ClientReadCallback.cc

/*
 * Copyright 2003 Michael A. Marsh, Cornell University. All rights reserved.
 * This software is released under the modified BSD license.
 * See the file LICENSE in the top-level directory for details.
 */
//
// $Id: ClientReadCallback.cc,v 1.5 2005/01/15 03:41:37 mmarsh Exp $
//
// $Log: ClientReadCallback.cc,v $
// Revision 1.5  2005/01/15 03:41:37  mmarsh
// Updated to work with more recent versions of g++.
//
// Revision 1.4  2004/05/19 15:56:51  mmarsh
// *** empty log message ***
//
// Revision 1.3  2003/11/04 22:31:49  mmarsh
// *** empty log message ***
//
//

#include "ClientReadCallback.h"
#include "CODEX_Events/Event.h"
#include "CODEX_Server/ServerExceptions.h"
#include "CODEX_Client/Message.h"
#include "SupportedClientResponse.h"
#include "CODEX_Server/SignRequestEvent.h"
#include "ClientDelegation.h"
#include "SignReadCallback.h"
#include "CODEX_Server/ShareLabelChallenge.h"
#include "CODEX_Server/BroadcastRequestEvent.h"
#include "VerifiableBlindKeyMsg.h"

#include "timing.h"

using namespace CODEX_KeyService;

ClientReadCallback::ClientReadCallback(
   CODEX_Events::DeadPileType& deadPile,
   CODEX_Events::QType& eventQueue,
   CODEX_Server::SignRequestHandler* destination,
   ClientResponseHandler* clientAct,
   const LabeledReadKeyMsg& req,
   const unsigned char* seqNum,
   CODEX_Server::BroadcastRequestHandler* reqHandler ) :
   ResponseCallback( seqNum ),
   CODEX_Events::Activity( deadPile, eventQueue ),
   m_destination( destination ),
   m_clientAct( clientAct ),
   m_request( req ),
   m_complete( false ),
   m_reqHandler( reqHandler )
{
}

ClientReadCallback::~ClientReadCallback()
{
   DigestMap::iterator dItr = m_digests.begin();
   DigestMap::iterator dEnd = m_digests.end();
   for ( ; dItr != dEnd ; ++dItr )
   {
      if ( 0 != dItr->second ) BN_free( dItr->second );
   }
#ifndef ELGAMAL
   PartialMap::iterator pItr = m_partials.begin();
   PartialMap::iterator pEnd = m_partials.end();
   for ( ; pItr != pEnd ; ++pItr )
   {
      while ( pItr->second.size() )
      {
         delete pItr->second.back();
         pItr->second.pop_back();
      }
   }
#endif
   ChallengeVector::iterator vItr = m_challenges.begin();
   ChallengeVector::iterator vEnd = m_challenges.end();
   for ( ; vItr != vEnd ; ++vItr )
   {
      delete *vItr;
   }
}

bool
ClientReadCallback::operator()( unsigned int server,
                                CODEX_Quorum::Message* msg )
{
   if ( 0 == msg )
   {
      return false;
   }

   if ( m_complete )
   {
      delete msg;
      return true;
   }

#ifdef TIMING
   ActiveTimer.start();
#endif

   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }

   // Sanity check -- is the client still connected?
   if ( 0 == stateInfo->getActFromSeqNum( seqNum() ) )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }

   CODEX_Quorum::QuorumSystem* qs = serverState->quorumSystem();
   if ( 0 == qs )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      throw CODEX_Server::NoQuorumSystemException( __FILE__ , __LINE__ );
   }

   unsigned char* data = (unsigned char*)msg->buffer();
   int length = msg->length();

   if ( length < 2 )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }

   // Check the message type.
   if ( stateInfo->delegationDomain() != data[0] )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   ++data;
   --length;

   // Test a special condition
   if ( ClientDelegation::kBadShareLabel == data[0] )
   {
      cerr << __FILE__ << ", line " << __LINE__ << ":\n"
           << "   kBadShareLabel returned" << endl;
      ++data;
      --length;
      // We need to re-send the request with the new label, but only if
      // the label returned is actually valid.
      CODEX_Server::ServerState::LSType::LabelType label;
      if ( 0 == label.unmarshal( 0, &data, length ) )
      {
         // The response is no good.
         delete msg;
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
      LabeledReadKeyMsg newReq( m_request, label );
      const unsigned char* newSeqNum = serverState->newSequenceNumber();
      stateInfo->registerSequenceNumber( newSeqNum, m_clientAct );
      ClientReadCallback* cb = new ClientReadCallback( m_deadPile,
                                                       m_queue,
                                                       m_destination,
                                                       m_clientAct,
                                                       newReq,
                                                       newSeqNum,
                                                       m_reqHandler );

      CODEX_Quorum::Message message;

      unsigned char self = serverState->hostNum();
      message.fill( self | CODEX_Server::ServerState::OutgoingMask );
      message.fill( newSeqNum, CODEX_Server::ServerState::nMID );
      message.fill( stateInfo->messageDomain() );
      message.fill( CODEX_Client::kReadKeyMsg | CODEX_Client::SignatureMask );
      int length = newReq.marshal(0);
      unsigned char* buffer = new unsigned char[length];
      unsigned char* pBuffer = buffer;
      newReq.marshal(&pBuffer);
      message.fill( buffer, length );
      delete [] buffer;

      // Create the outgoing event.
      CODEX_Server::BroadcastRequestEvent* outEvent =
         new CODEX_Server::BroadcastRequestEvent( 0,
                                                  m_reqHandler,
                                                  message,
                                                  cb );
      CODEX_Server::ShareLabelChallenge* slc =
         new CODEX_Server::ShareLabelChallenge( label, server, cb, outEvent );
      m_challenges.push_back( slc );
      if ( m_challenges.size() > qs->faultsTolerated() )
      {
         // register challenges
         ChallengeVector::iterator vItr = m_challenges.begin();
         ChallengeVector::iterator vEnd = m_challenges.end();
         for ( ; vItr != vEnd ; ++vItr )
         {
            serverState->addChallenge( seqNum() , *vItr );
         }
         m_challenges.clear();
         // No progress will be made on this request.
         m_complete = true;
      }
      delete msg;
#ifdef TIMING
   ActiveTimer.stop();
#endif
      return true;
   }

   if ( ClientDelegation::kApproveClientRequest != data[0] )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   ++data;
   --length;

   // Check that it unmarshalls.
   typedef CODEX_Ciphers::RSASignature  SigType;
   typedef ShareType                    TDType;
   typedef BlindPlainTextType           BKType;
   unsigned char* oData = data;

   SigType signature;
   if ( 0 == signature.unmarshal( 0, &data, length ) )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   length -= (data-oData);
   oData = data;

   BlindCipherTextType bct;
   if ( 0 == bct.unmarshal( 0, &data, length ) )
   {
      delete msg;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   length -= (data-oData);
   oData = data;

   TDType* partialResults = new TDType;
   if ( 0 == partialResults->unmarshal( 0, &data, length ) )
   {
      delete msg;
      delete partialResults;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   length -= (data-oData);
   oData = data;

#ifdef ELGAMAL
   const CODEX_Ciphers::ElGamalPublicKey& serviceEGKey =
      serverState->publicEGKey();
   if ( ! serviceEGKey.initialized() )
   {
      delete msg;
      delete partialResults;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      throw CODEX_Server::PublicKeyNotFoundException( __FILE__ ,
                                                      __LINE__ );
   }
   CODEX_ThresholdCrypto::DLProof proofs[TDType::NumShares];
   for ( unsigned int i = 0 ; i < TDType::NumShares ; ++i )
   {
      CODEX_ASN1::Integer ai;
      if ( 0 == ai.unmarshal( 0, &data, length ) )
      {
         delete msg;
         delete partialResults;
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
      length -= (data-oData);
      oData = data;

      if ( 0 != ai.value() )
      {
         if ( 0 == proofs[i].unmarshal( 0, &data, length ) )
         {
            delete msg;
            delete partialResults;
#ifdef TIMING
            ActiveTimer.stop();
#endif
            return false;
         }
         length -= (data-oData);
         oData = data;
      }
   }
#endif

   delete msg;

   CODEX_Server::ServerSignature* servSig = 0;
   try
   {
      DigestMap::iterator dItr = m_digests.find( bct );
      if ( dItr == m_digests.end() )
      {
         m_digests.insert( DigestMap::value_type( bct, 0 ) );
         dItr = m_digests.find( bct );
      }
      if ( 0 == dItr->second )
      {
         unsigned char* buff = 0;
         CODEX_ASN1::ustring* str = 0;
         try
         {
            int length = m_request.SignedReadKeyMsg::marshal(0);
            length += bct.marshal(0);
            buff = new unsigned char[ length ];
            unsigned char* pBuff = buff;
            m_request.SignedReadKeyMsg::marshal(&pBuff);
            bct.marshal(&pBuff);
            str = serverState->hashFunc()( CODEX_ASN1::ustring(buff,length) );
            delete [] buff;
            buff = 0;
            dItr->second = BN_new();
            if ( 0 == dItr->second )
            {
               throw CODEX_Exceptions::BignumNullException( __FILE__ ,
                                                            __LINE__ );
            }
            if ( 0 == BN_bin2bn( str->data(),
                                    str->length(),
                                    dItr->second ) )
            {
               throw CODEX_Exceptions::BignumBin2BNException( __FILE__ ,
                                                              __LINE__ );
            }

            delete str;
         }
         catch ( ... )
         {
            if ( 0 != buff ) delete [] buff;
            if ( 0 != str ) delete str;
            if ( 0 != dItr->second ) BN_free( dItr->second );
            throw;
         }
      }
      // Verify the signature.
      if ( ! serverState->publicKey(server).verifySignature(
         signature, dItr->second ) )
      {
         throw CODEX_Server::SignatureVerificationFailedException( __FILE__ ,
                                                                   __LINE__ );
      }

      // Create a new ServerSignature.
      servSig = new CODEX_Server::ServerSignature( server, signature );

      // Add to the evidence set.
      m_evidence[ bct ].append( servSig );
      servSig = 0;
      // Add to the list of partial results.
#ifndef ELGAMAL
      m_partials[ bct ].push_back( partialResults );
      partialResults = 0;
#else

      // Test the validity of the partials based on the proofs provided.
      //

      // Putting the partials in a ShareSet unifies the interface for
      // any secret sharing scheme.
      ShareSetType tempSS;
      tempSS.addShare( *partialResults );

      const CODEX_Server::ServerState::LSType::LabelType& reqLabel =
         m_request.label();

      bool goodShares = true;
      for ( unsigned int i = 0 ;
            goodShares && ( i < ShareType::NumShares ) ;
            ++i )
      {
         if ( tempSS(i).initialized() )
         {
            if ( ! proofs[i].verify( bct.c1().value(),
                                     serviceEGKey.g().value(),
                                     tempSS(i).value(),
                                     reqLabel.vc(i).value(),
                                     serviceEGKey.p().value(),
                                     serverState->hashFunc() ) )
            {
               goodShares = false;
            }
         }
      }
      if ( goodShares )
      {
         m_partials[ bct ].addShare( *partialResults );
         delete partialResults;
         partialResults = 0;
         ++m_nResp[ bct ];
         for ( unsigned int i = 0 ; i < ShareType::NumShares ; ++i )
         {
            if ( proofs[i].initialized() )
            {
               if ( m_proofs[ bct ].size() != ShareType::NumShares )
               {
                  m_proofs[ bct ].resize( ShareType::NumShares );
               }
               if ( ! m_proofs[ bct ][i].initialized() )
               {
                  m_proofs[ bct ][i] = proofs[i];
               }
            }
         }
      }
      else
      {
         delete partialResults;
         partialResults = 0;
      }
#endif

      // See if we have enough responses to create the threshold signature
      // request.
      typedef VerifiableBlindKeyMsg RespType;
      typedef CODEX_Client::SignedReadKeyMsg ReqType;

      BKType blindedKey;
      PartialMap::key_type pKey;
      PartialMap::mapped_type pVal;

      unsigned int numResp = 0;
      PartialMap::const_iterator itr = m_partials.begin();
      PartialMap::const_iterator end = m_partials.end();
      for ( ; ( itr != end ) && ( ! blindedKey.initialized() ) ; ++itr )
      {
#ifndef ELGAMAL
         numResp += itr->second.size();
#else
         numResp += m_nResp[ itr->first ];
#endif
         constructBlindedKey( blindedKey, itr->first, itr->second );
         if ( blindedKey.initialized() )
         {
            pKey = itr->first;
            pVal = itr->second;
         }
      }

      if ( blindedKey.initialized() )
      {
         RespType bkMsg( m_request.message().name(),
                         blindedKey,
                         m_request.signature(),
#ifdef ELGAMAL
                         reqLabel,
                         pVal,
                         m_proofs[pKey],
#endif
                         pKey );
         const CODEX_Server::ServerState::LSType::LabelType& label =
            serverState->defaultSignatureLabel();

         SupportedClientResponse< RespType, ReqType > resp( bkMsg,
                                                            m_request,
                                                            m_evidence[bct],
                                                            label );
         unsigned char* seqNum = serverState->newSequenceNumber();
         stateInfo->registerSequenceNumber( seqNum, m_clientAct );
         SignReadCallback* cb = new SignReadCallback( m_deadPile,
                                                      m_queue,
                                                      m_clientAct,
                                                      resp,
                                                      seqNum,
                                                      m_destination );

         CODEX_Quorum::Message request;
         unsigned char self = serverState->hostNum();
         request.fill( self | CODEX_Server::ServerState::OutgoingMask );
         request.fill( seqNum, CODEX_Server::ServerState::nMID );
         request.fill( stateInfo->delegationDomain() );
         request.fill( ClientDelegation::kRequestSignature );
         request.fill( CODEX_Client::kBlindKeyMsg );
         int reqLen = resp.marshal(0);
         unsigned char* reqBuff = new unsigned char[reqLen];
         unsigned char* pReqBuff = reqBuff;
         resp.marshal(&pReqBuff);
         request.fill( reqBuff, reqLen );
         delete [] reqBuff;

         CODEX_Server::SignRequestEvent* event =
            new CODEX_Server::SignRequestEvent(this,
                                               m_destination,
                                               request,
                                               cb);
         sendEvent( event, 0 ); // no need to acknowledge
         serverState->removeChallenge( this->seqNum() );
         m_complete = true;
      }
      else if ( numResp >= qs->quorumSize() )
      {
         // We cannot form a threshold decryption because the key values
         // stored at different servers are inconsistent.
         sendEvent( new CODEX_Events::CloseEvent(0, m_clientAct), 0 );
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return false;
      }
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   catch ( CODEX_Exceptions::ExceptionBase& e )
   {
      e.report();
      if ( 0 != servSig ) delete servSig;
      if ( 0 != partialResults ) delete partialResults;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   catch ( ... )
   {
      if ( 0 != servSig ) delete servSig;
      if ( 0 != partialResults ) delete partialResults;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return false;
   }
   // Control should never reach here, but in case it does...
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return false;
}

void
ClientReadCallback::constructBlindedKey( BlindPlainTextType& blindedKey,
                                         const BlindCipherTextType& blinding,
                                         const PartialArray& partials )
{
   typedef ShareType  TDType;

   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      return;
   }

#ifndef ELGAMAL
   if ( partials.size() > CODEX_Server::ServerState::nFaults )
   {
      // optimistic case
      ShareSetType allPartials;
      PartialArray::const_iterator itr = partials.begin();
      PartialArray::const_iterator end = partials.end();
      for ( ; itr != end ; ++itr )
      {
         allPartials.addShare( **itr );
      }
      // Get the threshold decryption, verify it, and if OK respond.
      const CODEX_Server::ServerState::ThresholdRSAType& thresholdRSA =
         serverState->thresholdRSA();
      BIGNUM* bk = thresholdRSA.threshold( allPartials );
      if ( 0 != bk )
      {
         try
         {
            const CODEX_Ciphers::RSAPublicKey& serviceKey =
               serverState->serviceKey();
            if ( ! serviceKey.initialized() )
            {
               throw CODEX_Server::PublicKeyNotFoundException( __FILE__ ,
                                                               __LINE__ );
            }
            // Check if the encryption of the threshold result matches
            // the blind encryption.
            CODEX_Ciphers::RSACipherText* ct = serviceKey.encrypt( bk );
            if ( 0 == BN_cmp( ct->value(), blinding.c1().value() ) )
            {
               blindedKey = BlindPlainTextType( bk, blinding.c2() );
               bk = 0;
            }
            delete ct;
         }
         catch ( ... )
         {
         }
         if ( 0 != bk ) BN_free( bk );
      }

      if ( ! blindedKey.initialized() )
      {
         bk = serverState->thresholdOperation( partials,
                                               blinding.c1().value() );
         if ( 0 != bk )
         {
            blindedKey = BlindPlainTextType( bk, blinding.c2() );
            bk = 0;
         }
         if ( 0 != bk ) BN_free( bk );
      }
   }
#else /* ELGAMAL */
   // The ElGamal case is easy, since all partials have been verified
   // beforehand.  Consequently, if we have all of the partial results,
   // we can trivially compose the threshold decryption.
   BIGNUM * bk = serverState->thresholdEG().thresholdDecrypt( partials,
                                                              blinding );
   if ( 0 == bk )
   {
      return;
   }
   blindedKey = CODEX_ASN1::BigNumber( bk );
#endif /* ELGAMAL */
}

---