[FOLD] Add support for featureCofactoredED25519 amendment

scottschurr · Feb 1, 2024 · 8c6a9df · 8c6a9df
1 parent e9af179
commit 8c6a9df
Show file tree

Hide file tree

Showing 24 changed files with 209 additions and 150 deletions.
diff --git a/conan_debug b/conan_debug
diff --git a/src/ripple/app/consensus/RCLCxPeerPos.cpp b/src/ripple/app/consensus/RCLCxPeerPos.cpp
@@ -48,7 +48,10 @@ bool
 RCLCxPeerPos::checkSign() const
 {
     return verifyDigest(
-        publicKey(), proposal_.signingHash(), signature(), false);
+        publicKey(),
+        proposal_.signingHash(),
+        signature(),
+        RequireFullyCanonicalSig::no);
 }
 
 Json::Value

diff --git a/src/ripple/app/misc/impl/Manifest.cpp b/src/ripple/app/misc/impl/Manifest.cpp
@@ -194,11 +194,12 @@ Manifest::verify() const
 
     // Signing key and signature are not required for
     // master key revocations
-    if (!revoked() && !ripple::verify(st, HashPrefix::manifest, signingKey))
+    if (!revoked() &&
+        !ripple::verify(st, HashPrefix::manifest, signingKey, Cofactored::no))
         return false;
 
     return ripple::verify(
-        st, HashPrefix::manifest, masterKey, sfMasterSignature);
+        st, HashPrefix::manifest, masterKey, Cofactored::no, sfMasterSignature);
 }
 
 uint256

diff --git a/src/ripple/app/misc/impl/ValidatorList.cpp b/src/ripple/app/misc/impl/ValidatorList.cpp
@@ -1290,7 +1290,8 @@ ValidatorList::verify(
         !ripple::verify(
             publisherManifests_.getSigningKey(pubKey),
             makeSlice(data),
-            makeSlice(*sig)))
+            makeSlice(*sig),
+            Cofactored::no))
         return ListDisposition::invalid;
 
     Json::Reader r;

diff --git a/src/ripple/app/tx/impl/PayChan.cpp b/src/ripple/app/tx/impl/PayChan.cpp
@@ -446,10 +446,19 @@ PayChanClaim::preflight(PreflightContext const& ctx)
         if (!publicKeyType(ctx.tx[sfPublicKey]))
             return temMALFORMED;
 
+        Cofactored const cofactored =
+            ctx.rules.enabled(featureCofactoredED25519) ? Cofactored::yes
+                                                        : Cofactored::no;
+
         PublicKey const pk(ctx.tx[sfPublicKey]);
         Serializer msg;
         serializePayChanAuthorization(msg, k.key, authAmt);
-        if (!verify(pk, msg.slice(), *sig, /*canonical*/ true))
+        if (!verify(
+                pk,
+                msg.slice(),
+                *sig,
+                cofactored,
+                RequireFullyCanonicalSig::yes))
             return temBAD_SIGNATURE;
     }
 

diff --git a/src/ripple/app/tx/impl/apply.cpp b/src/ripple/app/tx/impl/apply.cpp
@@ -51,8 +51,8 @@ checkValidity(
         // Don't know signature state. Check it.
         auto const requireCanonicalSig =
             rules.enabled(featureRequireFullyCanonicalSig)
-            ? STTx::RequireFullyCanonicalSig::yes
-            : STTx::RequireFullyCanonicalSig::no;
+            ? RequireFullyCanonicalSig::yes
+            : RequireFullyCanonicalSig::no;
 
         auto const sigVerify = tx.checkSign(requireCanonicalSig, rules);
         if (!sigVerify)

diff --git a/src/ripple/overlay/impl/Handshake.cpp b/src/ripple/overlay/impl/Handshake.cpp
@@ -317,7 +317,11 @@ verifyHandshake(
 
         auto sig = base64_decode(iter->value());
 
-        if (!verifyDigest(publicKey, sharedValue, makeSlice(sig), false))
+        if (!verifyDigest(
+                publicKey,
+                sharedValue,
+                makeSlice(sig),
+                RequireFullyCanonicalSig::no))
             throw std::runtime_error("Failed to verify session");
     }
 

diff --git a/src/ripple/overlay/impl/PeerImp.cpp b/src/ripple/overlay/impl/PeerImp.cpp
@@ -1393,7 +1393,12 @@ PeerImp::onMessage(std::shared_ptr<protocol::TMPeerShardInfoV2> const& m)
         return badData("Invalid public key");
 
     // Verify signature
-    if (!verify(publicKey, s.slice(), makeSlice(m->signature()), false))
+    if (!verify(
+            publicKey,
+            s.slice(),
+            makeSlice(m->signature()),
+            Cofactored::no,
+            RequireFullyCanonicalSig::no))
         return badData("Invalid signature");
 
     // Forward the message if a peer chain exists

diff --git a/src/ripple/protocol/Feature.h b/src/ripple/protocol/Feature.h
@@ -74,7 +74,7 @@ namespace detail {
 // Feature.cpp. Because it's only used to reserve storage, and determine how
 // large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
 // the actual number of amendments. A LogicError on startup will verify this.
-static constexpr std::size_t numFeatures = 65;
+static constexpr std::size_t numFeatures = 66;
 
 /** Amendments that this server supports and the default voting behavior.
    Whether they are enabled depends on the Rules defined in the validated
@@ -352,6 +352,7 @@ extern uint256 const featureXChainBridge;
 extern uint256 const fixDisallowIncomingV1;
 extern uint256 const featureDID;
 extern uint256 const fixFillOrKill;
+extern uint256 const featureCofactoredED25519;
 
 }  // namespace ripple
 

diff --git a/src/ripple/protocol/PublicKey.h b/src/ripple/protocol/PublicKey.h
@@ -241,23 +241,28 @@ publicKeyType(PublicKey const& publicKey)
 /** @} */
 
 /** Verify a secp256k1 signature on the digest of a message. */
+enum class RequireFullyCanonicalSig : bool { no, yes };
 [[nodiscard]] bool
 verifyDigest(
     PublicKey const& publicKey,
     uint256 const& digest,
     Slice const& sig,
-    bool mustBeFullyCanonical = true) noexcept;
+    RequireFullyCanonicalSig canonicalSig =
+        RequireFullyCanonicalSig::yes) noexcept;
 
 /** Verify a signature on a message.
     With secp256k1 signatures, the data is first hashed with
     SHA512-Half, and the resulting digest is signed.
 */
+enum class Cofactored : bool { no, yes };
 [[nodiscard]] bool
 verify(
     PublicKey const& publicKey,
     Slice const& m,
     Slice const& sig,
-    bool mustBeFullyCanonical = true) noexcept;
+    Cofactored cofactored,
+    RequireFullyCanonicalSig canonicalSig =
+        RequireFullyCanonicalSig::yes) noexcept;
 
 /** Calculate the 160-bit node ID from a node public key. */
 NodeID

diff --git a/src/ripple/protocol/STTx.h b/src/ripple/protocol/STTx.h
@@ -119,10 +119,8 @@ class STTx final : public STObject, public CountedObject<STTx>
     /** Check the signature.
         @return `true` if valid signature. If invalid, the error message string.
     */
-    enum class RequireFullyCanonicalSig : bool { no, yes };
     Expected<void, std::string>
-    checkSign(RequireFullyCanonicalSig requireCanonicalSig, Rules const& rules)
-        const;
+    checkSign(RequireFullyCanonicalSig canonicalSig, Rules const& rules) const;
 
     // SQL Functions with metadata.
     static std::string const&
@@ -141,12 +139,12 @@ class STTx final : public STObject, public CountedObject<STTx>
 
 private:
     Expected<void, std::string>
-    checkSingleSign(RequireFullyCanonicalSig requireCanonicalSig) const;
+    checkSingleSign(RequireFullyCanonicalSig canonicalSig, Rules const& rules)
+        const;
 
     Expected<void, std::string>
-    checkMultiSign(
-        RequireFullyCanonicalSig requireCanonicalSig,
-        Rules const& rules) const;
+    checkMultiSign(RequireFullyCanonicalSig canonicalSig, Rules const& rules)
+        const;
 
     STBase*
     copy(std::size_t n, void* buf) const override;

diff --git a/src/ripple/protocol/Sign.h b/src/ripple/protocol/Sign.h
@@ -22,6 +22,7 @@
 
 #include <ripple/protocol/HashPrefix.h>
 #include <ripple/protocol/PublicKey.h>
+#include <ripple/protocol/Rules.h>
 #include <ripple/protocol/STObject.h>
 #include <ripple/protocol/SecretKey.h>
 #include <utility>
@@ -60,6 +61,7 @@ verify(
     STObject const& st,
     HashPrefix const& prefix,
     PublicKey const& pk,
+    Cofactored cofactored,
     SF_VL const& sigField = sfSignature);
 
 /** Return a Serializer suitable for computing a multisigning TxnSignature. */

diff --git a/src/ripple/protocol/impl/Feature.cpp b/src/ripple/protocol/impl/Feature.cpp
@@ -458,7 +458,8 @@ REGISTER_FEATURE(AMM,                           Supported::yes, VoteBehavior::De
 REGISTER_FEATURE(XChainBridge,                  Supported::yes, VoteBehavior::DefaultNo);
 REGISTER_FIX    (fixDisallowIncomingV1,         Supported::yes, VoteBehavior::DefaultNo);
 REGISTER_FEATURE(DID,                           Supported::yes, VoteBehavior::DefaultNo);
-REGISTER_FIX(fixFillOrKill,                     Supported::yes, VoteBehavior::DefaultNo);
+REGISTER_FIX    (fixFillOrKill,                 Supported::yes, VoteBehavior::DefaultNo);
+REGISTER_FEATURE(CofactoredED25519,             Supported::yes, VoteBehavior::DefaultNo);
 
 // The following amendments are obsolete, but must remain supported
 // because they could potentially get enabled.

diff --git a/src/ripple/protocol/impl/PublicKey.cpp b/src/ripple/protocol/impl/PublicKey.cpp
@@ -223,14 +223,14 @@ verifyDigest(
     PublicKey const& publicKey,
     uint256 const& digest,
     Slice const& sig,
-    bool mustBeFullyCanonical) noexcept
+    RequireFullyCanonicalSig canonicalSig) noexcept
 {
     if (publicKeyType(publicKey) != KeyType::secp256k1)
         LogicError("sign: secp256k1 required for digest signing");
     auto const canonicality = ecdsaCanonicality(sig);
     if (!canonicality)
         return false;
-    if (mustBeFullyCanonical &&
+    if (canonicalSig == RequireFullyCanonicalSig::yes &&
         (*canonicality != ECDSACanonicality::fullyCanonical))
         return false;
 
@@ -273,14 +273,14 @@ verify(
     PublicKey const& publicKey,
     Slice const& m,
     Slice const& sig,
-    bool mustBeFullyCanonical) noexcept
+    Cofactored cofactored,
+    RequireFullyCanonicalSig canonicalSig) noexcept
 {
     if (auto const type = publicKeyType(publicKey))
     {
         if (*type == KeyType::secp256k1)
         {
-            return verifyDigest(
-                publicKey, sha512Half(m), sig, mustBeFullyCanonical);
+            return verifyDigest(publicKey, sha512Half(m), sig, canonicalSig);
         }
         else if (*type == KeyType::ed25519)
         {
@@ -291,8 +291,18 @@ verify(
             // byte to distinguish them from secp256k1 keys
             // so when verifying the signature, we need to
             // first strip that prefix.
-            return ed25519_sign_open_cofactored(
-                       m.data(), m.size(), publicKey.data() + 1, sig.data()) == 0;
+            if (cofactored == Cofactored::no)
+                return ed25519_sign_open(
+                           m.data(),
+                           m.size(),
+                           publicKey.data() + 1,
+                           sig.data()) == 0;
+            else
+                return ed25519_sign_open_cofactored(
+                           m.data(),
+                           m.size(),
+                           publicKey.data() + 1,
+                           sig.data()) == 0;
         }
     }
     return false;