superfluous verification removed

This commit is contained in:
Drew Tada 2024-01-17 14:50:42 -06:00
parent a814934af2
commit 904309cd59
3 changed files with 36 additions and 51 deletions


@ -199,18 +199,8 @@ async fn handle_kernel_request(
} else {
for cap in initial_capabilities {
match parent_caps.get(&cap) {
// TODO I don't think we *have* to verify the sigs here but it doesn't hurt...
Some(sig) => {
match pk.verify(&rmp_serde::to_vec(&cap).unwrap_or_default(), sig) {
Ok(_) => {
valid_capabilities.insert(cap, sig.to_vec());
}
Err(e) => {
println!("kernel: InitializeProcess bad cap sig: {}\r", e);
continue;
}
}
}
// NOTE: verifying sigs here would be unnecessary
Some(sig) => valid_capabilities.insert(cap, sig.to_vec()),
None => {
println!(
"kernel: InitializeProcess caller {} doesn't have capability\r",
@ -1095,22 +1085,14 @@ pub async fn kernel(
}
);
},
t::CapMessage::GetSome { on, caps, responder } => {
t::CapMessage::FilterCaps { on, caps, responder } => {
let _ = responder.send(
match process_map.get(&on) {
None => vec![],
Some(p) => {
caps.iter().filter_map(|cap| {
// if issuer is foreign, retrieve uncritically
if cap.issuer.node != our.name {
p.capabilities.get(cap).map(|sig| {
(
cap.clone(),
sig.clone()
)
})
// if issuer is self, retrieve uncritically
} else if cap.issuer.process == on {
// if issuer is message source, then sign the cap
if cap.issuer.process == on {
Some((
cap.clone(),
keypair
@ -1118,20 +1100,12 @@ pub async fn kernel(
.as_ref()
.to_vec()
))
// otherwise verify the signature before returning
// otherwise, only attach previously saved caps
// NOTE we don't need to verify the sigs!
} else {
match p.capabilities.get(cap) {
None => None,
Some(sig) => {
let pk = signature::UnparsedPublicKey::new(&signature::ED25519, keypair.public_key());
match pk.verify(
&rmp_serde::to_vec(cap).unwrap_or_default(),
sig,
) {
Ok(_) => Some((cap.clone(), sig.clone())),
Err(_) => None,
}
},
Some(sig) => Some((cap.clone(), sig.clone()))
}
}
}).collect()
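Review bot: The `FilterCaps` arm now signs with the node keypair any cap whose `issuer.process == on` without looking at `issuer.node`; the removed first branch only reached the signing path when the issuer was local (`cap.issuer.node == our.name`), so a process can now get the kernel to sign a capability that names a foreign node as its issuer. The practical impact looks limited — the named issuer would reject it when verifying with its own key, and nodes that are not the issuer accept foreign-issuer caps unverified anyway — but the kernel should not act as a signing oracle for caps it did not issue, and restoring the node check keeps the invariant that our key only ever signs caps issued here: `if cap.issuer.node == our.name && cap.issuer.process == on {`. The first hunk drops verification of entries already in `parent_caps`, which is sound only because nothing but the kernel writes to that store; that assumption belongs in the NOTE, and `pk` may now be unused in `handle_kernel_request`. Both enclosing functions start and end outside the hunks.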


@ -146,7 +146,7 @@ impl ProcessState {
inner_request.capabilities = {
let (tx, rx) = tokio::sync::oneshot::channel();
self.caps_oracle
.send(t::CapMessage::GetSome {
.send(t::CapMessage::FilterCaps {
on: self.metadata.our.process.clone(),
caps: request
.capabilities
@ -264,7 +264,7 @@ impl ProcessState {
let (tx, rx) = tokio::sync::oneshot::channel();
let _ = self
.caps_oracle
.send(t::CapMessage::GetSome {
.send(t::CapMessage::FilterCaps {
on: self.metadata.our.process.clone(),
caps: response
.capabilities
@ -378,15 +378,18 @@ impl ProcessState {
.capabilities
.iter()
.filter_map(|(cap, sig)| {
if cap.issuer.node != self.metadata.our.node {
// accept all remote caps uncritically
// The only time we verify a cap's signature is when a foreign node
// sends us a cap that we (allegedly) issued
if km.source.node != self.metadata.our.node
&& cap.issuer.node == self.metadata.our.node
{
match pk.verify(&rmp_serde::to_vec(&cap).unwrap_or_default(), sig) {
Ok(_) => Some((cap.clone(), sig.clone())),
Err(_) => None,
}
} else {
return Some((cap.clone(), sig.clone()));
}
// otherwise only return capabilities that were properly signed
match pk.verify(&rmp_serde::to_vec(&cap).unwrap_or_default(), sig) {
Ok(_) => Some((cap.clone(), sig.clone())),
Err(_) => None,
}
})
.collect::<Vec<(t::Capability, Vec<u8>)>>();
wit::Message::Request(t::en_wit_request(request))
@ -398,15 +401,18 @@ impl ProcessState {
.capabilities
.iter()
.filter_map(|(cap, sig)| {
if cap.issuer.node != self.metadata.our.node {
// accept all remote caps uncritically
// The only time we verify a cap's signature is when a foreign node
// sends us a cap that we (allegedly) issued
if km.source.node != self.metadata.our.node
&& cap.issuer.node == self.metadata.our.node
{
match pk.verify(&rmp_serde::to_vec(&cap).unwrap_or_default(), sig) {
Ok(_) => Some((cap.clone(), sig.clone())),
Err(_) => None,
}
} else {
return Some((cap.clone(), sig.clone()));
}
// otherwise only return capabilities that were properly signed
match pk.verify(&rmp_serde::to_vec(&cap).unwrap_or_default(), sig) {
Ok(_) => Some((cap.clone(), sig.clone())),
Err(_) => None,
}
})
.collect::<Vec<(t::Capability, Vec<u8>)>>();
wit::Message::Response((t::en_wit_response(response), context))
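Review bot: The new comment says when a signature is checked but not why the two unchecked paths are safe, and that reasoning is the whole security argument of this change; I would extend it with `// Caps from a local process were already filtered and signed by our own kernel (FilterCaps), and caps issued by a third node cannot be checked here since we hold no key for it — both are passed through unverified.` That also makes explicit that the check now hinges on `km.source.node` being stamped by the networking layer from the authenticated peer rather than copied from the message body, which I assume holds but cannot confirm from these hunks. The closure body is repeated verbatim in the `Request` and `Response` arms; hoisting it into one closure or a private helper on `ProcessState` would keep the two paths from drifting. Minor: the `else { return Some(...); }` inside the closure can be the plain expression `} else { Some((cap.clone(), sig.clone())) }`. The enclosing method starts before the first hunk and continues past the second.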


@ -959,6 +959,7 @@ pub enum KernelResponse {
#[derive(Debug)]
pub enum CapMessage {
/// root access: uncritically sign and add all `caps` to `on`
Add {
on: ProcessId,
caps: Vec<Capability>,
@ -970,17 +971,21 @@ pub enum CapMessage {
cap: Capability,
responder: tokio::sync::oneshot::Sender<bool>,
},
/// does `on` have `cap` in its store?
Has {
// a bool is given in response here
on: ProcessId,
cap: Capability,
responder: tokio::sync::oneshot::Sender<bool>,
},
/// return all caps in `on`'s store
GetAll {
on: ProcessId,
responder: tokio::sync::oneshot::Sender<Vec<(Capability, Vec<u8>)>>,
},
GetSome {
/// before `on` sends a message, filter out any bogus caps it may have attached, sign any new
/// caps it may have created, and retreive the signature for the caps in its store.
FilterCaps {
on: ProcessId,
caps: Vec<Capability>,
responder: tokio::sync::oneshot::Sender<Vec<(Capability, Vec<u8>)>>,
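Review bot: The `FilterCaps` doc comment has a typo (`retreive`) and leaves the signing rule implicit, although that rule is what the kernel arm is supposed to implement; I would make it `/// before on sends a message, drop any attached caps that are not in its store, sign the caps on issued itself, and retrieve the stored signature for the rest.` Stating the rule here gives the kernel implementation something concrete to be checked against when the signing condition changes, as it does in this commit.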