Vulnerability in light client proxy (#1081)

* Vulnerability in light client proxy When calling GetCertifiedCommit the light client proxy would call Certify and even on error return the Commit as if it had been correctly certified. Now it returns the error correctly and returns an empty Commit on error. * Improve names for clarity The lite package now contains StaticCertifier, DynamicCertifier and InqueringCertifier. This also changes the method receivers from one letter to two letter names, which will make future refactoring easier and follows the coding standards. * Fix test failures * Rename files * remove dead code
7 years ago · 32311acd01
--- a/lite/client/provider_test.go
+++ b/lite/client/provider_test.go
@ -35,7 +35,7 @@ func TestProvider(t *testing.T) {

 	// let's check this is valid somehow
 	assert.Nil(seed.ValidateBasic(chainID))
 	cert := lite.NewStatic(chainID, seed.Validators)
 	cert := lite.NewStaticCertifier(chainID, seed.Validators)

 	// historical queries now work :)
 	lower := sh - 5
--- a/lite/dynamic_certifier.go
+++ b/lite/dynamic_certifier.go
--- a/lite/dynamic_certifier_test.go
+++ b/lite/dynamic_certifier_test.go
--- a/lite/inquirer.go
+++ b/lite/inquirer.go
@ -1,159 +0,0 @@
 package lite

 import (
 	"github.com/tendermint/tendermint/types"

 	liteErr "github.com/tendermint/tendermint/lite/errors"
 )

 // Inquiring wraps a dynamic certifier and implements an auto-update strategy. If a call to Certify
 // fails due to a change it validator set, Inquiring will try and find a previous FullCommit which
 // it can use to safely update the validator set. It uses a source provider to obtain the needed
 // FullCommits. It stores properly validated data on the local system.
 type Inquiring struct {
 	cert *Dynamic
 	// These are only properly validated data, from local system
 	trusted Provider
 	// This is a source of new info, like a node rpc, or other import method
 	Source Provider
 }

 // NewInquiring returns a new Inquiring object. It uses the trusted provider to store validated
 // data and the source provider to obtain missing FullCommits.
 //
 // Example: The trusted provider should a CacheProvider, MemProvider or files.Provider. The source
 // provider should be a client.HTTPProvider.
 func NewInquiring(chainID string, fc FullCommit, trusted Provider,
 	source Provider) (*Inquiring, error) {

 	// store the data in trusted
 	err := trusted.StoreCommit(fc)
 	if err != nil {
 		return nil, err
 	}

 	return &Inquiring{
 		cert:    NewDynamic(chainID, fc.Validators, fc.Height()),
 		trusted: trusted,
 		Source:  source,
 	}, nil
 }

 // ChainID returns the chain id.
 func (c *Inquiring) ChainID() string {
 	return c.cert.ChainID()
 }

 // Validators returns the validator set.
 func (c *Inquiring) Validators() *types.ValidatorSet {
 	return c.cert.cert.vSet
 }

 // LastHeight returns the last height.
 func (c *Inquiring) LastHeight() int64 {
 	return c.cert.lastHeight
 }

 // Certify makes sure this is checkpoint is valid.
 //
 // If the validators have changed since the last know time, it looks
 // for a path to prove the new validators.
 //
 // On success, it will store the checkpoint in the store for later viewing
 func (c *Inquiring) Certify(commit Commit) error {
 	err := c.useClosestTrust(commit.Height())
 	if err != nil {
 		return err
 	}

 	err = c.cert.Certify(commit)
 	if !liteErr.IsValidatorsChangedErr(err) {
 		return err
 	}
 	err = c.updateToHash(commit.Header.ValidatorsHash)
 	if err != nil {
 		return err
 	}

 	err = c.cert.Certify(commit)
 	if err != nil {
 		return err
 	}

 	// store the new checkpoint
 	return c.trusted.StoreCommit(NewFullCommit(commit, c.Validators()))
 }

 // Update will verify if this is a valid change and update
 // the certifying validator set if safe to do so.
 func (c *Inquiring) Update(fc FullCommit) error {
 	err := c.useClosestTrust(fc.Height())
 	if err != nil {
 		return err
 	}

 	err = c.cert.Update(fc)
 	if err == nil {
 		err = c.trusted.StoreCommit(fc)
 	}
 	return err
 }

 func (c *Inquiring) useClosestTrust(h int64) error {
 	closest, err := c.trusted.GetByHeight(h)
 	if err != nil {
 		return err
 	}

 	// if the best seed is not the one we currently use,
 	// let's just reset the dynamic validator
 	if closest.Height() != c.LastHeight() {
 		c.cert = NewDynamic(c.ChainID(), closest.Validators, closest.Height())
 	}
 	return nil
 }

 // updateToHash gets the validator hash we want to update to
 // if IsTooMuchChangeErr, we try to find a path by binary search over height
 func (c *Inquiring) updateToHash(vhash []byte) error {
 	// try to get the match, and update
 	fc, err := c.Source.GetByHash(vhash)
 	if err != nil {
 		return err
 	}
 	err = c.cert.Update(fc)
 	// handle IsTooMuchChangeErr by using divide and conquer
 	if liteErr.IsTooMuchChangeErr(err) {
 		err = c.updateToHeight(fc.Height())
 	}
 	return err
 }

 // updateToHeight will use divide-and-conquer to find a path to h
 func (c *Inquiring) updateToHeight(h int64) error {
 	// try to update to this height (with checks)
 	fc, err := c.Source.GetByHeight(h)
 	if err != nil {
 		return err
 	}
 	start, end := c.LastHeight(), fc.Height()
 	if end <= start {
 		return liteErr.ErrNoPathFound()
 	}
 	err = c.Update(fc)

 	// we can handle IsTooMuchChangeErr specially
 	if !liteErr.IsTooMuchChangeErr(err) {
 		return err
 	}

 	// try to update to mid
 	mid := (start + end) / 2
 	err = c.updateToHeight(mid)
 	if err != nil {
 		return err
 	}

 	// if we made it to mid, we recurse
 	return c.updateToHeight(h)
 }
--- a/lite/inquiring_certifier.go
+++ b/lite/inquiring_certifier.go
@ -0,0 +1,163 @@
 package lite

 import (
 	"github.com/tendermint/tendermint/types"

 	liteErr "github.com/tendermint/tendermint/lite/errors"
 )

 var _ Certifier = (*InquiringCertifier)(nil)

 // InquiringCertifier wraps a dynamic certifier and implements an auto-update strategy. If a call
 // to Certify fails due to a change it validator set, InquiringCertifier will try and find a
 // previous FullCommit which it can use to safely update the validator set. It uses a source
 // provider to obtain the needed FullCommits. It stores properly validated data on the local system.
 type InquiringCertifier struct {
 	cert *DynamicCertifier
 	// These are only properly validated data, from local system
 	trusted Provider
 	// This is a source of new info, like a node rpc, or other import method
 	Source Provider
 }

 // NewInquiringCertifier returns a new Inquiring object. It uses the trusted provider to store
 // validated data and the source provider to obtain missing FullCommits.
 //
 // Example: The trusted provider should a CacheProvider, MemProvider or files.Provider. The source
 // provider should be a client.HTTPProvider.
 func NewInquiringCertifier(chainID string, fc FullCommit, trusted Provider,
 	source Provider) (*InquiringCertifier, error) {

 	// store the data in trusted
 	err := trusted.StoreCommit(fc)
 	if err != nil {
 		return nil, err
 	}

 	return &InquiringCertifier{
 		cert:    NewDynamicCertifier(chainID, fc.Validators, fc.Height()),
 		trusted: trusted,
 		Source:  source,
 	}, nil
 }

 // ChainID returns the chain id.
 // Implements Certifier.
 func (ic *InquiringCertifier) ChainID() string {
 	return ic.cert.ChainID()
 }

 // Validators returns the validator set.
 func (ic *InquiringCertifier) Validators() *types.ValidatorSet {
 	return ic.cert.cert.vSet
 }

 // LastHeight returns the last height.
 func (ic *InquiringCertifier) LastHeight() int64 {
 	return ic.cert.lastHeight
 }

 // Certify makes sure this is checkpoint is valid.
 //
 // If the validators have changed since the last know time, it looks
 // for a path to prove the new validators.
 //
 // On success, it will store the checkpoint in the store for later viewing
 // Implements Certifier.
 func (ic *InquiringCertifier) Certify(commit Commit) error {
 	err := ic.useClosestTrust(commit.Height())
 	if err != nil {
 		return err
 	}

 	err = ic.cert.Certify(commit)
 	if !liteErr.IsValidatorsChangedErr(err) {
 		return err
 	}
 	err = ic.updateToHash(commit.Header.ValidatorsHash)
 	if err != nil {
 		return err
 	}

 	err = ic.cert.Certify(commit)
 	if err != nil {
 		return err
 	}

 	// store the new checkpoint
 	return ic.trusted.StoreCommit(NewFullCommit(commit, ic.Validators()))
 }

 // Update will verify if this is a valid change and update
 // the certifying validator set if safe to do so.
 func (ic *InquiringCertifier) Update(fc FullCommit) error {
 	err := ic.useClosestTrust(fc.Height())
 	if err != nil {
 		return err
 	}

 	err = ic.cert.Update(fc)
 	if err == nil {
 		err = ic.trusted.StoreCommit(fc)
 	}
 	return err
 }

 func (ic *InquiringCertifier) useClosestTrust(h int64) error {
 	closest, err := ic.trusted.GetByHeight(h)
 	if err != nil {
 		return err
 	}

 	// if the best seed is not the one we currently use,
 	// let's just reset the dynamic validator
 	if closest.Height() != ic.LastHeight() {
 		ic.cert = NewDynamicCertifier(ic.ChainID(), closest.Validators, closest.Height())
 	}
 	return nil
 }

 // updateToHash gets the validator hash we want to update to
 // if IsTooMuchChangeErr, we try to find a path by binary search over height
 func (ic *InquiringCertifier) updateToHash(vhash []byte) error {
 	// try to get the match, and update
 	fc, err := ic.Source.GetByHash(vhash)
 	if err != nil {
 		return err
 	}
 	err = ic.cert.Update(fc)
 	// handle IsTooMuchChangeErr by using divide and conquer
 	if liteErr.IsTooMuchChangeErr(err) {
 		err = ic.updateToHeight(fc.Height())
 	}
 	return err
 }

 // updateToHeight will use divide-and-conquer to find a path to h
 func (ic *InquiringCertifier) updateToHeight(h int64) error {
 	// try to update to this height (with checks)
 	fc, err := ic.Source.GetByHeight(h)
 	if err != nil {
 		return err
 	}
 	start, end := ic.LastHeight(), fc.Height()
 	if end <= start {
 		return liteErr.ErrNoPathFound()
 	}
 	err = ic.Update(fc)

 	// we can handle IsTooMuchChangeErr specially
 	if !liteErr.IsTooMuchChangeErr(err) {
 		return err
 	}

 	// try to update to mid
 	mid := (start + end) / 2
 	err = ic.updateToHeight(mid)
 	if err != nil {
 		return err
 	}

 	// if we made it to mid, we recurse
 	return ic.updateToHeight(h)
 }
--- a/lite/inquiring_certifier_test.go
+++ b/lite/inquiring_certifier_test.go
--- a/lite/performance_test.go
+++ b/lite/performance_test.go
@ -105,7 +105,7 @@ func BenchmarkCertifyCommitSec100(b *testing.B) {
 func benchmarkCertifyCommit(b *testing.B, keys lite.ValKeys) {
 	chainID := "bench-certify"
 	vals := keys.ToValidators(20, 10)
 	cert := lite.NewStatic(chainID, vals)
 	cert := lite.NewStaticCertifier(chainID, vals)
 	check := keys.GenCommit(chainID, 123, nil, vals, []byte("foo"), []byte("params"), []byte("res"), 0, len(keys))
 	for i := 0; i < b.N; i++ {
 		err := cert.Certify(check)
--- a/lite/proxy/certifier.go
+++ b/lite/proxy/certifier.go
@ -6,7 +6,7 @@ import (
 	"github.com/tendermint/tendermint/lite/files"
 )

 func GetCertifier(chainID, rootDir, nodeAddr string) (*lite.Inquiring, error) {
 func GetCertifier(chainID, rootDir, nodeAddr string) (*lite.InquiringCertifier, error) {
 	trust := lite.NewCacheProvider(
 		lite.NewMemStoreProvider(),
 		files.NewProvider(rootDir),
@ -26,7 +26,7 @@ func GetCertifier(chainID, rootDir, nodeAddr string) (*lite.Inquiring, error) {
 		return nil, err
 	}

 	cert, err := lite.NewInquiring(chainID, fc, trust, source)
 	cert, err := lite.NewInquiringCertifier(chainID, fc, trust, source)
 	if err != nil {
 		return nil, err
 	}
--- a/lite/proxy/proxy.go
+++ b/lite/proxy/proxy.go
@ -18,7 +18,11 @@ const (
 // set up the rpc routes to proxy via the given client,
 // and start up an http/rpc server on the location given by bind (eg. :1234)
 func StartProxy(c rpcclient.Client, listenAddr string, logger log.Logger) error {
 	c.Start()
 	err := c.Start()
 	if err != nil {
 		return err
 	}

 	r := RPCRoutes(c)

 	// build the handler...
@ -30,7 +34,7 @@ func StartProxy(c rpcclient.Client, listenAddr string, logger log.Logger) error
 	core.SetLogger(logger)
 	mux.HandleFunc(wsEndpoint, wm.WebsocketHandler)

 	_, err := rpc.StartHTTPServer(listenAddr, mux, logger)
 	_, err = rpc.StartHTTPServer(listenAddr, mux, logger)

 	return err
 }
--- a/lite/proxy/query.go
+++ b/lite/proxy/query.go
@ -51,7 +51,7 @@ func GetWithProofOptions(path string, key []byte, opts rpcclient.ABCIQueryOption

 	// make sure the proof is the proper height
 	if resp.IsErr() {
 		err = errors.Errorf("Query error %d: %d", resp.Code)
 		err = errors.Errorf("Query error for key %d: %d", key, resp.Code)
 		return nil, nil, err
 	}
 	if len(resp.Key) == 0 || len(resp.Proof) == 0 {
@ -79,7 +79,7 @@ func GetWithProofOptions(path string, key []byte, opts rpcclient.ABCIQueryOption
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "Couldn't verify proof")
 		}
 		return &ctypes.ResultABCIQuery{resp}, eproof, nil
 		return &ctypes.ResultABCIQuery{Response: resp}, eproof, nil
 	}

 	// The key wasn't found, construct a proof of non-existence.
@ -93,13 +93,12 @@ func GetWithProofOptions(path string, key []byte, opts rpcclient.ABCIQueryOption
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "Couldn't verify proof")
 	}
 	return &ctypes.ResultABCIQuery{resp}, aproof, ErrNoData()
 	return &ctypes.ResultABCIQuery{Response: resp}, aproof, ErrNoData()
 }

 // GetCertifiedCommit gets the signed header for a given height
 // and certifies it.  Returns error if unable to get a proven header.
 func GetCertifiedCommit(h int64, node rpcclient.Client,
 	cert lite.Certifier) (empty lite.Commit, err error) {
 func GetCertifiedCommit(h int64, node rpcclient.Client, cert lite.Certifier) (lite.Commit, error) {

 	// FIXME: cannot use cert.GetByHeight for now, as it also requires
 	// Validators and will fail on querying tendermint for non-current height.
@ -107,14 +106,18 @@ func GetCertifiedCommit(h int64, node rpcclient.Client,
 	rpcclient.WaitForHeight(node, h, nil)
 	cresp, err := node.Commit(&h)
 	if err != nil {
 		return
 		return lite.Commit{}, err
 	}
 	commit := client.CommitFromResult(cresp)

 	commit := client.CommitFromResult(cresp)
 	// validate downloaded checkpoint with our request and trust store.
 	if commit.Height() != h {
 		return empty, certerr.ErrHeightMismatch(h, commit.Height())
 		return lite.Commit{}, certerr.ErrHeightMismatch(h, commit.Height())
 	}
 	err = cert.Certify(commit)

 	if err = cert.Certify(commit); err != nil {
 		return lite.Commit{}, err
 	}

 	return commit, nil
 }
--- a/lite/proxy/query_test.go
+++ b/lite/proxy/query_test.go
@ -58,7 +58,7 @@ func _TestAppProofs(t *testing.T) {
 	source := certclient.NewProvider(cl)
 	seed, err := source.GetByHeight(brh - 2)
 	require.NoError(err, "%+v", err)
 	cert := lite.NewStatic("my-chain", seed.Validators)
 	cert := lite.NewStaticCertifier("my-chain", seed.Validators)

 	client.WaitForHeight(cl, 3, nil)
 	latest, err := source.LatestCommit()
@ -117,7 +117,7 @@ func _TestTxProofs(t *testing.T) {
 	source := certclient.NewProvider(cl)
 	seed, err := source.GetByHeight(brh - 2)
 	require.NoError(err, "%+v", err)
 	cert := lite.NewStatic("my-chain", seed.Validators)
 	cert := lite.NewStaticCertifier("my-chain", seed.Validators)

 	// First let's make sure a bogus transaction hash returns a valid non-existence proof.
 	key := types.Tx([]byte("bogus")).Hash()
@ -136,5 +136,4 @@ func _TestTxProofs(t *testing.T) {
 	commit, err := GetCertifiedCommit(br.Height, cl, cert)
 	require.Nil(err, "%+v", err)
 	require.Equal(res.Proof.RootHash, commit.Header.DataHash)

 }
--- a/lite/proxy/wrapper.go
+++ b/lite/proxy/wrapper.go
@ -15,14 +15,14 @@ var _ rpcclient.Client = Wrapper{}
 // provable before passing it along. Allows you to make any rpcclient fully secure.
 type Wrapper struct {
 	rpcclient.Client
 	cert *lite.Inquiring
 	cert *lite.InquiringCertifier
 }

 // SecureClient uses a given certifier to wrap an connection to an untrusted
 // host and return a cryptographically secure rpc client.
 //
 // If it is wrapping an HTTP rpcclient, it will also wrap the websocket interface
 func SecureClient(c rpcclient.Client, cert *lite.Inquiring) Wrapper {
 func SecureClient(c rpcclient.Client, cert *lite.InquiringCertifier) Wrapper {
 	wrap := Wrapper{c, cert}
 	// TODO: no longer possible as no more such interface exposed....
 	// if we wrap http client, then we can swap out the event switch to filter
@ -34,7 +34,9 @@ func SecureClient(c rpcclient.Client, cert *lite.Inquiring) Wrapper {
 }

 // ABCIQueryWithOptions exposes all options for the ABCI query and verifies the returned proof
 func (w Wrapper) ABCIQueryWithOptions(path string, data data.Bytes, opts rpcclient.ABCIQueryOptions) (*ctypes.ResultABCIQuery, error) {
 func (w Wrapper) ABCIQueryWithOptions(path string, data data.Bytes,
 	opts rpcclient.ABCIQueryOptions) (*ctypes.ResultABCIQuery, error) {

 	res, _, err := GetWithProofOptions(path, data, opts, w.Client, w.cert)
 	return res, err
 }
--- a/lite/static_certifier.go
+++ b/lite/static_certifier.go
--- a/lite/static_certifier_test.go
+++ b/lite/static_certifier_test.go
--- a/rpc/client/interface.go
+++ b/rpc/client/interface.go
@ -33,7 +33,8 @@ type ABCIClient interface {
 	// reading from abci app
 	ABCIInfo() (*ctypes.ResultABCIInfo, error)
 	ABCIQuery(path string, data data.Bytes) (*ctypes.ResultABCIQuery, error)
 	ABCIQueryWithOptions(path string, data data.Bytes, opts ABCIQueryOptions) (*ctypes.ResultABCIQuery, error)
 	ABCIQueryWithOptions(path string, data data.Bytes,
 		opts ABCIQueryOptions) (*ctypes.ResultABCIQuery, error)

 	// writing to abci app
 	BroadcastTxCommit(tx types.Tx) (*ctypes.ResultBroadcastTxCommit, error)
--- a/types/priv_validator.go
+++ b/types/priv_validator.go
@ -369,8 +369,6 @@ func (pvs PrivValidatorsByAddress) Swap(i, j int) {

 //-------------------------------------

 type checkOnlyDifferByTimestamp func([]byte, []byte) bool

 // returns the timestamp from the lastSignBytes.
 // returns true if the only difference in the votes is their timestamp.
 func checkVotesOnlyDifferByTimestamp(lastSignBytes, newSignBytes []byte) (time.Time, bool) {