Add additional checks to key_gen/sign

There is the ability to cause state bloat by flooding Tributary. KeyGen/Sign specifically shouldn't allow bloat since we check the commitments/preprocesses/shares for validity. Accordingly, any invalid data (such as bloat) should be detected. It was posssible to place bloat after the valid data. Doing so would be considered a valid KeyGen/Sign message, yet could add up to 50k kB per sign.
2025-03-12 09:26:51 +00:00 · 2023-04-20 05:22:59 -04:00 · 2023-04-20 05:22:59 -04:00 · 8b5eaa8092
commit 8b5eaa8092
parent 8041a0d845
2 changed files with 26 additions and 4 deletions
--- a/processor/src/key_gen.rs
+++ b/processor/src/key_gen.rs
@ -267,6 +267,12 @@ impl<C: Coin, D: Db> KeyGen<C, D> {
        let (coin_machine, coin_shares) =
          handle_machine(&mut rng, params, machines.1, &mut commitments_ref);

+        for (_, commitments) in commitments_ref {
+          if !commitments.is_empty() {
+            todo!("malicious signer: extra bytes");
+          }
+        }
+
        self.active_share.insert(id.set, (substrate_machine, coin_machine));

        let mut shares: HashMap<_, _> =
@ -354,6 +360,12 @@ impl<C: Coin, D: Db> KeyGen<C, D> {
        let substrate_keys = handle_machine(&mut rng, params, machines.0, &mut shares_ref);
        let coin_keys = handle_machine(&mut rng, params, machines.1, &mut shares_ref);

+        for (_, shares) in shares_ref {
+          if !shares.is_empty() {
+            todo!("malicious signer: extra bytes");
+          }
+        }
+
        let mut coin_keys = ThresholdKeys::new(coin_keys);
        C::tweak_keys(&mut coin_keys);

--- a/processor/src/signer.rs
+++ b/processor/src/signer.rs
@ -374,9 +374,14 @@ impl<C: Coin, D: Db> Signer<C, D> {
        let preprocesses = match preprocesses
          .drain()
          .map(|(l, preprocess)| {
-            machine
-              .read_preprocess::<&[u8]>(&mut preprocess.as_ref())
-              .map(|preprocess| (l, preprocess))
+            let mut preprocess_ref = preprocess.as_ref();
+            let res = machine
+              .read_preprocess::<&[u8]>(&mut preprocess_ref)
+              .map(|preprocess| (l, preprocess));
+            if !preprocess_ref.is_empty() {
+              todo!("malicious signer: extra bytes");
+            }
+            res
          })
          .collect::<Result<_, _>>()
        {
@ -424,7 +429,12 @@ impl<C: Coin, D: Db> Signer<C, D> {
        let shares = match shares
          .drain()
          .map(|(l, share)| {
-            machine.read_share::<&[u8]>(&mut share.as_ref()).map(|share| (l, share))
+            let mut share_ref = share.as_ref();
+            let res = machine.read_share::<&[u8]>(&mut share_ref).map(|share| (l, share));
+            if !share_ref.is_empty() {
+              todo!("malicious signer: extra bytes");
+            }
+            res
          })
          .collect::<Result<_, _>>()
        {