1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <pete@petertodd.org>) id 1XmKSX-0002Ia-He
for bitcoin-development@lists.sourceforge.net;
Thu, 06 Nov 2014 10:38:33 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of petertodd.org
designates 62.13.148.96 as permitted sender)
client-ip=62.13.148.96; envelope-from=pete@petertodd.org;
helo=outmail148096.authsmtp.net;
Received: from outmail148096.authsmtp.net ([62.13.148.96])
by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
id 1XmKSV-0000Lj-56 for bitcoin-development@lists.sourceforge.net;
Thu, 06 Nov 2014 10:38:33 +0000
Received: from mail-c237.authsmtp.com (mail-c237.authsmtp.com [62.13.128.237])
by punt17.authsmtp.com (8.14.2/8.14.2/) with ESMTP id sA6AcOS5081549
for <bitcoin-development@lists.sourceforge.net>;
Thu, 6 Nov 2014 10:38:24 GMT
Received: from savin.petertodd.org (75-119-251-161.dsl.teksavvy.com
[75.119.251.161]) (authenticated bits=128)
by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id sA6AcKH3004341
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO)
for <bitcoin-development@lists.sourceforge.net>;
Thu, 6 Nov 2014 10:38:22 GMT
Date: Thu, 6 Nov 2014 05:38:20 -0500
From: Peter Todd <pete@petertodd.org>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Message-ID: <20141106103820.GA17096@savin.petertodd.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="k1lZvvs/B4yU6o8G"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: 0863ae9f-65a1-11e4-9f74-002590a135d3
X-AuthReport-Spam: If SPAM / abuse - report it at:
http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVJwpGK10IU0Fd
P1hXKl1LNVAaWXld WiVPGEoXDxgzCjYj NEgGOBsDNw4AXwN1
LhcPXVBSFQF4ABwL BRYUUBo8cABYeX95 e0RnX25aWkVlcE56
XU8aVhwAFDQbEGMf UERbcwIadgBIdlFF YlZ8BSYEN3gBYyth
WlZqMmx0bDsAdGEN GltQfAobGB1WEmUq fDs4PA0TKnMofQQd
HisdFmQ9N3o8FG56 OF0tEXk4HjQxMSxx V2dqPEcA
X-Authentic-SMTP: 61633532353630.1024:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 75.119.251.161/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
anti-virus system.
X-Spam-Score: -1.5 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
X-Headers-End: 1XmKSV-0000Lj-56
Subject: [Bitcoin-development] SCRIPT_VERIFY_STRICTENC and CHECKSIG NOT
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 10:38:33 -0000
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
So right now git head will accept the following invalid transaction into
the mempool:
0100000001140de229e08fda25cbc16ded2618cdacce49fcb18c0b6ccdace00040909adae40=
00000009000493046022100f7828d81c849c5448ba5ba4ef55df6b4d0ba3ae3f1a59cff3291=
880c2c8e524f022100d2f5bc9dc2f0674eded31023cb47e61a596e10f8f1ddd44cf92d290c9=
db577c70144410778d430274f8c5ec1321338151e9f27f4c676a008bdf8638d07c0b6be9ab3=
5c71a1518063243acd4dfe96b66e3f2ec8013c8e072cd09b3834a19f81f659cc3455ac91fff=
fffff01102700000000000017a914e661a2229cc824329c9409f49d99cb5ac350c928870000=
0000
which spends the redeemScript:
0778d430274f8c5ec1321338151e9f27f4c676a008bdf8638d07c0b6be9ab35c71a15180632=
43acd4dfe96b66e3f2ec8013c8e072cd09b3834a19f81f659cc3455
CHECKSIG NOT
That pubkey is valid and accepted by OpenSSL as it's obscure "hybrid"
format. The transaction is invalid because the signature is correct,
causing CHECKSIG to return 1, which is inverted to 0 by the NOT.
However the implementation of the STRICTENC flag simply makes pubkey
formats it doesn't recognize act as through the signature was invalid,
rather than failing the transaction. Similar to the invalid due to too
many sigops DoS attack I found before, this lets you fill up the mempool
with garbage transactions that will never be mined. OTOH I don't see any
way to exploit this in a v0.9.x IsStandard() transaction, so we haven't
shipped code that actually has this vulnerability. (dunno about
alt-implementations)
I suggest we either change STRICTENC to simply fail unrecognized pubkeys
immediately - similar to how non-standard signatures are treated - or
fail the script if the pubkey is non-standard and signature verification
succeeds.
Thoughts?
--=20
'peter'[:-1]@petertodd.org
0000000000000000152dc55f27338b58325f0432d2dc6edb90c8d449d9959583
--k1lZvvs/B4yU6o8G
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
-----BEGIN PGP SIGNATURE-----
iQGrBAEBCACVBQJUW0+XXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw
MDAwMDAwMDAwMDAwMDAxNTJkYzU1ZjI3MzM4YjU4MzI1ZjA0MzJkMmRjNmVkYjkw
YzhkNDQ5ZDk5NTk1ODMvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0
ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfu4qwf9G3Al42HvzWeAcHmHxfFPGakB
zK2t4oW4Lu4jsqNrEcmvdJ1ITVLzwWcGOqjsOlliFF5sS7w8ODHZWzLe7tczlrWP
Ke2aqp741ccuiw/eSbajD9UsZrvfOvnqgkAq6GqfqA6GX2twnILE7TfwtHOltNE1
9mp5m8YC/R+UQPIaejN/zZxAVVInmxJMfY/8xGumaPip7iUOWpyZEFenUshuKz/d
ReN6Q8u8IGSzZx8uTG6JZTbBgMCLJE8OOyM+3KxebrQm/DWQAUaQNoO0FcBfGToL
6VLnVFeWIA/4v4nC0yJqtahYmsKSRcbR2QgXO7FAo2F6rj1WvjXcqrHWb7rvVg==
=6m0W
-----END PGP SIGNATURE-----
--k1lZvvs/B4yU6o8G--
|
