From 0150af69f023bf99d603df9120d35db84fa43bf3 Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Thu, 2 Jul 2020 13:59:30 -0700 Subject: [PATCH] Precautionary Panic --- applications/transcript_app.go | 18 ++++++++++++++++++ applications/transcript_app_test.go | 22 ++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 applications/transcript_app_test.go diff --git a/applications/transcript_app.go b/applications/transcript_app.go index 151df5d..5a89f95 100644 --- a/applications/transcript_app.go +++ b/applications/transcript_app.go @@ -3,6 +3,7 @@ package applications import ( "cwtch.im/tapir" "cwtch.im/tapir/primitives/core" + "git.openprivacy.ca/openprivacy/log" ) // TranscriptApp defines a Tapir Meta-App which provides a global cryptographic transcript @@ -18,6 +19,9 @@ func (TranscriptApp) NewInstance() tapir.Application { // Init initializes the cryptographic transcript func (ta *TranscriptApp) Init(connection tapir.Connection) { + if ta.transcript != nil { + ta.panic() + } ta.transcript = core.NewTranscript("tapir-transcript") } @@ -28,5 +32,19 @@ func (ta *TranscriptApp) Transcript() *core.Transcript { // PropagateTranscript overrides the default transcript and propagates a transcript from a previous session func (ta *TranscriptApp) PropagateTranscript(transcript *core.Transcript) { + if ta.transcript != nil { + ta.panic() + } ta.transcript = transcript } + +func (ta *TranscriptApp) panic() { + // Note: if this is ever happens it is a critical application bug + // This will prevent a misuse of application chains that cause an earlier + // transcript to be overwritten. Since we expect the security of many higher level applications + // to be reliant on the randomness provided by the transcript we want to be actively hostile to any potential + // misuse. + log.Errorf("apps should not attempt to intitalize or overwrite a transcript once one has been initialized - this is a CRITICAL bug and so we have safely crashed") + // We could silently fail to do anything here, but that is likely more dangerous in the long run... + panic("apps should not attempt to intitalize or overwrite a transcript a transcript once one has been initialized - this is a CRITICAL bug and so we have safely crashed") +} diff --git a/applications/transcript_app_test.go b/applications/transcript_app_test.go new file mode 100644 index 0000000..e2af7ce --- /dev/null +++ b/applications/transcript_app_test.go @@ -0,0 +1,22 @@ +package applications + +import "testing" + +func TestTranscriptApp(t *testing.T) { + ta := new(TranscriptApp) + ta.Init(MockConnection{}) + ta.Transcript().NewProtocol("test") + ta.transcript.CommitToTranscript("test-commit") + t.Logf(ta.Transcript().OutputTranscriptToAudit()) + + // Now we test panic'ing.... + defer func() { + if r := recover(); r == nil { + t.Errorf("The code did not panic - it definitely should have") + } + }() + + // Attempt to reinitialized the transcript, apps should *never* do this and we want to be hostile to that + // behaviour + ta.Init(MockConnection{}) +}