Additional safety checks in PSBT signer #13917

pull sipa wants to merge 4 commits into bitcoin:master from sipa:201808_psbtsafesign changing 5 files +79 −11
  1. sipa commented at 9:33 pm on August 8, 2018: member

    The current PSBT signing code can end up producing a non-segwit signature, while only the UTXO being spent is provided in the PSBT (as opposed to the entire transaction being spent). This may be used to trick a user to incorrectly decide a transaction has the semantics he intends to sign.

    Fix this by refusing to sign if there is any mismatch between the provided data and what is being signed.

  2. MarcoFalke added the label Tests on Aug 8, 2018
  3. MarcoFalke removed the label Tests on Aug 8, 2018
  4. MarcoFalke added this to the milestone 0.17.0 on Aug 8, 2018
  5. MarcoFalke added the label Wallet on Aug 8, 2018
  6. sipa added the label Bug on Aug 8, 2018
  7. practicalswift commented at 10:32 pm on August 8, 2018: contributor

    Excellent! Thanks for tightening PSBT!

    Concept ACK

  8. in src/wallet/rpcwallet.cpp:4530 in 9c6ed3a41c outdated 
    4526@@ -4525,10 +4527,12 @@ bool FillPSBT(const CWallet* pwallet, PartiallySignedTransaction& psbtx, const C
4527         }
4528 
4529         // Drop the unnecessary UTXO
4530-        if (sigdata.witness) {
4531-            input.non_witness_utxo = nullptr;
4532-        } else {
4533-            input.witness_utxo.SetNull();
4534+        if (from_wallet) {
    promag commented at 10:46 pm on August 8, 2018:

    Commit “Only wipe wrong UTXO type data if overwritten by wallet”

    Suggestion, either reuse above condition if (it != pwallet->mapWallet.end())or above do:

    0const bool from_wallet = it != pwallet->mapWallet.end();
1if (from_wallet) {
2    ...
3}
    sipa commented at 11:41 pm on August 8, 2018:
    Done.
  9. in src/script/sign.cpp:250 in 41dad138f7 outdated 
    243@@ -244,17 +244,33 @@ bool SignPSBTInput(const SigningProvider& provider, const CMutableTransaction& t
244     input.FillSignatureData(sigdata);
245 
246     // Get UTXO
247+    bool require_witness_sig = false;
248     CTxOut utxo;
249     if (input.non_witness_utxo) {
250+        // If we're taking our information from a non-witness UTXO, verify that it matches the prevout.
    promag commented at 10:48 pm on August 8, 2018:

    Commit “Additional sanity checks in SignPSBTInput”

    nit, could reflow comments.

    sipa commented at 11:41 pm on August 8, 2018:
    I think they’re fine.
  10. DrahtBot commented at 11:06 pm on August 8, 2018: member
    • #13932 (Additional utility RPCs for PSBT by achow101)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  11. achow101 commented at 11:18 pm on August 8, 2018: member

    utACK

    Here is a commit with some more test cases: https://github.com/achow101/bitcoin/commit/9f110e1acbb1dc882ea871043fd03cf9064a1063. It tests for non-matching redeem scripts with both witness and non-witness utxos and non-matching witness scripts (for witness utxo only)

  12. sipa force-pushed on Aug 8, 2018
  13. sipa commented at 11:41 pm on August 8, 2018: member
    Addressed @promag’s nit, and included more tests by @achow101.
  14. in src/script/sign.cpp:254 in 9abc8b1338 outdated 
    249     if (input.non_witness_utxo) {
250+        // If we're taking our information from a non-witness UTXO, verify that it matches the prevout.
251+        if (input.non_witness_utxo->GetHash() != tx.vin[index].prevout.hash) return false;
252+        // If both witness and non-witness UTXO are provided, verify that they match. This check shouldn't
253+        // matter, as the PSBT deserializer enforces only one of both is provided, and the only way both
254+        // can be present is when they're added simultaneously by FillPSBT (in which case they always match).
    kallewoof commented at 6:37 am on August 9, 2018:
    Is this comment based on the BIP/spec or implementation? What about other implementations that may not do what FillPSBT does in Bitcoin Core? I understand that the check is done anyway, but the comment sounds like it could be skipped due to an implementation detail, which sounds error-prone.
    sipa commented at 7:29 am on August 9, 2018:
    @achow101 just opened a PR that adds the actual requirements to test for to BIP 174, including a simple implementation in pseudocode that implements it.
  15. kallewoof commented at 6:38 am on August 9, 2018: member
    utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6
  16. achow101 commented at 6:31 pm on August 9, 2018: member
    utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6
  17. kallewoof commented at 9:24 am on August 13, 2018: member

    Perhaps unrelated, but either createpsbt is too lenient, or decodepsbt is broken.

    0$ ./bitcoin-cli createpsbt "[]" "[{\"$(./bitcoin-cli getnewaddress)\":0.01}]"
1cHNidP8BACoCAAAAAAFAQg8AAAAAABepFG6Rty1Vk+fUOR4v9E6R6YXDFkHwhwAAAAAAAA==
2$ ./bitcoin-cli decodepsbt cHNidP8BACoCAAAAAAFAQg8AAAAAABepFG6Rty1Vk+fUOR4v9E6R6YXDFkHwhwAAAAAAAA==
3error code: -22
4error message:
5TX decode failed CDataStream::read(): end of data: unspecified iostream_category error
  18. fanquake commented at 10:33 am on August 13, 2018: member
    @sipa Can you rebase this now that #13666 is merged.
  19. DrahtBot added the label Needs rebase on Aug 13, 2018
  20. Only wipe wrong UTXO type data if overwritten by wallet c05712cb59
  21. Additional sanity checks in SignPSBTInput 8254e9950f
  22. Test that a non-witness script as witness utxo is not signed 7c8bffdc24
  23. More tests of signer checks 5df6f089b5
  24. sipa force-pushed on Aug 13, 2018
  25. sipa commented at 3:42 pm on August 13, 2018: member
    Rebased after #13666.
  26. DrahtBot removed the label Needs rebase on Aug 13, 2018
  27. achow101 commented at 6:37 pm on August 13, 2018: member
    re-utACK
  28. kallewoof commented at 5:24 am on August 14, 2018: member
    re-utACK 5df6f089b53c5b5859e5a3454c026447e4752f82
  29. laanwj added the label Needs backport on Aug 14, 2018
  30. laanwj commented at 4:01 pm on August 14, 2018: member
    utACK 5df6f089b53c5b5859e5a3454c026447e4752f82
  31. ken2812221 referenced this in commit 63f8b0128b on Aug 14, 2018
  32. laanwj merged this on Aug 14, 2018
  33. laanwj closed this on Aug 14, 2018
  34. fanquake referenced this in commit ad6d845ac9 on Aug 15, 2018
  35. fanquake referenced this in commit dbaadc9ea9 on Aug 15, 2018
  36. fanquake referenced this in commit 8935869487 on Aug 15, 2018
  37. fanquake referenced this in commit 0333914467 on Aug 15, 2018
  38. fanquake removed the label Needs backport on Aug 15, 2018
  39. fanquake commented at 2:04 am on August 15, 2018: member
    Will be backported in #13976
  40. laanwj referenced this in commit 4a2960f73e on Aug 15, 2018
  41. uhliksk referenced this in commit fd273d0cc0 on Aug 29, 2018
  42. uhliksk referenced this in commit 86d89d4ec4 on Aug 29, 2018
  43. uhliksk referenced this in commit dce4cf7f5a on Aug 29, 2018
  44. uhliksk referenced this in commit bb51d30689 on Aug 29, 2018
  45. HashUnlimited referenced this in commit f108a9fe06 on Sep 14, 2018
  46. HashUnlimited referenced this in commit 34bf9621b1 on Sep 14, 2018
  47. HashUnlimited referenced this in commit b12061c8d0 on Sep 14, 2018
  48. HashUnlimited referenced this in commit 8802e10c12 on Sep 14, 2018
  49. MarcoFalke locked this on Sep 8, 2021


sipa practicalswift promag DrahtBot achow101 kallewoof fanquake laanwj

Labels
Bug Wallet

Milestone
0.17.0

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-08 22:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me