Skip to content

fix: Mark the gossip keys from the message as verified, not the ones from the db #5247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 6, 2024
Merged

fix: Mark the gossip keys from the message as verified, not the ones from the db #5247

merged 1 commit into from
Feb 6, 2024

Conversation

@Hocuri
Copy link
Collaborator

@Hocuri Hocuri commented Feb 3, 2024
edited
Loading

I don't think it's feasible to write a test for this.

Hocuri
Hocuri commented Feb 3, 2024
View reviewed changes
src/peerstate.rs
&mut self,
which_key: PeerstateKeyType,
key: SignedPublicKey,
fingerprint: Fingerprint,
Copy link
Collaborator Author

@Hocuri Hocuri Feb 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not completely sure whether we still need the fingerprint parameter. We could also remove it and unconditionally set the verified_key - I can't come up with a scenario where this would be a problem, but also I'm not sure I thought of every possible scenario.

Copy link
Collaborator

@iequidoo iequidoo Feb 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's still needed -- see the verify_sender_by_fingerprint() call for Alice in the Steps 5+6 in "Setup verified contact" protocol section, in that case the fingerprint must be taken from the Secure-Join-Fingerprint header

Copy link
Collaborator Author

@Hocuri Hocuri Feb 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since verify_sender_by_fingerprint() first loads the key with this fingerprint and only then calls set_verified(), I don't think that this particular usage of set_verified() requires the fingerprint parameter?

Copy link
Collaborator

@iequidoo iequidoo Feb 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, i didn't noticed -- verify_sender_by_fingerprint() already checks the fingerprint on its own:

.filter(|&fp| fp == fingerprint)

Looks like this parameter indeed can be removed, but mark_peer_as_verified() must check then that the fingerprint is a public key fingerprint of the peer.

@Hocuri Hocuri force-pushed the hoc/fix-verifying-gossip-keys branch from 4017193 to bb2d421 Compare February 3, 2024 16:04
iequidoo
iequidoo approved these changes Feb 3, 2024
View reviewed changes
src/peerstate.rs
&mut self,
which_key: PeerstateKeyType,
key: SignedPublicKey,
fingerprint: Fingerprint,
Copy link
Collaborator

@iequidoo iequidoo Feb 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's still needed -- see the verify_sender_by_fingerprint() call for Alice in the Steps 5+6 in "Setup verified contact" protocol section, in that case the fingerprint must be taken from the Secure-Join-Fingerprint header

@Hocuri Hocuri force-pushed the hoc/fix-verifying-gossip-keys branch from bb2d421 to d33de5d Compare February 4, 2024 10:26
@Hocuri
fix: Mark the gossip keys from the message as verified, not the ones …
4bf08b6 
…from the db

Previously, `set_verified()` loaded the gossip key from the database and
then set it as verified. Now, if, for some reason, the database doesn't
contain the key that was just gossiped with the incoming message,
then we'll mark the wrong key as verified ("gossip key injection").

Instead, remember the `SignedPublicKey`s in the `MimeMessage` and
directly mark those as verified.
@Hocuri Hocuri force-pushed the hoc/fix-verifying-gossip-keys branch from d33de5d to 4bf08b6 Compare February 4, 2024 10:26
@Hocuri Hocuri changed the title [WIP] fix: Mark the gossip keys from the message as verified, not the ones from the db fix: Mark the gossip keys from the message as verified, not the ones from the db Feb 4, 2024
@Hocuri Hocuri requested a review from link2xt February 4, 2024 21:01
@Hocuri Hocuri merged commit f1688d2 into main Feb 6, 2024
@Hocuri Hocuri deleted the hoc/fix-verifying-gossip-keys branch February 6, 2024 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iequidoo iequidoo iequidoo approved these changes

@link2xt link2xt Awaiting requested review from link2xt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Hocuri @iequidoo