Implement the option_simple_close protocol

We introduce a new `NEGOTIATING_SIMPLE` state where we exchange the
`closing_complete` and `closing_sig` messages, and allow RBF-ing previous
transactions and updating our closing script.

We stay in that state until one of the transactions confirms, or a force
close is detected. This is important to ensure we're able to correctly
reconnect and negotiate RBF candidates.

We keep this separate from the previous `NEGOTIATING` state to make it
easier to remove support for the older mutual close protocols once we're
confident the network has been upgraded.

docs/release-notes/eclair-vnext.md

@@ -4,7 +4,17 @@
 
 ## Major changes
 
-<insert changes>
+### Simplified mutual close
+
+This release includes support for the latest [mutual close protocol](https://github.com/lightning/bolts/pull/1096).
+This protocol allows both channel participants to decide exactly how much fees they're willing to pay to close the channel.
+Each participant obtains a channel closing transaction where they are paying the fees.
+
+Once closing transactions are broadcast, they can be RBF-ed by calling the `close` RPC again with a higher feerate:
+
+```sh
+./eclair-cli close --channelId=<channel_id> --preferredFeerateSatByte=<rbf_feerate>
+```
 
 ### Peer storage
 

eclair-core/src/main/scala/fr/acinq/eclair/balance/CheckBalance.scala

@@ -213,6 +213,7 @@ object CheckBalance {
         case (r, d: DATA_NORMAL) => r.modify(_.normal).using(updateMainAndHtlcBalance(d.commitments, knownPreimages))
         case (r, d: DATA_SHUTDOWN) => r.modify(_.shutdown).using(updateMainAndHtlcBalance(d.commitments, knownPreimages))
         case (r, d: DATA_NEGOTIATING) => r.modify(_.negotiating).using(updateMainBalance(d.commitments.latest.localCommit))
+        case (r, d: DATA_NEGOTIATING_SIMPLE) => r.modify(_.negotiating).using(updateMainBalance(d.commitments.latest.localCommit))
         case (r, d: DATA_CLOSING) =>
           Closing.isClosingTypeAlreadyKnown(d) match {
             case None if d.mutualClosePublished.nonEmpty && d.localCommitPublished.isEmpty && d.remoteCommitPublished.isEmpty && d.nextRemoteCommitPublished.isEmpty && d.revokedCommitPublished.isEmpty =>

eclair-core/src/main/scala/fr/acinq/eclair/channel/ChannelData.scala

@@ -72,6 +72,7 @@ case object WAIT_FOR_DUAL_FUNDING_READY extends ChannelState
 case object NORMAL extends ChannelState
 case object SHUTDOWN extends ChannelState
 case object NEGOTIATING extends ChannelState
+case object NEGOTIATING_SIMPLE extends ChannelState
 case object CLOSING extends ChannelState
 case object CLOSED extends ChannelState
 case object OFFLINE extends ChannelState
@@ -653,6 +654,16 @@ final case class DATA_NEGOTIATING(commitments: Commitments,
   require(closingTxProposed.nonEmpty, "there must always be a list for the current negotiation")
   require(!commitments.params.localParams.paysClosingFees || closingTxProposed.forall(_.nonEmpty), "initiator must have at least one closing signature for every negotiation attempt because it initiates the closing")
 }
+final case class DATA_NEGOTIATING_SIMPLE(commitments: Commitments,
+                                         lastClosingFeerate: FeeratePerKw,
+                                         localScriptPubKey: ByteVector, remoteScriptPubKey: ByteVector,
+                                         // Closing transactions we created, where we pay the fees (unsigned).
+                                         proposedClosingTxs: List[ClosingTxs],
+                                         // Closing transactions we published: this contains our local transactions for
+                                         // which they sent a signature, and their closing transactions that we signed.
+                                         publishedClosingTxs: List[ClosingTx]) extends ChannelDataWithCommitments {
+  def findClosingTx(tx: Transaction): Option[ClosingTx] = publishedClosingTxs.find(_.tx.txid == tx.txid).orElse(proposedClosingTxs.flatMap(_.all).find(_.tx.txid == tx.txid))
+}
 final case class DATA_CLOSING(commitments: Commitments,
                               waitingSince: BlockHeight, // how long since we initiated the closing
                               finalScriptPubKey: ByteVector, // where to send all on-chain funds

eclair-core/src/main/scala/fr/acinq/eclair/channel/ChannelExceptions.scala

@@ -116,7 +116,10 @@ case class FeerateTooDifferent                     (override val channelId: Byte
 case class InvalidAnnouncementSignatures           (override val channelId: ByteVector32, annSigs: AnnouncementSignatures) extends ChannelException(channelId, s"invalid announcement signatures: $annSigs")
 case class InvalidCommitmentSignature              (override val channelId: ByteVector32, fundingTxId: TxId, fundingTxIndex: Long, unsignedCommitTx: Transaction) extends ChannelException(channelId, s"invalid commitment signature: fundingTxId=$fundingTxId fundingTxIndex=$fundingTxIndex commitTxId=${unsignedCommitTx.txid} commitTx=$unsignedCommitTx")
 case class InvalidHtlcSignature                    (override val channelId: ByteVector32, txId: TxId) extends ChannelException(channelId, s"invalid htlc signature: txId=$txId")
+case class CannotGenerateClosingTx                 (override val channelId: ByteVector32) extends ChannelException(channelId, "failed to generate closing transaction: all outputs are trimmed")
+case class MissingCloseSignature                   (override val channelId: ByteVector32) extends ChannelException(channelId, "closing_complete is missing a signature for a closing transaction including our output")
 case class InvalidCloseSignature                   (override val channelId: ByteVector32, txId: TxId) extends ChannelException(channelId, s"invalid close signature: txId=$txId")
+case class InvalidCloseeScript                     (override val channelId: ByteVector32, received: ByteVector, expected: ByteVector) extends ChannelException(channelId, s"invalid closee script used in closing_complete: our latest script is $expected, you're using $received")
 case class InvalidCloseAmountBelowDust             (override val channelId: ByteVector32, txId: TxId) extends ChannelException(channelId, s"invalid closing tx: some outputs are below dust: txId=$txId")
 case class CommitSigCountMismatch                  (override val channelId: ByteVector32, expected: Int, actual: Int) extends ChannelException(channelId, s"commit sig count mismatch: expected=$expected actual=$actual")
 case class HtlcSigCountMismatch                    (override val channelId: ByteVector32, expected: Int, actual: Int) extends ChannelException(channelId, s"htlc sig count mismatch: expected=$expected actual=$actual")

eclair-core/src/main/scala/fr/acinq/eclair/channel/Helpers.scala

@@ -59,6 +59,7 @@ object Helpers {
       case d: DATA_NORMAL => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
       case d: DATA_SHUTDOWN => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
       case d: DATA_NEGOTIATING => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
+      case d: DATA_NEGOTIATING_SIMPLE => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
       case d: DATA_CLOSING => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
       case d: DATA_WAIT_FOR_REMOTE_PUBLISH_FUTURE_COMMITMENT => d.modify(_.commitments.params).using(_.updateFeatures(localInit, remoteInit))
     }
@@ -713,6 +714,96 @@ object Helpers {
         }
       }
 
+      /** We are the closer: we sign closing transactions for which we pay the fees. */
+      def makeSimpleClosingTx(currentBlockHeight: BlockHeight, keyManager: ChannelKeyManager, commitment: FullCommitment, localScriptPubkey: ByteVector, remoteScriptPubkey: ByteVector, feerate: FeeratePerKw): Either[ChannelException, (ClosingTxs, ClosingComplete)] = {
+        // We must convert the feerate to a fee: we must build dummy transactions to compute their weight.
+        val closingFee = {
+          val dummyClosingTxs = Transactions.makeSimpleClosingTxs(commitment.commitInput, commitment.localCommit.spec, SimpleClosingTxFee.PaidByUs(0 sat), currentBlockHeight.toLong, localScriptPubkey, remoteScriptPubkey)
+          dummyClosingTxs.preferred_opt match {
+            case Some(dummyTx) =>
+              val dummySignedTx = Transactions.addSigs(dummyTx, Transactions.PlaceHolderPubKey, Transactions.PlaceHolderPubKey, Transactions.PlaceHolderSig, Transactions.PlaceHolderSig)
+              SimpleClosingTxFee.PaidByUs(Transactions.weight2fee(feerate, dummySignedTx.tx.weight()))
+            case None => return Left(CannotGenerateClosingTx(commitment.channelId))
+          }
+        }
+        // Now that we know the fee we're ready to pay, we can create our closing transactions.
+        val closingTxs = Transactions.makeSimpleClosingTxs(commitment.commitInput, commitment.localCommit.spec, closingFee, currentBlockHeight.toLong, localScriptPubkey, remoteScriptPubkey)
+        // The actual fee we're paying will be bigger than the one we previously computed if we omit our output.
+        val actualFee = closingTxs.preferred_opt match {
+          case Some(closingTx) if closingTx.fee > 0.sat => closingTx.fee
+          case _ => return Left(CannotGenerateClosingTx(commitment.channelId))
+        }
+        val localFundingPubKey = keyManager.fundingPublicKey(commitment.localParams.fundingKeyPath, commitment.fundingTxIndex)
+        val closingComplete = ClosingComplete(commitment.channelId, localScriptPubkey, remoteScriptPubkey, actualFee, currentBlockHeight.toLong, TlvStream(Set(
+          closingTxs.localAndRemote_opt.map(tx => ClosingTlv.CloserAndCloseeOutputs(keyManager.sign(tx, localFundingPubKey, TxOwner.Local, commitment.params.commitmentFormat))),
+          closingTxs.localOnly_opt.map(tx => ClosingTlv.CloserOutputOnly(keyManager.sign(tx, localFundingPubKey, TxOwner.Local, commitment.params.commitmentFormat))),
+          closingTxs.remoteOnly_opt.map(tx => ClosingTlv.CloseeOutputOnly(keyManager.sign(tx, localFundingPubKey, TxOwner.Local, commitment.params.commitmentFormat))),
+        ).flatten[ClosingTlv]))
+        Right(closingTxs, closingComplete)
+      }
+
+      /**
+       * We are the closee: we choose one of the closer's transactions and sign it back.
+       *
+       * Callers should ignore failures: since the protocol is fully asynchronous, failures here simply mean that they
+       * are not using our latest script (race condition between our closing_complete and theirs).
+       */
+      def signSimpleClosingTx(keyManager: ChannelKeyManager, commitment: FullCommitment, localScriptPubkey: ByteVector, remoteScriptPubkey: ByteVector, closingComplete: ClosingComplete): Either[ChannelException, (ClosingTx, ClosingSig)] = {
+        val closingFee = SimpleClosingTxFee.PaidByThem(closingComplete.fees)
+        val closingTxs = Transactions.makeSimpleClosingTxs(commitment.commitInput, commitment.localCommit.spec, closingFee, closingComplete.lockTime, localScriptPubkey, remoteScriptPubkey)
+        // If our output isn't dust, they must provide a signature for a transaction that includes it.
+        // Note that we're the closee, so we look for signatures including the closee output.
+        (closingTxs.localAndRemote_opt, closingTxs.localOnly_opt) match {
+          case (Some(_), Some(_)) if closingComplete.closerAndCloseeOutputsSig_opt.isEmpty && closingComplete.closeeOutputOnlySig_opt.isEmpty => return Left(MissingCloseSignature(commitment.channelId))
+          case (Some(_), None) if closingComplete.closerAndCloseeOutputsSig_opt.isEmpty => return Left(MissingCloseSignature(commitment.channelId))
+          case (None, Some(_)) if closingComplete.closeeOutputOnlySig_opt.isEmpty => return Left(MissingCloseSignature(commitment.channelId))
+          case _ => ()
+        }
+        // We choose the closing signature that matches our preferred closing transaction.
+        val closingTxsWithSigs = Seq(
+          closingComplete.closerAndCloseeOutputsSig_opt.flatMap(remoteSig => closingTxs.localAndRemote_opt.map(tx => (tx, remoteSig, localSig => ClosingTlv.CloserAndCloseeOutputs(localSig)))),
+          closingComplete.closeeOutputOnlySig_opt.flatMap(remoteSig => closingTxs.localOnly_opt.map(tx => (tx, remoteSig, localSig => ClosingTlv.CloseeOutputOnly(localSig)))),
+          closingComplete.closerOutputOnlySig_opt.flatMap(remoteSig => closingTxs.remoteOnly_opt.map(tx => (tx, remoteSig, localSig => ClosingTlv.CloserOutputOnly(localSig)))),
+        ).flatten
+        closingTxsWithSigs.headOption match {
+          case Some((closingTx, remoteSig, sigToTlv)) =>
+            val localFundingPubKey = keyManager.fundingPublicKey(commitment.localParams.fundingKeyPath, commitment.fundingTxIndex)
+            val localSig = keyManager.sign(closingTx, localFundingPubKey, TxOwner.Local, commitment.params.commitmentFormat)
+            val signedClosingTx = Transactions.addSigs(closingTx, localFundingPubKey.publicKey, commitment.remoteFundingPubKey, localSig, remoteSig)
+            Transactions.checkSpendable(signedClosingTx) match {
+              case Failure(_) => Left(InvalidCloseSignature(commitment.channelId, signedClosingTx.tx.txid))
+              case Success(_) => Right(signedClosingTx, ClosingSig(commitment.channelId, remoteScriptPubkey, localScriptPubkey, closingComplete.fees, closingComplete.lockTime, TlvStream(sigToTlv(localSig))))
+            }
+          case None => Left(MissingCloseSignature(commitment.channelId))
+        }
+      }
+
+      /**
+       * We are the closer: they sent us their signature so we should now have a fully signed closing transaction.
+       *
+       * Callers should ignore failures: since the protocol is fully asynchronous, failures here simply mean that we
+       * sent another closing_complete before receiving their closing_sig, which is now obsolete: we ignore it and wait
+       * for their next closing_sig that will match our latest closing_complete.
+       */
+      def receiveSimpleClosingSig(keyManager: ChannelKeyManager, commitment: FullCommitment, closingTxs: ClosingTxs, closingSig: ClosingSig): Either[ChannelException, ClosingTx] = {
+        val closingTxsWithSig = Seq(
+          closingSig.closerAndCloseeOutputsSig_opt.flatMap(sig => closingTxs.localAndRemote_opt.map(tx => (tx, sig))),
+          closingSig.closerOutputOnlySig_opt.flatMap(sig => closingTxs.localOnly_opt.map(tx => (tx, sig))),
+          closingSig.closeeOutputOnlySig_opt.flatMap(sig => closingTxs.remoteOnly_opt.map(tx => (tx, sig))),
+        ).flatten
+        closingTxsWithSig.headOption match {
+          case Some((closingTx, remoteSig)) =>
+            val localFundingPubKey = keyManager.fundingPublicKey(commitment.localParams.fundingKeyPath, commitment.fundingTxIndex)
+            val localSig = keyManager.sign(closingTx, localFundingPubKey, TxOwner.Local, commitment.params.commitmentFormat)
+            val signedClosingTx = Transactions.addSigs(closingTx, localFundingPubKey.publicKey, commitment.remoteFundingPubKey, localSig, remoteSig)
+            Transactions.checkSpendable(signedClosingTx) match {
+              case Failure(_) => Left(InvalidCloseSignature(commitment.channelId, signedClosingTx.tx.txid))
+              case Success(_) => Right(signedClosingTx)
+            }
+          case None => Left(MissingCloseSignature(commitment.channelId))
+        }
+      }
+
       /**
        * Check that all closing outputs are above bitcoin's dust limit for their script type, otherwise there is a risk
        * that the closing transaction will not be relayed to miners' mempool and will not confirm.