
Sends base64 encoding of decrypted token string to the client

dettanym 5 years ago
parent
commit
4dda5dc738

+ 7 - 6
Makefile

@@ -1,12 +1,13 @@
 CXX             = g++
 RM              = rm -f
-CXX_FLAGS       = -Wall  -O2 -std=c++11 -fpic -fdata-sections -ffunction-sections
+CXX_FLAGS       = -Wall  -O2 -std=c++11 -fpic #-fdata-sections -ffunction-sections
 LD              = ${CXX} -v
-LD_FLAGS        = -Wall -shared -O2
+LD_FLAGS        = -Wall -shared
 
 OBJECTS := systemMain.o ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o crypto.o 
 
-SGX_SDK := /home/m2mazmud/sgx2.1_installation/sgxsdk
+#SGX_SDK := /home/m2mazmud/sgx2.1_installation/sgxsdk
+SGX_SDK := /opt/intel/sgxsdk
 SGX_COMMON_CFLAGS := -m64
 SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
 Trts_Library_Name := sgx_trts
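Review bot: `SGX_SDK := /opt/intel/sgxsdk` hardcodes the SDK location and keeps the previous personal path around as a comment; `SGX_SDK ?= /opt/intel/sgxsdk` keeps the same default while letting a developer override it from the environment, and the commented-out line can then be dropped. In the same hunk `-fdata-sections -ffunction-sections` is commented out of CXX_FLAGS while the link line in the second hunk drops `--gc-sections`; if both are intentional, a one-line comment stating why is better than leaving the dead flags in place. The second hunk also still passes `-Wl,--verbose` to the production link, which prints the full linker script on every build.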
@@ -29,10 +30,10 @@ Protobuf%.o: Protobuf%.cpp
 	${CXX} -I./include ${CXX_FLAGS} -c $^ -o $@
 
 system%.o: system%.cpp
-	gcc -I./include ${CXX_FLAGS} -c $^ -o $@
+	g++ -I./include ${CXX_FLAGS} -c $^ -o $@
 
 crypto.o: crypto.cpp 
-	gcc -I${Openssl_Path}/include ${CXX_FLAGS} -c $^ -o $@
+	g++ -I${Openssl_Path}/include ${CXX_FLAGS} -c $^ -o $@
 
 localattestation_decryption.so:  systemMain.o ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o crypto.o
-	${CXX} ${LD_FLAGS} systemMain.o crypto.o -L${Openssl_Path}/lib -lssl -lcrypto ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o -L./ -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive  -L$(SGX_LIBRARY_PATH)  -l$(Service_Library_Name) -l$(Crypto_Library_Name) -l$(Uae_Library_Name) -lsgx_tstdc -lsgx_urts -lprotobuf -lsgx_tstdcxx -lphpcpp -Wl,-Bsymbolic -Wl,-pie,-eenclave_entry -Wl,--export-dynamic -Wl,--gc-sections  -Wl,--verbose -o $@
+	${CXX} ${LD_FLAGS} -Wl,--no-undefined systemMain.o ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o crypto.o  -L./ -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive  -l$(Service_Library_Name) -l$(Crypto_Library_Name) -lsgx_tstdc  -lprotobuf -L${Openssl_Path}/lib -lssl -lcrypto   -lphpcpp  -Wl,-Bsymbolic -Wl,-pie,-eenclave_entry -Wl,--export-dynamic  -Wl,--verbose -o $@

+ 40 - 10
ProtobufLAInitiator.cpp

@@ -9,7 +9,7 @@
 #include <google/protobuf/io/zero_copy_stream_impl.h>
 using namespace google::protobuf::io;
 #include "SgxProtobufLAInitiator.h"
-
+#include "crypto.h"
 // For socket programming
 #include <arpa/inet.h>
 #include <sys/socket.h>
@@ -97,14 +97,17 @@ int set_up_socket_connect(int port)
   return sock;
 }
 
-int local_attestation_initiator(int port)
+int local_attestation_initiator(int port, unsigned char* base64_encoded)
 {
   // declare msg1, msg2, msg3 protobuf objects
   protobuf_sgx_dh_msg1_t protobuf_msg1;
   protobuf_sgx_dh_msg2_t protobuf_msg2;
   protobuf_sgx_dh_msg3_t protobuf_msg3;
   uint32_t protobuf_sgx_ret;
-  uint8_t encrypted_hash[32]; uint8_t encrypted_tag[16]; size_t post_la_bytes_written;
+
+//  uint8_t encrypted_hash[32]; uint8_t encrypted_tag[16]; size_t post_la_bytes_written; 
+//	uint8_t tokenT_and_tag[176]; size_t bytes_read;
+
   // For socket to listen to the Apache enclave.
 //  int server_fd=0; int accept_fd = 0;
 //  struct sockaddr_in own_addr;
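Review bot: The new `base64_encoded` parameter carries no length, yet the function later writes 216 base64 characters plus the NUL that EVP_EncodeBlock appends, so the caller must supply at least 217 bytes and nothing states that. Add a comment at the signature, e.g. `// base64_encoded: caller-supplied buffer of at least 217 bytes (216 base64 chars + NUL)`, or take a length argument and check it before encoding. The declaration in include/ProtobufLAInitiator.h names the same parameter `base64_encoding`; the two should agree. The body of local_attestation_initiator continues past this hunk.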
@@ -156,22 +159,49 @@ int local_attestation_initiator(int port)
 	printf("0x%x ", hash_and_tag[count]);
    printf("\n");fflush(stdout); 
 
+*/
+          uint8_t tokenT_and_tag[176]; size_t bytes_read;
+
 
-   post_la_bytes_written = write(decryptor_fd, encrypted_hash, 32);
-   post_la_bytes_written = write(decryptor_fd, encrypted_tag, 16);
+   bytes_read = read(decryptor_fd, tokenT_and_tag, 176);
+//   post_la_bytes_written = write(decryptor_fd, encrypted_tag, 16);
 
-   if(post_la_bytes_written != 16)
+   if(bytes_read != 176)
    {
-	printf("Not all of the post-LA message was written\n"); fflush(stdout); return 0xfe; 
+	printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe; 
 
    }
-   printf("Wrote the hash and the tag to the decryptor socket.\n"); fflush(stdout); 
+   printf("Read encrypted signature and tag from the decryptor socket.\n"); fflush(stdout); 
    if(close(decryptor_fd)!= 0)
    {
 	printf("Error in closing the socket connection.\n"); fflush(stdout); return 0xfd; 
    } 
-  
-*/
+     uint32_t count;  
+	printf("Encrypted data:\n");
+	for(count=0;count<176;count++)
+		printf("0x%02x ", tokenT_and_tag[count]);
+	printf("\n"); fflush(stdout); 
+	uint8_t plaintext_token[160]; int plaintext_length=0;
+	uint32_t ret_decrypt=decrypt_wrapper(tokenT_and_tag, 160, plaintext_token, &plaintext_length, tokenT_and_tag+160);
+//int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag); 
+	if(ret_decrypt!=0)
+		{
+			printf("Errorin decryption 0x%x", ret_decrypt); fflush(stdout); return 0xed; 
+		}
+        printf("Decryption keypair\n");
+        for(count=0;count<64;count++)
+                printf("0x%02x ", plaintext_token[count]);
+	printf("\n"); fflush(stdout); 
+	printf("Decryption verifier mrenclave\n");
+	for(count=64;count<96;count++)
+                printf("0x%02x ", plaintext_token[count]);
+	printf("\n"); fflush(stdout); 
+	count=base64_encoding_wrapper(plaintext_token, base64_encoded, 160);
+	if(count != 216)
+	{
+		printf("Somehow not the entire token was encoded in base64:0x%x\n", count); fflush(stdout); return 0x55;
+	}
+
 	printf("Successfully done Local attestation\n");
 	fflush(stdout);
 	return 0;
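Review bot: The decrypted token is dumped to stdout in hex under the labels `Decryption keypair` and `Decryption verifier mrenclave` right after the `ret_decrypt` check; if the first 64 bytes are private key material, as that label suggests, those two loops leak it into whatever captures the process's stdout and should be removed before this ships. Separately, `bytes_read = read(decryptor_fd, tokenT_and_tag, 176)` is a single read() on a stream socket, which may legitimately return fewer than 176 bytes, and `bytes_read` is a `size_t` holding a `ssize_t`, so a -1 return is reported as a short read with errno discarded. The rewrite below reads until the 176-byte message (160 bytes of ciphertext followed by the 16-byte tag, as the `decrypt_wrapper` call splits it) is complete and drops the plaintext dumps. local_attestation_initiator begins before this hunk.
```cpp
   uint8_t tokenT_and_tag[176]; size_t bytes_read = 0;
   // read() on a stream socket may return a short count; keep reading until the whole
   // 176-byte message (160-byte ciphertext followed by the 16-byte tag) has arrived.
   while(bytes_read < 176)
   {
      ssize_t n = read(decryptor_fd, tokenT_and_tag + bytes_read, 176 - bytes_read);
      if(n <= 0)
      {
         printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe;
      }
      bytes_read += static_cast<size_t>(n);
   }
   // … unchanged: close(decryptor_fd), hex dump of the ciphertext, decrypt_wrapper call …
   // … removed: the "Decryption keypair" / "Decryption verifier mrenclave" plaintext dumps …
   // … unchanged: base64_encoding_wrapper call and its length check …
```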

+ 34 - 31
SgxProtobufLAInitiator.cpp

@@ -25,6 +25,10 @@ dh_session_t global_session_info;
 
 sgx_dh_session_t sgx_dh_session;
 //  sgx_key_128bit_t dh_aek;        // Session Key
+        uint8_t iv[12];
+//        memset(iv, 0, 12);
+
+
 
 uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity, uint8_t* expected_mr_enclave, uint8_t* expected_mr_signer);
 
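Review bot: `uint8_t iv[12]` becomes a file-scope mutable global that is zeroed in process_protobuf_dh_msg3 (second hunk) and consumed in decrypt_wrapper (last hunk), so the decrypt IV is always all zeros. If `aes_cipher` is an AEAD mode such as GCM — the tag parameter suggests so — a fixed IV is only safe while exactly one message is ever processed under a given AEK; a second message under the same session key would break both confidentiality and authenticity, so that single-use assumption should be written down, e.g. `// Fixed all-zero IV: the session AEK must be used for exactly one message.`, or the IV should travel with the message. A file-scope global also shares one IV across sessions; a local in decrypt_wrapper (as its commented-out lines did) or a field of global_session_info would keep it next to the key it belongs to.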
@@ -74,7 +78,7 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
   ret_status = verify_peer_enclave_trust(&responder_identity, NULL, NULL);
   if(ret_status != 0)
     return ret_status;
-
+	memset(iv, 0, 12);
   memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
   global_session_info.session_id = 1; // TODO: session_id;
   global_session_info.active.counter = 0;
@@ -83,7 +87,7 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
 
   return 0;
 }
-
+/*
 uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* op_ciphertext, uint8_t* op_encrypted_tag)
 {
 	uint8_t hash[32]; uint32_t return_status;
@@ -98,32 +102,9 @@ uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* op_ciphertext, uint8_t* op
 	uint8_t encryption_tag[16]; 
 	int ciphertext_len=32;// int plaintext_len=32;
 	uint8_t iv[12];  
-//	memset(ciphertext, 0, 32); //memset(expected_plaintext, 0, 48); 
-	memset(iv, 0, 12);  // memset(expected_plaintext, 0, 32); 
-//	memset(encryption_tag, 0, 16);  
-//	memset(encrypted_hash_and_tag, 0, 48); 
+	memset(iv, 0, 12); 
 	return_status=aes_cipher(1, key, iv, hash, 32, op_ciphertext,  &ciphertext_len, op_encrypted_tag);
-/*	if(return_status != 0)
-	{
-//		memcpy(encrypted_hash_and_tag, ciphertext, 32);	 // For some reason, memcpy does not work
-//		memcpy(encrypted_hash_and_tag+32, encryption_tag,  16); 
-		for(count=0;count<32; count++)
-			*(op_ciphertext+count) = ciphertext[count];
-
-		for(count=0;count<16;count++)
-			*(op_encrypted_tag+count) = encryption_tag[count]; 
-	}
-//	printf("ciphertext len: %d\n", ciphertext_len); fflush(stdout);
-//	printf("Encryption return status: 0x%x", return_status);  fflush(stdout); 
-//	return_status=aes_cipher(0, key, iv, ciphertext, ciphertext_len, expected_plaintext, &plaintext_len, encryption_tag); 
-
 	for(count=0;count<32;count++)
-	{
-		printf("0x%02x ", hash[count]);
-	}
-	printf("\n");
-	fflush(stdout); 
-*/	for(count=0;count<32;count++)
 	{
 		printf("0x%02x ", op_ciphertext[count]); 
 	}
@@ -134,15 +115,37 @@ uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* op_ciphertext, uint8_t* op
 		printf("0x%02x ", op_encrypted_tag[count]); 
 	}
 	printf("\n"); fflush(stdout);
-/*        for(count=0;count<32;count++)
-        {       
-                printf("0x%02x ", op_ciphertext[count]); 
+	return return_status;
+}
+*/
+
+uint32_t decrypt_wrapper(uint8_t* ciphertext, int ciphertext_len, uint8_t* op_plaintext, int* op_plaintext_len, uint8_t* ip_encrypted_tag)
+{
+        uint8_t hash[32]; uint32_t return_status;
+        unsigned char key[16]; uint32_t count;
+        for(count=0;count<16;count++)
+                key[count]=global_session_info.active.AEK[count];
+	printf("Doing decryption\n"); fflush(stdout); 
+        //uint8_t iv[12];
+        //memset(iv, 0, 12);
+        return_status=aes_cipher(0, key, iv, ciphertext, ciphertext_len, op_plaintext,  op_plaintext_len, ip_encrypted_tag);
+/*	printf("Helloworld \n"); fflush(stdout); 
+        for(count=0;count<*op_plaintext_len;count++)
+        {
+                printf("0x%02x ", op_plaintext[count]);
+        }
+        printf("\n");
+        fflush(stdout);
+        for(count=0;count<16;count++)
+        {
+                printf("0x%02x ", ip_encrypted_tag[count]);
         }
         printf("\n"); fflush(stdout);
-*/
-	return return_status;
+*/        return return_status;
 }
 
+
+
 // TODO: Private function
 uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity, uint8_t* expected_mr_enclave, uint8_t* expected_mr_signer)
 {
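Review bot: `uint8_t hash[32]` in decrypt_wrapper is declared and never used, and the 16-byte `key` copy duplicates `global_session_info.active.AEK` only to hand it to aes_cipher; both can go with `return_status=aes_cipher(0, global_session_info.active.AEK, iv, ciphertext, ciphertext_len, op_plaintext, op_plaintext_len, ip_encrypted_tag);`, assuming sgx_key_128bit_t is the uint8_t[16] that the memcpy in process_protobuf_dh_msg3 implies. If the copy is kept, it leaves session key material on the stack and should be cleared before returning. The `/* ... */` block of debug printing inside the function body is better deleted than left commented.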

+ 5 - 0
crypto.cpp

@@ -216,3 +216,8 @@ int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* pl
 	return 0;
 }
 
+uint32_t base64_encoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length)
+{
+	return EVP_EncodeBlock(dest, src, length);
+
+}
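Review bot: base64_encoding_wrapper takes no destination size, and EVP_EncodeBlock writes 4*ceil(length/3) bytes plus a terminating NUL into `dest`, so the only caller has to size its buffer by hand. A doc comment on the definition makes the contract visible, e.g. `// dest must hold 4*((length+2)/3) + 1 bytes; returns the encoded length excluding the NUL.`; the stray blank line before the closing brace can go.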

+ 1 - 1
include/ProtobufLAInitiator.h

@@ -1 +1 @@
-int local_attestation_initiator(int port); 
+int local_attestation_initiator(int port, unsigned char* base64_encoding); 

+ 3 - 1
include/SgxProtobufLAInitiator.h

@@ -1,3 +1,5 @@
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id);
 uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id);
-uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* hash, uint8_t* tag);
+//uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* hash, uint8_t* tag);
+uint32_t decrypt_wrapper(uint8_t* ciphertext, int ciphertext_len, uint8_t* op_plaintext, int* op_plaintext_len, uint8_t* ip_encrypted_tag);
+

+ 1 - 0
include/crypto.h

@@ -10,3 +10,4 @@
 		uint32_t generate_rsa_keypair_hash(uint8_t* hash);
 //}
 int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag); 
+uint32_t base64_encoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length);

BIN
localattestation_decryption.so


+ 68 - 35
systemMain.cpp

@@ -4,12 +4,12 @@
 #include <unistd.h>
 #include <errno.h>
 
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+//#include <fcntl.h>
+//#include <sys/types.h>
+//#include <sys/stat.h>
 #include <stdio.h>
 
-#include "crypto.h"
+//#include "crypto.h"
 #include "ProtobufLAInitiator.h"
 using namespace std;
 
@@ -21,42 +21,73 @@ using namespace std;
 /**
  *  Namespace to use
  */
-using namespace std; 
+//using namespace std; 
 
 #define DECRYPTOR_PORT 3825 
 int local_attestation_successful=0;
 int __ImageBase=0;
-// Symbols are exported according to the "C" language
-extern "C" 
+
+//extern "C" {
+
+class Mitigator : public Php::Base
 {
-    void local_attestation_initiator_wrapper() 
-    {
-	setbuf(stdout,NULL); 
-  uint32_t return_sgx; 
+	private: 
+		static std::string mitigator_header; 
+//		int x;
+	public:
+	// adding to extension throws an error if this method is not public
 
+	static void local_attestation_initiator_wrapper() 
+	{
+		setbuf(stdout,NULL); uint32_t count;
+		uint32_t return_sgx; 
+		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 12 for "X-Mitigator:"
+		memcpy(base64_encoded_mitigator_header, "X-Mitigator:", 12); 
+		return_sgx = local_attestation_initiator(DECRYPTOR_PORT, base64_encoded_mitigator_header+12);
+		if(return_sgx != 0)
+		{
+			if(return_sgx== 0xFFFFFFFF)
+			{
+				perror("\nCould not set up the socket: had the following error: "); fflush(stderr);
+			}
+			else
+			{
+				printf("\nHad the following error in SGX local attestation: 0x%x", return_sgx);
+				fflush(stdout);
+			}
+		}
+		else {
+		printf("\nSuccessful LA with port %d.\n", DECRYPTOR_PORT);
+		fflush(stdout);
+		local_attestation_successful=1; 
+		char base64_encoding[229];
+		for(count=0;count<229;count++)
+			base64_encoding[count]=base64_encoded_mitigator_header[count];
+		printf("String:%s\nThat string was of length 0x%x\n", base64_encoding, strlen(base64_encoding)); fflush(stdout);
+		mitigator_header=std::string(base64_encoding,228); 
+		}
+	}
 
-  return_sgx = local_attestation_initiator(DECRYPTOR_PORT);
-  if(return_sgx != 0)
-  {
-    if(return_sgx== 0xFFFFFFFF)
-    {
-      perror("\nCould not set up the socket: had the following error: ");
-      fflush(stderr);
-    }
-    else
-    {
-      printf("\nHad the following error in SGX local attestation: 0x%x", return_sgx);
-      fflush(stdout);
-    }
-  //  return return_sgx;
-  }
-  printf("\nSuccessful LA with port %d.\n", DECRYPTOR_PORT);
-  fflush(stdout);
-  local_attestation_successful=1; 
-//  return 0;
+//         std::cout << "MyCustomClass::MyCustomClass()" << std::endl;
 
-    }
+		Mitigator() = default; // {x=3;} //{ mitigator_header=std::string("Miti: Miti");  }
+		virtual ~Mitigator() = default;
+		// call this function in PHP async or call add_header here. 
+		Php::Value get_mitigator_header() 
+		{
+			return mitigator_header; //Php::Value(mitigator_header, 176);
+		}
+		// call this func onRequest 
+/*		Php::Value decrypt_php_wrapper()
+		{
+			return "miti"; 
+		}
+*/
+};
+ 
+std::string Mitigator::mitigator_header=std::string("Miti: Miti");
 
+extern "C" {	
 
     // export the "get_module" function that will be called by the Zend engine
     PHPCPP_EXPORT void *get_module()
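Review bot: `strlen(base64_encoding)` is a size_t printed with `%x`, which is undefined for a mismatched conversion; use `%zx`: `printf("String:%s\nThat string was of length 0x%zx\n", base64_encoding, strlen(base64_encoding));`. The 229-byte copy loop into `base64_encoding` exists only for that printf — `mitigator_header` can be built straight from `base64_encoded_mitigator_header` with `std::string(reinterpret_cast<const char*>(base64_encoded_mitigator_header), 228)` — and the size comment on that buffer reads `216=...` where 229 is the total. When attestation fails, `get_mitigator_header` still hands the placeholder `Miti: Miti` to PHP; returning an empty value or checking `local_attestation_successful` there lets the PHP side tell the two apart. The Mitigator class and local_attestation_initiator_wrapper fit within this hunk; get_module continues into the next one.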
@@ -64,12 +95,14 @@ extern "C"
         // create extension
         static Php::Extension extension("decryptor_la_setup_and_decryption","1.0");
         
-        // add function to extension - make this the decryption function
-//        extension.add<my_return_value_function>("my_return_value_function");
+        Php::Class<Mitigator> mitigator("Mitigator");
+	mitigator.method<&Mitigator::get_mitigator_header>("get_mitigator_header");
+//        mitigator.property("mitigator_header", &Mitigator::get_mitigator_header);
 
-        extension.onStartup(&local_attestation_initiator_wrapper);
-        
+
+        extension.onStartup(&Mitigator::local_attestation_initiator_wrapper);
         // return the extension module
+	extension.add(mitigator); 
         return extension.module();
     }
 }