Renamed Mitigator header, added in dummy decryptor method. Removed unused crypto functions.

SgxProtobufLAInitiator.cpp

@@ -22,16 +22,8 @@
 #include "stdio.h"
 
 dh_session_t global_session_info;
-
 sgx_dh_session_t sgx_dh_session;
-//  sgx_key_128bit_t dh_aek;        // Session Key
-        uint8_t iv[12];
-//        memset(iv, 0, 12);
-
-
-
-uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity, uint8_t* expected_mr_enclave, uint8_t* expected_mr_signer);
-
+uint8_t iv[12];
 
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id)
 {
@@ -74,11 +66,8 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
   if(SGX_SUCCESS != ret_status)
     return ret_status;
 
-  // Verify the identity of the destination enclave
-  ret_status = verify_peer_enclave_trust(&responder_identity, NULL, NULL);
-  if(ret_status != 0)
-    return ret_status;
-	memset(iv, 0, 12);
+  //No verification checks here: no security guarantees obtained from any such checks
+  memset(iv, 0, 12);
   memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
   global_session_info.session_id = 1; // TODO: session_id;
   global_session_info.active.counter = 0;
@@ -87,91 +76,14 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
 
   return 0;
 }
-/*
-uint32_t generate_encrypted_rsa_keypair_hash(uint8_t* op_ciphertext, uint8_t* op_encrypted_tag)
-{
-	uint8_t hash[32]; uint32_t return_status;
-	unsigned char key[16]; uint32_t count;
-	for(count=0;count<16;count++)
-		key[count]=global_session_info.active.AEK[count]; 
-	return_status=generate_rsa_keypair_hash(hash); 
-	if(return_status!=0)
-		return return_status; 
-	
-	uint8_t ciphertext[32];// uint8_t expected_plaintext[48]; 
-	uint8_t encryption_tag[16]; 
-	int ciphertext_len=32;// int plaintext_len=32;
-	uint8_t iv[12];  
-	memset(iv, 0, 12); 
-	return_status=aes_cipher(1, key, iv, hash, 32, op_ciphertext,  &ciphertext_len, op_encrypted_tag);
-	for(count=0;count<32;count++)
-	{
-		printf("0x%02x ", op_ciphertext[count]); 
-	}
-	printf("\n");
-	fflush(stdout);
-	for(count=0;count<16;count++)
-	{	
-		printf("0x%02x ", op_encrypted_tag[count]); 
-	}
-	printf("\n"); fflush(stdout);
-	return return_status;
-}
-*/
 
 uint32_t decrypt_wrapper(uint8_t* ciphertext, int ciphertext_len, uint8_t* op_plaintext, int* op_plaintext_len, uint8_t* ip_encrypted_tag)
 {
-        uint8_t hash[32]; uint32_t return_status;
+        uint32_t return_status;
         unsigned char key[16]; uint32_t count;
         for(count=0;count<16;count++)
                 key[count]=global_session_info.active.AEK[count];
 	printf("Doing decryption\n"); fflush(stdout); 
-        //uint8_t iv[12];
-        //memset(iv, 0, 12);
         return_status=aes_cipher(0, key, iv, ciphertext, ciphertext_len, op_plaintext,  op_plaintext_len, ip_encrypted_tag);
-/*	printf("Helloworld \n"); fflush(stdout); 
-        for(count=0;count<*op_plaintext_len;count++)
-        {
-                printf("0x%02x ", op_plaintext[count]);
-        }
-        printf("\n");
-        fflush(stdout);
-        for(count=0;count<16;count++)
-        {
-                printf("0x%02x ", ip_encrypted_tag[count]);
-        }
-        printf("\n"); fflush(stdout);
-*/        return return_status;
-}
-
-
-
-// TODO: Private function
-uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity, uint8_t* expected_mr_enclave, uint8_t* expected_mr_signer)
-{
-  int count=0;
-  if(!peer_enclave_identity)
-    return INVALID_PARAMETER_ERROR;
-
-  sgx_measurement_t actual_mr_enclave = peer_enclave_identity->mr_enclave;
-  sgx_measurement_t actual_mr_signer = peer_enclave_identity->mr_signer;
-
-	if(expected_mr_enclave != NULL)
-	{
-		for(count=0; count<SGX_HASH_SIZE; count++)
-		{
-			if( actual_mr_enclave.m[count] != expected_mr_enclave[count] )
-			        return ENCLAVE_TRUST_ERROR;
-  		}
-	}
-	if(expected_mr_signer !=NULL)
-	{
-		for(count=0; count<SGX_HASH_SIZE; count++)
-		{
-			if( actual_mr_signer.m[count] != expected_mr_signer[count] )
-			        return ENCLAVE_TRUST_ERROR; // TODO: Different error here.
-		}
-	}
-
-  return SUCCESS;
+        return return_status;
 }

crypto.cpp

@@ -7,14 +7,10 @@ using std::unique_ptr;
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-//using BN_ptr = std::unique_ptr<BIGNUM, decltype(&::BN_free)>;
-//using RSA_ptr = std::unique_ptr<RSA, decltype(&::RSA_free)>;
+
 EVP_CIPHER_CTX *ctx;
 RSA* rsa;
 BIGNUM* bn;
-//RSA_ptr rsa_signing_keypair; //(RSA_new(), ::RSA_free);
-//BN_ptr rsa_bignum;
-
 // assumes that the digest is at least of length 256/8 bytes. 
 uint32_t generate_sha256_hash(const unsigned char *message, size_t message_len, unsigned char *digest)
 {
@@ -47,83 +43,8 @@ uint32_t generate_sha256_hash(const unsigned char *message, size_t message_len,
 	EVP_MD_CTX_destroy(mdctx);
 	return 0; 
 }
-
-//private: 
-//	RSA_ptr rsa(RSA_new(), ::RSA_free);
-//	BN_ptr bn(BN_new(), ::BN_free);
-uint32_t generate_rsa_keypair(FILE* fp, std::string& priv_key_str, std::string& pub_key_str) //, uint8_t* hash)
-{
-    int rc; 
-
-    rsa=RSA_new(); 
-    bn=BN_new();
-    rc = BN_set_word(bn, 3);
-    if(rc != 1)
-      return 0x1;
-
-    rc = RSA_generate_key_ex(rsa, 3072, bn, NULL);
-    if(rc != 1)
-      return 0x2;
-	printf("Generated key\n"); fflush(stdout); 
-/*    int pub_key_der_encoded_len, priv_key_der_encoded_len;
-    unsigned char *pub_key_der, priv_key_der;
-
-    pub_key_der = NULL;
-    pub_key_der_encoded_len = i2d_RSAPublicKey(rsa.get(), (unsigned char**) &pub_key_der);
-    if (pub_key_der_encoded_len < 0)
-      return 0x3;
-
-    priv_key_der = NULL;
-    priv_key_der_encoded_len = i2d_RSAPrivateKey(rsa.get(), (unsigned char**) &priv_key_der);
-    if (priv_key_der_encoded_len < 0)
-      return 0x4;
-    printf("Done\n"); fflush(stdout); 
-//   priv_key_str=std::string(priv_key_der, priv_key_der_encoded_len); //, priv_key_der); 
-//   pub_key_str=std::string(pub_key_der, pub_key_der_encoded_len);  
-*/
-//	BIO* bio_rsa;
-    rc = PEM_write_RSA_PUBKEY(fp, rsa); // doesn't work
-    if(rc != 1) 
-	return 0x3;
-    fflush(fp); 
-//    bio_rsa = BIO_new_file("apache_signature_keypair.pem", "w+");
-//    rc = PEM_write_bio_RSAPublicKey(bio_rsa, rsa.get());
-//    if(rc != 1)
-//	return 0x3;
- //   BIO_flush(bio_rsa); free(bio_rsa); 
-
-  return 0; 
-}
-
-uint32_t generate_rsa_keypair_hash(uint8_t* hash)
-{
-     uint32_t return_internal;
-    const BIGNUM* n_internal_bigendian_struct;
-    RSA_get0_key(rsa, &n_internal_bigendian_struct, NULL, NULL);
-    BIGNUM* n_bigendian_struct = BN_dup(n_internal_bigendian_struct); 
-
-    uint32_t count; 
-    int n_bignum_length=BN_num_bytes(n_bigendian_struct);
-    unsigned char *n_bigendian = (unsigned char*) malloc(n_bignum_length);
-    int length_bignum_le = BN_bn2bin(n_bigendian_struct, n_bigendian); 
-    unsigned char* n_littleendian = (unsigned char*) malloc(length_bignum_le);
-    for(count=0; count<length_bignum_le; count++)
-		n_littleendian[count] = n_bigendian[length_bignum_le-count-1]; 
-    free(n_bigendian); 
-//    unsigned char hash[32];  
-    return_internal=generate_sha256_hash(n_littleendian, length_bignum_le, hash);
-    free(n_littleendian); 
-   if(return_internal != 0)
-   { 	 return return_internal ;  }// TODO: Memory leak here. 
-
-	for(count=0;count<32; count++)
-		printf("%x", hash[count]);
-	printf("\n");
-	fflush(stdout); 
-	return return_internal;
-//   return 0; //length_bignum_le; 
-}
-
+//////////////////////////////////////////////////////////////////////////
+//////////////////////////////////////
 void crypto_cleanup()
 {
 	RSA_free(rsa); 

include/crypto.h

@@ -1,13 +1,2 @@
-//uint32_t generate_rsa_key(std::string& priv_key_str, std::string& pub_key_str);
-//class RSA_signing_keypair 
-//{ 
-//	private:
-//        	RSA_ptr rsa; 
-//        	BN_ptr bn; 
-//	public: 
-//		RSA_signing_keypair(); 
-		uint32_t generate_rsa_keypair(FILE* fp, std::string& priv_key_str, std::string& pub_key_str); //, uint8_t* hash); 
-		uint32_t generate_rsa_keypair_hash(uint8_t* hash);
-//}
 int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag); 
 uint32_t base64_encoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length);

systemMain.cpp

@@ -27,13 +27,11 @@ using namespace std;
 int local_attestation_successful=0;
 int __ImageBase=0;
 
-//extern "C" {
-
 class Mitigator : public Php::Base
 {
 	private: 
-		static std::string mitigator_header; 
-//		int x;
+		static std::string mitigator_pubkey_header_value;
+		static std::string mitigator_pubkey_header; 
 	public:
 	// adding to extension throws an error if this method is not public
 
@@ -41,9 +39,10 @@ class Mitigator : public Php::Base
 	{
 		setbuf(stdout,NULL); uint32_t count;
 		uint32_t return_sgx; 
-		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 12 for "X-Mitigator:"
-		memcpy(base64_encoded_mitigator_header, "X-Mitigator:", 12); 
-		return_sgx = local_attestation_initiator(DECRYPTOR_PORT, base64_encoded_mitigator_header+12);
+		unsigned char* base64_encoded_mitigator_header_and_value = (unsigned char*) malloc(mitigator_pubkey_header.length()+1+216); 
+//		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 21 for "Mitigator-Public-Key"
+		memcpy(base64_encoded_mitigator_header_and_value, mitigator_pubkey_header.c_str(), mitigator_pubkey_header.length()); 
+		return_sgx = local_attestation_initiator(DECRYPTOR_PORT, base64_encoded_mitigator_header_and_value+mitigator_pubkey_header.length());
 		if(return_sgx != 0)
 		{
 			if(return_sgx== 0xFFFFFFFF)
@@ -60,33 +59,33 @@ class Mitigator : public Php::Base
 		printf("\nSuccessful LA with port %d.\n", DECRYPTOR_PORT);
 		fflush(stdout);
 		local_attestation_successful=1; 
-		char base64_encoding[229];
-		for(count=0;count<229;count++)
-			base64_encoding[count]=base64_encoded_mitigator_header[count];
-		printf("String:%s\nThat string was of length 0x%x\n", base64_encoding, strlen(base64_encoding)); fflush(stdout);
-		mitigator_header=std::string(base64_encoding,228); 
+		printf("length of string was %d\n", mitigator_pubkey_header.length()); fflush(stdout); 
+//		char* base64_encoding = (char*) malloc(); 
+//		char base64_encoding[229];
+//		for(count=0;count<229;count++)
+//			base64_encoding[count]=base64_encoded_mitigator_header[count];
+		mitigator_pubkey_header_value=std::string((char*)base64_encoded_mitigator_header_and_value,mitigator_pubkey_header.length()+216); 
 		}
 	}
 
-//         std::cout << "MyCustomClass::MyCustomClass()" << std::endl;
 
-		Mitigator() = default; // {x=3;} //{ mitigator_header=std::string("Miti: Miti");  }
+		Mitigator() = default; // mitigator_pubkey_header("Mitigator-Public-Key:");//, mitigator_pubkey_header_value("!") ;
 		virtual ~Mitigator() = default;
 		// call this function in PHP async or call add_header here. 
-		Php::Value get_mitigator_header() 
+		static Php::Value get_mitigator_header() 
 		{
-			return mitigator_header; //Php::Value(mitigator_header, 176);
+			return mitigator_pubkey_header_value; 
 		}
 		// call this func onRequest 
-/*		Php::Value decrypt_php_wrapper()
+		static Php::Value php_decrypt_wrapper(Php::Parameters &params   )
 		{
-			return "miti"; 
+			return params[0];//"miti"; 
 		}
-*/
+
 };
  
-std::string Mitigator::mitigator_header=std::string("Miti: Miti");
-
+std::string Mitigator::mitigator_pubkey_header_value=std::string("!");
+std::string Mitigator::mitigator_pubkey_header=std::string("Mitigator-Public-Key:"); 
 extern "C" {	
 
     // export the "get_module" function that will be called by the Zend engine
@@ -98,9 +97,10 @@ extern "C" {
         Php::Class<Mitigator> mitigator("Mitigator");
 	mitigator.method<&Mitigator::get_mitigator_header>("get_mitigator_header");
 //        mitigator.property("mitigator_header", &Mitigator::get_mitigator_header);
-
-
+	mitigator.method<&Mitigator::local_attestation_initiator_wrapper>("local_attestation_initiator_wrapper"); 
+	mitigator.method<&Mitigator::php_decrypt_wrapper>("php_decrypt_wrapper", { Php::ByVal("string", Php::Type::String) }   ); 
         extension.onStartup(&Mitigator::local_attestation_initiator_wrapper);
+//	extension.onRequest(&Mitigator::php_decrypt_wrapper); 
         // return the extension module
 	extension.add(mitigator); 
         return extension.module();