Murisi/fix tx malleability #1607
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fraccaman
previously approved these changes
Jun 23, 2023
|
LGTM! this is more or less how I was thinking this problem could be fixed. We need better API to construct a tx but we can manage in another PR :) thanks! |
murisi
force-pushed
the
murisi/fix-tx-malleability
branch
from
d0f457e
to
ef34267
Compare
grarco
reviewed
Jun 25, 2023
core/src/proto/types.rs
Outdated
| @@ -1002,7 +1033,7 @@ impl Tx { | |||
| match &self.header.tx_type { | |||
| // verify signature and extract signed data | |||
| TxType::Wrapper(wrapper) => { | |||
| self.verify_signature(&wrapper.pk, &self.header_hash()) | |||
| self.verify_signature(&wrapper.pk, &[self.header_hash()]) | |||
There was a problem hiding this comment.
Should we validate the signature over the header and also all of the sections? I see that in sign_wrapper we initialize the vector of hashes with the header hash and then push the hashes of all the sections included in the tx. I imagined we would do the same here
There was a problem hiding this comment.
Good point, thanks. Currently we're just checking for a valid signature over the header, which indirectly implies a check that all sections targetted in the signature exist (i.e. haven't been removed or tampered with). But we should check that all sections in a transaction are signed over - this would prevent the addition of new sections to a transaction. Let me work on that.
…d renamed it to validate_tx.
murisi
force-pushed
the
murisi/fix-tx-malleability
branch
from
2519226
to
a3a8bbc
Compare
grarco
previously approved these changes
Jun 27, 2023
This was referenced Jul 2, 2023
Closed
tzemanovic
reviewed
Jul 3, 2023
| @@ -998,35 +1044,35 @@ impl Tx { | |||
| /// the Tx and verify it is of the appropriate form. This means | |||
| /// 1. The wrapper tx is indeed signed | |||
| /// 2. The signature is valid | |||
| pub fn validate_header(&self) -> std::result::Result<(), TxError> { | |||
| pub fn validate_tx( | |||
There was a problem hiding this comment.
the rustdoc on this is a bit outdated
tzemanovic
previously approved these changes
Jul 3, 2023
Fraccaman
added a commit
that referenced
this pull request
Jul 3, 2023
* origin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
Fraccaman
added a commit
that referenced
this pull request
Jul 3, 2023
…gin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
This was referenced Jul 4, 2023
Closed
Closed
Closed
Closed
brentstone
added a commit
that referenced
this pull request
Jul 5, 2023
* murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
Fraccaman
added a commit
that referenced
this pull request
Jul 6, 2023
* origin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
An attempt to fix the transaction malleability described at #1567 . The approach taken is as follows:
Vec<Hash>Additionally the signatures over data and code sections have now been combined to eliminate the possibility of the wrapper signer somehow changing the inner WASM code that is supposed to execute over the signed data in the inner transaction. That is, the inner transaction code and data are now bound together by a signature.