lsps0: Fix LSPSDateTime::duration_since to saturate at zero on clock skew

f3r10 · f3r10 · commit cbeb36c307b8 · 2026-05-22T11:37:57.000-05:00
Replace abs_diff with a saturating subtraction so that duration_since
returns Duration::ZERO when the reference timestamp is in the apparent
future (e.g. due to clock skew or monotonicity violations). Callers
using the result as an age — prune_terminal_orders (LSPS1),
prune_terminal_channels (LSPS2), and the stale-webhook and cooldown
checks (LSPS5) — no longer risk spuriously large values triggering
premature pruning or incorrect cooldown expiry.

Two unit tests are added to document the contract.
diff --git a/lightning-liquidity/src/lsps0/ser.rs b/lightning-liquidity/src/lsps0/ser.rs
@@ -256,10 +256,14 @@ impl LSPSDateTime {
 		now_seconds_since_epoch > datetime_seconds_since_epoch
 	}
 
-	/// Returns the absolute difference between two datetimes as a `Duration`.
+	/// Returns how long ago `other` occurred relative to `self`, saturating at zero.
+	///
+	/// Returns [`Duration::ZERO`] when `self <= other` (e.g. clock skew pushed `other` into
+	/// the apparent future), so callers treating the result as an age never get a spuriously
+	/// large value.
 	pub fn duration_since(&self, other: &Self) -> Duration {
-		let diff_secs = self.0.timestamp().abs_diff(other.0.timestamp());
-		Duration::from_secs(diff_secs)
+		let diff_secs = self.0.timestamp().saturating_sub(other.0.timestamp());
+		Duration::from_secs(diff_secs.max(0) as u64)
 	}
 
 	/// Returns the time in seconds since the unix epoch.
@@ -981,4 +985,20 @@ mod tests {
 		let decoded_datetime: LSPSDateTime = Readable::read(&mut Cursor::new(buf)).unwrap();
 		assert_eq!(expected_datetime, decoded_datetime);
 	}
+
+	#[test]
+	fn datetime_duration_since_normal() {
+		let earlier = LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap();
+		let later = LSPSDateTime::from_str("2024-01-01T01:00:00Z").unwrap();
+		assert_eq!(later.duration_since(&earlier), Duration::from_secs(3600));
+	}
+
+	#[test]
+	fn datetime_duration_since_clock_skew_saturates_to_zero() {
+		// When `other` is in the apparent future relative to `self` (clock skew),
+		// duration_since must return Duration::ZERO rather than an erroneously large value.
+		let earlier = LSPSDateTime::from_str("2024-01-01T00:00:00Z").unwrap();
+		let later = LSPSDateTime::from_str("2024-01-01T01:00:00Z").unwrap();
+		assert_eq!(earlier.duration_since(&later), Duration::ZERO);
+	}
 }
