aboutsummaryrefslogblamecommitdiff
path: root/src/multisig/multisig_kex_msg.cpp
blob: 2bbceb19df9289042242462458ed5bbed55236fe (plain) (tree)

































































































































































































































































































                                                                                                                          
// Copyright (c) 2021, The Monero Project
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
//    conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
//    of conditions and the following disclaimer in the documentation and/or other
//    materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
//    used to endorse or promote products derived from this software without specific
//    prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#include "multisig_kex_msg.h"
#include "multisig_kex_msg_serialization.h"

#include "common/base58.h"
#include "crypto/crypto.h"
extern "C"
{
#include "crypto/crypto-ops.h"
}
#include "cryptonote_basic/cryptonote_format_utils.h"
#include "include_base_utils.h"
#include "ringct/rctOps.h"
#include "serialization/binary_archive.h"
#include "serialization/serialization.h"

#include <boost/utility/string_ref.hpp> 

#include <sstream>
#include <utility>
#include <vector>


#undef MONERO_DEFAULT_LOG_CATEGORY
#define MONERO_DEFAULT_LOG_CATEGORY "multisig"

const boost::string_ref MULTISIG_KEX_V1_MAGIC{"MultisigV1"};
const boost::string_ref MULTISIG_KEX_MSG_V1_MAGIC{"MultisigxV1"};
const boost::string_ref MULTISIG_KEX_MSG_V2_MAGIC_1{"MultisigxV2R1"};  //round 1
const boost::string_ref MULTISIG_KEX_MSG_V2_MAGIC_N{"MultisigxV2Rn"};  //round n > 1

namespace multisig
{
  //----------------------------------------------------------------------------------------------------------------------
  // multisig_kex_msg: EXTERNAL
  //----------------------------------------------------------------------------------------------------------------------
  multisig_kex_msg::multisig_kex_msg(const std::uint32_t round,
    const crypto::secret_key &signing_privkey,
    std::vector<crypto::public_key> msg_pubkeys,
    const crypto::secret_key &msg_privkey) :
      m_kex_round{round}
  {
    CHECK_AND_ASSERT_THROW_MES(round > 0, "Kex round must be > 0.");
    CHECK_AND_ASSERT_THROW_MES(sc_check((const unsigned char*)&signing_privkey) == 0 &&
      signing_privkey != crypto::null_skey, "Invalid msg signing key.");

    if (round == 1)
    {
      CHECK_AND_ASSERT_THROW_MES(sc_check((const unsigned char*)&msg_privkey) == 0 &&
        msg_privkey != crypto::null_skey, "Invalid msg privkey.");

      m_msg_privkey = msg_privkey;
    }
    else
    {
      for (const auto &pubkey : msg_pubkeys)
      {
        CHECK_AND_ASSERT_THROW_MES(pubkey != crypto::null_pkey && pubkey != rct::rct2pk(rct::identity()),
          "Pubkey for message was invalid.");
        CHECK_AND_ASSERT_THROW_MES((rct::scalarmultKey(rct::pk2rct(pubkey), rct::curveOrder()) == rct::identity()),
          "Pubkey for message was not in prime subgroup.");
      }

      m_msg_pubkeys = std::move(msg_pubkeys);
    }
    CHECK_AND_ASSERT_THROW_MES(crypto::secret_key_to_public_key(signing_privkey, m_signing_pubkey),
      "Failed to derive public key");

    // sets message and signing pub key
    construct_msg(signing_privkey);
  }
  //----------------------------------------------------------------------------------------------------------------------
  // multisig_kex_msg: EXTERNAL
  //----------------------------------------------------------------------------------------------------------------------
  multisig_kex_msg::multisig_kex_msg(std::string msg) : m_msg{std::move(msg)}
  {
    parse_and_validate_msg();
  }
  //----------------------------------------------------------------------------------------------------------------------
  // multisig_kex_msg: INTERNAL
  //----------------------------------------------------------------------------------------------------------------------
  crypto::hash multisig_kex_msg::get_msg_to_sign() const
  {
    ////
    // msg_content = kex_round | signing_pubkey | expand(msg_pubkeys) | OPTIONAL msg_privkey
    // sign_msg = versioning-domain-sep | msg_content
    ///

    std::string data;
    CHECK_AND_ASSERT_THROW_MES(MULTISIG_KEX_MSG_V2_MAGIC_1.size() == MULTISIG_KEX_MSG_V2_MAGIC_N.size(),
      "Multisig kex msg magic inconsistency.");
    data.reserve(MULTISIG_KEX_MSG_V2_MAGIC_1.size() + 4 + 32*(1 + (m_kex_round == 1 ? 1 : 0) + m_msg_pubkeys.size()));

    // versioning domain-sep
    if (m_kex_round == 1)
      data.append(MULTISIG_KEX_MSG_V2_MAGIC_1.data(), MULTISIG_KEX_MSG_V2_MAGIC_1.size());
    else
      data.append(MULTISIG_KEX_MSG_V2_MAGIC_N.data(), MULTISIG_KEX_MSG_V2_MAGIC_N.size());

    // kex_round as little-endian bytes
    for (std::size_t i{0}; i < 4; ++i)
    {
      data += static_cast<char>(m_kex_round >> i*8);
    }

    // signing pubkey
    data.append((const char *)&m_signing_pubkey, sizeof(crypto::public_key));

    // add msg privkey if kex_round == 1
    if (m_kex_round == 1)
      data.append((const char *)&m_msg_privkey, sizeof(crypto::secret_key));
    else
    {
      // only add pubkeys if not round 1

      // msg pubkeys
      for (const auto &key : m_msg_pubkeys)
        data.append((const char *)&key, sizeof(crypto::public_key));
    }

    // message to sign
    crypto::hash hash;
    crypto::cn_fast_hash(data.data(), data.size(), hash);

    return hash;
  }
  //----------------------------------------------------------------------------------------------------------------------
  // multisig_kex_msg: INTERNAL
  //----------------------------------------------------------------------------------------------------------------------
  void multisig_kex_msg::construct_msg(const crypto::secret_key &signing_privkey)
  {
    ////
    // msg_content = kex_round | signing_pubkey | expand(msg_pubkeys) | OPTIONAL msg_privkey
    // sign_msg = versioning-domain-sep | msg_content
    // msg = versioning-domain-sep | serialize(msg_content | crypto_sig[signing_privkey](sign_msg))
    ///

    // sign the message
    crypto::signature msg_signature;
    crypto::hash msg_to_sign{get_msg_to_sign()};
    crypto::generate_signature(msg_to_sign, m_signing_pubkey, signing_privkey, msg_signature);

    // assemble the message
    m_msg.clear();

    std::stringstream serialized_msg_ss;
    binary_archive<true> b_archive(serialized_msg_ss);

    if (m_kex_round == 1)
    {
      m_msg.append(MULTISIG_KEX_MSG_V2_MAGIC_1.data(), MULTISIG_KEX_MSG_V2_MAGIC_1.size());

      multisig_kex_msg_serializable_round1 msg_serializable;
      msg_serializable.msg_privkey    = m_msg_privkey;
      msg_serializable.signing_pubkey = m_signing_pubkey;
      msg_serializable.signature      = msg_signature;

      CHECK_AND_ASSERT_THROW_MES(::serialization::serialize(b_archive, msg_serializable),
        "Failed to serialize multisig kex msg");
    }
    else
    {
      m_msg.append(MULTISIG_KEX_MSG_V2_MAGIC_N.data(), MULTISIG_KEX_MSG_V2_MAGIC_N.size());

      multisig_kex_msg_serializable_general msg_serializable;
      msg_serializable.kex_round      = m_kex_round;
      msg_serializable.msg_pubkeys    = m_msg_pubkeys;
      msg_serializable.signing_pubkey = m_signing_pubkey;
      msg_serializable.signature      = msg_signature;

      CHECK_AND_ASSERT_THROW_MES(::serialization::serialize(b_archive, msg_serializable),
        "Failed to serialize multisig kex msg");
    }

    m_msg.append(tools::base58::encode(serialized_msg_ss.str()));
  }
  //----------------------------------------------------------------------------------------------------------------------
  // multisig_kex_msg: INTERNAL
  //----------------------------------------------------------------------------------------------------------------------
  void multisig_kex_msg::parse_and_validate_msg()
  {
    // check message type
    CHECK_AND_ASSERT_THROW_MES(m_msg.size() > 0, "Kex message unexpectedly empty.");
    CHECK_AND_ASSERT_THROW_MES(m_msg.substr(0, MULTISIG_KEX_V1_MAGIC.size()) != MULTISIG_KEX_V1_MAGIC,
      "V1 multisig kex messages are deprecated (unsafe).");
    CHECK_AND_ASSERT_THROW_MES(m_msg.substr(0, MULTISIG_KEX_MSG_V1_MAGIC.size()) != MULTISIG_KEX_MSG_V1_MAGIC,
      "V1 multisig kex messages are deprecated (unsafe).");

    // deserialize the message
    std::string msg_no_magic;
    CHECK_AND_ASSERT_THROW_MES(MULTISIG_KEX_MSG_V2_MAGIC_1.size() == MULTISIG_KEX_MSG_V2_MAGIC_N.size(),
      "Multisig kex msg magic inconsistency.");
    CHECK_AND_ASSERT_THROW_MES(tools::base58::decode(m_msg.substr(MULTISIG_KEX_MSG_V2_MAGIC_1.size()), msg_no_magic),
      "Multisig kex msg decoding error.");
    binary_archive<false> b_archive{epee::strspan<std::uint8_t>(msg_no_magic)};
    crypto::signature msg_signature;

    if (m_msg.substr(0, MULTISIG_KEX_MSG_V2_MAGIC_1.size()) == MULTISIG_KEX_MSG_V2_MAGIC_1)
    {
      // try round 1 message
      multisig_kex_msg_serializable_round1 kex_msg_rnd1;

      if (::serialization::serialize(b_archive, kex_msg_rnd1))
      {
        // in round 1 the message stores a private ancillary key component for the multisig account
        // that will be shared by all participants (e.g. a shared private view key)
        m_kex_round      = 1;
        m_msg_privkey    = kex_msg_rnd1.msg_privkey;
        m_signing_pubkey = kex_msg_rnd1.signing_pubkey;
        msg_signature    = kex_msg_rnd1.signature;
      }
      else
      {
        CHECK_AND_ASSERT_THROW_MES(false, "Deserializing kex msg failed.");
      }
    }
    else if (m_msg.substr(0, MULTISIG_KEX_MSG_V2_MAGIC_N.size()) == MULTISIG_KEX_MSG_V2_MAGIC_N)
    {
      // try general message
      multisig_kex_msg_serializable_general kex_msg_general;

      if (::serialization::serialize(b_archive, kex_msg_general))
      {
        m_kex_round      = kex_msg_general.kex_round;
        m_msg_privkey    = crypto::null_skey;
        m_msg_pubkeys    = std::move(kex_msg_general.msg_pubkeys);
        m_signing_pubkey = kex_msg_general.signing_pubkey;
        msg_signature    = kex_msg_general.signature;

        CHECK_AND_ASSERT_THROW_MES(m_kex_round > 1, "Invalid kex message round (must be > 1 for the general msg type).");
      }
      else
      {
        CHECK_AND_ASSERT_THROW_MES(false, "Deserializing kex msg failed.");
      }
    }
    else
    {
      // unknown message type
      CHECK_AND_ASSERT_THROW_MES(false, "Only v2 multisig kex messages are supported.");
    }

    // checks
    for (const auto &pubkey: m_msg_pubkeys)
    {
      CHECK_AND_ASSERT_THROW_MES(pubkey != crypto::null_pkey && pubkey != rct::rct2pk(rct::identity()),
        "Pubkey from message was invalid.");
      CHECK_AND_ASSERT_THROW_MES(rct::isInMainSubgroup(rct::pk2rct(pubkey)),
        "Pubkey from message was not in prime subgroup.");
    }

    CHECK_AND_ASSERT_THROW_MES(m_signing_pubkey != crypto::null_pkey && m_signing_pubkey != rct::rct2pk(rct::identity()),
      "Message signing key was invalid.");
    CHECK_AND_ASSERT_THROW_MES(rct::isInMainSubgroup(rct::pk2rct(m_signing_pubkey)),
      "Message signing key was not in prime subgroup.");

    // validate signature
    crypto::hash signed_msg{get_msg_to_sign()};
    CHECK_AND_ASSERT_THROW_MES(crypto::check_signature(signed_msg, m_signing_pubkey, msg_signature),
      "Multisig kex msg signature invalid.");
  }
  //----------------------------------------------------------------------------------------------------------------------
} //namespace multisig