, and Readable is used inside decrypt_our_peer_storage. I agree we currently don’t need them very much, but in the next one, we are going to use them for serialisation and deserialisation. Wouldn’t it be better to have it in this one instead of implementing serialisation and deserialisation logic directly within those functions?

[TheBlueMatt]

I don't think this needs to be a SecretKey? SecretKey implies secp256k1 operations. We really want a [u8; 32], I think.

[adi2011]

Done!

[tnull]

Well, that was my fault as I had requested it above. No strong opinion though, excuse the noise!

[TheBlueMatt]

This is given by the return type, we don't have to specify it.

[adi2011]

Yes, I wrote it just as a note to implementations. But, yeah, the return type specifies it. Removing it.

[TheBlueMatt]

What does this communicate that the function signature does not?

[TheBlueMatt]

I'm not sure what a "node-specific secret" means. Honestly, I'm not sure any of the sections below the first paragraph are needed.

[adi2011]

Yes, on second thought, I agree it’s unnecessary.

[TheBlueMatt]

Feel free to squash!

[TheBlueMatt]

There's no reason to allocate a new vec, just resize ser_channels to add 16 bytes to it and encrypt-in-place into it.

[adi2011]

Fixed, Thanks for the suggestions.

[TheBlueMatt]

Same here, we can decrypt in-place.

[adi2011]

Fixed...

[adi2011]

@tnull We're calling send_peer_storage from ChainMonitor, which doesn't have access to entropy_source to derive random_bytes. Is there any other way to generate random bytes?

[TheBlueMatt]

Got a way into this but realized it looks like we still need to change the encryption logic?

[TheBlueMatt]

nit make the functions links so that we get a compilation error if we change them without updating the docs here.

[adi2011]

Agreed.

[TheBlueMatt]

What does this communicate that the first paragraph did not?

[adi2011]

Agreed, modifying it. Thanks!

[TheBlueMatt]

Generally we try to avoid methods surprisingly cloning - we should either return a &Vec<u8>, or, really, in this case, change the method to a into_vec(self) -> Vec<u8> which consumes the object and is what the current only callsite wants.

[adi2011]

Agreed.

[TheBlueMatt]

nit: Seems a bit weird to have a constructor that can build a peer storage with invalid data. Its fine and maybe not worth changing, but in general this API feels really awkward. Its just a wrapper around a Vec<u8> but has no guarantees about what is actually in that vec, implying it should maybe instead just be two freestanding utility functions. If we want to actually have a useful struct, we should have some guarantees, eg check the hmac here. Again, probably not worth changing, just general advice.

[adi2011]

Ik this does not make any sense right now but that is because we haven't added channelmonitor serialisation logic which I will put up in the next PR, but if you feel we should check the HMAC here, we can do that but that would require us to add the key to this as well...

[adi2011]

I will shift the min_ciphertext_len check to this new() function.

[TheBlueMatt]

We're calling send_peer_storage from ChainMonitor, which doesn't have access to entropy_source to derive random_bytes. Is there any other way to generate random bytes?

We'll need to provide ChainMonitor with an EntropySource, sadly.

[tnull]

Thanks for adding nonce derivation! CI is unfortunately failing currently, but seems a ~unrelated flake: #3716

[tnull]

nit: While we're here, let's reindent the other params here so they align with the new one.

[adi2011]

Sure.

[tnull]

Let's avoid this overly long line: please move the arguments to variables before giving them to create_from_data

[adi2011]

Yes, that'd be cleaner, Thanks!

[tnull]

Same here and below: let's reindent the pre-existing args to align with the new one.

[adi2011]

Fixed...

[tnull]

As mentioned above, let's use an Hmac for this:

diff --git a/lightning/src/ln/our_peer_storage.rs b/lightning/src/ln/our_peer_storage.rs
index 1dc44ceea..349e29cb4 100644
--- a/lightning/src/ln/our_peer_storage.rs
+++ b/lightning/src/ln/our_peer_storage.rs
@@ -12,6 +12,7 @@
 //! transmission.
 //!
 use bitcoin::hashes::sha256::Hash as Sha256;
+use bitcoin::hashes::{Hmac, HmacEngine};
 use bitcoin::hashes::{Hash, HashEngine};

 use crate::sign::PeerStorageKey;
@@ -68,13 +69,12 @@ impl OurPeerStorage {

                let plaintext_len = ser_channels.len();

-               // Compute Sha256(Sha256(key) + random_bytes).
-               let mut sha = Sha256::engine();
-               sha.input(&key_hash.to_byte_array());
-               sha.input(&random_bytes);
+               // Compute Hmac(Sha256(key) + random_bytes).
+               let mut hmac = HmacEngine::<Sha256>::new(key_hash.as_byte_array());
+               hmac.input(&random_bytes);

                let mut nonce = [0u8; 12];
-               nonce[4..].copy_from_slice(&Sha256::from_engine(sha).to_byte_array()[0..8]);
+               nonce.copy_from_slice(&Hmac::from_engine(hmac).to_byte_array());

                let mut chacha = ChaCha20Poly1305RFC::new(&key.inner, &nonce, b"");
                let mut tag = [0; 16];

I think it would make sense to split nonce generation from random bytes and the key out to a helper method that you can simply reuse in decrypt_our_peer_storage.

Also, please add some unit test(s) below to ensure decrypting the encrypted messages actually works as expected.

[adi2011]

Thanks for the suggestion! I added the unit test and moved the nonce derivation into a helper function.

[tnull]

nit: Lets add this at the end of the constructor, just as the definition.

[adi2011]

Sure, thanks!

[tnull]

Might be worth leaving a comment here describing what 'send-only events' are.

[adi2011]

Added a short description to this.

[tnull]

nit: Let's link to NodeSigner::get_peer_storage_key here and include a link at the bottom, just like:

[`NodeSigner::get_peer_storage_key`]: crate::sign::NodeSigner::get_peer_storage_key

(also note the absence of ())

[adi2011]

Thanks for pointing this out.

[tnull]

nit: KeysManager, not KeyManager. Please also link these objects, which would have cargo doc complain about the mispelling, fwiw.

[adi2011]

Fixed, thanks!

[tnull]

I have to say I still find the OurPeerStorage::create_from_data API pretty confusing at this point, especially since OurPeerStorage is not expected to hold any state really and it could just be helper methods at this point. But I hope this will clear up in one of the upcoming PR(s).

[adi2011]

You can have a brief idea of how this would go: https://github.com/lightningdevkit/rust-lightning/pull/2943/files#diff-bc3c3cde415648f49633e54b572a14448e7611ea2b389796d732bc042218a4df

Although it could look completely different based on the reviews.

[tnull]

Thanks for adding this helper, though I don't think it should live on the OurPeerStorage struct as it doesn't require &self. Let's move it down and add it as a freestanding util method.

[tnull]

Huh, why? Why are we not filling the full 12 bytes of the nonce here?

[adi2011]

This: https://github.com/lightningdevkit/rust-lightning/blob/main/lightning/src/crypto/chacha20poly1305rfc.rs#L40

[tnull]

Hmm, right, I keep forgetting this limitation and keep getting confused by it. So fine to leave as is here, sorry for the noise.

That said, @TheBlueMatt could you shed some light on that (not very verbose) comment here? IIUC, at the time ChaCha20 couldn't handle 12-byte nonces? Or what is the diff to the RFC exactly? If there is no easy way to align the implementation, wouldn't it be safer if our ChaCha20Poly1305RFC implementation would simply accept a nonce: [u8; 8] and do the expected 0-padding instead of panicing on this undocumented requirement?

[tnull]

Seems this outdated as it's not returning a Vec<u8>?

[tnull]

s/Append/Prepend/

[adi2011]

Fixed

[tnull]

Please also test that failure cases results in errors, e.g., incorrect key, modifying the nonce, etc.

[adi2011]

Thanks for the suggestion, covered nonce derivation and key changes in the same test.

[adi2011]

@tnull Thank you so much for your patience and reviews on this.

If it looks good now, can I squash the fixups?

[tnull]

Looks good from my side, at least for now. Feel free to squash fixups!

I'm still not super happy with the OurPeerStorage API, tbh., but I'll suspend my doubts assuming that it will become clearer in the upcoming PRs.

[tnull]

@adi2011 Gentle ping here? We don't necessarily need to do this in this PR, but would love to hear your thoughts on it?

[tnull]

I still wonder if it wouldn't be easier/simpler to have decrypt_our_peer_storage be a constructor and just drop new? Or, we could even consider introducing two separate objects representing the decrypted/encrypted state, i.e., EncryptedPeerStorage and DecryptedPeerStorage and have respective method transition between them? But I guess it will become clear why that's not possible in the upcoming PRs, IIUC?

[tnull]

Hmm, not sure I'm fully following the API. Couldn't we have two separate objects, EncryptedPeerStorage and DecryptedPeerStorage that represent the two states that this could be in? Then, we could just transition between them? Alternatively, we could consider making OurPeerStorage an enum with Encrypted/Decrypted variants?

[tnull]

nit: End in .