// Copyright (c) 2021-2022, The Monero Project // // All rights reserved. // // Redistribution and use in source and binary forms, with or without modification, are // permitted provided that the following conditions are met: // // 1. Redistributions of source code must retain the above copyright notice, this list of // conditions and the following disclaimer. // // 2. Redistributions in binary form must reproduce the above copyright notice, this list // of conditions and the following disclaimer in the documentation and/or other // materials provided with the distribution. // // 3. Neither the name of the copyright holder nor the names of its contributors may be // used to endorse or promote products derived from this software without specific // prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include "multisig_kex_msg.h" #include "multisig_kex_msg_serialization.h" #include "common/base58.h" #include "crypto/crypto.h" extern "C" { #include "crypto/crypto-ops.h" } #include "cryptonote_basic/cryptonote_format_utils.h" #include "include_base_utils.h" #include "ringct/rctOps.h" #include "serialization/binary_archive.h" #include "serialization/serialization.h" #include #include #include #include #undef MONERO_DEFAULT_LOG_CATEGORY #define MONERO_DEFAULT_LOG_CATEGORY "multisig" const boost::string_ref MULTISIG_KEX_V1_MAGIC{"MultisigV1"}; const boost::string_ref MULTISIG_KEX_MSG_V1_MAGIC{"MultisigxV1"}; const boost::string_ref MULTISIG_KEX_MSG_V2_MAGIC_1{"MultisigxV2R1"}; //round 1 const boost::string_ref MULTISIG_KEX_MSG_V2_MAGIC_N{"MultisigxV2Rn"}; //round n > 1 namespace multisig { //---------------------------------------------------------------------------------------------------------------------- // multisig_kex_msg: EXTERNAL //---------------------------------------------------------------------------------------------------------------------- multisig_kex_msg::multisig_kex_msg(const std::uint32_t round, const crypto::secret_key &signing_privkey, std::vector msg_pubkeys, const crypto::secret_key &msg_privkey) : m_kex_round{round} { CHECK_AND_ASSERT_THROW_MES(round > 0, "Kex round must be > 0."); CHECK_AND_ASSERT_THROW_MES(sc_check((const unsigned char*)&signing_privkey) == 0 && signing_privkey != crypto::null_skey, "Invalid msg signing key."); if (round == 1) { CHECK_AND_ASSERT_THROW_MES(sc_check((const unsigned char*)&msg_privkey) == 0 && msg_privkey != crypto::null_skey, "Invalid msg privkey."); m_msg_privkey = msg_privkey; } else { for (const auto &pubkey : msg_pubkeys) { CHECK_AND_ASSERT_THROW_MES(pubkey != crypto::null_pkey && pubkey != rct::rct2pk(rct::identity()), "Pubkey for message was invalid."); CHECK_AND_ASSERT_THROW_MES((rct::scalarmultKey(rct::pk2rct(pubkey), rct::curveOrder()) == rct::identity()), "Pubkey for message was not in prime subgroup."); } m_msg_pubkeys = std::move(msg_pubkeys); } CHECK_AND_ASSERT_THROW_MES(crypto::secret_key_to_public_key(signing_privkey, m_signing_pubkey), "Failed to derive public key"); // sets message and signing pub key construct_msg(signing_privkey); } //---------------------------------------------------------------------------------------------------------------------- // multisig_kex_msg: EXTERNAL //---------------------------------------------------------------------------------------------------------------------- multisig_kex_msg::multisig_kex_msg(std::string msg) : m_msg{std::move(msg)} { parse_and_validate_msg(); } //---------------------------------------------------------------------------------------------------------------------- // multisig_kex_msg: INTERNAL //---------------------------------------------------------------------------------------------------------------------- crypto::hash multisig_kex_msg::get_msg_to_sign() const { //// // msg_content = kex_round | signing_pubkey | expand(msg_pubkeys) | OPTIONAL msg_privkey // sign_msg = versioning-domain-sep | msg_content /// std::string data; CHECK_AND_ASSERT_THROW_MES(MULTISIG_KEX_MSG_V2_MAGIC_1.size() == MULTISIG_KEX_MSG_V2_MAGIC_N.size(), "Multisig kex msg magic inconsistency."); data.reserve(MULTISIG_KEX_MSG_V2_MAGIC_1.size() + 4 + 32*(1 + (m_kex_round == 1 ? 1 : 0) + m_msg_pubkeys.size())); // versioning domain-sep if (m_kex_round == 1) data.append(MULTISIG_KEX_MSG_V2_MAGIC_1.data(), MULTISIG_KEX_MSG_V2_MAGIC_1.size()); else data.append(MULTISIG_KEX_MSG_V2_MAGIC_N.data(), MULTISIG_KEX_MSG_V2_MAGIC_N.size()); // kex_round as little-endian bytes for (std::size_t i{0}; i < 4; ++i) { data += static_cast(m_kex_round >> i*8); } // signing pubkey data.append((const char *)&m_signing_pubkey, sizeof(crypto::public_key)); // add msg privkey if kex_round == 1 if (m_kex_round == 1) data.append((const char *)&m_msg_privkey, sizeof(crypto::secret_key)); else { // only add pubkeys if not round 1 // msg pubkeys for (const auto &key : m_msg_pubkeys) data.append((const char *)&key, sizeof(crypto::public_key)); } // message to sign crypto::hash hash; crypto::cn_fast_hash(data.data(), data.size(), hash); return hash; } //---------------------------------------------------------------------------------------------------------------------- // multisig_kex_msg: INTERNAL //---------------------------------------------------------------------------------------------------------------------- void multisig_kex_msg::construct_msg(const crypto::secret_key &signing_privkey) { //// // msg_content = kex_round | signing_pubkey | expand(msg_pubkeys) | OPTIONAL msg_privkey // sign_msg = versioning-domain-sep | msg_content // msg = versioning-domain-sep | serialize(msg_content | crypto_sig[signing_privkey](sign_msg)) /// // sign the message crypto::signature msg_signature; crypto::hash msg_to_sign{get_msg_to_sign()}; crypto::generate_signature(msg_to_sign, m_signing_pubkey, signing_privkey, msg_signature); // assemble the message m_msg.clear(); std::stringstream serialized_msg_ss; binary_archive b_archive(serialized_msg_ss); if (m_kex_round == 1) { m_msg.append(MULTISIG_KEX_MSG_V2_MAGIC_1.data(), MULTISIG_KEX_MSG_V2_MAGIC_1.size()); multisig_kex_msg_serializable_round1 msg_serializable; msg_serializable.msg_privkey = m_msg_privkey; msg_serializable.signing_pubkey = m_signing_pubkey; msg_serializable.signature = msg_signature; CHECK_AND_ASSERT_THROW_MES(::serialization::serialize(b_archive, msg_serializable), "Failed to serialize multisig kex msg"); } else { m_msg.append(MULTISIG_KEX_MSG_V2_MAGIC_N.data(), MULTISIG_KEX_MSG_V2_MAGIC_N.size()); multisig_kex_msg_serializable_general msg_serializable; msg_serializable.kex_round = m_kex_round; msg_serializable.msg_pubkeys = m_msg_pubkeys; msg_serializable.signing_pubkey = m_signing_pubkey; msg_serializable.signature = msg_signature; CHECK_AND_ASSERT_THROW_MES(::serialization::serialize(b_archive, msg_serializable), "Failed to serialize multisig kex msg"); } m_msg.append(tools::base58::encode(serialized_msg_ss.str())); } //---------------------------------------------------------------------------------------------------------------------- // multisig_kex_msg: INTERNAL //---------------------------------------------------------------------------------------------------------------------- void multisig_kex_msg::parse_and_validate_msg() { // check message type CHECK_AND_ASSERT_THROW_MES(m_msg.size() > 0, "Kex message unexpectedly empty."); CHECK_AND_ASSERT_THROW_MES(m_msg.substr(0, MULTISIG_KEX_V1_MAGIC.size()) != MULTISIG_KEX_V1_MAGIC, "V1 multisig kex messages are deprecated (unsafe)."); CHECK_AND_ASSERT_THROW_MES(m_msg.substr(0, MULTISIG_KEX_MSG_V1_MAGIC.size()) != MULTISIG_KEX_MSG_V1_MAGIC, "V1 multisig kex messages are deprecated (unsafe)."); // deserialize the message std::string msg_no_magic; CHECK_AND_ASSERT_THROW_MES(MULTISIG_KEX_MSG_V2_MAGIC_1.size() == MULTISIG_KEX_MSG_V2_MAGIC_N.size(), "Multisig kex msg magic inconsistency."); CHECK_AND_ASSERT_THROW_MES(tools::base58::decode(m_msg.substr(MULTISIG_KEX_MSG_V2_MAGIC_1.size()), msg_no_magic), "Multisig kex msg decoding error."); binary_archive b_archive{epee::strspan(msg_no_magic)}; crypto::signature msg_signature; if (m_msg.substr(0, MULTISIG_KEX_MSG_V2_MAGIC_1.size()) == MULTISIG_KEX_MSG_V2_MAGIC_1) { // try round 1 message multisig_kex_msg_serializable_round1 kex_msg_rnd1; if (::serialization::serialize(b_archive, kex_msg_rnd1)) { // in round 1 the message stores a private ancillary key component for the multisig account // that will be shared by all participants (e.g. a shared private view key) m_kex_round = 1; m_msg_privkey = kex_msg_rnd1.msg_privkey; m_signing_pubkey = kex_msg_rnd1.signing_pubkey; msg_signature = kex_msg_rnd1.signature; } else { CHECK_AND_ASSERT_THROW_MES(false, "Deserializing kex msg failed."); } } else if (m_msg.substr(0, MULTISIG_KEX_MSG_V2_MAGIC_N.size()) == MULTISIG_KEX_MSG_V2_MAGIC_N) { // try general message multisig_kex_msg_serializable_general kex_msg_general; if (::serialization::serialize(b_archive, kex_msg_general)) { m_kex_round = kex_msg_general.kex_round; m_msg_privkey = crypto::null_skey; m_msg_pubkeys = std::move(kex_msg_general.msg_pubkeys); m_signing_pubkey = kex_msg_general.signing_pubkey; msg_signature = kex_msg_general.signature; CHECK_AND_ASSERT_THROW_MES(m_kex_round > 1, "Invalid kex message round (must be > 1 for the general msg type)."); } else { CHECK_AND_ASSERT_THROW_MES(false, "Deserializing kex msg failed."); } } else { // unknown message type CHECK_AND_ASSERT_THROW_MES(false, "Only v2 multisig kex messages are supported."); } // checks for (const auto &pubkey: m_msg_pubkeys) { CHECK_AND_ASSERT_THROW_MES(pubkey != crypto::null_pkey && pubkey != rct::rct2pk(rct::identity()), "Pubkey from message was invalid."); CHECK_AND_ASSERT_THROW_MES(rct::isInMainSubgroup(rct::pk2rct(pubkey)), "Pubkey from message was not in prime subgroup."); } CHECK_AND_ASSERT_THROW_MES(m_signing_pubkey != crypto::null_pkey && m_signing_pubkey != rct::rct2pk(rct::identity()), "Message signing key was invalid."); CHECK_AND_ASSERT_THROW_MES(rct::isInMainSubgroup(rct::pk2rct(m_signing_pubkey)), "Message signing key was not in prime subgroup."); // validate signature crypto::hash signed_msg{get_msg_to_sign()}; CHECK_AND_ASSERT_THROW_MES(crypto::check_signature(signed_msg, m_signing_pubkey, msg_signature), "Multisig kex msg signature invalid."); } //---------------------------------------------------------------------------------------------------------------------- } //namespace multisig