LocalAttestationUntrusted.cpp 12 KB

  1. // Knows only protobuf_sgx objects, protobuf header.
  2. // For socket programming
  3. #include <sys/socket.h>
  4. #include <stdlib.h>
  5. #include <netinet/in.h>
  6. #include <string.h>
  7. #include <errno.h>
  8. #include <unistd.h>
  9. #include <stdio.h>
  10. #include "ProtobufLAMessages.pb.h"
  11. #include <google/protobuf/io/coded_stream.h>
  12. #include <google/protobuf/io/zero_copy_stream_impl.h>
  13. using namespace google::protobuf::io;
  14. #include "protobufLAInitiator.h"
  15. #include "../Decryptor/Decryptor_u.h"
  16. #include <iostream>
  17. #include "LocalAttestationUntrusted.h"
  18. #include<sys/time.h>
  19. #include <fcntl.h>
  20. #include <sys/types.h>
  21. #include <sys/stat.h>
  // Class-wide state for the responder side of local attestation.
  // Every accepted connection reads and writes these same objects.

  // Passed by address to the DH message helpers in this file.
  uint32_t LocalAttestationUntrusted::session_id = 0;

  // Filled by prepare_local_attestation_as_responder_msg1() and written to the
  // peer by local_attestation_msg2_msg3().
  protobuf_sgx_dh_msg1_t LocalAttestationUntrusted::protobuf_msg1;

  // Not referenced by the functions visible in this file.
  uint8_t* LocalAttestationUntrusted::output_ciphertext_plus_tag = NULL;
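  // Reads one varint-length-prefixed protobuf message from accept_fd into
  // `message`.
  //
  // Returns 0 on success and -1 when the length prefix cannot be read, is too
  // large to express as a parse limit, or the payload fails to parse.
  //
  // NOTE(review): a fresh FileInputStream is built per call and may read ahead
  // of the current message; bytes it buffered beyond this message are dropped
  // when it is destroyed. That is harmless for strict request/response use -
  // confirm the peers never pipeline messages.
  int LocalAttestationUntrusted::read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
  {
      // Stack objects are released on every return path (the heap versions
      // leaked on both error returns) and are destroyed in reverse order:
      // coded_input first, raw_input second. CodedInputStream's destructor
      // hands unread bytes back to the underlying stream, so the underlying
      // stream must still be alive at that point.
      FileInputStream raw_input(accept_fd);
      CodedInputStream coded_input(&raw_input);

      uint32_t size = 0;
      if (!coded_input.ReadVarint32(&size))
      {
          printf("Error in reading size of msg");
          fflush(stdout);
          return -1;
      }

      // The length prefix is chosen by the peer. PushLimit() takes an int, so
      // refuse anything that would turn negative in the conversion instead of
      // parsing with an unintended limit.
      if (size > 0x7fffffffU)
      {
          printf("Error in reading size of msg");
          fflush(stdout);
          return -1;
      }
      fflush(stdout);

      // Confine the parser to exactly the advertised number of bytes.
      const CodedInputStream::Limit limit = coded_input.PushLimit(static_cast<int>(size));
      if (!message.ParseFromCodedStream(&coded_input))
      {
          printf("Error in parsing msg");
          fflush(stdout);
          return -1;
      }
      coded_input.PopLimit(limit);
      return 0;
  }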
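  // Writes `message` to accept_fd as a varint length prefix followed by the
  // serialized bytes (the framing read_protobuf_msg_from_fd expects).
  //
  // Returns 0 once the bytes have been flushed to the descriptor, -1 if
  // serialization fails or the flush to the descriptor fails.
  int LocalAttestationUntrusted::write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& message)
  {
      // Stack objects: nothing leaks on the error return, and the coded stream
      // is destroyed before the file stream it writes through.
      FileOutputStream raw_output(accept_fd);
      bool serialized = false;
      {
          CodedOutputStream coded_output(&raw_output);
          coded_output.WriteVarint32(message.ByteSize());
          serialized = message.SerializeToCodedStream(&coded_output) && !coded_output.HadError();
          // Leaving this scope returns the unused tail of the buffer to
          // raw_output, so the Flush() below sends exactly what was written.
      }

      if (!serialized)
      {
          // Whatever was buffered before the failure is still flushed when
          // raw_output goes out of scope; callers should treat the connection
          // as unusable after a -1.
          printf("SerializeToCodedStream failed");
          fflush(stdout);
          return -1;
      }

      // Push the bytes to the descriptor now so that a failed write (peer gone,
      // descriptor closed) is reported to the caller instead of being lost in a
      // destructor.
      if (!raw_output.Flush())
      {
          printf("Error in writing msg to fd - %d", raw_output.GetErrno());
          fflush(stdout);
          return -1;
      }

      fflush(stdout);
      return 0;
  }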
  71. // Sets up a socket to bind and listen to the given port. Returns FD of the socket on success, -1 on failure (and prints a msg to stdout with the errno)
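  // Creates a TCP listening socket bound to `port` and fills `address` with the
  // address it was bound to.
  //
  // Returns the listening descriptor on success, -1 on failure (a message with
  // errno goes to stdout). On failure no descriptor is left open.
  int LocalAttestationUntrusted::set_up_socket(int port, sockaddr_in* address)
  {
      // htons() would silently truncate an out-of-range port to 16 bits.
      if (address == NULL || port < 0 || port > 65535)
      {
          printf("Error in binding %d - port was %d - ", EINVAL, port);
          return -1;
      }

      // Creating socket file descriptor for listening for attestation requests.
      // SOCK_CLOEXEC keeps the listener from leaking into exec'd children.
      const int server_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
      if (server_fd == -1)
      {
          printf("Error in creating a socket - %d", errno);
          return -1;
      }

      // Preparing the address struct for binding. Callers in this file pass an
      // uninitialized struct, so clear it (including sin_zero) first.
      memset(address, 0, sizeof(*address));
      address->sin_family = AF_INET;
      // NOTE(review): INADDR_ANY accepts connections on every interface. If all
      // peers of this local-attestation endpoint run on the same host, binding
      // to htonl(INADDR_LOOPBACK) would keep it off the network. Left unchanged
      // here because the deployment is not visible from this file.
      address->sin_addr.s_addr = INADDR_ANY;
      address->sin_port = htons(port);
      const socklen_t addrlen = sizeof(*address);

      // Binding
      if (bind(server_fd, (sockaddr*) address, addrlen) < 0)
      {
          printf("Error in binding %d - port was %d - ", errno, port);
          close(server_fd); // do not leak the descriptor on failure
          return -1;
      }

      // Listening
      if (listen(server_fd, 128) < 0)
      {
          printf("Error in listening %d", errno);
          close(server_fd); // do not leak the descriptor on failure
          return -1;
      }
      return server_fd;
  }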
  // Runs the responder's half of the DH exchange on an accepted connection:
  // send the stored message 1, read message 2, derive message 3, send it.
  //
  // Returns 0 on success; 0x1 / 0x2 / 0x3 when writing msg1, reading msg2 or
  // writing msg3 fails; otherwise the non-zero status from
  // process_protobuf_dh_msg2_generate_protobuf_dh_msg3.
  //
  // NOTE(review): protobuf_msg1 and session_id are static members, so every
  // connection handled here shares them - confirm that is intended.
  uint32_t LocalAttestationUntrusted::local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd)
  {
      protobuf_sgx_dh_msg2_t msg2_from_peer;
      protobuf_sgx_dh_msg3_t msg3_for_peer;

      printf("Writing message 1\n");
      fflush(stdout);
      if (write_protobuf_msg_to_fd(accept_fd, protobuf_msg1) != 0)
      {
          return 0x1;
      }

      printf("Reading message 2\n");
      fflush(stdout);
      if (read_protobuf_msg_from_fd(accept_fd, msg2_from_peer) != 0)
      {
          return 0x2;
      }

      const uint32_t dh_status = process_protobuf_dh_msg2_generate_protobuf_dh_msg3(
          own_enclave_id, msg2_from_peer, msg3_for_peer, &LocalAttestationUntrusted::session_id);
      if (dh_status != 0)
      {
          printf("Error in generate_protobuf_dh_msg2: 0x%x", dh_status);
          fflush(stdout);
          return dh_status;
      }

      printf("Writing message 3\n");
      fflush(stdout);
      return (write_protobuf_msg_to_fd(accept_fd, msg3_for_peer) != 0) ? 0x3 : 0;
  }
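  // Handles one request on an attested connection: reads an encrypted message
  // from `fd`, passes it to the enclave wrapper, writes the response back and
  // appends the start/end timestamps (microseconds) to time_file_fd.
  //
  // input_ciphertext_plus_tag / output_ciphertext_plus_tag are caller-owned
  // scratch buffers. Returns 0 when a response was written, 0xfe when the
  // request could not be read or its length is unacceptable, 0xfc when the
  // response could not be written.
  int LocalAttestationUntrusted::decrypt_client_data(uint32_t own_enclave_id, int fd, uint8_t* output_ciphertext_plus_tag, uint8_t* input_ciphertext_plus_tag, int time_file_fd)
  {
      // Size of the scratch buffers as allocated by the caller in this file
      // (post_local_attestation_with_apache mallocs 4100 bytes for each). Keep
      // this in step with that allocation.
      const uint32_t buffer_capacity = 4100;
      // The message begins with a 64-byte public key; client data follows it.
      const uint32_t public_key_length = 64;

      protobuf_post_LA_encrypted_msg_t protobuf_msg;
      protobuf_post_LA_encrypted_msg_t protobuf_msg_response;
      uint32_t sgx_ret_status = 0;
      // Initialized so that nothing below reads an indeterminate length if the
      // wrapper returns without setting it.
      uint32_t output_ciphertext_plus_tag_length = 0;
      struct timeval tv1, tv2;
      char time_buf[60] = {0};
      uint32_t count;

      if (read_protobuf_msg_from_fd(fd, protobuf_msg) != 0)
          return 0xfe;
      gettimeofday(&tv1, NULL);

      // The length is controlled by the peer. Without these checks a short
      // message makes "length - 64" wrap around, and a long one overruns the
      // caller's buffer in the copy below.
      const size_t received_length = protobuf_msg.msg().length();
      if (received_length < public_key_length || received_length > buffer_capacity)
      {
          printf("\n Rejecting client message of unexpected length %lu\n", (unsigned long) received_length);
          fflush(stdout);
          return 0xfe;
      }
      const uint32_t input_ciphertext_plus_tag_length = (uint32_t) received_length;
      const uint8_t* protobuf_msg_ptr = (const uint8_t*) protobuf_msg.msg().c_str();

      // Just so that the ciphertext - client data - is returned back to Apache in case this function fails.
      // client data is after public key (64 bytes)
      protobuf_msg_response.set_msg((const void*) (protobuf_msg_ptr + public_key_length), input_ciphertext_plus_tag_length - public_key_length);
      memcpy(input_ciphertext_plus_tag, protobuf_msg_ptr, input_ciphertext_plus_tag_length);

      // We assume that the output is not changed unless it is successful throughout.
      // NOTE(review): only the status written through &sgx_ret_status is
      // inspected; if the wrapper also returns a status of its own, it is not
      // checked here - confirm against Decryptor_u.h.
      Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext_plus_tag, &output_ciphertext_plus_tag_length);

      if (sgx_ret_status == 0 && output_ciphertext_plus_tag_length <= buffer_capacity)
      {
          protobuf_msg_response.set_msg((const void*) output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
      }
      else
      {
          printf("\n Error in decryptors call to the process_apache wrapper : 0x%02x\n", sgx_ret_status);
          // Never dump past the end of the caller's buffer, whatever length
          // was reported.
          const uint32_t dump_length = (output_ciphertext_plus_tag_length <= buffer_capacity) ? output_ciphertext_plus_tag_length : buffer_capacity;
          for (count = 0; count < dump_length; count++)
              printf("0x%02x ", output_ciphertext_plus_tag[count]);
          printf("\n");
          fflush(stdout);
      }

      if (write_protobuf_msg_to_fd(fd, protobuf_msg_response) != 0)
          return 0xfc;

      gettimeofday(&tv2, NULL);
      const unsigned long new_time = (unsigned long) tv2.tv_usec + (unsigned long) tv2.tv_sec * 1000000UL;
      const unsigned long old_time = (unsigned long) tv1.tv_usec + (unsigned long) tv1.tv_sec * 1000000UL;
      const int formatted = snprintf(time_buf, sizeof(time_buf), "%lu %lu\n", old_time, new_time);
      // Timing output is best-effort: skip it when the caller could not open
      // the file, and ignore a failed write.
      if (time_file_fd >= 0 && formatted > 0 && (size_t) formatted < sizeof(time_buf))
      {
          const ssize_t written = write(time_file_fd, time_buf, (size_t) formatted);
          (void) written;
      }
      return 0;
  }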
  // Asks generate_protobuf_dh_msg1 to fill the class-wide protobuf_msg1 (and
  // session_id) for the given enclave.
  //
  // Returns 0 on success, otherwise the non-zero status from that call after
  // logging it to stdout.
  int LocalAttestationUntrusted::prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id)
  {
      const uint32_t msg1_status = generate_protobuf_dh_msg1(
          own_enclave_id, protobuf_msg1, &LocalAttestationUntrusted::session_id);
      if (msg1_status == 0)
      {
          return 0;
      }

      printf("Error in generate_protobuf_dh_msg1: 0x%x", msg1_status);
      fflush(stdout);
      return msg1_status;
  }
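  // Opens the listening socket for local attestation requests on `port`.
  // Returns the listening descriptor, or -1 on failure (see set_up_socket).
  int LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(int port)
  {
      // Zero the struct before handing it on: set_up_socket assigns only
      // sin_family, sin_addr and sin_port, so sin_zero would otherwise reach
      // bind() holding whatever was on the stack.
      struct sockaddr_in own_addr;
      memset(&own_addr, 0, sizeof(own_addr));
      return set_up_socket(port, &own_addr);
  }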
  185. // TODO: CHANGED SIGNATURE.
  // Accepts one connection on server_fd and runs the msg1/msg2/msg3 exchange
  // on it.
  //
  // On a failed accept() the negative result is returned and *accept_fd is not
  // written. Otherwise *accept_fd receives the new descriptor and the status of
  // local_attestation_msg2_msg3 is returned (0 on success).
  //
  // NOTE(review): the accepted descriptor is not closed here when the exchange
  // fails; presumably the caller closes *accept_fd - verify against callers.
  int LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd, int* accept_fd)
  {
      struct sockaddr_storage peer_addr;
      socklen_t peer_addr_len = sizeof(peer_addr);

      const int connection_fd = accept(server_fd, (struct sockaddr*) &peer_addr, &peer_addr_len);
      if (connection_fd < 0)
      {
          printf("Error in accepting %d", errno);
          fflush(stdout);
          return connection_fd;
      }

      *accept_fd = connection_fd;
      const uint32_t exchange_status = local_attestation_msg2_msg3(own_enclave_id, connection_fd);
      return exchange_status;
  }
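  // After attestation with the verifier: reads the 60-byte encrypted Apache
  // mrsigner (plus tag) from accept_fd, has the enclave wrapper process it, and
  // prints the 64 bytes returned by
  // Decryptor_get_verifier_mrenclave_apache_mrsigner_wrapper as two rows of 32.
  //
  // accept_fd is closed on every path. Returns 0 on success, 0xfe when the 60
  // bytes could not be read, otherwise the non-zero status from the wrapper.
  int LocalAttestationUntrusted::post_local_attestation_with_verifier(uint32_t own_enclave_id, int accept_fd)
  {
      const size_t expected_length = 60;
      // Starts non-zero so the function fails closed if the wrapper returns
      // without writing a status.
      uint32_t protobuf_sgx_ret = 0xffffffff;
      uint8_t encrypted_apache_mrsigner_and_tag[150];
      memset(encrypted_apache_mrsigner_and_tag, 0, sizeof(encrypted_apache_mrsigner_and_tag));
      size_t count;

      printf("Here\n"); fflush(stdout);

      // A stream socket may deliver the 60 bytes in several pieces, so keep
      // reading until they are all here, the peer closes, or read() fails.
      // read() returns a signed value; keep it signed so -1 is seen as an error.
      size_t bytes_read = 0;
      while (bytes_read < expected_length)
      {
          const ssize_t chunk = read(accept_fd, encrypted_apache_mrsigner_and_tag + bytes_read, expected_length - bytes_read);
          if (chunk < 0 && errno == EINTR)
              continue;
          if (chunk <= 0)
              break;
          bytes_read += (size_t) chunk;
      }
      if (bytes_read != expected_length)
      {
          printf("Not all of the encrypted apache's mrsigner was read from the verifier.\n"); fflush(stdout);
          close(accept_fd);
          return 0xfe;
      }

      for (count = 0; count < expected_length; count++)
          printf("0x%02x ", encrypted_apache_mrsigner_and_tag[count]);
      printf("\n"); fflush(stdout);

      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &protobuf_sgx_ret, encrypted_apache_mrsigner_and_tag, 60);
      if (protobuf_sgx_ret != 0)
      {
          printf("Error in decryption: 0x%x\n", protobuf_sgx_ret); fflush(stdout);
          close(accept_fd);
          return protobuf_sgx_ret;
      }
      printf("Successful decryption\n"); fflush(stdout);
      close(accept_fd);

      // Zeroed first so that stack contents are never printed if the wrapper
      // leaves part of the buffer unwritten.
      uint8_t output[64];
      memset(output, 0, sizeof(output));
      Decryptor_get_verifier_mrenclave_apache_mrsigner_wrapper(own_enclave_id, output);
      for (count = 0; count < 32; count++)
          printf("0x%x ", output[count]);
      printf("\n"); // was "/n", which printed the two characters literally
      for (count = 32; count < 64; count++)
          printf("0x%x ", output[count]);
      printf("\n");
      fflush(stdout);
      return 0;
  }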
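  // After attestation with Apache: sends the encrypted mitigator header H,
  // prints the enclave's short-term public key, then serves requests through
  // decrypt_client_data until it reports a non-zero status.
  //
  // accept_fd is closed on every path. Returns 0xf3 when the header cannot be
  // generated, 0xfe when it cannot be sent or the work buffers cannot be
  // allocated, otherwise the status that ended the request loop.
  int LocalAttestationUntrusted::post_local_attestation_with_apache(uint32_t own_enclave_id, int accept_fd)
  {
      protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
      uint8_t encrypted_sign_data_and_sign_and_tag[200]; // 176+12 for IV = 188
      memset(encrypted_sign_data_and_sign_and_tag, 0x0, sizeof(encrypted_sign_data_and_sign_and_tag));
      uint32_t op_length = 0;
      uint32_t internal_return_status;
      uint32_t count;
      // Starts non-zero so the function fails closed if the wrapper returns
      // without writing a status.
      uint32_t sgx_ret = 0xffffffff;

      Decryptor_create_and_encrypt_mitigator_header_H_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag, &op_length);
      if (sgx_ret != 0)
      {
          printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout);
          close(accept_fd);
          return 0xf3;
      }
      // op_length is used below as a read length over a 200-byte array; a
      // larger value would read (and send) memory past the end of it.
      if (op_length > sizeof(encrypted_sign_data_and_sign_and_tag))
      {
          printf("Error in generating encrypted mitigator header:0x%x\n", op_length); fflush(stdout);
          close(accept_fd);
          return 0xf3;
      }

      for (count = 0; count < op_length; count++)
      {
          printf("0x%02x ", encrypted_sign_data_and_sign_and_tag[count]);
      }
      printf("\n"); fflush(stdout);

      protobuf_encrypted_msg.set_msg((const void*) encrypted_sign_data_and_sign_and_tag, op_length);
      if (write_protobuf_msg_to_fd(accept_fd, protobuf_encrypted_msg) != 0)
      {
          printf("Not all of the mitigator token H was written to the Apache.\n"); fflush(stdout);
          close(accept_fd);
          return 0xfe;
      }

      uint8_t public_key[64];
      memset(public_key, 0, sizeof(public_key));
      Decryptor_get_short_term_public_key_wrapper(own_enclave_id, public_key);
      for (count = 0; count < 64; count++)
          printf("%02x ", public_key[count]);
      printf("\n"); fflush(stdout);

      // Work buffers for decrypt_client_data. It receives bare pointers, so it
      // has to enforce this same 4100-byte size on the lengths it accepts.
      // calloc: the buffers start zeroed rather than holding old heap contents.
      const size_t buffer_capacity = 4100; // 12 bytes for ciphertext iv + 16 bytes for ciphertext tag = 28 byte
      uint8_t* output_ciphertext_plus_tag = (uint8_t*) calloc(1, buffer_capacity);
      uint8_t* input_ciphertext_plus_tag = (uint8_t*) calloc(1, buffer_capacity);
      if (output_ciphertext_plus_tag == NULL || input_ciphertext_plus_tag == NULL)
      {
          printf("Error in allocating buffers for client data.\n"); fflush(stdout);
          free(output_ciphertext_plus_tag);
          free(input_ciphertext_plus_tag);
          close(accept_fd);
          return 0xfe;
      }

      // No O_CREAT: the file must already exist. When it does not, the fd is -1
      // and timing output is simply not recorded.
      int time_file_fd = open("decryptor_time.txt", O_APPEND | O_WRONLY | O_CLOEXEC);

      do {
          internal_return_status = decrypt_client_data(own_enclave_id, accept_fd, output_ciphertext_plus_tag, input_ciphertext_plus_tag, time_file_fd);
      } while (internal_return_status == 0);

      close(accept_fd);
      if (time_file_fd >= 0)
          close(time_file_fd); // was left open, leaking one descriptor per connection
      free(output_ciphertext_plus_tag);
      free(input_ciphertext_plus_tag);
      return internal_return_status;
  }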