This repository has been archived by the owner on Aug 24, 2022. It is now read-only.
Port tendermint v0.33.6 #168
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* lite2: advance to latest header without any exponential steps rename autoUpdate to autoUpdateRoutine * lite2: wait in Cleanup until goroutines finished running
* docs: minor doc fixes - minor doc fixes that i ran into while reading things - test if we have github actions Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * no github actions yet * add with * revert and change wording
* Add adr-051 to docs * add details * Update docs/architecture/adr-051-double-signing-protection-with-tendermint-mode.md Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * rename adr-051 for only double singing protection * remove contents about tendermint mode * change title to Double Signing Rist Reduction * rename adr md file * add a adr link to ToC Co-authored-by: b-harvest <38277329+dlguddus@users.noreply.github.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
* lite2: add Start method There are few reasons to do that: 1) separation of state and dynamics (some users will want to delay starting the light client; does not matter we should not allow them to create a light client object) 2) less important, but some users might not need autoUpdateRoutine and removeNoLongerTrustedHeadersRoutine routines * lite2: wait till routines are finished in Stop because they are started in Start, it feels more natural to wait for them to finish in Stop. * lite2: add TrustedValidatorSet func
I have added order_by which can be "asc" or "desc" (should be in string format) in the tx_search RPC method. Fixes: #3333 Author: @princesinha19
* docs: update links to rpc - links to rpc have not been updated. thank you @okwme Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * Update docs/app-dev/indexing-transactions.md
* lite2: add Start method There are few reasons to do that: 1) separation of state and dynamics (some users will want to delay starting the light client; does not matter we should not allow them to create a light client object) 2) less important, but some users might not need autoUpdateRoutine and removeNoLongerTrustedHeadersRoutine routines * lite2: wait till routines are finished in Stop because they are started in Start, it feels more natural to wait for them to finish in Stop. * lite2: add TrustedValidatorSet func * refactor cleanup code * changed restore header and val function to handle negative height * reverted restoreTrustedHeaderAndNextVals() functionality Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
not MaxOpenConnections Fixes #4311 Also, set MaxBodyBytes, MaxHeaderBytes and WriteTimeout similar to HTTP server.
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.26.0 to 1.27.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.26.0...v1.27.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Closes #4350 Checks that the chain ID of the witness and that of the lite client are the same before updating the witness list.
Bumps [github.com/golang/protobuf](https://github.com/golang/protobuf) from 1.3.2 to 1.3.3. - [Release notes](https://github.com/golang/protobuf/releases) - [Commits](golang/protobuf@v1.3.2...v1.3.3) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* lite2: make witnesses mandatory at least one witness is required * lite2: return an error if there are no witnesses tendermint/tendermint#4358 (review) * cmd/lite: add witnesses flag * fix linter errors
* update guides with correct path to libs/kv proto files * Apply suggestions from code review Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> * format something to rerun ci Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
…354) Closes issue #4338 Uses a wrapper function around both the signedHeader and validatorSet calls to the primary provider which attempts to retrieve the information 5 times before deeming the provider unavailable and replacing the primary provider with the first alternative before trying recursively again (until all alternatives are depleted) Employs a mutex lock for any operations involving the providers of the light client to ensure no operations occurs whilst the new primary is chosen. Commits: * created swapProvider function * eliminates old primary provider after replacement. Uses a mutex when changing providers * renamed to replaceProvider * created wrapped functions for signed header and val set * created test for primary provider replacement * implemented suggested revisions * created Witnesses() and Primary() * modified backoffAndJitterTime * modified backoffAndJitterTime * changed backoff base and jitter to functional arguments * implemented suggested changes * removed backoff function * changed exp function to match go version * halved the backoff time * removed seeding and added comments * fixed incorrect test * extract backoff timeout calc into a function Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Closes #4328 When TrustedHeader(height) is called, if the height is less than the trusted height but the header is not in the trusted store then a function finds the previous lowest height with a trusted header and performs a forwards sequential verification to the header of the height that was given. If no error is found it updates the trusted store with the header and validator set for that height and can then return them to the user. Commits: * drafted trusted header * created function to find previous trusted height * updates missing headers less than the trusted height * minor cosmetic tweaks * incorporated suggestions * lite2: implement Backwards verification and add SignedHeaderAfter func to Store interface Refs tendermint/tendermint#4328 (comment) * remove unused method * write tests * start with next height in SignedHeaderAfter func * fix linter errors * address Callum's comments Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
As opposed to checking a random witness, all witnesses provided should be used as a reference against the header provided by the primary node. This increases security (at the tradeoff of speed) but also gives control to the user. The more witnesses provided, the more secure the lite client can be.
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.27.0 to 1.27.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.27.0...v1.27.1) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* validate trust options * add NewClientFromTrustedStore func * make maxRetryAttempts an option Closes #4370 * hash size should be equal to tmhash.Size * make maxRetryAttempts uint * make maxRetryAttempts uint16 maxRetryAttempts possible - 68 years * we do not store trustingPeriod * added test to create client from trusted store * remove header and vals from primary to make sure we're restoring them from the DB
* proto: add buf and protogen script - add buf with minimal changes - add protogen script to easier generate proto files Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> * add protoc needs * add some needed shell cmds * remove buf from tools as it is not needed everytime * add proto lint and breakage to ci * add section in changelog and upgrading files * address pr comments * remove space in circle config * remove spaces in makefile comment * add section on contributing on how to work with proto * bump buf to 0.7 * test bufbuild image * test install make in bufbuild image * revert to tendermintdev image * Update Makefile Co-Authored-By: Anton Kaliaev <anton.kalyaev@gmail.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
* witnesses are dropped after no response * test witness dropout * corrected import structure * moved non responsiveness check to compare function * removed dropout test as witnesses are never dropped * created test to compare witnesses
- erik fixed many of the broken links, just fixed two outstanding ones. - closes #4381 Signed-off-by: Marko Baricevic <marbar3778@yahoo.com> Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Reduce the number of targets and make the buildsystem more flexible by parsing the TENDERMINT_BUILD_OPTIONS command line variable (a-la Debian, inspired by dpkg-buildpackage's DEB_BUILD_OPTIONS), e.g: $ make install TENDERMINT_BUILD_OPTIONS='cleveldb' replaces the old: $ make install_c Options can be mix&match'd, e.g.: $ make install TENDERMINT_BUILD_OPTIONS='cleveldb race nostrip' Three options are available: - nostrip: don't strip debugging symbols nor DWARF tables. - cleveldb: use cleveldb as db backend instead of goleveldb; it switches on the CGO_ENABLED Go environment variale. - race: pass -race to go build and enable data race detection. This changeset is a port of gaia pull request: cosmos/gaia#363. Co-authored-by: Alessio Treglia <alessio@tendermint.com>
* lite: fix HTTP provider error handling Fixes #4739, kind of. See #4740 for the proper fix. --- For contributor use: - [x] Wrote tests - [x] Updated CHANGELOG_PENDING.md - [x] Linked to Github issue with discussion and accepted design OR link to spec that describes this work. - [x] Updated relevant documentation (`docs/`) and code comments - [x] Re-reviewed `Files changed` in the Github PR explorer - [x] Applied Appropriate Labels * adapt tests to missing pull request Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
* privval: remove deprecated `OldFilePV` The old format was deprecated in v0.28. It's time we remove it. * fix changelog
* blockchain/v2: fix excessive CPU usage due to spinning on closed channels (#4761) The event loop uses a `select` on multiple channels. However, reading from a closed channel in Go always yields the channel's zero value. The processor and scheduler close their channels when done, and since these channels are always ready to receive, the event loop keeps spinning on them. This changes `routine.terminate()` to not close the channel, and also removes `stopDemux` and instead uses `events` channel closure to signal event loop termination. Fixes #4687. * blockchain/v2: respect fast_sync option (#4772) Not thoroughly tested, but seems to work. Will do further testing as this is integrated with state sync. Fixes #4688.
in VerifyCommitTrusting Closes #4755
Fixes #4802. The Go HTTP server has a global panic handler for requests, so it was not as severe as first thought. This fix can still panic, since we try to send a `500` response - if that happens, the Go HTTP server will terminate the connection. Otherwise, the client will get a 200 response, which we should avoid. I'm sort of torn on whether it's even necessary to include this fix, instead of just letting the HTTP server deal with it.
allow ReapX and CheckTx functions to run in parallel, making it not possible to block certain proposers from creating a new block. Closes: #2972
Closes #2998 Spec PR: tendermint/spec#94
returning an error Closes #4707
Closes #3433
Closes tendermint/tendermint#3857 Moves `lib/` folder to `jsonrpc/`. Renames: **packages** `rpc` package -> `jsonrpc` package `rpcclient` package -> `client` package `rpcserver` package -> `server` package **structs and interfaces** ``` JSONRPCClient to Client JSONRPCRequestBatch to RequestBatch JSONRPCCaller to Caller ``` **functions** ``` StartHTTPServer to Serve StartHTTPAndTLSServer to ServeTLS rpc/jsonrpc/client: rename NewURIClient to NewURI NewJSONRPCClient to New NewJSONRPCClientWithHTTPClient to NewWithHTTPClient NewWSClient to NewWS ``` **misc** - unexpose `ResponseWriterWrapper` - remove unused http_params.go
in /validators, /consensus_params and /status Closes #3161
fix bug with assigning the new pivot height during bisection. PR: #4850
these proto files are meant to help unblock ibc in their quest of migrating the ibc module to proto.
Since the light client work introduced in v0.33 it appears full nodes are no longer fully verifying commit signatures during block execution - they stop after +2/3. See in VerifyCommit: https://github.com/tendermint/tendermint/blob/0c7fd316eb006c0afc13996c00ac8bde1078b32c/types/validator_set.go#L700-L703 This means proposers can propose blocks that contain valid +2/3 signatures and then the rest of the signatures can be whatever they want. They can claim that all the other validators signed just by including a CommitSig with arbitrary signature data. While this doesn't seem to impact safety of Tendermint per se, it means that Commits may contain a lot of invalid data. This is already true of blocks, since they can include invalid txs filled with garbage, but in that case the application knows they they are invalid and can punish the proposer. But since applications dont verify commit signatures directly (they trust tendermint to do that), they won't be able to detect it. This can impact incentivization logic in the application that depends on the LastCommitInfo sent in BeginBlock, which includes which validators signed. For instance, Gaia incentivizes proposers with a bonus for including more than +2/3 of the signatures. But a proposer can now claim that bonus just by including arbitrary data for the final -1/3 of validators without actually waiting for their signatures. There may be other tricks that can be played because of this. In general, the full node should be a fully verifying machine. While it's true that the light client can avoid verifying all signatures by stopping after +2/3, the full node can not. Thus the light client and full node should use distinct VerifyCommit functions if one is going to stop after +2/3 or otherwise perform less validation (for instance light clients can also skip verifying votes for nil while full nodes can not). See a commit with a bad signature that verifies here: 56367fd. From what I can tell, Tendermint will go on to think this commit is valid and forward this data to the app, so the app will think the second validator actually signed when it clearly did not.
Closes #4926
The dump consensus state had this:
"last_commit": {
"votes": [
"Vote{0:04CBBF43CA3E 385085/00/2(Precommit) 1B73DA9FC4C8 42C97B86D89D @ 2020-05-27T06:46:51.042392895Z}",
"Vote{1:055799E028FA 385085/00/2(Precommit) 652B08AD61EA 0D507D7FA3AB @ 2020-06-28T04:57:29.20793209Z}",
"Vote{2:056024CFA910 385085/00/2(Precommit) 652B08AD61EA C8E95532A4C3 @ 2020-06-28T04:57:29.452696998Z}",
"Vote{3:0741C95814DA 385085/00/2(Precommit) 652B08AD61EA 36D567615F7C @ 2020-06-28T04:57:29.279788593Z}",
Note there's a precommit in there from the first val from May (2020-05-27) while the rest are from today (2020-06-28). It suggests there's a validator from an old instance of the network at this height (they're using the same chain-id!). Obviously a single bad validator shouldn't be an issue. But the Commit refactor work introduced a bug.
When we propose a block, we get the block.LastCommit by calling MakeCommit on the set of precommits we saw for the last height. This set may include precommits for a different block, and hence the block.LastCommit we propose may include precommits that aren't actually for the last block (but of course +2/3 will be). Before v0.33, we just skipped over these precommits during verification. But in v0.33, we expect all signatures for a blockID to be for the same block ID! Thus we end up proposing a block that we can't verify.
n-hutton
approved these changes
Aug 26, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.