Skip to content

Commit 83b032a

Browse files
cboh4cboh4
committed
add verification for the block header hash inside the enclave
1 parent f4b586e commit 83b032a

9 files changed

Lines changed: 37 additions & 35 deletions

File tree

cosmwasm/enclaves/Cargo.lock

Lines changed: 4 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

cosmwasm/enclaves/execute/Cargo.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -91,9 +91,9 @@ block-verifier = { path = "../shared/block-verifier", optional = true }
9191
time = "=0.3.17"
9292
ed25519-dalek = { version = "1.0", default-features = false }
9393
sha2 = "0.10"
94-
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false, features = ["rust-crypto"] }
95-
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false }
96-
tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false, features = ["rust-crypto"] }
94+
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
95+
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false }
96+
tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
9797

9898
[dependencies.webpki]
9999
git = "https://github.com/mesalock-linux/webpki"

cosmwasm/enclaves/shared/block-verifier/Cargo.toml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,9 +19,9 @@ sgx_types = { rev = "d2d339cbb005f676bb700059bd51dc689c025f6b", git = "https://g
1919

2020
[dependencies]
2121
sha2 = "0.10"
22-
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false, features = ["rust-crypto"] }
23-
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false }
24-
tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false, features = ["rust-crypto"] }
22+
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
23+
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false }
24+
tendermint-light-client-verifier = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
2525
lazy_static = "1.4.0"
2626
log = "0.4.17"
2727

cosmwasm/enclaves/shared/block-verifier/src/submit_block_signatures.rs

Lines changed: 4 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,15 @@
1+
use core::convert::TryInto;
12
use std::slice;
23

34
use sgx_types::sgx_status_t;
45

56
use enclave_utils::{validate_const_ptr, validate_input_length, validate_mut_ptr, KEY_MANAGER};
67
use log::debug;
78
use log::error;
9+
use std::convert::TryFrom;
10+
use tendermint::signature::Ed25519Signature;
811
use tendermint::Hash;
12+
use tendermint::Signature;
913

1014
macro_rules! unwrap_or_return {
1115
($result:expr) => {
@@ -136,13 +140,6 @@ pub unsafe fn submit_block_signatures_impl(
136140

137141
let implicit_hash = tendermint::Hash::Sha256(hash_result);
138142

139-
debug!("implicit_hash: {:?}", &implicit_hash);
140-
141-
debug!(
142-
"header.header.implicit_hash: {:?}",
143-
&header.header.implicit_hash
144-
);
145-
146143
if implicit_hash != header.header.implicit_hash {
147144
error!("Implicit hash does not match header implicit hash");
148145
return sgx_status_t::SGX_ERROR_INVALID_PARAMETER;

cosmwasm/enclaves/shared/block-verifier/src/verify/header.rs

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,15 @@
1+
use crate::verify::block::verify_block;
2+
use core::time::Duration;
13
use log::error;
24
use sgx_types::sgx_status_t;
5+
use sha2::{Digest, Sha256};
36
use tendermint::block::signed_header::SignedHeader;
47
use tendermint::block::{Commit, Header};
58
use tendermint::validator::Set;
69
use tendermint_light_client_verifier::types::UntrustedBlockState;
710
use tendermint_proto::v0_38::types::Header as RawHeader;
811
use tendermint_proto::Protobuf;
912

10-
use crate::verify::block::verify_block;
11-
1213
pub fn validate_block_header(
1314
block_header_slice: &[u8],
1415
validator_set: &Set,
@@ -32,6 +33,15 @@ pub fn validate_block_header(
3233
return Err(sgx_status_t::SGX_ERROR_FILE_RECOVERY_NEEDED);
3334
}
3435

36+
if signed_header.header.hash() != signed_header.commit.block_id.hash {
37+
error!(
38+
"Error verifying block hash in header! got {:?}, expected: {:?}",
39+
signed_header.header.hash(),
40+
signed_header.commit.block_id.hash
41+
);
42+
return Err(sgx_status_t::SGX_ERROR_INVALID_PARAMETER);
43+
}
44+
3545
let untrusted_block = UntrustedBlockState {
3646
signed_header: &signed_header,
3747
validators: validator_set,

cosmwasm/enclaves/shared/utils/Cargo.toml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,6 @@ serde = { git = "https://github.com/mesalock-linux/serde-sgx", features = [
3232
"derive"
3333
] }
3434
serde_json = { git = "https://github.com/mesalock-linux/serde-json-sgx" }
35-
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false }
36-
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.3", default-features = false, features = ["rust-crypto"] }
35+
tendermint-proto = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false }
36+
tendermint = { git = "https://github.com/scrtlabs/tendermint-rs", tag = "v0.38.0-secret.9-add-implicit-hash", default-features = false, features = ["rust-crypto"] }
3737
enclave_crypto = { path = "../crypto" }

go.mod

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,8 @@ replace (
99
cosmossdk.io/store => github.com/scrtlabs/cosmos-sdk-store v1.1.1-secret.1
1010
cosmossdk.io/x/tx => github.com/scrtlabs/cosmos-sdk-x-tx v0.13.7-secret.0
1111
// github.com/cometbft/cometbft => github.com/scrtlabs/tendermint v0.38.17-secret.0
12-
github.com/cometbft/cometbft => github.com/scrtlabs/tendermint v0.38.17-secret-7-add-implicit-hash
13-
github.com/cosmos/cosmos-sdk => github.com/scrtlabs/cosmos-sdk v0.50.11-secret-4-implicit-hash
12+
github.com/cometbft/cometbft => github.com/scrtlabs/tendermint v0.38.17-secret-23-add-implicit-hash
13+
github.com/cosmos/cosmos-sdk => github.com/scrtlabs/cosmos-sdk v0.50.11-secret-15-implicit-hash
1414
github.com/cosmos/iavl => github.com/scrtlabs/iavl v1.2.2-secret.0
1515
github.com/syndtr/goleveldb => github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7
1616

go.sum

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1593,8 +1593,8 @@ github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWR
15931593
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
15941594
github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
15951595
github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
1596-
github.com/scrtlabs/cosmos-sdk v0.50.11-secret-4-implicit-hash h1:BKQ6Z0piKAKaFpsBHRvJkfi07ozNyd1u6otmpGCD9cw=
1597-
github.com/scrtlabs/cosmos-sdk v0.50.11-secret-4-implicit-hash/go.mod h1:dJQYQ36O/vHv5h7HJECpnSQzelkobTPgwy1ND4pG1dI=
1596+
github.com/scrtlabs/cosmos-sdk v0.50.11-secret-15-implicit-hash h1:4nIG7McsrhkbMQkrLz6VRd0UQiOg24RX6Gf7Z1T42kA=
1597+
github.com/scrtlabs/cosmos-sdk v0.50.11-secret-15-implicit-hash/go.mod h1:2emBr6HobBqfY1gpDsRuCWgQiQYIwG+U600DiwzSgTs=
15981598
github.com/scrtlabs/cosmos-sdk-api v0.7.6-secret.0 h1:9IGLySVhC2qSrxT3fZvvqwjKsnXWSSKnywQDzT8y1Gs=
15991599
github.com/scrtlabs/cosmos-sdk-api v0.7.6-secret.0/go.mod h1:IcxpYS5fMemZGqyYtErK7OqvdM0C8kdW3dq8Q/XIG38=
16001600
github.com/scrtlabs/cosmos-sdk-store v1.1.1-secret.1 h1:TELtwBkSg0xBrs2ObFE0pVVWF6E31fPCDX2tk8OiJPo=
@@ -1603,8 +1603,8 @@ github.com/scrtlabs/cosmos-sdk-x-tx v0.13.7-secret.0 h1:i3k5706sDHKhaCvzokB+n33/
16031603
github.com/scrtlabs/cosmos-sdk-x-tx v0.13.7-secret.0/go.mod h1:V6DImnwJMTq5qFjeGWpXNiT/fjgE4HtmclRmTqRVM3w=
16041604
github.com/scrtlabs/iavl v1.2.2-secret.0 h1:P96PL1Lf8OBSW9pMrlaRxhceZ4z9Hc7jk12g9ShWeHw=
16051605
github.com/scrtlabs/iavl v1.2.2-secret.0/go.mod h1:GiM43q0pB+uG53mLxLDzimxM9l/5N9UuSY3/D0huuVw=
1606-
github.com/scrtlabs/tendermint v0.38.17-secret-7-add-implicit-hash h1:enOfMMDhEANlxnmf0aQfRIa3aIwWKUYsgSx86lQVJb0=
1607-
github.com/scrtlabs/tendermint v0.38.17-secret-7-add-implicit-hash/go.mod h1:vVQJOjosVUoChSxdYGQQ2Ojy35m/8el7r1LziCy4ox4=
1606+
github.com/scrtlabs/tendermint v0.38.17-secret-23-add-implicit-hash h1:DNE7aW19nTUgFMUNIIRgJBi/I6vYYEP4WQLQclY1ZIw=
1607+
github.com/scrtlabs/tendermint v0.38.17-secret-23-add-implicit-hash/go.mod h1:vVQJOjosVUoChSxdYGQQ2Ojy35m/8el7r1LziCy4ox4=
16081608
github.com/scrtlabs/tm-secret-enclave v1.12.3-implicit-hash h1:vssSAjnieWcH4XsGjpGv5MRk1fJTL4boCWrwbgkCFDQ=
16091609
github.com/scrtlabs/tm-secret-enclave v1.12.3-implicit-hash/go.mod h1:nxZQtzzAqBNBLOEXSv4cKlUnVA4vRmHOn6ujr3kxVME=
16101610
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=

x/compute/module.go

Lines changed: 3 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -158,26 +158,23 @@ func (am AppModule) BeginBlock(c context.Context) error {
158158
ctx.Logger().Error("Failed to get scheduled cron msgs")
159159
return err
160160
}
161+
// hash := sha256.Sum256([]byte("random"))
162+
// block_header.ImplicitHash = hash[:]
163+
// block_header.AppHash = hash[:]
161164

162165
cron_msgs := tm_type.Data{Txs: bytesCronMsgs}
163166
cron_data, err := cron_msgs.Marshal()
164167
if err != nil {
165168
ctx.Logger().Error("Failed to marshal cron_msgs")
166169
return err
167170
}
168-
// hash := sha256.Sum256(cron_data)
169171

170172
header, err := block_header.Marshal()
171173
if err != nil {
172174
ctx.Logger().Error("Failed to marshal block header")
173175
return err
174176
}
175177

176-
// fmt.Printf("---------------bytesCronMsgs--------------\n%+v\n", bytesCronMsgs)
177-
// fmt.Printf("---------------execCronMsgs--------------\n%+v\n", execCronMsgs)
178-
// fmt.Printf("ImplicitHash: %+v\n", hex.EncodeToString(hash[:]))
179-
// fmt.Printf("beginBlock: block_header: %+v\n", block_header)
180-
181178
commit := ctx.Commit()
182179
b_commit, err := commit.Marshal()
183180
if err != nil {
@@ -222,8 +219,6 @@ func (am AppModule) BeginBlock(c context.Context) error {
222219
// EndBlock returns the end blocker for the compute module.
223220
func (am AppModule) EndBlock(c context.Context) error {
224221
ctx := c.(sdk.Context)
225-
block_header := ctx.BlockHeader()
226-
fmt.Printf("endBlock: block_header: %+v\n", block_header)
227222

228223
_, bytesCronMsgs, err := am.keeper.GetScheduledMsgs(ctx, crontypes.ExecutionStage_EXECUTION_STAGE_END_BLOCKER)
229224
if err != nil {
@@ -245,7 +240,6 @@ func (am AppModule) EndBlock(c context.Context) error {
245240
ctx.Logger().Error("Failed to set implicit hash %+v", err)
246241
return err
247242
}
248-
fmt.Printf("---------------EndBlock--------------\n")
249243
return nil
250244
}
251245

0 commit comments

Comments
 (0)