
[Script][BUG] Fix signature malleability for t inputs in Sapling txes #2064

Merged


random-zebra

We are currently signing the transparent inputs with SIGVERSION_BASE, thus we are not considering the sapData in the hash.

The functional test included (sapling_malleable_sigs.py) provides a demo for a basic trolling exploit (intercept a t->z tx to effectively burn the amount of PIV that was supposed to be shielded).

Fix:
Always use SIGVERSION_SAPLING to sign txes with version >= TxVersion::SAPLING.
This required a bit of refactoring, in order to pass the proper sigversion.
In the future we could simplify this flow, saving the sigversion directly inside the SignatureCreator.

The json data for sighash_test unit test has been updated to reflect the new hashes.

The sapling_malleable_sigs functional test, now failing after the fix, is updated to verify that the proper exception is thrown.
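The failure mode described in this PR, reduced to a toy model as an added illustration (this is not PIVX code and not the functional test the description mentions): a transparent input whose signature hash is computed with a BASE-style rule does not commit to the sapData, so anyone relaying the transaction can alter the shielded part and the input signature still verifies; computing the hash with a SAPLING-style rule for Sapling-version transactions closes that gap. The signature scheme is a keyed-HMAC stand-in for ECDSA so the example runs on the standard library alone, the serialization is a constructed simplification, and `TX_VERSION_SAPLING = 3` is an assumption taken from the "Bump TxVersion::SAPLING to 3" commit listed further down the page.

```python
"""Toy model of transparent-input sighash coverage for a Sapling-era tx.

Added illustration, not PIVX code. HMAC stands in for ECDSA so that the
example runs with the Python standard library only.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional, Tuple

# Assumption: the version threshold the PR describes (txes with
# version >= TxVersion::SAPLING must sign with SIGVERSION_SAPLING).
TX_VERSION_SAPLING = 3


class SigVersion(Enum):
    BASE = 0      # legacy hash: transparent fields only
    SAPLING = 1   # also commits to sapData


@dataclass
class SapData:
    value_balance: int               # net value moved off the transparent side
    shielded_spends: List[bytes]     # opaque spend descriptions (constructed)
    shielded_outputs: List[bytes]    # opaque output descriptions (constructed)


@dataclass
class Transaction:
    version: int
    vin: List[Tuple[bytes, int]]     # (prevout txid, index)
    vout: List[Tuple[int, bytes]]    # (amount, scriptPubKey)
    sap_data: Optional[SapData] = None


def _ser_transparent(tx: Transaction) -> bytes:
    """Constructed serialization of the transparent fields only."""
    out = struct.pack("<i", tx.version) + struct.pack("<I", len(tx.vin))
    for txid, n in tx.vin:
        out += txid + struct.pack("<I", n)
    out += struct.pack("<I", len(tx.vout))
    for amount, spk in tx.vout:
        out += struct.pack("<q", amount) + struct.pack("<I", len(spk)) + spk
    return out


def _ser_sapdata(sd: Optional[SapData]) -> bytes:
    """Constructed serialization of the shielded fields."""
    if sd is None:
        return b""
    out = struct.pack("<q", sd.value_balance)
    for group in (sd.shielded_spends, sd.shielded_outputs):
        out += struct.pack("<I", len(group))
        for item in group:
            out += struct.pack("<I", len(item)) + item
    return out


def signature_hash(tx: Transaction, sigversion: SigVersion) -> bytes:
    """Message the input signature commits to. BASE omits sapData entirely."""
    preimage = _ser_transparent(tx)
    if sigversion is SigVersion.SAPLING:
        preimage += _ser_sapdata(tx.sap_data)
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()


def sigversion_for(tx: Transaction) -> SigVersion:
    """The PR's rule: Sapling-version txes always sign with SIGVERSION_SAPLING."""
    return SigVersion.SAPLING if tx.version >= TX_VERSION_SAPLING else SigVersion.BASE


def sign_input(tx: Transaction, key: bytes, sigversion: SigVersion) -> bytes:
    return hmac.new(key, signature_hash(tx, sigversion), hashlib.sha256).digest()


def verify_input(tx: Transaction, key: bytes, sig: bytes, sigversion: SigVersion) -> bool:
    return hmac.compare_digest(sig, sign_input(tx, key, sigversion))


def malleability_check() -> Tuple[bool, bool, bool]:
    """Returns (base_accepts_tampered, sapling_accepts_tampered, sapling_accepts_original)."""
    key = b"constructed-signing-key"
    # Constructed t->z tx: one transparent input, no transparent outputs, the
    # whole value goes into a single shielded output description.
    original = Transaction(
        version=TX_VERSION_SAPLING,
        vin=[(bytes.fromhex("11" * 32), 0)],
        vout=[],
        sap_data=SapData(-10_000, [], [b"output-desc-to-intended-z-addr"]),
    )
    # A relaying party alters the shielded part before the tx is mined.
    tampered = replace(original, sap_data=SapData(-10_000, [], [b"altered-output-desc"]))

    sig_base = sign_input(original, key, SigVersion.BASE)               # pre-fix rule
    sig_sapling = sign_input(original, key, sigversion_for(original))   # post-fix rule
    return (
        verify_input(tampered, key, sig_base, SigVersion.BASE),
        verify_input(tampered, key, sig_sapling, SigVersion.SAPLING),
        verify_input(original, key, sig_sapling, SigVersion.SAPLING),
    )


if __name__ == "__main__":
    print(malleability_check())  # (True, False, True)
```

The first element of the result is the bug: under the BASE rule the tampered transaction verifies against a signature made over the original, because the hash never saw the sapData. The second element is the fix: the same tampering is rejected once the hash commits to the shielded fields, while the untouched transaction (third element) still verifies.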

@furszy

furszy commented Dec 15, 2020

Concept ACK, awesome catch! 👌


@Fuzzbawls Fuzzbawls left a comment


Looking good

utACK e5b8dba

@@ -671,6 +671,9 @@ isminetype SaplingScriptPubKeyMan::IsMine(const CWalletTx& wtx, const SaplingOut

CAmount SaplingScriptPubKeyMan::GetCredit(const CWalletTx& tx, const isminefilter& filter, const bool fUnspent) const
{
if (!tx.IsShieldedTx() || tx.sapData->vShieldedOutput.empty()) {
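Review bot: in the `if` condition that closes this hunk, `tx.sapData->vShieldedOutput.empty()` is only safe to evaluate because `!tx.IsShieldedTx()` short-circuits first; the two operands are coupled and a future reorder would dereference an unset `sapData`. Fold them into one helper on the transaction, e.g. `hasShieldedOutputs()`, with a `hasShieldedSpends()` counterpart for the matching `GetDebit` guard, so the dependency is stated once rather than repeated at every call site.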

IsShieldedTx is asking for vShieldedOutput.empty inside. Would be good if we add a new method hasShieldedOutputs.
(Same for GetDebit, a hasShieldedSpends)


@furszy furszy left a comment


Code review ACK e5b8dba.
You won a big beer for this one.

Two reminders for separate PRs:

  1. Code organization discussion for the SigVersion being allocated inside the transaction primitive file when the signature lives on top of it.
  2. New sighash.json for v1 transactions.

@furszy furszy merged commit d3866a0 into PIVX-Project:master Dec 16, 2020
Fuzzbawls added a commit that referenced this pull request Dec 19, 2020
…fee calculation loop

e5aab53 Refactor: initialize dummy Spend/Output descriptions only once (random-zebra)
6099737 Sapling: Skip proofs and signatures during fee calculation loop (random-zebra)
5d8ba3d Sapling: add option to skip ProveAndSing in TransactionBuilder::Build (random-zebra)
efd7139 Sapling: Decouple ProveAndSign from Build (random-zebra)
44620de [Wallet] Do not perform ECDSA signing in the fee calculation inner loop (random-zebra)

Pull request description:

  First commit backports bitcoin#9465.
  Following commits adapt the same idea to sapling transactions, including also the spend/output descriptors.

  This gives a **huge** speed-up in the transaction-creation process (especially with many inputs and/or outputs).

  Down-side: less time for the awesome shield animation in the GUI :)

  ~~Built on top of #2064 to remove the conflicts.~~

ACKs for top commit:
  furszy:
    Nice one! ACK e5aab53
  Fuzzbawls:
    ACK e5aab53

Tree-SHA512: 22fb95e8f5d635e7031e911edcfed66b6f15168ca8027ad3080ce01f8e93b1032a86988d9463425eb4f2755f286b299328910538d23fe15bbee8cfbc3763b8fe
Fuzzbawls pushed a commit to Fuzzbawls/PIVX that referenced this pull request Dec 19, 2020
furszy added a commit that referenced this pull request Dec 21, 2020
9390f8e [Refactor] Pass caught logic_error by reference in CreateSig (random-zebra)
7f37d7e Only use one set of parentheses for optional arguments (Fuzzbawls)
19f5eae [RPC] Use "shield" nomenclature instead of "shielded" (Fuzzbawls)
0cb01c9 GUI: settings information, fix missing initial masternodes count value. (furszy)
20bd97a GUI: ccontrol: remove column checkbox extra whitespace in tree mode (random-zebra)
1555406 warnings: Compiler warning on memset usage for non-trivial type (Lenny Maiorani)
359f0c6 Drop defunct IS_TRIVIALLY_CONSTRUCTIBLE handling from prevector.h (Ben Woosley)
9675199 Reduce redundant code of prevector and speed it up (random-zebra)
e6ffe2a Add new prevector benchmarks. (random-zebra)
04756ee Fixup various formatting inconsistencies with RPC help output (Fuzzbawls)
41fc192 Don't bother registering the `multisend` command (Fuzzbawls)
bbbc7c9 Fix typo in `getsaplingnotescount` help text (Fuzzbawls)
87c4d21 [Build] Unify header file extensions (Fuzzbawls)
411edee [BUG] Miner not paying valid finalized budget if <20 active masternodes (random-zebra)
dabe995 Tests: minor fixes for mining_pos_reorg_py (random-zebra)
03ec6bb Wallet: return unconfirmed balance for all spendable coins by default (random-zebra)
e9a9d54 Consensus: Allow setting old spork key before its expiration (random-zebra)
c5abbda Consensus: update spork keys for v5 (random-zebra)
60f1535 GUI: Dashboard, fix type filtering disappearance. (furszy)
1f28551 Params: clear testnet checkpoints (random-zebra)
5b809b2 Params: Fix PoS block value for testnet to 5 (random-zebra)
4c847eb Params: Update testnet params - remove unused ones (random-zebra)
f2ea00d Params: change testnet datadir to testnet5 (random-zebra)
2444e54 BUG: Miner don't check for PoS activation at negative height (random-zebra)
f3b01ba Consensus: Budget: Fix instant killing of proposals (random-zebra)
0d0fe24 [BUG][GUI] Receive widget: check typeRole before refreshing view (random-zebra)
40e3203 Refactor: initialize dummy Spend/Output descriptions only once (random-zebra)
6ea78ad Sapling: Skip proofs and signatures during fee calculation loop (random-zebra)
0aa9439 Sapling: add option to skip ProveAndSing in TransactionBuilder::Build (random-zebra)
ff2dec2 Sapling: Decouple ProveAndSign from Build (random-zebra)
5b7e86d [Wallet] Do not perform ECDSA signing in the fee calculation inner loop (random-zebra)
7c87241 [Consensus] Bump TxVersion::SAPLING to 3 (random-zebra)
05fe877 Cleanup: remove unneeded check (time-based) for version 4 header (random-zebra)
a29f1e3 Miner: set proper block version based on upgrade enforcements (random-zebra)
8e0a9d9 Consensus: reject blocks with outdated version (<8) after v5 enforcement (random-zebra)
25e2816 BUG: Fix TestBlockValidity for PoW blocks (random-zebra)
1466f0b [GUI] Connect alert signal (furszy)
6850224 Move GetWarnings() into its own file. (furszy)
edf51b3 util GetWarnings, adding "gui" parameter type. (furszy)
60cc6f2 Eliminate data races for strMiscWarning and fLargeWork*Found. (furszy)
3fc1597 Make QT runawayException call GetWarnings instead of directly access strMiscWarning. (furszy)
0ece82d Separate CTranslationInterface from CClientUIInterface (furszy)
a46f00d [Cleanup] Remove unused global fields from util.h/cpp (furszy)
ee5306f Tests: Update sapling_malleable-sigs test, now failing (random-zebra)
8780161 Tests: update sighash json test data for saplingVersion txes (random-zebra)
0a82c10 Script: Properly sign/verify shielded tx with sigversion sapling (random-zebra)
6b5d96d Tests: Add trolling exploit demo (random-zebra)
460a875 Tests: fix order of sapData serialization (random-zebra)
43f7ca7 BUG: Guard access to tx.sapData in connectBlock (random-zebra)
c12ff2b BUG: SSPKM, guard GetDebit/GetCredit for non-shield v2 txes (random-zebra)
5797e2b [GUI][Trivial] Adjust CoinControl column widths for readability (Ambassador)
8c500df Tests: Add sapling_fillblock functional test (random-zebra)
ce7f265 Consensus: check total size of all shielded txes inside a block (random-zebra)
7b8425a Miner: do not include more than 750 kB of shielded txes inside a block (random-zebra)
c314d7b Trivial: Add Zcash copyright (random-zebra)
99fa644 Refactor: Decouple ShieldedSendManyTo from sendtoaddress/sendmany (random-zebra)
2b7b466 [Test] Add case for (shielded) sendtoaddress (random-zebra)
25b2513 [RPC] Redirect sendtoaddress to shieldedsendmany when shielded recipient (random-zebra)
8c2c328 Refactor: always check mnp blockhash in CMasternodePing::CheckAndUpdate (random-zebra)
aca3764 MN: pass sigTime to CMasternodePing constructor (random-zebra)
1ca9476 MN: pass lastPing to CMasternodeBroadcast constructor (random-zebra)
974b965 [Validation] Remove unused DisconnectBlock function definition. (furszy)
5a33bb1 [Validation] Remove unused DisconnectBlocks function. (furszy)
76ae626 [Validation] Remove unused ReprocessBlocks function. (furszy)
626170e [Masternde] Refactor activeMasternode.GetKeys callers to not expect a bool. (furszy)
545ca77 [Masternode] Clean now unused global strMasterNodePrivKey. (furszy)
8a88cd9 [Masternode] Stop parsing the MN private key string on every finalized budget vote. (furszy)
83080ea [Masternode] Stop parsing the masternode private key string on every ping. (furszy)
77a3959 [Masternode] Cache decoded Masternode private key (furszy)
d4b8a32 [net] Avoid initialization to a value that is never read (furszy)
bbc3a7e Revert "Use async name resolving to improve net thread responsiveness" (furszy)
e9469b1 Use Socks5ErrorString() to decode error responses from socks proxy. (furszy)
2e23740 Make Socks5() InterruptibleRecv() timeout/failures informative. (furszy)
7eefaba SOCKS5 connecting and connected messages with -debug=net. (furszy)
6baf377 Make failures to connect via Socks5() more informative and less unnecessarily scary. (furszy)
aff68db [GUI] Transaction detail, scroll memo fix, starting from the top. (furszy)
38895a9 Make tests pass after 2020 (Bernhard M. Wiedemann)
ac8d818 [Wallet] BugFix: automatic upgrade for unlocked wallet isn't upgrading the wallet feature version. (furszy)
b1133c4 [Tests] Check spent nullifier in sapling_wallet_listreceived (random-zebra)
9576897 [RPC] Add nullifiers to listshieldedunspent output (random-zebra)
f99a176 [BUG][RPC] Fix check in wallet upgrade RPC (random-zebra)
fb58f5f [Miner] Update block header's current version to v8 (Fuzzbawls)
99c2d5e [TierTwo] Remove unneeded extra logging. (furszy)
3066165 [Sapling] Transparent inputs selection, fixing inverted order. Sort decrementally instead of incrementally. (furszy)
0eaf735 [Test] Adding sapling transaction validation unit test coverage. (furszy)
f695d12 CMakeList, pivxd and test_pivx fix for missing MacOS framework. (furszy)

Pull request description:

  backports the following PRs from master to the 5.0 branch:

  #2041
  #2042
  #2046
  #2045
  #2052
  #2047
  #2049
  #2048
  #2059
  #2055
  #2054
  #2056
  #2058
  #2060
  #2050
  #2061
  #2062
  #2033
  #2064
  #2063
  #2067
  #2051
  #2065
  #2066
  #2068
  #2069
  #2073
  #2071
  #2080
  #2081
  #2084
  #2087
  #2088
  #2083
  #2070
  #2075
  #2086
  #2091

ACKs for top commit:
  random-zebra:
    utACK 9390f8e
  furszy:
    utACK 9390f8e

Tree-SHA512: aca2dc8fd3b8d234a27ba7b128168cc3e48b0b775b5699f8fe53e84ac548eb99121b3f0304939896c6e876ffd252f2023958ccb38a344425093948f206238892