From 86cc53b8d530576929021315ed626ca778dbb9e2 Mon Sep 17 00:00:00 2001
From: Peter Nose <peter.nose@gmail.com>
Date: Thu, 25 Jul 2024 10:18:24 +0200
Subject: [PATCH 1/2] keymanager/src/churp: Minor fixes

---
 keymanager/src/churp/handler.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/keymanager/src/churp/handler.rs b/keymanager/src/churp/handler.rs
index d61eddb7082..d69e709c675 100644
--- a/keymanager/src/churp/handler.rs
+++ b/keymanager/src/churp/handler.rs
@@ -1182,9 +1182,7 @@ impl<S: Suite> Instance<S> {
 impl<S: Suite> Handler for Instance<S> {
     fn verification_matrix(&self, req: &QueryRequest) -> Result<Vec<u8>> {
         let status = self.verify_last_handoff(req.epoch)?;
-        let shareholder = match status.suite_id {
-            SuiteId::NistP384Sha3_384 => self.get_shareholder(req.epoch)?,
-        };
+        let shareholder = self.get_shareholder(status.handoff)?;
         let vm = shareholder
             .verifiable_share()
             .verification_matrix()

From 381407e4e584ae48b336a6c9fd355a4e900d4365 Mon Sep 17 00:00:00 2001
From: Peter Nose <peter.nose@gmail.com>
Date: Thu, 25 Jul 2024 10:28:58 +0200
Subject: [PATCH 2/2] keymanager/src/churp: Respond to requests only if node is
 in committee

An enclave should respond to share reduction and SGX policy key share
requests only if it is part of the committee. Similarly, it should only
respond to bivariate share, proactivization, and share distribution
requests if the node has applied for the next committee.
---
 .changelog/5792.trivial.md      |  0
 keymanager/src/churp/handler.rs | 16 ++++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 .changelog/5792.trivial.md

diff --git a/.changelog/5792.trivial.md b/.changelog/5792.trivial.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/keymanager/src/churp/handler.rs b/keymanager/src/churp/handler.rs
index d69e709c675..06c3706c370 100644
--- a/keymanager/src/churp/handler.rs
+++ b/keymanager/src/churp/handler.rs
@@ -1182,6 +1182,10 @@ impl<S: Suite> Instance<S> {
 impl<S: Suite> Handler for Instance<S> {
     fn verification_matrix(&self, req: &QueryRequest) -> Result<Vec<u8>> {
         let status = self.verify_last_handoff(req.epoch)?;
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
+
         let shareholder = self.get_shareholder(status.handoff)?;
         let vm = shareholder
             .verifiable_share()
@@ -1197,6 +1201,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<Vec<u8>> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let kind = Self::handoff_kind(&status);
         if !matches!(kind, HandoffKind::CommitteeChanged) {
@@ -1225,6 +1232,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<Vec<u8>> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.applications.contains_key(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let kind = Self::handoff_kind(&status);
         if !matches!(kind, HandoffKind::CommitteeChanged) {
@@ -1254,6 +1264,9 @@ impl<S: Suite> Handler for Instance<S> {
         req: &QueryRequest,
     ) -> Result<EncodedVerifiableSecretShare> {
         let status = self.verify_next_handoff(req.epoch)?;
+        if !status.applications.contains_key(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         let node_id = req.node_id.as_ref().ok_or(Error::NotAuthenticated)?;
         if !status.applications.contains_key(node_id) {
@@ -1307,6 +1320,9 @@ impl<S: Suite> Handler for Instance<S> {
         if status.handoff != req.epoch {
             return Err(Error::HandoffMismatch.into());
         }
+        if !status.committee.contains(&self.node_id) {
+            return Err(Error::NotInCommittee.into());
+        }
 
         // Note that querying past key shares can fail at this point
         // if the policy has changed.