From 0ea9bcdd5ca0aaef0485bc2d91fd5fd67a4c19fc Mon Sep 17 00:00:00 2001 From: Martin Raszyk Date: Tue, 14 Nov 2023 17:40:39 +0100 Subject: [PATCH 1/4] restrict nonce to be of length at most 32 --- spec/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec/index.md b/spec/index.md index 6c99e0207..896d15680 100644 --- a/spec/index.md +++ b/spec/index.md @@ -858,7 +858,7 @@ In development instances of the Internet Computer Protocol (e.g. testnets), the All requests coming in via the HTTPS interface need to be either *anonymous* or *authenticated* using a cryptographic signature. To that end, the following fields are present in the `content` map in all cases: -- `nonce` (`blob`, optional): Arbitrary user-provided data, typically randomly generated. This can be used to create distinct requests with otherwise identical fields. +- `nonce` (`blob`, optional): Arbitrary user-provided data of length at most 32, typically randomly generated. This can be used to create distinct requests with otherwise identical fields. - `ingress_expiry` (`nat`, required): An upper limit on the validity of the request, expressed in nanoseconds since 1970-01-01 (like [ic0.time()](#system-api-time)). This avoids replay attacks: The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past. The IC may refuse to accept requests with an ingress expiry date too far in the future. This applies to synchronous and asynchronous requests alike (and could have been called `request_expiry`). @@ -3095,6 +3095,7 @@ Conditions ```html E.content.canister_id ∈ verify_envelope(E, E.content.sender, S.system_time) +|E.content.nonce| <= 32 E.content ∉ dom(S.requests) S.system_time <= E.content.ingress_expiry is_effective_canister_id(E.content, ECID) From ec99b69b98df4886b5d44fb281c5e35ecf0d0035 Mon Sep 17 00:00:00 2001 
From: Martin Raszyk Date: Tue, 14 Nov 2023 17:45:09 +0100 Subject: [PATCH 2/4] adjust formal semantics --- spec/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spec/index.md b/spec/index.md index 896d15680..bb42f19ad 100644 --- a/spec/index.md +++ b/spec/index.md @@ -5212,6 +5212,7 @@ Conditions E.content = CanisterQuery Q Q.canister_id ∈ verify_envelope(E, Q.sender, S.system_time) +|Q.nonce| <= 32 is_effective_canister_id(E.content, ECID) S.system_time <= Q.ingress_expiry @@ -5256,6 +5257,7 @@ Conditions E.content = ReadState RS TS = verify_envelope(E, RS.sender, S.system_time) +|E.content.nonce| <= 32 S.system_time <= RS.ingress_expiry ∀ path ∈ RS.paths. may_read_path_for_canister(S, R.sender, path) ∀ (["request_status", Rid] · _) ∈ RS.paths. ∀ R ∈ dom(S.requests). hash_of_map(R) = Rid => R.canister_id ∈ TS @@ -5306,6 +5308,7 @@ Conditions E.content = ReadState RS TS = verify_envelope(E, RS.sender, S.system_time) +|E.content.nonce| <= 32 S.system_time <= RS.ingress_expiry ∀ path ∈ RS.paths. may_read_path_for_subnet(S, RS.sender, path) From 2d3e2b3089fff2bc2fb6e5031983138468e3469a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Tackmann?= <54846571+Dfinity-Bjoern@users.noreply.github.com> Date: Tue, 21 Nov 2023 15:06:40 +0100 Subject: [PATCH 3/4] Update spec/index.md --- spec/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/index.md b/spec/index.md index bb42f19ad..25f8a5d61 100644 --- a/spec/index.md +++ b/spec/index.md 
@@ -858,7 +858,7 @@ In development instances of the Internet Computer Protocol (e.g. testnets), the All requests coming in via the HTTPS interface need to be either *anonymous* or *authenticated* using a cryptographic signature. To that end, the following fields are present in the `content` map in all cases: -- `nonce` (`blob`, optional): Arbitrary user-provided data of length at most 32, typically randomly generated. This can be used to create distinct requests with otherwise identical fields. +- `nonce` (`blob`, optional): Arbitrary user-provided data of length at most 32 bytes, typically randomly generated. This can be used to create distinct requests with otherwise identical fields. - `ingress_expiry` (`nat`, required): An upper limit on the validity of the request, expressed in nanoseconds since 1970-01-01 (like [ic0.time()](#system-api-time)). This avoids replay attacks: The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past. The IC may refuse to accept requests with an ingress expiry date too far in the future. This applies to synchronous and asynchronous requests alike (and could have been called `request_expiry`). From 55c7fe13e069e6ba6e863c2005b14a90da53cb39 Mon Sep 17 00:00:00 2001 From: Martin Raszyk Date: Tue, 21 Nov 2023 16:35:03 +0100 Subject: [PATCH 4/4] update changelog --- spec/_attachments/interface-spec-changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/_attachments/interface-spec-changelog.md b/spec/_attachments/interface-spec-changelog.md index 722ce910e..e8db713d4 100644 --- a/spec/_attachments/interface-spec-changelog.md +++ b/spec/_attachments/interface-spec-changelog.md 
@@ -10,6 +10,7 @@ * Add per-call context performance counter. * Update the computation of the representation-independent hash for the case of maps with nested maps. * Remove `senders` field from user delegations. +* The maximum length of a nonce in an ingress message is 32 bytes. ### 0.21.0 (2023-09-18) {#0_21_0} * Canister cycle balance cannot decrease below the freezing limit after executing `install_code` on the management canister.
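Review bot: In PATCH 1/4, the `nonce` bullet changed in the hunk at `@@ -858,7 +858,7 @@` of spec/index.md states the bound ("of length at most 32") but not what happens to a request whose nonce exceeds it. The same patch adds `|E.content.nonce| <= 32` under Conditions in the formal semantics, which makes the bound a precondition there; consider saying in the prose as well that a request with a longer nonce is not accepted. The missing unit in this sentence is supplied by PATCH 3/4.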
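Review bot: In PATCH 1/4, the condition `|E.content.nonce| <= 32` added in the hunk at `@@ -3095,6 +3095,7 @@` does not say how it evaluates when `nonce` is absent, although the field is declared as `blob`, optional in the bullet touched by the same patch. Suggest stating that the condition holds when the field is missing, or guarding it on the field being present, so that it is unambiguous that requests without a nonce still satisfy the Conditions block.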
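Review bot: In PATCH 2/4, the two ReadState hunks (`@@ -5256,6 +5257,7 @@` and `@@ -5306,6 +5308,7 @@`) add `|E.content.nonce| <= 32`, while the CanisterQuery hunk in the same patch uses the bound name, `|Q.nonce| <= 32`. Both ReadState blocks already bind `E.content = ReadState RS` and refer to `RS.sender` and `RS.ingress_expiry` on the neighbouring lines, so `|RS.nonce| <= 32` would match the surrounding style and keep the three conditions uniform.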
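Review bot: In PATCH 4/4, the changelog entry "The maximum length of a nonce in an ingress message is 32 bytes." is narrower than what the series specifies. PATCH 2/4 adds the same bound to the conditions for `CanisterQuery` and both `ReadState` cases, and the spec text describes `nonce` as a field present "in all cases" for requests coming in via the HTTPS interface. Suggest wording the entry in terms of requests in general, for example "a nonce in a request", so readers of the changelog do not conclude that queries and read_state requests are exempt.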