Conversation
Co-authored-by: eltitanb <lorenzo@gattaca.com> Co-authored-by: ltitanb <163874448+ltitanb@users.noreply.github.com> Co-authored-by: Manuel Iñaki Bilbao <manuel.bilbao@lambdaclass.com>
…st-client into sigp-audit-fixes
…st-client into sigp-audit-fixes
Co-authored-by: Joe Clapis <jclapis@outlook.com>
… rightmost setup (#410)
… 1.91 as required. Add audit.toml to ignore irrelevant audit error in CI.
crates/common/src/config/signer.rs (outdated)
fn make_local_signer_config(tls_mode: TlsMode) -> SignerConfig {
    SignerConfig {
        host: Ipv4Addr::new(127, 0, 0, 1),
can use Ipv4Addr::LOCALHOST
crates/signer/src/service.rs (outdated)
let chain_id: U256;
match &*state.manager.read().await {
    SigningManager::Local(local_manager) => {
        chain_id = local_manager.get_chain().id();
        if is_proxy {
I think it would help readability to refactor the match to return (chain_id, Result) which are later handled in the following map, rather than chaining these together directly
                ?req_id,
                "Module signing ID not found"
            );
            return Err(SignerModuleError::RequestError("Module signing ID not found".to_string()));
maybe we could return the request id too? otherwise there is no reason to construct it beforehand just to print it once
the same pattern was used in handle_request_signature_bls(). Don't think req_id provides any value since it's only generated server-side, and you can't easily correlate it back to a client-side request. I'm opting towards removing req_id from both bls/ecdsa signing paths and instead adding the pubkey + object_root + nonce to the error messages which are unambiguous and already public info.
crates/common/src/config/mod.rs (outdated)
    })
}

/// Helper to return if signer uses TLS
nit: I'm not sure these comments are super helpful?
crates/common/src/config/signer.rs (outdated)
let jwts = load_jwt_secrets()?;
let (admin_secret, jwt_secrets) = load_jwt_secrets()?;

// Load the module signing configs
crates/common/src/config/signer.rs (outdated)
let mut seen_jwt_secrets = HashMap::new();
let mut seen_signing_ids = HashMap::new();
for module in modules {
    // Validate the module ID
nit: same as above. Most other comments in this function aren't doing much either
crates/common/src/config/signer.rs (outdated)
pbs: StaticPbsConfig {
    docker_image: String::from("cb-fake-repo/fake-cb:latest"),
    pbs_config: PbsConfig {
        host: Ipv4Addr::new(127, 0, 0, 1),
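Review bot: same point as on the signer config above: `host: Ipv4Addr::new(127, 0, 0, 1)` in this PBS test config can be written as `Ipv4Addr::LOCALHOST`, which matches the suggestion already made for `make_local_signer_config`.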
crates/common/src/utils.rs (outdated)
    Ok(claims)
}

/// Validate a JWT with the given secret
crates/common/src/utils.rs (outdated)
    Ok(())
}

/// Validate an admin JWT with the given secret
nit: and this? given that it says the same thing as the function name
should we add some tests here for signing and verifying signatures from a real world block? esp for the builder api messages
- add missing ADMIN_JWT_ENV and SIGNER_TLS_CERTIFICATES_PATH_ENV
- support https healthchecks
…eserialization error message
…which conflicted with deserializing `SignConsensusRequest`
…fault to readlock
        "Module {module_id} signing ID not found in commit-boost config, cannot reload"
    );
    error!(event = "reload", module_id = %module_id, error = %error_message);
    return Err(SignerModuleError::RequestError(error_message));
if we're able to return midway through the loop it's strange that we're also updating the configs in place because we may exit and return an error to the client having half-updated the configs
It doesn't look like an actual vulnerability, but it's not clean and it's not obvious to the client I think
if you think it's better to be able to do this, then I think we should be able to communicate to the client which modules have been updated, also maybe save the error and continue updating other modules afterwards
though i would prefer to check first, update later only if all are ok
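The "check first, update later" pattern from the comment above, written out as an added example. This is not commit-boost code: `ModuleSigningConfig`, `ReloadError`, the reload functions and the sample module IDs are all hypothetical, the map of known signing IDs stands in for whatever the real commit-boost config exposes, and the example assumes a reload replaces the whole module set. `reload_in_place` shows the flagged behaviour (an error on the second module leaves the first module's update applied); `reload_validate_then_apply` stages every module, rejects the batch on the first problem, and only then swaps the staged set in, so a client that gets an error can rely on the old config still being in force.

```rust
use std::collections::{HashMap, HashSet};

/// A module's signing configuration (hypothetical shape for this example).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ModuleSigningConfig {
    pub module_id: String,
    pub signing_id: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ReloadError {
    /// The module's signing ID is not present in the known (commit-boost) config.
    UnknownSigningId { module_id: String },
    /// Two modules in one reload request share a signing ID.
    DuplicateSigningId { signing_id: String },
}

/// Reload that mutates `current` while iterating (the pattern flagged in review):
/// if the second module fails validation, the first module's update stays applied.
pub fn reload_in_place(
    current: &mut HashMap<String, ModuleSigningConfig>,
    incoming: &[ModuleSigningConfig],
    known_signing_ids: &HashSet<String>,
) -> Result<(), ReloadError> {
    for m in incoming {
        if !known_signing_ids.contains(&m.signing_id) {
            return Err(ReloadError::UnknownSigningId { module_id: m.module_id.clone() });
        }
        current.insert(m.module_id.clone(), m.clone());
    }
    Ok(())
}

/// Reload that validates every module first and touches `current` only if all pass.
/// On error `current` is unchanged, so the client sees either the old or the new config.
pub fn reload_validate_then_apply(
    current: &mut HashMap<String, ModuleSigningConfig>,
    incoming: &[ModuleSigningConfig],
    known_signing_ids: &HashSet<String>,
) -> Result<usize, ReloadError> {
    let mut seen_signing_ids = HashSet::new();
    let mut staged = HashMap::with_capacity(incoming.len());
    for m in incoming {
        if !known_signing_ids.contains(&m.signing_id) {
            return Err(ReloadError::UnknownSigningId { module_id: m.module_id.clone() });
        }
        if !seen_signing_ids.insert(m.signing_id.clone()) {
            return Err(ReloadError::DuplicateSigningId { signing_id: m.signing_id.clone() });
        }
        staged.insert(m.module_id.clone(), m.clone());
    }
    // Assumption for this example: a reload replaces the full module set.
    *current = staged;
    Ok(current.len())
}

fn cfg(module_id: &str, signing_id: &str) -> ModuleSigningConfig {
    ModuleSigningConfig { module_id: module_id.to_string(), signing_id: signing_id.to_string() }
}

fn sorted_keys(m: &HashMap<String, ModuleSigningConfig>) -> Vec<String> {
    let mut keys: Vec<String> = m.keys().cloned().collect();
    keys.sort();
    keys
}

/// Outcome of the constructed scenario below, so the two strategies can be compared.
pub struct DemoOutcome {
    pub in_place_result: Result<(), ReloadError>,
    pub in_place_modules: Vec<String>,
    pub atomic_result: Result<usize, ReloadError>,
    pub atomic_modules: Vec<String>,
    pub valid_result: Result<usize, ReloadError>,
    pub valid_modules: Vec<String>,
}

/// Constructed scenario: a good module ("mod-b") followed by one whose signing ID
/// is unknown ("mod-c"), applied to a config that currently holds only "mod-a".
pub fn demo() -> DemoOutcome {
    let known = HashSet::from(["sig-a".to_string(), "sig-b".to_string()]);
    let initial = HashMap::from([("mod-a".to_string(), cfg("mod-a", "sig-a"))]);
    let bad_batch = vec![cfg("mod-b", "sig-b"), cfg("mod-c", "sig-unknown")];

    let mut in_place = initial.clone();
    let in_place_result = reload_in_place(&mut in_place, &bad_batch, &known);

    let mut atomic = initial.clone();
    let atomic_result = reload_validate_then_apply(&mut atomic, &bad_batch, &known);

    // A fully valid batch goes through and replaces the set.
    let valid_result = reload_validate_then_apply(&mut atomic, &[cfg("mod-b", "sig-b")], &known);

    DemoOutcome {
        in_place_result,
        in_place_modules: sorted_keys(&in_place),
        atomic_result,
        atomic_modules: sorted_keys(&initial),
        valid_result,
        valid_modules: sorted_keys(&atomic),
    }
}
```

`demo()` reports `atomic_modules` from the original map on purpose: after the failed validate-then-apply reload the map passed in is identical to it, which is the property the reviewer asked for. If partial application were ever desired instead, the error type would need to carry the list of modules already updated, as the comment notes.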
crates/signer/src/service.rs (outdated)
if elapsed > state.jwt_auth_fail_timeout {
    drop(failures);
    debug!("Removing {client_ip} from JWT auth failure list");
    state.jwt_auth_failures.write().remove(client_ip);
this is a concurrency issue - we can't expect the state to have stayed the same after we've dropped the read lock above
there could've been another failure we missed in between the dropping of the read lock and the acquiring of the write lock where a new failure was added
not likely a big vulnerability either, but a bug nevertheless
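The read-lock/write-lock gap described in the comment above, reproduced as an added example with a deterministic interleaving. This is not the signer service's code: `AuthFailureTracker`, `FailureEntry` and the `between` hook are hypothetical, the lock is a `std::sync::RwLock` (the real service may use another lock type), and the timestamps are passed in explicitly so the race can be replayed. `prune_racy` decides under the read lock, drops it, and removes under a later write lock; a failure recorded in between is silently discarded. `prune_safe` makes the decision and the removal under the same write lock, so the fresh failure is seen and the entry is kept.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};
use std::sync::RwLock;
use std::time::{Duration, Instant};

/// Per-client record of failed JWT authentications. Hypothetical shape,
/// modelled on the `jwt_auth_failures` map the review discusses.
#[derive(Clone, Debug)]
pub struct FailureEntry {
    pub count: u32,
    pub last_failure: Instant,
}

/// Tracker holding the failure map behind a `std::sync::RwLock` (assumption:
/// the real service may use a different lock type with the same read/write split).
pub struct AuthFailureTracker {
    failures: RwLock<HashMap<IpAddr, FailureEntry>>,
    timeout: Duration,
}

impl AuthFailureTracker {
    pub fn new(timeout: Duration) -> Self {
        Self { failures: RwLock::new(HashMap::new()), timeout }
    }

    /// Record a failed authentication attempt from `ip` observed at `now`.
    pub fn record_failure(&self, ip: IpAddr, now: Instant) {
        let mut map = self.failures.write().expect("lock poisoned");
        let entry = map.entry(ip).or_insert(FailureEntry { count: 0, last_failure: now });
        entry.count += 1;
        entry.last_failure = now;
    }

    pub fn failure_count(&self, ip: IpAddr) -> u32 {
        self.failures.read().expect("lock poisoned").get(&ip).map_or(0, |e| e.count)
    }

    fn is_expired(&self, entry: &FailureEntry, now: Instant) -> bool {
        now.saturating_duration_since(entry.last_failure) > self.timeout
    }

    /// Racy pruning: expiry is decided under the read lock, the lock is dropped,
    /// and the removal happens later under a write lock. `between` stands in for
    /// whatever other tasks do in that window. Returns true if an entry was removed.
    pub fn prune_racy(&self, ip: IpAddr, now: Instant, between: impl FnOnce(&Self)) -> bool {
        let expired = {
            let map = self.failures.read().expect("lock poisoned");
            map.get(&ip).map_or(false, |e| self.is_expired(e, now))
        }; // read lock dropped here; the map can change before the write lock is taken
        between(self);
        if expired {
            // Removes whatever is in the map now, including a failure recorded in the gap.
            self.failures.write().expect("lock poisoned").remove(&ip);
            return true;
        }
        false
    }

    /// Safe pruning: decision and removal happen under the same write lock, so a
    /// failure recorded in the meantime is seen and the entry is kept.
    pub fn prune_safe(&self, ip: IpAddr, now: Instant, between: impl FnOnce(&Self)) -> bool {
        between(self);
        let mut map = self.failures.write().expect("lock poisoned");
        let expired = map.get(&ip).map_or(false, |e| self.is_expired(e, now));
        if expired {
            map.remove(&ip);
        }
        expired
    }
}

/// Constructed interleaving: an entry has expired, and a new failure from the same
/// client lands while no lock is held. Returns (count after racy, count after safe).
pub fn demo() -> (u32, u32) {
    let ip = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 7)); // documentation-range address
    let t0 = Instant::now();
    let later = t0 + Duration::from_secs(5);

    let racy = AuthFailureTracker::new(Duration::from_secs(1));
    racy.record_failure(ip, t0);
    racy.prune_racy(ip, later, |t| t.record_failure(ip, later));

    let safe = AuthFailureTracker::new(Duration::from_secs(1));
    safe.record_failure(ip, t0);
    safe.prune_safe(ip, later, |t| t.record_failure(ip, later));

    (racy.failure_count(ip), safe.failure_count(ip))
}
```

The practical rule is the one the reviewer states: nothing observed under a read lock can be assumed to still hold once that lock is released, so either take the write lock up front for the check-and-remove, or re-check the condition after acquiring it. The `between` hook only exists to make the interleaving reproducible; in the service it is any concurrent request handler.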
SigningService::init_metrics(config.chain)?;

let app = axum::Router::new()
    .route(REQUEST_SIGNATURE_PATH, post(handle_request_signature))
Should we keep the path as deprecated to avoid sudden breaking changes?
Implements the recommended changes to address issues from the Sigma Prime audit report.