Browse Source

Added changes to get the decryption to work

dettanym 5 years ago
parent
commit
3a68fdd0b7
4 changed files with 233 additions and 258 deletions
  1. 107 131
      ProtobufLAInitiator.cpp
  2. 21 23
      SgxProtobufLAInitiator.cpp
  3. 29 30
      crypto.cpp
  4. 76 74
      systemMain.cpp

+ 107 - 131
ProtobufLAInitiator.cpp

@@ -14,9 +14,10 @@ using namespace google::protobuf::io;
 #include <arpa/inet.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+#include <queue>
 
 int global_decryptor_fd;
-
+#define TOKEN_H_MAX_LENGTH 300;
 
 // TODO: Make these private functions
 int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
@@ -100,7 +101,7 @@ int set_up_socket_connect(int port)
   return sock;
 }
 
-int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
+int do_local_attestation(int port)
 {
   // declare msg1, msg2, msg3 protobuf objects
   protobuf_sgx_dh_msg1_t protobuf_msg1;
@@ -108,19 +109,9 @@ int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
   protobuf_sgx_dh_msg3_t protobuf_msg3;
   uint32_t protobuf_sgx_ret;
 
-//  uint8_t encrypted_hash[32]; uint8_t encrypted_tag[16]; size_t post_la_bytes_written;
-//	uint8_t tokenT_and_tag[176]; size_t bytes_read;
-
-  // For socket to listen to the Apache enclave.
-//  int server_fd=0; int accept_fd = 0;
-//   std::string protobuf_encrypted_msg_string(protobuf_encrypted_msg.msg());
-  // memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176);
-//  struct sockaddr_in own_addr;
-//  struct sockaddr_storage apache_addr; socklen_t apache_addr_size = sizeof(apache_addr);
   uint32_t session_id;
-  //  int counter;
-
   int decryptor_fd;
+
   setbuf(stdout,NULL);
   decryptor_fd=set_up_socket_connect(port);
   if(decryptor_fd == -1)
@@ -128,142 +119,142 @@ int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
     perror("\nCould not set up the socket: had the following error: ");
     fflush(stderr);
   }
-//  printf("");
+  global_decryptor_fd=decryptor_fd;
+
+  // Reading msg 1 from decryptor enclave.
   if(read_protobuf_msg_from_fd(decryptor_fd, protobuf_msg1)!=0)
     return -1;
 
+  // Generating message 2 given message 1 as input
   protobuf_sgx_ret = process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_msg1, protobuf_msg2, &session_id);
   if(protobuf_sgx_ret != 0)
   {
     printf("Error in process_protobuf_dh_msg1_generate_protobuf_dh_msg2: 0x%x", protobuf_sgx_ret); fflush(stdout); return protobuf_sgx_ret;
   }
 
+  // Writing msg 2 to decryptor enclave.
   if(write_protobuf_msg_to_fd(decryptor_fd, protobuf_msg2)!=0)
     return -1;
 
+  // Reading msg3 from decryptor enclave
   if(read_protobuf_msg_from_fd(decryptor_fd, protobuf_msg3)!=0)
     return -1;
 
+  // Process message 3
   protobuf_sgx_ret = process_protobuf_dh_msg3(protobuf_msg3, &session_id);
   if(protobuf_sgx_ret != 0)
   {
       printf("Error in process_protobuf_dh_msg3: 0x%x", protobuf_sgx_ret); fflush(stdout); return protobuf_sgx_ret;
   }
-          unsigned char tokenT_and_tag[176]; int protobuf_encrypted_msg_size;
+}
 
+uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encoded_token_H, uint32_t* base64_encoded_token_H_length)
+{
+  unsigned char* encrypted_token_H_and_tag, *plaintext_token_H;
+  uint32_t encrypted_token_H_and_tag_length, plaintext_token_H_length;
+  protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
+  uint32_t count;
+  uint32_t internal_return_status;
+
+  // Reading the encrypted token H from the
+  if(read_protobuf_msg_from_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
+  {
+    printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe;
+  }
 
-          protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
-        if(read_protobuf_msg_from_fd(decryptor_fd, protobuf_encrypted_msg)!=0)
-   {
-	printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe;
-   }
-   std::string protobuf_encrypted_msg_string(protobuf_encrypted_msg.msg());
-   memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176);
+  std::string protobuf_encrypted_msg_string(protobuf_encrypted_msg.msg());
+  encrypted_token_H_and_tag_length=protobuf_encrypted_msg_string.length();
+  encrypted_token_H_and_tag = (unsigned char*) malloc(encrypted_token_H_and_tag_length);
+  memcpy(encrypted_token_H_and_tag, protobuf_encrypted_msg_string.c_str(), protobuf_encrypted_msg_string.length());
 
-   printf("Read encrypted signature and tag from the decryptor socket.\n"); fflush(stdout);
-    uint32_t count;
+  printf("Read the following encrypted token T and tag from the decryptor socket.\n"); fflush(stdout);
 	printf("Encrypted data:\n");
-	for(count=0;count<176;count++)
-		printf("0x%02x ", tokenT_and_tag[count]);
+	for(count=0; count<encrypted_token_H_and_tag_length; count++)
+		printf("0x%02x ", encrypted_token_H_and_tag[count]);
 	printf("\n"); fflush(stdout);
-	uint8_t plaintext_token[160]; int plaintext_length=0;
-	uint32_t ret_decrypt=aes_gcm_wrapper(0, tokenT_and_tag, 160, plaintext_token, &plaintext_length, tokenT_and_tag+160);
-//int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag);
-	if(ret_decrypt!=0)
-		{
-			printf("Errorin decryption 0x%x", ret_decrypt); fflush(stdout); return 0xed;
-		}
-        printf("Decryption keypair\n");
-        for(count=0;count<64;count++)
-                printf("0x%02x ", plaintext_token[count]);
+
+  // TODO: Modify aes_gcm_wrapper to do the thing where it takes care of the tag internally.
+	internal_return_status = aes_gcm_wrapper(0, encrypted_token_H_and_tag, encrypted_token_H_and_tag_length, plaintext_token_H, &plaintext_token_H_length);
+	if(internal_return_status != 0)
+	{
+    printf("Error in decryption 0x%x", ret_decrypt); fflush(stdout); return internal_return_status;
+	}
+
+  printf("Decryptor's short-term public key\n");
+  for(count=0;count<64;count++)
+    printf("0x%02x ", plaintext_token[count]);
 	printf("\n"); fflush(stdout);
-	printf("Decryption verifier mrenclave\n");
+
+	printf("Verifier mrenclave\n");
 	for(count=64;count<96;count++)
-                printf("0x%02x ", plaintext_token[count]);
+    printf("0x%02x ", plaintext_token[count]);
 	printf("\n"); fflush(stdout);
-	count=base64_encoding_wrapper(plaintext_token, base64_encoded_token, 160);
-	if(count != 216)
-	{
-		printf("Somehow not the entire token was encoded in base64:0x%x\n", count); fflush(stdout); return 0x55;
-	}
-	global_decryptor_fd=decryptor_fd;
+
+	*base64_encoded_token_H_length=base64_encoding_wrapper(plaintext_token, base64_encoded_token_H, plaintext_token_H_length);
+  /*
+  // TODO: Better return value handling.
+  if(!(base64_encoded_token_H_length <= 4 * Math.ceil(plaintext_token_H_length/3) && base64_encoded_token_H_length > 4 * (Math.ceil(plaintext_token_H_length/3) - 1)))
+  {
+    printf("Somehow not the entire token was encoded in base64:0x%x\n", base64_encoded_token_H_length); fflush(stdout); return 0x55;
+  }
+  */
 	printf("Successfully done Local attestation\n");
 	fflush(stdout);
 	return 0;
 }
 
-int extract_binary_key_and_client_ciphertext_data_from_base64(unsigned char* base64_encoded_client_pub_key, unsigned char* base64_ciphertext, uint32_t base64_ciphertext_length, unsigned char* op_client_public_key_and_ciphertext, uint32_t* op_ciphertext_length)
+/*uint32_t base64_decoding_on_all_client_data(std::vector<std::string>& ip_base64_client_public_key_ciphertexts, std::vector<std::string>& op_client_public_key_ciphertexts)
 {
-	int openssl_ret_status;
-        openssl_ret_status=base64_decoding_wrapper(base64_encoded_client_pub_key, op_client_public_key_and_ciphertext, 88);
-        if(openssl_ret_status == -1)
-        	return 0xfe;
+	int openssl_ret_status; uint32_t counter;
+  unsigned long list_size;
+  std::string op_string;
+  unsigned char* op_array;
 
-	*op_ciphertext_length = base64_decoding_wrapper(base64_ciphertext, op_client_public_key_and_ciphertext + 64, base64_ciphertext_length);
-	if(*op_ciphertext_length == -1)
-	{
-		return 0x33;
-	}
+  list_size=ip_base64_client_public_key_ciphertexts.size();
+  for(std::string ip_base64_string: ip_base64_client_public_key_ciphertexts)
+  {
+    openssl_ret_status=base64_decoding_wrapper(ip_base64_string.c_str(), op_string, ip_base64_string.length());
+    if(openssl_ret_status == -1)
+      	return 0xfe;
+
+  	*op_ciphertext_length = base64_decoding_wrapper(base64_ciphertext, op_client_public_key_and_ciphertext + 64, base64_ciphertext_length);
+  	if(*op_ciphertext_length == -1)
+  	{
+  		return 0x33;
+  	}
+  }
 	return 0;
 
 }
+*/
 
 // should be called with the base64encoded public key and data to be decrypted
 // base64 encoded public key should be of length 4*(ceil(64/3)) = 88 (at least)
-int decrypt_client_data_through_decryptor(unsigned char* base64_client_public_key, unsigned char* base64_ciphertext_client_data, uint32_t base64_ciphertext_client_data_length, unsigned char* plaintext_client_data, uint32_t* op_plaintext_client_data_length)
+int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_public_key_ciphertext,
+  uint32_t ip_base64_client_public_key_ciphertext_length,
+  unsigned char* op_plaintext,
+  uint32_t op_plaintext_length
+)
 {
-	int ret_status;
-	uint32_t count;
-	unsigned char* client_data_to_decryptor;
-	unsigned char* client_data_encrypted_to_decryptor;
-	unsigned char* client_data_from_decryptor;
-	unsigned char tag[16]; 
-	const char* msg;
-	protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
-	int output_length;
-	int input_length;
-	uint32_t ciphertext_length;
-	for(count=0; count<base64_ciphertext_client_data_length; count++)
-		plaintext_client_data[count] = base64_ciphertext_client_data[count];
-	*op_plaintext_client_data_length = base64_ciphertext_client_data_length;
-
-	client_data_to_decryptor = (unsigned char*) malloc(64 + (base64_ciphertext_client_data_length * 3/4));
-	// If ciphertext_length != base64_ciphertext_client_data_length * 3/4 then it will write outside the allocated memory
-	ret_status = extract_binary_key_and_client_ciphertext_data_from_base64(base64_client_public_key, base64_ciphertext_client_data, base64_ciphertext_client_data_length, client_data_to_decryptor, &ciphertext_length);
-	if(ret_status != 0)
-		return ret_status;
-
-	input_length = ciphertext_length + 64; // normal case - no writing outside the allocated memory.
-	printf("Public key and ciphertext:\n"); fflush(stdout);
-	for(count = 0; count<input_length; count++)
-		printf("0x%02x ", client_data_to_decryptor[count]);
-	printf("\n"); fflush(stdout);
-
-/*	client_data_encrypted_to_decryptor = (unsigned char*) malloc(input_length + 16);
-	// TODO: try to call aes_gcm  *in encryption mode* on ciphertext data of ciphertext_length (where is the iv?)
-	// if output_length != ciphertext_length + 64 then tag will be overwritten.
-	ret_status = aes_gcm_wrapper(1, client_data_to_decryptor, input_length, client_data_encrypted_to_decryptor, &output_length, tag);
-	if(ret_status != 0 || output_length != input_length)
-	{
-		free(client_data_to_decryptor);
-		free(client_data_encrypted_to_decryptor);
-		return ret_status;
-	}
-	for(count=0; count<16; count++)
-		client_data_encrypted_to_decryptor[output_length+count]=tag[count]; 
-	// TODO: Increment AESGCM IV here.
-*/
-	protobuf_encrypted_msg.set_msg((void*)client_data_to_decryptor, input_length);
-	free(client_data_to_decryptor);
-//	free(client_data_encrypted_to_decryptor);
-/*
-	printf("Writing this to the decryptor: \n"); fflush(stdout); 
-	for(count=8;count<output_length+16+8;count++)
-		printf("0x%02x ", client_data_to_decryptor[count]);
-	printf("\n");	fflush(stdout);
-*/
+  unsigned char* ciphertext_to_decryptor, *ciphertext_from_decryptor;
+  uint32_t ciphertext_to_decryptor_length, ciphertext_from_decryptor_length;
+  uint32_t internal_return_status;
+
+  // Encrypting to the decryptor enclave
+  ciphertext_to_decryptor=(unsigned char*) malloc(ip_base64_client_public_key_ciphertext + 16);
+  internal_return_status = aes_gcm_wrapper(1, ip_base64_client_public_key_ciphertext, ip_base64_client_public_key_ciphertext_length,
+    ciphertext_to_decryptor, ciphertext_to_decryptor_length
+  );
+  // Error checking on ciphertext that is to be sent to decryptor
+  if(internal_return_status != 0)
+  {
+    free(ciphertext_to_decryptor);
+    return internal_return_status;
+  }
 
-	// write message to decryptor
+  // write message to decryptor
+  protobuf_encrypted_msg.set_msg( ciphertext_to_decryptor , ciphertext_to_decryptor_length );
+  free(ciphertext_to_decryptor);
 	if(write_protobuf_msg_to_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
 	{
 		printf("Not all of the client's pub key and ciphertext data was written\n"); fflush(stdout); return 0xfe;
@@ -272,37 +263,22 @@ int decrypt_client_data_through_decryptor(unsigned char* base64_client_public_ke
 	// clear the message before setting it again
 	protobuf_encrypted_msg.clear_msg();
 
-	// read encrypted data
+  // read encrypted data
 	printf("Reading msg from decryptor"); fflush(stdout);
 	if(read_protobuf_msg_from_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
 	{
 		printf("Not all of the decryptor's message was read\n"); fflush(stdout); return 0xf3;
 	}
 	printf("Done reading msg from decryptor\n"); fflush(stdout);
+  ciphertext_from_decryptor_length = protobuf_encrypted_msg.length();
+  ciphertext_from_decryptor = protobuf_encrypted_msg.c_str();
 
-	// define plaintext array
-	input_length = protobuf_encrypted_msg.msg().length();
-	msg = protobuf_encrypted_msg.msg().c_str(); 
-	for(count=0; count<input_length; count++)
-		plaintext_client_data[count] = msg[count]; 
-	*op_plaintext_client_data_length = input_length; 
-	/* client_data_from_decryptor=(unsigned char*)malloc(input_length);
-	memcpy(client_data_from_decryptor, protobuf_encrypted_msg.msg().c_str(), input_length); //TODO: THIS might be a problem - c_str might terminate at null bytes?
-
-	// TODO: decrypt data received in the protobuf_encrypted_msg, set bytes at plaintext_client_data to it.
-	for(count=0;count<input_length;count++)
-	{
-		plaintext_client_data[count]=client_data_from_decryptor[count]; 
-		printf("0x%02x ", client_data_from_decryptor[count]);
-	}
-	printf("\n"); fflush(stdout);
-	*op_plaintext_client_data_length=input_length; 
+  // Decrypt data from decryptor
+  internal_return_status = aes_gcm_wrapper(0, ciphertext_from_decryptor, ciphertext_from_decryptor_length,
+    op_plaintext, op_plaintext_length
+  );
+  if(internal_return_status != 0)
+    return internal_return_status;
 
-	ret_status = aes_gcm_wrapper(0, client_data_from_decryptor, input_length, plaintext_client_data, &output_length, client_data_from_decryptor + input_length - 16);
-	if(ret_status == 0)
-		*op_plaintext_client_data_length = output_length;
-	free(client_data_from_decryptor);
-	*/
-	return 0;
+  return 0;
 }
-

+ 21 - 23
SgxProtobufLAInitiator.cpp

@@ -23,6 +23,7 @@
 
 dh_session_t global_session_info;
 sgx_dh_session_t sgx_dh_session;
+uint8_t key[16];
 uint8_t iv[12];
 
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id)
@@ -68,7 +69,8 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
 
   //No verification checks here: no security guarantees obtained from any such checks
   memset(iv, 0, 12);
-  memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
+  memcpy(key, &dhaek, sizeof(sgx_key_128bit_t));
+  //memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
   global_session_info.session_id = 1; // TODO: session_id;
   global_session_info.active.counter = 0;
   global_session_info.status = ACTIVE;
@@ -76,28 +78,24 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
 
   return 0;
 }
-/*
-uint32_t decrypt_wrapper(unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len, unsigned char* ip_encrypted_tag)
-{
-        uint32_t return_status;
-        unsigned char key[16]; uint32_t count;
-        for(count=0;count<16;count++)
-                key[count]=global_session_info.active.AEK[count];
-	printf("Doing decryption\n"); fflush(stdout); 
-        return_status=aes_cipher(0, key, iv, ciphertext, ciphertext_len, op_plaintext,  op_plaintext_len, ip_encrypted_tag);
-        return return_status;
-}
-*/
 
-uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len, unsigned char* ip_tag)
+uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len)
 {
-	memset(iv, 0, 12); 
-        uint32_t return_status;
-        unsigned char key[16]; uint32_t count;
-        for(count=0;count<16;count++)
-                key[count]=global_session_info.active.AEK[count];
-        printf("About to do enc/dec\n"); fflush(stdout); 
-        return_status=aes_gcm(enc, key, iv, ciphertext, ciphertext_len, op_plaintext,  op_plaintext_len, ip_tag);
-        return return_status;
+	memset(iv, 0, 12);
+  uint8_t tag[16];uint32_t counter; uint32_t return_status;
+  if(enc == 0)
+  {
+    for(counter=0;counter<16;counter++)
+      tag[counter] = plaintext[counter + plaintext_length];
+  }
+  uint32_t return_status = aes_gcm_128(enc, key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
+  if(enc == 1)
+  {
+    for(counter=0;counter<16;counter++)
+      ciphertext[counter + *ciphertext_length] = tag[counter];
+    *ciphertext_length=*ciphertext_length + 16;
+  }
+  if(return_status == 0)
+    aes_gcm_increment_iv_internal_call(iv);
+  return return_status;
 }
-

+ 29 - 30
crypto.cpp

@@ -1,9 +1,9 @@
-#include <stdio.h> 
-#include <string> 
+#include <stdio.h>
+#include <string>
 #include <string.h>
 #include <memory>
 using std::unique_ptr;
-#include <openssl/err.h> 
+#include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
@@ -12,49 +12,49 @@ using std::unique_ptr;
 EVP_CIPHER_CTX *ctx;
 RSA* rsa;
 BIGNUM* bn;
-// assumes that the digest is at least of length 256/8 bytes. 
+// assumes that the digest is at least of length 256/8 bytes.
 uint32_t generate_sha256_hash(const unsigned char *message, size_t message_len, unsigned char *digest)
 {
 	EVP_MD_CTX *mdctx; unsigned int digest_len;
 
 	if((mdctx = EVP_MD_CTX_create()) == NULL)
 	{
-		printf("EVP_MD_CTX_create returned NULL - could not create context\n"); fflush(stdout); return 0x1; 
+		printf("EVP_MD_CTX_create returned NULL - could not create context\n"); fflush(stdout); return 0x1;
 	}
 
 	if(EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1)
 	{
-                printf("EVP_DigestInit_ex returned 0 - could not initialize hash with SHA256\n"); fflush(stdout); return 0x2; 
+                printf("EVP_DigestInit_ex returned 0 - could not initialize hash with SHA256\n"); fflush(stdout); return 0x2;
 	}
 
-        if(EVP_DigestUpdate(mdctx, message, message_len) != 1)        
+        if(EVP_DigestUpdate(mdctx, message, message_len) != 1)
         {
-                printf("EVP_DigestUpdate returned 0 - could not compute SHA256 hash\n"); fflush(stdout); return 0x3; 
+                printf("EVP_DigestUpdate returned 0 - could not compute SHA256 hash\n"); fflush(stdout); return 0x3;
         }
 
-	if(1 != EVP_DigestFinal_ex(mdctx, digest, &digest_len))     
+	if(1 != EVP_DigestFinal_ex(mdctx, digest, &digest_len))
         {
-                printf("EVP_DigestFinal_ex returned 0 - could not finalize SHA256 hash\n"); fflush(stdout); return 0x4; 
+                printf("EVP_DigestFinal_ex returned 0 - could not finalize SHA256 hash\n"); fflush(stdout); return 0x4;
         }
 
-	if(digest_len != 32) 
+	if(digest_len != 32)
 	{
-		printf("EVP_DigestFinal_ex returned a digest length of 0x%x instead of 0x20\n", digest_len); fflush(stdout); return 0x5; 
+		printf("EVP_DigestFinal_ex returned a digest length of 0x%x instead of 0x20\n", digest_len); fflush(stdout); return 0x5;
 	}
 	EVP_MD_CTX_destroy(mdctx);
-	return 0; 
+	return 0;
 }
 //////////////////////////////////////////////////////////////////////////
 //////////////////////////////////////
 void crypto_cleanup()
 {
-	RSA_free(rsa); 
-	BN_free(bn); 
-	EVP_CIPHER_CTX_free(ctx); 
+	RSA_free(rsa);
+	BN_free(bn);
+	EVP_CIPHER_CTX_free(ctx);
 }
 
-// Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption 
-int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag)
+// Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
+int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag)
 {
 	int len;
 	int ciphertext_len;
@@ -93,7 +93,7 @@ int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plain
                 {
                        reset_return = EVP_CIPHER_CTX_reset(ctx);
                        ERR_print_errors_fp(stderr); fflush(stderr);
-                       if(1 != reset_return) 
+                       if(1 != reset_return)
                                 return 0xF5;
                         return 0x5;
                 }
@@ -103,8 +103,8 @@ int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plain
 	/* Finalise the encryption. Normally ciphertext bytes may be written at
 	 * this stage, but this does not occur in GCM mode
 	 */
-	// TODO: ^^^ Why the heck does it not occur in GCM mode ? 
-	if(1 != EVP_CipherFinal_ex(ctx, ciphertext + len, &len)) 
+	// TODO: ^^^ Why the heck does it not occur in GCM mode ?
+	if(1 != EVP_CipherFinal_ex(ctx, ciphertext + len, &len))
 	{
 		reset_return = EVP_CIPHER_CTX_reset(ctx);
 		ERR_print_errors_fp(stderr); fflush(stderr);
@@ -121,7 +121,7 @@ int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plain
 		{
                 	reset_return = EVP_CIPHER_CTX_reset(ctx);
                 	ERR_print_errors_fp(stderr); fflush(stderr);
-                	if(1 != reset_return) 
+                	if(1 != reset_return)
                         	return 0xF5;
 	                return 0x5;
 		}
@@ -131,10 +131,10 @@ int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plain
 	if(1 != EVP_CIPHER_CTX_reset(ctx))
 	{
 		ERR_print_errors_fp(stderr); fflush(stderr);
-		return 0xF0; 
+		return 0xF0;
 	}
 
-	*op_ciphertext_len=ciphertext_len; 
+	*op_ciphertext_len=ciphertext_len;
 	return 0;
 }
 
@@ -148,16 +148,15 @@ uint32_t base64_decoding_wrapper(unsigned char* src, unsigned char* dest, uint32
 {
         int length_with_padding = EVP_DecodeBlock(dest, src, length);
         if(length_with_padding == -1)
-                return length_with_padding; 
+                return length_with_padding;
         char* first_equals_character = strstr((char*)src, "=");
         if(first_equals_character != NULL)
         {
                 if(first_equals_character == (char*)src + length - 1) // the first equals character is also the last character in the string ==> Only one equals ==> 2 v$
-                        length_with_padding -= 1; 
+                        length_with_padding -= 1;
                 else //if(first_equals_character == src + 38) // assuming that the base64 string is valid (EVP_DecodeBlock would have thrown an error in that case), the$
-                        length_with_padding -= 2; 
+                        length_with_padding -= 2;
         }
-        
-        return length_with_padding;           
-}
 
+        return length_with_padding;
+}

+ 76 - 74
systemMain.cpp

@@ -15,130 +15,132 @@ using namespace std;
 
 
 
-// #include <unistd.h> 
-// based off the example functionreturnvalue.cpp in PHP-CPP 
+// #include <unistd.h>
+// based off the example functionreturnvalue.cpp in PHP-CPP
 
 /**
  *  Namespace to use
  */
-//using namespace std; 
+//using namespace std;
 
-#define DECRYPTOR_PORT 3825 
+#define DECRYPTOR_PORT 3825
 int local_attestation_successful=0;
 int __ImageBase=0;
 
 class Mitigator : public Php::Base
 {
-	private: 
+	private:
 		static std::string mitigator_pubkey_header_value;
-		static std::string mitigator_pubkey_header; 
+		static std::string mitigator_pubkey_header;
 	public:
-	// adding to extension throws an error if this method is not public
-
-	static void local_attestation_initiator_wrapper() 
-	{
-		printf("Hello.\n"); fflush(stdout);
-		
-		setbuf(stdout,NULL); uint32_t count;
-		uint32_t return_sgx; 
-		unsigned char* base64_encoded_mitigator_header_and_value = (unsigned char*) malloc(mitigator_pubkey_header.length()+1+216); 
-//		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 21 for "Mitigator-Public-Key"
-		memcpy(base64_encoded_mitigator_header_and_value, mitigator_pubkey_header.c_str(), mitigator_pubkey_header.length()); 
-		return_sgx = local_attestation_initiator(DECRYPTOR_PORT, base64_encoded_mitigator_header_and_value+mitigator_pubkey_header.length());
-		if(return_sgx != 0)
+		Mitigator() = default;
+		virtual ~Mitigator() = default;
+
+		static void local_attestation_initiator_wrapper()
 		{
-			if(return_sgx== 0xFFFFFFFF)
+			setbuf(stdout,NULL);
+			uint32_t return_sgx, count, base64_encoded_token_H_length;
+			unsigned char* base64_encoded_mitigator_header_and_value;
+
+			//		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 21 for "Mitigator-Public-Key"
+			memcpy(base64_encoded_mitigator_header_and_value, mitigator_pubkey_header.c_str(), mitigator_pubkey_header.length());
+			return_sgx = local_attestation_initiator(DECRYPTOR_PORT);
+			if(return_sgx != 0)
 			{
-				perror("\nCould not set up the socket: had the following error: "); fflush(stderr);
+				if(return_sgx== 0xFFFFFFFF)
+				{
+					perror("\nCould not set up the socket: had the following error: "); fflush(stderr);
+				}
+				else
+				{
+					printf("\nHad the following error in SGX local attestation: 0x%x", return_sgx);
+					fflush(stdout);
+				}
 			}
-			else
-			{
-				printf("\nHad the following error in SGX local attestation: 0x%x", return_sgx);
+			else {
+				printf("\nSuccessful LA with port %d.\n", DECRYPTOR_PORT);
 				fflush(stdout);
+				base64_encoded_mitigator_header_and_value = (unsigned char*) malloc(400);
+				return_sgx= post_local_attestation_get_mitigator_header(base64_encoded_mitigator_header_and_value + mitigator_pubkey_header.length(),
+					&base64_encoded_token_H_length);
+				if(return_sgx != 0)
+				{
+					printf("\nHad the following error in SGX POST local attestation: 0x%x", return_sgx);
+					fflush(stdout);
+				}
+				mitigator_pubkey_header_value=std::string((char*)base64_encoded_mitigator_header_and_value,mitigator_pubkey_header.length()+base64_encoded_token_H_length);
 			}
 		}
-		else {
-			printf("\nSuccessful LA with port %d.\n", DECRYPTOR_PORT);
-			fflush(stdout);
-			local_attestation_successful=1; 
-			mitigator_pubkey_header_value=std::string((char*)base64_encoded_mitigator_header_and_value,mitigator_pubkey_header.length()+216); 
-		}
-	}
-
 
-		Mitigator() = default; 
-		virtual ~Mitigator() = default;
-		// call this function in PHP async or call add_header here. 
-		static Php::Value get_mitigator_header() 
+		static Php::Value get_mitigator_header()
 		{
-			return mitigator_pubkey_header_value; 
+			return mitigator_pubkey_header_value;
 		}
-		// call this func onRequest 
+
 		static Php::Value php_decrypt_wrapper(Php::Parameters &params   )
 		{
-			
-			int counter; 
-			unsigned char* plaintext_user_data; 
-			unsigned char* ciphertext_user_data;
-			unsigned char* base64_encoded_pub_key; 
-			Php::Value ciphertext_user_data_obj=params[1]; 
-			Php::Value base64_encoded_pub_key_obj=params[0];
-			uint32_t ciphertext_length;
-			uint32_t plaintext_length;
-
-			ciphertext_length = params[1].size();
-			plaintext_user_data = (unsigned char*) malloc(ciphertext_length); 
-			// TODO: The arrays returned by the const char* operator in PHP-CPP are highly likely to be null-terminated. 
-			ciphertext_user_data = (unsigned char*) static_cast<const char*>(ciphertext_user_data_obj);
-                        base64_encoded_pub_key = (unsigned char*) static_cast<const char*>(base64_encoded_pub_key_obj);
+			int counter;
+			unsigned char* plaintext_user_data, * base64_client_ciphertext, *base64_client_public_key;
+			uint32_t ciphertext_length, plaintext_length;
+
+			base64_client_ciphertext = (unsigned char*) static_cast<const char*>(params[1]);
+      base64_client_public_key = (unsigned char*) static_cast<const char*>(params[0]);
+			base64_client_ciphertext_length = params[1].size();
+			base64_client_public_key_length = params[0].size();
+			base64_client_data = (unsigned char*) malloc(params[1].size() + params[0].size());
+			strcpy(base64_client_data, base64_client_public_key, base64_client_public_key_length);
+			strcpy(base64_client_data + base64_client_public_key_length, base64_client_ciphertext, base64_client_ciphertext_length);
+
+			plaintext_user_data = (unsigned char*) malloc(ciphertext_length);
 
 			printf("Base64 encoded key:\n");
-			for(counter=0; counter < 88; counter++)
-				printf("%c", base64_encoded_pub_key[counter]);
-			printf("\n"); fflush(stdout); 
+			for(counter=0; counter < base64_client_public_key_length; counter++)
+				printf("%c", base64_client_data[counter]);
+			printf("\n"); fflush(stdout);
 
 			printf("Ciphertext received:\n");
-			for(counter=0 ; counter < ciphertext_length; counter++ )
-				printf("%02x", ciphertext_user_data[counter]);
-			printf("\n"); fflush(stdout); 
+			for(counter=base64_client_public_key_length; counter < base64_client_public_key_length + base64_client_ciphertext_length; counter++ )
+				printf("%02x", base64_client_data[counter]);
+			printf("\n"); fflush(stdout);
 
-			uint32_t ret_status=decrypt_client_data_through_decryptor(base64_encoded_pub_key, ciphertext_user_data, ciphertext_length, (unsigned char*) plaintext_user_data, &plaintext_length);
+			uint32_t ret_status=decrypt_client_data_through_decryptor(base64_client_data, base64_client_public_key_length + base64_client_ciphertext_length, (unsigned char*) plaintext_user_data, &plaintext_length);
 			if(ret_status != 0)
 			{
 				printf("Received error code: 0x%02x\n", ret_status); fflush(stdout);
+				free(plaintext_user_data);
+				free(base64_client_data);
 			}
 
 			printf("Going to return this plaintext:\n");
 			for(counter=0;counter<plaintext_length;counter++)
 				printf("0x%02x ", plaintext_user_data[counter]);
-			fflush(stdout); 
+			fflush(stdout);
 
-			std::string plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length); 
-			// free(plaintext_user_data); // TODO: For some reason, this causes a crash. 
-			
-			return plaintext_user_data_str; //plaintext_user_data_obj; // (ciphertext_user_data, ciphertext_length) ; 
-//			*/ return params[1];
-		}
+			std::string plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length);
+		  free(plaintext_user_data); // TODO: For some reason, this causes a crash.
+			free(base64_client_data);
 
+			return plaintext_user_data_str;
+		}
 };
- 
+
 std::string Mitigator::mitigator_pubkey_header_value=std::string("!");
-std::string Mitigator::mitigator_pubkey_header=std::string("Mitigator-Public-Key:"); 
-extern "C" {	
+std::string Mitigator::mitigator_pubkey_header=std::string("Mitigator-Public-Key:");
+extern "C" {
 
     // export the "get_module" function that will be called by the Zend engine
     PHPCPP_EXPORT void *get_module()
     {
         // create extension
         static Php::Extension extension("decryptor_la_setup_and_decryption","1.0");
-        
+
         Php::Class<Mitigator> mitigator("Mitigator");
 	mitigator.method<&Mitigator::get_mitigator_header>("get_mitigator_header");
-	mitigator.method<&Mitigator::local_attestation_initiator_wrapper>("local_attestation_initiator_wrapper"); 
-	mitigator.method<&Mitigator::php_decrypt_wrapper>("php_decrypt_wrapper", { Php::ByVal("string", Php::Type::String), Php::ByVal("string", Php::Type::String) }   ); 
+	mitigator.method<&Mitigator::local_attestation_initiator_wrapper>("local_attestation_initiator_wrapper");
+	mitigator.method<&Mitigator::php_decrypt_wrapper>("php_decrypt_wrapper", { Php::ByVal("string", Php::Type::String), Php::ByVal("string", Php::Type::String) }   );
         extension.onStartup(&Mitigator::local_attestation_initiator_wrapper);
         // return the extension module
-	extension.add(mitigator); 
+	extension.add(mitigator);
         return extension.module();
     }
 }