Skip to content
This repository has been archived by the owner on Jan 13, 2025. It is now read-only.

Check transaction signatures in entry verify #8596

Merged
merged 1 commit into from
Mar 4, 2020
Merged

Check transaction signatures in entry verify #8596

merged 1 commit into from
Mar 4, 2020

Conversation

sakridge
Copy link
Contributor

@sakridge sakridge commented Mar 3, 2020

Problem

Transaction signatures not verified.

Summary of Changes

Verify them in entry verification.

Fixes #8593

@sakridge sakridge added the work in progress This isn't quite right yet label Mar 3, 2020
@codecov
Copy link

codecov bot commented Mar 3, 2020
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@4f05f08). Click here to learn what that means.
The diff coverage is 97.5%.

@@           Coverage Diff            @@
##             master   #8596   +/-   ##
========================================
  Coverage          ?     80%           
========================================
  Files             ?     256           
  Lines             ?   55768           
  Branches          ?       0           
========================================
  Hits              ?   44651           
  Misses            ?   11117           
  Partials          ?       0

@sakridge sakridge removed the work in progress This isn't quite right yet label Mar 3, 2020
@garious
Copy link
Contributor

garious commented Mar 3, 2020

That's a PoH Verify function. I would have expected it added in the TVU somewhere OR see SigVerifyStage moved to some shared location. Also, surprised to see CPU-based signature verification here. But given the central location, does this indicate that ledger-tool was skipping the verification as well?

I think it'd be best to address the architectural diagrams first on this one:

https://github.com/solana-labs/solana/blob/master/docs/art/validator.bob
https://github.com/solana-labs/solana/blob/master/docs/art/tpu.bob
https://github.com/solana-labs/solana/blob/master/docs/art/tvu.bob

@mvines
Copy link
Contributor

mvines commented Mar 3, 2020

does this indicate that ledger-tool was skipping the verification as well?

Yes, ledger-tool verify was not verifying the transaction signatures themselves. Arguably because by transactions should be all good by the time they hit blockstore, but yeah

@mvines mvines added the v1.0 label Mar 3, 2020
@sakridge
Copy link
Contributor Author

sakridge commented Mar 3, 2020

That's a PoH Verify function.

It was, now it's poh verify & transaction signature verify. There's nothing that says poh_verify that I noticed.

I would have expected it added in the TVU somewhere OR see SigVerifyStage moved to some
shared location. Also, surprised to see CPU-based signature verification here.

We can do it in a follow-up change, but this is the easiest/most straightforward way to add it. I did some perf sanity checks, we are still above 50k tps cpu-only on colo.

But given the central location, does this indicate that ledger-tool was skipping the verification as well?

Yes. This also solves this problem.

aeyakovenko
aeyakovenko previously approved these changes Mar 3, 2020
View reviewed changes
@garious
Copy link
Contributor

garious commented Mar 4, 2020

This is an architecture bug more than it is an implementation bug. I don't think we should merge this until a change to architecture documents is approved. Zooming way, way in, all the way to function level (which is already too far), this patch makes the architectural decision to do signature verification before PoH verification. That alone looks like an attack vector (malicious leader randomly resembles transactions and floods the validators). At the very least, the code in this patch should be in a separate function, so that it's clear one form of verification is happening before the other.

@sakridge
Copy link
Contributor Author

sakridge commented Mar 4, 2020

That alone looks like an attack vector (malicious leader randomly resembles transactions and floods the validators)

Why couldn't/wouldn't the malicious leader assemble those transaction to just pass poh verify? It just needs to do some hashing.

@garious
Copy link
Contributor

garious commented Mar 4, 2020

The intent of my comment wasn't to debate an attack vector. It was to give a concrete example of how this innocent looking PR may have significant implications, and how a PR to an architectural document would be a better venue for that discussion.

@mergify mergify bot dismissed aeyakovenko’s stale review March 4, 2020 02:25

Pull request has been modified.

garious
garious approved these changes Mar 4, 2020
View reviewed changes
Copy link
Contributor

@garious garious left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. While I would have rather discussed the change at the architectural level, this patch and tests are now so clear that anyone should easily be able to move it elsewhere, if needed.

@sakridge sakridge merged commit b68b74a into solana-labs:master Mar 4, 2020
@sakridge sakridge deleted the verify-tx-sigs branch March 4, 2020 04:49
mergify bot pushed a commit that referenced this pull request Mar 4, 2020
@sakridge
Check transaction signatures in entry verify (#8596)
0cfcdf7 
(cherry picked from commit b68b74a)
solana-grimes pushed a commit that referenced this pull request Mar 4, 2020
@mergify
Check transaction signatures in entry verify (#8596) (#8614)
74ae40b 
automerge
@ryoqun ryoqun mentioned this pull request May 13, 2022
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@garious garious garious approved these changes

@aeyakovenko aeyakovenko aeyakovenko left review comments

@mvines mvines Awaiting requested review from mvines

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TVU does not verify transaction signatures
4 participants
@sakridge @garious @mvines @aeyakovenko