keymanager/src/churp: Respond to requests only if node is in committee

An enclave should respond to share reduction and SGX policy key share requests only if it is part of the committee. Similarly, it should only respond to bivariate share, proactivization, and share distribution requests if the node has applied for the next committee.
oasisprotocol · Jul 25, 2024 · 381407e · 381407e
1 parent 86cc53b
commit 381407e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/.changelog/5792.trivial.md b/.changelog/5792.trivial.md
diff --git a/keymanager/src/churp/handler.rs b/keymanager/src/churp/handler.rs
@@ -1182,6 +1182,10 @@ impl<S: Suite> Instance<S> {
 impl<S: Suite> Handler for Instance<S> {
     fn verification_matrix(&self, req: &QueryRequest) -> Result<Vec<u8>> {
         let status = self.verify_last_handoff(req.epoch)?;
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
+
         let shareholder = self.get_shareholder(status.handoff)?;
         let vm = shareholder
             .verifiable_share()
@@ -1197,6 +1201,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<Vec<u8>> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let kind = Self::handoff_kind(&status);
         if !matches!(kind, HandoffKind::CommitteeChanged) {
@@ -1225,6 +1232,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<Vec<u8>> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.applications.contains_key(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let kind = Self::handoff_kind(&status);
         if !matches!(kind, HandoffKind::CommitteeChanged) {
@@ -1254,6 +1264,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<EncodedVerifiableSecretShare> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.applications.contains_key(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let node_id = req.node_id.as_ref().ok_or(Error::NotAuthenticated)?;
         if !status.applications.contains_key(node_id) {
@@ -1307,6 +1320,9 @@ impl<S: Suite> Handler for Instance<S> {
         if status.handoff != req.epoch {
             return Err(Error::HandoffMismatch.into());
         }
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         // Note that querying past key shares can fail at this point
         // if the policy has changed.