From 91be67e6f0403c04c759ff8514669a859b2024a2 Mon Sep 17 00:00:00 2001 From: vlad Date: Tue, 15 Oct 2024 09:06:25 +0000 Subject: [PATCH] emergency upgrade: using whitelisted validators (hardcoded) --- cosmwasm/enclaves/execute/Cargo.toml | 2 +- .../execute/src/registration/offchain.rs | 22 +++++++++++++++++-- .../block-verifier/src/validator_whitelist.rs | 10 ++++----- 3 files changed, 26 insertions(+), 8 deletions(-) diff --git a/cosmwasm/enclaves/execute/Cargo.toml b/cosmwasm/enclaves/execute/Cargo.toml index 949d9e0fd..313730a74 100644 --- a/cosmwasm/enclaves/execute/Cargo.toml +++ b/cosmwasm/enclaves/execute/Cargo.toml @@ -87,7 +87,7 @@ log = "0.4.17" simple_logger = { version = "2.3.0", default-features = false, features = [ "stderr" ] } -block-verifier = { path = "../shared/block-verifier", optional = true } +block-verifier = { path = "../shared/block-verifier", optional = true, features = ["verify-validator-whitelist"] } time = "=0.3.17" ed25519-dalek = { version = "1.0", default-features = false } sha2 = "0.10" diff --git a/cosmwasm/enclaves/execute/src/registration/offchain.rs b/cosmwasm/enclaves/execute/src/registration/offchain.rs index 39f3e9d85..3197691c3 100644 --- a/cosmwasm/enclaves/execute/src/registration/offchain.rs +++ b/cosmwasm/enclaves/execute/src/registration/offchain.rs @@ -39,6 +39,9 @@ use super::seed_service::get_next_consensus_seed_from_service; use crate::registration::attestation::verify_quote_ecdsa; use crate::registration::onchain::split_combined_cert; +use block_verifier::validator_whitelist; +use validator_whitelist::ValidatorList; + use super::persistency::{write_master_pub_keys, write_seed}; use super::seed_exchange::{decrypt_seed, encrypt_seed, SeedType}; use enclave_utils::storage::write_to_untrusted; 
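Review bot: The feature list added on the `block-verifier` line names only `verify-validator-whitelist`, while validator_whitelist.rs (the `@@ -7,13 +7,13 @@` hunk of this commit) selects `VALIDATOR_THRESHOLD` from block-verifier's own `production` feature: 5 with it, 1 without. The whitelist file appears to be selected the same way. Because `is_export_approved_offchain` now returns its result against that threshold, a release build that does not forward `production` to this dependency would approve on a single signer. The `[features]` table is outside this hunk, so please confirm it carries a forwarding entry such as `"block-verifier/production"`, or add one in this commit.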
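Review bot: The two added `use` lines are unconditional as far as this hunk shows, yet `block-verifier` is declared `optional = true` in the Cargo.toml hunk of the same commit. If the crate can still be built without that dependency, this import breaks the build, so either gate the import and the whitelist check behind the feature that enables the dependency or drop `optional`. Any `#[cfg]` on the surrounding module would be outside the hunk. The two lines can also be merged: `use block_verifier::validator_whitelist::{self, ValidatorList};`.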
@@ -738,6 +741,9 @@ fn is_export_approved_offchain(mut f_in: File, report: &sgx_report_body_t) -> bo // verify all the signatures, and build the set of addresses let mut signers_set: BTreeSet<[u8; 20]> = BTreeSet::new(); + let mut whitelisted_signers: usize = 0; + let white_list: &ValidatorList = &validator_whitelist::VALIDATOR_WHITELIST; + for (addr_str, (pubkey_str, sig_str)) in &signatures { let pubkey_bytes = base64::decode(pubkey_str).unwrap(); @@ -770,10 +776,22 @@ fn is_export_approved_offchain(mut f_in: File, report: &sgx_report_body_t) -> bo panic!("Incorrect signature for address: {}", addr_str); } - signers_set.insert(addr); + if !signers_set.contains(&addr) { + signers_set.insert(addr); + + let is_whitelisted = white_list.contains(addr_str); + if is_whitelisted { + whitelisted_signers += 1; + } + + println!( + " Approved by {}, whitelisted = {}", + addr_str, is_whitelisted + ); + } } - false + whitelisted_signers >= validator_whitelist::VALIDATOR_THRESHOLD } fn is_export_approved(report: &sgx_report_body_t) -> bool { diff --git a/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs b/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs index e13a07cd9..09f74d55a 100644 --- a/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs +++ b/cosmwasm/enclaves/shared/block-verifier/src/validator_whitelist.rs 
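Review bot: In the `@@ -770,10 +776,22 @@` hunk the lookup `white_list.contains(addr_str)` uses the string key read from the input file, while de-duplication uses the decoded `addr`, and nothing visible in the hunk binds the two. Unless the lines above the hunk already check that `addr_str` is the encoding of the address derived from the verified public key, the whitelist count rests on a label the file supplies rather than on the key that signed. The lookup should use a value derived from `addr`, or that equality should be asserted before counting. The insert can drive the branch directly with `if signers_set.insert(addr) {`. The body of `is_export_approved_offchain` starts and ends outside these hunks.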
@@ -7,13 +7,13 @@ const WHITELIST_FROM_FILE: &str = include_str!("../fixtures/validator_whitelist. const WHITELIST_FROM_FILE: &str = include_str!("../fixtures/validator_whitelist_prod.txt"); #[cfg(not(feature = "production"))] -const VALIDATOR_THRESHOLD: usize = 1; +pub const VALIDATOR_THRESHOLD: usize = 1; #[cfg(feature = "production")] -const VALIDATOR_THRESHOLD: usize = 5; +pub const VALIDATOR_THRESHOLD: usize = 5; lazy_static::lazy_static! { - static ref VALIDATOR_WHITELIST: ValidatorList = ValidatorList::from_str(WHITELIST_FROM_FILE); + pub static ref VALIDATOR_WHITELIST: ValidatorList = ValidatorList::from_str(WHITELIST_FROM_FILE); } #[derive(Debug, Clone)] @@ -27,11 +27,11 @@ impl ValidatorList { // use for tests #[allow(dead_code)] - fn len(&self) -> usize { + pub fn len(&self) -> usize { self.0.len() } - fn contains(&self, input: &String) -> bool { + pub fn contains(&self, input: &String) -> bool { self.0.contains(input) } }
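Review bot: In the `@@ -27,11 +27,11 @@` hunk `len` becomes public but keeps the `// use for tests` comment and `#[allow(dead_code)]`, which are no longer needed once other crates can call it. Clippy's `len_without_is_empty` will also flag a public `len` with no `is_empty`. `contains` is now cross-crate API and takes `&String`; `&str` is the usual parameter type, though whether `self.0.contains` accepts it depends on the type of field 0, which is declared outside the hunk. The items made public here and in the previous hunk have no doc comments; a line such as `/// Minimum number of distinct whitelisted validators that must sign.` on `VALIDATOR_THRESHOLD` would state the contract that offchain.rs now relies on.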