non-standard ECDSA sighash types are not preserved, but allowed in PSBT

[apoelstra]

In #669 (comment) we decided to allow non-standard sighash types in PSBT partial signatures, on the grounds that the PSBT spec doesn't forbid them and they're allowed by consensus.

However, as Sanket reminds me at rust-bitcoin/rust-miniscript#290 (comment), our EcdsaSighHashType does not actually distinguish between different nonstandard sighash types, and effectively silently converts them all to 1. This will cause bugs in PSBT if somebody actually tries to use the sighash type.

Solutions are:

• Petition the Bitcoin BIPs repo to restrict PSBT to disallow nonstandard sighash types
• Restrict sighash types in our code, regardless of what the BIP says
• Fix the EcdsaSigHashType to keep track of which nonstandard type it uses (and then do the right thing during sighash computations, serialization, etc)

[apoelstra]

Ah, I see Sanket opened #776 which implements my second suggestion.

[Kixunil]

I think it'd be great to at least probe other Bitcoin devs what they think about restricting things. I strongly dislike doing things against standards, especially in Bitcoin. Historically breaking standard caused us pain.

[sanket1729]

@Kixunil, we are already doing the standardness check in the library for one component. In some sense, we are already reliant on it.

rust-bitcoin/src/util/psbt/serialize.rs

Line 174 in 907b3a7

if rv.as_u32() == raw {

Most of the reason the psbt standard has sighash as u32 instead of allowed values is that it is how it is serialized in segwitv0 signatures.
A few reasons to restrict SigHashType to standard values instead of free-floating u32.

• Non-standard transactions are not relayed by the network, but they can be mined. We should stand along the side of warning users that they are dealing with non-standard transactions, instead of succeeding the API. Bitcoin Core, or BIP does not mention this, but I think there is a lot of value in doing this and we get cleaner types.
• There are virtually zero users of non-standard sig hash types. If they want to sign a transaction, they can use the raw APIs directly that supports non-standard sighash types. I don't think we should sacrifice high-level psbt APIs for something that will never be used.
• The hairy details of which sighash types are allowed are even more complicated. AFAIR, bits 2 and 3 are free-flow bits, and there is some weird masking going on in from_u32_consensus.
• The Bip also does not mention that bitcoin publickeys should be valid, it merely states that they should be 33/65 bytes. I think there may even be some more ECDSA standardness signature rules that we are restricting. By nature of a strong type system in rust, we benefit a lot from restricting these to only valid values that a struct can take.

Overall, I think our approach should be:

• We should have support to parse, accept and validate blocks, transactions, and signatures containing non-standard data. We want to support validation and use-cases like block explorers that might potentially have to deal with non-standard transactions. In short, all code that deals with data over the bitcoin p2p network should follow consensus rules and support non-standard stuff.
• All of the application-level user APIs(like psbt) should treat non-standard stuff as second-class citizens and optimize the code quality for standardness rules. We should not allow users to create pbsts that might be non-standard when spent.

[Kixunil]

Great, at least we have a strong rationale for this and not blindly ignoring it nor we overlooked it. :)
I really want to agree with you it just feels a bit like a minefield. So let's explore:

• I can't imagine any security vulnerability stemming from making things stricter except for attacks where two pieces of software disagree on validity of data. I'm not sure what a good mitigation would be here. "Write better doc" sounds too hand-wavy. However nobody I know of builds "transaction firewalls" today so that at least buys us some time. Also I don't think there's anything stricter than this so having rust-bitcoin at the boundary should be fine.
• Someone could get annoyed we don't support the features he wants. This is a more general problem, we can tell people to make a PR or fork it.
• Communication issues - someone could falsely rely on thinking this is according to the standard. I suggest to very clearly document this is not true BIP 174 but a stricter form. I was thinking calling it "stricter PSBT" in docs
• Reputation issue - someone may be worried that we don't follow the standard perfectly (a reasonable caution I'd say). This library really doesn't have a competition if someone wants Rust and we don't get paid by consumers so probably not a big deal. Also anyone reasonable would read the rationale and at least see we're not ignorant, stupid, careless...
• Probably all of these can be solved by updating the BIP or writing a new one to describe the strictness.

Overall doesn't seem too bad now that I look at it but would be interested if someone has more experience with (defense agains) attacks I mentioned and still would like to document it well.

[sanket1729]

Probably all of these can be solved by updating the BIP or writing a new one to describe the strictness.

I will bring this up with the author of the BIP.

[dr-orlovsky]

Is this issue fully or only partially covered by #779?

[apoelstra]

It's not really related. #779 will preserve hashtypes when reserializing PSBTs but when you actually try to use them (e.g. with the rust-miniscript finalizer) then the PsbtSigHashType will need to be converted to a "real" SigHashType and then the information will be lost.

[sanket1729]

This also affects the signature_hash computation algorithm and is thus not related to the psbt spec completely. After some deliberation on the issue. I think we should just the bullet and add another enum variant to EcdsaSigHashType.

[Kixunil]

Hmm, this is in 0.28 milestone but not closed, kinda strange isn't it?