New feature 25 "Deterministic Finality and Ride V9" added. #1834
alexeykiselev wants to merge 79 commits into master from
* Added bls signature methods
* Added comments
* Enforced no duplicates in signatures and public keys
* Fixed linter issues
* Added pop method
* Added public key validation
* Bls aggregated sig refactoring (#1838)
* BLS package refactoring. Package renamed from blssig to bls. Crypto primitives SecretKey, PublicKey and Signature were added. Public functions Sign and Verify reimplemented to use new primitives. Function to create aggregated signature from multiple Waves secret keys was removed because it was useful only in tests. PoP functions moved to separate file.
* Added test on keys, signature and messages collected from Scala.
* Added tests on PoP functions. Fixed review issues.
* Fixed linter issues.
* Function to create BLS secret key from a Waves secret key moved to bls_test package. Function MustSignatureFromBytes removed.
---------
Co-authored-by: Alexey Kiselev <alexey.kiselev@gmail.com>
* Added block finality schemas
* Added protobuf schemas
* Updated protobuf generated files
* Gosec option to exclude generated files added to security workflow.
* Set protobuf-schemas submodule to track the branch. Submodule updated to the latest commit.
* Generated protobuf code updated to the latest schema.
* Protobuf schemas updated and code regenerated.
* Tidy go modules.
---------
Co-authored-by: Alexey Kiselev <alexey.kiselev@gmail.com>
* Ride version 9 added. New ride function fillList added and tested.
* RideV9 functions replaceFirst and replaceAll implemented and tested.
* New RideV9 functions for bytes/string conversions with reduced complexity implemented and tested. Old conversion functions refactored to use proper input and output limits. RideV9 functions replaceFirst and replaceAll correct behavior on empty old string implemented. Test naming changed to use fmt.Sprintf to support GoLand interface.
* Removed support for 'base16:' prefix for Ride byte conversion functions. Tests modified accordingly.
* Added and tested check that Ride V9 scripts are not allowed before activation of DeterministicFinality feature.
* Meaningless comment removed.
---------
Co-authored-by: Nikolay Eskov <mr.eskov1@yandex.ru>
Proto code regenerated.
#2011) generation period start produces a commitment for the next generation period. Test updated accordingly.
* Added ignoring of endorsement in some cases
* Added verification of endorsements signatures
* Fixed linter issues
* Inverted statement
* Added round changing
* Changed to finalizing parent
* Added a finalized height check
* Changed height for current period
* Fixed linter issues
…es SHA256 digest of the message. (#2016) Tests updated.
Mocks and new tests updated.
* Added delayed finalization
* Added an extended log
* Finalized height is taken from endorsement to form finalization
* WIP: separated pending finalization update and promotion.
* Fix some TODOs.
* Fixed tests.
* Update pkg/state/state.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Nikolay Eskov <mr.eskov1@yandex.ru>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Utility to create CommitToGeneration transactions added. Utility readme file added. Main readme file updated. Make file updated to build new utility.
* Review issues fixed.
    }
    if cfg.preHash { // Perform additional pre-hashing of the seed.
        h := sha256.New()
        _, err := h.Write(seed)
Check failure
Code scanning / CodeQL
Use of a broken or weak cryptographic hashing algorithm on sensitive data High
Copilot Autofix
AI 3 days ago
General fix: replace fast SHA-256 pre-hashing of sensitive seed material with a memory-hard KDF (Argon2id/scrypt) in the pre-hash branch.
Best single fix here (minimal behavior change): in pkg/crypto/bls/bls.go, update GenerateSecretKey so that when cfg.preHash is enabled, it derives a 32-byte seed using golang.org/x/crypto/argon2 (Argon2id) with deterministic parameters and deterministic salt input (cfg.salt). This preserves deterministic key derivation semantics while removing the weak/fast hash usage for sensitive data. Also remove the now-unused crypto/sha256 import and add golang.org/x/crypto/argon2.
| @@ -2,13 +2,13 @@ | ||
|
|
||
| import ( | ||
| "crypto/rand" | ||
| "crypto/sha256" | ||
| "errors" | ||
| "fmt" | ||
| "strings" | ||
|
|
||
| cbls "github.com/cloudflare/circl/sign/bls" | ||
| "github.com/mr-tron/base58" | ||
| "golang.org/x/crypto/argon2" | ||
|
|
||
| "github.com/wavesplatform/gowaves/pkg/crypto" | ||
| "github.com/wavesplatform/gowaves/pkg/util/common" | ||
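Review bot: the hunk headers do not line up: this hunk is a one-for-one import swap (-2,13 +2,13, crypto/sha256 out, golang.org/x/crypto/argon2 in), yet the next hunk's header (-73,12 +67,9) starts six lines earlier in the new file, so either a hunk is missing from what is shown or the headers were not regenerated; regenerate the patch before applying it. Also confirm that golang.org/x/crypto is already a direct requirement in go.mod, since this is the first import of its argon2 package in the file.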
| @@ -73,12 +67,9 @@ | ||
| } | ||
| } | ||
| if cfg.preHash { // Perform additional pre-hashing of the seed. | ||
| h := sha256.New() | ||
| _, err := h.Write(seed) | ||
| if err != nil { | ||
| return SecretKey{}, fmt.Errorf("failed to generate BLS secret key: %w", err) | ||
| } | ||
| seed = h.Sum(nil) | ||
| // Use Argon2id instead of a fast hash to avoid weak password-hashing patterns on sensitive input. | ||
| // Keep deterministic behavior by using configured salt as Argon2 salt input. | ||
| seed = argon2.IDKey(seed, cfg.salt, 1, 64*1024, 4, SecretKeySize) | ||
| } | ||
| csk, err := cbls.KeyGen[cbls.G1](seed, cfg.salt, cfg.info) | ||
| if err != nil { |
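Review bot: this is not a drop-in replacement: every key derived with cfg.preHash enabled changes, because seed now passes through argon2.IDKey instead of sha256 before cbls.KeyGen, so any fixed key or signature test vectors (the commit list mentions vectors collected from Scala) that exercise the preHash path would stop matching. The underlying alert also reads as a false positive: seed here is key material handed to the BLS KeyGen, which already performs its own salted derivation with cfg.salt and cfg.info, not a low-entropy password, so a memory-hard KDF at 64 MiB and 4 threads per key generation adds cost without a corresponding gain; dismissing the alert with that justification is the better fix. If the patch is kept regardless, note that cfg.salt now does double duty as the Argon2 salt and the KeyGen salt, nothing in the hunk rejects an empty cfg.salt before the argon2.IDKey call, and SecretKeySize must satisfy the uint32 keyLen parameter for the call to compile.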
No description provided.