diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp index 98da466c..1c7adff3 100644 --- a/src/crypto/crypto.cpp +++ b/src/crypto/crypto.cpp @@ -81,12 +81,16 @@ namespace crypto { } /* generate a random 32-byte (256-bit) integer and copy it to res */ - static inline void random_scalar(ec_scalar &res) { + static inline void random_scalar_not_thread_safe(ec_scalar &res) { unsigned char tmp[64]; generate_random_bytes_not_thread_safe(64, tmp); sc_reduce(tmp); memcpy(&res, tmp, 32); } + static inline void random_scalar(ec_scalar &res) { + boost::lock_guard lock(random_lock); + random_scalar_not_thread_safe(res); + } static inline void hash_to_scalar(const void *data, size_t length, ec_scalar &res) { cn_fast_hash(data, length, reinterpret_cast(res)); @@ -99,7 +103,6 @@ namespace crypto { * */ secret_key crypto_ops::generate_keys(public_key &pub, secret_key &sec, const secret_key& recovery_key, bool recover) { - boost::lock_guard lock(random_lock); ge_p3 point; secret_key rng; @@ -197,8 +200,14 @@ namespace crypto { ec_point comm; }; + struct s_comm_2 { + hash msg; + ec_point D; + ec_point X; + ec_point Y; + }; + void crypto_ops::generate_signature(const hash &prefix_hash, const public_key &pub, const secret_key &sec, signature &sig) { - boost::lock_guard lock(random_lock); ge_p3 tmp3; ec_scalar k; s_comm buf; @@ -242,6 +251,124 @@ namespace crypto { return sc_isnonzero(&c) == 0; } + void crypto_ops::generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) { + // sanity check + ge_p3 R_p3; + ge_p3 A_p3; + ge_p3 D_p3; + if (ge_frombytes_vartime(&R_p3, &R) != 0) throw std::runtime_error("tx pubkey is invalid"); + if (ge_frombytes_vartime(&A_p3, &A) != 0) throw std::runtime_error("recipient view pubkey is invalid"); + if (ge_frombytes_vartime(&D_p3, &D) != 0) throw std::runtime_error("key derivation is invalid"); +#if !defined(NDEBUG) + { + assert(sc_check(&r) == 0); + // check R == r*G + ge_p3 dbg_R_p3; + ge_scalarmult_base(&dbg_R_p3, &r); + public_key dbg_R; + ge_p3_tobytes(&dbg_R, &dbg_R_p3); + assert(R == dbg_R); + // check D == r*A + ge_p2 dbg_D_p2; + ge_scalarmult(&dbg_D_p2, &r, &A_p3); + public_key dbg_D; + ge_tobytes(&dbg_D, &dbg_D_p2); + assert(D == dbg_D); + } +#endif + + // pick random k + ec_scalar k; + random_scalar(k); + + // compute X = k*G + ge_p3 X_p3; + ge_scalarmult_base(&X_p3, &k); + + // compute Y = k*A + ge_p2 Y_p2; + ge_scalarmult(&Y_p2, &k, &A_p3); + + // sig.c = Hs(Msg || D || X || Y) + s_comm_2 buf; + buf.msg = prefix_hash; + buf.D = D; + ge_p3_tobytes(&buf.X, &X_p3); + ge_tobytes(&buf.Y, &Y_p2); + hash_to_scalar(&buf, sizeof(s_comm_2), sig.c); + + // sig.r = k - sig.c*r + sc_mulsub(&sig.r, &sig.c, &r, &k); + } + + bool crypto_ops::check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) { + // sanity check + ge_p3 R_p3; + ge_p3 A_p3; + ge_p3 D_p3; + if (ge_frombytes_vartime(&R_p3, &R) != 0) return false; + if (ge_frombytes_vartime(&A_p3, &A) != 0) return false; + if (ge_frombytes_vartime(&D_p3, &D) != 0) return false; + if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0) return false; + + // compute sig.c*R + ge_p2 cR_p2; + ge_scalarmult(&cR_p2, &sig.c, &R_p3); + + // compute sig.r*G + ge_p3 rG_p3; + ge_scalarmult_base(&rG_p3, &sig.r); + + // compute sig.c*D + ge_p2 cD_p2; + ge_scalarmult(&cD_p2, &sig.c, &D_p3); + + // compute sig.r*A + ge_p2 rA_p2; + ge_scalarmult(&rA_p2, &sig.r, &A_p3); + + // compute X = sig.c*R + sig.r*G + public_key cR; + ge_tobytes(&cR, &cR_p2); + ge_p3 cR_p3; + if (ge_frombytes_vartime(&cR_p3, &cR) != 0) return false; + ge_cached rG_cached; + ge_p3_to_cached(&rG_cached, &rG_p3); + ge_p1p1 X_p1p1; + ge_add(&X_p1p1, &cR_p3, &rG_cached); + ge_p2 X_p2; + ge_p1p1_to_p2(&X_p2, &X_p1p1); + + // compute Y = sig.c*D + sig.r*A + public_key cD; + public_key rA; + ge_tobytes(&cD, &cD_p2); + ge_tobytes(&rA, &rA_p2); + ge_p3 cD_p3; + ge_p3 rA_p3; + if (ge_frombytes_vartime(&cD_p3, &cD) != 0) return false; + if (ge_frombytes_vartime(&rA_p3, &rA) != 0) return false; + ge_cached rA_cached; + ge_p3_to_cached(&rA_cached, &rA_p3); + ge_p1p1 Y_p1p1; + ge_add(&Y_p1p1, &cD_p3, &rA_cached); + ge_p2 Y_p2; + ge_p1p1_to_p2(&Y_p2, &Y_p1p1); + + // compute c2 = Hs(Msg || D || X || Y) + s_comm_2 buf; + buf.msg = prefix_hash; + buf.D = D; + ge_tobytes(&buf.X, &X_p2); + ge_tobytes(&buf.Y, &Y_p2); + ec_scalar c2; + hash_to_scalar(&buf, sizeof(s_comm_2), c2); + + // test if c2 == sig.c + sc_sub(&c2, &c2, &sig.c); + return sc_isnonzero(&c2) == 0; + } + static void hash_to_ec(const public_key &key, ge_p3 &res) { hash h; ge_p2 point; @@ -280,7 +407,6 @@ POP_WARNINGS const public_key *const *pubs, size_t pubs_count, const secret_key &sec, size_t sec_index, signature *sig) { - boost::lock_guard lock(random_lock); size_t i; ge_p3 image_unp; ge_dsmp image_pre; diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h index 3b8c7996..e99b6651 100644 --- a/src/crypto/crypto.h +++ b/src/crypto/crypto.h @@ -123,6 +123,10 @@ namespace crypto { friend void generate_signature(const hash &, const public_key &, const secret_key &, signature &); static bool check_signature(const hash &, const public_key &, const signature &); friend bool check_signature(const hash &, const public_key &, const signature &); + static void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &); + friend void generate_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const secret_key &, signature &); + static bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &); + friend bool check_tx_proof(const hash &, const public_key &, const public_key &, const public_key &, const signature &); static void generate_key_image(const public_key &, const secret_key &, key_image &); friend void generate_key_image(const public_key &, const secret_key &, key_image &); static void generate_ring_signature(const hash &, const key_image &, @@ -200,6 +204,16 @@ namespace crypto { return crypto_ops::check_signature(prefix_hash, pub, sig); } + /* Generation and checking of a tx proof; given a tx pubkey R, the recipient's view pubkey A, and the key + * derivation D, the signature proves the knowledge of the tx secret key r such that R=r*G and D=r*A + */ + inline void generate_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const secret_key &r, signature &sig) { + crypto_ops::generate_tx_proof(prefix_hash, R, A, D, r, sig); + } + inline bool check_tx_proof(const hash &prefix_hash, const public_key &R, const public_key &A, const public_key &D, const signature &sig) { + return crypto_ops::check_tx_proof(prefix_hash, R, A, D, sig); + } + /* To send money to a key: * * The sender generates an ephemeral key and includes it in transaction output. * * To spend the money, the receiver generates a key image from it. diff --git a/src/simplewallet/simplewallet.cpp b/src/simplewallet/simplewallet.cpp index 81665e6a..4d53f063 100644 --- a/src/simplewallet/simplewallet.cpp +++ b/src/simplewallet/simplewallet.cpp @@ -47,6 +47,7 @@ #include "common/command_line.h" #include "common/util.h" #include "common/dns_utils.h" +#include "common/base58.h" #include "p2p/net_node.h" #include "cryptonote_protocol/cryptonote_protocol_handler.h" #include "simplewallet.h" @@ -714,6 +715,8 @@ simple_wallet::simple_wallet() m_cmd_binder.set_handler("rescan_spent", boost::bind(&simple_wallet::rescan_spent, this, _1), tr("Rescan blockchain for spent outputs")); m_cmd_binder.set_handler("get_tx_key", boost::bind(&simple_wallet::get_tx_key, this, _1), tr("Get transaction key (r) for a given ")); m_cmd_binder.set_handler("check_tx_key", boost::bind(&simple_wallet::check_tx_key, this, _1), tr("Check amount going to
in ")); + m_cmd_binder.set_handler("get_tx_proof", boost::bind(&simple_wallet::get_tx_proof, this, _1), tr("Generate a signature to prove payment to
in using the transaction secret key (r) without revealing it")); + m_cmd_binder.set_handler("check_tx_proof", boost::bind(&simple_wallet::check_tx_proof, this, _1), tr("Check tx proof for payment going to
in ")); m_cmd_binder.set_handler("show_transfers", boost::bind(&simple_wallet::show_transfers, this, _1), tr("show_transfers [in|out|pending|failed|pool] [ []] - Show incoming/outgoing transfers within an optional height range")); m_cmd_binder.set_handler("unspent_outputs", boost::bind(&simple_wallet::unspent_outputs, this, _1), tr("unspent_outputs [ ] - Show unspent outputs within an optional amount range)")); m_cmd_binder.set_handler("rescan_bc", boost::bind(&simple_wallet::rescan_blockchain, this, _1), tr("Rescan blockchain from scratch")); @@ -1190,7 +1193,11 @@ bool simple_wallet::init(const boost::program_options::variables_map& vm) bool r = open_wallet(vm); CHECK_AND_ASSERT_MES(r, false, tr("failed to open account")); } - assert(m_wallet); + if (!m_wallet) + { + fail_msg_writer() << tr("wallet is null"); + return false; + } // set --trusted-daemon if local try @@ -1570,7 +1577,11 @@ bool simple_wallet::start_mining(const std::vector& args) if (!try_connect_to_daemon()) return true; - assert(m_wallet); + if (!m_wallet) + { + fail_msg_writer() << tr("wallet is null"); + return true; + } COMMAND_RPC_START_MINING::request req = AUTO_VAL_INIT(req); req.miner_address = m_wallet->get_account().get_public_address_str(m_wallet->testnet()); @@ -1613,7 +1624,11 @@ bool simple_wallet::stop_mining(const std::vector& args) if (!try_connect_to_daemon()) return true; - assert(m_wallet); + if (!m_wallet) + { + fail_msg_writer() << tr("wallet is null"); + return true; + } COMMAND_RPC_STOP_MINING::request req; COMMAND_RPC_STOP_MINING::response res; bool r = net_utils::invoke_http_json("/stop_mining", req, res, m_http_client); @@ -1630,7 +1645,11 @@ bool simple_wallet::save_bc(const std::vector& args) if (!try_connect_to_daemon()) return true; - assert(m_wallet); + if (!m_wallet) + { + fail_msg_writer() << tr("wallet is null"); + return true; + } COMMAND_RPC_SAVE_BC::request req; COMMAND_RPC_SAVE_BC::response res; bool r = net_utils::invoke_http_json("/save_bc", req, res, m_http_client); @@ -3232,6 +3251,85 @@ bool simple_wallet::get_tx_key(const std::vector &args_) } } //---------------------------------------------------------------------------------------------------- +bool simple_wallet::get_tx_proof(const std::vector &args) +{ + if(args.size() != 2 && args.size() != 3) { + fail_msg_writer() << tr("usage: get_tx_proof []"); + return true; + } + if (m_wallet->ask_password() && !get_and_verify_password()) { return true; } + + cryptonote::blobdata txid_data; + if(!epee::string_tools::parse_hexstr_to_binbuff(args[0], txid_data) || txid_data.size() != sizeof(crypto::hash)) + { + fail_msg_writer() << tr("failed to parse txid"); + return true; + } + crypto::hash txid = *reinterpret_cast(txid_data.data()); + + cryptonote::account_public_address address; + bool has_payment_id; + crypto::hash8 payment_id; + if(!cryptonote::get_account_address_from_str_or_url(address, has_payment_id, payment_id, m_wallet->testnet(), args[1])) + { + fail_msg_writer() << tr("failed to parse address"); + return true; + } + + LOCK_IDLE_SCOPE(); + + crypto::secret_key tx_key, tx_key2; + bool r = m_wallet->get_tx_key(txid, tx_key); + cryptonote::blobdata tx_key_data; + if (args.size() == 3) + { + if(!epee::string_tools::parse_hexstr_to_binbuff(args[2], tx_key_data) || tx_key_data.size() != sizeof(crypto::secret_key)) + { + fail_msg_writer() << tr("failed to parse tx_key"); + return true; + } + tx_key2 = *reinterpret_cast(tx_key_data.data()); + } + if (r) + { + if (args.size() == 3 && tx_key != rct::sk2rct(tx_key2)) + { + fail_msg_writer() << tr("Tx secret key was found for the given txid, but you've also provided another tx secret key which doesn't match the found one."); + return true; + } + } + else + { + if (tx_key_data.empty()) + { + fail_msg_writer() << tr("Tx secret key wasn't found in the wallet file. Provide it as the optional third parameter if you have it elsewhere."); + return true; + } + tx_key = tx_key2; + } + + crypto::public_key R; + crypto::secret_key_to_public_key(tx_key, R); + crypto::public_key rA = rct::rct2pk(rct::scalarmultKey(rct::pk2rct(address.m_view_public_key), rct::sk2rct(tx_key))); + crypto::signature sig; + try + { + crypto::generate_tx_proof(txid, R, address.m_view_public_key, rA, tx_key, sig); + } + catch (const std::runtime_error &e) + { + fail_msg_writer() << e.what(); + return true; + } + + std::string sig_str = std::string("ProofV1") + + tools::base58::encode(std::string((const char *)&rA, sizeof(crypto::public_key))) + + tools::base58::encode(std::string((const char *)&sig, sizeof(crypto::signature))); + + success_msg_writer() << tr("Signature: ") << sig_str; + return true; +} +//---------------------------------------------------------------------------------------------------- bool simple_wallet::check_tx_key(const std::vector &args_) { std::vector local_args = args_; @@ -3244,7 +3342,11 @@ bool simple_wallet::check_tx_key(const std::vector &args_) if (!try_connect_to_daemon()) return true; - assert(m_wallet); + if (!m_wallet) + { + fail_msg_writer() << tr("wallet is null"); + return true; + } cryptonote::blobdata txid_data; if(!epee::string_tools::parse_hexstr_to_binbuff(local_args[0], txid_data) || txid_data.size() != sizeof(crypto::hash)) { @@ -3253,8 +3355,6 @@ bool simple_wallet::check_tx_key(const std::vector &args_) } crypto::hash txid = *reinterpret_cast(txid_data.data()); - LOCK_IDLE_SCOPE(); - if (local_args[1].size() < 64 || local_args[1].size() % 64) { fail_msg_writer() << tr("failed to parse tx key"); @@ -3278,6 +3378,18 @@ bool simple_wallet::check_tx_key(const std::vector &args_) return true; } + crypto::key_derivation derivation; + if (!crypto::generate_key_derivation(address.m_view_public_key, tx_key, derivation)) + { + fail_msg_writer() << tr("failed to generate key derivation from supplied parameters"); + return true; + } + + return check_tx_key_helper(txid, address, derivation); +} +//---------------------------------------------------------------------------------------------------- +bool simple_wallet::check_tx_key_helper(const crypto::hash &txid, const cryptonote::account_public_address &address, const crypto::key_derivation &derivation) +{ COMMAND_RPC_GET_TRANSACTIONS::request req; COMMAND_RPC_GET_TRANSACTIONS::response res; req.txs_hashes.push_back(epee::string_tools::pod_to_hex(txid)); @@ -3311,13 +3423,6 @@ bool simple_wallet::check_tx_key(const std::vector &args_) return true; } - crypto::key_derivation derivation; - if (!crypto::generate_key_derivation(address.m_view_public_key, tx_key, derivation)) - { - fail_msg_writer() << tr("failed to generate key derivation from supplied parameters"); - return true; - } - uint64_t received = 0; try { for (size_t n = 0; n < tx.vout.size(); ++n) @@ -3340,14 +3445,6 @@ bool simple_wallet::check_tx_key(const std::vector &args_) { rct::key Ctmp; //rct::key amount_key = rct::hash_to_scalar(rct::scalarmultKey(rct::pk2rct(address.m_view_public_key), rct::sk2rct(tx_key))); - crypto::key_derivation derivation; - bool r = crypto::generate_key_derivation(address.m_view_public_key, tx_key, derivation); - if (!r) - { - LOG_ERROR("Failed to generate key derivation to decode rct output " << n); - amount = 0; - } - else { crypto::secret_key scalar1; crypto::derivation_to_scalar(derivation, n, scalar1); @@ -3404,6 +3501,129 @@ bool simple_wallet::check_tx_key(const std::vector &args_) return true; } //---------------------------------------------------------------------------------------------------- +bool simple_wallet::check_tx_proof(const std::vector &args) +{ + if(args.size() != 3) { + fail_msg_writer() << tr("usage: check_tx_proof
"); + return true; + } + + if (!try_connect_to_daemon()) + return true; + + // parse txid + cryptonote::blobdata txid_data; + if(!epee::string_tools::parse_hexstr_to_binbuff(args[0], txid_data) || txid_data.size() != sizeof(crypto::hash)) + { + fail_msg_writer() << tr("failed to parse txid"); + return true; + } + crypto::hash txid = *reinterpret_cast(txid_data.data()); + + // parse address + cryptonote::account_public_address address; + bool has_payment_id; + crypto::hash8 payment_id; + if(!cryptonote::get_account_address_from_str_or_url(address, has_payment_id, payment_id, m_wallet->testnet(), args[1])) + { + fail_msg_writer() << tr("failed to parse address"); + return true; + } + + // parse pubkey r*A & signature + std::string sig_str = args[2]; + const size_t header_len = strlen("ProofV1"); + if (sig_str.size() < header_len || sig_str.substr(0, header_len) != "ProofV1") + { + fail_msg_writer() << tr("Signature header check error"); + return true; + } + crypto::public_key rA; + crypto::signature sig; + const size_t rA_len = tools::base58::encode(std::string((const char *)&rA, sizeof(crypto::public_key))).size(); + const size_t sig_len = tools::base58::encode(std::string((const char *)&sig, sizeof(crypto::signature))).size(); + std::string rA_decoded; + std::string sig_decoded; + if (!tools::base58::decode(sig_str.substr(header_len, rA_len), rA_decoded)) + { + fail_msg_writer() << tr("Signature decoding error"); + return true; + } + if (!tools::base58::decode(sig_str.substr(header_len + rA_len, sig_len), sig_decoded)) + { + fail_msg_writer() << tr("Signature decoding error"); + return true; + } + if (sizeof(crypto::public_key) != rA_decoded.size() || sizeof(crypto::signature) != sig_decoded.size()) + { + fail_msg_writer() << tr("Signature decoding error"); + return true; + } + memcpy(&rA, rA_decoded.data(), sizeof(crypto::public_key)); + memcpy(&sig, sig_decoded.data(), sizeof(crypto::signature)); + + // fetch tx pubkey from the daemon + COMMAND_RPC_GET_TRANSACTIONS::request req; + COMMAND_RPC_GET_TRANSACTIONS::response res; + req.txs_hashes.push_back(epee::string_tools::pod_to_hex(txid)); + if (!net_utils::invoke_http_json("/gettransactions", req, res, m_http_client) || + (res.txs.size() != 1 && res.txs_as_hex.size() != 1)) + { + fail_msg_writer() << tr("failed to get transaction from daemon"); + return true; + } + cryptonote::blobdata tx_data; + bool ok; + if (res.txs.size() == 1) + ok = string_tools::parse_hexstr_to_binbuff(res.txs.front().as_hex, tx_data); + else + ok = string_tools::parse_hexstr_to_binbuff(res.txs_as_hex.front(), tx_data); + if (!ok) + { + fail_msg_writer() << tr("failed to parse transaction from daemon"); + return true; + } + crypto::hash tx_hash, tx_prefix_hash; + cryptonote::transaction tx; + if (!cryptonote::parse_and_validate_tx_from_blob(tx_data, tx, tx_hash, tx_prefix_hash)) + { + fail_msg_writer() << tr("failed to validate transaction from daemon"); + return true; + } + if (tx_hash != txid) + { + fail_msg_writer() << tr("failed to get the right transaction from daemon"); + return true; + } + crypto::public_key R = get_tx_pub_key_from_extra(tx); + if (R == null_pkey) + { + fail_msg_writer() << tr("Tx pubkey was not found"); + return true; + } + + // check signature + if (crypto::check_tx_proof(txid, R, address.m_view_public_key, rA, sig)) + { + success_msg_writer() << tr("Good signature"); + } + else + { + fail_msg_writer() << tr("Bad signature"); + return true; + } + + // obtain key derivation by multiplying scalar 1 to the pubkey r*A included in the signature + crypto::key_derivation derivation; + if (!crypto::generate_key_derivation(rA, rct::rct2sk(rct::I), derivation)) + { + fail_msg_writer() << tr("failed to generate key derivation"); + return true; + } + + return check_tx_key_helper(txid, address, derivation); +} +//---------------------------------------------------------------------------------------------------- static std::string get_human_readable_timestamp(uint64_t ts) { char buffer[64]; diff --git a/src/simplewallet/simplewallet.h b/src/simplewallet/simplewallet.h index edef47e0..e0435229 100644 --- a/src/simplewallet/simplewallet.h +++ b/src/simplewallet/simplewallet.h @@ -154,6 +154,9 @@ namespace cryptonote bool set_log(const std::vector &args); bool get_tx_key(const std::vector &args); bool check_tx_key(const std::vector &args); + bool check_tx_key_helper(const crypto::hash &txid, const cryptonote::account_public_address &address, const crypto::key_derivation &derivation); + bool get_tx_proof(const std::vector &args); + bool check_tx_proof(const std::vector &args); bool show_transfers(const std::vector &args); bool unspent_outputs(const std::vector &args); bool rescan_blockchain(const std::vector &args);