Browse Source

Old commit - instrumentation for timing and some refactoring

dettanym 3 years ago
parent
commit
ab921a343f
5 changed files with 121 additions and 173 deletions
  1. 57 80
      ProtobufLAInitiator.cpp
  2. 34 49
      SgxProtobufLAInitiator.cpp
  3. 0 2
      include/SgxProtobufLAInitiator.h
  4. BIN
      localattestation_decryption.so
  5. 30 42
      systemMain.cpp

+ 57 - 80
ProtobufLAInitiator.cpp

@@ -1,23 +1,24 @@
 // Knows only protobuf_sgx objects, protobuf header.
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
+#include<stdlib.h>
+#include<string.h>
+#include<errno.h>
 #include<unistd.h>
-#include <stdio.h>
-#include "ProtobufLAMessages.pb.h"
-#include <google/protobuf/io/coded_stream.h>
-#include <google/protobuf/io/zero_copy_stream_impl.h>
-using namespace google::protobuf::io;
-#include "SgxProtobufLAInitiator.h"
-#include "crypto.h"
+#include<stdio.h>
+#include"ProtobufLAMessages.pb.h"
+#include<google/protobuf/io/coded_stream.h>
+#include<google/protobuf/io/zero_copy_stream_impl.h>
+#include"SgxProtobufLAInitiator.h"
+#include"crypto.h"
 // For socket programming
-#include <arpa/inet.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <queue>
+#include<arpa/inet.h>
+#include<sys/socket.h>
+#include<netinet/in.h>
+#include<queue>
+using namespace google::protobuf::io;
 
 int global_decryptor_fd;
-#define TOKEN_H_MAX_LENGTH 300;
+#define TOKEN_H_MAX_LENGTH 300
+uint8_t ciphertext_to_decryptor[4092]; 
 
 // TODO: Make these private functions
 int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
@@ -34,8 +35,8 @@ int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& mess
     fflush(stdout);
     return -1;
   }
-  printf("size of msg was read to be %d \n", size);
-  fflush(stdout);
+  //  printf("size of msg was read to be %d \n", size);
+  //  fflush(stdout);
   limit = coded_input->PushLimit(size);
   if(!message.ParseFromCodedStream(coded_input))
   {
@@ -43,7 +44,7 @@ int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& mess
     fflush(stdout);
     return -1;
   }
-  printf("Done parsing msg\n"); fflush(stdout);
+  //  printf("Done parsing msg\n"); fflush(stdout);
   coded_input->PopLimit(limit);
   return 0;
 }
@@ -64,7 +65,7 @@ int write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& messa
   // TODO: There may be a better way to do this - 1) this happens with every accept now and 2) make it happen on the stack vs heap - destructor will be called on return from this function (main) and the items will then be written out. (We probably don't want that, actually)
   delete coded_output;
   delete raw_output;
-  fflush(stdout);
+  //  fflush(stdout);
   return 0;
 }
 
@@ -149,6 +150,7 @@ int local_attestation_initiator(int port)
   return 0;
 }
 
+
 uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encoded_token_H, uint32_t* base64_encoded_token_H_length)
 {
   unsigned char* encrypted_token_H_and_tag, *plaintext_token_H;
@@ -174,13 +176,12 @@ uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encod
 		printf("0x%02x ", encrypted_token_H_and_tag[count]);
 	printf("\n"); fflush(stdout);
  plaintext_token_H=(unsigned char*) malloc(encrypted_token_H_and_tag_length); 
-  // TODO: Modify aes_gcm_wrapper to do the thing where it takes care of the tag internally.
 	internal_return_status = aes_gcm_wrapper(0, encrypted_token_H_and_tag, encrypted_token_H_and_tag_length, plaintext_token_H, &plaintext_token_H_length);
 	if(internal_return_status != 0)
 	{
-	free(encrypted_token_H_and_tag); 
-	free(plaintext_token_H); 
-    printf("Error in decryption 0x%x", internal_return_status); fflush(stdout); return internal_return_status;
+		free(encrypted_token_H_and_tag); 
+		free(plaintext_token_H); 
+		printf("Error in decryption 0x%x", internal_return_status); fflush(stdout); return internal_return_status;
 	}
 
   printf("Decryptor's short-term public key\n");
@@ -194,19 +195,20 @@ uint32_t post_local_attestation_get_mitigator_header(unsigned char* base64_encod
 	printf("\n"); fflush(stdout);
 	 
 	*base64_encoded_token_H_length=base64_encoding_wrapper(base64_encoded_token_H, plaintext_token_H, plaintext_token_H_length);
-  /*
+  
   // TODO: Better return value handling.
-  if(!(base64_encoded_token_H_length <= 4 * Math.ceil(plaintext_token_H_length/3) && base64_encoded_token_H_length > 4 * (Math.ceil(plaintext_token_H_length/3) - 1)))
-  {
-    printf("Somehow not the entire token was encoded in base64:0x%x\n", base64_encoded_token_H_length); fflush(stdout); return 0x55;
-  }
-  */
+  //if(!(base64_encoded_token_H_length <= 4 * Math.ceil(plaintext_token_H_length/3) && base64_encoded_token_H_length > 4 * (Math.ceil(plaintext_token_H_length/3) - 1)))
+  //{
+  //  printf("Somehow not the entire token was encoded in base64:0x%x\n", base64_encoded_token_H_length); fflush(stdout); return 0x55;
+  //}
+  
         free(encrypted_token_H_and_tag); 
         free(plaintext_token_H); 
 	fflush(stdout);
 	return 0;
 }
 
+
 uint32_t base64_decoding_on_all_client_data(unsigned char* ip_base64_client_public_key_ciphertext, 
   uint32_t ip_base64_client_public_key_ciphertext_length,
   unsigned char* op_client_public_key_ciphertext,
@@ -218,76 +220,51 @@ uint32_t base64_decoding_on_all_client_data(unsigned char* ip_base64_client_publ
     if(openssl_ret_status == -1)
       	return 0xfe;
     *op_client_public_key_ciphertext_length = openssl_ret_status; 
-*/    return 0;
+*/
+    return 0;
 
 }
 
-
-// should be called with the base64encoded public key and data to be decrypted
-// base64 encoded public key should be of length 4*(ceil(64/3)) = 88 (at least)
-int decrypt_client_data_through_decryptor( unsigned char* ip_base64_client_public_key_ciphertext, 
-  uint32_t ip_base64_client_public_key_ciphertext_length,
+int decrypt_client_data_through_decryptor( unsigned char* ip_client_public_key_ciphertext, 
+  uint32_t ip_client_public_key_ciphertext_length,
   unsigned char* op_plaintext,
   uint32_t* op_plaintext_length
 )
 {
- unsigned char* ciphertext_to_decryptor, *ciphertext_from_decryptor;
-  uint32_t ciphertext_to_decryptor_length, ciphertext_from_decryptor_length;
-  uint32_t internal_return_status; uint32_t counter;
-  protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg; 
-  std::string protobuf_encrypted_msg_string;
-  // Encrypting to the decryptor enclave
-  ciphertext_to_decryptor=(unsigned char*) malloc(ip_base64_client_public_key_ciphertext_length + 16);
-  internal_return_status = aes_gcm_wrapper(1, ip_base64_client_public_key_ciphertext, ip_base64_client_public_key_ciphertext_length,
-    ciphertext_to_decryptor, &ciphertext_to_decryptor_length );
-  // Error checking on ciphertext that is to be sent to decryptor
-  if(internal_return_status != 0)
-  {
-    free(ciphertext_to_decryptor);
-    return internal_return_status;
-  }
+	uint32_t ciphertext_to_decryptor_length;
+	uint32_t internal_return_status; 
+	protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg; 
+	std::string protobuf_encrypted_msg_string;
+	uint32_t counter;
+	// Encrypting to the decryptor enclave
+	internal_return_status = aes_gcm_wrapper(1, ip_client_public_key_ciphertext, ip_client_public_key_ciphertext_length,    ciphertext_to_decryptor, &ciphertext_to_decryptor_length );
+	// Error checking on ciphertext that is to be sent to decryptor
+	if(internal_return_status != 0)
+	{
+		printf("Error in encrypting content to the decryptor.\n"); fflush(stdout); 
+		return internal_return_status;
+	}
 
-/*  printf("Sending this ciphertext and tag to the decryptor enclave:\n"); 
-  for(counter=0;counter< ciphertext_to_decryptor_length;counter++)
-	printf("0x%02x ", ciphertext_to_decryptor[counter]); 
-  printf("\n"); fflush(stdout);
-*/
-  // write message to decryptor
-  protobuf_encrypted_msg.set_msg( ciphertext_to_decryptor , ciphertext_to_decryptor_length );
-  free(ciphertext_to_decryptor);
+	  // write message to decryptor
+	protobuf_encrypted_msg.set_msg( ciphertext_to_decryptor , ciphertext_to_decryptor_length );
 	if(write_protobuf_msg_to_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
 	{
-		// printf("Not all of the client's pub key and ciphertext data was written\n"); fflush(stdout);   
+		printf("Not all of the client's pub key and ciphertext data was written\n"); fflush(stdout);   
 		return 0xfe;
 	}
 
 	// clear the message before setting it again
 	protobuf_encrypted_msg.clear_msg();
 
-  // read encrypted data
-//	printf("Reading msg from decryptor"); fflush(stdout);
+	// read encrypted data
 	if(read_protobuf_msg_from_fd(global_decryptor_fd, protobuf_encrypted_msg)!=0)
 	{
-	//	printf("Not all of the decryptor's message was read\n"); fflush(stdout); 
+		printf("Not all of the decryptor's message was read\n"); fflush(stdout); 
 		return 0xf3;
 	}
-//	printf("Done reading msg from decryptor\n"); fflush(stdout);
-
-  protobuf_encrypted_msg_string=std::string(protobuf_encrypted_msg.msg());
-  ciphertext_from_decryptor_length=protobuf_encrypted_msg_string.length();
-  ciphertext_from_decryptor = (unsigned char*) malloc(ciphertext_from_decryptor_length);
-  memcpy(ciphertext_from_decryptor, protobuf_encrypted_msg_string.c_str(), protobuf_encrypted_msg_string.length());
-
-/*  printf("Got this ciphertext and tag from the decryptor enclave"); 
-  for(counter=0;counter< ciphertext_from_decryptor_length;counter++)
-        printf("0x%02x ", ciphertext_from_decryptor[counter]); 
-  printf("\n");
-*/
-  // Decrypt data from decryptor
-  internal_return_status = aes_gcm_wrapper(0,  ciphertext_from_decryptor, ciphertext_from_decryptor_length,
-    op_plaintext, op_plaintext_length
-  );
-    free(ciphertext_from_decryptor); 
-    return internal_return_status;
 
+	protobuf_encrypted_msg_string=std::string(protobuf_encrypted_msg.msg());
+	// Decrypt data from decryptor
+	internal_return_status = aes_gcm_wrapper(0, (unsigned char*) protobuf_encrypted_msg.msg().c_str(), protobuf_encrypted_msg_string.length(),  op_plaintext, op_plaintext_length);
+	return internal_return_status;
 }

+ 34 - 49
SgxProtobufLAInitiator.cpp

@@ -3,7 +3,7 @@
 #include <inttypes.h>
 #include "ProtobufLAMessages.pb.h"
 #include <stdio.h>
-
+#include <sys/mman.h>
 #include "sgx_trts.h"
 #include "sgx_utils.h"
 #include "error_codes.h"
@@ -20,11 +20,14 @@
 #include <string.h>
 #include "crypto.h"
 #include "stdio.h"
+#include <errno.h>
+#include <atomic>
+#include <sys/types.h>
+#include <unistd.h>
 
 dh_session_t global_session_info;
 sgx_dh_session_t sgx_dh_session;
 uint8_t key[16];
-uint8_t iv[12];
 
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id)
 {
@@ -68,7 +71,6 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
     return ret_status;
 
   //No verification checks here: no security guarantees obtained from any such checks
-  memset(iv, 0, 12);
   memcpy(key, &dh_aek, sizeof(sgx_key_128bit_t));
   //memcpy(global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
   global_session_info.session_id = 1; // TODO: session_id;
@@ -79,51 +81,34 @@ uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_
   return 0;
 }
 
-  // increments last 4 bytes (in big-endian order)
-  uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv)  {
-        uint32_t counter;
-        for(counter=11;counter>7;counter--)
-        {
-                if(iv[counter] == 0xff)
-                {
-                        if(counter - 1 == 7)
-                                return 0xff;
-                        iv[counter-1] = 0x01;
-                        iv[counter] = 0x0;
-                }
-                else
-                        iv[counter] += 1;
-        }
-        return 0;
-  }
-
-
-
-
-
-
-//uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, uint32_t ciphertext_len, unsigned char* plaintext, uint32_t* plaintext_length)
-  uint32_t aes_gcm_wrapper(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
-
-{
-    uint32_t actual_plaintext_length=plaintext_length; 
-
-	memset(iv, 0, 12);
-  uint8_t tag[16];uint32_t counter; uint32_t return_status;
-  if(enc == 0)
-  {
-    for(counter=0;counter<16;counter++)
-	tag[counter] = plaintext[counter + plaintext_length - 16]; 
-    actual_plaintext_length-=16;
-  }
-  return_status = aes_gcm_128(enc, key, iv, plaintext, actual_plaintext_length, ciphertext, ciphertext_length, tag);
-  if(enc == 1)
+ uint32_t aes_gcm_wrapper(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
   {
-    for(counter=0;counter<16;counter++)
-      ciphertext[counter + *ciphertext_length] = tag[counter];
-    *ciphertext_length=*ciphertext_length + 16;
+    uint32_t actual_plaintext_length=plaintext_length; 
+    uint8_t tag[16];uint32_t counter, return_status;
+	uint8_t iv[12]; 
+    if(enc == 0)
+	{
+                for(counter=0;counter<16;counter++)
+                        tag[counter]=plaintext[counter+plaintext_length-16]; 
+		for(counter=0;counter<12;counter++)
+			iv[counter]=plaintext[counter+plaintext_length-28]; 
+		actual_plaintext_length-=28; 
+	}
+	else
+	{
+		return_status=sgx_read_rand(iv, 12); 
+		if(return_status != 0)
+			return return_status;
+	}
+    return_status = aes_gcm_128(enc, key, iv, plaintext, actual_plaintext_length, ciphertext, ciphertext_length, tag);
+	if(enc == 1 && return_status == 0)
+	{
+                for(counter=0;counter<12;counter++)
+                        ciphertext[counter + *ciphertext_length] = iv[counter];
+		for(counter=0;counter<16;counter++)
+			ciphertext[counter + 12 + *ciphertext_length] = tag[counter];
+		*ciphertext_length=*ciphertext_length + 28;
+	}
+    return return_status;
   }
-//  if(return_status == 0)
-//    aes_gcm_increment_iv_internal_call(iv);
-  return return_status;
-}
+

+ 0 - 2
include/SgxProtobufLAInitiator.h

@@ -1,5 +1,3 @@
 uint32_t process_protobuf_dh_msg1_generate_protobuf_dh_msg2(protobuf_sgx_dh_msg1_t& protobuf_msg1, protobuf_sgx_dh_msg2_t& protobuf_msg2, uint32_t* session_id);
 uint32_t process_protobuf_dh_msg3(protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id);
-//uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, int ciphertext_len, unsigned char* op_plaintext, int* op_plaintext_len, unsigned char* ip_encrypted_tag);
 uint32_t aes_gcm_wrapper(int enc, unsigned char* ciphertext, uint32_t ciphertext_len, unsigned char* op_plaintext, uint32_t* op_plaintext_len);
-

BIN
localattestation_decryption.so


+ 30 - 42
systemMain.cpp

@@ -3,12 +3,11 @@
 #include <string>
 #include <unistd.h>
 #include <errno.h>
-
-//#include <fcntl.h>
-//#include <sys/types.h>
-//#include <sys/stat.h>
+#include<sys/time.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <stdio.h>
-
 #include "crypto.h"
 #include "ProtobufLAInitiator.h"
 using namespace std;
@@ -32,6 +31,7 @@ class Mitigator : public Php::Base
 	private:
 		static std::string mitigator_pubkey_header_value;
 		static std::string mitigator_pubkey_header;
+		static int time_file_fd;
 	public:
 		Mitigator() = default;
 		virtual ~Mitigator() = default;
@@ -39,10 +39,10 @@ class Mitigator : public Php::Base
 		static void local_attestation_initiator_wrapper()
 		{
 			setbuf(stdout,NULL);
-			uint32_t return_sgx, count, base64_encoded_token_H_length;
+			uint32_t return_sgx, base64_encoded_token_H_length;
 			unsigned char* base64_encoded_mitigator_header_and_value;
 
-			base64_encoded_mitigator_header_and_value = (unsigned char*) malloc( 400  ); 
+			base64_encoded_mitigator_header_and_value = (unsigned char*) malloc( 400 ); 
 			//		unsigned char base64_encoded_mitigator_header[229] ; //216=(ceil(160/3) * 4) + 1 (for null character) + 21 for "Mitigator-Public-Key"
 			memcpy(base64_encoded_mitigator_header_and_value, mitigator_pubkey_header.c_str(), mitigator_pubkey_header.length());
 			return_sgx = local_attestation_initiator(DECRYPTOR_PORT);
@@ -71,6 +71,7 @@ class Mitigator : public Php::Base
 				mitigator_pubkey_header_value=std::string((char*)base64_encoded_mitigator_header_and_value,mitigator_pubkey_header.length()+base64_encoded_token_H_length);
 			}
 			free(base64_encoded_mitigator_header_and_value); 
+			time_file_fd=open("target_time.txt", O_APPEND | O_WRONLY);
 		}
 
 		static Php::Value get_mitigator_header()
@@ -80,86 +81,73 @@ class Mitigator : public Php::Base
 
 		static Php::Value php_decrypt_wrapper(Php::Parameters &params   )
 		{
+			struct timeval  tv1, tv2;
+			char time_buf[60] = {0};
+			size_t bytes_written;
+                        unsigned long int new_time, old_time; 
+
+                        gettimeofday(&tv1, NULL);
 
-			unsigned char* plaintext_user_data, * base64_client_ciphertext, *base64_client_public_key, *base64_client_data, *client_data;
-			uint32_t plaintext_length, base64_client_ciphertext_length, base64_client_public_key_length, base64_client_data_length, client_data_length, ret_status, counter;
+			unsigned char* plaintext_user_data, * base64_client_ciphertext, *base64_client_public_key, *client_data;
+			uint32_t plaintext_length, base64_client_ciphertext_length, base64_client_public_key_length,  client_data_length, ret_status;
 			std::string plaintext_user_data_str; 
-			uint32_t old_client_data_length; 
+
 			base64_client_ciphertext = (unsigned char*) static_cast<const char*>(params[1]);
 			base64_client_public_key = (unsigned char*) static_cast<const char*>(params[0]);
 			base64_client_ciphertext_length = params[1].size();
 			base64_client_public_key_length = params[0].size();
 			
-
 			plaintext_user_data = (unsigned char*) malloc( base64_client_ciphertext_length );
 			plaintext_length = base64_client_ciphertext_length;
 			memcpy(plaintext_user_data, base64_client_ciphertext, base64_client_ciphertext_length);
 			plaintext_user_data_str = std::string((char*) plaintext_user_data, base64_client_ciphertext_length); 
-/*
-			printf("Base64 encoded key:\n");
-			for(counter=0; counter < base64_client_public_key_length; counter++)
-				printf("%c", base64_client_public_key[counter]);
-			printf("\n"); fflush(stdout);
-
-			printf("Ciphertext received:\n");
-			for(counter=0; counter < base64_client_ciphertext_length; counter++ )
-				printf("%c", base64_client_ciphertext[counter]);
-			printf("\n"); fflush(stdout);
-*/			
+			
 			client_data = (unsigned char*) malloc(base64_client_ciphertext_length + base64_client_public_key_length); 
 			ret_status = base64_decoding_wrapper(client_data, base64_client_public_key, base64_client_public_key_length);
 			if(ret_status<=0)
 			{
-//                                printf("Could not do base64 decoding correctly.\n"); fflush(stdout); 
+                                printf("Could not do base64 decoding correctly.\n"); fflush(stdout); 
                                 free(plaintext_user_data);
                                 free(client_data);
                                 return plaintext_user_data_str; 
 			}
 			client_data_length = ret_status; 
-			old_client_data_length=client_data_length; 
-/*			printf("Client public key:\n"); 
-			for(counter=0; counter<client_data_length; counter++)
-				printf("%d ", client_data[counter]);
-*/
 
                         ret_status = base64_decoding_wrapper(client_data + client_data_length, base64_client_ciphertext, base64_client_ciphertext_length);
                         if(ret_status<=0)
                         {
-//                                printf("Could not do base64 decoding correctly.\n"); fflush(stdout); 
+                                printf("Could not do base64 decoding correctly.\n"); fflush(stdout); 
                                 free(plaintext_user_data);
                                 free(client_data);
                                 return plaintext_user_data_str; 
-                        }
+                        }                         
                         client_data_length += ret_status; 
 
-/*			printf("\n Ciphertext from client:\n"); 
-                        for(counter=old_client_data_length; counter<client_data_length; counter++)
-                                printf("%d ", client_data[counter]);
-			printf("\n"); fflush(stdout);
-*/			
 			ret_status=decrypt_client_data_through_decryptor(client_data, client_data_length, (unsigned char*) plaintext_user_data, &plaintext_length);
 			if(ret_status != 0)
 			{
-//				printf("Received error code: 0x%02x\n", ret_status); fflush(stdout);
+				printf("Received error code when trying to decrypt data thru decryptor: 0x%02x\n", ret_status); fflush(stdout);
 				free(client_data);
 				free(plaintext_user_data);
 				return plaintext_user_data_str;
 			}
-			
-/*			printf("Going to return this plaintext:\n");
-			for(counter=0;counter<plaintext_length;counter++)
-				printf("%c", plaintext_user_data[counter]);
-			fflush(stdout);
-*/
+
 			plaintext_user_data_str = std::string((char*) plaintext_user_data, plaintext_length);
 			free(plaintext_user_data); 
 			free(client_data); 
+
+			gettimeofday(&tv2, NULL);
+                        new_time=tv2.tv_usec + tv2.tv_sec * 1000000; 
+                        old_time=tv1.tv_usec + tv1.tv_sec * 1000000; 
+                        bytes_written=sprintf(time_buf,  "%lu %lu\n", old_time, new_time); 
+                        write(time_file_fd, time_buf, bytes_written);
 			return plaintext_user_data_str;
 		}
 };
 
 std::string Mitigator::mitigator_pubkey_header_value=std::string("!");
 std::string Mitigator::mitigator_pubkey_header=std::string("Mitigator-Public-Key:");
+int Mitigator::time_file_fd=0; 
 extern "C" {
 
     // export the "get_module" function that will be called by the Zend engine