Merge pull request #103 from dfns/publish-fix

Security fix
LFDT-Lockness · Jul 18, 2024 · 9b458cd · 9b458cd
2 parents 9c4d4b8 + d07ddc5
commit 9b458cd
Show file tree

Hide file tree

Showing 30 changed files with 863 additions and 570 deletions.
diff --git a/.github/changelog.sh b/.github/changelog.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+m_branch=m;
+changelog_file=CHANGELOG.md;
+
+# fetch master since we might be in a shallow clone
+git fetch origin "$m_branch:$m_branch" --depth=1
+
+changed=0;
+for log in */"$changelog_file"; do
+    dir=$(dirname "$log");
+    # check if version changed
+    if git diff "$m_branch" -- "$dir/Cargo.toml" | grep -q "^-version = "; then
+        # check if changelog updated
+        if git diff --exit-code --no-patch "$m_branch" -- "$log"; then
+            echo "$dir version changed, but $log is not updated"
+            changed=1;
+        fi
+    fi
+done
+
+exit "$changed";
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
@@ -16,6 +16,7 @@ jobs:
   track_deps:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
     steps:
     - uses: actions/checkout@v3

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -6,10 +6,15 @@ on:
   push:
     branches: [ "m" ]
 
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+
 jobs:
   build_pdf:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
     steps:
     - uses: actions/checkout@v3
@@ -74,4 +79,4 @@ jobs:
         path: 'website'
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@v4
+      uses: actions/deploy-pages@v4
diff --git a/.github/workflows/readme.yml b/.github/workflows/readme.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     branches: [ "*" ]
 
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+
 jobs:
   check_readme:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -106,6 +106,7 @@ jobs:
   bench:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
     needs: build
     steps:
@@ -140,3 +141,9 @@ jobs:
         cache-on-failure: "true"
     - name: Dry-run publish
       run: cargo publish --dry-run -p ${{ matrix.package }}
+  check-changelog:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check changelogs
+      run: ./.github/changelog.sh
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,3 +9,38 @@ members = [
 exclude = [
     "wasm/no_std",
 ]
+
+[workspace.dependencies]
+cggmp21 = { version = "0.4", path = "cggmp21" }
+cggmp21-keygen = { version = "0.3", path = "cggmp21-keygen" }
+key-share = { version = "0.4", path = "key-share", default-features = false }
+
+generic-ec = { version = "0.4", default-features = false } 
+generic-ec-zkp = { version = "0.4", default-features = false } 
+round-based = { version = "0.3", default-features = false }
+
+paillier-zk = "0.4" 
+udigest = { version = "0.2", default-features = false }
+
+digest = { version = "0.10", default-features = false }
+sha2 = { version = "0.10", default-features = false }
+
+rand = "0.8"
+rand_core = { version = "0.6", default-features = false }
+rand_hash = { version = "0.1" }
+rand_dev = "0.1"
+
+futures = "0.3"
+
+anyhow = "1"
+thiserror = "1"
+displaydoc = { version = "0.2", default-features = false }
+
+serde = { version = "1", default-features = false }
+serde_with = { version = "2", default-features = false }
+serde_json = "1"
+hex = { version = "0.4", default-features = false }
+
+slip-10 = { version = "0.4", default-features = false }
+
+generic-tests = "0.1"
diff --git a/cggmp21-keygen/CHANGELOG.md b/cggmp21-keygen/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## v0.3.0
+* security fix: derive challenges for zero-knowledge proof unambiguously
+* Update `udigest` to v0.2
+* Update `generic-ec` to v0.4
+* Update `slip-10` to v0.4
+
 ## v0.2.0
 * Make library `#![no_std]`-compatible and WASM-friendly [#100]
 * Provide sync API to carry out DKG protocol [#100]

diff --git a/cggmp21-keygen/Cargo.toml b/cggmp21-keygen/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cggmp21-keygen"
-version = "0.2.0"
+version = "0.3.0"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 description = "UC-secure DKG implementation based on CGGMP21 paper"
@@ -11,25 +11,25 @@ keywords = ["mpc", "dkg", "threshold-signatures", "tss"]
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-key-share = { path = "../key-share", version = "0.3", default-features = false, features = ["serde"] }
-slip-10 = { version = "0.3", default-features = false, optional = true }
+key-share = { workspace = true, features = ["serde"] }
+slip-10 = { workspace = true, optional = true }
 
-generic-ec = { version = "0.3", default-features = false, features = ["serde", "udigest"] }
-generic-ec-zkp = { version = "0.3", default-features = false, features = ["serde", "udigest"] }
-udigest = { version = "0.1", default-features = false, features = ["derive"]}
+generic-ec = { workspace = true, features = ["serde", "udigest", "hash-to-scalar"] }
+generic-ec-zkp = { workspace = true, features = ["serde", "udigest"] }
+udigest = { workspace = true, features = ["derive"]}
 
-round-based = { version = "0.3", default-features = false, features = ["derive"] }
+round-based = { workspace = true, features = ["derive"] }
 
-sha2 = { version = "0.10", default-features = false }
-digest = { version = "0.10", default-features = false }
-rand_core = { version = "0.6", default-features = false }
+sha2 = { workspace = true }
+digest = { workspace = true }
+rand_core = { workspace = true }
 
-serde = { version = "1", default-features = false, features = ["derive"] }
-serde_with = { version = "2", default-features = false }
-hex = { version = "0.4", default-features = false, features = ["serde"] }
+serde = { workspace = true, features = ["derive"] }
+serde_with = { workspace = true }
+hex = { workspace = true, features = ["serde"] }
 
-displaydoc = { version = "0.2", default-features = false }
-thiserror = { version = "1", optional = true }
+displaydoc = { workspace = true }
+thiserror = { workspace = true, optional = true }
 
 [features]
 default = ["std"]

diff --git a/cggmp21-keygen/src/execution_id.rs b/cggmp21-keygen/src/execution_id.rs
@@ -3,8 +3,9 @@
 /// Each protocol execution must have unique execution ID. All signers taking part in the protocol
 /// (keygen/signing/etc.) must share the same execution ID, otherwise protocol will abort with
 /// unverbose error.
-#[derive(Clone, Copy)]
+#[derive(Clone, Copy, udigest::Digestable)]
 pub struct ExecutionId<'id> {
+    #[udigest(as_bytes)]
     id: &'id [u8],
 }
 

diff --git a/cggmp21-keygen/src/lib.rs b/cggmp21-keygen/src/lib.rs
@@ -23,7 +23,6 @@ mod threshold;
 
 mod errors;
 mod execution_id;
-mod rng;
 mod utils;
 
 use alloc::vec::Vec;