Line data Source code
1 : #include "fd_keyguard.h"
2 : #include "../../ballet/shred/fd_shred.h"
3 : #include "../../ballet/txn/fd_compact_u16.h"
4 :
5 : /* fd_keyguard_match fingerprints signing requests and checks them for
6 : ambiguity.
7 :
8 : Supported message types are as follows:
9 :
10 : - Legacy transaction messages
11 : - Version 0 transaction messages
12 : - Legacy shred signed payloads
13 : - Merkle shred roots
14 : - TLS CertificateVerify challenges
15 : - Gossip message signed payloads (CrdsData)
16 :
17 : ### Fake Signing Attacks
18 :
19 : The main goal of fd_keyguard_match is to defeat "fake signing"
20 : attacks. These are attacks in which the keyguard signs a request for
21 : which the client is not authorized. Such attacks use a combination
22 : of vulnerabilities: Key reuse, and type confusion.
23 :
24 : Key reuse is particularly prevalent with the validator identity key,
25 : the hot Ed25519 key that a validator uses in almost all protocols
26 : that it actively participates in.
27 :
28 : Type confusion occurs when the message payload being signed can be
29 : interpreted as multiple different message types. Usually, this is
30 : categorically prevented by using "signing domains".
31 :
32 : Such attacks are particularly dangerous to validators because their
33 : validator identity key holds an amount of native tokens to
34 : participate in Tower BFT voting. In the worst case, an attacker
35 : could trick a validator into signing an innocuous message (e.g. a
36 : gossip message) that can also be interpreted as a transaction
37 : withdrawing these tokens.
38 :
39 : ### Code Verification
40 :
41 : The safety of this module can be verified using a number of CBMC
42 : proofs composed via deductive reasoning.
43 :
44 : - fd_txn_minsz_proof verifies the constant FD_TXN_MIN_SERIALIZED_SZ.
45 : - fd_txn_ambiguity_gossip_proof verifies that gossip messages cannot
46 : be parsed as transactions.
47 : - fd_keyguard_match_txn_harness verifies that the txn fingerprinting
48 : logic is free of false negatives.
49 : - fd_keyguard_ambiguity_proof verifies that any input up to 2048 byte
50 : size are unambiguous, i.e. either detected by one or none of the
51 : fingerprinting functions.
52 :
53 : Under the hood, CBMC executes the keyguard logic with all possible
54 : inputs (>=2^16384 unique inputs) via symbolic execution. The CBMC
55 : machine model also verifies that the code is free of common
56 : vulnerability classes (memory unsoundness, undefined behavior, …).
57 :
58 : As a result, we know with a high degree of certainty that type
59 : detection logic is free of false negatives. For example, when
60 : fd_keyguard_match sees a transaction, it will always reliably detect
61 : it as one. (fd_keyguard_match might also wrongly fingerprint
62 : arbitrary other inputs as, e.g. transactions. But this is not a
63 : problem, as strict checks follow later on in fd_keyguard_authorize.)
64 :
65 : ### Deployment Context
66 :
67 : fd_keyguard_match is exposed to untrusted "signing request" inputs
68 : and implements the first line of authorization checks in the
69 : keyguard. It is thus a critical component for securing the identity
70 : key.
71 :
72 : ### Implementation Approach
73 :
74 : This code looks awful and scary, but is carefully crafted to meet the
75 : aforementioned high assurance and formal verification requirements.
76 :
77 : Although parsers for the supported message types are available
78 : elsewhere in the codebase, they were not used here due to their time
79 : complexity exceeding the capabilities of CBMC. The time complexity
80 : of all parsers in this compile unit is O(1), which allowed for
81 : complete CBMC coverage.
82 :
83 : TLDR: The following code implements the least possible logic
84 : required to reliably detect types of identity key signing
85 : payloads without false negatives. */
86 :
87 : FD_FN_PURE static int
88 : fd_keyguard_payload_matches_txn_msg( uchar const * data,
89 : ulong sz,
90 0 : int sign_type ) {
91 :
92 0 : uchar const * end = data + sz;
93 :
94 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
95 :
96 : /* txn_msg_min_sz is the smallest valid size of a transaction msg. A
97 : transaction is the concatenation of (signature count, signatures,
98 : msg). The smallest size of a txn is FD_TXN_MIN_SERIALIZED_SZ
99 : (formally proven with CBMC in fd_txn_minsz_proof.c). We know the
100 : smallest sizes of "signature count" and "signatures", thus we can
101 : derive the smallest size of "msg". */
102 :
103 0 : ulong const txn_msg_min_sz =
104 0 : FD_TXN_MIN_SERIALIZED_SZ
105 0 : - 1UL /* min sz of signature count (compact_u16 encoding) */
106 0 : - 64UL; /* min sz of signature list (array of Ed25519 sigs) */
107 0 : if( sz<txn_msg_min_sz ) return 0;
108 :
109 : /* Message type check.
110 :
111 : Bit patterns of first bytes are as follows
112 :
113 : - 0aaaaaaa bbbbbbbb cccccccc (Legacy txns)
114 : - 10000000 aaaaaaaa bbbbbbbb cccccccc (v0 txns)
115 :
116 : Where 'a' are the bits that make up the 'required signature count'
117 : ... 'b' .... 'readonly signed count'
118 : ... 'c' .... 'readonly unsigned count' */
119 :
120 0 : uchar const * cursor = data;
121 0 : uint header_b0 = *cursor;
122 0 : cursor++;
123 0 : uint sig_cnt; /* sig count (ignoring compact_u16 encoding) */
124 0 : if( header_b0 & 0x80UL ) {
125 : /* Versioned message, only v0 recognized so far */
126 0 : if( (header_b0&0x7F)!=FD_TXN_V0 ) return 0;
127 0 : sig_cnt = *cursor;
128 0 : cursor++;
129 0 : } else {
130 : /* Legacy message */
131 0 : sig_cnt = header_b0;
132 0 : }
133 :
134 : /* There must be at least one signature. */
135 0 : if( sig_cnt==0U ) return 0;
136 :
137 : /* Check if signatures exceed txn size limit */
138 0 : ulong sig_sz;
139 0 : if( __builtin_umull_overflow( sig_cnt, 64UL, &sig_sz ) ) return 0;
140 0 : if( sig_sz > (FD_TXN_MTU-txn_msg_min_sz) ) return 0;
141 :
142 : /* Skip other fields */
143 : //uint ro_signed_cnt = *cursor;
144 0 : cursor++;
145 : //uint ro_unsigned_cnt = *cursor;
146 0 : cursor++;
147 :
148 0 : if( cursor + 3 > end ) return 0;
149 0 : ulong addr_cnt_sz = fd_cu16_dec_sz( cursor, 3UL );
150 0 : if( !addr_cnt_sz ) return 0;
151 0 : ulong addr_cnt = fd_cu16_dec_fixed( cursor, addr_cnt_sz );
152 0 : cursor += addr_cnt_sz;
153 :
154 0 : if( sig_cnt>addr_cnt ) return 0;
155 :
156 0 : return 1;
157 0 : }
158 :
159 : FD_FN_PURE static int
160 : fd_keyguard_payload_matches_ping_msg( uchar const * data,
161 : ulong sz,
162 0 : int sign_type ) {
163 0 : return sign_type==FD_KEYGUARD_SIGN_TYPE_ED25519 &&
164 0 : sz==32UL &&
165 0 : (memcmp( data, "SOLANA_PING_PONG", 16UL ) == 0);
166 0 : }
167 :
168 : FD_FN_PURE static int
169 : fd_keyguard_payload_matches_pong_msg( uchar const * data,
170 : ulong sz,
171 0 : int sign_type ) {
172 0 : return sign_type==FD_KEYGUARD_SIGN_TYPE_SHA256_ED25519 &&
173 0 : sz==48UL &&
174 0 : (memcmp( data, "SOLANA_PING_PONG", 16UL ) == 0);
175 0 : }
176 :
177 : FD_FN_PURE static int
178 : fd_keyguard_payload_matches_prune_data( uchar const * data,
179 : ulong sz,
180 0 : int sign_type ) {
181 :
182 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
183 :
184 0 : ulong const static_sz = 80UL;
185 0 : if( sz < static_sz ) return 0;
186 :
187 0 : ulong prune_cnt = FD_LOAD( ulong, data+32UL );
188 0 : ulong expected_sz;
189 0 : if( __builtin_umull_overflow( prune_cnt, 32UL, &expected_sz ) ) return 0;
190 0 : if( __builtin_uaddl_overflow( expected_sz, static_sz, &expected_sz ) ) return 0;
191 0 : if( sz != expected_sz ) return 0;
192 :
193 0 : return 1;
194 0 : }
195 :
196 : FD_FN_PURE static int
197 : fd_keyguard_payload_matches_gossip( uchar const * data,
198 : ulong sz,
199 0 : int sign_type ) {
200 :
201 : /* All gossip messages except pings use raw signing */
202 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
203 :
204 : /* Every gossip message contains a 4 byte enum variant tag (at the
205 : beginning of the message) and a 32 byte public key (at an arbitrary
206 : location). */
207 0 : if( sz<36UL ) return 0;
208 :
209 : /* There probably won't ever be more than 32 different gossip message
210 : types. */
211 0 : if( (data[0] <0x20)
212 0 : & (data[1]==0x00)
213 0 : & (data[2]==0x00)
214 0 : & (data[3]==0x00) )
215 0 : return 1;
216 :
217 0 : return 0;
218 0 : }
219 :
220 : FD_FN_PURE static int
221 : fd_keyguard_payload_matches_repair( uchar const * data,
222 : ulong sz,
223 0 : int sign_type ) {
224 :
225 : /* All repair messages except pings use raw signing */
226 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
227 :
228 : /* Every repair message contains a 4 byte enum variant tag (at the
229 : beginning of the message) and a 32 byte public key (at an arbitrary
230 : location). */
231 0 : if( sz<36UL ) return 0;
232 :
233 : /* There probably won't ever be more than 32 different repair message
234 : types. */
235 0 : if( (data[0] <0x20)
236 0 : & (data[1]==0x00)
237 0 : & (data[2]==0x00)
238 0 : & (data[3]==0x00) )
239 0 : return 1;
240 :
241 0 : return 0;
242 0 : }
243 :
244 : FD_FN_PURE int
245 : fd_keyguard_payload_matches_shred( uchar const * data,
246 : ulong sz,
247 0 : int sign_type ) {
248 0 : (void)data;
249 :
250 : /* Note: Legacy shreds no longer relevant (drop_legacy_shreds) */
251 :
252 : /* FIXME: Sign Merkle shreds using SIGN_TYPE_SHA256_ED25519 (!!!) */
253 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
254 0 : if( sz != 32 ) return 0;
255 :
256 0 : return 1;
257 0 : }
258 :
259 : FD_FN_PURE int
260 : fd_keyguard_payload_matches_tls_cv( uchar const * data,
261 : ulong sz,
262 0 : int sign_type ) {
263 :
264 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_ED25519 ) return 0;
265 :
266 : /* TLS CertificateVerify signing payload one of 3 sizes
267 : depending on hash function chosen */
268 0 : switch( sz ) {
269 0 : case 130UL: break; /* Prefix + 32 byte hash */
270 0 : case 146UL: break; /* Prefix + 48 byte hash */
271 0 : case 162UL: break; /* Prefix + 64 byte hash */
272 0 : default:
273 0 : return 0;
274 0 : }
275 :
276 : /* Always prefixed with client or server pattern */
277 0 : static char const client_prefix[ 98 ] =
278 0 : " " /* 32 spaces */
279 0 : " " /* 32 spaces */
280 0 : "TLS 1.3, client CertificateVerify";
281 :
282 0 : static char const server_prefix[ 98 ] =
283 0 : " " /* 32 spaces */
284 0 : " " /* 32 spaces */
285 0 : "TLS 1.3, server CertificateVerify";
286 0 : int is_client = 0==memcmp( data, client_prefix, 98UL );
287 0 : int is_server = 0==memcmp( data, server_prefix, 98UL );
288 0 : return (is_client)|(is_server);
289 0 : }
290 :
291 : FD_FN_PURE int
292 : fd_keyguard_payload_matches_bundle( uchar const * data,
293 : ulong sz,
294 0 : int sign_type ) {
295 0 : (void)data;
296 :
297 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_PUBKEY_CONCAT_ED25519 ) return 0;
298 0 : if( sz!=9UL ) return 0;
299 :
300 0 : return 1;
301 0 : }
302 :
303 : FD_FN_PURE int
304 : fd_keyguard_payload_matches_event( uchar const * data,
305 : ulong sz,
306 0 : int sign_type ) {
307 0 : (void)data;
308 :
309 0 : if( sign_type != FD_KEYGUARD_SIGN_TYPE_FD_METRICS_REPORT_CONCAT_ED25519 ) return 0;
310 0 : if( sz!=32UL ) return 0;
311 :
312 0 : return 1;
313 0 : }
314 :
315 : FD_FN_PURE ulong
316 : fd_keyguard_payload_match( uchar const * data,
317 : ulong sz,
318 0 : int sign_type ) {
319 0 : ulong res = 0UL;
320 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_txn_msg ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_TXN, 0 );
321 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_gossip ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_GOSSIP, 0 );
322 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_repair ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_REPAIR, 0 );
323 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_prune_data( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_PRUNE, 0 );
324 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_shred ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_SHRED, 0 );
325 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_tls_cv ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_TLS_CV, 0 );
326 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_ping_msg ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_PING, 0 );
327 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_pong_msg ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_PONG, 0 );
328 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_bundle ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_BUNDLE, 0 );
329 0 : res |= fd_ulong_if( fd_keyguard_payload_matches_event ( data, sz, sign_type ), FD_KEYGUARD_PAYLOAD_EVENT, 0 );
330 0 : return res;
331 0 : }
|
