DelegateResponseVerifier.cc

/*
 * Copyright 2003 Michael A. Marsh, Cornell University. All rights reserved.
 * This software is released under the modified BSD license.
 * See the file LICENSE in the top-level directory for details.
 */
//
// $Id: DelegateResponseVerifier.cc,v 1.4 2004/05/19 15:56:52 mmarsh Exp $
//
// $Log: DelegateResponseVerifier.cc,v $
// Revision 1.4  2004/05/19 15:56:52  mmarsh
// *** empty log message ***
//
// Revision 1.3  2003/11/04 22:31:49  mmarsh
// *** empty log message ***
//
//

#include "DelegateResponseVerifier.h"
#include "CODEX_Server/ServerResponseEvent.h"
#include "CODEX_Server/ServerState.h"
#include "StateInfo.h"
#include "ClientDelegation.h"
#include "VerifiableBlindKeyMsg.h"

#include "CODEX_Server/ServerExceptions.h"
#include "Exceptions.h"

#include "timing.h"

using namespace CODEX_KeyService;

DelegateResponseVerifier::DelegateResponseVerifier(
   CODEX_Events::DeadPileType& deadPile,
   CODEX_Events::QType& eventQueue,
   SupportedClientResponseHandler* destination ):
   CODEX_Events::Activity( deadPile, eventQueue ),
   m_destination( destination )
{
}

DelegateResponseVerifier::~DelegateResponseVerifier()
{
}

bool
DelegateResponseVerifier::handler(
   SupportedClientResponseEvent< BoundNameMsg, SignedCreateKeyMsg >& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const BoundNameMsg& response = event.message().response();
   const CreateKeyMsg& request = response.request().message();

   // "sRequest" will be digested and checked against the signatures
   // provided as evidence.  Consequently, we don't need to test it,
   // since correct servers would not have signed a malformed request.
   const SignedCreateKeyMsg& sRequest = event.message().request();

   if ( response.name().value() != request.name().value() )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   if ( request.name().value() != sRequest.message().name().value() )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // The signatures must match, or the response is not valid.
   if ( 0 != BN_cmp( response.request().signature().value(),
                     sRequest.signature().value() ) )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the server state info.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // The signature on the request that is contained within the response
   // must be correct.  This ensures that the binding contains valid
   // information.
   CODEX_Ciphers::RSAPublicKey ownerKey( request.owner().value() );
   BIGNUM * digest = 0;
   try
   {
      digest = request.digest( serverState->hashFunc() );
      bool sigOK = ownerKey.verifySignature( response.request().signature(),
                                             digest );
      BN_free(digest);
      digest = 0;
      if ( ! sigOK )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return true;
      }
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free(digest);
#ifdef TIMING
      ActiveTimer.stop();
#endif
      throw;
   }

   // Get the quorum system.
   CODEX_Quorum::QuorumSystem* qs = serverState->quorumSystem();
   if ( 0 == qs )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get a digest of the request.
   try
   {
      digest = sRequest.digest( serverState->hashFunc() );
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free(digest);
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   if ( 0 == digest )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   bool retVal =
      process( digest, event.message().evidence(), qs->quorumSize() );

   BN_free(digest);

   if ( retVal )
   {
      // The key name should be bound here if it isn't already.  If another
      // request bound the name, we should replace it, since the previous
      // binding was not accepted by the quorum system.
      const KeyInfo* keyInfo =
         stateInfo->getKeyInfo( response.name().value() );
      if ( 0 == keyInfo )
      {
         if ( ! stateInfo->addKeyName( response.name().value(), response ) )
         {
#ifdef TIMING
            ActiveTimer.stop();
#endif
            throw KeyExistsException( __FILE__ , __LINE__ );
         }
      }
      else
      {
         // The simplest thing to do is just replace, whether the bindings
         // are different or not.
         if ( ! stateInfo->replaceKeyBinding(
            response.name().value(),
            CODEX_Client::SignedBoundNameMsg(
               response,
               CODEX_Ciphers::RSASignature() ) ) )
         {
#ifdef TIMING
            ActiveTimer.stop();
#endif
            throw KeyNotFoundException( __FILE__ , __LINE__ );
         }
      }

      event.reRoute( m_destination );
   }
   else
   {
      sendEvent( 0, event.source(), true ); // NACK
   }
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return (!retVal);
}

bool
DelegateResponseVerifier::handler(
   SupportedClientResponseEvent< KeyStoredMsg, SignedWriteKeyMsg >& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const KeyStoredMsg& response = event.message().response();

   // We do not need to check the details of the write request, since
   // correct servers will have done that already before signing it.
   const SignedWriteKeyMsg& request = event.message().request();
   if ( response.name().value() != request.message().name().value() )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   // The response must contain the signature on the request, or it's
   // not valid.
   if ( 0 != BN_cmp( response.requestSignature().value(),
                     request.signature().value() ) )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the server state info.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the quorum system.
   CODEX_Quorum::QuorumSystem* qs = serverState->quorumSystem();
   if ( 0 == qs )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get a digest of the request.
   BIGNUM * digest = 0;
   try
   {
      digest = request.digest( serverState->hashFunc() );
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free(digest);
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   if ( 0 == digest )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   bool retVal =
      process( digest, event.message().evidence(), qs->quorumSize() );

   BN_free( digest );

   if ( retVal )
   {
      // The request is valid, so the value should be stored regardless
      // of whether a value exists at this server already.  In addition,
      // the verified bit should be set.
      const KeyInfo* keyInfo =
         stateInfo->getKeyInfo( request.message().name().value() );
      if ( 0 == keyInfo )
      {
         if ( ! stateInfo->addKeyName( response.name().value(),
                                       request.message().binding() ) )
         {
#ifdef TIMING
            ActiveTimer.stop();
#endif
            throw KeyExistsException( __FILE__ , __LINE__ );
         }
         if ( ! stateInfo->addKeyValue( response.name().value(),
                                        request.message().encryption() ) )
         {
#ifdef TIMING
            ActiveTimer.stop();
#endif
            throw KeyNotFoundException( __FILE__ , __LINE__ );
         }
      }
      else
      {
         // If the key value is not yet set, or the values differ, set the
         // key value according to the request.
         if ( ! ( keyInfo->keyValue().initialized() &&
                  ( keyInfo->keyValue() == request.message().encryption() ) ) )
         {
            if ( ! stateInfo->addKeyValue( response.name().value(),
                                           request.message().encryption() ) )
            {
#ifdef TIMING
               ActiveTimer.stop();
#endif
               throw KeyNotFoundException( __FILE__ , __LINE__ );
            }
         }
      }

      if ( ! stateInfo->verifyKeyValue( response.name().value() ) )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         throw KeyNotFoundException( __FILE__ , __LINE__ );
      }

      event.reRoute( m_destination );
   }
   else
   {
      sendEvent( 0, event.source(), true ); // NACK
   }
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return (!retVal);
}

bool
DelegateResponseVerifier::handler( SupportedKeyStoredEvent& event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const KeyStoredMsg& response = event.message().response();

   // Get the server state info.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   StateInfo* stateInfo = StateInfo::instance();
   if ( 0 == stateInfo )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the quorum system.
   CODEX_Quorum::QuorumSystem* qs = serverState->quorumSystem();
   if ( 0 == qs )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get a digest of the response.
   BIGNUM * digest = 0;
   try
   {
      digest = response.digest( serverState->hashFunc() );
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free(digest);
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   if ( 0 == digest )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   bool retVal =
      process( digest, event.message().evidence(), qs->quorumSize() );

   BN_free( digest );

   if ( retVal )
   {
      event.reRoute( m_destination );
   }
   else
   {
      sendEvent( 0, event.source(), true ); // NACK
   }
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return (!retVal);
}

bool
DelegateResponseVerifier::handler(
   SupportedClientResponseEvent< VerifiableBlindKeyMsg, SignedReadKeyMsg >&
   event )
{
#ifdef TIMING
   ActiveTimer.start();
#endif
   const BlindKeyMsg& response = event.message().response();
   const VerifiableBlindKeyMsg& vResponse = event.message().response();

   // We do not need to check the details of the read request, since
   // a correct server will have done that already before signing it.
   const SignedReadKeyMsg& request = event.message().request();

   if ( response.name().value() != request.message().name().value() )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // The response must contain the signature on the request, or it's
   // not valid.
   if ( 0 != BN_cmp( response.requestSignature().value(),
                     request.signature().value() ) )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the server state info.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get the quorum system.
   CODEX_Quorum::QuorumSystem* qs = serverState->quorumSystem();
   if ( 0 == qs )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

   // Get a digest of the request.
   BIGNUM * digest = 0;
   unsigned char* buff = 0;
   CODEX_ASN1::ustring* str = 0;
   try
   {
      int length = request.marshal(0);
      length += vResponse.blindCipher().marshal(0);
      buff = new unsigned char[ length ];
      unsigned char* pBuff = buff;
      request.marshal(&pBuff);
      vResponse.blindCipher().marshal(&pBuff);

      str = serverState->hashFunc()( CODEX_ASN1::ustring( buff, length ) );

      delete [] buff;
      buff = 0;

      digest = BN_new();
      if ( 0 == digest )
      {
         throw CODEX_Exceptions::BignumNullException( __FILE__ , __LINE__ );
      }
      if ( 0 == BN_bin2bn( str->data(), str->length(), digest ) )
      {
         throw CODEX_Exceptions::BignumBin2BNException( __FILE__ , __LINE__ );
      }

      delete str;
   }
   catch ( ... )
   {
      if ( 0 != digest ) BN_free(digest);
      if ( 0 != buff ) delete [] buff;
      if ( 0 != str ) delete str;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   if ( 0 == digest )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }

#ifndef ELGAMAL
   // RSA test
   CODEX_Ciphers::RSACipherText* blindEncryption = 0;
   try
   {
      blindEncryption = serverState->serviceKey().encrypt(
         response.blindedKey().b1().value() );
      bool cipherTest1 = ( *blindEncryption == vResponse.blindCipher().c1() );
      delete blindEncryption;
      blindEncryption = 0;
      bool cipherTest2 =
         ( response.blindedKey().b2() == vResponse.blindCipher().c2() );
      if ( ! ( cipherTest1 && cipherTest2 ) )
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return true;
      }
   }
   catch ( ... )
   {
      if ( 0 != blindEncryption ) delete blindEncryption;
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
#else /* ELGAMAL */
   // ElGamal test
   typedef CODEX_Server::ServerState::ShareSetType  ShareSetType;
   typedef CODEX_Server::ServerState::ShareType     ShareType;
   const CODEX_Ciphers::ElGamalPublicKey& serviceEGKey =
      serverState->publicEGKey();
   ShareSetType tempSS;
   for ( unsigned int i = 0 ; i < ShareType::NumShares ; ++i )
   {
      if ( vResponse.proof(i).verify( vResponse.blindCipher().c1().value(),
                                      serviceEGKey.g().value(),
                                      vResponse.partial(i).value(),
                                      vResponse.label().vc(i).value(),
                                      serviceEGKey.p().value(),
                                      serverState->hashFunc() ) )
      {
         tempSS.setShare(i,vResponse.partial(i));
      }
      else
      {
#ifdef TIMING
         ActiveTimer.stop();
#endif
         return true;
      }
   }
   // We now know that combining the partial results gives us c1^x
   // Now we must recover the plaintext from this using c2, and compare
   // with the alleged plaintext.
   BIGNUM * bk = serverState->thresholdEG().thresholdDecrypt(
      tempSS,
      vResponse.blindCipher() );
   if ( 0 == bk )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
   bool bkMismatch = ( 0 != BN_cmp( bk, response.blindedKey().value() ) );
   BN_clear_free( bk );
   if ( bkMismatch )
   {
#ifdef TIMING
      ActiveTimer.stop();
#endif
      return true;
   }
#endif /* ELGAMAL */

   bool retVal = process(
      digest, event.message().evidence(), qs->faultsTolerated()+1 );

   BN_free( digest );

   if ( retVal )
   {
      event.reRoute( m_destination );
   }
   else
   {
      sendEvent( 0, event.source(), true ); // NACK
   }
#ifdef TIMING
   ActiveTimer.stop();
#endif
   return (!retVal);
}

bool
DelegateResponseVerifier::process(
   const BIGNUM* digest,
   const CODEX_ASN1::Array< CODEX_Server::ServerSignature >& evidence,
   unsigned int evidenceSize )
{
   typedef CODEX_ASN1::Array< CODEX_Server::ServerSignature > ArrayType;

   // Make sure the digest isn't 0.
   if ( 0 == digest )
   {
      return false;
   }

   // We don't want to double-count evidence.
   bool serverResponses[ CODEX_Server::ServerState::nServers ];
   for ( unsigned int i = 0 ; i < CODEX_Server::ServerState::nServers ; ++i )
   {
      serverResponses[i] = false;
   }

   // Get the server state info.
   CODEX_Server::ServerState* serverState =
      CODEX_Server::ServerState::instance();
   if ( 0 == serverState )
   {
      return false;
   }

   // Make sure there is enough evidence.
   if ( evidence.size() < evidenceSize )
   {
      return false;
   }

   // Loop over the evidence.  Any bad signatures result in a verification
   // failure.  Duplications aren't counted and don't result in a rejection.
   // The good-signature counter must accumulate enough for a positive
   // verification.
   unsigned int goodSigs = 0;
   ArrayType::ArrayItr itr = evidence.begin();
   ArrayType::ArrayItr end = evidence.end();
   for ( ; itr != end ; ++itr )
   {
      int serverNum = (*itr)->serverID().value();
      if ( serverResponses[ serverNum ] )
      {
         // We've already seen a purported signature from this server.
         continue;
      }
      serverResponses[ serverNum ] = true;

      // Get the server's public key.
      const CODEX_Ciphers::RSAPublicKey& pubKey =
         serverState->publicKey( serverNum );
      if ( ! pubKey.initialized() )
      {
         break;
      }

      // Now check the signature.
      if ( ! pubKey.verifySignature( (*itr)->signature(), digest ) )
      {
         break;
      }

      // Everything's OK.
      ++goodSigs;
   }

   // Did we get enough?
   if ( goodSigs < evidenceSize )
   {
      return false;
   }
   return true;
}

---