nimforum mirror - Nim ask for the Aptos Blockchain, nimAptos

Cnerd (orginal) [2024-06-20T22:57:36+02:00] view original

I present to you folks, after a year of working on this project. https://github.com/C-NERD/nimAptos . This is Nim's sdk for the Aptos Blockchain. Also accompanying this project is https://github.com/C-NERD/nimBcs which is implementation of binary canonical serialization in Nim. BCS is greatly used in nimAptos. I had posted about nimBcs in the past, but It's a bit more stable now so I felt I should talk about it. I would like the community to subject these projects to extensive testing and to report any issues that may arise. I plan to make them more stable going forward. Thanks

Cnerd (orginal) [2024-06-20T22:59:10+02:00] view original

Sorry for the title error, autocorrect did me dirty

demotomohiro (orginal) [2024-06-21T00:48:13+02:00] view original

I just skimed your code and looks like std/random module is used for cryptographic purposes in randomSeed proc: https://github.com/C-NERD/nimAptos/blob/main/src/aptos/ed25519/ed25519.nim https://github.com/C-NERD/nimAptos/blob/main/src/aptos/accounts/aptos_account.nim

Please read: https://nim-lang.org/docs/random.html

You can use this module instead: https://nim-lang.org/docs/sysrand.html

randomSeed proc returns a 32 bytes value but random module can generate only 2^(16 * 8) - 1 values because Rand has only 16 bytes status.

Cnerd (orginal) [2024-06-21T01:01:38+02:00] view original

Thank you for the feedback, I'll look into it and implement a fix immediately.

Cnerd (orginal) [2024-06-21T14:17:13+02:00] view original

I have replaced std/random with std/sysrand in the randomSeed proc of the ed25519 module. I also fixed some errors I noticed occured due to dependency version mistakes, Thanks once more for pointing out the improvement to make on the randomSeed proc.

Also I would love if more members of the community would participate in stress testing this library as it would help make it better. And that if anyone wishes to participate, the person should also try to post the issue on the github issue of the repo so that it will be easier for others to find in the future, Thanks

mratsim (orginal) [2024-06-24T00:12:34+02:00] view original

I'm not sure what your threat model is regarding cryptography but this is a big no-no:

https://github.com/C-NERD/nimAptos/blob/08b838a/src/aptos/ed25519/ed25519.nim#L60-L72

You're using the standard library hex parsing which is vulnerable to timing attacks and MUST NOT be used for cryptographic keys. Either use:

a hex parser supplied by libsodium if any

or nimcrypto's: https://github.com/cheatfate/nimcrypto/blob/71bca15/nimcrypto/utils.nim#L58-L59

or Constantine's (disclaimer, I'm the author): https://github.com/mratsim/constantine/blob/5952e64/constantine/serialization/codecs.nim#L101-L102

There are very unidiomatic blank lines and indents in your library after function declarations or var sections.

Cnerd (orginal) [2024-06-24T08:37:11+02:00] view original

Thank you for this observation. I have pushed a fix to the devel branch at https://github.com/C-NERD/nimAptos/commit/6efcfda09cc7868ded304f4cf9cb8f89cfda7691 using libsodium procs bin2hex and hex2bin.

 I'm not sure what your threat model is regarding cryptography but this is a big no-no

Currently I do not have a threat model, but I'll be sure to draft one in the coming days. Any tips on what to lookout for in terms of cryptographic security?

 There are very unidiomatic blank lines and indents in your library after function declarations or var sections.

The blanklines are simply for aesthetics, I like how they look and it make code more readable to me.

Thanks again

Mirror of forum.nim-lang.org

11808 :: Nim ask for the Aptos Blockchain, nimAptos