Browse Source

Commit for updated decrypt_client_data - crashes in Apache

dettanym 5 years ago
parent
commit
6a61074ed8

+ 26 - 34
ProtobufLAInitiator.cpp

@@ -101,7 +101,7 @@ int set_up_socket_connect(int port)
   return sock;
 }
 
-int do_local_attestation(int port)
+int local_attestation_initiator(int port)
 {
   // declare msg1, msg2, msg3 protobuf objects
   protobuf_sgx_dh_msg1_t protobuf_msg1;
@@ -146,6 +146,7 @@ int do_local_attestation(int port)
   {
       printf("Error in process_protobuf_dh_msg3: 0x%x", protobuf_sgx_ret); fflush(stdout); return protobuf_sgx_ret;
   }
+  return 0;
 }
 
 uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encoded_token_H, uint32_t* base64_encoded_token_H_length)
@@ -177,20 +178,20 @@ uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encod
 	internal_return_status = aes_gcm_wrapper(0, encrypted_token_H_and_tag, encrypted_token_H_and_tag_length, plaintext_token_H, &plaintext_token_H_length);
 	if(internal_return_status != 0)
 	{
-    printf("Error in decryption 0x%x", ret_decrypt); fflush(stdout); return internal_return_status;
+    printf("Error in decryption 0x%x", internal_return_status); fflush(stdout); return internal_return_status;
 	}
 
   printf("Decryptor's short-term public key\n");
   for(count=0;count<64;count++)
-    printf("0x%02x ", plaintext_token[count]);
+    printf("0x%02x ", plaintext_token_H[count]);
 	printf("\n"); fflush(stdout);
 
 	printf("Verifier mrenclave\n");
 	for(count=64;count<96;count++)
-    printf("0x%02x ", plaintext_token[count]);
+    printf("0x%02x ", plaintext_token_H[count]);
 	printf("\n"); fflush(stdout);
 
-	*base64_encoded_token_H_length=base64_encoding_wrapper(plaintext_token, base64_encoded_token_H, plaintext_token_H_length);
+	*base64_encoded_token_H_length=base64_encoding_wrapper(base64_encoded_token_H, plaintext_token_H, plaintext_token_H_length);
   /*
   // TODO: Better return value handling.
   if(!(base64_encoded_token_H_length <= 4 * Math.ceil(plaintext_token_H_length/3) && base64_encoded_token_H_length > 4 * (Math.ceil(plaintext_token_H_length/3) - 1)))
@@ -203,48 +204,39 @@ uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encod
 	return 0;
 }
 
-/*uint32_t base64_decoding_on_all_client_data(std::vector<std::string>& ip_base64_client_public_key_ciphertexts, std::vector<std::string>& op_client_public_key_ciphertexts)
+uint32_t base64_decoding_on_all_client_data(unsigned char* ip_base64_client_public_key_ciphertext, 
+  uint32_t ip_base64_client_public_key_ciphertext_length,
+  unsigned char* op_client_public_key_ciphertext,
+  uint32_t* op_client_public_key_ciphertext_length
+)
 {
-	int openssl_ret_status; uint32_t counter;
-  unsigned long list_size;
-  std::string op_string;
-  unsigned char* op_array;
-
-  list_size=ip_base64_client_public_key_ciphertexts.size();
-  for(std::string ip_base64_string: ip_base64_client_public_key_ciphertexts)
-  {
-    openssl_ret_status=base64_decoding_wrapper(ip_base64_string.c_str(), op_string, ip_base64_string.length());
+    uint32_t openssl_ret_status;
+    openssl_ret_status=base64_decoding_wrapper(ip_base64_client_public_key_ciphertext, op_client_public_key_ciphertext, ip_base64_client_public_key_ciphertext_length);
     if(openssl_ret_status == -1)
       	return 0xfe;
-
-  	*op_ciphertext_length = base64_decoding_wrapper(base64_ciphertext, op_client_public_key_and_ciphertext + 64, base64_ciphertext_length);
-  	if(*op_ciphertext_length == -1)
-  	{
-  		return 0x33;
-  	}
-  }
-	return 0;
+    *op_client_public_key_ciphertext_length = openssl_ret_status; 
+    return 0;
 
 }
-*/
+
 
 // should be called with the base64encoded public key and data to be decrypted
 // base64 encoded public key should be of length 4*(ceil(64/3)) = 88 (at least)
-int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_public_key_ciphertext,
+int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_public_key_ciphertext, 
   uint32_t ip_base64_client_public_key_ciphertext_length,
   unsigned char* op_plaintext,
-  uint32_t op_plaintext_length
+  uint32_t* op_plaintext_length
 )
 {
-  unsigned char* ciphertext_to_decryptor, *ciphertext_from_decryptor;
+/*  unsigned char* ciphertext_to_decryptor; const char *ciphertext_from_decryptor;
   uint32_t ciphertext_to_decryptor_length, ciphertext_from_decryptor_length;
   uint32_t internal_return_status;
+  protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg; 
 
   // Encrypting to the decryptor enclave
-  ciphertext_to_decryptor=(unsigned char*) malloc(ip_base64_client_public_key_ciphertext + 16);
+  ciphertext_to_decryptor=(unsigned char*) malloc(ip_base64_client_public_key_ciphertext_length + 16);
   internal_return_status = aes_gcm_wrapper(1, ip_base64_client_public_key_ciphertext, ip_base64_client_public_key_ciphertext_length,
-    ciphertext_to_decryptor, ciphertext_to_decryptor_length
-  );
+    ciphertext_to_decryptor, &ciphertext_to_decryptor_length );
   // Error checking on ciphertext that is to be sent to decryptor
   if(internal_return_status != 0)
   {
@@ -270,15 +262,15 @@ int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_publi
 		printf("Not all of the decryptor's message was read\n"); fflush(stdout); return 0xf3;
 	}
 	printf("Done reading msg from decryptor\n"); fflush(stdout);
-  ciphertext_from_decryptor_length = protobuf_encrypted_msg.length();
-  ciphertext_from_decryptor = protobuf_encrypted_msg.c_str();
+  ciphertext_from_decryptor_length = protobuf_encrypted_msg.msg().length();
+  ciphertext_from_decryptor = protobuf_encrypted_msg.msg().c_str();
 
   // Decrypt data from decryptor
-  internal_return_status = aes_gcm_wrapper(0, ciphertext_from_decryptor, ciphertext_from_decryptor_length,
+  internal_return_status = aes_gcm_wrapper(0, (unsigned char*) ciphertext_from_decryptor, ciphertext_from_decryptor_length,
     op_plaintext, op_plaintext_length
   );
   if(internal_return_status != 0)
     return internal_return_status;
-
+*/
   return 0;
 }

+ 28 - 3
SgxProtobufLAInitiator.cpp

@@ -69,7 +69,7 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
 
   //No verification checks here: no security guarantees obtained from any such checks
   memset(iv, 0, 12);
-  memcpy(key, &dhaek, sizeof(sgx_key_128bit_t));
+  memcpy(key, &dh_aek, sizeof(sgx_key_128bit_t));
   //memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
   global_session_info.session_id = 1; // TODO: session_id;
   global_session_info.active.counter = 0;
@@ -79,7 +79,32 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
   return 0;
 }
 
-uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len)
+  // increments last 4 bytes (in big-endian order)
+  uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv)  {
+        uint32_t counter;
+        for(counter=11;counter>7;counter--)
+        {
+                if(iv[counter] == 0xff)
+                {
+                        if(counter - 1 == 7)
+                                return 0xff;
+                        iv[counter-1] = 0x01;
+                        iv[counter] = 0x0;
+                }
+                else
+                        iv[counter] += 1;
+        }
+        return 0;
+  }
+
+
+
+
+
+
+//uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, uint32_t ciphertext_len, unsigned char* plaintext, uint32_t* plaintext_length)
+  uint32_t aes_gcm_wrapper(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
+
 {
 	memset(iv, 0, 12);
   uint8_t tag[16];uint32_t counter; uint32_t return_status;
@@ -88,7 +113,7 @@ uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len,
     for(counter=0;counter<16;counter++)
       tag[counter] = plaintext[counter + plaintext_length];
   }
-  uint32_t return_status = aes_gcm_128(enc, key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
+  return_status = aes_gcm_128(enc, key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
   if(enc == 1)
   {
     for(counter=0;counter<16;counter++)

+ 3 - 3
crypto.cpp

@@ -54,7 +54,7 @@ void crypto_cleanup()
 }
 
 // Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
-int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag)
+int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, unsigned char* tag)
 {
 	int len;
 	int ciphertext_len;
@@ -138,13 +138,13 @@ int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 	return 0;
 }
 
-uint32_t base64_encoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length)
+uint32_t base64_encoding_wrapper(unsigned char* dest, unsigned char* src, uint32_t length)
 {
 	return EVP_EncodeBlock(dest, src, length);
 
 }
 
-uint32_t base64_decoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length)
+uint32_t base64_decoding_wrapper(unsigned char* dest, unsigned char* src, uint32_t length)
 {
         int length_with_padding = EVP_DecodeBlock(dest, src, length);
         if(length_with_padding == -1)

+ 11 - 3
include/ProtobufLAInitiator.h

@@ -1,4 +1,12 @@
-int local_attestation_initiator(int port, unsigned char* base64_encoding); 
-int decrypt_client_data_through_decryptor(unsigned char* base64_encoded_client_pub_key, unsigned char* ciphertext, uint32_t ciphertext_length, unsigned char* plaintext_user_data, uint32_t* op_plaintext_user_data_length);
-//int decrypt_client_data_through_decryptor(unsigned char* base64_encoded_client_pub_key, unsigned char* ciphertext, uint32_t ciphertext_length, unsigned char* plaintext_user_data);
+int local_attestation_initiator(int port); 
+int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_public_key_ciphertext,
+  uint32_t ip_base64_client_public_key_ciphertext_length,
+  unsigned char* op_plaintext,
+  uint32_t* op_plaintext_length);
 
+uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encoded_token_H, uint32_t* base64_encoded_token_H_length);
+uint32_t base64_decoding_on_all_client_data(unsigned char* ip_base64_client_public_key_ciphertext, 
+  uint32_t ip_base64_client_public_key_ciphertext_length,
+  unsigned char* op_client_public_key_ciphertext,
+  uint32_t* op_client_public_key_ciphertext_length
+);

+ 2 - 1
include/SgxProtobufLAInitiator.h

@@ -1,4 +1,5 @@
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id);
 uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id);
-uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len, unsigned char* ip_encrypted_tag);
+//uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len, unsigned char* ip_encrypted_tag);
+uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, uint32_t ciphertext_len, unsigned char* op_plaintext, uint32_t* op_plaintext_len);
 

+ 3 - 3
include/crypto.h

@@ -1,3 +1,3 @@
-int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag); 
-uint32_t base64_encoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length);
-uint32_t base64_decoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length);
+int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, unsigned char* tag); 
+uint32_t base64_encoding_wrapper(unsigned char* dest, unsigned char* src, uint32_t length);
+uint32_t base64_decoding_wrapper(unsigned char* dest, unsigned char* src, uint32_t length);

BIN
localattestation_decryption.so


+ 31 - 13
systemMain.cpp

@@ -79,19 +79,23 @@ class Mitigator : public Php::Base
 
 		static Php::Value php_decrypt_wrapper(Php::Parameters &params   )
 		{
-			int counter;
-			unsigned char* plaintext_user_data, * base64_client_ciphertext, *base64_client_public_key;
-			uint32_t ciphertext_length, plaintext_length;
+/*
+			unsigned char* plaintext_user_data, * base64_client_ciphertext, *base64_client_public_key, *base64_client_data, *client_data;
+			uint32_t plaintext_length, base64_client_ciphertext_length, base64_client_public_key_length, base64_client_data_length, client_data_length, ret_status, counter;
+			std::string plaintext_user_data_str; 
 
 			base64_client_ciphertext = (unsigned char*) static_cast<const char*>(params[1]);
-      base64_client_public_key = (unsigned char*) static_cast<const char*>(params[0]);
+			base64_client_public_key = (unsigned char*) static_cast<const char*>(params[0]);
 			base64_client_ciphertext_length = params[1].size();
 			base64_client_public_key_length = params[0].size();
 			base64_client_data = (unsigned char*) malloc(params[1].size() + params[0].size());
-			strcpy(base64_client_data, base64_client_public_key, base64_client_public_key_length);
-			strcpy(base64_client_data + base64_client_public_key_length, base64_client_ciphertext, base64_client_ciphertext_length);
+			memcpy(base64_client_data, base64_client_public_key, base64_client_public_key_length);
+			memcpy(base64_client_data + base64_client_public_key_length, base64_client_ciphertext, base64_client_ciphertext_length);
+			base64_client_data_length = base64_client_public_key_length + base64_client_ciphertext_length;
 
-			plaintext_user_data = (unsigned char*) malloc(ciphertext_length);
+			plaintext_user_data = (unsigned char*) malloc( base64_client_ciphertext_length );
+			memcpy(plaintext_user_data, base64_client_ciphertext, base64_client_ciphertext_length);
+			plaintext_user_data_str = std::string((char*) plaintext_user_data, base64_client_ciphertext_length); 
 
 			printf("Base64 encoded key:\n");
 			for(counter=0; counter < base64_client_public_key_length; counter++)
@@ -102,25 +106,39 @@ class Mitigator : public Php::Base
 			for(counter=base64_client_public_key_length; counter < base64_client_public_key_length + base64_client_ciphertext_length; counter++ )
 				printf("%02x", base64_client_data[counter]);
 			printf("\n"); fflush(stdout);
+			/*
+			client_data = (unsigned char*) malloc(base64_client_data_length); 
+			ret_status = base64_decoding_on_all_client_data(base64_client_data, base64_client_data_length, client_data, &client_data_length);
+			free(base64_client_data);
+			if(ret_status<=0)
+			{
+				printf("Could not do base64 decoding correctly.\n"); fflush(stdout); 
+				free(plaintext_user_data);
+				free(client_data);
+				return plaintext_user_data_str; 
+			}
 
-			uint32_t ret_status=decrypt_client_data_through_decryptor(base64_client_data, base64_client_public_key_length + base64_client_ciphertext_length, (unsigned char*) plaintext_user_data, &plaintext_length);
+			ret_status=decrypt_client_data_through_decryptor(client_data, client_data_length, (unsigned char*) plaintext_user_data, &plaintext_length);
 			if(ret_status != 0)
 			{
 				printf("Received error code: 0x%02x\n", ret_status); fflush(stdout);
+				free(client_data);
 				free(plaintext_user_data);
-				free(base64_client_data);
+				return plaintext_user_data_str;
 			}
-
+			
 			printf("Going to return this plaintext:\n");
 			for(counter=0;counter<plaintext_length;counter++)
 				printf("0x%02x ", plaintext_user_data[counter]);
 			fflush(stdout);
 
-			std::string plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length);
-		  free(plaintext_user_data); // TODO: For some reason, this causes a crash.
-			free(base64_client_data);
+//			plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length);
+			free(plaintext_user_data); 
+//			free(base64_client_data);
 
 			return plaintext_user_data_str;
+*/
+			return params[1];
 		}
 };