Simplify LSPS5/validator: drop time checks & custom signature storage #3961
Conversation
|
👋 Thanks for assigning @TheBlueMatt as a reviewer! |
thoughts? @tnull @TheBlueMatt |
martinsaposnic
force-pushed
the
lsps5-validator-follow-up
branch
from
f4dc5a0 to
e397c77
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3961 +/- ##
=======================================
Coverage 88.93% 88.94%
=======================================
Files 174 174
Lines 123880 123835 -45
Branches 123880 123835 -45
=======================================
- Hits 110176 110147 -29
+ Misses 11251 11240 -11
+ Partials 2453 2448 -5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
martinsaposnic
force-pushed
the
lsps5-validator-follow-up
branch
3 times, most recently
from
a882fed to
2122b24
Compare
|
I'm a fan of this, and the code seems Obviously Correct (tm), but I'll let @tnull chime in in case he thinks there is some attack the more full-featured replay protection fixes. |
TheBlueMatt
requested review from
tnull
and removed request for
valentinewallace
|
🔔 1st Reminder Hey @tnull! This PR has been waiting for your review. |
There was a problem hiding this comment.
As discussed elsewhere, concept ACK from my side. I'll actually also see to update the bLIP-55 PR to drop the mention of the timestamp header there.
That said, I'm a bit confused why we have a signature cache at all now? If we think TLS sufficiently protects against replaying packets, what additional protection does the cache give us? Especially, since the cache is of course easily gamed, as any adversary able to intercept and replay messages could now simply intercept 6 different messages and replay them in batches, ensuring that the cache lookup always misses?
from what I remember from our convo a few weeks ago, the cache is mainly there to handle "accidental" replays from the LSP, e.g. the connection drops and the LSP doesn’t get the ACK, so it retries even though the notification actually landed. but yeah, I agree we could just drop those extra lines and keep things simpler. @TheBlueMatt what are your thoughts? |
Remove timestamp validation, TimeProvider, SignatureStore trait and its InMemory implementation in favor of a fixed size signature cache. HTTPS already secures delivery, so a small cache is sufficient for basic replay protection.
martinsaposnic
force-pushed
the
lsps5-validator-follow-up
branch
from
2122b24 to
dc97b9c
Compare
done ✅ |
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
Remove timestamp validation, TimeProvider, SignatureStore trait and its InMemory implementation in favor of a fixed size signature cache. HTTPS already secures delivery, so a small cache is sufficient for basic replay protection.
pub const MAX_RECENT_SIGNATURES: usize = 5;-> I came up with the 5 number limit, not sure if we need more/less. Please comment your opinion on thisThis is a planned follow up for the recently merged PR #3662, here is link with the discussion and motivation for this change #3662 (comment)