Additional safety checks in PSBT signer #13917

pull sipa wants to merge 4 commits into bitcoin:master from sipa:201808_psbtsafesign changing 5 files +79 −11
  1. sipa commented at 9:33 PM on August 8, 2018: member

    The current PSBT signing code can end up producing a non-segwit signature, while only the UTXO being spent is provided in the PSBT (as opposed to the entire transaction being spent). This may be used to trick a user to incorrectly decide a transaction has the semantics he intends to sign.

    Fix this by refusing to sign if there is any mismatch between the provided data and what is being signed.

  2. MarcoFalke added the label Tests on Aug 8, 2018
  3. MarcoFalke removed the label Tests on Aug 8, 2018
  4. MarcoFalke added this to the milestone 0.17.0 on Aug 8, 2018
  5. MarcoFalke added the label Wallet on Aug 8, 2018
  6. sipa added the label Bug on Aug 8, 2018
  7. practicalswift commented at 10:32 PM on August 8, 2018: contributor

    Excellent! Thanks for tightening PSBT!

    Concept ACK

  8. in src/wallet/rpcwallet.cpp:4530 in 9c6ed3a41c outdated 
    4526 | @@ -4525,10 +4527,12 @@ bool FillPSBT(const CWallet* pwallet, PartiallySignedTransaction& psbtx, const C
4527 |          }
4528 |  
4529 |          // Drop the unnecessary UTXO
4530 | -        if (sigdata.witness) {
4531 | -            input.non_witness_utxo = nullptr;
4532 | -        } else {
4533 | -            input.witness_utxo.SetNull();
4534 | +        if (from_wallet) {
    promag commented at 10:46 PM on August 8, 2018:

    Commit "Only wipe wrong UTXO type data if overwritten by wallet"

    Suggestion, either reuse above condition if (it != pwallet->mapWallet.end())or above do:

    const bool from_wallet = it != pwallet->mapWallet.end();
if (from_wallet) {
    ...
}
    sipa commented at 11:41 PM on August 8, 2018:

    Done.

  9. in src/script/sign.cpp:250 in 41dad138f7 outdated 
     243 | @@ -244,17 +244,33 @@ bool SignPSBTInput(const SigningProvider& provider, const CMutableTransaction& t
 244 |      input.FillSignatureData(sigdata);
 245 |  
 246 |      // Get UTXO
 247 | +    bool require_witness_sig = false;
 248 |      CTxOut utxo;
 249 |      if (input.non_witness_utxo) {
 250 | +        // If we're taking our information from a non-witness UTXO, verify that it matches the prevout.
    promag commented at 10:48 PM on August 8, 2018:

    Commit "Additional sanity checks in SignPSBTInput"

    nit, could reflow comments.

    sipa commented at 11:41 PM on August 8, 2018:

    I think they're fine.

  10. DrahtBot commented at 11:06 PM on August 8, 2018: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->Note to reviewers: This pull request conflicts with the following ones:

    • #13932 (Additional utility RPCs for PSBT by achow101)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  11. achow101 commented at 11:18 PM on August 8, 2018: member

    utACK

    Here is a commit with some more test cases: https://github.com/achow101/bitcoin/commit/9f110e1acbb1dc882ea871043fd03cf9064a1063. It tests for non-matching redeem scripts with both witness and non-witness utxos and non-matching witness scripts (for witness utxo only)

  12. sipa force-pushed on Aug 8, 2018
  13. sipa commented at 11:41 PM on August 8, 2018: member

    Addressed @promag's nit, and included more tests by @achow101.

  14. DrahtBot cross-referenced this on Aug 9, 2018 from issue PSBT key path cleanups by sipa
  15. DrahtBot cross-referenced this on Aug 9, 2018 from issue Always create signatures with Low R values by achow101
  16. in src/script/sign.cpp:254 in 9abc8b1338 outdated 
     249 |      if (input.non_witness_utxo) {
 250 | +        // If we're taking our information from a non-witness UTXO, verify that it matches the prevout.
 251 | +        if (input.non_witness_utxo->GetHash() != tx.vin[index].prevout.hash) return false;
 252 | +        // If both witness and non-witness UTXO are provided, verify that they match. This check shouldn't
 253 | +        // matter, as the PSBT deserializer enforces only one of both is provided, and the only way both
 254 | +        // can be present is when they're added simultaneously by FillPSBT (in which case they always match).
    kallewoof commented at 6:37 AM on August 9, 2018:

    Is this comment based on the BIP/spec or implementation? What about other implementations that may not do what FillPSBT does in Bitcoin Core? I understand that the check is done anyway, but the comment sounds like it could be skipped due to an implementation detail, which sounds error-prone.

    sipa commented at 7:29 AM on August 9, 2018:

    @achow101 just opened a PR that adds the actual requirements to test for to BIP 174, including a simple implementation in pseudocode that implements it.

  17. kallewoof commented at 6:38 AM on August 9, 2018: member

    utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6

  18. achow101 commented at 6:31 PM on August 9, 2018: member

    utACK 2bc1296db7ba4e99f52a4002e67b11c0351819d6

  19. DrahtBot cross-referenced this on Aug 9, 2018 from issue Additional utility RPCs for PSBT by achow101
  20. kallewoof commented at 9:24 AM on August 13, 2018: member

    Perhaps unrelated, but either createpsbt is too lenient, or decodepsbt is broken.

    $ ./bitcoin-cli createpsbt "[]" "[{\"$(./bitcoin-cli getnewaddress)\":0.01}]"
cHNidP8BACoCAAAAAAFAQg8AAAAAABepFG6Rty1Vk+fUOR4v9E6R6YXDFkHwhwAAAAAAAA==
$ ./bitcoin-cli decodepsbt cHNidP8BACoCAAAAAAFAQg8AAAAAABepFG6Rty1Vk+fUOR4v9E6R6YXDFkHwhwAAAAAAAA==
error code: -22
error message:
TX decode failed CDataStream::read(): end of data: unspecified iostream_category error
  21. fanquake commented at 10:33 AM on August 13, 2018: member

    @sipa Can you rebase this now that #13666 is merged.

  22. DrahtBot added the label Needs rebase on Aug 13, 2018
  23. Only wipe wrong UTXO type data if overwritten by wallet c05712cb59
  24. Additional sanity checks in SignPSBTInput 8254e9950f
  25. Test that a non-witness script as witness utxo is not signed 7c8bffdc24
  26. More tests of signer checks 5df6f089b5
  27. sipa force-pushed on Aug 13, 2018
  28. sipa commented at 3:42 PM on August 13, 2018: member

    Rebased after #13666.

  29. sipa cross-referenced this on Aug 13, 2018 from issue decodepsbt fails for PSBT with no inputs by sipa
  30. DrahtBot removed the label Needs rebase on Aug 13, 2018
  31. achow101 commented at 6:37 PM on August 13, 2018: member

    re-utACK

  32. kallewoof commented at 5:24 AM on August 14, 2018: member

    re-utACK 5df6f089b53c5b5859e5a3454c026447e4752f82

  33. laanwj added the label Needs backport on Aug 14, 2018
  34. laanwj commented at 4:01 PM on August 14, 2018: member

    utACK 5df6f089b53c5b5859e5a3454c026447e4752f82

  35. ken2812221 referenced this in commit 63f8b0128b on Aug 14, 2018
  36. laanwj merged this on Aug 14, 2018
  37. laanwj closed this on Aug 14, 2018
  38. fanquake referenced this in commit ad6d845ac9 on Aug 15, 2018
  39. fanquake referenced this in commit dbaadc9ea9 on Aug 15, 2018
  40. fanquake referenced this in commit 8935869487 on Aug 15, 2018
  41. fanquake referenced this in commit 0333914467 on Aug 15, 2018
  42. fanquake cross-referenced this on Aug 15, 2018 from issue [0.17] Backport #13960 & #13917 by fanquake
  43. fanquake removed the label Needs backport on Aug 15, 2018
  44. fanquake commented at 2:04 AM on August 15, 2018: member

    Will be backported in #13976

  45. laanwj referenced this in commit 4a2960f73e on Aug 15, 2018
  46. uhliksk referenced this in commit fd273d0cc0 on Aug 29, 2018
  47. uhliksk referenced this in commit 86d89d4ec4 on Aug 29, 2018
  48. uhliksk referenced this in commit dce4cf7f5a on Aug 29, 2018
  49. uhliksk referenced this in commit bb51d30689 on Aug 29, 2018
  50. Bushstar cross-referenced this on Sep 4, 2018 from issue commits from bitcoin/master by Bushstar
  51. HashUnlimited referenced this in commit f108a9fe06 on Sep 14, 2018
  52. HashUnlimited cross-referenced this on Sep 14, 2018 from issue Additional sanity checks in SignPSBTInput by HashUnlimited
  53. HashUnlimited referenced this in commit 34bf9621b1 on Sep 14, 2018
  54. HashUnlimited cross-referenced this on Sep 14, 2018 from issue Only wipe wrong UTXO type data if overwritten by wallet by HashUnlimited
  55. HashUnlimited referenced this in commit b12061c8d0 on Sep 14, 2018
  56. HashUnlimited cross-referenced this on Sep 14, 2018 from issue Test that a non-witness script as witness utxo is not signed by HashUnlimited
  57. HashUnlimited referenced this in commit 8802e10c12 on Sep 14, 2018
  58. HashUnlimited cross-referenced this on Sep 14, 2018 from issue More tests of signer checks by HashUnlimited
  59. bitcoin locked this on Sep 8, 2021
Contributors
sipapracticalswiftpromagDrahtBotachow101kallewooffanquakelaanwj
Labels
BugWallet

Milestone
0.17.0

Linked (view graph)
#13958 decodepsbt fails for PSBT with no inputs#13976 [0.17] Backport #13960 & #13917
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:54 UTC