Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
use core::ops::Deref;
|
|
|
|
|
use std::{io, vec, default::Default};
|
|
|
|
|
|
|
|
|
|
use scale::Decode;
|
|
|
|
|
|
|
|
|
|
use zeroize::Zeroizing;
|
|
|
|
|
|
|
|
|
|
use blake2::{Digest, Blake2s256, Blake2b512};
|
|
|
|
|
|
|
|
|
|
use rand::{RngCore, CryptoRng};
|
|
|
|
|
|
|
|
|
|
use ciphersuite::{
|
|
|
|
|
group::{GroupEncoding, ff::Field},
|
|
|
|
|
Ciphersuite, Ristretto,
|
|
|
|
|
};
|
|
|
|
|
use schnorr::SchnorrSignature;
|
|
|
|
|
|
|
|
|
|
use crate::{
|
|
|
|
|
transaction::{Transaction, TransactionKind, TransactionError},
|
|
|
|
|
ReadWrite,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
use tendermint::{
|
|
|
|
|
SignedMessageFor, Data,
|
|
|
|
|
round::RoundData,
|
|
|
|
|
time::CanonicalInstant,
|
|
|
|
|
commit_msg,
|
|
|
|
|
ext::{Network, Commit, RoundNumber, SignatureScheme},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/// Signing data for a slash vote.
|
|
|
|
|
///
|
|
|
|
|
/// The traditional Signed uses a nonce, whereas votes aren't required/expected to be ordered.
|
|
|
|
|
/// Accordingly, a simple uniqueness check works instead.
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
|
|
|
|
pub struct VoteSignature {
|
|
|
|
|
pub signer: <Ristretto as Ciphersuite>::G,
|
|
|
|
|
pub signature: SchnorrSignature<Ristretto>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ReadWrite for VoteSignature {
|
|
|
|
|
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
|
|
|
|
|
let signer = Ristretto::read_G(reader)?;
|
|
|
|
|
let signature = SchnorrSignature::<Ristretto>::read(reader)?;
|
|
|
|
|
|
|
|
|
|
Ok(VoteSignature { signer, signature })
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
writer.write_all(&self.signer.to_bytes())?;
|
|
|
|
|
self.signature.write(writer)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Default for VoteSignature {
|
|
|
|
|
fn default() -> Self {
|
|
|
|
|
VoteSignature {
|
|
|
|
|
signer: Ristretto::generator(),
|
|
|
|
|
signature: SchnorrSignature::<Ristretto>::read(&mut [0; 64].as_slice()).unwrap(),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// A vote to slash a malicious validator.
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
|
|
|
|
pub struct SlashVote {
|
|
|
|
|
pub id: [u8; 13], // vote id(slash event id)
|
|
|
|
|
pub target: [u8; 32], // who to slash
|
|
|
|
|
pub sig: VoteSignature, // signature
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ReadWrite for SlashVote {
|
|
|
|
|
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
|
|
|
|
|
let mut id = [0; 13];
|
|
|
|
|
let mut target = [0; 32];
|
|
|
|
|
reader.read_exact(&mut id)?;
|
|
|
|
|
reader.read_exact(&mut target)?;
|
|
|
|
|
let sig = VoteSignature::read(reader)?;
|
|
|
|
|
|
|
|
|
|
Ok(SlashVote { id, target, sig })
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
writer.write_all(&self.id)?;
|
|
|
|
|
writer.write_all(&self.target)?;
|
|
|
|
|
self.sig.write(writer)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[allow(clippy::large_enum_variant)]
|
|
|
|
|
#[derive(Clone, PartialEq, Eq, Debug)]
|
|
|
|
|
pub enum TendermintTx {
|
|
|
|
|
SlashEvidence(Vec<u8>),
|
|
|
|
|
// TODO: should the SlashVote.sig be directly in the enum
|
|
|
|
|
// like as in (SlashVote, sig) since the sig is sig of the tx.
|
|
|
|
|
SlashVote(SlashVote),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ReadWrite for TendermintTx {
|
|
|
|
|
fn read<R: io::Read>(reader: &mut R) -> io::Result<Self> {
|
|
|
|
|
let mut kind = [0];
|
|
|
|
|
reader.read_exact(&mut kind)?;
|
|
|
|
|
match kind[0] {
|
|
|
|
|
0 => {
|
|
|
|
|
let mut len = [0; 4];
|
|
|
|
|
reader.read_exact(&mut len)?;
|
|
|
|
|
let mut len =
|
|
|
|
|
usize::try_from(u32::from_le_bytes(len)).expect("running on a 16-bit system?");
|
|
|
|
|
|
|
|
|
|
let mut data = vec![];
|
|
|
|
|
|
|
|
|
|
// Read chunk-by-chunk so a claimed 4 GB length doesn't cause a 4 GB allocation
|
|
|
|
|
// While we could check the length is sane, that'd require we know what a sane length is
|
|
|
|
|
// We'd also have to maintain that length's sanity even as other parts of the codebase,
|
|
|
|
|
// and even entire crates, change
|
|
|
|
|
// This is fine as it'll eventually hit the P2P message size limit, yet doesn't require
|
|
|
|
|
// knowing it nor does it make any assumptions
|
|
|
|
|
const CHUNK_LEN: usize = 1024;
|
|
|
|
|
let mut chunk = [0; CHUNK_LEN];
|
|
|
|
|
while len > 0 {
|
|
|
|
|
let to_read = len.min(CHUNK_LEN);
|
|
|
|
|
data.reserve(to_read);
|
|
|
|
|
reader.read_exact(&mut chunk[.. to_read])?;
|
|
|
|
|
data.extend(&chunk[.. to_read]);
|
|
|
|
|
len -= to_read;
|
|
|
|
|
}
|
|
|
|
|
Ok(TendermintTx::SlashEvidence(data))
|
|
|
|
|
}
|
|
|
|
|
1 => {
|
|
|
|
|
let vote = SlashVote::read(reader)?;
|
|
|
|
|
Ok(TendermintTx::SlashVote(vote))
|
|
|
|
|
}
|
|
|
|
|
_ => Err(io::Error::new(io::ErrorKind::Other, "invalid transaction type")),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn write<W: io::Write>(&self, writer: &mut W) -> io::Result<()> {
|
|
|
|
|
match self {
|
|
|
|
|
TendermintTx::SlashEvidence(ev) => {
|
|
|
|
|
writer.write_all(&[0])?;
|
|
|
|
|
writer.write_all(&u32::try_from(ev.len()).unwrap().to_le_bytes())?;
|
|
|
|
|
writer.write_all(ev)
|
|
|
|
|
}
|
|
|
|
|
TendermintTx::SlashVote(vote) => {
|
|
|
|
|
writer.write_all(&[1])?;
|
|
|
|
|
vote.write(writer)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Transaction for TendermintTx {
|
|
|
|
|
fn kind(&self) -> TransactionKind<'_> {
|
|
|
|
|
// There's an assert elsewhere in the codebase expecting this behavior
|
|
|
|
|
// If we do want to add Provided/Signed TendermintTxs, review the implications carefully
|
|
|
|
|
TransactionKind::Unsigned
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn hash(&self) -> [u8; 32] {
|
|
|
|
|
let mut tx = self.serialize();
|
|
|
|
|
if let TendermintTx::SlashVote(vote) = self {
|
|
|
|
|
// Make sure the part we're cutting off is the signature
|
|
|
|
|
assert_eq!(tx.drain((tx.len() - 64) ..).collect::<Vec<_>>(), vote.sig.signature.serialize());
|
|
|
|
|
}
|
|
|
|
|
Blake2s256::digest(tx).into()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn sig_hash(&self, genesis: [u8; 32]) -> <Ristretto as Ciphersuite>::F {
|
|
|
|
|
match self {
|
|
|
|
|
TendermintTx::SlashEvidence(_) => panic!("sig_hash called on slash evidence transaction"),
|
|
|
|
|
TendermintTx::SlashVote(vote) => {
|
|
|
|
|
let signature = &vote.sig.signature;
|
|
|
|
|
<Ristretto as Ciphersuite>::F::from_bytes_mod_order_wide(
|
|
|
|
|
&Blake2b512::digest(
|
use half-aggregation for tm messages (#346)
* dalek 4.0
* cargo update
Moves to a version of Substrate which uses curve25519-dalek 4.0 (not a rc).
Doesn't yet update the repo to curve25519-dalek 4.0 (as a branch does) due
to the official schnorrkel using a conflicting curve25519-dalek. This would
prevent installation of frost-schnorrkel without a patch.
* use half-aggregation for tm messages
* fmt
* fix pr comments
* cargo update
Achieves three notable updates.
1) Resolves RUSTSEC-2022-0093 by updating libp2p-identity.
2) Removes 3 old rand crates via updating ed25519-dalek (a dependency of
libp2p-identity).
3) Sets serde_derive to 1.0.171 via updating to time 0.3.26 which pins at up to
1.0.171.
The last one is the most important. The former two are niceties.
serde_derive, since 1.0.171, ships a non-reproducible binary blob in what's a
complete compromise of supply chain security. This is done in order to reduce
compile times, yet also for the maintainer of serde (dtolnay) to leverage
serde's position as the 8th most downloaded crate to attempt to force changes
to the Rust build pipeline.
While dtolnay's contributions to Rust are respectable, being behind syn, quote,
and proc-macro2 (the top three crates by downloads), along with thiserror,
anyhow, async-trait, and more (I believe also being part of the Rust project),
they have unfortunately decided to refuse to listen to the community on this
issue (or even engage with counter-commentary). Given their political agenda
they seem to try to be accomplishing with force, I'd go as far as to call their
actions terroristic (as they're using the threat of the binary blob as
justification for cargo to ship 'proper' support for binary blobs).
This is arguably representative of dtolnay's past work on watt. watt was a wasm
interpreter to execute a pre-compiled proc macro. This would save the compile
time of proc macros, yet sandbox it so a full binary did not have to be run.
Unfortunately, watt (while decreasing compile times) fails to be a valid
solution to supply chain security (without massive ecosystem changes). It never
implemented reproducible builds for its wasm blobs, and a malicious wasm blob
could still fundamentally compromise a project. The only solution for an end
user to achieve a secure pipeline would be to locally build the project,
verifying the blob aligns, yet doing so would negate all advantages of the
blob.
dtolnay also seems to be giving up their role as a FOSS maintainer given that
serde no longer works in several environments. While FOSS maintainers are not
required to never implement breaking changes, the version number is still 1.0.
While FOSS maintainers are not required to follow semver, releasing a very
notable breaking change *without a new version number* in an ecosystem which
*does follow semver*, then refusing to acknowledge bugs as bugs with their work
does meet my personal definition of "not actively maintaining their existing
work". Maintenance would be to fix bugs, not introduce and ignore.
For now, serde > 1.0.171 has been banned. In the future, we may host a fork
without the blobs (yet with the patches). It may be necessary to ban all of
dtolnay's maintained crates, if they continue to force their agenda as such,
yet I hope this may be resolved within the next week or so.
Sources:
https://github.com/serde-rs/serde/issues/2538 - Binary blob discussion
This includes several reports of various workflows being broken.
https://github.com/serde-rs/serde/issues/2538#issuecomment-1682519944
dtolnay commenting that security should be resolved via Rust toolchain edits,
not via their own work being secure. This is why I say they're trying to
leverage serde in a political game.
https://github.com/serde-rs/serde/issues/2526 - Usage via git broken
dtolnay explicitly asks the submitting user if they'd be willing to advocate
for changes to Rust rather than actually fix the issue they created. This is
further political arm wrestling.
https://github.com/serde-rs/serde/issues/2530 - Usage via Bazel broken
https://github.com/serde-rs/serde/issues/2575 - Unverifiable binary blob
https://github.com/dtolnay/watt - dtolnay's prior work on precompilation
* add Rs() api to SchnorrAggregate
* Correct serai-processor-tests to dalek 4
* fmt + deny
* Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
* Add DSTs to Tributary TX sig_hash functions
Prevents conflicts with other systems/other parts of the Tributary.
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 08:22:00 +03:00
|
|
|
[
|
|
|
|
|
b"Tributary Slash Vote",
|
|
|
|
|
genesis.as_ref(),
|
|
|
|
|
&self.hash(),
|
|
|
|
|
signature.R.to_bytes().as_ref(),
|
|
|
|
|
]
|
|
|
|
|
.concat(),
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 07:28:23 +03:00
|
|
|
)
|
|
|
|
|
.into(),
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn verify(&self) -> Result<(), TransactionError> {
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl TendermintTx {
|
|
|
|
|
// Sign a transaction
|
|
|
|
|
pub fn sign<R: RngCore + CryptoRng>(
|
|
|
|
|
&mut self,
|
|
|
|
|
rng: &mut R,
|
|
|
|
|
genesis: [u8; 32],
|
|
|
|
|
key: &Zeroizing<<Ristretto as Ciphersuite>::F>,
|
|
|
|
|
) {
|
|
|
|
|
fn signature(tx: &mut TendermintTx) -> Option<&mut VoteSignature> {
|
|
|
|
|
match tx {
|
|
|
|
|
TendermintTx::SlashVote(vote) => Some(&mut vote.sig),
|
|
|
|
|
_ => None,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
signature(self).unwrap().signer = Ristretto::generator() * key.deref();
|
|
|
|
|
|
|
|
|
|
let sig_nonce = Zeroizing::new(<Ristretto as Ciphersuite>::F::random(rng));
|
|
|
|
|
signature(self).unwrap().signature.R =
|
|
|
|
|
<Ristretto as Ciphersuite>::generator() * sig_nonce.deref();
|
|
|
|
|
|
|
|
|
|
let sig_hash = self.sig_hash(genesis);
|
|
|
|
|
|
|
|
|
|
signature(self).unwrap().signature =
|
|
|
|
|
SchnorrSignature::<Ristretto>::sign(key, sig_nonce, sig_hash);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn decode_evidence<N: Network>(
|
|
|
|
|
mut ev: &[u8],
|
|
|
|
|
) -> Result<(SignedMessageFor<N>, Option<SignedMessageFor<N>>), TransactionError> {
|
|
|
|
|
<(SignedMessageFor<N>, Option<SignedMessageFor<N>>)>::decode(&mut ev).map_err(|_| {
|
|
|
|
|
dbg!("failed to decode");
|
|
|
|
|
TransactionError::InvalidContent
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TODO: Move this into tendermint-machine
|
|
|
|
|
// TODO: Strongly type Evidence, instead of having two messages and no idea what's supposedly
|
|
|
|
|
// wrong with them. Doing so will massively simplify the auditability of this (as this
|
|
|
|
|
// re-implements an entire foreign library's checks for malicious behavior).
|
|
|
|
|
pub(crate) fn verify_tendermint_tx<N: Network>(
|
|
|
|
|
tx: &TendermintTx,
|
|
|
|
|
genesis: [u8; 32],
|
|
|
|
|
schema: N::SignatureScheme,
|
|
|
|
|
commit: impl Fn(u32) -> Option<Commit<N::SignatureScheme>>,
|
|
|
|
|
) -> Result<(), TransactionError> {
|
|
|
|
|
tx.verify()?;
|
|
|
|
|
|
|
|
|
|
match tx {
|
|
|
|
|
TendermintTx::SlashEvidence(ev) => {
|
|
|
|
|
let (first, second) = decode_evidence::<N>(ev)?;
|
|
|
|
|
|
|
|
|
|
// verify that evidence messages are signed correctly
|
|
|
|
|
if !first.verify_signature(&schema) {
|
|
|
|
|
Err(TransactionError::InvalidSignature)?
|
|
|
|
|
}
|
|
|
|
|
let first = first.msg;
|
|
|
|
|
|
|
|
|
|
if let Some(second) = second {
|
|
|
|
|
if !second.verify_signature(&schema) {
|
|
|
|
|
Err(TransactionError::InvalidSignature)?
|
|
|
|
|
}
|
|
|
|
|
let second = second.msg;
|
|
|
|
|
|
|
|
|
|
// 2 types of evidence here
|
|
|
|
|
// 1- multiple distinct messages for the same block + round + step
|
|
|
|
|
// 2- precommitted to multiple blocks
|
|
|
|
|
|
|
|
|
|
// Make sure they're distinct messages, from the same sender, within the same block
|
|
|
|
|
if (first == second) || (first.sender != second.sender) || (first.block != second.block) {
|
|
|
|
|
Err(TransactionError::InvalidContent)?;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Distinct messages within the same step
|
|
|
|
|
if (first.round == second.round) && (first.data.step() == second.data.step()) {
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// check whether messages are precommits to different blocks
|
|
|
|
|
// The inner signatures don't need to be verified since the outer signatures were
|
|
|
|
|
// While the inner signatures may be invalid, that would've yielded a invalid precommit
|
|
|
|
|
// signature slash instead of distinct precommit slash
|
|
|
|
|
if let Data::Precommit(Some((h1, _))) = first.data {
|
|
|
|
|
if let Data::Precommit(Some((h2, _))) = second.data {
|
|
|
|
|
if h1 == h2 {
|
|
|
|
|
Err(TransactionError::InvalidContent)?;
|
|
|
|
|
}
|
|
|
|
|
return Ok(());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No fault identified
|
|
|
|
|
Err(TransactionError::InvalidContent)?
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 2 types of evidence can be here
|
|
|
|
|
// 1- invalid commit signature
|
|
|
|
|
// 2- vr number that was greater than or equal to the current round
|
|
|
|
|
match &first.data {
|
|
|
|
|
Data::Proposal(vr, _) => {
|
|
|
|
|
// check the vr
|
|
|
|
|
if vr.is_none() || vr.unwrap().0 < first.round.0 {
|
|
|
|
|
Err(TransactionError::InvalidContent)?
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
Data::Precommit(Some((id, sig))) => {
|
|
|
|
|
// TODO: We need to be passed in the genesis time to handle this edge case
|
|
|
|
|
if first.block.0 == 0 {
|
|
|
|
|
todo!("invalid precommit signature on first block")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// get the last commit
|
|
|
|
|
// TODO: Why do we use u32 when Tendermint uses u64?
|
|
|
|
|
let prior_commit = match u32::try_from(first.block.0 - 1) {
|
|
|
|
|
Ok(n) => match commit(n) {
|
|
|
|
|
Some(c) => c,
|
|
|
|
|
// If we have yet to sync the block in question, we will return InvalidContent based
|
|
|
|
|
// on our own temporal ambiguity
|
|
|
|
|
// This will also cause an InvalidContent for anything using a non-existent block,
|
|
|
|
|
// yet that's valid behavior
|
|
|
|
|
// TODO: Double check the ramifications of this
|
|
|
|
|
_ => Err(TransactionError::InvalidContent)?,
|
|
|
|
|
},
|
|
|
|
|
_ => Err(TransactionError::InvalidContent)?,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// calculate the end time till the msg round
|
|
|
|
|
let mut last_end_time = CanonicalInstant::new(prior_commit.end_time);
|
|
|
|
|
for r in 0 ..= first.round.0 {
|
|
|
|
|
last_end_time = RoundData::<N>::new(RoundNumber(r), last_end_time).end_time();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// verify that the commit was actually invalid
|
|
|
|
|
if schema.verify(first.sender, &commit_msg(last_end_time.canonical(), id.as_ref()), sig) {
|
|
|
|
|
Err(TransactionError::InvalidContent)?
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
_ => Err(TransactionError::InvalidContent)?,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
TendermintTx::SlashVote(vote) => {
|
|
|
|
|
// TODO: verify the target is actually one of our validators?
|
|
|
|
|
// this shouldn't be a problem because if the target isn't valid, no one else
|
|
|
|
|
// gonna vote on it. But we still have to think about spam votes.
|
|
|
|
|
|
|
|
|
|
// TODO: we need to check signer is a participant
|
|
|
|
|
|
|
|
|
|
// TODO: Move this into the standalone TendermintTx verify
|
|
|
|
|
let sig = &vote.sig;
|
|
|
|
|
// verify the tx signature
|
|
|
|
|
// TODO: Use Schnorr half-aggregation and a batch verification here
|
|
|
|
|
if !sig.signature.verify(sig.signer, tx.sig_hash(genesis)) {
|
|
|
|
|
Err(TransactionError::InvalidSignature)?;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|