crypto: Use a different library for ed25519/sr25519 (#6526)
At Oasis we have spent some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems.
Summary of changes:
* curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics.
* curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s).
* (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and/or PublicKey (the expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented.
* curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap.
Side issues fixed:
* The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim.
Open design questions/issues:
* As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface.
* As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward).
* curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
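As an added illustration (not Tendermint's or curve25519-voi's code) of the "trivial thread-safe LRU cache" and its scan-resistance problem mentioned above: a minimal LRU keyed by Ed25519 public key bytes, behind a small `Cache` interface whose method set is an assumption here, plus `ScanEvictsHotSet`, which shows that one pass of never-repeated keys through the cache flushes a hot working set that is in active use. The cached value is only a placeholder, since `crypto/ed25519` exposes no precomputed public-key form to store.

```go
package main

import (
	"container/list"
	"crypto/ed25519"
	"fmt"
	"sync"
)

// Key is an Ed25519 public key used as the cache key (32 bytes, comparable).
type Key [ed25519.PublicKeySize]byte

// Cache is the interface a replacement eviction policy would implement.
// Assumption: this method set is illustrative, not curve25519-voi's.
type Cache interface {
	Get(k Key) (interface{}, bool)
	Put(k Key, v interface{})
	Len() int
}

// LRU is a trivial thread-safe least-recently-used cache: a doubly linked
// list ordered by recency plus a map for O(1) lookup.
type LRU struct {
	mu    sync.Mutex
	cap   int
	ll    *list.List
	items map[Key]*list.Element
}

type entry struct {
	key Key
	val interface{}
}

// NewLRU returns an empty cache holding at most capacity entries.
func NewLRU(capacity int) *LRU {
	return &LRU{cap: capacity, ll: list.New(), items: make(map[Key]*list.Element)}
}

// Get returns the cached value and marks the key as most recently used.
func (c *LRU) Get(k Key) (interface{}, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[k]; ok {
		c.ll.MoveToFront(el)
		return el.Value.(*entry).val, true
	}
	return nil, false
}

// Put inserts or refreshes k, evicting the least recently used entry when full.
func (c *LRU) Put(k Key, v interface{}) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[k]; ok {
		el.Value.(*entry).val = v
		c.ll.MoveToFront(el)
		return
	}
	c.items[k] = c.ll.PushFront(&entry{key: k, val: v})
	if c.ll.Len() > c.cap {
		oldest := c.ll.Back()
		c.ll.Remove(oldest)
		delete(c.items, oldest.Value.(*entry).key)
	}
}

// Len reports the number of cached entries.
func (c *LRU) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.ll.Len()
}

// ScanEvictsHotSet demonstrates the lack of scan resistance: hot keys are
// cached and used repeatedly, then a single pass over capacity distinct,
// never-repeated cold keys is fed through the cache. It returns how many
// hot keys are still cached afterwards (0 for a plain LRU).
func ScanEvictsHotSet(capacity, hot int) int {
	var c Cache = NewLRU(capacity)
	hotKeys := make([]Key, hot)
	for i := range hotKeys {
		hotKeys[i][0], hotKeys[i][1] = byte(i), 0xAA // constructed hot keys
		c.Put(hotKeys[i], i)
	}
	for round := 0; round < 3; round++ { // hot keys are in active use
		for _, k := range hotKeys {
			c.Get(k)
		}
	}
	for i := 0; i < capacity; i++ { // one scan of cold keys
		var k Key
		k[0], k[1], k[2] = byte(i), byte(i>>8), 0xBB // constructed cold keys
		c.Put(k, i)
	}
	survivors := 0
	for _, k := range hotKeys {
		if _, ok := c.Get(k); ok {
			survivors++
		}
	}
	return survivors
}

func main() {
	fmt.Printf("hot keys surviving a scan through a 4096-entry LRU: %d\n", ScanEvictsHotSet(4096, 64))
}
```

The scan pattern matters for a verifier cache because verification traffic from many distinct keys (a burst of transactions from one-off signers) looks exactly like a scan, which is why the cache size and policy are flagged as tuning questions.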
3 years ago
rpc/client/http: Do not drop events even if the `out` channel is full (#6163)
```
// unbuffered
out, err := httpClient.Subscribe(ctx, "event.type=NewTx and account.name=Jack", 0)
// buffered
out, err := httpClient.Subscribe(ctx, "event.type=NewTx AND account.name=Jack", 20)
```
Before: when the `out` channel is buffered and becomes full, we drop an event (+ log the error)
After: when the `out` channel is buffered and becomes full, we block
**Before it was not apparent to the app when an event was dropped (looking at the logs is manual task). After this PR, if the user does not read from `out` on 1 subscription, all other subscriptions will be stuck too.**
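As an added illustration (not the Tendermint client's code) of the trade-off described above, the two send strategies side by side on a toy dispatcher: `publish` with `block=false` is the old drop-on-full behaviour and with `block=true` the new one, and `Scenario` reproduces the caveat in bold, one subscription that never reads stalling delivery to another. Event and subscriber shapes are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Event is a constructed stand-in for a pubsub event.
type Event struct{ Seq int }

// publish delivers ev on out. In drop mode (the pre-#6163 behaviour) a full
// buffer means the event is discarded and false is returned; in block mode
// the send waits until the subscriber makes room.
func publish(out chan<- Event, ev Event, block bool) bool {
	if block {
		out <- ev
		return true
	}
	select {
	case out <- ev:
		return true
	default:
		return false
	}
}

// fanOut pushes n events to every subscriber in turn from one loop, as a
// single event dispatcher would. It returns the drop count per subscriber.
func fanOut(subs []chan Event, n int, block bool) []int {
	dropped := make([]int, len(subs))
	for i := 0; i < n; i++ {
		for s, out := range subs {
			if !publish(out, Event{Seq: i}, block) {
				dropped[s]++
			}
		}
	}
	return dropped
}

// Scenario has two subscriptions: slow (buffer 2, never read from) and fast
// (room for every event). It returns how many events reached fast, how many
// were dropped for slow, and whether the dispatcher finished within timeout.
func Scenario(block bool, n int, timeout time.Duration) (received, dropped int, finished bool) {
	slow := make(chan Event, 2)
	fast := make(chan Event, n)
	result := make(chan []int, 1)
	go func() { result <- fanOut([]chan Event{slow, fast}, n, block) }()
	select {
	case d := <-result:
		return len(fast), d[0], true
	case <-time.After(timeout):
		// Blocking mode: the dispatcher is stuck on slow's third event, so
		// fast is starved too. (The dispatcher goroutine leaks; fine for a demo.)
		return len(fast), 0, false
	}
}

func main() {
	r, d, ok := Scenario(false, 10, time.Second)
	fmt.Printf("drop mode:  fast got %d, slow dropped %d, finished=%v\n", r, d, ok)
	r, d, ok = Scenario(true, 10, 200*time.Millisecond)
	fmt.Printf("block mode: fast got %d, slow dropped %d, finished=%v\n", r, d, ok)
}
```

In drop mode the fast subscriber sees all ten events while the slow one silently loses eight; in block mode the fast subscriber sees only the two events that fit before the slow one's buffer filled, and the dispatcher never returns. An application on the new behaviour therefore has to keep every subscription drained, or size buffers for its worst-case reader.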
Closes #6161
4 years ago
rpc/jsonrpc: Unmarshal RPCRequest correctly (#6191)
i.e. without double pointer. With double pointer, it was possible to
submit `null` value, which will crash the server.
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x189ddc0]
goroutine 1 [running]:
github.com/tendermint/tendermint/rpc/jsonrpc/types.(*RPCRequest).UnmarshalJSON(0xc0000147e0, 0xc00029f201, 0x4, 0x1ff, 0x883baa0, 0xc0000147e0)
/Users/anton/go/src/github.com/tendermint/tendermint/rpc/jsonrpc/types/types.go:70 +0x100
encoding/json.(*decodeState).literalStore(0xc000216bb0, 0xc00029f201, 0x4, 0x1ff, 0x1998800, 0xc0000147e0, 0x199, 0xc000231700, 0x10e0a5e, 0x197)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:860 +0x30ce
encoding/json.(*decodeState).value(0xc000216bb0, 0x1998800, 0xc0000147e0, 0x199, 0x1998800, 0xc0000147e0)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:384 +0x40c
encoding/json.(*decodeState).array(0xc000216bb0, 0x18df040, 0xc0001be540, 0x16, 0xc000216bd8, 0x10e405b)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:558 +0x365
encoding/json.(*decodeState).value(0xc000216bb0, 0x18df040, 0xc0001be540, 0x16, 0x16, 0x6e)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:360 +0x22f
encoding/json.(*decodeState).unmarshal(0xc000216bb0, 0x18df040, 0xc0001be540, 0xc000216bd8, 0x0)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:180 +0x2c9
encoding/json.Unmarshal(0xc00029f200, 0x6, 0x200, 0x18df040, 0xc0001be540, 0x0, 0x0)
/usr/local/Cellar/go/1.16/libexec/src/encoding/json/decode.go:107 +0x15d
```
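An added example, using a hypothetical request type rather than Tendermint's `RPCRequest`, of how a custom `UnmarshalJSON` ends up on a stack like the one above: `encoding/json` invokes Unmarshalers for a JSON `null` as well, so a method that decodes into pointer fields and dereferences them panics on a `[null]` batch. `safeRequest` treats null as a no-op, as the `encoding/json` documentation recommends for Unmarshalers, and reports missing fields as an error instead of assuming they are present. The `wire` struct and field names are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// request is a hypothetical JSON-RPC request, not Tendermint's RPCRequest.
type request struct {
	ID     int
	Method string
	Params json.RawMessage
}

// wire is the shape decoded before validation; pointer fields distinguish
// "absent" from "present".
type wire struct {
	ID     *int            `json:"id"`
	Method *string         `json:"method"`
	Params json.RawMessage `json:"params"`
}

// unsafeRequest shows the crashing pattern: UnmarshalJSON is invoked for a
// JSON null, the inner decode leaves every pointer nil, and the method
// dereferences them anyway.
type unsafeRequest request

func (r *unsafeRequest) UnmarshalJSON(data []byte) error {
	var w wire
	if err := json.Unmarshal(data, &w); err != nil {
		return err
	}
	r.ID = *w.ID // nil pointer dereference when data is `null`
	r.Method = *w.Method
	r.Params = w.Params
	return nil
}

// safeRequest handles null as a no-op and validates required fields.
type safeRequest request

func (r *safeRequest) UnmarshalJSON(data []byte) error {
	if string(data) == "null" {
		return nil
	}
	var w wire
	if err := json.Unmarshal(data, &w); err != nil {
		return err
	}
	if w.ID == nil || w.Method == nil {
		return errors.New("request: id and method are required")
	}
	r.ID, r.Method, r.Params = *w.ID, *w.Method, w.Params
	return nil
}

// DecodeBatch parses a JSON-RPC batch with the hardened type; it never
// panics on input such as `[null]`.
func DecodeBatch(data []byte) ([]safeRequest, error) {
	var reqs []safeRequest
	if err := json.Unmarshal(data, &reqs); err != nil {
		return nil, err
	}
	return reqs, nil
}

// DecodeUnsafe decodes with the crashing type and reports whether it panicked,
// so the failure can be observed without taking the process down.
func DecodeUnsafe(data []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	var reqs []unsafeRequest
	_ = json.Unmarshal(data, &reqs)
	return false
}

func main() {
	fmt.Println("unsafe type panics on [null]:", DecodeUnsafe([]byte("[null]")))
	reqs, err := DecodeBatch([]byte(`[null, {"id": 1, "method": "status", "params": []}]`))
	fmt.Println("safe type decoded", len(reqs), "entries, err:", err)
}
```

A caller of the safe type still has to decide what a null entry in a batch means (here it decodes to a zero-value request, which the required-field check did not see because the null path returns early), so a handler should reject zero IDs or empty methods before dispatching.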
4 years ago
- # Unreleased Changes
-
- ## vX.X
-
- Special thanks to external contributors on this release:
-
- Friendly reminder: We have a [bug bounty program](https://hackerone.com/tendermint).
-
- ### BREAKING CHANGES
-
- - CLI/RPC/Config
- - [pubsub/events] \#6634 The `ResultEvent.Events` field is now of type `[]abci.Event` preserving event order instead of `map[string][]string`. (@alexanderbez)
- - [config] \#5598 The `test_fuzz` and `test_fuzz_config` P2P settings have been removed. (@erikgrinaker)
- - [config] \#5728 `fast_sync = "v1"` is no longer supported (@melekes)
- - [cli] \#5772 `gen_node_key` prints JSON-encoded `NodeKey` rather than ID and does not save it to `node_key.json` (@melekes)
- - [cli] \#5777 use hyphen-case instead of snake_case for all cli commands and config parameters (@cmwaters)
- - [rpc] \#6019 standardise RPC errors and return the correct status code (@bipulprasad & @cmwaters)
- - [rpc] \#6168 Change default sorting to desc for `/tx_search` results (@melekes)
- - [cli] \#6282 User must specify the node mode when using `tendermint init` (@cmwaters)
- - [state/indexer] \#6382 reconstruct indexer, move txindex into the indexer package (@JayT106)
- - [cli] \#6372 Introduce `BootstrapPeers` as part of the new p2p stack. Peers to be connected on startup (@cmwaters)
- - [config] \#6462 Move `PrivValidator` configuration out of `BaseConfig` into its own section. (@tychoish)
- - [rpc] \#6610 Add MaxPeerBlockHeight into /status rpc call (@JayT106)
- - [fastsync/rpc] \#6620 Add TotalSyncedTime & RemainingTime to SyncInfo in /status RPC (@JayT106)
- - [rpc/grpc] \#6725 Mark gRPC in the RPC layer as deprecated.
- - [blockchain/v2] \#6730 Fast Sync v2 is deprecated, please use v0
- - [rpc] Add genesis_chunked method to support paginated and parallel fetching of large genesis documents.
- - [rpc/jsonrpc/server] \#6785 `Listen` function updated to take an `int` argument, `maxOpenConnections`, instead of an entire config object. (@williambanfield)
- - [rpc] \#6820 Update RPC methods to reflect changes in the p2p layer, disabling support for `UnsafeDialPeers` and `UnsafeDialPeers` when used with the new p2p layer, and changing the response format of the peer list in `NetInfo` for all users.
- - [cli] \#6854 Remove deprecated snake case commands. (@tychoish)
- - Apps
- - [ABCI] \#6408 Change the `key` and `value` fields from `[]byte` to `string` in the `EventAttribute` type. (@alexanderbez)
- - [ABCI] \#5447 Remove `SetOption` method from `ABCI.Client` interface
- - [ABCI] \#5447 Reset `Oneof` indexes for `Request` and `Response`.
- - [ABCI] \#5818 Use protoio for msg length delimitation. Migrates from int64 to uint64 length delimiters.
- - [ABCI] \#3546 Add `mempool_error` field to `ResponseCheckTx`. This field will contain an error string if Tendermint encountered an error while adding a transaction to the mempool. (@williambanfield)
- - [Version] \#6494 `TMCoreSemVer` has been renamed to `TMVersion`.
- - It is not required any longer to set ldflags to set version strings
- - [abci/counter] \#6684 Delete counter example app
-
- - P2P Protocol
-
- - Go API
- - [pubsub] \#6634 The `Query#Matches` method along with other pubsub methods, now accepts a `[]abci.Event` instead of `map[string][]string`. (@alexanderbez)
- - [p2p] \#6618 Move `p2p.NodeInfo` into `types` to support use of the SDK. (@tychoish)
- - [p2p] \#6583 Make `p2p.NodeID` and `p2p.NetAddress` exported types to support their use in the RPC layer. (@tychoish)
- - [node] \#6540 Reduce surface area of the `node` package by making most of the implementation details private. (@tychoish)
- - [p2p] \#6547 Move the entire `p2p` package and all reactor implementations into `internal`. (@tychoish)
- - [libs/log] \#6534 Remove the existing custom Tendermint logger backed by go-kit. The logging interface, `Logger`, remains. Tendermint still provides a default logger backed by the performant zerolog logger. (@alexanderbez)
- - [libs/time] \#6495 Move types/time to libs/time to improve consistency. (@tychoish)
- - [mempool] \#6529 The `Context` field has been removed from the `TxInfo` type. `CheckTx` now requires a `Context` argument. (@alexanderbez)
- - [abci/client, proxy] \#5673 `Async` funcs return an error, `Sync` and `Async` funcs accept `context.Context` (@melekes)
- - [p2p] Remove unused function `MakePoWTarget`. (@erikgrinaker)
- - [libs/bits] \#5720 Validate `BitArray` in `FromProto`, which now returns an error (@melekes)
- - [proto/p2p] Rename `DefaultNodeInfo` and `DefaultNodeInfoOther` to `NodeInfo` and `NodeInfoOther` (@erikgrinaker)
- - [proto/p2p] Rename `NodeInfo.default_node_id` to `node_id` (@erikgrinaker)
- - [libs/os] Kill() and {Must,}{Read,Write}File() functions have been removed. (@alessio)
- - [store] \#5848 Remove block store state in favor of using the db iterators directly (@cmwaters)
- - [state] \#5864 Use an iterator when pruning state (@cmwaters)
- - [types] \#6023 Remove `tm2pb.Header`, `tm2pb.BlockID`, `tm2pb.PartSetHeader` and `tm2pb.NewValidatorUpdate`.
- - Each of the above types has a `ToProto` and `FromProto` method or function which replaced this logic.
- - [light] \#6054 Move `MaxRetryAttempt` option from client to provider.
- - `NewWithOptions` now sets the max retry attempts and timeouts (@cmwaters)
- - [all] \#6077 Change spelling from British English to American (@cmwaters)
- - Rename "Subscription.Cancelled()" to "Subscription.Canceled()" in libs/pubsub
- - Rename "behaviour" pkg to "behavior" and internalized it in blockchain v2
- - [rpc/client/http] \#6176 Remove `endpoint` arg from `New`, `NewWithTimeout` and `NewWithClient` (@melekes)
- - [rpc/client/http] \#6176 Unexpose `WSEvents` (@melekes)
- - [rpc/jsonrpc/client/ws_client] \#6176 `NewWS` no longer accepts options (use `NewWSWithOptions` and `OnReconnect` funcs to configure the client) (@melekes)
- - [internal/libs] \#6366 Move `autofile`, `clist`,`fail`,`flowrate`, `protoio`, `sync`, `tempfile`, `test` and `timer` lib packages to an internal folder
- - [libs/rand] \#6364 Remove most of libs/rand in favour of standard lib's `math/rand` (@liamsi)
- - [mempool] \#6466 The original mempool reactor has been versioned as `v0` and moved to a sub-package under the root `mempool` package.
- Some core types have been kept in the `mempool` package such as `TxCache` and it's implementations, the `Mempool` interface itself
- and `TxInfo`. (@alexanderbez)
- - [crypto/sr25519] \#6526 Do not re-execute the Ed25519-style key derivation step when doing signing and verification. The derivation is now done once and only once. This breaks `sr25519.GenPrivKeyFromSecret` output compatibility. (@Yawning)
- - [types] \#6627 Move `NodeKey` to types to make the type public.
- - [config] \#6627 Extend `config` to contain methods `LoadNodeKeyID` and `LoadorGenNodeKeyID`
- - [blocksync] \#6755 Rename `FastSync` and `Blockchain` package to `BlockSync`
- (@cmwaters)
-
- - Blockchain Protocol
-
- - Data Storage
- - [store/state/evidence/light] \#5771 Use an order-preserving varint key encoding (@cmwaters)
- - [mempool] \#6396 Remove mempool's write ahead log (WAL), (previously unused by the tendermint code). (@tychoish)
- - [state] \#6541 Move pruneBlocks from consensus/state to state/execution. (@JayT106)
-
- - Tooling
- - [tools] \#6498 Set OS home dir to instead of the hardcoded PATH. (@JayT106)
- - [cli/indexer] \#6676 Reindex events command line tooling. (@JayT106)
-
- ### FEATURES
-
- - [config] Add `--mode` flag and config variable. See [ADR-52](https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-052-tendermint-mode.md) @dongsam
- - [rpc] \#6329 Don't cap page size in unsafe mode (@gotjoshua, @cmwaters)
- - [pex] \#6305 v2 pex reactor with backwards compatability. Introduces two new pex messages to
- accomodate for the new p2p stack. Removes the notion of seeds and crawling. All peer
- exchange reactors behave the same. (@cmwaters)
- - [crypto] \#6376 Enable sr25519 as a validator key
- - [mempool] \#6466 Introduction of a prioritized mempool. (@alexanderbez)
- - `Priority` and `Sender` have been introduced into the `ResponseCheckTx` type, where the `priority` will determine the prioritization of
- the transaction when a proposer reaps transactions for a block proposal. The `sender` field acts as an index.
- - Operators may toggle between the legacy mempool reactor, `v0`, and the new prioritized reactor, `v1`, by setting the
- `mempool.version` configuration, where `v1` is the default configuration.
- - Applications that do not specify a priority, i.e. zero, will have transactions reaped by the order in which they are received by the node.
- - Transactions are gossiped in FIFO order as they are in `v0`.
- - [config/indexer] \#6411 Introduce support for custom event indexing data sources, specifically PostgreSQL. (@JayT106)
- - [fastsync/event] \#6619 Emit fastsync status event when switching consensus/fastsync (@JayT106)
- - [statesync/event] \#6700 Emit statesync status start/end event (@JayT106)
- - [inspect] \#6785 Add a new `inspect` command for introspecting the state and block store of a crashed tendermint node. (@williambanfield)
-
- ### IMPROVEMENTS
-
- - [libs/log] Console log formatting changes as a result of \#6534 and \#6589. (@tychoish)
- - [statesync] \#6566 Allow state sync fetchers and request timeout to be configurable. (@alexanderbez)
- - [types] \#6478 Add `block_id` to `newblock` event (@jeebster)
- - [crypto/ed25519] \#5632 Adopt zip215 `ed25519` verification. (@marbar3778)
- - [crypto/ed25519] \#6526 Use [curve25519-voi](https://github.com/oasisprotocol/curve25519-voi) for `ed25519` signing and verification. (@Yawning)
- - [crypto/sr25519] \#6526 Use [curve25519-voi](https://github.com/oasisprotocol/curve25519-voi) for `sr25519` signing and verification. (@Yawning)
- - [privval] \#5603 Add `--key` to `init`, `gen_validator`, `testnet` & `unsafe_reset_priv_validator` for use in generating `secp256k1` keys.
- - [privval] \#5725 Add gRPC support to private validator.
- - [privval] \#5876 `tendermint show-validator` will query the remote signer if gRPC is being used (@marbar3778)
- - [abci/client] \#5673 `Async` requests return an error if queue is full (@melekes)
- - [mempool] \#5673 Cancel `CheckTx` requests if RPC client disconnects or times out (@melekes)
- - [abci] \#5706 Added `AbciVersion` to `RequestInfo` allowing applications to check ABCI version when connecting to Tendermint. (@marbar3778)
- - [blockchain/v1] \#5728 Remove in favor of v2 (@melekes)
- - [blockchain/v0] \#5741 Relax termination conditions and increase sync timeout (@melekes)
- - [cli] \#5772 `gen_node_key` output now contains node ID (`id` field) (@melekes)
- - [blockchain/v2] \#5774 Send status request when new peer joins (@melekes)
- - [consensus] \#5792 Deprecates the `time_iota_ms` consensus parameter, to reduce the bug surface. The parameter is no longer used. (@valardragon)
- - [store] \#5888 store.SaveBlock saves using batches instead of transactions for now to improve ACID properties. This is a quick fix for underlying issues around tm-db and ACID guarantees. (@githubsands)
- - [consensus] \#5987 Remove `time_iota_ms` from consensus params. Merge `tmproto.ConsensusParams` and `abci.ConsensusParams`. (@marbar3778)
- - [types] \#5994 Reduce the use of protobuf types in core logic. (@marbar3778)
- - `ConsensusParams`, `BlockParams`, `ValidatorParams`, `EvidenceParams`, `VersionParams`, `sm.Version` and `version.Consensus` have become native types. They still utilize protobuf when being sent over the wire or written to disk.
- - [rpc/client/http] \#6163 Do not drop events even if the `out` channel is full (@melekes)
- - [node] \#6059 Validate and complete genesis doc before saving to state store (@silasdavis)
- - [state] \#6067 Batch save state data (@githubsands & @cmwaters)
- - [crypto] \#6120 Implement batch verification interface for ed25519 and sr25519. (@marbar3778)
- - [types] \#6120 use batch verification for verifying commits signatures.
- - If the key type supports the batch verification API it will try to batch verify. If the verification fails we will single verify each signature.
- - [privval/file] \#6185 Return error on `LoadFilePV`, `LoadFilePVEmptyState`. Allows for better programmatic control of Tendermint.
- - [privval] \#6240 Add `context.Context` to privval interface.
- - [rpc] \#6265 set cache control in http-rpc response header (@JayT106)
- - [statesync] \#6378 Retry requests for snapshots and add a minimum discovery time (5s) for new snapshots.
- - [node/state] \#6370 graceful shutdown in the consensus reactor (@JayT106)
- - [crypto/merkle] \#6443 Improve HashAlternatives performance (@cuonglm)
- - [crypto/merkle] \#6513 Optimize HashAlternatives (@marbar3778)
- - [p2p/pex] \#6509 Improve addrBook.hash performance (@cuonglm)
- - [consensus/metrics] \#6549 Change block_size gauge to a histogram for better observability over time (@marbar3778)
- - [statesync] \#6587 Increase chunk priority and re-request chunks that don't arrive (@cmwaters)
- - [state/privval] \#6578 No GetPubKey retry beyond the proposal/voting window (@JayT106)
- - [rpc] \#6615 Add TotalGasUsed to block_results response (@crypto-facs)
- - [cmd/tendermint/commands] \#6623 replace `$HOME/.some/test/dir` with `t.TempDir` (@tanyabouman)
- - [statesync] \6807 Implement P2P state provider as an alternative to RPC (@cmwaters)
-
- ### BUG FIXES
-
- - [privval] \#5638 Increase read/write timeout to 5s and calculate ping interval based on it (@JoeKash)
- - [blockchain/v1] [\#5701](https://github.com/tendermint/tendermint/pull/5701) Handle peers without blocks (@melekes)
- - [blockchain/v1] \#5711 Fix deadlock (@melekes)
- - [evidence] \#6375 Fix bug with inconsistent LightClientAttackEvidence hashing (cmwaters)
- - [rpc] \#6507 Ensure RPC client can handle URLs without ports (@JayT106)
- - [statesync] \#6463 Adds Reverse Sync feature to fetch historical light blocks after state sync in order to verify any evidence (@cmwaters)
- - [fastsync] \#6590 Update the metrics during fast-sync (@JayT106)
- - [gitignore] \#6668 Fix gitignore of abci-cli (@tanyabouman)
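Review bot: three entries in this removed block carry typos that should not travel with the text if it is being relocated rather than dropped: the #6820 RPC entry names `UnsafeDialPeers` twice ("disabling support for `UnsafeDialPeers` and `UnsafeDialPeers`"), where the second is likely meant to be `UnsafeDialSeeds`; the statesync entry "\6807 Implement P2P state provider" is missing the `#` that every other issue reference in the file has; and the #6375 evidence entry credits `(cmwaters)` without the `@` used for every other author. Worth fixing at the destination in the same change.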