Merge pull request #5567 from oasisprotocol/kostko/fix/rt-rak-freshness

oasisprotocol · Feb 23, 2024 · d309216 · d309216
2 parents c95d5e0 + 2f7008a
commit d309216
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 20 deletions.
diff --git a/.changelog/5567.bugfix.md b/.changelog/5567.bugfix.md
@@ -0,0 +1 @@
+runtime: Verify freshness with RAK against latest state
diff --git a/runtime/src/config.rs b/runtime/src/config.rs
@@ -2,7 +2,7 @@
 use crate::{common::version::Version, consensus::verifier::TrustRoot, types::Features};
 
 /// Global runtime configuration.
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct Config {
     /// Semantic runtime version.
     pub version: Version,
@@ -15,21 +15,6 @@ pub struct Config {
     /// Whether storage state should be persisted between transaction check invocations. The state
     /// is invalidated on the next round.
     pub persist_check_tx_state: bool,
-    /// Whether TEE freshness is verified with freshness proofs.
-    pub freshness_proofs: bool,
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Self {
-            version: Default::default(),
-            trust_root: None,
-            storage: Default::default(),
-            features: Default::default(),
-            persist_check_tx_state: false,
-            freshness_proofs: true,
-        }
-    }
 }
 
 /// Storage-related configuration.

diff --git a/runtime/src/consensus/tendermint/verifier/mod.rs b/runtime/src/consensus/tendermint/verifier/mod.rs
@@ -471,7 +471,8 @@ impl Verifier {
         // Verify our own RAK is published in registry once per epoch.
         // This ensures consensus state is recent enough.
         if cache.last_verified_epoch != epoch {
-            self.verify_freshness_with_rak(&next_state, cache)?;
+            let latest_state = self.latest_consensus_state(cache, instance)?;
+            self.verify_freshness_with_rak(&latest_state, cache)?;
         }
 
         // Cache verified state root and epoch.
@@ -726,9 +727,7 @@ impl Verifier {
         // Verify state freshness with freshness proof. This step is required only for clients
         // as executors and key managers verify freshness regularly using node registration
         // (RAK with random nonces).
-        if self.protocol.get_config().freshness_proofs {
-            self.verify_freshness_with_proof(&mut instance, &mut cache)?;
-        };
+        self.verify_freshness_with_proof(&mut instance, &mut cache)?;
 
         // Start the command processing loop.
         loop {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		runtime: Verify freshness with RAK against latest state