refactor: add helper function to sign messages with blsKeyOperator

Avoid passing around the operator secret key if we can help it. Ask
CActiveMasternodeManager to perform the operation for you instead.
Kittywhiskers Van Gogh 2024-03-12 02:52:08 +00:00
parent 3827355cce
commit 3eb931b596
No known key found for this signature in database
GPG Key ID: 30CD0C065E5C4AAD
5 changed files with 55 additions and 35 deletions


@ -52,7 +52,7 @@ bool CCoinJoinQueue::Sign()
if (!fMasternodeMode) return false;
uint256 hash = GetSignatureHash();
CBLSSignature sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(hash, false));
CBLSSignature sig = ::activeMasternodeManager->Sign(hash, /*is_legacy=*/ false);
if (!sig.IsValid()) {
return false;
}
@ -104,7 +104,7 @@ bool CCoinJoinBroadcastTx::Sign()
if (!fMasternodeMode) return false;
uint256 hash = GetSignatureHash();
CBLSSignature sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(hash, false));
CBLSSignature sig = ::activeMasternodeManager->Sign(hash, /*is_legacy=*/ false);
if (!sig.IsValid()) {
return false;
}


@ -23,38 +23,42 @@ void CMNAuth::PushMNAUTH(CNode& peer, CConnman& connman, const CBlockIndex* tip)
{
if (!fMasternodeMode) return;
LOCK(::activeMasternodeManager->cs);
if (::activeMasternodeManager->m_info.proTxHash.IsNull()) return;
uint256 signHash;
const auto receivedMNAuthChallenge = peer.GetReceivedMNAuthChallenge();
if (receivedMNAuthChallenge.IsNull()) {
return;
}
// We include fInbound in signHash to forbid interchanging of challenges by a man in the middle (MITM). This way
// we protect ourselves against MITM in this form:
// node1 <- Eve -> node2
// It does not protect against:
// node1 -> Eve -> node2
// This is ok as we only use MNAUTH as a DoS protection and not for sensitive stuff
int nOurNodeVersion{PROTOCOL_VERSION};
if (Params().NetworkIDString() != CBaseChainParams::MAIN && gArgs.IsArgSet("-pushversion")) {
nOurNodeVersion = gArgs.GetArg("-pushversion", PROTOCOL_VERSION);
}
const bool is_basic_scheme_active{DeploymentActiveAfter(tip, Params().GetConsensus(), Consensus::DEPLOYMENT_V19)};
const CBLSPublicKeyVersionWrapper pubKey(*::activeMasternodeManager->m_info.blsPubKeyOperator, !is_basic_scheme_active);
if (peer.nVersion < MNAUTH_NODE_VER_VERSION || nOurNodeVersion < MNAUTH_NODE_VER_VERSION) {
signHash = ::SerializeHash(std::make_tuple(pubKey, receivedMNAuthChallenge, peer.IsInboundConn()));
} else {
signHash = ::SerializeHash(std::make_tuple(pubKey, receivedMNAuthChallenge, peer.IsInboundConn(), nOurNodeVersion));
}
CMNAuth mnauth;
mnauth.proRegTxHash = ::activeMasternodeManager->m_info.proTxHash;
mnauth.sig = ::activeMasternodeManager->m_info.blsKeyOperator->Sign(signHash);
uint256 signHash;
{
LOCK(::activeMasternodeManager->cs);
if (::activeMasternodeManager->m_info.proTxHash.IsNull()) {
return;
}
const auto receivedMNAuthChallenge = peer.GetReceivedMNAuthChallenge();
if (receivedMNAuthChallenge.IsNull()) {
return;
}
// We include fInbound in signHash to forbid interchanging of challenges by a man in the middle (MITM). This way
// we protect ourselves against MITM in this form:
// node1 <- Eve -> node2
// It does not protect against:
// node1 -> Eve -> node2
// This is ok as we only use MNAUTH as a DoS protection and not for sensitive stuff
int nOurNodeVersion{PROTOCOL_VERSION};
if (Params().NetworkIDString() != CBaseChainParams::MAIN && gArgs.IsArgSet("-pushversion")) {
nOurNodeVersion = gArgs.GetArg("-pushversion", PROTOCOL_VERSION);
}
const bool is_basic_scheme_active{DeploymentActiveAfter(tip, Params().GetConsensus(), Consensus::DEPLOYMENT_V19)};
const CBLSPublicKeyVersionWrapper pubKey(*::activeMasternodeManager->m_info.blsPubKeyOperator, !is_basic_scheme_active);
if (peer.nVersion < MNAUTH_NODE_VER_VERSION || nOurNodeVersion < MNAUTH_NODE_VER_VERSION) {
signHash = ::SerializeHash(std::make_tuple(pubKey, receivedMNAuthChallenge, peer.IsInboundConn()));
} else {
signHash = ::SerializeHash(std::make_tuple(pubKey, receivedMNAuthChallenge, peer.IsInboundConn(), nOurNodeVersion));
}
mnauth.proRegTxHash = ::activeMasternodeManager->m_info.proTxHash;
} // ::activeMasternodeManager->cs
mnauth.sig = ::activeMasternodeManager->Sign(signHash);
LogPrint(BCLog::NET_NETCONN, "CMNAuth::%s -- Sending MNAUTH, peer=%d\n", __func__, peer.GetId());
connman.PushMessage(&peer, CNetMsgMaker(peer.GetCommonVersion()).Make(NetMsgType::MNAUTH, mnauth));
}
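Review bot: In PushMNAUTH the operator public key that goes into `signHash` and the `proTxHash` are read inside the scoped `LOCK`, but the signature is produced afterwards by `::activeMasternodeManager->Sign(signHash)`, which takes `cs` a second time. If `m_info` can be updated between the two acquisitions, the message could commit to one key and be signed with another; if `m_info` is fixed after initialisation, a comment at the closing brace would make the narrowing obviously safe, e.g. `// m_info is not expected to change after init; Sign() re-takes cs`. Separately, `mnauth.sig` is pushed without an `IsValid()` check, unlike the CoinJoin `Sign()` callers in this commit; `if (!mnauth.sig.IsValid()) return;` before the `LogPrint` would avoid sending an MNAUTH that the peer presumably rejects.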


@ -199,7 +199,7 @@ void CDKGSession::SendContributions(CDKGPendingMessages& pendingMessages)
logger.Batch("encrypted contributions. time=%d", t1.count());
qc.sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(qc.GetSignHash()));
qc.sig = ::activeMasternodeManager->Sign(qc.GetSignHash());
logger.Flush();
@ -517,7 +517,7 @@ void CDKGSession::SendComplaint(CDKGPendingMessages& pendingMessages)
logger.Batch("sending complaint. badCount=%d, complaintCount=%d", badCount, complaintCount);
qc.sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(qc.GetSignHash()));
qc.sig = ::activeMasternodeManager->Sign(qc.GetSignHash());
logger.Flush();
@ -711,7 +711,7 @@ void CDKGSession::SendJustification(CDKGPendingMessages& pendingMessages, const
return;
}
qj.sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(qj.GetSignHash()));
qj.sig = ::activeMasternodeManager->Sign(qj.GetSignHash());
logger.Flush();
@ -1003,7 +1003,7 @@ void CDKGSession::SendCommitment(CDKGPendingMessages& pendingMessages)
(*commitmentHash.begin())++;
}
qc.sig = WITH_LOCK(::activeMasternodeManager->cs, return ::activeMasternodeManager->m_info.blsKeyOperator->Sign(commitmentHash));
qc.sig = ::activeMasternodeManager->Sign(commitmentHash);
qc.quorumSig = skShare.Sign(commitmentHash);
if (lieType == 3) {


@ -251,3 +251,15 @@ bool CActiveMasternodeManager::IsValidNetAddr(const CService& addrIn)
return !Params().RequireRoutableExternalIP() ||
(addrIn.IsIPv4() && IsReachable(addrIn) && addrIn.IsRoutable());
}
[[nodiscard]] CBLSSignature CActiveMasternodeManager::Sign(const uint256& hash) const
{
AssertLockNotHeld(cs);
return WITH_LOCK(cs, return Assert(m_info.blsKeyOperator)->Sign(hash));
}
[[nodiscard]] CBLSSignature CActiveMasternodeManager::Sign(const uint256& hash, const bool is_legacy) const
{
AssertLockNotHeld(cs);
return WITH_LOCK(cs, return Assert(m_info.blsKeyOperator)->Sign(hash, is_legacy));
}
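Review bot: Both `Sign` overloads wrap the key in `Assert(m_info.blsKeyOperator)`, so a call made while no operator key is loaded terminates the node instead of returning an invalid signature (assuming `Assert` aborts here as it does in upstream Bitcoin Core). The callers visible in this commit gate only on `fMasternodeMode`, and the CoinJoin ones already handle `!sig.IsValid()`, so the precondition should be stated where the helper is declared: `/** Sign hash with the operator key. The key must be set (asserts otherwise); the caller must not hold cs. */`. If a missing key is a reachable state rather than a programming error, returning a default-constructed `CBLSSignature` would let those existing `IsValid()` checks handle it.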


@ -12,6 +12,7 @@
class CBLSPublicKey;
class CBLSSecretKey;
class CBLSSignature;
class CDeterministicMNManager;
struct CActiveMasternodeInfo {
@ -63,6 +64,9 @@ public:
static bool IsValidNetAddr(const CService& addrIn);
[[nodiscard]] CBLSSignature Sign(const uint256& hash) const LOCKS_EXCLUDED(cs);
[[nodiscard]] CBLSSignature Sign(const uint256& hash, const bool is_legacy) const LOCKS_EXCLUDED(cs);
private:
bool GetLocalAddress(CService& addrRet);
};
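Review bot: The new `Sign` declarations do not by themselves keep the operator secret key inside the class: PushMNAUTH in this same commit still reads `::activeMasternodeManager->m_info` directly, so `m_info.blsKeyOperator` appears to remain reachable by any caller. If the aim is that signing only happens through the manager, a follow-up that makes `m_info` (or at least the secret key member) private and exposes read accessors for `proTxHash` and `blsPubKeyOperator` would enforce it. The class body starts outside this hunk, so the current visibility of `m_info` is inferred from the call sites.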