Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Murisi/fix tx malleability #1607

Merged
merged 10 commits into from
Jul 6, 2023
Merged

Murisi/fix tx malleability #1607

merged 10 commits into from
Jul 6, 2023

Conversation

murisi
Copy link
Collaborator

@murisi murisi commented Jun 21, 2023

An attempt to fix the transaction malleability described at #1567 . The approach taken is as follows:

  • Enable signature sections to sign over multiple sections as specified in a Vec<Hash>
  • Now make the header signatures span over all the other transactions sections in addition to the header hash
  • The verify signature algorithm now checks that all sections referenced in a signature are still present in the transaction

Additionally the signatures over data and code sections have now been combined to eliminate the possibility of the wrapper signer somehow changing the inner WASM code that is supposed to execute over the signed data in the inner transaction. That is, the inner transaction code and data are now bound together by a signature.

@murisi murisi requested review from Fraccaman, grarco and cwgoes June 21, 2023 16:21
Fraccaman
Fraccaman previously approved these changes Jun 23, 2023
@Fraccaman
Copy link
Member

LGTM! this is more or less how I was thinking this problem could be fixed. We need better API to construct a tx but we can manage in another PR :) thanks!

@murisi murisi force-pushed the murisi/fix-tx-malleability branch from d0f457e to ef34267 Compare June 25, 2023 05:39
@@ -1002,7 +1033,7 @@ impl Tx {
match &self.header.tx_type {
// verify signature and extract signed data
TxType::Wrapper(wrapper) => {
self.verify_signature(&wrapper.pk, &self.header_hash())
self.verify_signature(&wrapper.pk, &[self.header_hash()])
Copy link
Collaborator

@grarco grarco Jun 25, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we validate the signature over the header and also all of the sections? I see that in sign_wrapper we initialize the vector of hashes with the header hash and then push the hashes of all the sections included in the tx. I imagined we would do the same here

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, thanks. Currently we're just checking for a valid signature over the header, which indirectly implies a check that all sections targetted in the signature exist (i.e. haven't been removed or tampered with). But we should check that all sections in a transaction are signed over - this would prevent the addition of new sections to a transaction. Let me work on that.

@murisi murisi force-pushed the murisi/fix-tx-malleability branch from 2519226 to a3a8bbc Compare June 27, 2023 12:09
@grarco grarco self-requested a review June 27, 2023 18:16
grarco
grarco previously approved these changes Jun 27, 2023
Copy link
Collaborator

@grarco grarco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me now, thanks!

@@ -998,35 +1044,35 @@ impl Tx {
/// the Tx and verify it is of the appropriate form. This means
/// 1. The wrapper tx is indeed signed
/// 2. The signature is valid
pub fn validate_header(&self) -> std::result::Result<(), TxError> {
pub fn validate_tx(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the rustdoc on this is a bit outdated

tzemanovic
tzemanovic previously approved these changes Jul 3, 2023
Fraccaman added a commit that referenced this pull request Jul 3, 2023
* origin/murisi/fix-tx-malleability:
  Added changelog entry.
  [fix]: Fix failing test-wasm by adding code section and also signing over that.
  Expanded validate_header to check for signature over all sections, and renamed it to validate_tx.
  Make the signature section unmalleable.
  VPs now check that code and data are signed together.
  Fixed clippy and formatting issues.
  Fixed the tests involving transaction signing.
  Now sign over all sections in transactions.
Fraccaman added a commit that referenced this pull request Jul 3, 2023
…gin/murisi/fix-tx-malleability: Added changelog entry. [fix]: Fix failing test-wasm by adding code section and also signing over that. Expanded validate_header to check for signature over all sections, and renamed it to validate_tx. Make the signature section unmalleable. VPs now check that code and data are signed together. Fixed clippy and formatting issues. Fixed the tests involving transaction signing. Now sign over all sections in transactions.
This was referenced Jul 4, 2023
brentstone added a commit that referenced this pull request Jul 5, 2023
* murisi/fix-tx-malleability:
  Added changelog entry.
  [fix]: Fix failing test-wasm by adding code section and also signing over that.
  Expanded validate_header to check for signature over all sections, and renamed it to validate_tx.
  Make the signature section unmalleable.
  VPs now check that code and data are signed together.
  Fixed clippy and formatting issues.
  Fixed the tests involving transaction signing.
  Now sign over all sections in transactions.
Fraccaman added a commit that referenced this pull request Jul 6, 2023
* origin/murisi/fix-tx-malleability:
  Added changelog entry.
  [fix]: Fix failing test-wasm by adding code section and also signing over that.
  Expanded validate_header to check for signature over all sections, and renamed it to validate_tx.
  Make the signature section unmalleable.
  VPs now check that code and data are signed together.
  Fixed clippy and formatting issues.
  Fixed the tests involving transaction signing.
  Now sign over all sections in transactions.
@Fraccaman Fraccaman mentioned this pull request Jul 6, 2023
@brentstone brentstone merged commit 848d0b0 into main Jul 6, 2023
@brentstone brentstone deleted the murisi/fix-tx-malleability branch July 6, 2023 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants