Created Ingestion Class. Generate client encryption keys in the client simulator and on the ingestion side. (Currently just for server 0)

App/appconfig.cpp

@@ -85,9 +85,9 @@ bool config_parse(Config &config, const std::string configstr,
                 } else if (!pentry.first.compare("pub_in")) {
                     config.m_pub_in = pentry.second.get_value<uint8_t>();
                 // Currently hardcoding an AES key for client -> server communication
-                } else if (!pentry.first.compare("client_aes_key")) {
+                } else if (!pentry.first.compare("master_secret")) {
                     std::string hex_key = pentry.second.data();
-                    memcpy(config.client_aes_key, hex_key.c_str(), SGX_AESGCM_KEY_SIZE);
+                    memcpy(config.master_secret, hex_key.c_str(), SGX_AESGCM_KEY_SIZE);
 
                 } else {
                     std::cerr << "Unknown field in params: " <<
@@ -158,7 +158,7 @@ bool config_parse(Config &config, const std::string configstr,
     apiparams.m_priv_in = config.m_priv_in;
     apiparams.m_pub_out = config.m_pub_out;
     apiparams.m_pub_in = config.m_pub_in;
-    memcpy(apiparams.client_aes_key, config.client_aes_key, SGX_AESGCM_KEY_SIZE);
+    memcpy(apiparams.master_secret, config.master_secret, SGX_AESGCM_KEY_SIZE);
     nodenum_t num_nodes = (nodenum_t)(config.nodes.size());
     std::vector<EnclaveAPINodeConfig> apinodeconfigs;
     apinodeconfigs.resize(num_nodes);

App/appconfig.hpp

@@ -30,8 +30,8 @@ struct Config {
     std::vector<NodeConfig> nodes;
     // Which node is this one?
     nodenum_t my_node_num;
-    // Hardcoded AES key for client -> server communication
-    sgx_aes_gcm_128bit_key_t client_aes_key;
+    // Hardcoded master secret to generate keys for client -> server communication
+    sgx_aes_gcm_128bit_key_t master_secret;
 };
 
 bool config_parse(Config &config, const std::string configstr,

Client/clients.cpp

@@ -7,7 +7,11 @@
 #include "boost/property_tree/json_parser.hpp"
 #include <boost/asio.hpp>
 #include <boost/thread.hpp>
+#include "gcm.h"
+#include "sgx_tcrypto.h"
+#include "clients.hpp"
 
+#define CEILDIV(x,y) (((x)+(y)-1)/(y))
 
 // Split a hostport string like "127.0.0.1:12000" at the rightmost colon
 // into a host part "127.0.0.1" and a port part "12000".
@@ -59,7 +63,6 @@ static bool hextobuf(unsigned char *buf, const char *str, size_t len)
     return true;
 }
 
-
 bool config_parse(Config &config, const std::string configstr,
     std::vector<NodeConfig> &ingestion_nodes,
     std::vector<NodeConfig> &storage_nodes)
@@ -88,9 +91,9 @@ bool config_parse(Config &config, const std::string configstr,
                 } else if (!pentry.first.compare("pub_in")) {
                     config.m_pub_in = pentry.second.get_value<uint8_t>();
                 // Currently hardcoding an AES key for client -> server communication
-                } else if (!pentry.first.compare("client_aes_key")) {
+                } else if (!pentry.first.compare("master_secret")) {
                     std::string hex_key = pentry.second.data();
-                    memcpy(config.client_aes_key, hex_key.c_str(), SGX_AESGCM_KEY_SIZE);
+                    memcpy(config.master_secret, hex_key.c_str(), SGX_AESGCM_KEY_SIZE);
 
                 } else {
                     std::cerr << "Unknown field in params: " <<
@@ -155,6 +158,74 @@ static void usage(const char *argv0)
     exit(1);
 }
 
+/*
+
+    Generate ESK (Encryption master Secret Key) and TSK (Token master Secret Key)
+
+*/
+int generateMasterKeys(sgx_aes_gcm_128bit_key_t master_secret,
+   aes_key &ESK, aes_key &TSK )
+{
+    unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
+    unsigned char iv[SGX_AESGCM_IV_SIZE];
+    unsigned char mac[SGX_AESGCM_MAC_SIZE];
+    memset(iv, 0, SGX_AESGCM_IV_SIZE);
+    memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
+    memcpy(iv, "Encryption", sizeof("Encryption"));
+
+    if (sizeof(zeroes) != gcm_encrypt(zeroes, SGX_AESGCM_KEY_SIZE, NULL, 0,
+            master_secret, iv, SGX_AESGCM_IV_SIZE, ESK, mac)) {
+        printf("Client: generateMasterKeys FAIL\n");
+        return -1;
+    }
+
+    printf("Encryption Master Key: ");
+    for(int i=0;i<SGX_AESGCM_KEY_SIZE;i++) {
+        printf("%x", ESK[i]);
+    }
+    printf("\n\n");
+
+    memset(iv, 0, SGX_AESGCM_IV_SIZE);
+    memcpy(iv, "Token", sizeof("Token"));
+    if (sizeof(zeroes) != gcm_encrypt(zeroes, SGX_AESGCM_KEY_SIZE, NULL, 0,
+            master_secret, iv, SGX_AESGCM_IV_SIZE, TSK, mac)) {
+        printf("generateMasterKeys failed\n");
+        return -1;
+    }
+
+    printf("Token Master Key: ");
+    for(int i=0;i<SGX_AESGCM_KEY_SIZE;i++) {
+        printf("%x", TSK[i]);
+    }
+    printf("\n");
+
+    return 1;
+}
+
+/*
+    Takes the client_number, the master aes_key for generating client encryption keys,
+    and the client aes_key to be generated.
+*/
+int generateClientEncryptionKey(clientid_t client_number, aes_key &ESK, aes_key &client_key)
+{
+    unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
+    unsigned char mac[SGX_AESGCM_MAC_SIZE];
+    unsigned char iv[SGX_AESGCM_IV_SIZE];
+    memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
+    memset(iv, 0, SGX_AESGCM_IV_SIZE);
+    memcpy(iv, (unsigned char*) (&client_number), sizeof(client_number));
+
+    // GCM-encrypt, using the chunk key as the associated data
+    if (sizeof(zeroes) != gcm_encrypt(zeroes, SGX_AESGCM_KEY_SIZE, NULL, 0, ESK,
+            iv, SGX_AESGCM_IV_SIZE, client_key, mac)) {
+        printf("generateClientEncryptionKey failed\n");
+        return -1;
+    }
+
+    return 1;
+}
+
+
 
 int main(int argc, char **argv)
 {
@@ -186,6 +257,8 @@ int main(int argc, char **argv)
     std::getline(std::cin, configstr);
 
     Config config;
+    aes_key ESK, TSK;
+    Client *clients = new Client[config.user_count];
 
     if (!config_parse(config, configstr, ingestion_nodes, storage_nodes)) {
        exit(1);
@@ -194,6 +267,24 @@ int main(int argc, char **argv)
     printf("Number of ingestion_nodes = %ld, Number of storage_node = %ld\n",
         ingestion_nodes.size(), storage_nodes.size());
 
+    generateMasterKeys(config.master_secret, ESK, TSK);
+
+    uint32_t clients_per_ing = CEILDIV(config.user_count, ingestion_nodes.size());
+    aes_key client_key;
+
+    for(uint32_t i=0; i<config.user_count; i++) {
+        generateClientEncryptionKey(i, ESK, client_key);
+        clients[i].setKey(client_key);
+
+        printf("Client %d key: ", i);
+        for(int i=0;i<SGX_AESGCM_KEY_SIZE;i++) {
+            printf("%x", client_key[i]);
+        }
+        printf("\n");
+    }
+
+
+    /*
     // Attempt sending a data packet to one of the ingestion servers
     boost::asio::io_context io_context;
     boost::system::error_code err;
@@ -217,6 +308,28 @@ int main(int argc, char **argv)
     nodenum_t node_num = 7;
     boost::asio::write(nodesock,
         boost::asio::buffer(&node_num, sizeof(node_num)));
+    */
+
+    /*
+    int randfd = open("/dev/urandom", O_RDONLY);
+    if (randfd < 0) {
+      throw std::runtime_error("Cannot open /dev/urandom");
+    }
+
+    unsigned char zeroes[config.msg_size];
+    unsigned char buffer[config.msg_size+4+12+16];
+    memset(zeroes, 0, sizeof(zeroes));
+    // An AES key for constructing and verifying the _plaintext_ of the blocks
+    // so that we can ensure that the blocks come out unaltered
+    unsigned char datakey[16];
+    read(randfd, datakey, 16);
+
+    // GCM-encrypt, using the chunk key as the associated data
+    if (sizeof(zeroes) != gcm_encrypt(zeroes, sizeof(zeroes), buffer, 4, datakey,
+            buffer+4, 12, buffer+4+12, buffer+4+12+sizeof(zeroes))) {
+        printf("Inner encryption failed\n");
+    }
+    */
 
     /*
         Spin config.user_client actual clients. Each client:
@@ -226,5 +339,5 @@ int main(int argc, char **argv)
         4) Repeat from 1)
     */
 
+    delete [] clients;
 }
-

Enclave/config.cpp

@@ -3,9 +3,53 @@
 #include "config.hpp"
 #include "utils.hpp"
 #include "route.hpp"
+#include "ingest.hpp"
 
 Config g_teems_config;
 
+int generateMasterKeys(sgx_aes_gcm_128bit_key_t master_secret,
+    sgx_aes_gcm_128bit_key_t &ESK, sgx_aes_gcm_128bit_key_t &TSK)
+{
+    unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
+    unsigned char iv[SGX_AESGCM_IV_SIZE];
+    sgx_aes_gcm_128bit_tag_t mac;
+    memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
+    memset(iv, 0, SGX_AESGCM_IV_SIZE);
+    memcpy(iv, "Encryption", sizeof("Encryption"));
+    sgx_status_t ret = SGX_SUCCESS;
+
+    ret = sgx_rijndael128GCM_encrypt((const sgx_aes_gcm_128bit_key_t *)
+        (master_secret), zeroes, SGX_AESGCM_KEY_SIZE,
+        (uint8_t*) ESK, iv, SGX_AESGCM_IV_SIZE, NULL, 0, &mac);
+    if(ret!=SGX_SUCCESS) {
+        return -1;
+    }
+
+    printf("Encryption Master Key: ");
+    for(int i=0;i<SGX_AESGCM_KEY_SIZE;i++) {
+        printf("%x", ESK[i]);
+    }
+    printf("\n\n");
+
+    memset(iv, 0, SGX_AESGCM_IV_SIZE);
+    memcpy(iv, "Token", sizeof("Token"));
+    ret = sgx_rijndael128GCM_encrypt((const sgx_aes_gcm_128bit_key_t *)
+        (master_secret), zeroes, SGX_AESGCM_KEY_SIZE,
+        (uint8_t*) TSK, iv, SGX_AESGCM_IV_SIZE, NULL, 0, &mac);
+    if(ret!=SGX_SUCCESS) {
+        return -1;
+    }
+
+    printf("Token Master Key: ");
+    for(int i=0;i<SGX_AESGCM_KEY_SIZE;i++) {
+        printf("%x", TSK[i]);
+    }
+    printf("\n");
+
+    return 1;
+}
+
+
 bool ecall_config_load(threadid_t nthreads, bool private_routing,
     EnclaveAPIParams *apiparams,
     EnclaveAPINodeConfig *apinodeconfigs,
@@ -24,7 +68,7 @@ bool ecall_config_load(threadid_t nthreads, bool private_routing,
     g_teems_config.m_pub_out = apiparams->m_pub_out;
     g_teems_config.m_pub_in = apiparams->m_pub_in;
     g_teems_config.private_routing = private_routing;
-    memcpy(g_teems_config.clients_aes_key, apiparams->client_aes_key, SGX_AESGCM_KEY_SIZE);
+    memcpy(g_teems_config.master_secret, apiparams->master_secret, SGX_AESGCM_KEY_SIZE);
 
     // Temporary vectors to store node numbers for nodes of different
     // types, where the node numbers are smaller than our own node
@@ -92,6 +136,24 @@ bool ecall_config_load(threadid_t nthreads, bool private_routing,
     threadpool_init(nthreads);
     PRB_pool_init(nthreads);
 
+    sgx_aes_gcm_128bit_key_t ESK, TSK;
+    generateMasterKeys(g_teems_config.master_secret, ESK, TSK);
+    if(my_node_num==0) {
+        printf("My_node_num match!\n");
+        g_ing.initialize(g_teems_config.user_count, 0, ESK);
+
+        for(uint32_t i=0; i<g_teems_config.user_count; i++) {
+            printf("Client Key %d: ", i);
+            sgx_aes_gcm_128bit_key_t key;
+            memcpy(key, (g_ing.clients).client_keys[i], SGX_AESGCM_KEY_SIZE);
+            for(int j = 0; j<SGX_AESGCM_KEY_SIZE; j++) {
+                printf("%x", key[j]);
+            }
+            printf("\n");
+        }
+
+    }
+
     if (!route_init()) {
         return false;
     }

Enclave/config.hpp

@@ -34,7 +34,7 @@ struct Config {
     std::vector<nodenum_t> ingestion_nodes;
     std::vector<nodenum_t> routing_nodes;
     std::vector<nodenum_t> storage_nodes;
-    sgx_aes_gcm_128bit_key_t clients_aes_key;
+    sgx_aes_gcm_128bit_key_t master_secret;
 };
 
 extern Config g_teems_config;

Enclave/enclave_api.h

@@ -5,6 +5,8 @@
 
 typedef uint16_t threadid_t;
 typedef uint16_t nodenum_t;
+typedef uint32_t clientid_t;
+
 
 struct EnclaveAPIParams {
     uint32_t user_count;
@@ -13,7 +15,7 @@ struct EnclaveAPIParams {
     uint8_t m_priv_in;
     uint8_t m_pub_out;
     uint8_t m_pub_in;
-    sgx_aes_gcm_128bit_key_t client_aes_key;
+    sgx_aes_gcm_128bit_key_t master_secret;
 };
 
 #define ROLE_INGESTION 0x01

Enclave/ingest.cpp

@@ -0,0 +1,35 @@
+#include <pthread.h>
+#include "Enclave_t.h"
+#include "utils.hpp"
+#include "config.hpp"
+#include "route.hpp"
+#include "ingest.hpp"
+
+
+void Ingestion::generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK)
+{
+    printf("In Ingestion::genCK, num_clients = %d, client_start = %d, client_end = %d\n",
+        num_clients, client_start, client_end);
+    for(uint32_t i=0; i<clients.num_clients; i++)
+    {
+        unsigned char zeroes[SGX_AESGCM_KEY_SIZE];
+        unsigned char iv[SGX_AESGCM_IV_SIZE];
+        sgx_aes_gcm_128bit_tag_t mac;
+        memset(zeroes, 0, SGX_AESGCM_KEY_SIZE);
+        memset(iv, 0, SGX_AESGCM_IV_SIZE);
+
+        uint32_t client_num = clients.client_start + i;
+        memcpy(iv, (uint8_t*) (&client_num), sizeof(client_num));
+
+        sgx_status_t ret = SGX_SUCCESS;
+        ret = sgx_rijndael128GCM_encrypt((const sgx_aes_gcm_128bit_key_t *) (ESK),
+            zeroes, SGX_AESGCM_KEY_SIZE, (uint8_t*) (clients.client_keys[i]), iv,
+            SGX_AESGCM_IV_SIZE, NULL, 0, &mac);
+        if(ret!=SGX_SUCCESS) {
+            printf("Ingestion::GCK FAIL\n");
+        }
+
+    }
+}
+
+Ingestion g_ing;

Enclave/ingest.hpp

@@ -0,0 +1,38 @@
+#ifndef __INGEST_HPP__
+#define __INGEST_HPP__
+
+struct ClientList {
+    uint32_t num_clients;
+    uint32_t client_start;
+    uint32_t client_end;
+    sgx_aes_gcm_128bit_key_t *client_keys;
+};
+
+class Ingestion : public ClientList {
+private:
+    //int decrypt();
+    //int verify_tokens();
+    //int queue();
+
+public:
+    ClientList clients;
+
+    void generateClientKeys(sgx_aes_gcm_128bit_key_t &ESK);
+
+    Ingestion() {
+    }
+
+    void initialize(uint32_t num, uint32_t start, sgx_aes_gcm_128bit_key_t &ESK) {
+        clients.num_clients = num;
+        clients.client_start = start;
+        clients.client_end = num+start;
+        clients.client_keys = new sgx_aes_gcm_128bit_key_t[num];
+        generateClientKeys(ESK);
+    }
+
+    //int process();
+};
+
+extern Ingestion g_ing;
+
+#endif

Makefile

@@ -117,7 +117,7 @@ Client_Cpp_Flags := -fPIC -Wno-attributes $(Client_Include_Paths)
 
 Client_Cpp_Objects := $(Client_Cpp_Files:.cpp=.o)
 
-Client_Link_Flags := -lboost_thread -lpthread
+Client_Link_Flags := -lboost_thread -lpthread -lssl3 -lcrypto
 
 Client_Name := Client/clients
 
@@ -323,9 +323,11 @@ Untrusted/Untrusted.o: Untrusted/Enclave_u.h
 Enclave/comms.o: Enclave/Enclave_t.h Enclave/enclave_api.h Enclave/config.hpp
 Enclave/comms.o: Enclave/enclave_api.h
 Enclave/config.o: Enclave/Enclave_t.h Enclave/enclave_api.h Enclave/comms.hpp
-Enclave/config.o: Enclave/enclave_api.h Enclave/config.hpp Enclave/route.hpp
+Enclave/config.o: Enclave/enclave_api.h Enclave/config.hpp Enclave/route.hpp Enclave/ingest.hpp
 Enclave/route.o: Enclave/Enclave_t.h Enclave/enclave_api.h Enclave/config.hpp
 Enclave/route.o: Enclave/enclave_api.h Enclave/route.hpp
+Enclave/ingest.o: Enclave/Enclave_t.h Enclave/enclave_api.h Enclave/config.hpp
+Enclave/ingest.o: Enclave/route.hpp
 Enclave/sort.o: Enclave/sort.hpp
 Enclave/OblivAlgs/RecursiveShuffle.o: Enclave/OblivAlgs/oasm_lib.h
 Enclave/OblivAlgs/RecursiveShuffle.o: Enclave/OblivAlgs/CONFIG.h