-
Notifications
You must be signed in to change notification settings - Fork 977
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Murisi/fix tx malleability #1607
Conversation
LGTM! this is more or less how I was thinking this problem could be fixed. We need better API to construct a tx but we can manage in another PR :) thanks! |
d0f457e
to
ef34267
Compare
core/src/proto/types.rs
Outdated
@@ -1002,7 +1033,7 @@ impl Tx { | |||
match &self.header.tx_type { | |||
// verify signature and extract signed data | |||
TxType::Wrapper(wrapper) => { | |||
self.verify_signature(&wrapper.pk, &self.header_hash()) | |||
self.verify_signature(&wrapper.pk, &[self.header_hash()]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we validate the signature over the header and also all of the sections? I see that in sign_wrapper
we initialize the vector of hashes with the header hash and then push the hashes of all the sections included in the tx. I imagined we would do the same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, thanks. Currently we're just checking for a valid signature over the header, which indirectly implies a check that all sections targetted in the signature exist (i.e. haven't been removed or tampered with). But we should check that all sections in a transaction are signed over - this would prevent the addition of new sections to a transaction. Let me work on that.
…d renamed it to validate_tx.
2519226
to
a3a8bbc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me now, thanks!
@@ -998,35 +1044,35 @@ impl Tx { | |||
/// the Tx and verify it is of the appropriate form. This means | |||
/// 1. The wrapper tx is indeed signed | |||
/// 2. The signature is valid | |||
pub fn validate_header(&self) -> std::result::Result<(), TxError> { | |||
pub fn validate_tx( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the rustdoc on this is a bit outdated
* origin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
…gin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
* murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
* origin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
An attempt to fix the transaction malleability described at #1567 . The approach taken is as follows:
Vec<Hash>
Additionally the signatures over data and code sections have now been combined to eliminate the possibility of the wrapper signer somehow changing the inner WASM code that is supposed to execute over the signed data in the inner transaction. That is, the inner transaction code and data are now bound together by a signature.