Additional safety checks in PSBT signer #13917
Conversation
|
Excellent! Thanks for tightening PSBT! Concept ACK |
Note to reviewers: This pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
src/wallet/rpcwallet.cpp
Outdated
| input.non_witness_utxo = nullptr; | ||
| } else { | ||
| input.witness_utxo.SetNull(); | ||
| if (from_wallet) { |
There was a problem hiding this comment.
Commit "Only wipe wrong UTXO type data if overwritten by wallet"
Suggestion, either reuse above condition if (it != pwallet->mapWallet.end())or above do:
const bool from_wallet = it != pwallet->mapWallet.end();
if (from_wallet) {
...
}| CTxOut utxo; | ||
| if (input.non_witness_utxo) { | ||
| // If we're taking our information from a non-witness UTXO, verify that it matches the prevout. |
There was a problem hiding this comment.
Commit "Additional sanity checks in SignPSBTInput"
nit, could reflow comments.
|
utACK Here is a commit with some more test cases: achow101@9f110e1. It tests for non-matching redeem scripts with both witness and non-witness utxos and non-matching witness scripts (for witness utxo only) |
sipa
force-pushed
the
201808_psbtsafesign
branch
from
1b44970
to
2bc1296
Compare
| if (input.non_witness_utxo->GetHash() != tx.vin[index].prevout.hash) return false; | ||
| // If both witness and non-witness UTXO are provided, verify that they match. This check shouldn't | ||
| // matter, as the PSBT deserializer enforces only one of both is provided, and the only way both | ||
| // can be present is when they're added simultaneously by FillPSBT (in which case they always match). |
There was a problem hiding this comment.
Is this comment based on the BIP/spec or implementation? What about other implementations that may not do what FillPSBT does in Bitcoin Core? I understand that the check is done anyway, but the comment sounds like it could be skipped due to an implementation detail, which sounds error-prone.
There was a problem hiding this comment.
@achow101 just opened a PR that adds the actual requirements to test for to BIP 174, including a simple implementation in pseudocode that implements it.
|
utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6 |
|
Perhaps unrelated, but either |
sipa
force-pushed
the
201808_psbtsafesign
branch
from
2bc1296
to
5df6f08
Compare
|
Rebased after #13666. |
|
re-utACK |
|
re-utACK 5df6f08 |
|
utACK 5df6f08 |
GitHub-Pull: bitcoin#13917 Rebased-From: 8254e99
GitHub-Pull: bitcoin#13917 Rebased-From: c05712c
GitHub-Pull: bitcoin#13917 Rebased-From: 7c8bffd
GitHub-Pull: bitcoin#13917 Rebased-From: 5df6f08
|
Will be backported in #13976 |
0333914 More tests of signer checks (Andrew Chow) 8935869 Test that a non-witness script as witness utxo is not signed (Andrew Chow) dbaadc9 Only wipe wrong UTXO type data if overwritten by wallet (Pieter Wuille) ad6d845 Additional sanity checks in SignPSBTInput (Pieter Wuille) 517010e Serialize non-witness utxo as a non-witness tx but always deserialize as witness (Andrew Chow) 8c4cd2b Fix PSBT deserialization of 0-input transactions (Andrew Chow) Pull request description: Backports #13917 and #13960 to the 0.17 branch. Tree-SHA512: b3853aff2a13a53aa0a390b6b4b0c539f0ef0d42f2c517e956efd0b135c74c4ddce6a1d00700849a58c696824fa95951d8cac6ca58b426e8dfcb8bb62f680b7c
GitHub-Pull: bitcoin#13917 Rebased-From: 8254e99
GitHub-Pull: bitcoin#13917 Rebased-From: c05712c
GitHub-Pull: bitcoin#13917 Rebased-From: 7c8bffd
GitHub-Pull: bitcoin#13917 Rebased-From: 5df6f08
The current PSBT signing code can end up producing a non-segwit signature, while only the UTXO being spent is provided in the PSBT (as opposed to the entire transaction being spent). This may be used to trick a user to incorrectly decide a transaction has the semantics he intends to sign.
Fix this by refusing to sign if there is any mismatch between the provided data and what is being signed.