use bdn to fix vulnerable bls aggregation

MixinNetwork · Oct 16, 2024 · 914c46e · 914c46e
1 parent 00d64d3
commit 914c46e
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 24 deletions.
diff --git a/api/http.go b/api/http.go
@@ -106,7 +106,7 @@ func (hdr *Handler) error(w http.ResponseWriter, r *http.Request, code int) {
 func (hdr *Handler) json(w http.ResponseWriter, r *http.Request, code int, data interface{}) {
 	id := r.Header.Get("X-Request-ID")
 	logger.Info(r.Method, r.URL, id, code, data)
-	hdr.render.JSON(w, code, data)
+	_ = hdr.render.JSON(w, code, data)
 }
 
 func handleCORS(handler http.Handler) http.Handler {
@@ -121,14 +121,14 @@ func handleCORS(handler http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Allow-Methods", "OPTIONS,GET,POST,DELETE")
 		w.Header().Set("Access-Control-Max-Age", "600")
 		if r.Method == "OPTIONS" {
-			render.New().JSON(w, http.StatusOK, map[string]interface{}{})
+			_ = render.New().JSON(w, http.StatusOK, map[string]interface{}{})
 		} else {
 			handler.ServeHTTP(w, r)
 		}
 	})
 }
 
-func handlePanic(w http.ResponseWriter, r *http.Request) {
+func handlePanic(_ http.ResponseWriter, _ *http.Request) {
 	rcv := recover()
 	if rcv == nil {
 		return

diff --git a/crypto/bls.go b/crypto/bls.go
@@ -7,20 +7,20 @@ import (
 	"github.com/btcsuite/btcd/btcutil/base58"
 	"github.com/drand/kyber"
 	"github.com/drand/kyber/pairing/bn256"
-	"github.com/drand/kyber/sign/bls"
+	"github.com/drand/kyber/sign/bdn"
 )
 
 const (
 	KeyVersion = 'T'
 )
 
 func Sign(scalar kyber.Scalar, msg []byte) ([]byte, error) {
-	scheme := bls.NewSchemeOnG1(bn256.NewSuiteG2())
+	scheme := bdn.NewSchemeOnG1(bn256.NewSuiteG2())
 	return scheme.Sign(scalar, msg)
 }
 
 func Verify(pub kyber.Point, msg, sig []byte) error {
-	scheme := bls.NewSchemeOnG1(bn256.NewSuiteG2())
+	scheme := bdn.NewSchemeOnG1(bn256.NewSuiteG2())
 	return scheme.Verify(pub, msg, sig)
 }
 

diff --git a/keeper/guard_test.go b/keeper/guard_test.go
@@ -1,7 +1,6 @@
 package keeper
 
 import (
-	"bytes"
 	"context"
 	"crypto/rand"
 	"encoding/base64"
@@ -221,7 +220,7 @@ func TestGuard(t *testing.T) {
 	resNew, err := Guard(bs, signer, newIdentity, signature, data)
 	assert.Nil(err)
 	assert.NotNil(resNew)
-	assert.True(bytes.Compare(res.Assignor, resNew.Assignor) == 0)
+	assert.Equal(res.Assignor, resNew.Assignor)
 	_, _, counter, err = bs.Watch(watcherSeed)
 	assert.Nil(err)
 	assert.Equal(3, counter)

diff --git a/sdk/go/tip_test.go b/sdk/go/tip_test.go
@@ -39,11 +39,14 @@ func TestTip(t *testing.T) {
 	nonce = 123
 	sig, evicted, err = client.Sign(key, ephemeral, nonce, grace, "", "", watcher)
 	assert.NotNil(err)
+	assert.Len(evicted, 4)
+	assert.Len(sig, 0)
 
 	nonce = 1234
 	sig, evicted, err = client.Sign(key, ephemeral, nonce, grace, "", "", watcher)
 	assert.Nil(err)
 	assert.Len(evicted, 0)
+	assert.Equal("8258bc1a22db4865529d7c01a949d303e4d834d6fe79fcf746c6ad3fcb2ee37583975a034eea3ad08105c856f5c302ed02e2b11b71440d9e31da5b06097b691f", hex.EncodeToString(sig))
 	log.Println(hex.EncodeToString(sig))
 }
 
@@ -55,27 +58,27 @@ func testConfigurationJSON() *Configuration {
 			"5Jm9wNExYE3BcjYoHagvzPwWgK9WtAVf9JEwyQugDfT88GmZZr6Ztb9tALV4cYamauNunuVzaCmmZHmhK9yztGWyAKtoe6VeTfEdUzLBhXq3ZQznxxJrEbADKN1GZFmx7xcRVe7iL2AxuwDRkXcgBiTNL4afNLmQ3tiW3t8VnpwxBoxzahoSaY",
 		},
 		Signers: []*signerPair{
-			&signerPair{
+			{
 				Identity: "5HrRVnj6PdfxKojB44te1XqhDSCexUxSognLi96SVx5B6VdnKkbyvUGcpkdQodg9rKgxM5v61ypmbJNGVWJTuacKUSZQfkq1mnc6P4XybemuXYmwSd5g2zkaArPc8VDTU5eEPuvgguSD8cnEgnMZzW7rJfaWoJU1DW6k2ujzUx15EjAG3WDTeG",
 				API:      "http://127.0.0.1:7022",
 			},
-			&signerPair{
+			{
 				Identity: "5HzufHDbh8kUj3oBiYWeEe4wamNMmQ4BZ5uZULxGsyKYULpWLUdzzBb73EExRDgUxZD5vu6iA61ds7QGSjeCWazSmpXv7sMaHfizSnHjxeoEy1TumWVqGJhtAAYwAJPzUbTdyzEGz5r9hRSYFAmHkhwCwLi8BoSk8V2scv6r7LdfphGbXSWSAV",
 				API:      "http://127.0.0.1:7023",
 			},
-			&signerPair{
+			{
 				Identity: "5JRrcBgsnUVr8D7tdTHX8nZAbkpPD4C5TS82KEbBMiV3inVp1vSu4gBwB1WwhQFguGbmkgrvA2vmtfY6GXhyFnh4SRoEQT2jVNTsk91pcPUaZ8nQcEdDAUjKXCTFi6TPDYPYPUsAK67kUXEtyNocsYUijKdF9pGRKUk92Rk7iRuJ3eqADYH7NB",
 				API:      "http://127.0.0.1:7021",
 			},
-			&signerPair{
+			{
 				Identity: "5Jt4ztqknKHcAw13RALYx2mXT9qkKKJTvrU7W7HNcF7vGKxzh5tvSqQvrY4aZCVqzk46DV8X69qudryZsjyKjzLJMjyRMYiDoQY7WZvNk874cibXAoZrUbp7Eyc8DgNLnPycisLbNofh3iJpKMK2qpsQH7AsFkAMdhH8KLFoBGruTs1XcevoC1",
 				API:      "http://127.0.0.1:7024",
 			},
 		},
 	}
 }
 
-func testRunServer(port int) error {
+func testRunServer(port int) {
 	ctx := context.Background()
 	store := testBadgerStore(port)
 	if store == nil {
@@ -94,7 +97,10 @@ func testRunServer(port int) error {
 	ac.Poly = node.GetPoly()
 	ac.Share = node.GetShare()
 	server := api.NewServer(store, ac)
-	return server.ListenAndServe()
+	err := server.ListenAndServe()
+	if err != nil {
+		panic(err)
+	}
 }
 
 func testBadgerStore(port int) *store.BadgerStorage {

diff --git a/signer/setup.go b/signer/setup.go
@@ -13,7 +13,7 @@ import (
 	"github.com/drand/kyber/pairing/bn256"
 	"github.com/drand/kyber/share"
 	"github.com/drand/kyber/share/dkg"
-	"github.com/drand/kyber/sign/bls"
+	"github.com/drand/kyber/sign/bdn"
 	"golang.org/x/crypto/sha3"
 )
 
@@ -38,7 +38,7 @@ func (node *Node) setup(ctx context.Context, nonce uint64) error {
 		Threshold: node.Threshold(),
 		Longterm:  node.key,
 		Nonce:     node.getNonce(nonce),
-		Auth:      bls.NewSchemeOnG1(suite),
+		Auth:      bdn.NewSchemeOnG1(suite),
 		FastSync:  true,
 		NewNodes:  node.signers,
 	}
@@ -50,14 +50,17 @@ func (node *Node) setup(ctx context.Context, nonce uint64) error {
 		return err
 	}
 	node.phaser <- dkg.DealPhase
-	go func() error {
+	go func() {
 		defer node.dkgDone()
 		pub, priv, err = node.runDKG(ctx, protocol)
 		logger.Verbose("runDKG", hex.EncodeToString(pub), hex.EncodeToString(priv), err)
 		if err != nil {
-			return err
+			panic(err)
+		}
+		err = node.store.WritePoly(pub, priv)
+		if err != nil {
+			panic(err)
 		}
-		return node.store.WritePoly(pub, priv)
 	}()
 	return nil
 }
@@ -66,7 +69,7 @@ func (node *Node) NextPhase() chan dkg.Phase {
 	return node.phaser
 }
 
-func (node *Node) runDKG(ctx context.Context, protocol *dkg.Protocol) ([]byte, []byte, error) {
+func (node *Node) runDKG(_ context.Context, protocol *dkg.Protocol) ([]byte, []byte, error) {
 	resCh := protocol.WaitEnd()
 	optRes := <-resCh
 	if optRes.Error != nil {

diff --git a/store/badger.go b/store/badger.go
@@ -95,7 +95,7 @@ func (bs *BadgerStorage) CheckEphemeralNonce(key, ephemeral []byte, nonce uint64
 			valid = true
 			return txn.Set(key, val)
 		}
-		if bytes.Compare(v[8:len(v)-8], ephemeral) != 0 {
+		if !bytes.Equal(v[8:len(v)-8], ephemeral) {
 			return nil
 		}
 		old = binary.BigEndian.Uint64(v[len(v)-8:])
@@ -138,7 +138,7 @@ func (bs *BadgerStorage) CheckPolyGroup(group []byte) (bool, error) {
 		if err != nil {
 			return err
 		}
-		if bytes.Compare(old, group) == 0 {
+		if bytes.Equal(old, group) {
 			valid = true
 		}
 		return nil
@@ -196,7 +196,7 @@ func (bs *BadgerStorage) WriteAssignee(key []byte, assignee []byte) error {
 			}
 		}
 
-		if bytes.Compare(key, assignee) != 0 {
+		if !bytes.Equal(key, assignee) {
 			old, err := readKey(txn, badgerKeyPrefixAssignee, assignee)
 			if err != nil {
 				return err
@@ -320,7 +320,7 @@ func (bs *BadgerStorage) WriteSignRequest(assignor, watcher []byte) (time.Time,
 		old, err = readKey(txn, badgerKeyPrefixWatcher, watcher)
 		if err != nil {
 			return err
-		} else if old != nil && bytes.Compare(old, assignor) != 0 {
+		} else if old != nil && !bytes.Equal(old, assignor) {
 			return fmt.Errorf("invalid watcher %x", watcher)
 		}
 		key = append([]byte(badgerKeyPrefixWatcher), watcher...)