No encryption between apache and decryptor - got same derived key.

Makefile

@@ -37,3 +37,4 @@ crypto.o: crypto.cpp
 
 localattestation_decryption.so:  systemMain.o ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o crypto.o
 	${CXX} ${LD_FLAGS} -Wl,--no-undefined systemMain.o ProtobufLAInitiator.o SgxProtobufLAInitiator.o SgxProtobufLAInitiator_Transforms.o ProtobufLAMessages.pb.o crypto.o  -L./ -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive  -l$(Service_Library_Name) -l$(Crypto_Library_Name) -lsgx_tstdc  -lprotobuf -L${Openssl_Path}/lib -lssl -lcrypto   -lphpcpp  -Wl,-Bsymbolic -Wl,-pie,-eenclave_entry -Wl,--export-dynamic  -Wl,--verbose -o $@
+#-Wl,--rpath /home/m2mazmud/plain-openssl/lib -o $@

ProtobufLAInitiator.cpp

@@ -15,7 +15,7 @@ using namespace google::protobuf::io;
 #include <sys/socket.h>
 #include <netinet/in.h>
 
-int global_decryptor_fd; 
+int global_decryptor_fd;
 
 
 // TODO: Make these private functions
@@ -42,7 +42,7 @@ int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& mess
     fflush(stdout);
     return -1;
   }
-  printf("Done parsing msg\n"); fflush(stdout); 
+  printf("Done parsing msg\n"); fflush(stdout);
   coded_input->PopLimit(limit);
   return 0;
 }
@@ -108,13 +108,13 @@ int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
   protobuf_sgx_dh_msg3_t protobuf_msg3;
   uint32_t protobuf_sgx_ret;
 
-//  uint8_t encrypted_hash[32]; uint8_t encrypted_tag[16]; size_t post_la_bytes_written; 
+//  uint8_t encrypted_hash[32]; uint8_t encrypted_tag[16]; size_t post_la_bytes_written;
 //	uint8_t tokenT_and_tag[176]; size_t bytes_read;
 
   // For socket to listen to the Apache enclave.
 //  int server_fd=0; int accept_fd = 0;
 //   std::string protobuf_encrypted_msg_string(protobuf_encrypted_msg.msg());
-  // memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176); 
+  // memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176);
 //  struct sockaddr_in own_addr;
 //  struct sockaddr_storage apache_addr; socklen_t apache_addr_size = sizeof(apache_addr);
   uint32_t session_id;
@@ -152,35 +152,35 @@ int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
           unsigned char tokenT_and_tag[176]; int protobuf_encrypted_msg_size;
 
 
-          protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg; 
+          protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
         if(read_protobuf_msg_from_fd(decryptor_fd, protobuf_encrypted_msg)!=0)
    {
-	printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe; 
+	printf("Not all of the post-LA message was read\n"); fflush(stdout); return 0xfe;
    }
    std::string protobuf_encrypted_msg_string(protobuf_encrypted_msg.msg());
-   memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176); 
+   memcpy(tokenT_and_tag, protobuf_encrypted_msg_string.c_str(), 176);
 
-   printf("Read encrypted signature and tag from the decryptor socket.\n"); fflush(stdout); 
-    uint32_t count;  
+   printf("Read encrypted signature and tag from the decryptor socket.\n"); fflush(stdout);
+    uint32_t count;
 	printf("Encrypted data:\n");
 	for(count=0;count<176;count++)
 		printf("0x%02x ", tokenT_and_tag[count]);
-	printf("\n"); fflush(stdout); 
+	printf("\n"); fflush(stdout);
 	uint8_t plaintext_token[160]; int plaintext_length=0;
 	uint32_t ret_decrypt=aes_gcm_wrapper(0, tokenT_and_tag, 160, plaintext_token, &plaintext_length, tokenT_and_tag+160);
-//int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag); 
+//int aes_cipher(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag);
 	if(ret_decrypt!=0)
 		{
-			printf("Errorin decryption 0x%x", ret_decrypt); fflush(stdout); return 0xed; 
+			printf("Errorin decryption 0x%x", ret_decrypt); fflush(stdout); return 0xed;
 		}
         printf("Decryption keypair\n");
         for(count=0;count<64;count++)
                 printf("0x%02x ", plaintext_token[count]);
-	printf("\n"); fflush(stdout); 
+	printf("\n"); fflush(stdout);
 	printf("Decryption verifier mrenclave\n");
 	for(count=64;count<96;count++)
                 printf("0x%02x ", plaintext_token[count]);
-	printf("\n"); fflush(stdout); 
+	printf("\n"); fflush(stdout);
 	count=base64_encoding_wrapper(plaintext_token, base64_encoded_token, 160);
 	if(count != 216)
 	{
@@ -192,97 +192,117 @@ int local_attestation_initiator(int port, unsigned char* base64_encoded_token)
 	return 0;
 }
 
-// should be called with the base64encoded public key and data to be decrypted
-// base64 encoded public key should be of length 4*(ceil(64/3)) = 88 (at least)
-int decrypt_client_data_through_decryptor(unsigned char* base64_encoded_client_pub_key, unsigned char* ciphertext, uint32_t ciphertext_length, unsigned char* plaintext_user_data, uint32_t* op_plaintext_user_data_length)
+int extract_binary_key_and_client_ciphertext_data_from_base64(unsigned char* base64_encoded_client_pub_key, unsigned char* base64_ciphertext, uint32_t base64_ciphertext_length, unsigned char* op_client_public_key_and_ciphertext, uint32_t* op_ciphertext_length)
 {
-	int openssl_ret_status; 
-	unsigned char client_pub_key[64];
-	uint32_t count; 
-	uint32_t length;
-	unsigned char* client_data_to_decryptor; 
-	unsigned char* client_data_encrypted_to_decryptor; 
-	unsigned char* client_data_from_decryptor;
-	int encryption_result; 
-        protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg; 
-	int output_length;
-
-	for(count=0; count<ciphertext_length; count++)
-		plaintext_user_data[count] = ciphertext[count]; 
-	*op_plaintext_user_data_length = ciphertext_length;
+	int openssl_ret_status;
+        openssl_ret_status=base64_decoding_wrapper(base64_encoded_client_pub_key, op_client_public_key_and_ciphertext, 88);
+        if(openssl_ret_status == -1)
+        	return 0xfe;
 
-
-        client_data_to_decryptor = (unsigned char*) malloc(64 + (ciphertext_length * 3/4)); 
-	openssl_ret_status=base64_decoding_wrapper(base64_encoded_client_pub_key, client_data_to_decryptor, 88); 
-	if(openssl_ret_status == -1)
+	*op_ciphertext_length = base64_decoding_wrapper(base64_ciphertext, op_client_public_key_and_ciphertext + 64, base64_ciphertext_length);
+	if(*op_ciphertext_length == -1)
 	{
-		free(client_data_to_decryptor); 
-		return 0xfe;
+		return 0x33;
 	}
+	return 0;
 
-	printf("Received the following key from the client:\n"); 
-	for(count=0;count<64;count++)
-		printf("0x%02x ", client_data_to_decryptor[count]);
-        printf("\n"); fflush(stdout);
-	// // TODO: call aes_gcm_wrapper or aes_gcm  *in encryption mode* on ciphertext data of ciphertext_length (where is the iv?) 
-
-	length = base64_decoding_wrapper(ciphertext, client_data_to_decryptor + 64, ciphertext_length);
-	if(length == -1)
-        {
-		free(client_data_to_decryptor);
-		return 0x33; 
-        }
+}
 
-	for(count = 0; count<64 + length; count++)
-		printf("0x%02x ", client_data_to_decryptor[count]); 
+// should be called with the base64encoded public key and data to be decrypted
+// base64 encoded public key should be of length 4*(ceil(64/3)) = 88 (at least)
+int decrypt_client_data_through_decryptor(unsigned char* base64_client_public_key, unsigned char* base64_ciphertext_client_data, uint32_t base64_ciphertext_client_data_length, unsigned char* plaintext_client_data, uint32_t* op_plaintext_client_data_length)
+{
+	int ret_status;
+	uint32_t count;
+	unsigned char* client_data_to_decryptor;
+	unsigned char* client_data_encrypted_to_decryptor;
+	unsigned char* client_data_from_decryptor;
+	unsigned char tag[16]; 
+	const char* msg;
+	protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
+	int output_length;
+	int input_length;
+	uint32_t ciphertext_length;
+	for(count=0; count<base64_ciphertext_client_data_length; count++)
+		plaintext_client_data[count] = base64_ciphertext_client_data[count];
+	*op_plaintext_client_data_length = base64_ciphertext_client_data_length;
+
+	client_data_to_decryptor = (unsigned char*) malloc(64 + (base64_ciphertext_client_data_length * 3/4));
+	// If ciphertext_length != base64_ciphertext_client_data_length * 3/4 then it will write outside the allocated memory
+	ret_status = extract_binary_key_and_client_ciphertext_data_from_base64(base64_client_public_key, base64_ciphertext_client_data, base64_ciphertext_client_data_length, client_data_to_decryptor, &ciphertext_length);
+	if(ret_status != 0)
+		return ret_status;
+
+	input_length = ciphertext_length + 64; // normal case - no writing outside the allocated memory.
+	printf("Public key and ciphertext:\n"); fflush(stdout);
+	for(count = 0; count<input_length; count++)
+		printf("0x%02x ", client_data_to_decryptor[count]);
 	printf("\n"); fflush(stdout);
 
-	client_data_encrypted_to_decryptor = (unsigned char*) malloc(length + 64 + 16);
+/*	client_data_encrypted_to_decryptor = (unsigned char*) malloc(input_length + 16);
 	// TODO: try to call aes_gcm  *in encryption mode* on ciphertext data of ciphertext_length (where is the iv?)
-	// if output_length != length + 64 then problems
-	encryption_result = aes_gcm_wrapper(1, client_data_to_decryptor, length + 64, client_data_encrypted_to_decryptor, &output_length, client_data_encrypted_to_decryptor + length + 80);
-	if(encryption_result != 0)
-  	{
+	// if output_length != ciphertext_length + 64 then tag will be overwritten.
+	ret_status = aes_gcm_wrapper(1, client_data_to_decryptor, input_length, client_data_encrypted_to_decryptor, &output_length, tag);
+	if(ret_status != 0 || output_length != input_length)
+	{
 		free(client_data_to_decryptor);
 		free(client_data_encrypted_to_decryptor);
-		return encryption_result;
+		return ret_status;
 	}
-	// TODO: Increment AESGCM IV here. 
-
-	protobuf_encrypted_msg.set_msg((void*)client_data_encrypted_to_decryptor, output_length);  
+	for(count=0; count<16; count++)
+		client_data_encrypted_to_decryptor[output_length+count]=tag[count]; 
+	// TODO: Increment AESGCM IV here.
+*/
+	protobuf_encrypted_msg.set_msg((void*)client_data_to_decryptor, input_length);
 	free(client_data_to_decryptor);
-	free(client_data_encrypted_to_decryptor);
+//	free(client_data_encrypted_to_decryptor);
+/*
+	printf("Writing this to the decryptor: \n"); fflush(stdout); 
+	for(count=8;count<output_length+16+8;count++)
+		printf("0x%02x ", client_data_to_decryptor[count]);
+	printf("\n");	fflush(stdout);
+*/
 
 	// write message to decryptor
-        if(write_protobuf_msg_to_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
-   	{
-        	printf("Not all of the client's pub key and ciphertext data was written\n"); fflush(stdout); return 0xfe; 
-   	}
+	if(write_protobuf_msg_to_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
+	{
+		printf("Not all of the client's pub key and ciphertext data was written\n"); fflush(stdout); return 0xfe;
+	}
 
 	// clear the message before setting it again
-	protobuf_encrypted_msg.clear_msg(); 
+	protobuf_encrypted_msg.clear_msg();
 
 	// read encrypted data
-	printf("Reading msg from decryptor"); fflush(stdout); 
-        if(read_protobuf_msg_from_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
+	printf("Reading msg from decryptor"); fflush(stdout);
+	if(read_protobuf_msg_from_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
 	{
-        	printf("Not all of the decryptor's message was read\n"); fflush(stdout); return 0xfe; 
+		printf("Not all of the decryptor's message was read\n"); fflush(stdout); return 0xf3;
 	}
-	printf("Done reading msg from decryptor\n"); fflush(stdout); 
+	printf("Done reading msg from decryptor\n"); fflush(stdout);
 
 	// define plaintext array
-	length = protobuf_encrypted_msg.msg().length(); 
-	client_data_from_decryptor=(unsigned char*)malloc(length);	
-	memcpy(client_data_from_decryptor, protobuf_encrypted_msg.msg().c_str(), length); //TODO: THIS might be a problem - c_str might terminate at null bytes? 
-
-	// TODO: decrypt data received in the protobuf_encrypted_msg, set bytes at plaintext_user_data to it. 
-	for(count=0;count<length;count++)
+	input_length = protobuf_encrypted_msg.msg().length();
+	msg = protobuf_encrypted_msg.msg().c_str(); 
+	for(count=0; count<input_length; count++)
+		plaintext_client_data[count] = msg[count]; 
+	*op_plaintext_client_data_length = input_length; 
+	/* client_data_from_decryptor=(unsigned char*)malloc(input_length);
+	memcpy(client_data_from_decryptor, protobuf_encrypted_msg.msg().c_str(), input_length); //TODO: THIS might be a problem - c_str might terminate at null bytes?
+
+	// TODO: decrypt data received in the protobuf_encrypted_msg, set bytes at plaintext_client_data to it.
+	for(count=0;count<input_length;count++)
+	{
+		plaintext_client_data[count]=client_data_from_decryptor[count]; 
 		printf("0x%02x ", client_data_from_decryptor[count]);
+	}
 	printf("\n"); fflush(stdout);
+	*op_plaintext_client_data_length=input_length; 
 
-	encryption_result = aes_gcm_wrapper(0, client_data_from_decryptor, length, plaintext_user_data, &output_length, client_data_from_decryptor + length - 16); 
-	if(encryption_result == 0)
-		*op_plaintext_user_data_length = output_length; 
+	ret_status = aes_gcm_wrapper(0, client_data_from_decryptor, input_length, plaintext_client_data, &output_length, client_data_from_decryptor + input_length - 16);
+	if(ret_status == 0)
+		*op_plaintext_client_data_length = output_length;
 	free(client_data_from_decryptor);
-	return encryption_result; 
+	*/
+	return 0;
 }
+

systemMain.cpp

@@ -112,7 +112,7 @@ class Mitigator : public Php::Base
 			fflush(stdout); 
 
 			std::string plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length); 
-			free(plaintext_user_data);
+			// free(plaintext_user_data); // TODO: For some reason, this causes a crash. 
 			return plaintext_user_data_str; // "Miti";// plaintext_user_data_obj; // (ciphertext_user_data, ciphertext_length) ; 
 		}