From 48b70ecff1152f9eec091ff03b803d997a573b19 Mon Sep 17 00:00:00 2001 From: Ryan Schneider Date: Fri, 2 Nov 2018 13:26:45 -0700 Subject: [PATCH 1/2] cmd, eth: Add support for `--whitelist =,...` flag * Rejects peers that respond with a different hash for any of the passed in block numbers. * Meant for emergency situations when the network forks unexpectedly. --- cmd/geth/main.go | 1 + cmd/geth/usage.go | 1 + cmd/utils/flags.go | 33 +++++++++++++++++++++++++++++++++ eth/backend.go | 2 +- eth/config.go | 3 +++ eth/handler.go | 26 +++++++++++++++++++++++++- eth/handler_test.go | 4 ++-- eth/helper_test.go | 2 +- 8 files changed, 67 insertions(+), 5 deletions(-) diff --git a/cmd/geth/main.go b/cmd/geth/main.go index 69802a48a..fc1bf461f 100644 --- a/cmd/geth/main.go +++ b/cmd/geth/main.go @@ -87,6 +87,7 @@ var ( utils.LightServFlag, utils.LightPeersFlag, utils.LightKDFFlag, + utils.WhitelistFlag, utils.CacheFlag, utils.CacheDatabaseFlag, utils.CacheTrieFlag, diff --git a/cmd/geth/usage.go b/cmd/geth/usage.go index 82f17e0ee..25a702dd7 100644 --- a/cmd/geth/usage.go +++ b/cmd/geth/usage.go @@ -81,6 +81,7 @@ var AppHelpFlagGroups = []flagGroup{ utils.LightServFlag, utils.LightPeersFlag, utils.LightKDFFlag, + utils.WhitelistFlag, }, }, { diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go index 6a285fcb3..4727e7cdf 100644 --- a/cmd/utils/flags.go +++ b/cmd/utils/flags.go @@ -182,6 +182,10 @@ var ( Name: "lightkdf", Usage: "Reduce key-derivation RAM & CPU usage at some expense of KDF strength", } + WhitelistFlag = cli.StringFlag{ + Name: "whitelist", + Usage: "Comma separated block number-to-hash mappings to enforce (=)", + } // Dashboard settings DashboardEnabledFlag = cli.BoolFlag{ Name: metrics.DashboardEnabledFlag, @@ -1072,6 +1076,34 @@ func setEthash(ctx *cli.Context, cfg *eth.Config) { } } +func setWhitelist(ctx *cli.Context, cfg *eth.Config) { + if ctx.GlobalIsSet(WhitelistFlag.Name) { + entries := strings.Split(ctx.String(WhitelistFlag.Name), ",") + whitelist := make(map[uint64]common.Hash) + for _, entry := range entries { + split := strings.SplitN(entry, "=", 2) + if len(split) != 2 { + Fatalf("invalid whitelist entry: %s", entry) + } + + bn, err := strconv.ParseUint(split[0], 0, 64) + if err != nil { + Fatalf("Invalid whitelist block number %s: %v", split[0], err) + } + + hash := common.Hash{} + err = hash.UnmarshalText([]byte(split[1])) + if err != nil { + Fatalf("Invalid whitelist hash %s: %v", split[1], err) + } + + whitelist[bn] = hash + } + + cfg.Whitelist = whitelist + } +} + // checkExclusive verifies that only a single instance of the provided flags was // set by the user. Each flag might optionally be followed by a string type to // specialize it further. @@ -1137,6 +1169,7 @@ func SetEthConfig(ctx *cli.Context, stack *node.Node, cfg *eth.Config) { setGPO(ctx, &cfg.GPO) setTxPool(ctx, &cfg.TxPool) setEthash(ctx, cfg) + setWhitelist(ctx, cfg) if ctx.GlobalIsSet(SyncModeFlag.Name) { cfg.SyncMode = *GlobalTextMarshaler(ctx, SyncModeFlag.Name).(*downloader.SyncMode) diff --git a/eth/backend.go b/eth/backend.go index 472140842..3f538d5f5 100644 --- a/eth/backend.go +++ b/eth/backend.go @@ -173,7 +173,7 @@ func New(ctx *node.ServiceContext, config *Config) (*Ethereum, error) { } eth.txPool = core.NewTxPool(config.TxPool, eth.chainConfig, eth.blockchain) - if eth.protocolManager, err = NewProtocolManager(eth.chainConfig, config.SyncMode, config.NetworkId, eth.eventMux, eth.txPool, eth.engine, eth.blockchain, chainDb); err != nil { + if eth.protocolManager, err = NewProtocolManager(eth.chainConfig, config.SyncMode, config.NetworkId, eth.eventMux, eth.txPool, eth.engine, eth.blockchain, chainDb, config.Whitelist); err != nil { return nil, err } diff --git a/eth/config.go b/eth/config.go index 601f4735e..a5c209512 100644 --- a/eth/config.go +++ b/eth/config.go @@ -87,6 +87,9 @@ type Config struct { SyncMode downloader.SyncMode NoPruning bool + // Whitelist of required block number -> hash values to accept + Whitelist map[uint64]common.Hash `toml:"-"` + // Light client options LightServ int `toml:",omitempty"` // Maximum percentage of time allowed for serving LES requests LightPeers int `toml:",omitempty"` // Maximum number of LES client peers diff --git a/eth/handler.go b/eth/handler.go index 741fc9d5a..21f31bc7c 100644 --- a/eth/handler.go +++ b/eth/handler.go @@ -17,6 +17,7 @@ package eth import ( + "bytes" "encoding/json" "errors" "fmt" @@ -88,6 +89,8 @@ type ProtocolManager struct { txsSub event.Subscription minedBlockSub *event.TypeMuxSubscription + whitelist map[uint64]common.Hash + // channels for fetcher, syncer, txsyncLoop newPeerCh chan *peer txsyncCh chan *txsync @@ -101,7 +104,7 @@ type ProtocolManager struct { // NewProtocolManager returns a new Ethereum sub protocol manager. The Ethereum sub protocol manages peers capable // with the Ethereum network. -func NewProtocolManager(config *params.ChainConfig, mode downloader.SyncMode, networkID uint64, mux *event.TypeMux, txpool txPool, engine consensus.Engine, blockchain *core.BlockChain, chaindb ethdb.Database) (*ProtocolManager, error) { +func NewProtocolManager(config *params.ChainConfig, mode downloader.SyncMode, networkID uint64, mux *event.TypeMux, txpool txPool, engine consensus.Engine, blockchain *core.BlockChain, chaindb ethdb.Database, whitelist map[uint64]common.Hash) (*ProtocolManager, error) { // Create the protocol manager with the base fields manager := &ProtocolManager{ networkID: networkID, @@ -110,6 +113,7 @@ func NewProtocolManager(config *params.ChainConfig, mode downloader.SyncMode, ne blockchain: blockchain, chainconfig: config, peers: newPeerSet(), + whitelist: whitelist, newPeerCh: make(chan *peer), noMorePeers: make(chan struct{}), txsyncCh: make(chan *txsync), @@ -307,6 +311,16 @@ func (pm *ProtocolManager) handle(p *peer) error { } }() } + + // If we have any explicit whitelist block hashes, request them + for bn := range pm.whitelist { + p.Log().Debug("Requesting whitelist block", "number", bn) + if err := p.RequestHeadersByNumber(bn, 1, 0, false); err != nil { + p.Log().Error("whitelist request failed", "err", err, "number", bn, "peer", p.id) + return err + } + } + // main loop. handle incoming messages. for { if err := pm.handleMsg(p); err != nil { @@ -452,6 +466,16 @@ func (pm *ProtocolManager) handleMsg(p *peer) error { // Filter out any explicitly requested headers, deliver the rest to the downloader filter := len(headers) == 1 if filter { + // Check for any responses not matching our whitelist + if expected, ok := pm.whitelist[headers[0].Number.Uint64()]; ok { + actual := headers[0].Hash() + if !bytes.Equal(expected.Bytes(), actual.Bytes()) { + p.Log().Info("Dropping peer with non-matching whitelist block", "number", headers[0].Number.Uint64(), "hash", actual, "expected", expected) + return errors.New("whitelist block mismatch") + } + p.Log().Debug("Whitelist block verified", "number", headers[0].Number.Uint64(), "hash", expected) + } + // If it's a potential DAO fork check, validate against the rules if p.forkDrop != nil && pm.chainconfig.DAOForkBlock.Cmp(headers[0].Number) == 0 { // Disable the fork drop timer diff --git a/eth/handler_test.go b/eth/handler_test.go index 44824fd0b..9fffd9581 100644 --- a/eth/handler_test.go +++ b/eth/handler_test.go @@ -478,7 +478,7 @@ func testDAOChallenge(t *testing.T, localForked, remoteForked bool, timeout bool if err != nil { t.Fatalf("failed to create new blockchain: %v", err) } - pm, err := NewProtocolManager(config, downloader.FullSync, DefaultConfig.NetworkId, evmux, new(testTxPool), pow, blockchain, db) + pm, err := NewProtocolManager(config, downloader.FullSync, DefaultConfig.NetworkId, evmux, new(testTxPool), pow, blockchain, db, nil) if err != nil { t.Fatalf("failed to start test protocol manager: %v", err) } @@ -559,7 +559,7 @@ func testBroadcastBlock(t *testing.T, totalPeers, broadcastExpected int) { if err != nil { t.Fatalf("failed to create new blockchain: %v", err) } - pm, err := NewProtocolManager(config, downloader.FullSync, DefaultConfig.NetworkId, evmux, new(testTxPool), pow, blockchain, db) + pm, err := NewProtocolManager(config, downloader.FullSync, DefaultConfig.NetworkId, evmux, new(testTxPool), pow, blockchain, db, nil) if err != nil { t.Fatalf("failed to start test protocol manager: %v", err) } diff --git a/eth/helper_test.go b/eth/helper_test.go index 4e38a129e..b18a02baf 100644 --- a/eth/helper_test.go +++ b/eth/helper_test.go @@ -66,7 +66,7 @@ func newTestProtocolManager(mode downloader.SyncMode, blocks int, generator func panic(err) } - pm, err := NewProtocolManager(gspec.Config, mode, DefaultConfig.NetworkId, evmux, &testTxPool{added: newtx}, engine, blockchain, db) + pm, err := NewProtocolManager(gspec.Config, mode, DefaultConfig.NetworkId, evmux, &testTxPool{added: newtx}, engine, blockchain, db, nil) if err != nil { return nil, nil, err } From 31b33349227715e8d1f8753d913892c1e35439d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Szil=C3=A1gyi?= Date: Mon, 10 Dec 2018 14:47:01 +0200 Subject: [PATCH 2/2] cmd/utils, eth: minor polishes on whitelist code --- cmd/utils/flags.go | 41 ++++++++++++++++++----------------------- eth/handler.go | 29 +++++++++++------------------ 2 files changed, 29 insertions(+), 41 deletions(-) diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go index 4727e7cdf..c9115d7a3 100644 --- a/cmd/utils/flags.go +++ b/cmd/utils/flags.go @@ -1077,30 +1077,25 @@ func setEthash(ctx *cli.Context, cfg *eth.Config) { } func setWhitelist(ctx *cli.Context, cfg *eth.Config) { - if ctx.GlobalIsSet(WhitelistFlag.Name) { - entries := strings.Split(ctx.String(WhitelistFlag.Name), ",") - whitelist := make(map[uint64]common.Hash) - for _, entry := range entries { - split := strings.SplitN(entry, "=", 2) - if len(split) != 2 { - Fatalf("invalid whitelist entry: %s", entry) - } - - bn, err := strconv.ParseUint(split[0], 0, 64) - if err != nil { - Fatalf("Invalid whitelist block number %s: %v", split[0], err) - } - - hash := common.Hash{} - err = hash.UnmarshalText([]byte(split[1])) - if err != nil { - Fatalf("Invalid whitelist hash %s: %v", split[1], err) - } - - whitelist[bn] = hash + whitelist := ctx.GlobalString(WhitelistFlag.Name) + if whitelist == "" { + return + } + cfg.Whitelist = make(map[uint64]common.Hash) + for _, entry := range strings.Split(whitelist, ",") { + parts := strings.Split(entry, "=") + if len(parts) != 2 { + Fatalf("Invalid whitelist entry: %s", entry) } - - cfg.Whitelist = whitelist + number, err := strconv.ParseUint(parts[0], 0, 64) + if err != nil { + Fatalf("Invalid whitelist block number %s: %v", parts[0], err) + } + var hash common.Hash + if err = hash.UnmarshalText([]byte(parts[1])); err != nil { + Fatalf("Invalid whitelist hash %s: %v", parts[1], err) + } + cfg.Whitelist[number] = hash } } diff --git a/eth/handler.go b/eth/handler.go index 21f31bc7c..b42612a56 100644 --- a/eth/handler.go +++ b/eth/handler.go @@ -17,7 +17,6 @@ package eth import ( - "bytes" "encoding/json" "errors" "fmt" @@ -311,17 +310,13 @@ func (pm *ProtocolManager) handle(p *peer) error { } }() } - // If we have any explicit whitelist block hashes, request them - for bn := range pm.whitelist { - p.Log().Debug("Requesting whitelist block", "number", bn) - if err := p.RequestHeadersByNumber(bn, 1, 0, false); err != nil { - p.Log().Error("whitelist request failed", "err", err, "number", bn, "peer", p.id) + for number := range pm.whitelist { + if err := p.RequestHeadersByNumber(number, 1, 0, false); err != nil { return err } } - - // main loop. handle incoming messages. + // Handle incoming messages until the connection is torn down for { if err := pm.handleMsg(p); err != nil { p.Log().Debug("Ethereum message handling failed", "err", err) @@ -466,16 +461,6 @@ func (pm *ProtocolManager) handleMsg(p *peer) error { // Filter out any explicitly requested headers, deliver the rest to the downloader filter := len(headers) == 1 if filter { - // Check for any responses not matching our whitelist - if expected, ok := pm.whitelist[headers[0].Number.Uint64()]; ok { - actual := headers[0].Hash() - if !bytes.Equal(expected.Bytes(), actual.Bytes()) { - p.Log().Info("Dropping peer with non-matching whitelist block", "number", headers[0].Number.Uint64(), "hash", actual, "expected", expected) - return errors.New("whitelist block mismatch") - } - p.Log().Debug("Whitelist block verified", "number", headers[0].Number.Uint64(), "hash", expected) - } - // If it's a potential DAO fork check, validate against the rules if p.forkDrop != nil && pm.chainconfig.DAOForkBlock.Cmp(headers[0].Number) == 0 { // Disable the fork drop timer @@ -490,6 +475,14 @@ func (pm *ProtocolManager) handleMsg(p *peer) error { p.Log().Debug("Verified to be on the same side of the DAO fork") return nil } + // Otherwise if it's a whitelisted block, validate against the set + if want, ok := pm.whitelist[headers[0].Number.Uint64()]; ok { + if hash := headers[0].Hash(); want != hash { + p.Log().Info("Whitelist mismatch, dropping peer", "number", headers[0].Number.Uint64(), "hash", hash, "want", want) + return errors.New("whitelist block mismatch") + } + p.Log().Debug("Whitelist block verified", "number", headers[0].Number.Uint64(), "hash", want) + } // Irrelevant of the fork checks, send the header to the fetcher just in case headers = pm.fetcher.FilterHeaders(p.id, headers, time.Now()) }