Update Vault validate observations

[russell-stern]

Summary

Fixes two malicious-node liveness vulnerabilities in the vault OCR plugin where observations could pass ValidateObservation but fail to reach consensus in StateTransition when only 2F+1 observations are available.

Fix 1 — Pending queue observation validation (no flag, needs to be merged after optimizations flag is enabled)

ValidateObservation now re-runs appendPendingQueueObservations using the submitted PendingQueueItems and SortNonce to compute the expected truncation point, then requires the submitted observations to be an ordered prefix of exactly that length.

This blocks attacks where a malicious node submits too few items (e.g. only the first or last pending queue item), which would otherwise leave honest nodes one observation short of the 2F+1 GetSecrets quorum.

Fix 2 — Ciphertextless GetSecrets observations (feature-flagged)

GetSecrets observations previously included EncryptedValue in the observation SHA without validating it, so a malicious node could submit fake ciphertext and split consensus.

When VaultCiphertextlessObservationsEnabled is on:

• Observation omits ciphertext from GetSecrets responses
• shaForObservation excludes ciphertext from the SHA
• StateTransition reads the real ciphertext from KV when building outcomes

The optimizations smoke topology enables both VaultOptimizationsEnabled and VaultCiphertextlessObservationsEnabled.

[github-actions]

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[github-actions]

✅ No conflicts with other open PRs targeting develop

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[cedric-cordenier]

Nit: worth inlining IMO -- I don't think you gain much by abstracting this out

[russell-stern]

We have this practice with all our gates, the one liner is long so this make it easier to read when you put the gate directly into an if

[cedric-cordenier]

I do wonder if this has some weird error modes and I think we should ask research to take a look.

One possibility that springs to mind: we generate the shares during Observation, but then a request in the same batch updates the secret. If this is processed before the get request in StateTransition, the shares will effectively be for an outdated version of the ciphertext.

It might be safer to hash the ciphertext so that we can effectively "pin" the shares to a particular ciphertext to avoid issues like this.

[russell-stern]

There's a caching system in StateTransition now so you always get the ciphertext that was present at the start of the round even if that same secret is updated before you get it

[cedric-cordenier]

You shouldn't use a getter when writing; this will initialize a nil Data if it doesn't exist which may lead to unexpected results. You're guarding against that above, so you can just use resp.Data.EncryptedValue = foo

[russell-stern]

It doesn't allow me to access resp.Data directly

[cl-sonarqube-production]

Quality Gate passed

Issues
5 New issues
1 Fixed issue
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube