2023-09-26 03:11:36 +00:00
|
|
|
use std::collections::{VecDeque, HashMap};
|
2023-04-12 15:13:48 +00:00
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
use ciphersuite::{group::GroupEncoding, Ciphersuite, Ristretto};
|
|
|
|
|
|
|
|
use serai_db::{DbTxn, Db};
|
2023-04-12 15:13:48 +00:00
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
use scale::Decode;
|
|
|
|
|
|
|
|
use tendermint::ext::{Network, Commit};
|
|
|
|
|
2023-04-14 00:35:55 +00:00
|
|
|
use crate::{
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
ReadWrite, ProvidedError, ProvidedTransactions, BlockError, Block, Mempool, Transaction,
|
2023-10-15 01:50:11 +00:00
|
|
|
transaction::{Signed, TransactionKind, TransactionError, Transaction as TransactionTrait},
|
2023-04-14 00:35:55 +00:00
|
|
|
};
|
2023-04-12 15:13:48 +00:00
|
|
|
|
2023-09-26 03:11:36 +00:00
|
|
|
#[derive(Debug)]
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) struct Blockchain<D: Db, T: TransactionTrait> {
|
2023-04-14 18:11:19 +00:00
|
|
|
db: Option<D>,
|
2023-04-12 15:13:48 +00:00
|
|
|
genesis: [u8; 32],
|
2023-04-14 18:11:19 +00:00
|
|
|
|
|
|
|
block_number: u32,
|
2023-04-12 15:13:48 +00:00
|
|
|
tip: [u8; 32],
|
2023-04-12 16:42:23 +00:00
|
|
|
next_nonces: HashMap<<Ristretto as Ciphersuite>::G, u32>,
|
2023-04-13 13:47:14 +00:00
|
|
|
|
2023-04-14 19:03:01 +00:00
|
|
|
provided: ProvidedTransactions<D, T>,
|
2023-04-14 19:51:43 +00:00
|
|
|
mempool: Mempool<D, T>,
|
2023-09-26 03:11:36 +00:00
|
|
|
|
|
|
|
pub(crate) next_block_notifications: VecDeque<tokio::sync::oneshot::Sender<()>>,
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
impl<D: Db, T: TransactionTrait> Blockchain<D, T> {
|
2023-09-25 21:15:36 +00:00
|
|
|
fn tip_key(genesis: [u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"tip", genesis)
|
2023-04-14 18:11:19 +00:00
|
|
|
}
|
|
|
|
fn block_number_key(&self) -> Vec<u8> {
|
2023-04-14 19:51:43 +00:00
|
|
|
D::key(b"tributary_blockchain", b"block_number", self.genesis)
|
2023-04-14 18:11:19 +00:00
|
|
|
}
|
2023-04-24 10:50:40 +00:00
|
|
|
fn block_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"block", [genesis, hash].concat())
|
2023-04-14 18:11:19 +00:00
|
|
|
}
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
fn block_hash_key(genesis: &[u8], block_number: u32) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"block_hash", [genesis, &block_number.to_le_bytes()].concat())
|
|
|
|
}
|
2023-04-24 10:50:40 +00:00
|
|
|
fn commit_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"commit", [genesis, hash].concat())
|
2023-04-14 18:11:19 +00:00
|
|
|
}
|
2023-04-24 10:50:40 +00:00
|
|
|
fn block_after_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"block_after", [genesis, hash].concat())
|
2023-04-24 04:53:15 +00:00
|
|
|
}
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
fn unsigned_included_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"unsigned_included", [genesis, hash].concat())
|
|
|
|
}
|
2023-10-13 23:45:47 +00:00
|
|
|
fn provided_included_key(genesis: &[u8], hash: &[u8; 32]) -> Vec<u8> {
|
|
|
|
D::key(b"tributary_blockchain", b"provided_included", [genesis, hash].concat())
|
|
|
|
}
|
2023-04-14 18:11:19 +00:00
|
|
|
fn next_nonce_key(&self, signer: &<Ristretto as Ciphersuite>::G) -> Vec<u8> {
|
|
|
|
D::key(
|
2023-04-14 19:51:43 +00:00
|
|
|
b"tributary_blockchain",
|
2023-04-14 18:11:19 +00:00
|
|
|
b"next_nonce",
|
|
|
|
[self.genesis.as_ref(), signer.to_bytes().as_ref()].concat(),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn new(
|
|
|
|
db: D,
|
|
|
|
genesis: [u8; 32],
|
|
|
|
participants: &[<Ristretto as Ciphersuite>::G],
|
|
|
|
) -> Self {
|
2023-04-12 16:42:23 +00:00
|
|
|
let mut next_nonces = HashMap::new();
|
|
|
|
for participant in participants {
|
|
|
|
next_nonces.insert(*participant, 0);
|
|
|
|
}
|
2023-04-13 13:47:14 +00:00
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
let mut res = Self {
|
2023-04-14 19:03:01 +00:00
|
|
|
db: Some(db.clone()),
|
2023-04-13 13:47:14 +00:00
|
|
|
genesis,
|
|
|
|
|
2023-04-13 22:43:03 +00:00
|
|
|
block_number: 0,
|
2023-04-13 13:47:14 +00:00
|
|
|
tip: genesis,
|
|
|
|
next_nonces,
|
|
|
|
|
2023-04-14 19:51:43 +00:00
|
|
|
provided: ProvidedTransactions::new(db.clone(), genesis),
|
|
|
|
mempool: Mempool::new(db, genesis),
|
2023-09-26 03:11:36 +00:00
|
|
|
|
|
|
|
next_block_notifications: VecDeque::new(),
|
2023-04-14 18:11:19 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
if let Some((block_number, tip)) = {
|
|
|
|
let db = res.db.as_ref().unwrap();
|
2023-09-25 21:15:36 +00:00
|
|
|
db.get(res.block_number_key()).map(|number| (number, db.get(Self::tip_key(genesis)).unwrap()))
|
2023-04-14 18:11:19 +00:00
|
|
|
} {
|
|
|
|
res.block_number = u32::from_le_bytes(block_number.try_into().unwrap());
|
|
|
|
res.tip.copy_from_slice(&tip);
|
2023-04-13 13:47:14 +00:00
|
|
|
}
|
2023-04-14 18:11:19 +00:00
|
|
|
|
|
|
|
for participant in participants {
|
|
|
|
if let Some(next_nonce) = res.db.as_ref().unwrap().get(res.next_nonce_key(participant)) {
|
|
|
|
res.next_nonces.insert(*participant, u32::from_le_bytes(next_nonce.try_into().unwrap()));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
res
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
|
2023-04-14 00:35:55 +00:00
|
|
|
pub(crate) fn tip(&self) -> [u8; 32] {
|
2023-04-12 15:13:48 +00:00
|
|
|
self.tip
|
|
|
|
}
|
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
pub(crate) fn block_number(&self) -> u32 {
|
2023-04-13 22:43:03 +00:00
|
|
|
self.block_number
|
|
|
|
}
|
|
|
|
|
2023-04-24 10:50:40 +00:00
|
|
|
pub(crate) fn block_from_db(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<Block<T>> {
|
|
|
|
db.get(Self::block_key(&genesis, block))
|
2023-04-15 04:41:48 +00:00
|
|
|
.map(|bytes| Block::<T>::read::<&[u8]>(&mut bytes.as_ref()).unwrap())
|
|
|
|
}
|
|
|
|
|
2023-04-24 10:50:40 +00:00
|
|
|
pub(crate) fn commit_from_db(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<Vec<u8>> {
|
|
|
|
db.get(Self::commit_key(&genesis, block))
|
2023-04-24 03:37:40 +00:00
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn block_hash_from_db(db: &D, genesis: [u8; 32], block: u32) -> Option<[u8; 32]> {
|
|
|
|
db.get(Self::block_hash_key(&genesis, block)).map(|h| h.try_into().unwrap())
|
|
|
|
}
|
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
pub(crate) fn commit(&self, block: &[u8; 32]) -> Option<Vec<u8>> {
|
2023-04-24 10:50:40 +00:00
|
|
|
Self::commit_from_db(self.db.as_ref().unwrap(), self.genesis, block)
|
2023-04-14 18:11:19 +00:00
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn block_hash(&self, block: u32) -> Option<[u8; 32]> {
|
|
|
|
Self::block_hash_from_db(self.db.as_ref().unwrap(), self.genesis, block)
|
|
|
|
}
|
|
|
|
|
|
|
|
pub(crate) fn commit_by_block_number(&self, block: u32) -> Option<Vec<u8>> {
|
|
|
|
self.commit(&self.block_hash(block)?)
|
|
|
|
}
|
|
|
|
|
2023-04-24 10:50:40 +00:00
|
|
|
pub(crate) fn block_after(db: &D, genesis: [u8; 32], block: &[u8; 32]) -> Option<[u8; 32]> {
|
|
|
|
db.get(Self::block_after_key(&genesis, block)).map(|bytes| bytes.try_into().unwrap())
|
2023-04-24 04:53:15 +00:00
|
|
|
}
|
|
|
|
|
2023-10-13 23:45:47 +00:00
|
|
|
pub(crate) fn locally_provided_txs_in_block(
|
|
|
|
db: &D,
|
|
|
|
genesis: &[u8; 32],
|
|
|
|
block: &[u8; 32],
|
|
|
|
order: &str,
|
|
|
|
) -> bool {
|
|
|
|
let local_key = ProvidedTransactions::<D, T>::locally_provided_quantity_key(genesis, order);
|
|
|
|
let local =
|
|
|
|
db.get(local_key).map(|bytes| u32::from_le_bytes(bytes.try_into().unwrap())).unwrap_or(0);
|
|
|
|
let block_key =
|
|
|
|
ProvidedTransactions::<D, T>::block_provided_quantity_key(genesis, block, order);
|
|
|
|
let block =
|
|
|
|
db.get(block_key).map(|bytes| u32::from_le_bytes(bytes.try_into().unwrap())).unwrap_or(0);
|
|
|
|
|
|
|
|
local >= block
|
|
|
|
}
|
|
|
|
|
2023-09-25 21:15:36 +00:00
|
|
|
pub(crate) fn tip_from_db(db: &D, genesis: [u8; 32]) -> [u8; 32] {
|
|
|
|
db.get(Self::tip_key(genesis)).map(|bytes| bytes.try_into().unwrap()).unwrap_or(genesis)
|
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn add_transaction<N: Network>(
|
|
|
|
&mut self,
|
|
|
|
internal: bool,
|
|
|
|
tx: Transaction<T>,
|
|
|
|
schema: N::SignatureScheme,
|
2023-10-15 01:50:11 +00:00
|
|
|
) -> Result<bool, TransactionError> {
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
let db = self.db.as_ref().unwrap();
|
|
|
|
let genesis = self.genesis;
|
|
|
|
|
|
|
|
let commit = |block: u32| -> Option<Commit<N::SignatureScheme>> {
|
|
|
|
let hash = Self::block_hash_from_db(db, genesis, block)?;
|
|
|
|
// we must have a commit per valid hash
|
|
|
|
let commit = Self::commit_from_db(db, genesis, &hash).unwrap();
|
|
|
|
// commit has to be valid if it is coming from our db
|
|
|
|
Some(Commit::<N::SignatureScheme>::decode(&mut commit.as_ref()).unwrap())
|
|
|
|
};
|
|
|
|
|
|
|
|
let unsigned_in_chain =
|
|
|
|
|hash: [u8; 32]| db.get(Self::unsigned_included_key(&self.genesis, &hash)).is_some();
|
|
|
|
self.mempool.add::<N>(&self.next_nonces, internal, tx, schema, unsigned_in_chain, commit)
|
2023-04-13 13:47:14 +00:00
|
|
|
}
|
|
|
|
|
2023-04-14 19:03:01 +00:00
|
|
|
pub(crate) fn provide_transaction(&mut self, tx: T) -> Result<(), ProvidedError> {
|
|
|
|
self.provided.provide(tx)
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
|
2023-04-14 00:35:55 +00:00
|
|
|
/// Returns the next nonce for signing, or None if they aren't a participant.
|
|
|
|
pub(crate) fn next_nonce(&self, key: <Ristretto as Ciphersuite>::G) -> Option<u32> {
|
|
|
|
Some(self.next_nonces.get(&key).cloned()?.max(self.mempool.next_nonce(&key).unwrap_or(0)))
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn build_block<N: Network>(&mut self, schema: N::SignatureScheme) -> Block<T> {
|
|
|
|
let db = self.db.as_ref().unwrap();
|
|
|
|
let unsigned_in_chain =
|
|
|
|
|hash: [u8; 32]| db.get(Self::unsigned_included_key(&self.genesis, &hash)).is_some();
|
|
|
|
|
2023-04-14 00:35:55 +00:00
|
|
|
let block = Block::new(
|
|
|
|
self.tip,
|
2023-04-20 11:30:49 +00:00
|
|
|
self.provided.transactions.values().flatten().cloned().collect(),
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
self.mempool.block(&self.next_nonces, unsigned_in_chain),
|
2023-04-14 00:35:55 +00:00
|
|
|
);
|
2023-04-12 15:13:48 +00:00
|
|
|
// build_block should not return invalid blocks
|
2023-10-13 23:45:47 +00:00
|
|
|
self.verify_block::<N>(&block, schema, false).unwrap();
|
2023-04-12 15:13:48 +00:00
|
|
|
block
|
|
|
|
}
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn verify_block<N: Network>(
|
|
|
|
&self,
|
|
|
|
block: &Block<T>,
|
|
|
|
schema: N::SignatureScheme,
|
2023-10-13 23:45:47 +00:00
|
|
|
allow_non_local_provided: bool,
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
) -> Result<(), BlockError> {
|
|
|
|
let db = self.db.as_ref().unwrap();
|
|
|
|
let unsigned_in_chain =
|
|
|
|
|hash: [u8; 32]| db.get(Self::unsigned_included_key(&self.genesis, &hash)).is_some();
|
2023-10-13 23:45:47 +00:00
|
|
|
let provided_in_chain =
|
|
|
|
|hash: [u8; 32]| db.get(Self::provided_included_key(&self.genesis, &hash)).is_some();
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
let commit = |block: u32| -> Option<Commit<N::SignatureScheme>> {
|
|
|
|
let commit = self.commit_by_block_number(block)?;
|
|
|
|
// commit has to be valid if it is coming from our db
|
|
|
|
Some(Commit::<N::SignatureScheme>::decode(&mut commit.as_ref()).unwrap())
|
|
|
|
};
|
|
|
|
block.verify::<N>(
|
2023-04-14 00:35:55 +00:00
|
|
|
self.genesis,
|
|
|
|
self.tip,
|
2023-04-20 11:30:49 +00:00
|
|
|
self.provided.transactions.clone(),
|
2023-04-14 00:35:55 +00:00
|
|
|
self.next_nonces.clone(),
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
schema,
|
|
|
|
&commit,
|
|
|
|
unsigned_in_chain,
|
2023-10-13 23:45:47 +00:00
|
|
|
provided_in_chain,
|
|
|
|
allow_non_local_provided,
|
2023-04-14 00:35:55 +00:00
|
|
|
)
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
|
2023-04-12 20:18:42 +00:00
|
|
|
/// Add a block.
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
pub(crate) fn add_block<N: Network>(
|
|
|
|
&mut self,
|
|
|
|
block: &Block<T>,
|
|
|
|
commit: Vec<u8>,
|
|
|
|
schema: N::SignatureScheme,
|
|
|
|
) -> Result<(), BlockError> {
|
2023-10-13 23:45:47 +00:00
|
|
|
self.verify_block::<N>(block, schema, true)?;
|
2023-04-12 20:18:42 +00:00
|
|
|
|
2023-08-13 06:21:56 +00:00
|
|
|
log::info!(
|
|
|
|
"adding block {} to tributary {} with {} TXs",
|
|
|
|
hex::encode(block.hash()),
|
|
|
|
hex::encode(self.genesis),
|
|
|
|
block.transactions.len(),
|
|
|
|
);
|
|
|
|
|
2023-04-12 20:18:42 +00:00
|
|
|
// None of the following assertions should be reachable since we verified the block
|
2023-04-14 18:11:19 +00:00
|
|
|
|
|
|
|
// Take it from the Option so Rust doesn't consider self as mutably borrowed thanks to the
|
|
|
|
// existence of the txn
|
|
|
|
let mut db = self.db.take().unwrap();
|
|
|
|
let mut txn = db.txn();
|
|
|
|
|
2023-04-12 15:13:48 +00:00
|
|
|
self.tip = block.hash();
|
2023-09-25 21:15:36 +00:00
|
|
|
txn.put(Self::tip_key(self.genesis), self.tip);
|
2023-04-14 18:11:19 +00:00
|
|
|
|
2023-04-13 22:43:03 +00:00
|
|
|
self.block_number += 1;
|
2023-04-14 18:11:19 +00:00
|
|
|
txn.put(self.block_number_key(), self.block_number.to_le_bytes());
|
|
|
|
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
txn.put(Self::block_hash_key(&self.genesis, self.block_number), self.tip);
|
|
|
|
|
2023-04-24 10:50:40 +00:00
|
|
|
txn.put(Self::block_key(&self.genesis, &self.tip), block.serialize());
|
|
|
|
txn.put(Self::commit_key(&self.genesis, &self.tip), commit);
|
2023-04-14 18:11:19 +00:00
|
|
|
|
2023-04-24 10:50:40 +00:00
|
|
|
txn.put(Self::block_after_key(&self.genesis, &block.parent()), block.hash());
|
2023-04-24 04:53:15 +00:00
|
|
|
|
2023-04-12 15:13:48 +00:00
|
|
|
for tx in &block.transactions {
|
|
|
|
match tx.kind() {
|
2023-04-20 11:30:49 +00:00
|
|
|
TransactionKind::Provided(order) => {
|
2023-10-13 23:45:47 +00:00
|
|
|
let hash = tx.hash();
|
|
|
|
self.provided.complete(&mut txn, order, self.tip, hash);
|
|
|
|
txn.put(Self::provided_included_key(&self.genesis, &hash), []);
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
Slash malevolent validators (#294)
* add slash tx
* ignore unsigned tx replays
* verify that provided evidence is valid
* fix clippy + fmt
* move application tx handling to another module
* partially handle the tendermint txs
* fix pr comments
* support unsigned app txs
* add slash target to the votes
* enforce provided, unsigned, signed tx ordering within a block
* bug fixes
* add unit test for tendermint txs
* bug fixes
* update tests for tendermint txs
* add tx ordering test
* tidy up tx ordering test
* cargo +nightly fmt
* Misc fixes from rebasing
* Finish resolving clippy
* Remove sha3 from tendermint-machine
* Resolve a DoS in SlashEvidence's read
Also moves Evidence from Vec<Message> to (Message, Option<Message>). That
should meet all requirements while being a bit safer.
* Make lazy_static a dev-depend for tributary
* Various small tweaks
One use of sort was inefficient, sorting unsigned || signed when unsigned was
already properly sorted. Given how the unsigned TXs were given a nonce of 0, an
unstable sort may swap places with an unsigned TX and a signed TX with a nonce
of 0 (leading to a faulty block).
The extra protection added here sorts signed, then concats.
* Fix Tributary tests I broke, start review on tendermint/tx.rs
* Finish reviewing everything outside tests and empty_signature
* Remove empty_signature
empty_signature led to corrupted local state histories. Unfortunately, the API
is only sane with a signature.
We now use the actual signature, which risks creating a signature over a
malicious message if we have ever have an invariant producing malicious
messages. Prior, we only signed the message after the local machine confirmed
it was okay per the local view of consensus.
This is tolerated/preferred over a corrupt state history since production of
such messages is already an invariant. TODOs are added to make handling of this
theoretical invariant further robust.
* Remove async_sequential for tokio::test
There was no competition for resources forcing them to be run sequentially.
* Modify block order test to be statistically significant without multiple runs
* Clean tests
---------
Co-authored-by: Luke Parker <lukeparker5132@gmail.com>
2023-08-21 04:28:23 +00:00
|
|
|
TransactionKind::Unsigned => {
|
|
|
|
let hash = tx.hash();
|
|
|
|
// Save as included on chain
|
|
|
|
txn.put(Self::unsigned_included_key(&self.genesis, &hash), []);
|
|
|
|
// remove from the mempool
|
|
|
|
self.mempool.remove(&hash);
|
|
|
|
}
|
2023-04-12 15:13:48 +00:00
|
|
|
TransactionKind::Signed(Signed { signer, nonce, .. }) => {
|
2023-04-14 18:11:19 +00:00
|
|
|
let next_nonce = nonce + 1;
|
2023-04-12 16:42:23 +00:00
|
|
|
let prev = self
|
|
|
|
.next_nonces
|
2023-04-14 18:11:19 +00:00
|
|
|
.insert(*signer, next_nonce)
|
2023-04-12 16:42:23 +00:00
|
|
|
.expect("block had signed transaction from non-participant");
|
|
|
|
if prev != *nonce {
|
2023-04-12 20:18:42 +00:00
|
|
|
panic!("verified block had an invalid nonce");
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
2023-04-14 00:35:55 +00:00
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
txn.put(self.next_nonce_key(signer), next_nonce.to_le_bytes());
|
|
|
|
|
2023-04-14 00:35:55 +00:00
|
|
|
self.mempool.remove(&tx.hash());
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2023-04-12 20:18:42 +00:00
|
|
|
|
2023-04-14 18:11:19 +00:00
|
|
|
txn.commit();
|
|
|
|
self.db = Some(db);
|
|
|
|
|
2023-09-26 03:11:36 +00:00
|
|
|
for tx in self.next_block_notifications.drain(..) {
|
|
|
|
let _ = tx.send(());
|
|
|
|
}
|
|
|
|
|
2023-04-12 22:04:28 +00:00
|
|
|
Ok(())
|
2023-04-12 15:13:48 +00:00
|
|
|
}
|
|
|
|
}
|