Additional safety checks in PSBT signer #13917
Excellent! Thanks for tightening PSBT! Concept ACK
Note to reviewers: This pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
src/wallet/rpcwallet.cpp
input.non_witness_utxo = nullptr; | ||
} else { | ||
input.witness_utxo.SetNull(); | ||
if (from_wallet) { |
Commit "Only wipe wrong UTXO type data if overwritten by wallet"
Suggestion, either reuse above condition if (it != pwallet->mapWallet.end())
or above do:
const bool from_wallet = it != pwallet->mapWallet.end();
if (from_wallet) {
...
}
Done.
CTxOut utxo; | ||
if (input.non_witness_utxo) { | ||
// If we're taking our information from a non-witness UTXO, verify that it matches the prevout. |
Commit "Additional sanity checks in SignPSBTInput"
nit, could reflow comments.
I think they're fine.
utACK. Here is a commit with some more test cases: achow101@9f110e1. It tests for non-matching redeem scripts with both witness and non-witness utxos and non-matching witness scripts (for witness utxo only).
1b44970 to 2bc1296
utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6
if (input.non_witness_utxo->GetHash() != tx.vin[index].prevout.hash) return false; | ||
// If both witness and non-witness UTXO are provided, verify that they match. This check shouldn't | ||
// matter, as the PSBT deserializer enforces only one of both is provided, and the only way both | ||
// can be present is when they're added simultaneously by FillPSBT (in which case they always match). |
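Review bot: In the line "if (input.non_witness_utxo->GetHash() != tx.vin[index].prevout.hash) return false;" only the txid is compared, and nothing in the visible lines shows that index is within tx.vin or that prevout.n is within the outputs of non_witness_utxo. If the code that follows reads that output, add an explicit range check that returns false on failure. The wording "This check shouldn't matter" also invites a later reader to drop the check; state it as a requirement on the signer rather than explaining why it is redundant given the deserializer and FillPSBT.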
Is this comment based on the BIP/spec or implementation? What about other implementations that may not do what FillPSBT does in Bitcoin Core? I understand that the check is done anyway, but the comment sounds like it could be skipped due to an implementation detail, which sounds error-prone.
@achow101 just opened a PR that adds the actual requirements to test for to BIP 174, including a simple implementation in pseudocode that implements it.
utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6
Perhaps unrelated, but either
2bc1296 to 5df6f08
Rebased after #13666.
re-utACK
re-utACK 5df6f08
utACK 5df6f08
GitHub-Pull: bitcoin#13917 Rebased-From: 8254e99
GitHub-Pull: bitcoin#13917 Rebased-From: c05712c
GitHub-Pull: bitcoin#13917 Rebased-From: 7c8bffd
GitHub-Pull: bitcoin#13917 Rebased-From: 5df6f08
Will be backported in #13976
0333914 More tests of signer checks (Andrew Chow)
8935869 Test that a non-witness script as witness utxo is not signed (Andrew Chow)
dbaadc9 Only wipe wrong UTXO type data if overwritten by wallet (Pieter Wuille)
ad6d845 Additional sanity checks in SignPSBTInput (Pieter Wuille)
517010e Serialize non-witness utxo as a non-witness tx but always deserialize as witness (Andrew Chow)
8c4cd2b Fix PSBT deserialization of 0-input transactions (Andrew Chow)
Pull request description: Backports #13917 and #13960 to the 0.17 branch.
Tree-SHA512: b3853aff2a13a53aa0a390b6b4b0c539f0ef0d42f2c517e956efd0b135c74c4ddce6a1d00700849a58c696824fa95951d8cac6ca58b426e8dfcb8bb62f680b7c
The current PSBT signing code can end up producing a non-segwit signature, while only the UTXO being spent is provided in the PSBT (as opposed to the entire transaction being spent). This may be used to trick a user into incorrectly deciding a transaction has the semantics he intends to sign.
Fix this by refusing to sign if there is any mismatch between the provided data and what is being signed.
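The rule in the description above (refuse to sign on any mismatch between the provided data and what is being signed), modelled as an added example; this is not code from the pull request or from Bitcoin Core. The types, the Check enum and CheckInput are hypothetical simplifications, txids are plain strings, and only native segwit outputs are recognised (the P2SH-wrapped case, which also needs the redeem script hash check, is left out).

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-ins for illustration (hypothetical types, not Bitcoin Core's classes).
struct TxOut {
    int64_t value;
    std::vector<uint8_t> script_pubkey;
    bool operator==(const TxOut& o) const { return value == o.value && script_pubkey == o.script_pubkey; }
};
struct PrevTx { std::string txid; std::vector<TxOut> vout; };
struct OutPoint { std::string txid; uint32_t n; };
struct PsbtInput { const PrevTx* non_witness_utxo; const TxOut* witness_utxo; };

enum class Check { Ok, TxidMismatch, BadIndex, UtxoMismatch, NotSegwit, NoUtxo };

// BIP 141 witness program: 4 to 42 bytes, a version opcode (OP_0 or OP_1..OP_16),
// then a single push that covers the rest of the script.
bool IsWitnessProgram(const std::vector<uint8_t>& s) {
    if (s.size() < 4 || s.size() > 42) return false;
    if (s[0] != 0x00 && (s[0] < 0x51 || s[0] > 0x60)) return false;
    return static_cast<size_t>(s[1]) + 2 == s.size();
}

// Refuse to sign unless the supplied UTXO data matches the input being spent.
Check CheckInput(const PsbtInput& in, const OutPoint& prevout) {
    if (in.non_witness_utxo) {
        const PrevTx& prev = *in.non_witness_utxo;
        if (prev.txid != prevout.txid) return Check::TxidMismatch;  // wrong previous tx
        if (prevout.n >= prev.vout.size()) return Check::BadIndex;  // output does not exist
        if (in.witness_utxo && !(prev.vout[prevout.n] == *in.witness_utxo)) return Check::UtxoMismatch;
        return Check::Ok;
    }
    if (!in.witness_utxo) return Check::NoUtxo;
    // Only the output was supplied, so it cannot be checked against the prevout txid;
    // accept it only when the spend is segwit.
    return IsWitnessProgram(in.witness_utxo->script_pubkey) ? Check::Ok : Check::NotSegwit;
}

int main() {
    // Constructed sample: a 25-byte non-witness script offered as a witness UTXO.
    TxOut legacy{50000, std::vector<uint8_t>(25, 0x76)};
    PsbtInput in{nullptr, &legacy};
    std::printf("%s\n", CheckInput(in, OutPoint{"aa", 0}) == Check::NotSegwit ? "refused" : "signed");
    return 0;
}
```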