fireblocks / mpc-lib
License: GNU General Public License v3.0
Hi expert.
It seems the ring_pedersen (dlnproof) can be forged; this may lead to an α-shuffle attack.
mpc-lib/src/common/crypto/commitments/ring_pedersen.c
Lines 442 to 450 in 8853061
Suggest including the length of each proof->A[I], like Binance's fix: bnb-chain/tss-lib@bb6fb30
See: https://github.com/verichains/tsshock/blob/main/verichains-tsshock-wp-v1.0.pdf
I cloned this repo to test the library, but when I run the ecdsa_online_test.cpp file, it throws an error:
/test: symbol lookup error: ./test: undefined symbol: secp256k1_ecdsa_recoverable_signature_parse_compact
I also have other questions.
Firstly, I appreciate this README; it's very helpful for me. I successfully ran this code on Ubuntu OS using the provided instructions. However, I am unable to run it on my Mac M1 machine. Please let me know if this code supports macOS. If so, could you please guide me on how to run it on macOS?
The function eddsa_online_signing_service::get_eddsa_signature dereferences a null pointer.
my_s is set to NULL, and the memcmp on line 344 dereferences my_s. If the condition on line 318 is false (i.e. data.signers_ids is empty), or line 332 never executes (i.e. my_id is not a data signer), my_s will be NULL and the eddsa online signing service will crash.
Modified test case to show this here.
This causes the build to fail on recent versions of OpenSSL.
make (main)
make[1]: Entering directory '/home/tobias/repos/mpc-lib/src'
make[2]: Entering directory '/home/tobias/repos/mpc-lib/src/common'
CXX <= cosigner/cosigner_exception.cpp
cosigner/cmp_setup_service.cpp: In member function ‘void fireblocks::common::cosigner::cmp_setup_service::ack_message(const std::map<long unsigned int, fireblocks::common::cosigner::commitment>&, uint8_t (*)[32])’:
cosigner/cmp_setup_service.cpp:638:16: error: ‘int SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
638 | SHA256_Init(&ctx);
| ~~~~~~~~~~~^~~~~~
In file included from cosigner/cmp_setup_service.cpp:7:
/usr/include/openssl/sha.h:73:27: note: declared here
73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
| ^~~~~~~~~~~
cosigner/cmp_setup_service.cpp:641:22: error: ‘int SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
641 | SHA256_Update(&ctx, &i->first, sizeof(uint64_t));
| ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/sha.h:74:27: note: declared here
74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
| ^~~~~~~~~~~~~
cosigner/cmp_setup_service.cpp:642:22: error: ‘int SHA256_Update(SHA256_CTX*, const void*, size_t)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
642 | SHA256_Update(&ctx, &i->second.data, sizeof(commitments_commitment_t));
| ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/sha.h:74:27: note: declared here
74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
| ^~~~~~~~~~~~~
cosigner/cmp_setup_service.cpp:644:17: error: ‘int SHA256_Final(unsigned char*, SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
644 | SHA256_Final(*ack, &ctx);
| ~~~~~~~~~~~~^~~~~~~~~~~~
/usr/include/openssl/sha.h:76:27: note: declared here
76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
| ^~~~~~~~~~~~
cc1plus: all warnings being treated as errors
make[2]: *** [Makefile:46: cosigner/cmp_setup_service.o] Error 1
make[2]: Leaving directory '/home/tobias/repos/mpc-lib/src/common'
make[1]: *** [Makefile:2: all] Error 2
make[1]: Leaving directory '/home/tobias/repos/mpc-lib/src'
make: *** [Makefile:2: all] Error 2
Instead of SHA256_Init, SHA256_Update, SHA256_Final you can use the following interface:
#include <openssl/sha.h>
unsigned char *SHA256(const unsigned char *data, size_t count, unsigned char *md_buf);
Obviously that requires editing some code (it will simplify the code quite a bit).
Another option is to add the following to your CFLAGS:
-Wno-deprecated-declarations
CMP is only suitable for ECDSA. Which paper is the EdDSA implementation based on?
It seems like you don't support threshold ECDSA signatures:
mpc-lib/src/common/cosigner/cmp_setup_service.cpp
Lines 54 to 58 in 84b7fb8
Upon failure of BN_get or BN_copy, is_coprime_fast returns -1. These can fail if OpenSSL fails to allocate the necessary memory (e.g. due to OOM conditions on the OS).
mpc-lib/src/common/crypto/paillier/paillier.c
Lines 9 to 18 in 84b7fb8
mpc-lib/src/common/crypto/paillier/paillier.c
Lines 40 to 43 in 84b7fb8
Many instances throughout the code use an if(!is_coprime_fast(...)) pattern, which will succeed even if the inputs are not in fact coprime when the OOM condition mentioned above is hit. Some (non-exhaustive) examples:
mpc-lib/src/common/cosigner/mta.cpp
Line 825 in 84b7fb8
mpc-lib/src/common/crypto/paillier/paillier_zkp.c
Lines 432 to 436 in 84b7fb8
While these conditions are difficult to trigger in practice, in theory skipping some of these checks may lead to key disclosure.
The most robust solution is to simply panic immediately if these allocations fail. Alternatively, returning 0 in these cases rather than -1 will prevent introduction of similar problematic callsites in the future.
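As an added illustration (not mpc-lib's own code), the following C model shows why the if(!is_coprime_fast(...)) pattern only fails closed for a 0 result and silently accepts the -1 error path; is_coprime_fast here is a constructed stand-in with an injectable allocation failure, and the two check_* functions are hypothetical callsites.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the tri-state contract described in the issue:
 * 1 = coprime, 0 = not coprime, -1 = internal error (allocation failed).
 * The scratch allocation stands in for BN_new()/BN_copy() so an OOM
 * condition can be injected deterministically for demonstration. */
static int g_simulate_oom = 0;

void set_simulate_oom(int on) { g_simulate_oom = on; }

static unsigned long *alloc_scratch(void)
{
    if (g_simulate_oom)
        return NULL;                  /* simulated OpenSSL allocation failure */
    return malloc(sizeof(unsigned long));
}

/* Euclid's gcd; returns -1 when the (simulated) allocation fails. */
int is_coprime_fast(unsigned long a, unsigned long b)
{
    unsigned long *tmp = alloc_scratch();
    if (!tmp)
        return -1;
    while (b != 0) { *tmp = a % b; a = b; b = *tmp; }
    free(tmp);
    return a == 1;
}

/* The pattern flagged in the issue: !(-1) is 0, so an allocation error
 * is treated exactly like "coprime" and the validation is skipped. */
int check_buggy(unsigned long a, unsigned long b)
{
    if (!is_coprime_fast(a, b))
        return 0;                     /* reject */
    return 1;                         /* proceed */
}

/* Fail-closed variant: only an explicit 1 lets processing continue,
 * so both "not coprime" and "could not check" are rejected. */
int check_fixed(unsigned long a, unsigned long b)
{
    if (is_coprime_fast(a, b) != 1)
        return 0;
    return 1;
}

int main(void)
{
    set_simulate_oom(1);
    printf("under OOM: buggy=%d fixed=%d\n", check_buggy(12, 18), check_fixed(12, 18));
    return 0;
}
```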