Merge pull request #8596 from EOSIO/develop-security-omnibus

Consolidated Security Fixes for develop
EOSIO · Feb 7, 2020 · 531eaf9 · 531eaf9
2 parents 3b2be55 + 2afe3a9
commit 531eaf9
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/libraries/chain/block_header_state.cpp b/libraries/chain/block_header_state.cpp
@@ -408,6 +408,15 @@ namespace eosio { namespace chain {
    }
 
    void block_header_state::verify_signee( )const {
+
+      size_t num_keys_in_authority = valid_block_signing_authority.visit([](const auto &a){ return a.keys.size(); });
+      EOS_ASSERT(1 + additional_signatures.size() <= num_keys_in_authority, wrong_signing_key,
+                 "number of block signatures (${num_block_signatures}) exceeds number of keys in block signing authority (${num_keys})",
+                 ("num_block_signatures", 1 + additional_signatures.size())
+                 ("num_keys", num_keys_in_authority)
+                 ("authority", valid_block_signing_authority)
+      );
+
       std::set<public_key_type> keys;
       auto digest = sig_digest();
       keys.emplace(fc::crypto::public_key( header.producer_signature, digest, true ));

diff --git a/libraries/fc b/libraries/fc
diff --git a/plugins/net_plugin/net_plugin.cpp b/plugins/net_plugin/net_plugin.cpp
@@ -2410,6 +2410,25 @@ namespace eosio {
             fc::raw::unpack( ds, which ); // throw away
             shared_ptr<signed_block> ptr = std::make_shared<signed_block>();
             fc::raw::unpack( ds, *ptr );
+
+            auto is_webauthn_sig = []( const fc::crypto::signature& s ) {
+               return s.which() == fc::crypto::signature::storage_type::position<fc::crypto::webauthn::signature>();
+            };
+            bool has_webauthn_sig = is_webauthn_sig( ptr->producer_signature );
+
+            constexpr auto additional_sigs_eid = additional_block_signatures_extension::extension_id();
+            auto exts = ptr->validate_and_extract_extensions();
+            if( exts.count( additional_sigs_eid ) ) {
+               const auto &additional_sigs = exts.lower_bound( additional_sigs_eid )->second.get<additional_block_signatures_extension>().signatures;
+               has_webauthn_sig |= std::any_of( additional_sigs.begin(), additional_sigs.end(), is_webauthn_sig );
+            }
+
+            if( has_webauthn_sig ) {
+               fc_dlog( logger, "WebAuthn signed block received from ${p}, closing connection", ("p", peer_name()));
+               close();
+               return false;
+            }
+
             handle_message( blk_id, std::move( ptr ) );
 
          } else if( which == packed_transaction_which ) {
+13 −0		CMakeLists.txt
+1 −1		src/crypto/elliptic_webauthn.cpp
+2 −2		src/log/logger_config.cpp