🔒 [client] Verify state signatures for subchannel funding and se… #61
Conversation
| c.machMtx.Lock() // Lock machine while update is in progress. | ||
| defer c.machMtx.Unlock() | ||
|
|
||
| if err := c.machine.CheckUpdate(req.State, req.ActorIdx, req.Sig, pidx); err != nil { |
There was a problem hiding this comment.
It seems alright to move this up here, but we now do not check anymore for pidx == req.ActorIDx.
To keep the protocol simple we should also put that check here.
Otherwise a sub-channel proposer could put the proposee as Actor for the update.
The check is currently done in validTwoPartyUpdate.
There was a problem hiding this comment.
Can you give an example what would be problematic with this? I suggest you make a separate issue for that.
There was a problem hiding this comment.
Alice can now send a subChannelFundings or subChannelWithdrawals to Bob and put Bobs index as actorIDx.
For Bob it now looks like he received an update from himself.
I think it is not a security issue, but still unclean.
There was a problem hiding this comment.
Yes, it's not clean, I agree. On the other hand, it is a separate issue, so you may want to create one. I had a look into it and it may require some careful thinking.
The issue addressed here is more critical and I would like to get the change through without too much delay.
…ent updates We are intercepting updates for subchannel funding and settlement. However, we did not check the signatures for these updates. This is fixed now. Signed-off-by: Matthias Geihs <matthias@perun.network>
ggwpez
force-pushed
the
57-validate-subchannel-signatures
branch
from
5d12a80 to
bc0d3b3
Compare
2 participants
…ttlement updates
We are intercepting updates for subchannel funding and settlement. However,
we did not check the signatures for these updates. This is fixed now.
Signed-off-by: Matthias Geihs matthias@perun.network
Closes #57