Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

restrict nonce to be of length at most 32 #249

Merged
merged 5 commits into from
Nov 21, 2023
Merged

restrict nonce to be of length at most 32 #249

Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0ea9bcd
restrict nonce to be of length at most 32
mraszyk Nov 14, 2023
ec99b69
adjust formal semantics
mraszyk Nov 14, 2023
2d3e2b3
Update spec/index.md
Dfinity-Bjoern Nov 21, 2023
55c7fe1
update changelog
mraszyk Nov 21, 2023
b7d4c46
Merge branch 'master' into mraszyk/bounded-nonce
mraszyk Nov 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion spec/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -858,7 +858,7 @@ In development instances of the Internet Computer Protocol (e.g. testnets), the

All requests coming in via the HTTPS interface need to be either *anonymous* or *authenticated* using a cryptographic signature. To that end, the following fields are present in the `content` map in all cases:

- `nonce` (`blob`, optional): Arbitrary user-provided data, typically randomly generated. This can be used to create distinct requests with otherwise identical fields.
- `nonce` (`blob`, optional): Arbitrary user-provided data of length at most 32, typically randomly generated. This can be used to create distinct requests with otherwise identical fields.
Dfinity-Bjoern marked this conversation as resolved.
Show resolved Hide resolved

- `ingress_expiry` (`nat`, required): An upper limit on the validity of the request, expressed in nanoseconds since 1970-01-01 (like [ic0.time()](#system-api-time)). This avoids replay attacks: The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past. The IC may refuse to accept requests with an ingress expiry date too far in the future. This applies to synchronous and asynchronous requests alike (and could have been called `request_expiry`).

Expand Down Expand Up @@ -3095,6 +3095,7 @@ Conditions
```html

E.content.canister_id ∈ verify_envelope(E, E.content.sender, S.system_time)
|E.content.nonce| <= 32
E.content ∉ dom(S.requests)
S.system_time <= E.content.ingress_expiry
is_effective_canister_id(E.content, ECID)
Expand Down Expand Up @@ -5211,6 +5212,7 @@ Conditions

E.content = CanisterQuery Q
Q.canister_id ∈ verify_envelope(E, Q.sender, S.system_time)
|Q.nonce| <= 32
is_effective_canister_id(E.content, ECID)
S.system_time <= Q.ingress_expiry

Expand Down Expand Up @@ -5255,6 +5257,7 @@ Conditions

E.content = ReadState RS
TS = verify_envelope(E, RS.sender, S.system_time)
|E.content.nonce| <= 32
S.system_time <= RS.ingress_expiry
∀ path ∈ RS.paths. may_read_path_for_canister(S, R.sender, path)
∀ (["request_status", Rid] · _) ∈ RS.paths. ∀ R ∈ dom(S.requests). hash_of_map(R) = Rid => R.canister_id ∈ TS
Expand Down Expand Up @@ -5305,6 +5308,7 @@ Conditions

E.content = ReadState RS
TS = verify_envelope(E, RS.sender, S.system_time)
|E.content.nonce| <= 32
S.system_time <= RS.ingress_expiry
∀ path ∈ RS.paths. may_read_path_for_subnet(S, RS.sender, path)

Expand Down
Loading