/* This file is part of libbrandt. * Copyright (C) 2016 GNUnet e.V. * * libbrandt is free software: you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation, either version 3 of the License, or (at your option) any later * version. * * libbrandt is distributed in the hope that it will be useful, but WITHOUT ANY * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR * A PARTICULAR PURPOSE. See the GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along with * libbrandt. If not, see . */ /** * @file brandt.c * @brief Implementation of the high level libbrandt interface. * @author Markus Teich */ #include "platform.h" #include "crypto.h" #include "internals.h" #include "util.h" void BRANDT_init (struct GNUNET_CRYPTO_EccDlogContext *dlogctx) { gcry_error_t err = 0; if (!gcry_check_version ("1.7.0")) eprintf ("libgcrypt version mismatch"); /* SECMEM cannot be resized dynamically. We do not know how much we need */ if ((err = gcry_control (GCRYCTL_DISABLE_SECMEM, 0))) weprintf ("failed to set libgcrypt option DISABLE_SECMEM: %s", gcry_strerror (err)); /* ecc is slow otherwise and we don't create long term keys anyway. */ if ((err = gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0))) weprintf ("failed to set libgcrypt option ENABLE_QUICK_RANDOM: %s", gcry_strerror (err)); gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); brandt_crypto_init (dlogctx); } void BRANDT_bidder_start (struct BRANDT_Auction *auction, uint16_t i, uint16_t n) { enum auction_type atype; enum outcome_type outcome; unsigned char *buf; size_t buflen; GNUNET_assert (auction && n > 0 && i < n); auction->n = n; auction->i = i; atype = auction->m > 0 ? auction_mPlusFirstPrice : auction_firstPrice; outcome = auction->outcome_public ? outcome_public : outcome_private; if (auction_mPlusFirstPrice == atype && n <= auction->m) { /* fewer bidders than items to sell. every bidder won with lowest price */ struct BRANDT_Result *res; if (auction->outcome_public) { res = GNUNET_new_array (n, struct BRANDT_Result); for (uint16_t h = 0; h < n; h++) { res[h].bidder = h; res[h].price = 0; res[h].status = BRANDT_bidder_won; } auction->result (auction->closure, res, n); } else { res = GNUNET_new (struct BRANDT_Result); res->bidder = i; res->price = 0; res->status = BRANDT_bidder_won; auction->result (auction->closure, res, 1); } return; } /* On M+1st price auctions we multiply the amount of prizes by the amount of * bidders and resctrict each bidder to his own distinct subset of the * prices. This is done for tie breaking. An additional proof is used in the * encrypt_bid round to show that the bidder has chosen a valid bid and the * outcome callback will remap the result to the original k price values. */ if (auction_mPlusFirstPrice == atype) { auction->k *= n; auction->b = auction->b * n + n - i - 1; } if (handler_prep[atype][outcome][msg_init]) handler_prep[atype][outcome][msg_init] (auction); if (!handler_out[atype][outcome][msg_init] || !(buf = handler_out[atype][outcome][msg_init](auction, &buflen))) { /** \todo */ weprintf ("wow fail out"); return; } auction->bcast (auction->closure, buf, buflen); gcry_mpi_set_bit (auction->round_progress, auction->i); free (buf); } static void seller_start (void *arg) { struct BRANDT_Auction *ad = (struct BRANDT_Auction *)arg; enum auction_type atype; enum outcome_type outcome; ad->task = NULL; ad->n = ad->start (ad->closure); if (0 == ad->n) { weprintf ("no bidders registered for auction"); ad->result (ad->closure, NULL, 0); return; } else if (ad->n <= ad->m) { struct BRANDT_Result *res = GNUNET_new_array (ad->n, struct BRANDT_Result); weprintf ("less bidders than needed, selling for lowest price"); for (uint16_t i = 0; i < ad->n; i++) { res[i].bidder = i; res[i].price = 0; res[i].status = BRANDT_bidder_won; } ad->result (ad->closure, res, ad->n); } atype = ad->m > 0 ? auction_mPlusFirstPrice : auction_firstPrice; outcome = ad->outcome_public ? outcome_public : outcome_private; /* On M+1st price auctions we multiply the amount of prizes by the amount of * bidders and resctrict each bidder to his own distinct subset of the * prices. This is done for tie breaking. An additional proof is used in the * encrypt_bid round to show that the bidder has chosen a valid bid and the * outcome callback will remap the result to the original k price values. */ if (auction_mPlusFirstPrice == atype) ad->k *= ad->n; if (handler_prep[atype][outcome][msg_init]) handler_prep[atype][outcome][msg_init] (ad); } struct BRANDT_Auction * BRANDT_new (BRANDT_CbResult result, BRANDT_CbBroadcast broadcast, BRANDT_CbStart start, void *auction_closure, void **auction_desc, size_t *auction_desc_len, const void *description, uint32_t description_len, struct GNUNET_TIME_Absolute time_start, struct GNUNET_TIME_Relative time_round, uint16_t num_prices, uint16_t m, int outcome_public) { struct BRANDT_Auction *ret; struct BRANDT_DescrP *desc; struct GNUNET_HashContext *hc; struct GNUNET_TIME_Relative until_start; if (0 == num_prices) return NULL; desc = GNUNET_new (struct BRANDT_DescrP); desc->time_start = GNUNET_TIME_absolute_hton (time_start); desc->time_round = GNUNET_TIME_relative_hton (time_round); desc->description_len = htonl (description_len); desc->k = htons (num_prices); desc->m = htons (m); desc->outcome_public = htons (outcome_public); hc = GNUNET_CRYPTO_hash_context_start (); GNUNET_CRYPTO_hash_context_read (hc, &desc->time_start, sizeof (*desc) - sizeof (desc->hash)); GNUNET_CRYPTO_hash_context_read (hc, description, description_len); GNUNET_CRYPTO_hash_context_finish (hc, &desc->hash); ret = GNUNET_new (struct BRANDT_Auction); ret->time_start = time_start; ret->time_round = time_round; ret->k = num_prices; ret->m = m; ret->outcome_public = outcome_public; ret->cur_round = msg_init; ret->round_progress = gcry_mpi_new (256); /* we are the seller */ ret->seller_mode = 1; /* callback interface with application */ ret->closure = auction_closure; ret->bcast = broadcast; ret->result = result; ret->start = start; until_start = GNUNET_TIME_absolute_get_remaining (time_start); ret->task = GNUNET_SCHEDULER_add_delayed (until_start, &seller_start, ret); *auction_desc_len = sizeof (struct BRANDT_DescrP); *auction_desc = desc; return ret; } int BRANDT_verify_desc (const void *auction_desc, size_t auction_desc_len, const void *description, uint32_t description_len, struct GNUNET_TIME_Absolute *time_start, struct GNUNET_TIME_Relative *time_round, uint16_t *num_prices, uint16_t *m, uint16_t *outcome_public) { const struct BRANDT_DescrP *desc = auction_desc; const uint32_t zero = 0; struct GNUNET_HashContext *hc = GNUNET_CRYPTO_hash_context_start (); struct GNUNET_HashCode computed_hash; if (sizeof (struct BRANDT_DescrP) != auction_desc_len) { weprintf ("auction desc struct size mismatch"); return -1; } GNUNET_CRYPTO_hash_context_read (hc, &desc->time_start, sizeof (*desc) - sizeof (desc->hash)); GNUNET_CRYPTO_hash_context_read (hc, description, description_len); GNUNET_CRYPTO_hash_context_finish (hc, &computed_hash); if (0 != memcmp (&desc->hash, &computed_hash, sizeof (computed_hash))) { weprintf ("auction description hash does not match"); return -1; } if (0 != memcmp (&desc->reserved1, &zero, sizeof (desc->reserved1)) || 0 != memcmp (&desc->reserved2, &zero, sizeof (desc->reserved2))) { weprintf ("unknown auction description format"); return -1; } if (time_start) *time_start = GNUNET_TIME_absolute_ntoh (desc->time_start); if (time_round) *time_round = GNUNET_TIME_relative_ntoh (desc->time_round); if (num_prices) *num_prices = ntohs (desc->k); if (m) *m = ntohs (desc->m); if (outcome_public) *outcome_public = ntohs (desc->outcome_public); return 0; } struct BRANDT_Auction * BRANDT_join (BRANDT_CbResult result, BRANDT_CbBroadcast broadcast, BRANDT_CbUnicast unicast, void *auction_closure, const void *auction_desc, size_t auction_desc_len, const void *description, uint32_t description_len, uint16_t bid) { struct BRANDT_Auction *ret = GNUNET_new (struct BRANDT_Auction); if (0 != BRANDT_verify_desc (auction_desc, auction_desc_len, description, description_len, &ret->time_start, &ret->time_round, &ret->k, &ret->m, &ret->outcome_public)) { weprintf ("failed to parse auction description blob"); return NULL; } ret->cur_round = msg_init; ret->round_progress = gcry_mpi_new (256); ret->b = bid; /* we are the seller */ ret->seller_mode = 0; /* callback interface with application */ ret->closure = auction_closure; ret->bcast = broadcast; ret->ucast = unicast; ret->result = result; return ret; } void BRANDT_destroy (struct BRANDT_Auction *auction) { if (auction->task) GNUNET_SCHEDULER_cancel (auction->task); gcry_mpi_release (auction->round_progress); gcry_mpi_release (auction->x); smc_free1 (auction->y, auction->n); gcry_mpi_point_release (auction->Y); smc_free2 (auction->alpha, auction->n, auction->k); smc_free2 (auction->beta, auction->n, auction->k); smc_free2 (auction->gamma2, auction->n, auction->k); smc_free3 (auction->gamma3, auction->n, auction->n, auction->k); smc_free2 (auction->delta2, auction->n, auction->k); smc_free3 (auction->delta3, auction->n, auction->n, auction->k); smc_free2 (auction->phi2, auction->n, auction->k); smc_free3 (auction->phi3, auction->n, auction->n, auction->k); free (auction->phiproofs3); smc_free1 (auction->tmpa1, auction->k); smc_free1 (auction->tmpb1, auction->k); } static void report_outcome (struct BRANDT_Auction *ad, enum auction_type atype, enum outcome_type outcome) { struct BRANDT_Result *res; uint16_t reslen = 0; if (!handler_res[atype][outcome] || !(res = handler_res[atype][outcome] (ad, &reslen))) ad->result (ad->closure, NULL, 0); else ad->result (ad->closure, res, reslen); } static void advance_round (struct BRANDT_Auction *ad, enum auction_type atype, enum outcome_type outcome) { unsigned char *buf; size_t buflen; if (!ad->seller_mode && msg_decrypt == ad->cur_round && !outcome) { /* we are a bidder on a private outcome auction and * successfully parsed the msg_decrypt from the seller * => we can determine the auction result */ report_outcome (ad, atype, outcome); return; } /* only continue if the round is complete */ for (uint16_t i = 0; i < ad->n; i++) if (!gcry_mpi_test_bit (ad->round_progress, i)) return; if (ad->seller_mode && msg_decrypt == ad->cur_round && !ad->outcome_public) { /* all bidders msg_decrypt received, broadcast combined msg_decrypt */ if (!handler_out[atype][outcome][ad->cur_round] || !(buf = handler_out[atype][outcome][ad->cur_round](ad, &buflen))) { weprintf ("failed to create msg %d buffer as seller", ad->cur_round); return; } ad->bcast (ad->closure, buf, buflen); } if (msg_decrypt == ad->cur_round) { report_outcome (ad, atype, outcome); return; } /* round complete, advance to next one */ gcry_mpi_clear_highbit (ad->round_progress, 0); ad->cur_round++; /* prepare next round. */ if (handler_prep[atype][outcome][ad->cur_round]) handler_prep[atype][outcome][ad->cur_round] (ad); if (ad->seller_mode) { /** \todo: setup round timeout trigger */ /* seller does not send regular messages */ return; } /* create next message buffer */ if (!handler_out[atype][outcome][ad->cur_round] || !(buf = handler_out[atype][outcome][ad->cur_round](ad, &buflen))) { weprintf ("failed to create msg %d buffer as bidder", ad->cur_round); return; } /* msg_decrypt unicast to seller if private outcome mode. * All other messages are broadcasted */ if (msg_decrypt == ad->cur_round && !outcome) ad->ucast (ad->closure, buf, buflen); else ad->bcast (ad->closure, buf, buflen); gcry_mpi_set_bit (ad->round_progress, ad->i); } void BRANDT_got_message (struct BRANDT_Auction *auction, uint16_t sender, const unsigned char *msg, size_t msg_len) { struct msg_head *head = (struct msg_head *)msg; enum auction_type atype; enum outcome_type outcome; enum rounds round = auction->cur_round; atype = auction->m > 0 ? auction_mPlusFirstPrice : auction_firstPrice; outcome = auction->outcome_public ? outcome_public : outcome_private; /** \todo: cache out of order messages instead of discarding */ if (ntohl (head->msg_type) != round || ntohl (head->prot_version) != 0) { weprintf ("got unexpected message, ignoring..."); return; } /* check if we already got that round message from the same user */ if (gcry_mpi_test_bit (auction->round_progress, sender)) { weprintf ("got a duplicate message from user %d", sender); return; } if (!handler_in[atype][outcome][round] || !handler_in[atype][outcome][round](auction, msg + sizeof (*head), msg_len - sizeof (*head), sender)) { /** \todo */ weprintf ("wow fail in"); return; } gcry_mpi_set_bit (auction->round_progress, sender); advance_round (auction, atype, outcome); }