Fixed a silent bug with client authentication failing since IV has to be SGX_AESGCM_IV_SIZE. Split client structures into Enclave/Client and moved client authentication there for use by storage module as well

Client/clients.cpp

@@ -82,8 +82,6 @@ void displayMessage(unsigned char *msg, uint16_t msg_size) {
 
 void displayPtMessageBundle(unsigned char *bundle, uint16_t priv_out, uint16_t msg_size) {
     unsigned char *ptr = bundle;
-    uint64_t header = *((uint64_t*) ptr);
-    ptr+=sizeof(uint64_t);
 
     for(int i=0; i<priv_out; i++) {
         displayMessage(ptr, msg_size);
@@ -418,14 +416,13 @@ int Client::sendAuthMessage(unsigned long epoch_no)
     memcpy(am_ptr, &epoch_no, sizeof(unsigned long));
     am_ptr+=sizeof(unsigned long);
 
-    unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
-    unsigned char tag[SGX_AESGCM_MAC_SIZE];
-    memset(iv, 0, SGX_AESGCM_IV_SIZE);
-    memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
-    memset(tag, 0, SGX_AESGCM_KEY_SIZE);
+    unsigned char zeroes[SGX_AESGCM_KEY_SIZE] = {0};
+    unsigned char tag[SGX_AESGCM_MAC_SIZE] = {0};
+    unsigned char epoch_iv[SGX_AESGCM_IV_SIZE] = {0};
+    memcpy(epoch_iv, &epoch_no, sizeof(epoch_no));
 
     if (sizeof(zeroes) != gcm_encrypt(zeroes, SGX_AESGCM_KEY_SIZE, NULL, 0, key,
-            (unsigned char*) &epoch_no, sizeof(epoch_no), am_ptr, tag)) {
+            epoch_iv, SGX_AESGCM_IV_SIZE, am_ptr, tag)) {
         printf("generateClientEncryptionKey failed\n");
         return -1;
     }

Client/clients.hpp

@@ -39,7 +39,7 @@ private:
     // number and the userid at that storage node in the last DEST_UID_BITS
     clientid_t id;
     aes_key key;
-    unsigned char iv[SGX_AESGCM_IV_SIZE];
+    unsigned char iv[SGX_AESGCM_IV_SIZE] = {0};
 
     boost::asio::ip::tcp::socket *ingestion_sock = NULL;
 

Enclave/client.cpp

@@ -0,0 +1,34 @@
+#include "Enclave_t.h"
+#include "utils.hpp"
+#include "client.hpp"
+
+bool authenticateClient(unsigned char *auth_message,
+    const sgx_aes_gcm_128bit_key_t *ckey)
+{
+    int auth_success = 0;
+    unsigned long epoch_no = *((unsigned long*) auth_message);
+    auth_message+=(sizeof(unsigned long));
+
+    unsigned char computed_auth[SGX_AESGCM_KEY_SIZE];
+    unsigned char zeroes[SGX_AESGCM_KEY_SIZE] = {0};
+    unsigned char iv[SGX_AESGCM_IV_SIZE] = {0};
+    sgx_aes_gcm_128bit_tag_t mac;
+    memcpy(iv, &epoch_no, sizeof(epoch_no));
+    sgx_status_t ret = SGX_SUCCESS;
+
+    ret = sgx_rijndael128GCM_encrypt(ckey, zeroes, SGX_AESGCM_KEY_SIZE,
+        computed_auth, iv, SGX_AESGCM_IV_SIZE, NULL, 0, &mac);
+    if(ret!=SGX_SUCCESS) {
+        return false;
+    }
+
+    auth_success = memcmp(auth_message, computed_auth, SGX_AESGCM_KEY_SIZE);
+
+    if(auth_success == 0) {
+        return true;
+    } else {
+        printf("authentication FAIL\n");
+        return false;
+    }
+}
+

Enclave/client.hpp

@@ -0,0 +1,19 @@
+#ifndef __CLIENTS_HPP__
+#define __CLIENTS_HPP__
+
+
+struct IngClient {
+    sgx_aes_gcm_128bit_key_t key;
+    // Add other relevant ingestion client state like
+    // public priority and last epoch here.
+};
+
+struct StgClient{
+    sgx_aes_gcm_128bit_key_t key;
+};
+
+
+bool authenticateClient(unsigned char *auth_message,
+    const sgx_aes_gcm_128bit_key_t *ckey);
+
+#endif

Enclave/ingest.cpp

@@ -13,6 +13,7 @@ void displayMessage(unsigned char *msg, uint16_t msg_size) {
     sid = *((clientid_t*) ptr);
     ptr+=sizeof(sid);
     rid = *((clientid_t*) ptr);
+    ptr+=sizeof(rid);
     printf("Sender ID: %d, Receiver ID: %d, Token: N/A\n", sid, rid );
     printf("Message: ");
     for(int j = 0; j<msg_size - sizeof(sid)*2; j++) {
@@ -59,11 +60,11 @@ bool ecall_authenticate(clientid_t cid, unsigned char *auth_message)
     return ret;
 }
 
-void Ingestion::initialize(uint32_t cnum, uint32_t cstart, sgx_aes_gcm_128bit_key_t &ESK) {
-    clients.num = cnum;
-    clients.start = cstart;
-    clients.end = cnum + cstart;
-    clients.keys = new sgx_aes_gcm_128bit_key_t[cnum];
+void Ingestion::initialize(uint32_t num, uint32_t start, sgx_aes_gcm_128bit_key_t &ESK) {
+    cnum = num;
+    cstart = start;
+    clients = new IngClient[cnum];
+
     generateClientKeys(ESK);
 
     max_buffer_size = g_teems_config.m_priv_out * cnum;
@@ -72,54 +73,26 @@ void Ingestion::initialize(uint32_t cnum, uint32_t cstart, sgx_aes_gcm_128bit_ke
 
 bool Ingestion::authenticate(clientid_t cid, unsigned char *auth_message)
 {
-    int auth_success = 0;
-    unsigned long epoch_no = *((unsigned long*) auth_message);
-    auth_message+=(sizeof(unsigned long));
-    // Fetch corresponding client key
-    clientid_t lcid = cid - g_ing.clients.start;
-    sgx_aes_gcm_128bit_key_t &ckey = (g_ing.clients).keys[lcid];
-
-    unsigned char computed_auth[SGX_AESGCM_KEY_SIZE];
-    unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
-    unsigned char iv[SGX_AESGCM_IV_SIZE];
-    sgx_aes_gcm_128bit_tag_t mac;
-    memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
-    memset(iv, 0, SGX_AESGCM_IV_SIZE);
-    sgx_status_t ret = SGX_SUCCESS;
-
-    ret = sgx_rijndael128GCM_encrypt(&ckey, zeroes, SGX_AESGCM_KEY_SIZE,
-        computed_auth, (unsigned char*) (&epoch_no), sizeof(epoch_no), NULL, 0, &mac);
-    if(ret!=SGX_SUCCESS) {
-        return -1;
-    }
-
-    auth_success = memcmp(auth_message, computed_auth, SGX_AESGCM_KEY_SIZE);
-
-    if(auth_success == 0) {
-        return true;
-    } else {
-        printf("authentication FAIL\n");
-        return false;
-    }
+    uint32_t lcid = cid-cstart;
+    const sgx_aes_gcm_128bit_key_t *ckey = &(clients[lcid].key);
+    return(authenticateClient(auth_message, ckey));
 }
 
 bool Ingestion::processMsgBundle(clientid_t cid, unsigned char *msgbundle,
     uint32_t num_msgs) {
 
     // Fetch corresponding client key
-    clientid_t lcid = cid - g_ing.clients.start;
-    sgx_aes_gcm_128bit_key_t &ckey = (g_ing.clients).keys[lcid];
+    clientid_t lcid = cid - g_ing.cstart;
+    sgx_aes_gcm_128bit_key_t *ckey = &(clients[lcid].key);
     unsigned char *iv = msgbundle;
     msgbundle += SGX_AESGCM_IV_SIZE;
 
     uint16_t msg_size = g_teems_config.msg_size;
     uint32_t msgbundle_size = num_msgs * msg_size;
     unsigned char *dec_msgbundle = (unsigned char *) malloc (msgbundle_size);
-    //sgx_aes_gcm_128bit_tag_t tag;
-    //memcpy(tag, msgbundle + msgbundle_size, SGX_AESGCM_MAC_SIZE);
     sgx_aes_gcm_128bit_tag_t *tag = (sgx_aes_gcm_128bit_tag_t*) (msgbundle + msgbundle_size);
 
-    sgx_status_t ret = sgx_rijndael128GCM_decrypt(&ckey, msgbundle, msgbundle_size,
+    sgx_status_t ret = sgx_rijndael128GCM_decrypt(ckey, msgbundle, msgbundle_size,
         dec_msgbundle, iv, SGX_AESGCM_IV_SIZE, NULL, 0, tag);
     if(ret!=SGX_SUCCESS) {
         printf("Ingestion::processMsgBundle FAIL\n");
@@ -154,8 +127,8 @@ bool Ingestion::processMsgBundle(clientid_t cid, unsigned char *msgbundle,
 void Ingestion::generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK)
 {
     printf("In Ingestion::genCK, num_clients = %d, client_start = %d, client_end = %d\n",
-        clients.num, clients.start, clients.end);
-    for(uint32_t i=0; i<clients.num; i++)
+        cnum, cstart, cnum + cstart);
+    for(uint32_t i=0; i<cnum; i++)
     {
         unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
         unsigned char iv[SGX_AESGCM_IV_SIZE];
@@ -163,12 +136,12 @@ void Ingestion::generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK)
         memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
         memset(iv, 0, SGX_AESGCM_IV_SIZE);
 
-        uint32_t client_num = clients.start + i;
+        uint32_t client_num = cstart + i;
         memcpy(iv, (uint8_t*) (&client_num), sizeof(client_num));
 
         sgx_status_t ret = SGX_SUCCESS;
         ret = sgx_rijndael128GCM_encrypt((const sgx_aes_gcm_128bit_key_t *) (ESK),
-            zeroes, SGX_AESGCM_KEY_SIZE, (uint8_t*) (clients.keys[i]), iv,
+            zeroes, SGX_AESGCM_KEY_SIZE, (uint8_t*) (clients[i].key), iv,
             SGX_AESGCM_IV_SIZE, NULL, 0, &tag);
         if(ret!=SGX_SUCCESS) {
             printf("Ingestion::GCK FAIL\n");
@@ -176,3 +149,8 @@ void Ingestion::generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK)
 
     }
 }
+
+sgx_aes_gcm_128bit_key_t* Ingestion::getClientKey(uint32_t lcid)
+{
+    return(&(clients[lcid].key));
+}

Enclave/ingest.hpp

@@ -1,21 +1,19 @@
 #ifndef __INGEST_HPP__
 #define __INGEST_HPP__
 
-//#define DEBUG_INGESTION
+#include "client.hpp"
 
-struct ClientList {
-    uint32_t num;
-    uint32_t start;
-    uint32_t end;
-    sgx_aes_gcm_128bit_key_t *keys;
-};
+//#define DEBUG_INGESTION
 
 class Ingestion{
 private:
 
-    ClientList clients;
+    // ClientList clients;
+    IngClient *clients;
     MsgBuffer *buffer;
     uint32_t max_buffer_size;
+    uint32_t cstart;
+    uint32_t cnum;
 
 public:
 
@@ -24,19 +22,9 @@ public:
 
     void generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK);
 
-    void initialize(uint32_t cnum, uint32_t cstart, sgx_aes_gcm_128bit_key_t &ESK);
-
-    uint32_t getClientNum() {
-        return (clients.num);
-    }
-
-    uint32_t getClientStart() {
-        return (clients.start);
-    }
+    sgx_aes_gcm_128bit_key_t* getClientKey(uint32_t lcid);
 
-    sgx_aes_gcm_128bit_key_t* getClientKeys() {
-        return (clients.keys);
-    }
+    void initialize(uint32_t cnum, uint32_t cstart, sgx_aes_gcm_128bit_key_t &ESK);
 
     bool authenticate(clientid_t cid, unsigned char *auth_string);