finding 7: hash-pin g1 and g2 SRS at bbapi entry

suyash67 · suyash67 · commit 2c2381860f3c · 2026-05-01T21:45:03.000Z
diff --git a/barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp b/barretenberg/cpp/src/barretenberg/bbapi/bbapi_srs.cpp
@@ -5,11 +5,15 @@
 #include "barretenberg/bbapi/bbapi_srs.hpp"
 #include "barretenberg/common/serialize.hpp"
 #include "barretenberg/common/thread.hpp"
+#include "barretenberg/crypto/sha256/sha256.hpp"
 #include "barretenberg/ecc/curves/bn254/g1.hpp"
 #include "barretenberg/ecc/curves/bn254/g2.hpp"
 #include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
 #include "barretenberg/numeric/uint256/uint256.hpp"
+#include "barretenberg/srs/factories/bn254_crs_data.hpp"
+#include "barretenberg/srs/factories/bn254_g1_chunk_hashes.hpp"
 #include "barretenberg/srs/global_crs.hpp"
+#include <span>
 
 namespace bb::bbapi {
 
@@ -30,6 +34,24 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
             }
         });
     } else if (bytes_per_point == COMPRESSED_POINT_SIZE) {
+        // Verify SHA-256 of every fully-present 4 MB chunk against the in-binary pin
+        // BN254_G1_CHUNK_HASHES before decompression. This is the same defense as
+        // verify_bn254_crs_integrity used by get_bn254_g1_data on the C++ download path; without
+        // it, bb.js (which downloads g1_compressed.dat externally and forwards the bytes here)
+        // would have no cryptographic gate against a tampered or wrong-trusted-setup payload.
+        // Partial trailing data is not chunk-hash-verified — instead the post-parse generator and
+        // tau·G checks below close the small-num_points gap.
+        size_t num_full_chunks = points_buf.size() / bb::srs::SRS_CHUNK_SIZE_BYTES;
+        size_t chunks_to_verify = std::min(num_full_chunks, static_cast<size_t>(bb::srs::SRS_NUM_FULL_CHUNKS));
+        for (size_t i = 0; i < chunks_to_verify; ++i) {
+            auto chunk = std::span<const uint8_t>(points_buf.data() + i * bb::srs::SRS_CHUNK_SIZE_BYTES,
+                                                  bb::srs::SRS_CHUNK_SIZE_BYTES);
+            auto hash = bb::crypto::sha256(chunk);
+            if (hash != bb::srs::BN254_G1_CHUNK_HASHES[i]) {
+                throw_or_abort("SrsInitSrs: g1 compressed chunk " + std::to_string(i) + " SHA-256 mismatch");
+            }
+        }
+
         // Compressed: decompress and return uncompressed bytes for caller to cache
         parallel_for([&](ThreadChunk chunk) {
             for (auto i : chunk.range(static_cast<size_t>(num_points))) {
@@ -50,11 +72,25 @@ SrsInitSrs::Response SrsInitSrs::execute(BB_UNUSED BBApiRequest& request) &&
                        std::to_string(bytes_per_point));
     }
 
-    // Parse G2 point from buffer (128 bytes). `serialize_from_buffer` validates that the bytes
-    // decode to a curve point but does NOT enforce subgroup membership. BN254 G2 has a non-trivial
-    // cofactor (h2 ≈ 2^254), so a curve point may lie in a small cofactor subgroup of order
-    // dividing h2 rather than the prime-order subgroup of order r. Reject anything outside
-    // the prime-order subgroup before it reaches the SRS factory.
+    // Parsed-form sanity check that pins the first two G1 points to their canonical trusted-setup
+    // values. Catches a wrong-SRS swap even when num_points is below one chunk (where the
+    // compressed-chunk hash loop above has nothing to verify) and runs identically for the
+    // uncompressed input path.
+    if (num_points >= 1 && g1_points[0] != bb::srs::BN254_G1_FIRST_ELEMENT) {
+        throw_or_abort("SrsInitSrs: g1_points[0] is not the canonical BN254 generator");
+    }
+    if (num_points >= 2 && g1_points[1] != bb::srs::get_bn254_g1_second_element()) {
+        throw_or_abort("SrsInitSrs: g1_points[1] does not match the canonical trusted-setup tau·G");
+    }
+
+    // Defense in depth: hash-pin AND subgroup-check the G2 input. Hash equality alone is sufficient
+    // for the canonical case (it implies prime-order membership); the subgroup check is kept so
+    // that any future relaxation of the hash gate (e.g. a flag to allow a different trusted setup)
+    // does not silently reopen audit finding #7's small-subgroup attack.
+    auto g2_hash = bb::crypto::sha256(std::span<const uint8_t>(g2_point.data(), g2_point.size()));
+    if (g2_hash != bb::srs::BN254_G2_ELEMENT_SHA256) {
+        throw_or_abort("SrsInitSrs: g2_point bytes do not match the canonical Aztec [x]_2 SHA-256");
+    }
     auto g2_point_elem = from_buffer<g2::affine_element>(g2_point.data());
     if (!g2_point_elem.is_in_prime_subgroup()) {
         throw_or_abort("SrsInitSrs: g2_point is not in the BN254 G2 prime-order subgroup");
