Skip to content

Validate channel_update signatures without holding a graph lock #3310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 24, 2024
Merged

Validate channel_update signatures without holding a graph lock #3310

merged 2 commits into from
Sep 24, 2024

Conversation

@TheBlueMatt
Copy link
Collaborator 

We often process many gossip messages in parallel across different
peer connections, making the `NetworkGraph` mutexes fairly
contention-sensitive (not to mention the potential that we want to
send a payment and need to find a path to do so).

Because we need to look up a node's public key to validate a
signature on `channel_update` messages, we always need to take a
`NetworkGraph::channels` lock before we can validate the message.

For simplicity, and to avoid taking a lock twice, we'd always
validated the `channel_update` signature while holding the same
lock, but here we address the contention issues by doing a
`channel_update` validation in three stages.

First we take a read lock on `NetworkGraph::channels` and check if
the `channel_update` is new, then release the lock and validate the
message signature, and finally take a write lock, (re-check if the
`channel_update` is new) and update the graph.

@TheBlueMatt
Refactor channel_update processing logic into local fns
0b7838b 
In the next commit we'll move to checking `channel_update`s in
three steps - first we check if the `channel_update` is new and the
latest for a channel, then we check the signature, and finally we
update our local state. This allows us to avoid holding a lock on
`NetworkGraph::channels` while validating the message signature.

Here we do a quick prefactor to make that simpler - moving the
validation logic of `channel_update` that we'll do in step one (and
repeat in step three) into a local function. We also take this
opportunity to do one static check unlocked which we had been doing
while holding a `channel` lock.
@codecov
Copy link

codecov bot commented Sep 12, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 94.28571% with 4 lines in your changes missing coverage. Please review.

Project coverage is 90.97%. Comparing base (db905e8) to head (131849f).
Report is 91 commits behind head on main.

Files with missing lines Patch % Lines
lightning/src/routing/gossip.rs 94.28% 1 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3310      +/-   ##
==========================================
+ Coverage   89.64%   90.97%   +1.32%     
==========================================
  Files         126      126              
  Lines      102251   112645   +10394     
  Branches   102251   112645   +10394     
==========================================
+ Hits        91666   102479   +10813     
+ Misses       7863     7576     -287     
+ Partials     2722     2590     -132
Flag Coverage Δ
90.97% <94.28%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tnull tnull self-requested a review September 12, 2024 10:14
jkczyz
jkczyz reviewed Sep 12, 2024
View reviewed changes
lightning/src/routing/gossip.rs
if msg.channel_flags & 1 == 1 {
if let Some(sig) = sig {
secp_verify_sig!(self.secp_ctx, &msg_hash, &sig, &PublicKey::from_slice(channel.node_two.as_slice()).map_err(|_| LightningError{
let node_pubkey;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

let node_pubkey = {
	// ...
};

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just find that hard to read across a long block...I know we do it a lot of places, was just trying to avoid it and try something new 🤷‍♂️

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, YMMV. Just seemed shorter after your change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least I didn't suggest a long chaining expression. 😉

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it affects legibility much, though consistency would favor @jkczyz's suggestion.

@arik-so
Copy link
Contributor

arik-so commented Sep 19, 2024

Looks good, feel free to squash the fixup.

@tnull tnull removed their request for review September 19, 2024 09:34
@TheBlueMatt
Validate channel_update signatures without holding a graph lock
131849f 
We often process many gossip messages in parallel across different
peer connections, making the `NetworkGraph` mutexes fairly
contention-sensitive (not to mention the potential that we want to
send a payment and need to find a path to do so).

Because we need to look up a node's public key to validate a
signature on `channel_update` messages, we always need to take a
`NetworkGraph::channels` lock before we can validate the message.

For simplicity, and to avoid taking a lock twice, we'd always
validated the `channel_update` signature while holding the same
lock, but here we address the contention issues by doing a
`channel_update` validation in three stages.

First we take a read lock on `NetworkGraph::channels` and check if
the `channel_update` is new, then release the lock and validate the
message signature, and finally take a write lock, (re-check if the
`channel_update` is new) and update the graph.
@TheBlueMatt
Copy link
Collaborator Author

Squashed.

@TheBlueMatt TheBlueMatt force-pushed the 2024-09-unlocked-checksig branch from 0325c14 to 131849f Compare September 23, 2024 03:48
@TheBlueMatt TheBlueMatt merged commit 23109b6 into lightningdevkit:main Sep 24, 2024
18 of 21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arik-so arik-so arik-so approved these changes

@jkczyz jkczyz jkczyz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TheBlueMatt @arik-so @jkczyz