2 This file is part of GNUnet.
3 Copyright (C) 2012, 2016 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file secretsharing/secretsharing_api.c
24 * @author Florian Dold
27 #include "gnunet_util_lib.h"
28 #include "gnunet_secretsharing_service.h"
29 #include "secretsharing.h"
33 #define LOG(kind, ...) GNUNET_log_from (kind, "secretsharing-api", __VA_ARGS__)
36 * Session that will eventually establish a shared secred between
37 * the involved peers and allow encryption and cooperative decryption.
39 struct GNUNET_SECRETSHARING_Session
42 * Message queue for @e client.
44 struct GNUNET_MQ_Handle *mq;
47 * Called when the secret sharing is done.
49 GNUNET_SECRETSHARING_SecretReadyCallback secret_ready_cb;
52 * Closure for @e secret_ready_cb.
54 void *secret_ready_cls;
59 * Handle to cancel a cooperative decryption operation.
61 struct GNUNET_SECRETSHARING_DecryptionHandle
64 * Message queue for @e client.
66 struct GNUNET_MQ_Handle *mq;
69 * Called when the secret sharing is done.
71 GNUNET_SECRETSHARING_DecryptCallback decrypt_cb;
74 * Closure for @e decrypt_cb.
81 * The ElGamal prime field order as libgcrypt mpi.
82 * Initialized in #init_crypto_constants.
84 static gcry_mpi_t elgamal_q;
87 * Modulus of the prime field used for ElGamal.
88 * Initialized in #init_crypto_constants.
90 static gcry_mpi_t elgamal_p;
93 * Generator for prime field of order 'elgamal_q'.
94 * Initialized in #init_crypto_constants.
96 static gcry_mpi_t elgamal_g;
100 * Function to initialize #elgamal_q, #elgamal_p and #elgamal_g.
103 ensure_elgamal_initialized (void)
105 if (NULL != elgamal_q)
106 return; /* looks like crypto is already initialized */
108 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_q, GCRYMPI_FMT_HEX,
109 GNUNET_SECRETSHARING_ELGAMAL_Q_HEX, 0,
111 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_p, GCRYMPI_FMT_HEX,
112 GNUNET_SECRETSHARING_ELGAMAL_P_HEX, 0,
114 GNUNET_assert (0 == gcry_mpi_scan (&elgamal_g, GCRYMPI_FMT_HEX,
115 GNUNET_SECRETSHARING_ELGAMAL_G_HEX, 0,
121 * Callback invoked when there is an error communicating with
122 * the service. Notifies the application about the error.
124 * @param cls the `struct GNUNET_SECRETSHARING_Session`
125 * @param error error code
128 handle_session_client_error (void *cls,
129 enum GNUNET_MQ_Error error)
131 struct GNUNET_SECRETSHARING_Session *s = cls;
133 s->secret_ready_cb (s->secret_ready_cls, NULL, NULL, 0, NULL);
134 GNUNET_SECRETSHARING_session_destroy (s);
139 * Callback invoked when there is an error communicating with
140 * the service. Notifies the application about the error.
142 * @param cls the `struct GNUNET_SECRETSHARING_DecryptionHandle`
143 * @param error error code
146 handle_decrypt_client_error (void *cls,
147 enum GNUNET_MQ_Error error)
149 struct GNUNET_SECRETSHARING_DecryptionHandle *dh = cls;
151 dh->decrypt_cb (dh->decrypt_cls, NULL);
152 GNUNET_SECRETSHARING_decrypt_cancel (dh);
157 * Handler invoked with the final result message from
158 * secret sharing. Decodes the message and passes the
159 * result to the application.
161 * @param cls the `struct GNUNET_SECRETSHARING_Session`
162 * @param m message with the result
165 check_secret_ready (void *cls,
166 const struct GNUNET_SECRETSHARING_SecretReadyMessage *m)
168 /* FIXME: actually check m is well-formed here! */
174 * Handler invoked with the final result message from
175 * secret sharing. Decodes the message and passes the
176 * result to the application.
178 * @param cls the `struct GNUNET_SECRETSHARING_Session`
179 * @param m message with the result
182 handle_secret_ready (void *cls,
183 const struct GNUNET_SECRETSHARING_SecretReadyMessage *m)
185 struct GNUNET_SECRETSHARING_Session *s = cls;
186 struct GNUNET_SECRETSHARING_Share *share;
189 LOG (GNUNET_ERROR_TYPE_DEBUG,
190 "Got secret ready message of size %u\n",
191 ntohs (m->header.size));
192 share_size = ntohs (m->header.size) - sizeof(struct
193 GNUNET_SECRETSHARING_SecretReadyMessage);
195 share = GNUNET_SECRETSHARING_share_read (&m[1],
198 GNUNET_assert (NULL != share); // FIXME: this can fail!
199 // should have been checked in #check_secret_ready!
200 // FIXME: below we never check &m[1] is valid!
201 // FIXME: do we leak 'share' here?
202 s->secret_ready_cb (s->secret_ready_cls,
206 (const struct GNUNET_PeerIdentity *) &m[1]);
208 GNUNET_SECRETSHARING_session_destroy (s);
213 * Destroy a secret sharing session.
214 * The secret ready callback will not be called.
216 * @param s session to destroy
219 GNUNET_SECRETSHARING_session_destroy (struct GNUNET_SECRETSHARING_Session *s)
221 GNUNET_MQ_destroy (s->mq);
228 * Create a session that will eventually establish a shared secret
229 * with the other peers.
231 * @param cfg configuration to use
232 * @param num_peers number of peers in @a peers
233 * @param peers array of peers that we will share secrets with, can optionally contain the local peer
234 * @param session_id unique session id
235 * @param start When should all peers be available for sharing the secret?
236 * Random number generation can take place before the start time.
237 * @param deadline point in time where the session must be established; taken as hint
238 * by underlying consensus sessions
239 * @param threshold minimum number of peers that must cooperate to decrypt a value
240 * @param cb called when the secret has been established
241 * @param cls closure for @a cb
243 struct GNUNET_SECRETSHARING_Session *
244 GNUNET_SECRETSHARING_create_session (const struct
245 GNUNET_CONFIGURATION_Handle *cfg,
246 unsigned int num_peers,
247 const struct GNUNET_PeerIdentity *peers,
248 const struct GNUNET_HashCode *session_id,
249 struct GNUNET_TIME_Absolute start,
250 struct GNUNET_TIME_Absolute deadline,
251 unsigned int threshold,
252 GNUNET_SECRETSHARING_SecretReadyCallback cb,
255 struct GNUNET_SECRETSHARING_Session *s
256 = GNUNET_new (struct GNUNET_SECRETSHARING_Session);
257 struct GNUNET_MQ_MessageHandler mq_handlers[] = {
258 GNUNET_MQ_hd_var_size (secret_ready,
259 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_SECRET_READY,
260 struct GNUNET_SECRETSHARING_SecretReadyMessage,
262 GNUNET_MQ_handler_end ()
264 struct GNUNET_MQ_Envelope *ev;
265 struct GNUNET_SECRETSHARING_CreateMessage *msg;
267 s->mq = GNUNET_CLIENT_connect (cfg,
270 &handle_session_client_error,
274 /* secretsharing not configured correctly */
279 s->secret_ready_cb = cb;
280 s->secret_ready_cls = cls;
281 ev = GNUNET_MQ_msg_extra (msg,
282 num_peers * sizeof(struct GNUNET_PeerIdentity),
283 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_GENERATE);
285 msg->threshold = htons (threshold);
286 msg->num_peers = htons (num_peers);
287 msg->session_id = *session_id;
288 msg->start = GNUNET_TIME_absolute_hton (start);
289 msg->deadline = GNUNET_TIME_absolute_hton (deadline);
290 GNUNET_memcpy (&msg[1], peers, num_peers * sizeof(struct
291 GNUNET_PeerIdentity));
293 GNUNET_MQ_send (s->mq, ev);
295 LOG (GNUNET_ERROR_TYPE_DEBUG,
296 "Secretsharing session created with %u peers\n",
303 handle_decrypt_done (void *cls,
305 GNUNET_SECRETSHARING_DecryptResponseMessage *m)
307 struct GNUNET_SECRETSHARING_DecryptionHandle *dh = cls;
308 const struct GNUNET_SECRETSHARING_Plaintext *plaintext;
313 plaintext = (void *) &m->plaintext;
314 dh->decrypt_cb (dh->decrypt_cls, plaintext);
315 GNUNET_SECRETSHARING_decrypt_cancel (dh);
320 * Publish the given ciphertext for decryption. Once a sufficient (>=k) number of peers has
321 * published the same value, it will be decrypted.
323 * When the operation is canceled, the decrypt_cb is not called anymore, but the calling
324 * peer may already have irrevocably contributed its share for the decryption of the value.
326 * @param share our secret share to use for decryption
327 * @param ciphertext ciphertext to publish in order to decrypt it (if enough peers agree)
328 * @param decrypt_cb callback called once the decryption succeeded
329 * @param decrypt_cb_cls closure for @a decrypt_cb
330 * @return handle to cancel the operation
332 struct GNUNET_SECRETSHARING_DecryptionHandle *
333 GNUNET_SECRETSHARING_decrypt (const struct GNUNET_CONFIGURATION_Handle *cfg,
334 struct GNUNET_SECRETSHARING_Share *share,
336 GNUNET_SECRETSHARING_Ciphertext *ciphertext,
337 struct GNUNET_TIME_Absolute start,
338 struct GNUNET_TIME_Absolute deadline,
339 GNUNET_SECRETSHARING_DecryptCallback decrypt_cb,
340 void *decrypt_cb_cls)
342 struct GNUNET_SECRETSHARING_DecryptionHandle *s
343 = GNUNET_new (struct GNUNET_SECRETSHARING_DecryptionHandle);
344 struct GNUNET_MQ_MessageHandler mq_handlers[] = {
345 GNUNET_MQ_hd_fixed_size (decrypt_done,
346 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT_DONE,
347 struct GNUNET_SECRETSHARING_DecryptResponseMessage,
349 GNUNET_MQ_handler_end ()
351 struct GNUNET_MQ_Envelope *ev;
352 struct GNUNET_SECRETSHARING_DecryptRequestMessage *msg;
355 s->decrypt_cb = decrypt_cb;
356 s->decrypt_cls = decrypt_cb_cls;
357 s->mq = GNUNET_CLIENT_connect (cfg,
360 &handle_decrypt_client_error,
367 GNUNET_assert (GNUNET_OK ==
368 GNUNET_SECRETSHARING_share_write (share, NULL, 0,
371 ev = GNUNET_MQ_msg_extra (msg,
373 GNUNET_MESSAGE_TYPE_SECRETSHARING_CLIENT_DECRYPT);
375 GNUNET_assert (GNUNET_OK ==
376 GNUNET_SECRETSHARING_share_write (share,
381 msg->start = GNUNET_TIME_absolute_hton (start);
382 msg->deadline = GNUNET_TIME_absolute_hton (deadline);
383 msg->ciphertext = *ciphertext;
385 GNUNET_MQ_send (s->mq, ev);
387 LOG (GNUNET_ERROR_TYPE_DEBUG,
388 "decrypt session created\n");
394 GNUNET_SECRETSHARING_plaintext_generate_i (struct
395 GNUNET_SECRETSHARING_Plaintext *
402 ensure_elgamal_initialized ();
404 GNUNET_assert (NULL != (x = gcry_mpi_new (0)));
406 negative = GNUNET_NO;
409 negative = GNUNET_YES;
410 exponent = -exponent;
413 gcry_mpi_set_ui (x, exponent);
415 gcry_mpi_powm (x, elgamal_g, x, elgamal_p);
417 if (GNUNET_YES == negative)
420 res = gcry_mpi_invm (x, x, elgamal_p);
422 return GNUNET_SYSERR;
425 GNUNET_CRYPTO_mpi_print_unsigned (plaintext,
427 GNUNET_SECRETSHARING_Plaintext),
435 * Encrypt a value. This operation is executed locally, no communication is
438 * This is a helper function, encryption can be done soley with a session's public key
439 * and the crypto system parameters.
441 * @param public_key public key to use for decryption
442 * @param message message to encrypt
443 * @param message_size number of bytes in @a message
444 * @param result_ciphertext pointer to store the resulting ciphertext
445 * @return #GNUNET_YES on succes, #GNUNET_SYSERR if the message is invalid (invalid range)
448 GNUNET_SECRETSHARING_encrypt (const struct
449 GNUNET_SECRETSHARING_PublicKey *public_key,
451 GNUNET_SECRETSHARING_Plaintext *plaintext,
452 struct GNUNET_SECRETSHARING_Ciphertext *
459 /* plaintext message */
464 ensure_elgamal_initialized ();
466 GNUNET_assert (NULL != (h = gcry_mpi_new (0)));
467 GNUNET_assert (NULL != (y = gcry_mpi_new (0)));
468 GNUNET_assert (NULL != (tmp = gcry_mpi_new (0)));
470 GNUNET_CRYPTO_mpi_scan_unsigned (&h, public_key, sizeof *public_key);
471 GNUNET_CRYPTO_mpi_scan_unsigned (&m, plaintext, sizeof *plaintext);
473 // Randomize y such that 0 < y < elgamal_q.
474 // The '- 1' is necessary as bitlength(q) = bitlength(p) - 1.
477 gcry_mpi_randomize (y, GNUNET_SECRETSHARING_ELGAMAL_BITS - 1,
480 while ((gcry_mpi_cmp_ui (y, 0) == 0) || (gcry_mpi_cmp (y, elgamal_q) >= 0));
483 gcry_mpi_powm (tmp, elgamal_g, y, elgamal_p);
485 GNUNET_CRYPTO_mpi_print_unsigned (&result_ciphertext->c1_bits,
486 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
489 gcry_mpi_powm (tmp, h, y, elgamal_p);
491 gcry_mpi_mulm (tmp, tmp, m, elgamal_p);
493 GNUNET_CRYPTO_mpi_print_unsigned (&result_ciphertext->c2_bits,
494 GNUNET_SECRETSHARING_ELGAMAL_BITS / 8, tmp);
501 * Cancel a decryption.
503 * The decrypt_cb is not called anymore, but the calling
504 * peer may already have irrevocably contributed its share for the decryption of the value.
506 * @param dh to cancel
509 GNUNET_SECRETSHARING_decrypt_cancel (struct
510 GNUNET_SECRETSHARING_DecryptionHandle *dh)
512 GNUNET_MQ_destroy (dh->mq);
518 /* end of secretsharing_api.c */