feat(mls-rs): Verify the update path even in case of a self removal #224
Conversation
|
I'm wondering @ManevilleF how much security this check is adding? We're verifying a path that we're going to immediately delete since we're removed and its not useful for us. And note that if we're removed, we anyway can't verify everything inside the commit such as the confirmation tag. |
|
We are verifying that:
All these checks mostly prevent group fragmentation (in this case ghost clients) since the other unremoved members would simply ignore this commit. It could also let a member whose credential is revoked but not yet removed from the group to remove anyone he wants. |
I didn't actually realize we re-check the credential even if it didn't change, that makes sense.
Just for the sake of understanding, fragmentation by malicious committers is unavoidable. For example, flipping a bit in the last ciphertext on the update path splits the group in half -- clients who don't use this ciphertext (those in the same half of the tree as the committer) accept, others reject. So if the committer is honest, it won't generate a bad path (if it's a ghost, commit will fail). If it's dishonest, it can fragment anyway. So the space of fragmenting attacks this prevents seems rather narrow? |
fragmentation by malicious committers is unavoidable, yet. This just closes one small door even though as you pointed out there's a blatant gateway opened to cause fragmentation. |
* Fix CI (#223) * feat(mls-rs): Verify the update path even in case of a self removal (#224) * Fix bug where double-hitting a ciphertext deleted the whole ratchet (#228) Co-authored-by: Marta Mularczyk <[email protected]> * Work around rust < 1.78 crash (#231) Somehow the DWARF info generated by the compiler for the `hash`-replacement assignment is confusing to LLVM, which crashes. By using a different form for the same operation, the compiler is happy. * Avoid intermediate Vec in TreeKemPublic::update_hashes (#230) [slice, slice].concat() creates an intermediate Vec, which can be avoided by chaining updated_leaves and trailing_blanks before the first Vec is created. * Add API for deleting exporters (#227) * Add API for deleting exporters * Apply suggestions from code review Co-authored-by: Stephane Raux <[email protected]> --------- Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]> * Key package generation 1.x * Fix clippy warnings * Initial implementation of group join 1.x * Add example for 1x API * Apply suggestions from code review * Add SigningData struct * Fixup * Add more tests * Fixup * Fixup --------- Co-authored-by: Félix Lescaudey de Maneville <[email protected]> Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Mike Hommey <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]>
* Fix CI (#223) * feat(mls-rs): Verify the update path even in case of a self removal (#224) * Fix bug where double-hitting a ciphertext deleted the whole ratchet (#228) Co-authored-by: Marta Mularczyk <[email protected]> * Work around rust < 1.78 crash (#231) Somehow the DWARF info generated by the compiler for the `hash`-replacement assignment is confusing to LLVM, which crashes. By using a different form for the same operation, the compiler is happy. * Avoid intermediate Vec in TreeKemPublic::update_hashes (#230) [slice, slice].concat() creates an intermediate Vec, which can be avoided by chaining updated_leaves and trailing_blanks before the first Vec is created. * Add API for deleting exporters (#227) * Add API for deleting exporters * Apply suggestions from code review Co-authored-by: Stephane Raux <[email protected]> --------- Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]> * Key package generation 1.x * Fix clippy warnings * Initial implementation of group join 1.x * Add example for 1x API * Apply suggestions from code review * Add SigningData struct * Fixup * Add more tests * Fixup * Fixup --------- Co-authored-by: Félix Lescaudey de Maneville <[email protected]> Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Mike Hommey <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]>
* Fix CI (#223) * feat(mls-rs): Verify the update path even in case of a self removal (#224) * Fix bug where double-hitting a ciphertext deleted the whole ratchet (#228) Co-authored-by: Marta Mularczyk <[email protected]> * Work around rust < 1.78 crash (#231) Somehow the DWARF info generated by the compiler for the `hash`-replacement assignment is confusing to LLVM, which crashes. By using a different form for the same operation, the compiler is happy. * Avoid intermediate Vec in TreeKemPublic::update_hashes (#230) [slice, slice].concat() creates an intermediate Vec, which can be avoided by chaining updated_leaves and trailing_blanks before the first Vec is created. * Add API for deleting exporters (#227) * Add API for deleting exporters * Apply suggestions from code review Co-authored-by: Stephane Raux <[email protected]> --------- Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]> * Key package generation 1.x * Fix clippy warnings * Initial implementation of group join 1.x * Add example for 1x API * Apply suggestions from code review * Add SigningData struct * Fixup * Add more tests * Fixup * Fixup --------- Co-authored-by: Félix Lescaudey de Maneville <[email protected]> Co-authored-by: Marta Mularczyk <[email protected]> Co-authored-by: Mike Hommey <[email protected]> Co-authored-by: Tom Leavy <[email protected]> Co-authored-by: Stephane Raux <[email protected]>
Description of changes:
In the case of a self removal commit we early return before verifying the
update_path, This PR drops the early return and self removals verify theupdate_pathand adds some checks in following operations to avoid:update_pathfor a self removalBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT license.