Changelog-None: Currently, fuzz testing for b64_encode() merely
encodes input and frees the result, providing no real verification
of its behavior.
Introduce a new b64_decode() function (modeled after b32_decode())
and update the fuzz test to perform a roundtrip—encoding followed
by decoding—to ensure that b64_encode() correctly preserves the
original data.
This method has a similar purpose as "guesstoremote" but is for use when
the channel's database ID is known. It produces the private key that can
spend the to_remote output of the peer's commitment transaction. It
assumes the channel was negotiated with option_static_remotekey unless
the optional per-commitment point argument is provided.
Changelog-Added: hsmtool has a new `derivetoremote` method.
Make the payment secret field ('s') mandatory for BOLT11 payment requests,
implementing the requirement specified in BOLT11 spec PR #1242
(https://github.com/lightning/bolts/pull/1242).
This security enhancement prevents payment probing attacks by requiring
all invoices to include payment secrets. Changes include:
1. Adding validation in bolt11_decode_nosig() to reject invoices without
the 's' field
2. Adding payment secrets to all test vectors
3. Updating expected encoded values in test cases to include payment secrets
4. Adding a specific test case that verifies proper rejection of invoices
missing the payment secret field
Changelog-Changed: Made payment secret ('s' field) mandatory in BOLT11 payment requests for improved security.
These checks are a SHOULD, but implementing them helps avoid anyone
making such weird things in future.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Doesn't change anything for us, since we will already fulfull the incoming
HTLCs if we can, but good to note.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
They weren't formatted correctly for bolts/tools/extract-formats.py
until this commit, so we had to patch them in manually.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It was already disabled by Dusty due to a number conflict with splicing, and
the proposal probably needs updating to use quiescence now that is merged.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Changelog-EXPERIMENTAL: The non-functional `experimental-upgrade-protocol` config option.
Sangbida and I traced back through ancient history: when the pay plugin was introduced
in 0.9.0 (2019!) it already used the amount_msat parameter (then called `msatoshi`),
so this case effectively "never happens".
But we added a test for it just in case.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Sangbida asked some excellent questions, and rather than answer them once,
I decided to update this document appropriately. Could probably become
an entire video, TBH.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Changelog-Changed: Future release schedule moved one month: v25.05 is now v25.06, and all deprecations incremented accordingly.
With recent changes, particularly using postgres, we can finish the HTLC before
we force close, so the test fails. Insert an explicit hangup here so we reliably
get the result we expect:
```
@pytest.mark.parametrize("anchors", [False, True])
@unittest.skipIf(TEST_NETWORK != 'regtest', 'elementsd anchors not supportd')
def test_anchorspend_using_to_remote(node_factory, bitcoind, anchors):
"""Make sure we can use `to_remote` output of previous close to spend anchor"""
# Try with old output from both anchor and non-anchor channel.
l4_opts = {}
if anchors is False:
l4_opts['dev-force-features'] = "-23"
l1, l2, l3, l4 = node_factory.get_nodes(4, opts=[{},
{},
{'disconnect': ['-WIRE_UPDATE_FULFILL_HTLC']},
l4_opts])
# Give l2 some funds, from a to-remote output. It will have to spend
# this to use anchor.
node_factory.join_nodes([l4, l2])
# l4 unilaterally closes, l2 gets to-remote with its output.
l4.rpc.pay(l2.rpc.invoice(100000000, 'test', 'test')['bolt11'])
> wait_for(lambda: only_one(l4.rpc.listpeerchannels()['channels'])['htlcs'] != [])
tests/test_closing.py:4183:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
success = <function test_anchorspend_using_to_remote.<locals>.<lambda> at 0x7f8293e7fe20>
timeout = 180
def wait_for(success, timeout=TIMEOUT):
start_time = time.time()
interval = 0.25
while not success():
time_left = start_time + timeout - time.time()
if time_left <= 0:
> raise ValueError("Timeout while waiting for {}".format(success))
E ValueError: Timeout while waiting for <function test_anchorspend_using_to_remote.<locals>.<lambda> at 0x7f8293e7fe20>
```
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Apparently clboss gives us \u UTF codes. We don't support that (use UTF-8 directly)
```
126 ../sysdeps/x86_64/multiarch/strlen-vec.S: No such file or directory.
(gdb) bt
label=label@entry=0x63e2f9604db9 "char *[]") at ccan/ccan/tal/str/str.c:137
complete=complete@entry=0x7ffe9090b0f6, destroyed=destroyed@entry=0x7ffe9090b0f7) at lightningd/plugin.c:773
```
Reported-by: Ken Sedgwick
Fixes: #8338
Changelog-None: broken in this release
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Checking a signature is a CPU-intensive operation that should be performed only
if gossmap doesn't already have the channel announcement in question and we're
not already checking for the announcement's UTxO.
Changelog-Fixed: `gossipd` doesn't waste CPU cycles checking signatures on channel announcements that are already known
Issue: https://github.com/ElementsProject/lightning/issues/7972
Ubuntu 20.04 reached its end-of-life (EOL) on April 15, 2025, and GitHub Actions subsequently removed the Ubuntu 20.04 LTS runner. As a result, we must upgrade all workflow runners to at least Ubuntu 22.04. Currently, this update has only been applied to pypi.yml for core-lightning.
Changelog-None.
The reproducible build is currently failing on Ubuntu Noble, causing the daily `Repro Build Nightly` GitHub action to fail and triggering email notifications.
This update resolves the issue by adjusting the default sqlite3 version and checksums to match the packages now available in Noble, allowing the image to build successfully.
Changelog-None.
We asserted that a node would be connected, but now we always call the
chanbackup peer_connected hook, it might not be that fast:
```
2025-05-17T08:37:58.7193306Z def test_funding_fail(node_factory, bitcoind):
...
2025-05-17T08:37:58.7204037Z # Restart l2 without ridiculous locktime.
2025-05-17T08:37:58.7204546Z del l2.daemon.opts['watchtime-blocks']
2025-05-17T08:37:58.7204990Z l2.restart()
2025-05-17T08:37:58.7206578Z l1.rpc.connect(l2.info['id'], 'localhost', l2.port)
2025-05-17T08:37:58.7207072Z
2025-05-17T08:37:58.7207522Z # We don't have enough left to cover fees if we try to spend it all.
2025-05-17T08:37:58.7208203Z with pytest.raises(RpcError, match=r'not afford'):
2025-05-17T08:37:58.7208761Z l1.rpc.fundchannel(l2.info['id'], funds)
2025-05-17T08:37:58.7209203Z
2025-05-17T08:37:58.7209598Z # Should still be connected (we didn't contact the peer)
2025-05-17T08:37:58.7210243Z assert only_one(l1.rpc.listpeers()['peers'])['connected']
2025-05-17T08:37:58.7210875Z l2.daemon.wait_for_log('Handed peer, entering loop')
2025-05-17T08:37:58.7211439Z > assert only_one(l2.rpc.listpeers()['peers'])['connected']
2025-05-17T08:37:58.7211912Z E assert False
```
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It can definitely happen (it's not dead yet):
```
2025-05-17T08:44:48.9829150Z lightningd-2 2025-05-17T08:36:43.597Z **BROKEN** 0266e4598d1d3c415f572a8488830b60f7e744ed9235eb0b1ba93283b315c03518-chan#3: gossipd gave channel_update in CGOSSIP_CHANNEL_ANNOUNCED_DYING? update=01027cf5d46590c45eb608a7e07a7b123c998ac12a655ce11004c9d9bb59f83698e8760d7b992df0dcf925f6732503de55d596aadaa35f0a8837cee58e0769172d2a06226e46111a0b59caaf126043eb5bbf28c34f3a5e332a1fc7b2b73cf188910f00006f00000100006828493f010200060000000000000000000000010000000a000000003b023380
```
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We picked one node and iterated. This means we would only sent to 1,
not 2 nodes if we picked the last (common if there were only a few
peers). But it also means we would generally send to the same pair of
nodes, which isn't great for redundancy.
Rework to be more random.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Now we've make it only on existing channels, and not have to call
listdatastore every time, that means we can safely turn it on by
default.
Changelog-Added: Protocol: we now offer peer storage to any peers who create a channel.
Changelog-Deprecated: Config: `--experimental-peer-storage` (it's now the default).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
