[❄] Check secret share is part of session

This protects against a programmer error which (might?) be exploitable. It looks like we used to have this check. I should probably write a test but we want to get rid of the need for this in the future.
LLFourn · Nov 7, 2024 · 32ca7fd · 32ca7fd
1 parent 19607d6
commit 32ca7fd
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/schnorr_fun/src/frost/session.rs b/schnorr_fun/src/frost/session.rs
@@ -205,11 +205,12 @@ impl PartySignSession {
     ///
     /// ## Return value
     ///
-    /// Returns a signature share
+    /// Returns a signature share. It will be valid if the right `secret_nonce` and `secret_share` was used.
     ///
     /// ## Panics
     ///
-    /// Panics if the `secret_share` was not part of the signing session
+    /// - If `secret_share` was not part of the signing session
+    /// - If `secret_share` is not paired with the same public key as the session.
     pub fn sign(
         &self,
         secret_share: &PairedSecretShare<EvenY>,
@@ -218,6 +219,9 @@ impl PartySignSession {
         if self.public_key != secret_share.public_key() {
             panic!("the share's shared key is not the same as the shared key of the session");
         }
+        if !self.parties.contains(&secret_share.index()) {
+            panic!("this signer is not part of this signing session");
+        }
         let secret_share = secret_share.secret_share();
         let lambda = poly::eval_basis_poly_at_0(secret_share.index, self.parties.iter().cloned());
         let [mut r1, mut r2] = secret_nonce.secret;