zecfoundation
/
zebra
mirror of https://github.com/ZcashFoundation/zebra.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Security: stop gossiping failure and attempt times as last_seen times (#2273) 

* Security: stop gossiping failure and attempt times as last_seen times

Previously, Zebra had a single time field for peer addresses, which was
updated every time a peer was attempted, sent a message, or failed.

This is a security issue, because the `last_seen` time should be
"the last time [a peer] connected to that node", so that
"nodes can use the time field to avoid relaying old 'addr' messages".
So Zebra was sending incorrect peer information to other nodes.

As part of this change, we split the `last_seen` time into the
following fields:
- untrusted_last_seen: gossiped from other peers
- last_response: time we got a response from a directly connected peer
- last_attempt: time we attempted to connect to a peer
- last_failure: time a connection with a peer failed

* Implement Arbitrary and strategies for MetaAddrChange

Also replace the MetaAddr Arbitrary impl with a derive.

* Write proptests for MetaAddr and MetaAddrChange

MetaAddr:
- the only times that get included in serialized MetaAddrs are
  the untrusted last seen and responded times

MetaAddrChange:
- the untrusted last seen time is never updated
- the services are only updated if there has been a handshake
This commit is contained in:
teor 2021-06-15 13:31:16 +10:00 committed by GitHub
parent 2291abc150
commit 3f7410d073
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 703 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
zebra-network/src/address_book.rs
View File

@ -11,7 +11,7 @@ use std::{
use chrono::{DateTime, Utc};
use tracing::Span;
use crate::{constants, types::MetaAddr, Config, PeerAddrState};
use crate::{constants, meta_addr::MetaAddrChange, types::MetaAddr, Config, PeerAddrState};
/// A database of peer listener addresses, their advertised services, and
/// information on when they were last seen.
@ -105,7 +105,7 @@ impl AddressBook {
}
/// Get the local listener address.
pub fn get_local_listener(&self) -> MetaAddr {
pub fn get_local_listener(&self) -> MetaAddrChange {
MetaAddr::new_local_listener(&self.local_listener)
}
@ -115,7 +115,7 @@ impl AddressBook {
let _guard = self.span.enter();
let mut peers = self
.peers()
.map(|a| MetaAddr::sanitize(&a))
.filter_map(|a| MetaAddr::sanitize(&a))
.collect::<Vec<_>>();
peers.shuffle(&mut rand::thread_rng());
peers
@ -133,48 +133,52 @@ impl AddressBook {
self.by_addr.get(&addr).cloned()
}
/// Add `new` to the address book, updating the previous entry if `new` is
/// more recent or discarding `new` if it is stale.
/// Apply `change` to the address book, returning the updated `MetaAddr`,
/// if the change was valid.
///
/// # Correctness
///
/// All new addresses should go through `update`, so that the address book
/// All changes should go through `update`, so that the address book
/// only contains valid outbound addresses.
pub fn update(&mut self, new: MetaAddr) {
pub fn update(&mut self, change: MetaAddrChange) -> Option<MetaAddr> {
let _guard = self.span.enter();
let previous = self.by_addr.get(&change.addr()).cloned();
let updated = change.apply_to_meta_addr(previous);
trace!(
?new,
?change,
?updated,
?previous,
total_peers = self.by_addr.len(),
recent_peers = self.recently_live_peers().count(),
);
if let Some(updated) = updated {
// If a node that we are directly connected to has changed to a client,
// remove it from the address book.
if new.is_direct_client() && self.contains_addr(&new.addr) {
if updated.is_direct_client() && previous.is_some() {
std::mem::drop(_guard);
self.take(new.addr);
return;
self.take(updated.addr);
return None;
}
// Never add unspecified addresses or client services.
//
// Communication with these addresses can be monitored via Zebra's
// metrics. (The address book is for valid peer addresses.)
if !new.is_valid_for_outbound() {
return;
if !updated.is_valid_for_outbound() {
return None;
}
if let Some(prev) = self.get_by_addr(new.addr) {
if prev.get_last_seen() > new.get_last_seen() {
return;
}
}
self.by_addr.insert(new.addr, new);
self.by_addr.insert(updated.addr, updated);
std::mem::drop(_guard);
self.update_metrics();
}
updated
}
/// Removes the entry with `addr`, returning it if it exists
///
/// # Note
@ -221,7 +225,7 @@ impl AddressBook {
// NeverAttempted, Failed, and AttemptPending peers should never be live
Some(peer) => {
peer.last_connection_state == PeerAddrState::Responded
&& peer.get_last_seen().to_chrono() > AddressBook::liveness_cutoff_time()
&& peer.get_last_seen() > AddressBook::liveness_cutoff_time()
}
}
}
@ -417,13 +421,13 @@ impl AddressBook {
}
}
impl Extend<MetaAddr> for AddressBook {
impl Extend<MetaAddrChange> for AddressBook {
fn extend<T>(&mut self, iter: T)
where
T: IntoIterator<Item = MetaAddr>,
T: IntoIterator<Item = MetaAddrChange>,
{
for meta in iter.into_iter() {
self.update(meta);
for change in iter.into_iter() {
self.update(change);
}
}
}

505
zebra-network/src/meta_addr.rs
View File

@ -4,10 +4,12 @@ use std::{
cmp::{Ord, Ordering},
io::{Read, Write},
net::SocketAddr,
time::Instant,
};
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
use chrono::Duration;
use zebra_chain::serialization::{
DateTime32, ReadZcashExt, SerializationError, TrustedPreallocate, WriteZcashExt,
ZcashDeserialize, ZcashDeserializeInto, ZcashSerialize,
@ -15,11 +17,14 @@ use zebra_chain::serialization::{
use crate::protocol::{external::MAX_PROTOCOL_MESSAGE_LEN, types::PeerServices};
use MetaAddrChange::*;
use PeerAddrState::*;
#[cfg(any(test, feature = "proptest-impl"))]
use proptest_derive::Arbitrary;
#[cfg(any(test, feature = "proptest-impl"))]
use zebra_chain::serialization::arbitrary::canonical_socket_addr;
#[cfg(any(test, feature = "proptest-impl"))]
mod arbitrary;
#[cfg(test)]
@ -59,6 +64,16 @@ pub enum PeerAddrState {
AttemptPending,
}
impl PeerAddrState {
/// Return true if this state is a "never attempted" state.
pub fn is_never_attempted(&self) -> bool {
match self {
NeverAttemptedGossiped | NeverAttemptedAlternate => true,
AttemptPending | Responded | Failed => false,
}
}
}
// non-test code should explicitly specify the peer address state
#[cfg(test)]
impl Default for PeerAddrState {
@ -105,8 +120,13 @@ impl PartialOrd for PeerAddrState {
///
/// [Bitcoin reference](https://en.bitcoin.it/wiki/Protocol_documentation#Network_address)
#[derive(Copy, Clone, Debug)]
#[cfg_attr(any(test, feature = "proptest-impl"), derive(Arbitrary))]
pub struct MetaAddr {
/// The peer's address.
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
pub addr: SocketAddr,
/// The services advertised by the peer.
@ -123,20 +143,136 @@ pub struct MetaAddr {
///
/// `services` from `NeverAttempted` peers may be invalid due to outdated
/// records, older peer versions, or buggy or malicious peers.
//
// TODO: make services private and optional
// split gossiped and handshake services?
pub services: PeerServices,
/// The last time we interacted with this peer.
/// The unverified "last seen time" gossiped by the remote peer that sent us
/// this address.
///
/// See `get_last_seen` for details.
last_seen: DateTime32,
/// See the [`MetaAddr::last_seen`] method for details.
untrusted_last_seen: Option<DateTime32>,
/// The last time we received a message from this peer.
///
/// See the [`MetaAddr::last_seen`] method for details.
last_response: Option<DateTime32>,
/// The last time we tried to open an outbound connection to this peer.
///
/// See the [`MetaAddr::last_attempt`] method for details.
last_attempt: Option<Instant>,
/// The last time our outbound connection with this peer failed.
///
/// See the [`MetaAddr::last_failure`] method for details.
last_failure: Option<Instant>,
/// The outcome of our most recent communication attempt with this peer.
pub last_connection_state: PeerAddrState,
//
// TODO: move the time and services fields into PeerAddrState?
// then some fields could be required in some states
}
/// A change to an existing `MetaAddr`.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
#[cfg_attr(any(test, feature = "proptest-impl"), derive(Arbitrary))]
pub enum MetaAddrChange {
/// Creates a new gossiped `MetaAddr`.
NewGossiped {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
untrusted_services: PeerServices,
untrusted_last_seen: DateTime32,
},
/// Creates new alternate `MetaAddr`.
///
/// Based on the canonical peer address in `Version` messages.
NewAlternate {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
untrusted_services: PeerServices,
},
/// Creates new local listener `MetaAddr`.
NewLocal {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
},
/// Updates an existing `MetaAddr` when an outbound connection attempt
/// starts.
UpdateAttempt {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
},
/// Updates an existing `MetaAddr` when a peer responds with a message.
UpdateResponded {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
services: PeerServices,
},
/// Updates an existing `MetaAddr` when a peer fails.
UpdateFailed {
#[cfg_attr(
any(test, feature = "proptest-impl"),
proptest(strategy = "canonical_socket_addr()")
)]
addr: SocketAddr,
services: Option<PeerServices>,
},
}
// TODO: remove this use in a follow-up PR
use chrono::{DateTime, Utc};
impl MetaAddr {
/// Create a new gossiped [`MetaAddr`], based on the deserialized fields from
/// a gossiped peer [`Addr`][crate::protocol::external::Message::Addr] message.
/// Returns the maximum time among all the time fields.
///
/// This function exists to replicate an old Zebra bug.
/// TODO: remove this function in a follow-up PR
pub(crate) fn get_last_seen(&self) -> DateTime<Utc> {
let latest_seen = self
.untrusted_last_seen
.max(self.last_response)
.map(DateTime32::to_chrono);
// At this point it's pretty obvious why we want to get rid of this code
let latest_try = self
.last_attempt
.max(self.last_failure)
.map(|latest_try| Instant::now().checked_duration_since(latest_try))
.flatten()
.map(Duration::from_std)
.map(Result::ok)
.flatten()
.map(|before_now| Utc::now() - before_now);
latest_seen.or(latest_try).unwrap_or(chrono::MIN_DATETIME)
}
/// Returns a new `MetaAddr`, based on the deserialized fields from a
/// gossiped peer [`Addr`][crate::protocol::external::Message::Addr] message.
pub fn new_gossiped_meta_addr(
addr: SocketAddr,
untrusted_services: PeerServices,
@ -145,13 +281,28 @@ impl MetaAddr {
MetaAddr {
addr,
services: untrusted_services,
last_seen: untrusted_last_seen,
// the state is Zebra-specific, it isn't part of the Zcash network protocol
untrusted_last_seen: Some(untrusted_last_seen),
last_response: None,
last_attempt: None,
last_failure: None,
last_connection_state: NeverAttemptedGossiped,
}
}
/// Create a new `MetaAddr` for a peer that has just `Responded`.
/// Returns a [`MetaAddrChange::NewGossiped`], based on a gossiped peer
/// `MetaAddr`.
pub fn new_gossiped_change(self) -> MetaAddrChange {
NewGossiped {
addr: self.addr,
untrusted_services: self.services,
untrusted_last_seen: self
.untrusted_last_seen
.expect("unexpected missing last seen"),
}
}
/// Returns a [`MetaAddrChange::UpdateResponded`] for a peer that has just
/// sent us a message.
///
/// # Security
///
@ -162,85 +313,113 @@ impl MetaAddr {
/// - malicious peers could interfere with other peers' `AddressBook` state,
/// or
/// - Zebra could advertise unreachable addresses to its own peers.
pub fn new_responded(addr: &SocketAddr, services: &PeerServices) -> MetaAddr {
MetaAddr {
pub fn new_responded(addr: &SocketAddr, services: &PeerServices) -> MetaAddrChange {
UpdateResponded {
addr: *addr,
services: *services,
last_seen: DateTime32::now(),
last_connection_state: Responded,
}
}
/// Create a new `MetaAddr` for a peer that we want to reconnect to.
pub fn new_reconnect(addr: &SocketAddr, services: &PeerServices) -> MetaAddr {
MetaAddr {
/// Returns a [`MetaAddrChange::UpdateConnectionAttempt`] for a peer that we
/// want to make an outbound connection to.
pub fn new_reconnect(addr: &SocketAddr) -> MetaAddrChange {
UpdateAttempt { addr: *addr }
}
/// Returns a [`MetaAddrChange::NewAlternate`] for a peer's alternate address,
/// received via a `Version` message.
pub fn new_alternate(addr: &SocketAddr, untrusted_services: &PeerServices) -> MetaAddrChange {
NewAlternate {
addr: *addr,
services: *services,
last_seen: DateTime32::now(),
last_connection_state: AttemptPending,
untrusted_services: *untrusted_services,
}
}
/// Create a new `MetaAddr` for a peer's alternate address, received via a
/// `Version` message.
pub fn new_alternate(addr: &SocketAddr, services: &PeerServices) -> MetaAddr {
MetaAddr {
addr: *addr,
services: *services,
last_seen: DateTime32::now(),
last_connection_state: NeverAttemptedAlternate,
}
/// Returns a [`MetaAddrChange::NewLocalListener`] for our own listener address.
pub fn new_local_listener(addr: &SocketAddr) -> MetaAddrChange {
NewLocal { addr: *addr }
}
/// Create a new `MetaAddr` for our own listener address.
pub fn new_local_listener(addr: &SocketAddr) -> MetaAddr {
MetaAddr {
/// Returns a [`MetaAddrChange::UpdateFailed`] for a peer that has just had
/// an error.
pub fn new_errored(
addr: &SocketAddr,
services: impl Into<Option<PeerServices>>,
) -> MetaAddrChange {
UpdateFailed {
addr: *addr,
// TODO: create a "local services" constant
services: PeerServices::NODE_NETWORK,
last_seen: DateTime32::now(),
last_connection_state: Responded,
}
}
/// Create a new `MetaAddr` for a peer that has just had an error.
pub fn new_errored(addr: &SocketAddr, services: &PeerServices) -> MetaAddr {
MetaAddr {
addr: *addr,
services: *services,
last_seen: DateTime32::now(),
last_connection_state: Failed,
services: services.into(),
}
}
/// Create a new `MetaAddr` for a peer that has just shut down.
pub fn new_shutdown(addr: &SocketAddr, services: &PeerServices) -> MetaAddr {
pub fn new_shutdown(
addr: &SocketAddr,
services: impl Into<Option<PeerServices>>,
) -> MetaAddrChange {
// TODO: if the peer shut down in the Responded state, preserve that
// state. All other states should be treated as (timeout) errors.
MetaAddr::new_errored(addr, services)
MetaAddr::new_errored(addr, services.into())
}
/// The last time we interacted with this peer.
/// Returns the time of the last successful interaction with this peer.
///
/// The exact meaning depends on `last_connection_state`:
/// - `Responded`: the last time we processed a message from this peer
/// - `NeverAttempted`: the unverified time provided by the remote peer
/// that sent us this address
/// - `Failed`: the last time we marked the peer as failed
/// - `AttemptPending`: the last time we queued the peer for a reconnection
/// attempt
/// Initially set to the unverified "last seen time" gossiped by the remote
/// peer that sent us this address.
///
/// If the `last_connection_state` has ever been `Responded`, this field is
/// set to the last time we processed a message from this peer.
///
/// ## Security
///
/// `last_seen` times from `NeverAttempted` peers may be invalid due to
/// clock skew, or buggy or malicious peers.
pub fn get_last_seen(&self) -> DateTime32 {
self.last_seen
/// `last_seen` times from peers that have never `Responded` may be
/// incorrect due to clock skew, or buggy or malicious peers.
pub fn last_seen(&self) -> Option<DateTime32> {
self.last_response.or(self.untrusted_last_seen)
}
/// Set the last time we interacted with this peer.
pub(crate) fn set_last_seen(&mut self, last_seen: DateTime32) {
self.last_seen = last_seen;
/// Returns the unverified "last seen time" gossiped by the remote peer that
/// sent us this address.
///
/// See the [`MetaAddr::last_seen`] method for details.
//
// TODO: pub(in crate::address_book) - move meta_addr into address_book
pub(crate) fn untrusted_last_seen(&self) -> Option<DateTime32> {
self.untrusted_last_seen
}
/// Returns the last time we received a message from this peer.
///
/// See the [`MetaAddr::last_seen`] method for details.
//
// TODO: pub(in crate::address_book) - move meta_addr into address_book
#[allow(dead_code)]
pub(crate) fn last_response(&self) -> Option<DateTime32> {
self.last_response
}
/// Set the gossiped untrusted last seen time for this peer.
pub(crate) fn set_untrusted_last_seen(&mut self, untrusted_last_seen: DateTime32) {
self.untrusted_last_seen = Some(untrusted_last_seen);
}
/// Returns the time of our last outbound connection attempt with this peer.
///
/// If the `last_connection_state` has ever been `AttemptPending`, this
/// field is set to the last time we started an outbound connection attempt
/// with this peer.
pub fn last_attempt(&self) -> Option<Instant> {
self.last_attempt
}
/// Returns the time of our last failed outbound connection with this peer.
///
/// If the `last_connection_state` has ever been `Failed`, this field is set
/// to the last time:
/// - a connection attempt failed, or
/// - an open connection encountered a fatal protocol error.
pub fn last_failure(&self) -> Option<Instant> {
self.last_failure
}
/// Is this address a directly connected client?
@ -259,18 +438,208 @@ impl MetaAddr {
}
/// Return a sanitized version of this `MetaAddr`, for sending to a remote peer.
pub fn sanitize(&self) -> MetaAddr {
///
/// Returns `None` if this `MetaAddr` should not be sent to remote peers.
pub fn sanitize(&self) -> Option<MetaAddr> {
let interval = crate::constants::TIMESTAMP_TRUNCATION_SECONDS;
let ts = self.last_seen.timestamp();
let ts = self.last_seen()?.timestamp();
// This can't underflow, because `0 <= rem_euclid < ts`
let last_seen = ts - ts.rem_euclid(interval);
MetaAddr {
let last_seen = DateTime32::from(last_seen);
Some(MetaAddr {
addr: self.addr,
// deserialization also sanitizes services to known flags
services: self.services & PeerServices::all(),
last_seen: last_seen.into(),
// the state isn't sent to the remote peer, but sanitize it anyway
// only put the last seen time in the untrusted field,
// this matches deserialization, and avoids leaking internal state
untrusted_last_seen: Some(last_seen),
last_response: None,
// these fields aren't sent to the remote peer, but sanitize them anyway
last_attempt: None,
last_failure: None,
last_connection_state: NeverAttemptedGossiped,
})
}
}
impl MetaAddrChange {
/// Return the address for this change.
pub fn addr(&self) -> SocketAddr {
match self {
NewGossiped { addr, .. }
| NewAlternate { addr, .. }
| NewLocal { addr, .. }
| UpdateAttempt { addr }
| UpdateResponded { addr, .. }
| UpdateFailed { addr, .. } => *addr,
}
}
#[cfg(any(test, feature = "proptest-impl"))]
/// Set the address for this change to `new_addr`.
///
/// This method should only be used in tests.
pub fn set_addr(&mut self, new_addr: SocketAddr) {
match self {
NewGossiped { addr, .. }
| NewAlternate { addr, .. }
| NewLocal { addr, .. }
| UpdateAttempt { addr }
| UpdateResponded { addr, .. }
| UpdateFailed { addr, .. } => *addr = new_addr,
}
}
/// Return the untrusted services for this change, if available.
pub fn untrusted_services(&self) -> Option<PeerServices> {
match self {
NewGossiped {
untrusted_services, ..
} => Some(*untrusted_services),
NewAlternate {
untrusted_services, ..
} => Some(*untrusted_services),
// TODO: create a "services implemented by Zebra" constant
NewLocal { .. } => Some(PeerServices::NODE_NETWORK),
UpdateAttempt { .. } => None,
UpdateResponded { services, .. } => Some(*services),
UpdateFailed { services, .. } => *services,
}
}
/// Return the untrusted last seen time for this change, if available.
pub fn untrusted_last_seen(&self) -> Option<DateTime32> {
match self {
NewGossiped {
untrusted_last_seen,
..
} => Some(*untrusted_last_seen),
NewAlternate { .. } => None,
NewLocal { .. } => None,
UpdateAttempt { .. } => None,
UpdateResponded { .. } => None,
UpdateFailed { .. } => None,
}
}
/// Return the last attempt for this change, if available.
pub fn last_attempt(&self) -> Option<Instant> {
match self {
NewGossiped { .. } => None,
NewAlternate { .. } => None,
NewLocal { .. } => None,
UpdateAttempt { .. } => Some(Instant::now()),
UpdateResponded { .. } => None,
UpdateFailed { .. } => None,
}
}
/// Return the last response for this change, if available.
pub fn last_response(&self) -> Option<DateTime32> {
match self {
NewGossiped { .. } => None,
NewAlternate { .. } => None,
NewLocal { .. } => None,
UpdateAttempt { .. } => None,
UpdateResponded { .. } => Some(DateTime32::now()),
UpdateFailed { .. } => None,
}
}
/// Return the last attempt for this change, if available.
pub fn last_failure(&self) -> Option<Instant> {
match self {
NewGossiped { .. } => None,
NewAlternate { .. } => None,
NewLocal { .. } => None,
UpdateAttempt { .. } => None,
UpdateResponded { .. } => None,
UpdateFailed { .. } => Some(Instant::now()),
}
}
/// Return the peer connection state for this change.
pub fn peer_addr_state(&self) -> PeerAddrState {
match self {
NewGossiped { .. } => NeverAttemptedGossiped,
NewAlternate { .. } => NeverAttemptedAlternate,
// local listeners get sanitized, so the exact value doesn't matter
NewLocal { .. } => NeverAttemptedGossiped,
UpdateAttempt { .. } => AttemptPending,
UpdateResponded { .. } => Responded,
UpdateFailed { .. } => Failed,
}
}
/// If this change can create a new `MetaAddr`, return that address.
pub fn into_new_meta_addr(self) -> Option<MetaAddr> {
match self {
NewGossiped { .. } | NewAlternate { .. } | NewLocal { .. } => Some(MetaAddr {
addr: self.addr(),
// TODO: make services optional when we add a DNS seeder change/state
services: self
.untrusted_services()
.expect("unexpected missing services"),
untrusted_last_seen: self.untrusted_last_seen(),
last_response: None,
last_attempt: None,
last_failure: None,
last_connection_state: self.peer_addr_state(),
}),
UpdateAttempt { .. } | UpdateResponded { .. } | UpdateFailed { .. } => None,
}
}
/// Apply this change to a previous `MetaAddr` from the address book,
/// producing a new or updated `MetaAddr`.
///
/// If the change isn't valid for the `previous` address, returns `None`.
pub fn apply_to_meta_addr(&self, previous: impl Into<Option<MetaAddr>>) -> Option<MetaAddr> {
if let Some(previous) = previous.into() {
assert_eq!(previous.addr, self.addr(), "unexpected addr mismatch");
let previous_has_been_attempted = !previous.last_connection_state.is_never_attempted();
let change_to_never_attempted = self
.into_new_meta_addr()
.map(|meta_addr| meta_addr.last_connection_state.is_never_attempted())
.unwrap_or(false);
if change_to_never_attempted {
if previous_has_been_attempted {
// Security: ignore never attempted changes once we have made an attempt
None
} else {
// never attempted to never attempted update: preserve original values
Some(MetaAddr {
addr: self.addr(),
// TODO: or(self.untrusted_services()) when services become optional
services: previous.services,
// Security: only update the last seen time if it is missing
untrusted_last_seen: previous
.untrusted_last_seen
.or_else(|| self.untrusted_last_seen()),
last_response: None,
last_attempt: None,
last_failure: None,
last_connection_state: self.peer_addr_state(),
})
}
} else {
// any to attempt, responded, or failed: prefer newer values
Some(MetaAddr {
addr: self.addr(),
services: self.untrusted_services().unwrap_or(previous.services),
// we don't modify the last seen field at all
untrusted_last_seen: previous.untrusted_last_seen,
last_response: self.last_response().or(previous.last_response),
last_attempt: self.last_attempt().or(previous.last_attempt),
last_failure: self.last_failure().or(previous.last_failure),
last_connection_state: self.peer_addr_state(),
})
}
} else {
// no previous: create a new entry
self.into_new_meta_addr()
}
}
}
@ -332,7 +701,9 @@ impl Eq for MetaAddr {}
impl ZcashSerialize for MetaAddr {
fn zcash_serialize<W: Write>(&self, mut writer: W) -> Result<(), std::io::Error> {
self.last_seen.zcash_serialize(&mut writer)?;
self.last_seen()
.expect("unexpected MetaAddr with missing last seen time: MetaAddrs should be sanitized before serialization")
.zcash_serialize(&mut writer)?;
writer.write_u64::<LittleEndian>(self.services.bits())?;
writer.write_socket_addr(self.addr)?;
Ok(())

96
zebra-network/src/meta_addr/arbitrary.rs
View File

@ -1,9 +1,17 @@
use proptest::{arbitrary::any, arbitrary::Arbitrary, prelude::*};
use std::net::SocketAddr;
use super::{MetaAddr, PeerAddrState, PeerServices};
use proptest::{arbitrary::any, collection::vec, prelude::*};
use super::{MetaAddr, MetaAddrChange, PeerServices};
use zebra_chain::serialization::{arbitrary::canonical_socket_addr, DateTime32};
/// The largest number of random changes we want to apply to a MetaAddr
///
/// This should be at least twice the number of [`PeerAddrState`]s, so
/// the tests can cover multiple transitions through every state.
pub const MAX_ADDR_CHANGE: usize = 15;
impl MetaAddr {
/// Create a strategy that generates [`MetaAddr`]s in the
/// [`PeerAddrState::NeverAttemptedGossiped`] state.
@ -13,8 +21,8 @@ impl MetaAddr {
any::<PeerServices>(),
any::<DateTime32>(),
)
.prop_map(|(address, services, untrusted_last_seen)| {
MetaAddr::new_gossiped_meta_addr(address, services, untrusted_last_seen)
.prop_map(|(addr, untrusted_services, untrusted_last_seen)| {
MetaAddr::new_gossiped_meta_addr(addr, untrusted_services, untrusted_last_seen)
})
.boxed()
}
@ -23,23 +31,65 @@ impl MetaAddr {
/// [`PeerAddrState::NeverAttemptedAlternate`] state.
pub fn alternate_strategy() -> BoxedStrategy<Self> {
(canonical_socket_addr(), any::<PeerServices>())
.prop_map(|(socket_addr, services)| MetaAddr::new_alternate(&socket_addr, &services))
.prop_map(|(socket_addr, untrusted_services)| {
MetaAddr::new_alternate(&socket_addr, &untrusted_services)
.into_new_meta_addr()
.expect("unexpected invalid alternate change")
})
.boxed()
}
}
impl MetaAddrChange {
/// Returns a strategy which generates changes for `socket_addr`.
///
/// `socket_addr` is typically generated by the `canonical_socket_addr`
/// strategy.
pub fn addr_strategy(addr: SocketAddr) -> BoxedStrategy<Self> {
any::<MetaAddrChange>()
.prop_map(move |mut change| {
change.set_addr(addr);
change
})
.boxed()
}
/// Create a strategy that generates [`MetaAddr`]s which are ready for outbound connections.
/// Returns a strategy which generates a `MetaAddr`, and a vector of up to
/// `max_addr_change` changes.
///
/// TODO: Generate all [`PeerAddrState`] variants, and give them ready fields.
/// The address and the changes all have matching `SocketAddr`s.
pub fn addr_changes_strategy(
max_addr_change: usize,
) -> BoxedStrategy<(MetaAddr, Vec<MetaAddrChange>)> {
any::<MetaAddr>()
.prop_flat_map(move |addr| {
(
Just(addr),
vec(MetaAddrChange::addr_strategy(addr.addr), 1..max_addr_change),
)
})
.boxed()
}
/// Create a strategy that generates [`MetaAddrChange`]s which are ready for
/// outbound connections.
///
/// Currently, all generated changes are the [`NewAlternate`] variant.
/// TODO: Generate all [`MetaAddrChange`] variants, and give them ready fields.
/// (After PR #2276 merges.)
pub fn ready_outbound_strategy() -> BoxedStrategy<Self> {
canonical_socket_addr()
.prop_filter_map("failed MetaAddr::is_valid_for_outbound", |address| {
.prop_filter_map("failed MetaAddr::is_valid_for_outbound", |addr| {
// Alternate nodes use the current time, so they're always ready
//
// TODO: create a "Zebra supported services" constant
let meta_addr = MetaAddr::new_alternate(&address, &PeerServices::NODE_NETWORK);
if meta_addr.is_valid_for_outbound() {
Some(meta_addr)
let change = MetaAddr::new_alternate(&addr, &PeerServices::NODE_NETWORK);
if change
.into_new_meta_addr()
.expect("unexpected invalid alternate change")
.is_valid_for_outbound()
{
Some(change)
} else {
None
}
@ -47,27 +97,3 @@ impl MetaAddr {
.boxed()
}
}
impl Arbitrary for MetaAddr {
type Parameters = ();
fn arbitrary_with(_args: Self::Parameters) -> Self::Strategy {
(
canonical_socket_addr(),
any::<PeerServices>(),
any::<DateTime32>(),
any::<PeerAddrState>(),
)
.prop_map(
|(addr, services, last_seen, last_connection_state)| MetaAddr {
addr,
services,
last_seen,
last_connection_state,
},
)
.boxed()
}
type Strategy = BoxedStrategy<Self>;
}

50
zebra-network/src/meta_addr/tests/check.rs
View File

@ -4,36 +4,66 @@ use super::super::MetaAddr;
use crate::{constants::TIMESTAMP_TRUNCATION_SECONDS, types::PeerServices};
/// Check that `sanitized_addr` has less time and state metadata than
/// `original_addr`.
/// Check that:
/// - the only times that are included in serialized `MetaAddr`s are the last
/// responded time, and the untrusted last seen time, and
/// - `sanitized_addr` has less time and state metadata than `original_addr`.
///
/// Also check that the time hasn't changed too much.
/// Also checks that the time hasn't changed too much.
pub(crate) fn sanitize_avoids_leaks(original: &MetaAddr, sanitized: &MetaAddr) {
// check that irrelevant times are cleared by sanitization
assert_eq!(sanitized.last_attempt, None);
assert_eq!(sanitized.last_failure, None);
// check that the last seen and responded times end up in the untrusted field
// (but ignore their values for now - those checks are next)
assert_eq!(sanitized.last_response, None);
assert_eq!(
sanitized.untrusted_last_seen.is_some(),
original
.last_response
.or(original.untrusted_last_seen)
.is_some()
);
// Check the responded field overrides the untrusted field
assert_eq!(
original.last_seen(),
original.last_response.or(original.untrusted_last_seen)
);
// check for time truncation
if let Some(sanitized_last_seen) = sanitized.last_seen() {
// We want the sanitized timestamp to:
// - be a multiple of the truncation interval,
// - have a zero nanoseconds component, and
// - be within the truncation interval of the original timestamp.
assert_eq!(
sanitized.get_last_seen().timestamp() % TIMESTAMP_TRUNCATION_SECONDS,
sanitized_last_seen.timestamp() % TIMESTAMP_TRUNCATION_SECONDS,
0
);
// check that the times haven't changed too much
let original_last_seen = original
.last_seen()
.expect("unexpected missing original last seen when sanitized last seen is Some");
// handle underflow and overflow by skipping the check
// the other check will ensure correctness
let lowest_time = original
.get_last_seen()
let lowest_time = original_last_seen
.timestamp()
.checked_sub(TIMESTAMP_TRUNCATION_SECONDS);
let highest_time = original
.get_last_seen()
let highest_time = original_last_seen
.timestamp()
.checked_add(TIMESTAMP_TRUNCATION_SECONDS);
if let Some(lowest_time) = lowest_time {
assert!(sanitized.get_last_seen().timestamp() > lowest_time);
assert!(sanitized_last_seen.timestamp() > lowest_time);
}
if let Some(highest_time) = highest_time {
assert!(sanitized.get_last_seen().timestamp() < highest_time);
assert!(sanitized_last_seen.timestamp() < highest_time);
}
}
// check the other fields
// Sanitize to the the default state, even though it's not serialized
assert_eq!(sanitized.last_connection_state, Default::default());

14
zebra-network/src/meta_addr/tests/preallocate.rs
View File

@ -12,6 +12,13 @@ proptest! {
/// This verifies that our calculated `TrustedPreallocate::max_allocation()` is indeed an upper bound.
#[test]
fn meta_addr_size_is_correct(addr in MetaAddr::arbitrary()) {
zebra_test::init();
// We require sanitization before serialization
let addr = addr.sanitize();
prop_assume!(addr.is_some());
let addr = addr.unwrap();
let serialized = addr
.zcash_serialize_to_vec()
.expect("Serialization to vec must succeed");
@ -23,6 +30,13 @@ proptest! {
/// 2. The largest allowed vector is small enough to fit in a legal Zcash message
#[test]
fn meta_addr_max_allocation_is_correct(addr in MetaAddr::arbitrary()) {
zebra_test::init();
// We require sanitization before serialization
let addr = addr.sanitize();
prop_assume!(addr.is_some());
let addr = addr.unwrap();
let max_allocation: usize = MetaAddr::max_allocation().try_into().unwrap();
let mut smallest_disallowed_vec = Vec::with_capacity(max_allocation + 1);
for _ in 0..(MetaAddr::max_allocation() + 1) {

49
zebra-network/src/meta_addr/tests/prop.rs
View File

@ -1,7 +1,8 @@
//! Randomised property tests for MetaAddr.
use super::check;
use crate::{meta_addr::MetaAddr, types::PeerServices};
use crate::meta_addr::{arbitrary::MAX_ADDR_CHANGE, MetaAddr, MetaAddrChange, PeerAddrState::*};
use proptest::prelude::*;
@ -14,18 +15,22 @@ proptest! {
fn sanitize_avoids_leaks(addr in MetaAddr::arbitrary()) {
zebra_test::init();
check::sanitize_avoids_leaks(&addr, &addr.sanitize());
if let Some(sanitized) = addr.sanitize() {
check::sanitize_avoids_leaks(&addr, &sanitized);
}
}
/// Test round-trip serialization for gossiped MetaAddrs
#[test]
fn gossiped_roundtrip(
mut gossiped_addr in MetaAddr::gossiped_strategy()
gossiped_addr in MetaAddr::gossiped_strategy()
) {
zebra_test::init();
// Zebra's deserialization sanitizes `services` to known flags
gossiped_addr.services &= PeerServices::all();
// We require sanitization before serialization
let gossiped_addr = gossiped_addr.sanitize();
prop_assume!(gossiped_addr.is_some());
let gossiped_addr = gossiped_addr.unwrap();
// Check that malicious peers can't make Zebra's serialization fail
let addr_bytes = gossiped_addr.zcash_serialize_to_vec();
@ -88,7 +93,12 @@ proptest! {
) {
zebra_test::init();
// We require sanitization before serialization,
// but we also need the original address for this test
let sanitized_addr = addr.sanitize();
prop_assume!(sanitized_addr.is_some());
let sanitized_addr = sanitized_addr.unwrap();
// Make sure sanitization avoids leaks on this address, to avoid spurious errors
check::sanitize_avoids_leaks(&addr, &sanitized_addr);
@ -149,4 +159,33 @@ proptest! {
}
/// Make sure that `[MetaAddrChange]`s:
/// - do not modify the last seen time, unless it was None, and
/// - only modify the services after a response or failure.
#[test]
fn preserve_initial_untrusted_values((mut addr, changes) in MetaAddrChange::addr_changes_strategy(MAX_ADDR_CHANGE)) {
zebra_test::init();
for change in changes {
if let Some(changed_addr) = change.apply_to_meta_addr(addr) {
// untrusted last seen times:
// check that we replace None with Some, but leave Some unchanged
if addr.untrusted_last_seen.is_some() {
prop_assert_eq!(changed_addr.untrusted_last_seen, addr.untrusted_last_seen);
} else {
prop_assert_eq!(changed_addr.untrusted_last_seen, change.untrusted_last_seen());
}
// services:
// check that we only change if there was a handshake
if changed_addr.last_connection_state.is_never_attempted()
|| changed_addr.last_connection_state == AttemptPending
|| change.untrusted_services().is_none() {
prop_assert_eq!(changed_addr.services, addr.services);
}
addr = changed_addr;
}
}
}
}

18
zebra-network/src/meta_addr/tests/vectors.rs
View File

@ -10,17 +10,27 @@ fn sanitize_extremes() {
let min_time_entry = MetaAddr {
addr: "127.0.0.1:8233".parse().unwrap(),
services: Default::default(),
last_seen: u32::MIN.into(),
untrusted_last_seen: Some(u32::MIN.into()),
last_response: Some(u32::MIN.into()),
last_attempt: None,
last_failure: None,
last_connection_state: Default::default(),
};
let max_time_entry = MetaAddr {
addr: "127.0.0.1:8233".parse().unwrap(),
services: Default::default(),
last_seen: u32::MAX.into(),
untrusted_last_seen: Some(u32::MAX.into()),
last_response: Some(u32::MAX.into()),
last_attempt: None,
last_failure: None,
last_connection_state: Default::default(),
};
check::sanitize_avoids_leaks(&min_time_entry, &min_time_entry.sanitize());
check::sanitize_avoids_leaks(&max_time_entry, &max_time_entry.sanitize());
if let Some(min_sanitized) = min_time_entry.sanitize() {
check::sanitize_avoids_leaks(&min_time_entry, &min_sanitized);
}
if let Some(max_sanitized) = max_time_entry.sanitize() {
check::sanitize_avoids_leaks(&max_time_entry, &max_sanitized);
}
}

28
zebra-network/src/peer/handshake.rs
View File

@ -23,6 +23,7 @@ use zebra_chain::{block, parameters::Network};
use crate::{
constants,
meta_addr::MetaAddrChange,
protocol::{
external::{types::*, Codec, InventoryHash, Message},
internal::{Request, Response},
@ -45,7 +46,7 @@ use super::{Client, ClientRequest, Connection, ErrorSlot, HandshakeError, PeerEr
pub struct Handshake<S> {
config: Config,
inbound_service: S,
timestamp_collector: mpsc::Sender<MetaAddr>,
timestamp_collector: mpsc::Sender<MetaAddrChange>,
inv_collector: broadcast::Sender<(InventoryHash, SocketAddr)>,
nonces: Arc<futures::lock::Mutex<HashSet<Nonce>>>,
user_agent: String,
@ -296,7 +297,7 @@ impl fmt::Debug for ConnectedAddr {
pub struct Builder<S> {
config: Option<Config>,
inbound_service: Option<S>,
timestamp_collector: Option<mpsc::Sender<MetaAddr>>,
timestamp_collector: Option<mpsc::Sender<MetaAddrChange>>,
our_services: Option<PeerServices>,
user_agent: Option<String>,
relay: Option<bool>,
@ -336,7 +337,10 @@ where
///
/// This channel takes `MetaAddr`s, permanent addresses which can be used to
/// make outbound connections to peers.
pub fn with_timestamp_collector(mut self, timestamp_collector: mpsc::Sender<MetaAddr>) -> Self {
pub fn with_timestamp_collector(
mut self,
timestamp_collector: mpsc::Sender<MetaAddrChange>,
) -> Self {
self.timestamp_collector = Some(timestamp_collector);
self
}
@ -671,16 +675,8 @@ where
let alternate_addrs = connected_addr.get_alternate_addrs(remote_canonical_addr);
for alt_addr in alternate_addrs {
let alt_addr = MetaAddr::new_alternate(&alt_addr, &remote_services);
if alt_addr.is_valid_for_outbound() {
tracing::info!(
?alt_addr,
"sending valid alternate peer address to the address book"
);
// awaiting a local task won't hang
let _ = timestamp_collector.send(alt_addr).await;
} else {
tracing::trace!(?alt_addr, "dropping invalid alternate peer address");
}
}
// Set the connection's version to the minimum of the received version or our own.
@ -772,7 +768,7 @@ where
if let Some(book_addr) = connected_addr.get_address_book_addr() {
let _ = inbound_ts_collector
.send(MetaAddr::new_errored(&book_addr, &remote_services))
.send(MetaAddr::new_errored(&book_addr, remote_services))
.await;
}
}
@ -882,7 +878,7 @@ where
if let Some(book_addr) = connected_addr.get_address_book_addr() {
// awaiting a local task won't hang
let _ = timestamp_collector
.send(MetaAddr::new_shutdown(&book_addr, &remote_services))
.send(MetaAddr::new_shutdown(&book_addr, remote_services))
.await;
}
return;
@ -970,7 +966,7 @@ async fn send_one_heartbeat(server_tx: &mut mpsc::Sender<ClientRequest>) -> Resu
/// `handle_heartbeat_error`.
async fn heartbeat_timeout<F, T>(
fut: F,
timestamp_collector: &mut mpsc::Sender<MetaAddr>,
timestamp_collector: &mut mpsc::Sender<MetaAddrChange>,
connected_addr: &ConnectedAddr,
remote_services: &PeerServices,
) -> Result<T, BoxError>
@ -1004,7 +1000,7 @@ where
/// If `result.is_err()`, mark `connected_addr` as failed using `timestamp_collector`.
async fn handle_heartbeat_error<T, E>(
result: Result<T, E>,
timestamp_collector: &mut mpsc::Sender<MetaAddr>,
timestamp_collector: &mut mpsc::Sender<MetaAddrChange>,
connected_addr: &ConnectedAddr,
remote_services: &PeerServices,
) -> Result<T, E>
@ -1018,7 +1014,7 @@ where
if let Some(book_addr) = connected_addr.get_address_book_addr() {
let _ = timestamp_collector
.send(MetaAddr::new_errored(&book_addr, remote_services))
.send(MetaAddr::new_errored(&book_addr, *remote_services))
.await;
}
Err(err)

21
zebra-network/src/peer_set/candidate_set.rs
View File

@ -258,6 +258,8 @@ where
/// Add new `addrs` to the address book.
fn send_addrs(&self, addrs: impl IntoIterator<Item = MetaAddr>) {
let addrs = addrs.into_iter().map(MetaAddr::new_gossiped_change);
// # Correctness
//
// Briefly hold the address book threaded mutex, to extend
@ -307,9 +309,8 @@ where
// `None`. We only need to sleep before yielding an address.
let reconnect = guard.reconnection_peers().next()?;
let reconnect = MetaAddr::new_reconnect(&reconnect.addr, &reconnect.services);
guard.update(reconnect);
reconnect
let reconnect = MetaAddr::new_reconnect(&reconnect.addr);
guard.update(reconnect)?
};
// SECURITY: rate-limit new outbound peer connections
@ -322,7 +323,7 @@ where
/// Mark `addr` as a failed peer.
pub fn report_failed(&mut self, addr: &MetaAddr) {
let addr = MetaAddr::new_errored(&addr.addr, &addr.services);
let addr = MetaAddr::new_errored(&addr.addr, addr.services);
// # Correctness
//
// Briefly hold the address book threaded mutex, to update the state for
@ -378,7 +379,10 @@ fn limit_last_seen_times(addrs: &mut Vec<MetaAddr>, last_seen_limit: DateTime32)
addrs
.iter()
.fold((u32::MAX, u32::MIN), |(oldest, newest), addr| {
let last_seen = addr.get_last_seen().timestamp();
let last_seen = addr
.untrusted_last_seen()
.expect("unexpected missing last seen")
.timestamp();
(oldest.min(last_seen), newest.max(last_seen))
});
@ -391,10 +395,13 @@ fn limit_last_seen_times(addrs: &mut Vec<MetaAddr>, last_seen_limit: DateTime32)
if oldest_resulting_timestamp >= 0 {
// No underflow is possible, so apply offset to all addresses
for addr in addrs {
let old_last_seen = addr.get_last_seen().timestamp();
let old_last_seen = addr
.untrusted_last_seen()
.expect("unexpected missing last seen")
.timestamp();
let new_last_seen = old_last_seen - offset;
addr.set_last_seen(new_last_seen.into());
addr.set_untrusted_last_seen(new_last_seen.into());
}
} else {
// An underflow will occur, so reject all gossiped peers

8
zebra-network/src/peer_set/candidate_set/tests/prop.rs
View File

@ -16,8 +16,8 @@ use zebra_chain::serialization::DateTime32;
use super::super::{validate_addrs, CandidateSet};
use crate::{
constants::MIN_PEER_CONNECTION_INTERVAL, types::MetaAddr, AddressBook, BoxError, Config,
Request, Response,
constants::MIN_PEER_CONNECTION_INTERVAL, meta_addr::MetaAddrChange, types::MetaAddr,
AddressBook, BoxError, Config, Request, Response,
};
/// The maximum number of candidates for a "next peer" test.
@ -46,7 +46,7 @@ proptest! {
let validated_peers = validate_addrs(gossiped_peers, last_seen_limit);
for peer in validated_peers {
prop_assert![peer.get_last_seen() <= last_seen_limit];
prop_assert!(peer.untrusted_last_seen().unwrap() <= last_seen_limit);
}
}
@ -90,7 +90,7 @@ proptest! {
/// Test that new outbound peer connections are rate-limited.
#[test]
fn new_outbound_peer_connections_are_rate_limited(
peers in vec(MetaAddr::ready_outbound_strategy(), TEST_ADDRESSES),
peers in vec(MetaAddrChange::ready_outbound_strategy(), TEST_ADDRESSES),
initial_candidates in 0..MAX_TEST_CANDIDATES,
extra_candidates in 0..MAX_TEST_CANDIDATES,
) {

9
zebra-network/src/timestamp_collector.rs
View File

@ -4,7 +4,7 @@ use std::sync::Arc;
use futures::{channel::mpsc, prelude::*};
use crate::{types::MetaAddr, AddressBook, Config};
use crate::{meta_addr::MetaAddrChange, AddressBook, Config};
/// The timestamp collector hooks into incoming message streams for each peer and
/// records per-connection last-seen timestamps into an [`AddressBook`].
@ -14,7 +14,12 @@ impl TimestampCollector {
/// Spawn a new [`TimestampCollector`] task, and return handles for the
/// transmission channel for timestamp events and for the [`AddressBook`] it
/// updates.
pub fn spawn(config: &Config) -> (Arc<std::sync::Mutex<AddressBook>>, mpsc::Sender<MetaAddr>) {
pub fn spawn(
config: &Config,
) -> (
Arc<std::sync::Mutex<AddressBook>>,
mpsc::Sender<MetaAddrChange>,
) {
use tracing::Level;
const TIMESTAMP_WORKER_BUFFER_SIZE: usize = 100;
let (worker_tx, mut worker_rx) = mpsc::channel(TIMESTAMP_WORKER_BUFFER_SIZE);