vmware · WildFireFlum · Apr 1, 2022 · Apr 12, 2022 · Apr 12, 2022 · Apr 13, 2022
@@ -3,5 +3,6 @@
 
 # Ignore all protobuf/gRPC generated source files
 *.pb.cc
-# ignore test as it tests moved obkects
-*lru_cache_test.cpp
+# ignore test as it tests moved objects
+*lru_cache_test.cpp
+*BenchmarkThreshsign.cpp
@@ -34,7 +34,8 @@ jobs:
           run: |
               script -q -e -c "make pull"
               sudo df -h
-              script -q -e -c "CONCORD_BFT_CMAKE_OMIT_TEST_OUTPUT=TRUE CONCORD_BFT_CMAKE_KEEP_APOLLO_LOGS=FALSE CONCORD_BFT_CMAKE_ASAN=TRUE CONCORD_BFT_CMAKE_USE_FAKE_CLOCK_IN_TIME_SERVICE=TRUE make build" \
+              script -q -e -c "CONCORD_BFT_CMAKE_OMIT_TEST_OUTPUT=TRUE CONCORD_BFT_CMAKE_KEEP_APOLLO_LOGS=FALSE CONCORD_BFT_CMAKE_ASAN=TRUE CONCORD_BFT_CMAKE_USE_FAKE_CLOCK_IN_TIME_SERVICE=TRUE \
+              make build" \
               && script -q -e -c "make test"
         - name: Check if ASAN passed
           if: always()

@@ -29,7 +29,8 @@ jobs:
           script -q -e -c "make pull"
           sudo df -h
           script -q -e -c "CONCORD_BFT_CONTAINER_CC=clang CONCORD_BFT_CONTAINER_CXX=clang++ \
-          CONCORD_BFT_CMAKE_CODECOVERAGE=TRUE CONCORD_BFT_CMAKE_TRANSPORT=UDP make build" && script -q -e -c "make test"
+          CONCORD_BFT_CMAKE_CODECOVERAGE=TRUE CONCORD_BFT_CMAKE_TRANSPORT=UDP \
+          make build" && script -q -e -c "make test"
         continue-on-error: true
 
       - name: Generate code coverage report for apollo tests

@@ -34,7 +34,8 @@ jobs:
           run: |
               script -q -e -c "make pull"
               sudo df -h
-              script -q -e -c "CONCORD_BFT_CMAKE_OMIT_TEST_OUTPUT=TRUE CONCORD_BFT_CMAKE_KEEP_APOLLO_LOGS=FALSE CONCORD_BFT_CMAKE_TSAN=TRUE CONCORD_BFT_CMAKE_USE_FAKE_CLOCK_IN_TIME_SERVICE=TRUE make build" \
+              script -q -e -c "CONCORD_BFT_CMAKE_OMIT_TEST_OUTPUT=TRUE CONCORD_BFT_CMAKE_KEEP_APOLLO_LOGS=FALSE CONCORD_BFT_CMAKE_TSAN=TRUE CONCORD_BFT_CMAKE_USE_FAKE_CLOCK_IN_TIME_SERVICE=TRUE \
+              make build" \
               && script -q -e -c "make test"
         - name: Check if TSAN passed
           if: always()

@@ -19,10 +19,11 @@ if(NOT CMAKE_BUILD_TYPE)
     set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "Enable debug or release builds" FORCE)
 endif()
 
-if (NOT DEFINED USE_LOG4CPP)
-  option(USE_LOG4CPP "Enable LOG4CPP" ON)
+if(NOT DEFINED USE_LOG4CPP)
+    option(USE_LOG4CPP "Enable LOG4CPP" ON)
 endif()
 
+option(USE_RELIC "Enable usage of Relic library for BLS threshold signature generation/verification" OFF)
 option(RUN_APOLLO_TESTS "Enable Apollo tests run" ON)
 option(KEEP_APOLLO_LOGS "Retains logs from replicas in separate folder for each test in build/tests/apollo/logs" ON)
 option(TXN_SIGNING_ENABLED "Enable External concord client transcattion signing" ON)
@@ -43,11 +44,17 @@ option(USE_JSON "Enable use of JSON library" ON)
 option(USE_HTTPLIB "Enable use of httplib" ON)
 option(USE_GRPC "Enable GRPC and Protobuf" ON)
 option(USE_OPENSSL "Enable use of OpenSSL" ON)
+option(USE_EDDSA_OPENSSL "Enable use of EdDSA's OpenSSL implementation for signature generation and verification" ON)
 option(BUILD_THIRDPARTY "Wheter to build third party librarie or use preinstalled ones" OFF)
 option(CODECOVERAGE "Enable Code Coverage Metrics in Clang" OFF)
 option(ENABLE_RESTART_RECOVERY_TESTS "Enable tests for restart recovery" OFF)
 
-if(USE_OPENSSL AND NOT BUILD_THIRDPARTY)
+if(NOT (USE_EDDSA_OPENSSL OR USE_RELIC))
+    message(FATAL_ERROR "At least one threshold/multisig implementation needs to be chosen, "
+            "Define at least one of the following cmake options: [USE_EDDSA_OPENSSL, USE_RELIC]")
+endif()
+
+if((USE_OPENSSL OR USE_EDDSA_OPENSSL) AND NOT BUILD_THIRDPARTY)
     set(OPENSSL_ROOT_DIR /usr/local/ssl) # not to confuse with system ssl libs
 endif()
 

@@ -1,6 +1,6 @@
 CONCORD_BFT_DOCKER_REPO?=concordbft/
 CONCORD_BFT_DOCKER_IMAGE?=concord-bft
-CONCORD_BFT_DOCKER_IMAGE_VERSION?=0.44
+CONCORD_BFT_DOCKER_IMAGE_VERSION?=0.45
 CONCORD_BFT_DOCKER_CONTAINER?=concord-bft
 
 CONCORD_BFT_DOCKERFILE?=Dockerfile

@@ -21,10 +21,7 @@
 #include "bftengine/IStateTransfer.hpp"
 #include "Metrics.hpp"
 #include "kvstream.h"
-#include "Digest.hpp"
-
-using concord::util::digest::Digest;
-using concord::util::digest::BlockDigest;
+#include "crypto/digest.hpp"
 
 namespace concord {
 namespace storage {
@@ -48,7 +45,7 @@ namespace bcst {
 // blocks.
 // Blocks are numbered. The first block should be block number 1.
 
-// represnts a digest
+// represents a digest
 #pragma pack(push, 1)
 struct StateTransferDigest {
   char content[DIGEST_SIZE];
@@ -61,7 +58,7 @@ void computeBlockDigest(const uint64_t blockId,
                         const uint32_t blockSize,
                         StateTransferDigest *outDigest);
 
-BlockDigest computeBlockDigest(const uint64_t blockId, const char *block, const uint32_t blockSize);
+concord::crypto::BlockDigest computeBlockDigest(const uint64_t blockId, const char *block, const uint32_t blockSize);
 
 // This interface should be implemented by the application/storage layer.
 // It is used by the state transfer module.

@@ -18,6 +18,7 @@
 #include "ReplicaConfig.hpp"
 #include "IKeyExchanger.hpp"
 #include "Logger.hpp"
+#include "crypto/crypto.hpp"
 
 namespace bftEngine {
 typedef std::int64_t SeqNum;                    // TODO [TK] redefinition
@@ -51,11 +52,29 @@ class CryptoManager : public IKeyExchanger, public IMultiSigKeyGenerator {
   std::shared_ptr<IThresholdVerifier> thresholdVerifierForOptimisticCommit(const SeqNum sn) const {
     return get(sn)->thresholdVerifierForOptimisticCommit_;
   }
+
+  std::unique_ptr<Cryptosystem>& getLatestCryptoSystem() const { return cryptoSystems_.rbegin()->second->cryptosys_; }
+
+  /**
+   * @return An algorithm identifier for the latest threshold signature scheme
+   */
+  concord::crypto::SignatureAlgorithm getLatestSignatureAlgorithm() const {
+    const std::unordered_map<std::string, concord::crypto::SignatureAlgorithm> typeToAlgorithm{
+        {MULTISIG_BLS_SCHEME, concord::crypto::SignatureAlgorithm::BLS},
+        {THRESHOLD_BLS_SCHEME, concord::crypto::SignatureAlgorithm::BLS},
+        {MULTISIG_EDDSA_SCHEME, concord::crypto::SignatureAlgorithm::EdDSA},
+    };
+    auto currentType = getLatestCryptoSystem()->getType();
+    return typeToAlgorithm.at(currentType);
+  }
+
   // IMultiSigKeyGenerator methods
-  std::pair<std::string, std::string> generateMultisigKeyPair() override {
+  std::tuple<std::string, std::string, concord::crypto::SignatureAlgorithm> generateMultisigKeyPair() override {
     LOG_INFO(logger(), "Generating new multisig key pair");
-    return cryptoSystems_.rbegin()->second->cryptosys_->generateNewKeyPair();
+    auto [priv, pub] = getLatestCryptoSystem()->generateNewKeyPair();
+    return {priv, pub, getLatestSignatureAlgorithm()};
   }
+
   // IKeyExchanger methods
   // onPrivateKeyExchange and onPublicKeyExchange callbacks for a given checkpoint may be called in a different order.
   // Therefore the first called will create a CryptoSys

@@ -10,9 +10,10 @@
 // file.
 
 #pragma once
-#include "crypto_utils.hpp"
 #include <string>
 #include <cstdint>
+#include <tuple>
+#include "crypto/crypto.hpp"
 
 // Interface for objects that need to be notified on key rotation
 class IKeyExchanger {
@@ -25,11 +26,11 @@ class IKeyExchanger {
 class IMultiSigKeyGenerator {
  public:
   virtual ~IMultiSigKeyGenerator() {}
-  virtual std::pair<std::string, std::string> generateMultisigKeyPair() = 0;
+  virtual std::tuple<std::string, std::string, concord::crypto::SignatureAlgorithm> generateMultisigKeyPair() = 0;
 };
 
 class IClientPublicKeyStore {
  public:
   virtual ~IClientPublicKeyStore() = default;
-  virtual void setClientPublicKey(uint16_t clientId, const std::string& key, concord::util::crypto::KeyFormat) = 0;
+  virtual void setClientPublicKey(uint16_t clientId, const std::string& key, concord::crypto::KeyFormat) = 0;
 };
@@ -18,8 +18,9 @@
 #include "Metrics.hpp"
 #include "secrets_manager_impl.h"
 #include "SysConsts.hpp"
-#include "crypto_utils.hpp"
+#include "crypto/crypto.hpp"
 #include <future>
+
 namespace bftEngine::impl {
 
 class IInternalBFTClient;
@@ -30,7 +31,7 @@ class KeyExchangeManager {
  public:
   void exchangeTlsKeys(const SeqNum& bft_sn);
   // Generates and publish key to consensus
-  void sendKeyExchange(const SeqNum&);
+  void generateConsensusKeyAndSendInternalClientMsg(const SeqNum& sn);
   // Send the current main public key of the replica to consensus
   void sendMainPublicKey();
   // Generates and publish the first replica's key,
@@ -48,7 +49,7 @@ class KeyExchangeManager {
     uint32_t liveClusterSize = ReplicaConfig::instance().waitForFullCommOnStartup ? clusterSize_ : quorumSize_;
     bool exchange_self_keys = publicKeys_.keyExists(ReplicaConfig::instance().replicaId);
     return ReplicaConfig::instance().getkeyExchangeOnStart()
-               ? (publicKeys_.numOfExchangedReplicas() >= liveClusterSize - 1) && exchange_self_keys
+               ? (publicKeys_.numOfExchangedReplicas() + 1 >= liveClusterSize) && exchange_self_keys
                : true;
   }
   const std::string kInitialKeyExchangeCid = "KEY-EXCHANGE-";
@@ -64,10 +65,10 @@ class KeyExchangeManager {
   void sendInitialClientsKeys(const std::string&);
   void onPublishClientsKeys(const std::string& keys, std::optional<std::string> bootstrap_keys);
   // called on a new client key
-  void onClientPublicKeyExchange(const std::string& key, concord::util::crypto::KeyFormat, NodeIdType clientId);
+  void onClientPublicKeyExchange(const std::string& key, concord::crypto::KeyFormat, NodeIdType clientId);
   // called when client keys are loaded
   void loadClientPublicKey(const std::string& key,
-                           concord::util::crypto::KeyFormat,
+                           concord::crypto::KeyFormat,
                            NodeIdType clientId,
                            bool saveToReservedPages);
   ///////// end - Clients public keys interface///////////////
@@ -92,11 +93,15 @@ class KeyExchangeManager {
         std::string cid;
         // seqnum of key exchange request
         SeqNum sn;
+        // Key algorithm
+        concord::crypto::SignatureAlgorithm algorithm;
+
         void clear() {
           priv.clear();
           pub.clear();
           cid.clear();
           sn = 0;
+          algorithm = concord::crypto::SignatureAlgorithm::Uninitialized;
         }
       } generated;
       // seqnum -> private key

@@ -22,11 +22,13 @@ struct KeyExchangeMsg : public concord::serialize::SerializableFactory<KeyExchan
   uint16_t repID;
   uint64_t generated_sn;
   uint64_t epoch;
+  uint16_t algorithm;
 
   std::string toString() const {
     std::stringstream ss;
     ss << "pubkey [" << pubkey << "] replica id [" << repID << "] generate sequence number [" << generated_sn
-       << "] epoch [" << epoch << "]";
+       << "] epoch [" << epoch << "]"
+       << " algorithm [" << algorithm << "]";
     return ss.str();
   }
   static KeyExchangeMsg deserializeMsg(const char* serializedMsg, const int& size) {
@@ -38,19 +40,21 @@ struct KeyExchangeMsg : public concord::serialize::SerializableFactory<KeyExchan
   }
 
  protected:
-  const std::string getVersion() const override { return "1"; }
+  const std::string getVersion() const override { return "2"; }
   void serializeDataMembers(std::ostream& outStream) const override {
     serialize(outStream, op);
     serialize(outStream, pubkey);
     serialize(outStream, repID);
     serialize(outStream, generated_sn);
     serialize(outStream, epoch);
+    serialize(outStream, algorithm);
   }
   void deserializeDataMembers(std::istream& inStream) override {
     deserialize(inStream, op);
     deserialize(inStream, pubkey);
     deserialize(inStream, repID);
     deserialize(inStream, generated_sn);
     deserialize(inStream, epoch);
+    deserialize(inStream, algorithm);
   }
 };
@@ -20,8 +20,7 @@
 #include <chrono>
 #include "string.hpp"
 #include "kvstream.h"
-
-#include "Serializable.h"
+#include "crypto/factory.hpp"
 
 namespace bftEngine {
 
@@ -281,6 +280,16 @@ class ReplicaConfig : public concord::serialize::SerializableFactory<ReplicaConf
                "the concord-ctl script");
   CONFIG_PARAM(kvBlockchainVersion, std::uint32_t, 1u, "Default version of KV blockchain for this replica");
 
+  CONFIG_PARAM(replicaMsgSigningAlgo,
+               concord::crypto::SIGN_VERIFY_ALGO,
+               concord::crypto::SIGN_VERIFY_ALGO::EDDSA,
+               "A flag to specify the replica message signing algorithm. It is defaulted to use EDDSA algo.");
+
+  CONFIG_PARAM(operatorMsgSigningAlgo,
+               concord::crypto::SIGN_VERIFY_ALGO,
+               concord::crypto::SIGN_VERIFY_ALGO::EDDSA,
+               "A flag to specify the operator message signing algorithm. It is defaulted to use EDDSA algo.");
+
   // Parameter to enable/disable waiting for transaction data to be persisted.
   // Not predefined configuration parameters
   // Example of usage:
@@ -406,6 +415,8 @@ class ReplicaConfig : public concord::serialize::SerializableFactory<ReplicaConf
     serialize(outStream, diagnosticsServerPort);
     serialize(outStream, useUnifiedCertificates);
     serialize(outStream, kvBlockchainVersion);
+    serialize(outStream, operatorMsgSigningAlgo);
+    serialize(outStream, replicaMsgSigningAlgo);
   }
   void deserializeDataMembers(std::istream& inStream) {
     deserialize(inStream, isReadOnly);
@@ -506,6 +517,8 @@ class ReplicaConfig : public concord::serialize::SerializableFactory<ReplicaConf
     deserialize(inStream, diagnosticsServerPort);
     deserialize(inStream, useUnifiedCertificates);
     deserialize(inStream, kvBlockchainVersion);
+    deserialize(inStream, operatorMsgSigningAlgo);
+    deserialize(inStream, replicaMsgSigningAlgo);
   }
 
  private:
@@ -591,6 +604,10 @@ inline std::ostream& operator<<(std::ostream& os, const ReplicaConfig& rc) {
               rc.adaptivePruningIntervalPeriod,
               rc.dbSnapshotIntervalSeconds.count());
   os << ",";
+  const auto replicaMsgSignAlgo =
+      (concord::crypto::SIGN_VERIFY_ALGO::RSA == rc.replicaMsgSigningAlgo) ? "rsa" : "eddsa";
+  const auto operatorMsgSignAlgo =
+      (concord::crypto::SIGN_VERIFY_ALGO::ECDSA == rc.operatorMsgSigningAlgo) ? "ecdsa" : "eddsa";
   os << KVLOG(rc.dbCheckpointMonitorIntervalSeconds.count(),
               rc.dbCheckpointDiskSpaceThreshold,
               rc.enableMultiplexChannel,
@@ -599,7 +616,9 @@ inline std::ostream& operator<<(std::ostream& os, const ReplicaConfig& rc) {
               rc.enablePreProcessorMemoryPool,
               rc.diagnosticsServerPort,
               rc.useUnifiedCertificates,
-              rc.kvBlockchainVersion);
+              rc.kvBlockchainVersion,
+              replicaMsgSignAlgo,
+              operatorMsgSignAlgo);
   os << ", ";
   for (auto& [param, value] : rc.config_params_) os << param << ": " << value << "\n";
   return os;

@@ -71,15 +71,13 @@ class Communication : public ICommunication {
   uint16_t repId_;
 };
 
-class InternalSigner : public concord::util::crypto::ISigner {
+class InternalSigner : public concord::crypto::ISigner {
  public:
-  std::string sign(const std::string& data) override {
-    std::string out;
-    out.resize(bftEngine::impl::SigManager::instance()->getMySigLength());
-    bftEngine::impl::SigManager::instance()->sign(data.data(), data.size(), out.data(), signatureLength());
-    return out;
+  size_t signBuffer(const concord::Byte* dataIn, size_t dataLen, concord::Byte* sigOutBuffer) override {
+    return bftEngine::impl::SigManager::instance()->sign(dataIn, dataLen, sigOutBuffer);
   }
-  uint32_t signatureLength() const override { return bftEngine::impl::SigManager::instance()->getMySigLength(); }
+
+  size_t signatureLength() const override { return bftEngine::impl::SigManager::instance()->getMySigLength(); }
   std::string getPrivKey() const override { return ""; }
 };