Skip to content

Commit

Permalink
Remote Smeshing setup incorrectly detected as supervised (#5958)
Browse files Browse the repository at this point in the history
## Motivation

The node allows to start a remote smeshing setup with `smeshing-start` via the config, commandline or grpc API. This adds an additional check to prevent this.
  • Loading branch information
fasmat committed May 20, 2024
1 parent 692d72a commit 7a58ddd
Show file tree
Hide file tree
Showing 3 changed files with 68 additions and 29 deletions.
56 changes: 45 additions & 11 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@ is macOS 14 (Sonoma) or later ([#5879](https://github.com/spacemeshos/go-spaceme

This update removes migration code for go-spacemesh databases created with versions before v1.5.0.
Upgrading to this version requires going through v1.5.x first. Removed migrations for:
* legacy keys in the post data directory ([#5907](https://github.com/spacemeshos/go-spacemesh/pull/5907)).
* ATX blob separation and always populating nonce column in atxs ([#5942](https://github.com/spacemeshos/go-spacemesh/pull/5942))

* legacy keys in the post data directory ([#5907](https://github.com/spacemeshos/go-spacemesh/pull/5907)).
* ATX blob separation and always populating nonce column in atxs ([#5942](https://github.com/spacemeshos/go-spacemesh/pull/5942))

### Highlights

Expand All @@ -32,22 +33,54 @@ Upgrading to this version requires going through v1.5.x first. Removed migration

* [#5888](https://github.com/spacemeshos/go-spacemesh/pull/5888) Handle DHT discovery startup errors properly

* [#5896](https://github.com/spacemeshos/go-spacemesh/pull/5896) Increase supported number of ATXs to 4.5 Mio.
* [#5932](https://github.com/spacemeshos/go-spacemesh/pull/5932) Fix caching malfeasance when processing new proofs

* [#5943](https://github.com/spacemeshos/go-spacemesh/pull/5943) Fix timing out querying proof in 1:N in a presence of
a broken Poet.

Previously, every identity waited for the full timeout time (~20 minutes) before giving up.

* [#5958](https://github.com/spacemeshos/go-spacemesh/pull/5958) Fix node incorrectly detecting a remote smeshing setup
as supervised.

Ensure that your key file in `data/identities` is named `local.key` if you run a supervised node or with the change
the node will not start.

## Release v1.5.3

### Improvements

* [#5929](https://github.com/spacemeshos/go-spacemesh/pull/5929) Fix "no nonce" error when persisting malicious
(initial) ATXs.

* [#5930](https://github.com/spacemeshos/go-spacemesh/pull/5930) Check if identity for a given malfeasance proof
exists when validating it.

## Release v1.5.2-hotfix1

This release includes our first CVE fix. A vulnerability was found in the way a node handles incoming ATXs. We urge all
node operators to update to this version as soon as possible.

### Improvements

* Fixed a vulnerability in the way a node handles incoming ATXs. This vulnerability allows an attacker to claim rewards
for a full tick amount although they should not be eligible for them.

## Release v1.5.2

### Improvements

* [#5904](https://github.com/spacemeshos/go-spacemesh/pull/5904) Avoid repeated searching for positioning ATX in 1:N

* [#5911](https://github.com/spacemeshos/go-spacemesh/pull/5911) Avoid pulling poet proof multiple times in 1:N setups

* [#5923](https://github.com/spacemeshos/go-spacemesh/pull/5923) Fix high memory consumption and performance issues
in the proposal handler

* [#5932](https://github.com/spacemeshos/go-spacemesh/pull/5932) Fix caching malfeasance when processing new proofs
## Release v1.5.1

* [#5943](https://github.com/spacemeshos/go-spacemesh/pull/5943) Fix timing out querying proof in 1:N in a presence of a broken Poet.
### Improvements

Previously, every identitiy waited for the full timeout time (~20 minutes) before giving up.
* [#5896](https://github.com/spacemeshos/go-spacemesh/pull/5896) Increase supported number of ATXs to 4.5 Mio.

## (v1.5.0)
## Release v1.5.0

### Upgrade information

Expand All @@ -64,7 +97,8 @@ coins. Fixes an oversight in the genesis VM implementation.
* [#5791](https://github.com/spacemeshos/go-spacemesh/pull/5791) Speed up ATX queries.
This also fixes ambiguity of nonces for equivocating identities.

* [#5856](https://github.com/spacemeshos/go-spacemesh/pull/5856) Bump github.com/spacemeshos/api/release/go to v1.37.0.
* [#5923](https://github.com/spacemeshos/go-spacemesh/pull/5923) Fix high memory consumption and performance issues
in the proposal handler

## Release v1.4.6

Expand Down
9 changes: 7 additions & 2 deletions node/node.go
Original file line number Diff line number Diff line change
Expand Up @@ -1658,8 +1658,13 @@ func (app *App) startAPIServices(ctx context.Context) error {
if app.Config.SMESHING.CoinbaseAccount == "" {
return errors.New("smeshing enabled but no coinbase account provided")
}
if len(app.signers) > 1 {
return errors.New("supervised smeshing cannot be started in a multi-smeshing setup")
if len(app.signers) > 1 || app.signers[0].Name() != supervisedIDKeyFileName {
app.log.Error("supervised smeshing cannot be started in a remote or multi-smeshing setup")
app.log.Error(
"if you run a supervised node ensure your key file is named %s and try again",
supervisedIDKeyFileName,
)
return errors.New("smeshing enabled in remote setup")
}
if err := app.postSupervisor.Start(
app.Config.POSTService,
Expand Down
32 changes: 16 additions & 16 deletions signing/signer_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ func Test_NewEdSigner_WithPrivateKey(t *testing.T) {
_, err = NewEdSigner(WithPrivateKey(key), WithPrivateKey(key))
require.ErrorContains(t, err, "invalid option WithPrivateKey: private key already set")

keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
dst := make([]byte, hex.EncodedLen(len(ed.PrivateKey())))
hex.Encode(dst, ed.PrivateKey())
err = os.WriteFile(keyFile, dst, 0o600)
Expand All @@ -69,44 +69,44 @@ func Test_NewEdSigner_FromFile(t *testing.T) {
})

t.Run("invalid key", func(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
key := bytes.Repeat([]byte{0}, PrivateKeySize*2)
err := os.WriteFile(keyFile, key, 0o600)
require.NoError(t, err)

_, err = NewEdSigner(FromFile(keyFile))
require.ErrorContains(t, err, "decoding private key in identity.key")
require.ErrorContains(t, err, "decoding private key in local.key")
})

t.Run("invalid key size - too short", func(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
key := bytes.Repeat([]byte{0}, 63)
dst := make([]byte, hex.EncodedLen(len(key)))
hex.Encode(dst, key)
err := os.WriteFile(keyFile, dst, 0o600)
require.NoError(t, err)

_, err = NewEdSigner(FromFile(keyFile))
require.ErrorContains(t, err, "invalid key size 63/64 for identity.key")
require.ErrorContains(t, err, "invalid key size 63/64 for local.key")
})

t.Run("invalid key size - too long", func(t *testing.T) {
keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
key := bytes.Repeat([]byte{0}, 65)
dst := make([]byte, hex.EncodedLen(len(key)))
hex.Encode(dst, key)
err := os.WriteFile(keyFile, dst, 0o600)
require.NoError(t, err)

_, err = NewEdSigner(FromFile(keyFile))
require.ErrorContains(t, err, "invalid key size 65/64 for identity.key")
require.ErrorContains(t, err, "invalid key size 65/64 for local.key")
})

t.Run("valid key", func(t *testing.T) {
ed, err := NewEdSigner()
require.NoError(t, err)

keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
dst := make([]byte, hex.EncodedLen(len(ed.PrivateKey())))
hex.Encode(dst, ed.PrivateKey())
err = os.WriteFile(keyFile, dst, 0o600)
Expand All @@ -116,14 +116,14 @@ func Test_NewEdSigner_FromFile(t *testing.T) {
require.NoError(t, err)
require.Equal(t, ed.priv, ed2.priv)
require.Equal(t, ed.PublicKey(), ed2.PublicKey())
require.Equal(t, "identity.key", ed2.Name())
require.Equal(t, "local.key", ed2.Name())
})

t.Run("fails if private key already set", func(t *testing.T) {
ed, err := NewEdSigner()
require.NoError(t, err)

keyFile := filepath.Join(t.TempDir(), "identity.key")
keyFile := filepath.Join(t.TempDir(), "local.key")
dst := make([]byte, hex.EncodedLen(len(ed.PrivateKey())))
hex.Encode(dst, ed.PrivateKey())
err = os.WriteFile(keyFile, dst, 0o600)
Expand All @@ -142,11 +142,11 @@ func TestEdSigner_ToFile(t *testing.T) {
})

t.Run("valid file", func(t *testing.T) {
path := filepath.Join(t.TempDir(), "identity.key")
path := filepath.Join(t.TempDir(), "local.key")

ed, err := NewEdSigner(ToFile(path))
require.NoError(t, err)
require.Equal(t, "identity.key", ed.Name())
require.Equal(t, "local.key", ed.Name())

require.FileExists(t, path)
data, err := os.ReadFile(path)
Expand All @@ -160,7 +160,7 @@ func TestEdSigner_ToFile(t *testing.T) {
})

t.Run("fails if file already set", func(t *testing.T) {
path := filepath.Join(t.TempDir(), "identity.key")
path := filepath.Join(t.TempDir(), "local.key")

_, err := NewEdSigner(ToFile(path), ToFile(path))
require.ErrorContains(t, err, "invalid option ToFile: file already set")
Expand All @@ -170,19 +170,19 @@ func TestEdSigner_ToFile(t *testing.T) {
ed, err := NewEdSigner()
require.NoError(t, err)

_, err = NewEdSigner(WithPrivateKey(ed.PrivateKey()), ToFile(filepath.Join(t.TempDir(), "identity.key")))
_, err = NewEdSigner(WithPrivateKey(ed.PrivateKey()), ToFile(filepath.Join(t.TempDir(), "local.key")))
require.NoError(t, err)
})

t.Run("fails if file already exists", func(t *testing.T) {
path := filepath.Join(t.TempDir(), "identity.key")
path := filepath.Join(t.TempDir(), "local.key")

_, err := NewEdSigner(ToFile(path))
require.NoError(t, err)

_, err = NewEdSigner(ToFile(path))
require.ErrorIs(t, err, fs.ErrExist)
require.ErrorContains(t, err, "save identity file identity.key")
require.ErrorContains(t, err, "save identity file local.key")

_, err = NewEdSigner(FromFile(path), ToFile(path))
require.ErrorContains(t, err, "invalid option ToFile: file already set")
Expand Down

0 comments on commit 7a58ddd

Please sign in to comment.