diff --git a/demos/local_attestation/AppInitiator/app.cpp b/demos/local_attestation/AppInitiator/app.cpp index 21424b27..da2a094d 100644 --- a/demos/local_attestation/AppInitiator/app.cpp +++ b/demos/local_attestation/AppInitiator/app.cpp @@ -17,60 +17,83 @@ pthread_t thread; sgx_enclave_id_t initiator_enclave_id = 0; -void* attestation(void *arg); +void *attestation(void *arg); -int main(int argc, char* argv[]) -{ +int main(int argc, char *argv[]) { int update = 0; sgx_launch_token_t token = {0}; sgx_status_t status; int exit_status = 0; - const char* occlum_instance_dir = ".occlum"; - const char* cmd_path = "/bin/responder"; // Prepare cmd path and arguments - const char* cmd_args[] = {NULL}; + const char *occlum_instance_dir = ".occlum"; + const char *cmd_path = "/bin/responder"; // Prepare cmd path and arguments + const char *cmd_args[] = {NULL}; // create ECDH initiator enclave - status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update, &initiator_enclave_id, NULL); - if (status != SGX_SUCCESS) - { - printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status); + status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update, + &initiator_enclave_id, NULL); + if (status != SGX_SUCCESS) { + printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, + status); return -1; } printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME); - if (occlum_pal_init(occlum_instance_dir) < 0) - { + struct occlum_pal_attr attr { + .instance_dir = occlum_instance_dir, + .log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"), + }; + if (occlum_pal_init(&attr) < 0) { return EXIT_FAILURE; } - if (pthread_create(&thread, NULL, attestation, NULL) < 0) - { + if (pthread_create(&thread, NULL, attestation, NULL) < 0) { printf("pthread_create failed\n"); return -1; } - // Use Occlum PAL to execute the cmd - if (occlum_pal_exec(cmd_path, cmd_args, &exit_status) < 0) - { + // Use Occlum PAL to create new process for the responder + struct occlum_stdio_fds io_fds = { + .stdin_fd = STDIN_FILENO, + .stdout_fd = STDOUT_FILENO, + .stderr_fd = STDERR_FILENO, + }; + + int libos_tid = 0; + struct occlum_pal_create_process_args create_process_args = { + .path = cmd_path, + .argv = cmd_args, + .env = NULL, + .stdio = (const struct occlum_stdio_fds *) &io_fds, + .pid = &libos_tid, + }; + + if (occlum_pal_create_process(&create_process_args) < 0) { + return EXIT_FAILURE; + } + + // execute the responder process + struct occlum_pal_exec_args exec_args = { + .pid = libos_tid, + .exit_value = &exit_status, + }; + if (occlum_pal_exec(&exec_args) < 0) { return EXIT_FAILURE; } // wait for end and destroy - if (pthread_join(thread, NULL) < 0) - { + if (pthread_join(thread, NULL) < 0) { printf("pthread_join failed\n"); return -1; } status = sgx_destroy_enclave(initiator_enclave_id); - if (status != SGX_SUCCESS) - { - printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status); + if (status != SGX_SUCCESS) { + printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, + status); return -1; } - if (occlum_pal_destroy() < 0) - { + if (occlum_pal_destroy() < 0) { printf("occlum_pal_destroy failed, errno is %d\n", errno); return -1; } @@ -81,24 +104,23 @@ int main(int argc, char* argv[]) // create ECDH session using initiator enclave // it would create ECDH session with responder enclave running in another process -void* attestation(void *arg) -{ +void *attestation(void *arg) { sgx_status_t status; uint32_t ret_status; - sleep(3); + sleep(5); status = test_create_session(initiator_enclave_id, &ret_status); - if (status != SGX_SUCCESS || ret_status != 0) - { - printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status); + if (status != SGX_SUCCESS || ret_status != 0) { + printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n", + status, ret_status); return NULL; } printf("succeed to establish secure channel.\n"); status = test_message_exchange(initiator_enclave_id, &ret_status); - if (status != SGX_SUCCESS || ret_status != 0) - { - printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status); + if (status != SGX_SUCCESS || ret_status != 0) { + printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", + status, ret_status); sgx_destroy_enclave(initiator_enclave_id); return NULL; } @@ -106,9 +128,9 @@ void* attestation(void *arg) // close ECDH session status = test_close_session(initiator_enclave_id, &ret_status); - if (status != SGX_SUCCESS || ret_status != 0) - { - printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status); + if (status != SGX_SUCCESS || ret_status != 0) { + printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", + status, ret_status); return NULL; } printf("Succeed to close session.\n"); diff --git a/demos/local_attestation/AppResponder/proc_msg.c b/demos/local_attestation/AppResponder/proc_msg.c index b11877d7..cc105150 100644 --- a/demos/local_attestation/AppResponder/proc_msg.c +++ b/demos/local_attestation/AppResponder/proc_msg.c @@ -12,17 +12,15 @@ #define SAFE_FREE(ptr) {if (NULL != (ptr)) {free(ptr); (ptr) = NULL;}} #define MESSAGE_EXCHANGE 0x0 -int proc(FIFO_MSG * message); +int proc(FIFO_MSG *message); extern int m_shutdown; -typedef struct _secure_message_t -{ +typedef struct _secure_message_t { uint32_t session_id; //Session ID identifyting the session to which the message belongs sgx_aes_gcm_data_t message_aes_gcm_data; } secure_message_t; -typedef struct _ms_in_msg_exchange_t -{ +typedef struct _ms_in_msg_exchange_t { uint32_t msg_type; //Type of Call E2E or general message exchange uint32_t target_fn_id; //Function Id to be called in Destination. Is valid only when msg_type=ENCLAVE_TO_ENCLAVE_CALL uint32_t inparam_buff_len; //Length of the serialized input parameters @@ -30,8 +28,7 @@ typedef struct _ms_in_msg_exchange_t } ms_in_msg_exchange_t; //Format of the return value and output function parameter structure -typedef struct _ms_out_msg_exchange_t -{ +typedef struct _ms_out_msg_exchange_t { uint32_t retval_len; //Length of the return value uint32_t ret_outparam_buff_len; //Length of the serialized return value and output parameters char ret_outparam_buff[1]; //Serialized return value and output parameters @@ -42,29 +39,26 @@ typedef struct _ms_out_msg_exchange_t * Parameter Description: * [input] clientfd: this is client's connection id. After generating ECDH message 1, server would send back response through this connection id. * */ -int generate_and_send_session_msg1_resp(int clientfd) -{ +int generate_and_send_session_msg1_resp(int clientfd) { int retcode = 0; uint32_t status = 0; sgx_status_t ret = SGX_SUCCESS; SESSION_MSG1_RESP msg1resp; - FIFO_MSG * fifo_resp = NULL; + FIFO_MSG *fifo_resp = NULL; size_t respmsgsize; memset(&msg1resp, 0, sizeof(SESSION_MSG1_RESP)); // call responder enclave to generate ECDH message 1 ret = session_request(&msg1resp.dh_msg1, &msg1resp.sessionid); - if (ret != SGX_SUCCESS) - { + if (ret != SGX_SUCCESS) { printf("failed to do ECALL session_request.\n"); return -1; } respmsgsize = sizeof(FIFO_MSG) + sizeof(SESSION_MSG1_RESP); fifo_resp = (FIFO_MSG *)malloc(respmsgsize); - if (!fifo_resp) - { + if (!fifo_resp) { printf("memory allocation failure.\n"); return -1; } @@ -76,8 +70,7 @@ int generate_and_send_session_msg1_resp(int clientfd) memcpy(fifo_resp->msgbuf, &msg1resp, sizeof(SESSION_MSG1_RESP)); //send message 1 to client - if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1) - { + if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1) { printf("fail to send msg1 response.\n"); retcode = -1; } @@ -90,21 +83,20 @@ int generate_and_send_session_msg1_resp(int clientfd) * [input] clientfd: this is client's connection id * [input] msg2: this contains ECDH message 2 received from client * */ -int process_exchange_report(int clientfd, SESSION_MSG2 * msg2) -{ +int process_exchange_report(int clientfd, SESSION_MSG2 *msg2) { uint32_t status = 0; sgx_status_t ret = SGX_SUCCESS; FIFO_MSG *response; - SESSION_MSG3 * msg3; + SESSION_MSG3 *msg3; size_t msgsize; - if (!msg2) + if (!msg2) { return -1; + } msgsize = sizeof(FIFO_MSG_HEADER) + sizeof(SESSION_MSG3); response = (FIFO_MSG *)malloc(msgsize); - if (!response) - { + if (!response) { printf("memory allocation failure\n"); return -1; } @@ -118,16 +110,14 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2) // call responder enclave to process ECDH message 2 and generate message 3 ret = exchange_report(&msg2->dh_msg2, &msg3->dh_msg3, msg2->sessionid); - if (ret != SGX_SUCCESS) - { + if (ret != SGX_SUCCESS) { printf("Enclave Response_exchange_report failure.\n"); free(response); return -1; } // send ECDH message 3 to client - if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1) - { + if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1) { printf("server_send() failure.\n"); free(response); return -1; @@ -137,111 +127,114 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2) return 0; } -uint32_t get_message_exchange_response(uint32_t inp_secret_data) -{ +uint32_t get_message_exchange_response(uint32_t inp_secret_data) { uint32_t secret_response; - printf("secret=0x%x\n",inp_secret_data); + printf("secret=0x%x\n", inp_secret_data); //User should use more complex encryption method to protect their secret, below is just a simple example secret_response = inp_secret_data & 0x11111111; return secret_response; } -int umarshal_message_exchange_request(uint32_t* inp_secret_data, ms_in_msg_exchange_t* ms) -{ - char* buff; +int umarshal_message_exchange_request(uint32_t *inp_secret_data, + ms_in_msg_exchange_t *ms) { + char *buff; size_t len; - if(!inp_secret_data || !ms) + if (!inp_secret_data || !ms) { return -1; + } buff = ms->inparam_buff; len = ms->inparam_buff_len; - if(len != sizeof(uint32_t)) + if (len != sizeof(uint32_t)) { return -1; + } memcpy(inp_secret_data, buff, sizeof(uint32_t)); return 0; } -int marshal_message_exchange_response(char** resp_buffer, size_t* resp_length, uint32_t secret_response) -{ +int marshal_message_exchange_response(char **resp_buffer, size_t *resp_length, + uint32_t secret_response) { ms_out_msg_exchange_t *ms; size_t secret_response_len, ms_len; size_t retval_len, ret_param_len; - if(!resp_length) + if (!resp_length) { return -1; + } secret_response_len = sizeof(secret_response); retval_len = secret_response_len; ret_param_len = secret_response_len; ms_len = sizeof(ms_out_msg_exchange_t) + ret_param_len; ms = (ms_out_msg_exchange_t *)malloc(ms_len); - if(!ms) + if (!ms) { return -1; + } ms->retval_len = (uint32_t)retval_len; ms->ret_outparam_buff_len = (uint32_t)ret_param_len; memcpy(&ms->ret_outparam_buff, &secret_response, secret_response_len); - *resp_buffer = (char*)ms; + *resp_buffer = (char *)ms; *resp_length = ms_len; return 0; } -int message_exchange_response_generator(char* decrypted_data, - char** resp_buffer, - size_t* resp_length) -{ +int message_exchange_response_generator(char *decrypted_data, + char **resp_buffer, + size_t *resp_length) { ms_in_msg_exchange_t *ms; uint32_t inp_secret_data; uint32_t out_secret_data; - if(!decrypted_data || !resp_length) + if (!decrypted_data || !resp_length) { return -1; + } ms = (ms_in_msg_exchange_t *)decrypted_data; - if(umarshal_message_exchange_request(&inp_secret_data,ms) <0) + if (umarshal_message_exchange_request(&inp_secret_data, ms) < 0) { return -1; + } out_secret_data = get_message_exchange_response(inp_secret_data); - if(marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data) < 0) + if (marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data) < 0) { return -1; + } return 0; } -int generate_response(secure_message_t* req_message, +int generate_response(secure_message_t *req_message, size_t req_message_size, size_t max_payload_size, - secure_message_t* resp_message, + secure_message_t *resp_message, size_t resp_message_size, - uint32_t session_id) -{ + uint32_t session_id) { #define TAG_SIZE 16 - const uint8_t* plaintext; + const uint8_t *plaintext; uint32_t plaintext_length; uint8_t *decrypted_data; uint32_t decrypted_data_length; uint32_t plain_text_offset; - ms_in_msg_exchange_t * ms; + ms_in_msg_exchange_t *ms; size_t resp_data_length; size_t resp_message_calc_size; - char* resp_data; + char *resp_data; uint8_t l_tag[TAG_SIZE]; size_t header_size, expected_payload_size; dh_session_t *session_info; - secure_message_t* temp_resp_message; + secure_message_t *temp_resp_message; uint32_t ret; sgx_status_t status; - plaintext = (const uint8_t*)(" "); + plaintext = (const uint8_t *)(" "); plaintext_length = 0; - if(!req_message || !resp_message) - { + if (!req_message || !resp_message) { return -1; } //Get the session information from the map corresponding to the source enclave id - session_info= get_session_info(session_id); - if (session_info == NULL) return -1; + session_info = get_session_info(session_id); + if (session_info == NULL) { return -1; } //Set the decrypted data length to the payload size obtained from the message decrypted_data_length = req_message->message_aes_gcm_data.payload_size; @@ -249,26 +242,27 @@ int generate_response(secure_message_t* req_message, expected_payload_size = req_message_size - header_size; //Verify the size of the payload - if(expected_payload_size != decrypted_data_length) + if (expected_payload_size != decrypted_data_length) { return -1; + } memset(&l_tag, 0, 16); plain_text_offset = decrypted_data_length; - decrypted_data = (uint8_t*)malloc(decrypted_data_length); - if(!decrypted_data) - { + decrypted_data = (uint8_t *)malloc(decrypted_data_length); + if (!decrypted_data) { return -1; } memset(decrypted_data, 0, decrypted_data_length); - status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK, req_message->message_aes_gcm_data.payload, + status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK, + req_message->message_aes_gcm_data.payload, decrypted_data_length, decrypted_data, (uint8_t *)(&(req_message->message_aes_gcm_data.reserved)), - sizeof(req_message->message_aes_gcm_data.reserved), &(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length, + sizeof(req_message->message_aes_gcm_data.reserved), + &(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length, &req_message->message_aes_gcm_data.payload_tag); - if(SGX_SUCCESS != status) - { + if (SGX_SUCCESS != status) { SAFE_FREE(decrypted_data); return -1; } @@ -277,55 +271,50 @@ int generate_response(secure_message_t* req_message, ms = (ms_in_msg_exchange_t *)decrypted_data; // Verify if the nonce obtained in the request is equal to the session nonce - if((uint32_t)*(req_message->message_aes_gcm_data.reserved) != session_info->active.counter || *(req_message->message_aes_gcm_data.reserved) > ((2^32)-2)) - { + if ((uint32_t) * (req_message->message_aes_gcm_data.reserved) != + session_info->active.counter || + *(req_message->message_aes_gcm_data.reserved) > ((2 ^ 32) - 2)) { SAFE_FREE(decrypted_data); return -1; } - if(ms->msg_type == MESSAGE_EXCHANGE) - { + if (ms->msg_type == MESSAGE_EXCHANGE) { //Call the generic secret response generator for message exchange - ret = message_exchange_response_generator((char*)decrypted_data, &resp_data, &resp_data_length); - if(ret !=0) - { + ret = message_exchange_response_generator((char *)decrypted_data, &resp_data, + &resp_data_length); + if (ret != 0) { SAFE_FREE(decrypted_data); SAFE_FREE(resp_data); return -1; } - } - else - { + } else { SAFE_FREE(decrypted_data); return -1; } - if(resp_data_length > max_payload_size) - { + if (resp_data_length > max_payload_size) { SAFE_FREE(resp_data); SAFE_FREE(decrypted_data); return -1; } - resp_message_calc_size = sizeof(secure_message_t)+ resp_data_length; + resp_message_calc_size = sizeof(secure_message_t) + resp_data_length; - if(resp_message_calc_size > resp_message_size) - { + if (resp_message_calc_size > resp_message_size) { SAFE_FREE(resp_data); SAFE_FREE(decrypted_data); return -1; } //Code to build the response back to the Source Enclave - temp_resp_message = (secure_message_t*)malloc(resp_message_calc_size); - if(!temp_resp_message) - { + temp_resp_message = (secure_message_t *)malloc(resp_message_calc_size); + if (!temp_resp_message) { SAFE_FREE(resp_data); SAFE_FREE(decrypted_data); return -1; } - memset(temp_resp_message,0,sizeof(secure_message_t)+ resp_data_length); + memset(temp_resp_message, 0, sizeof(secure_message_t) + resp_data_length); const uint32_t data2encrypt_length = (uint32_t)resp_data_length; temp_resp_message->session_id = session_info->session_id; temp_resp_message->message_aes_gcm_data.payload_size = data2encrypt_length; @@ -334,25 +323,26 @@ int generate_response(secure_message_t* req_message, session_info->active.counter = session_info->active.counter + 1; //Set the response nonce as the session nonce - memcpy(&temp_resp_message->message_aes_gcm_data.reserved,&session_info->active.counter,sizeof(session_info->active.counter)); + memcpy(&temp_resp_message->message_aes_gcm_data.reserved, &session_info->active.counter, + sizeof(session_info->active.counter)); //Prepare the response message with the encrypted payload - status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t*)resp_data, data2encrypt_length, + status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t *)resp_data, + data2encrypt_length, (uint8_t *)(&(temp_resp_message->message_aes_gcm_data.payload)), (uint8_t *)(&(temp_resp_message->message_aes_gcm_data.reserved)), sizeof(temp_resp_message->message_aes_gcm_data.reserved), plaintext, plaintext_length, &(temp_resp_message->message_aes_gcm_data.payload_tag)); - if(SGX_SUCCESS != status) - { + if (SGX_SUCCESS != status) { SAFE_FREE(resp_data); SAFE_FREE(decrypted_data); SAFE_FREE(temp_resp_message); return -1; } - memset(resp_message, 0, sizeof(secure_message_t)+ resp_data_length); - memcpy(resp_message, temp_resp_message, sizeof(secure_message_t)+ resp_data_length); + memset(resp_message, 0, sizeof(secure_message_t) + resp_data_length); + memcpy(resp_message, temp_resp_message, sizeof(secure_message_t) + resp_data_length); SAFE_FREE(decrypted_data); SAFE_FREE(resp_data); @@ -361,41 +351,37 @@ int generate_response(secure_message_t* req_message, return 0; } -int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) -{ +int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) { uint32_t status = 0; sgx_status_t ret = SGX_SUCCESS; secure_message_t *resp_message = NULL; - FIFO_MSG * fifo_resp = NULL; + FIFO_MSG *fifo_resp = NULL; size_t resp_message_size; - if (!req_msg) - { + if (!req_msg) { printf("invalid parameter.\n"); return -1; } resp_message_size = sizeof(secure_message_t) + req_msg->max_payload_size; //Allocate memory for the response message - resp_message = (secure_message_t*)malloc(resp_message_size); - if (!resp_message) - { + resp_message = (secure_message_t *)malloc(resp_message_size); + if (!resp_message) { printf("memory allocation failure.\n"); return -1; } memset(resp_message, 0, resp_message_size); - ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size, req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id); - if (ret <0) - { + ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size, + req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id); + if (ret < 0) { printf("EnclaveResponder_generate_response error.\n"); free(resp_message); return -1; } fifo_resp = (FIFO_MSG *)malloc(sizeof(FIFO_MSG) + resp_message_size); - if (!fifo_resp) - { + if (!fifo_resp) { printf("memory allocation failure.\n"); free(resp_message); return -1; @@ -408,8 +394,8 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) free(resp_message); - if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size), 0) == -1) - { + if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size), + 0) == -1) { printf("server_send() failure.\n"); free(fifo_resp); return -1; @@ -418,100 +404,88 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) return 0; } -int process_close_req(int clientfd, SESSION_CLOSE_REQ * close_req) -{ +int process_close_req(int clientfd, SESSION_CLOSE_REQ *close_req) { uint32_t status = 0; sgx_status_t ret = SGX_SUCCESS; FIFO_MSG close_ack; - if (!close_req) + if (!close_req) { return -1; + } // call responder enclave to close this session ret = end_session( close_req->session_id); - if (ret != SGX_SUCCESS) + if (ret != SGX_SUCCESS) { return -1; + } // send back response close_ack.header.type = FIFO_DH_CLOSE_RESP; close_ack.header.size = 0; - if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1) - { + if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1) { printf("server_send() failure.\n"); return -1; } return 0; } -int proc (FIFO_MSG * message) -{ - if (message == NULL) return 0; - switch (message->header.type) - { - case FIFO_DH_REQ_MSG1: - { - // process ECDH session connection request - int clientfd = message->header.sockfd; +int proc (FIFO_MSG *message) { + if (message == NULL) { return 0; } + switch (message->header.type) { + case FIFO_DH_REQ_MSG1: { + // process ECDH session connection request + int clientfd = message->header.sockfd; + + if (generate_and_send_session_msg1_resp(clientfd) != 0) { + printf("failed to generate and send session msg1 resp.\n"); + break; + } else { printf("generate and send session msg1 resp.\n"); } - if (generate_and_send_session_msg1_resp(clientfd) != 0) - { - printf("failed to generate and send session msg1 resp.\n"); - break; } - else printf("generate and send session msg1 resp.\n"); + break; - } - break; + case FIFO_DH_MSG2: { + // process ECDH message 2 + int clientfd = message->header.sockfd; + SESSION_MSG2 *msg2 = NULL; + msg2 = (SESSION_MSG2 *)message->msgbuf; - case FIFO_DH_MSG2: - { - // process ECDH message 2 - int clientfd = message->header.sockfd; - SESSION_MSG2 * msg2 = NULL; - msg2 = (SESSION_MSG2 *)message->msgbuf; - - if (process_exchange_report(clientfd, msg2) != 0) - { - printf("failed to process exchange_report request.\n"); - break; + if (process_exchange_report(clientfd, msg2) != 0) { + printf("failed to process exchange_report request.\n"); + break; + } else { printf(" process exchange_report request.\n"); } } - else printf(" process exchange_report request.\n"); - } - break; - case FIFO_DH_MSG_REQ: - { - // process message transfer request - int clientfd = message->header.sockfd; - FIFO_MSGBODY_REQ *msg = NULL; + break; + case FIFO_DH_MSG_REQ: { + // process message transfer request + int clientfd = message->header.sockfd; + FIFO_MSGBODY_REQ *msg = NULL; - msg = (FIFO_MSGBODY_REQ *)message->msgbuf; + msg = (FIFO_MSGBODY_REQ *)message->msgbuf; - if (process_msg_transfer(clientfd, msg) != 0) - { - printf("failed to process message transfer request.\n"); - break; + if (process_msg_transfer(clientfd, msg) != 0) { + printf("failed to process message transfer request.\n"); + break; + } } - } - break; + break; - case FIFO_DH_CLOSE_REQ: - { - // process message close request - int clientfd = message->header.sockfd; + case FIFO_DH_CLOSE_REQ: { + // process message close request + int clientfd = message->header.sockfd; - SESSION_CLOSE_REQ * closereq = NULL; - closereq = (SESSION_CLOSE_REQ *)message->msgbuf; - process_close_req(clientfd, closereq); - printf("process close_requestt request.\n"); - m_shutdown = 1; - } - break; - default: - { - printf("Unknown message.\n"); - } - break; + SESSION_CLOSE_REQ *closereq = NULL; + closereq = (SESSION_CLOSE_REQ *)message->msgbuf; + process_close_req(clientfd, closereq); + printf("process close_requestt request.\n"); + m_shutdown = 1; + } + break; + default: { + printf("Unknown message.\n"); + } + break; } free(message); } diff --git a/demos/local_attestation/AppResponder/proc_msg.h b/demos/local_attestation/AppResponder/proc_msg.h index 19f4b772..51573af4 100644 --- a/demos/local_attestation/AppResponder/proc_msg.h +++ b/demos/local_attestation/AppResponder/proc_msg.h @@ -1,5 +1,5 @@ #ifndef _PROC_MSG_H_ #define _PROC_MSG_H_ #include "fifo_def.h" -int proc(FIFO_MSG * message); +int proc(FIFO_MSG *message); #endif diff --git a/demos/local_attestation/AppResponder/responder.c b/demos/local_attestation/AppResponder/responder.c index c6e9ad55..fa210ecd 100644 --- a/demos/local_attestation/AppResponder/responder.c +++ b/demos/local_attestation/AppResponder/responder.c @@ -20,8 +20,7 @@ int m_server_sock_fd; int m_shutdown; -int server_init() -{ +int server_init() { struct sockaddr_in srv_addr; memset(&srv_addr, 0, sizeof(srv_addr)); @@ -30,22 +29,19 @@ int server_init() srv_addr.sin_port = htons(SERVER_PORT); m_server_sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);; - if (m_server_sock_fd == -1) - { + if (m_server_sock_fd == -1) { printf("socket initiazation error: %d\n", errno); return -1; } - int bind_result = bind(m_server_sock_fd, (struct sockaddr*)&srv_addr, sizeof(srv_addr)); - if (bind_result == -1) - { + int bind_result = bind(m_server_sock_fd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); + if (bind_result == -1) { printf("bind error: %d\n", errno); close(m_server_sock_fd); return -1; } - if (listen(m_server_sock_fd, BACKLOG) == -1) - { + if (listen(m_server_sock_fd, BACKLOG) == -1) { printf("listen error: %d\n", errno); close(m_server_sock_fd); return -1; @@ -55,8 +51,7 @@ int server_init() return 0; } -int work() -{ +int work() { int client_fds[CONCURRENT_MAX] = {0}; fd_set server_fd_set; int max_fd = -1; @@ -65,42 +60,37 @@ int work() char recv_msg[BUFFER_SIZE]; int ret; - while (!m_shutdown) - { + while (!m_shutdown) { // set 10s timeout for select() tv.tv_sec = 10; tv.tv_usec = 0; FD_ZERO(&server_fd_set); // listening on server socket FD_SET(m_server_sock_fd, &server_fd_set); - if (max_fd < m_server_sock_fd) + if (max_fd < m_server_sock_fd) { max_fd = m_server_sock_fd; + } // listening on all client connections - for(int i =0; i < CONCURRENT_MAX; i++) - { - if(client_fds[i] != 0) - { + for (int i = 0; i < CONCURRENT_MAX; i++) { + if (client_fds[i] != 0) { FD_SET(client_fds[i], &server_fd_set); - if(max_fd < client_fds[i]) + if (max_fd < client_fds[i]) { max_fd = client_fds[i]; + } } } ret = select(max_fd + 1, &server_fd_set, NULL, NULL, &tv); - if (ret < 0) - { + if (ret < 0) { printf("Warning: server would shutdown\n"); continue; - } - else if(ret == 0) - { + } else if (ret == 0) { // timeout continue; } - if(FD_ISSET(m_server_sock_fd, &server_fd_set)) - { + if (FD_ISSET(m_server_sock_fd, &server_fd_set)) { // if there is new connection request struct sockaddr_in clt_addr; socklen_t len = sizeof(clt_addr); @@ -108,54 +98,45 @@ int work() // accept this connection request int client_sock_fd = accept(m_server_sock_fd, (struct sockaddr *)&clt_addr, &len); - if (client_sock_fd > 0) - { + if (client_sock_fd > 0) { // add new connection to connection pool if it's not full int index = -1; - for(int i = 0; i < CONCURRENT_MAX; i++) - { - if(client_fds[i] == 0) - { + for (int i = 0; i < CONCURRENT_MAX; i++) { + if (client_fds[i] == 0) { index = i; client_fds[i] = client_sock_fd; break; } } - if(index < 0) - { + if (index < 0) { printf("server reach maximum connection!\n"); bzero(input_msg, BUFFER_SIZE); strcpy(input_msg, "server reach maximum connection\n"); send(client_sock_fd, input_msg, BUFFER_SIZE, 0); } - } - else if (client_sock_fd < 0) - { + } else if (client_sock_fd < 0) { printf("server: accept() return failure, %s, would exit.\n", strerror(errno)); close(m_server_sock_fd); break; } } - for(int i =0; i < CONCURRENT_MAX; i++) - { - if ((client_fds[i] !=0) - && (FD_ISSET(client_fds[i], &server_fd_set))) - { + for (int i = 0; i < CONCURRENT_MAX; i++) { + if ((client_fds[i] != 0) + && (FD_ISSET(client_fds[i], &server_fd_set))) { // there is request messages from client connectsions - FIFO_MSG * msg; + FIFO_MSG *msg; bzero(recv_msg, BUFFER_SIZE); long byte_num = recv(client_fds[i], recv_msg, BUFFER_SIZE, 0); - if (byte_num > 0) - { - if(byte_num > BUFFER_SIZE) + if (byte_num > 0) { + if (byte_num > BUFFER_SIZE) { byte_num = BUFFER_SIZE; + } recv_msg[byte_num] = '\0'; msg = (FIFO_MSG *)malloc(byte_num); - if (!msg) - { + if (!msg) { printf("memory allocation failure\n"); continue; } @@ -163,13 +144,9 @@ int work() memcpy(msg, recv_msg, byte_num); msg->header.sockfd = client_fds[i]; proc(msg); - } - else if(byte_num < 0) - { + } else if (byte_num < 0) { printf("failed to receive message.\n"); - } - else - { + } else { // client connect is closed FD_CLR(client_fds[i], &server_fd_set); close(client_fds[i]); @@ -180,13 +157,11 @@ int work() } } -int main() -{ +int main() { int rc; rc = server_init(); - if (rc != 0) - { + if (rc != 0) { printf("server init failure\n"); return rc; } diff --git a/demos/local_attestation/AppResponder/session.c b/demos/local_attestation/AppResponder/session.c index da6e005b..58add9dc 100644 --- a/demos/local_attestation/AppResponder/session.c +++ b/demos/local_attestation/AppResponder/session.c @@ -3,8 +3,7 @@ #include "session.h" #define MAX_SESSION_COUNT 16 -typedef struct _session_id_tracker_t -{ +typedef struct _session_id_tracker_t { uint32_t session_id; } session_id_tracker_t; @@ -14,42 +13,41 @@ int is_session_id_valid(uint32_t session_id); session_id_tracker_t *g_session_id_tracker[MAX_SESSION_COUNT]; dh_session_t g_dest_session_info_map[MAX_SESSION_COUNT]; uint32_t g_session_count = 0; -int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity) -{ - if(!peer_enclave_identity) +int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t *peer_enclave_identity) { + if (!peer_enclave_identity) { return ERROR; + } - if(!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED)) + if (!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED)) { return ERROR; + } return SUCCESS; } int session_request(sgx_dh_msg1_t *dh_msg1, - uint32_t *session_id ) -{ + uint32_t *session_id ) { sgx_dh_session_t sgx_dh_session; sgx_status_t status = SGX_SUCCESS; - if(!session_id || !dh_msg1) - { + if (!session_id || !dh_msg1) { return ERROR; } //Intialize the session as a session responder status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session); - if(SGX_SUCCESS != status) - { + if (SGX_SUCCESS != status) { printf("sgx_dh_init_session failed\n"); return ERROR; } //get a new SessionID - if (generate_session_id(session_id) < 0) - return ERROR; //no more sessions available + if (generate_session_id(session_id) < 0) { + return ERROR; //no more sessions available + } //Allocate memory for the session id tracker - g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof(session_id_tracker_t)); - if(!g_session_id_tracker[*session_id]) - { + g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof( + session_id_tracker_t)); + if (!g_session_id_tracker[*session_id]) { printf("g_session_id_tracker failed\n"); return ERROR; } @@ -58,14 +56,14 @@ int session_request(sgx_dh_msg1_t *dh_msg1, g_session_id_tracker[*session_id]->session_id = *session_id; //Generate Message1 that will be returned to Source Enclave - status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t*)dh_msg1, &sgx_dh_session); - if(SGX_SUCCESS != status) - { + status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t *)dh_msg1, &sgx_dh_session); + if (SGX_SUCCESS != status) { free(g_session_id_tracker[*session_id]); printf("sgx_dh_responder_gen_msg1 failed\n"); return ERROR; } - memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t)); + memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session, + sizeof(sgx_dh_session_t)); //Store the session information under the correspoding source enlave id key g_dest_session_info_map[*session_id].status = IN_PROGRESS; @@ -73,22 +71,19 @@ int session_request(sgx_dh_msg1_t *dh_msg1, } int exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, - uint32_t session_id) -{ + uint32_t session_id) { sgx_key_128bit_t dh_aek; // Session key dh_session_t *session_info; int status = SUCCESS; sgx_dh_session_t sgx_dh_session; sgx_dh_session_enclave_identity_t initiator_identity; - if(!dh_msg2 || !dh_msg3|| !is_session_id_valid(session_id)) - { + if (!dh_msg2 || !dh_msg3 || !is_session_id_valid(session_id)) { return ERROR; } - memset(&dh_aek,0, sizeof(sgx_key_128bit_t)); - do - { + memset(&dh_aek, 0, sizeof(sgx_key_128bit_t)); + do { //Retreive the session information for the corresponding source enclave id session_info = &g_dest_session_info_map[session_id]; @@ -101,16 +96,14 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2, &sgx_dh_session, &dh_aek, &initiator_identity); - if(SGX_SUCCESS != se_ret) - { + if (SGX_SUCCESS != se_ret) { status = ERROR; printf("sgx_dh_responder_proc_msg2 failed\n"); break; } //Verify source enclave's trust - if(verify_peer_enclave_trust(&initiator_identity) != SUCCESS) - { + if (verify_peer_enclave_trust(&initiator_identity) != SUCCESS) { status = ERROR; break; } @@ -120,39 +113,34 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2, session_info->status = ACTIVE; session_info->active.counter = 0; memcpy(session_info->active.AEK, &dh_aek, sizeof(sgx_key_128bit_t)); - memset(&dh_aek,0, sizeof(sgx_key_128bit_t)); + memset(&dh_aek, 0, sizeof(sgx_key_128bit_t)); g_session_count++; - } - while(0); + } while (0); - if(status != SUCCESS) - { + if (status != SUCCESS) { end_session(session_id); } return status; } -int end_session(uint32_t session_id) -{ +int end_session(uint32_t session_id) { int status = SUCCESS; int i; dh_session_t *session_info; - if (!is_session_id_valid(session_id)) return ERROR; + if (!is_session_id_valid(session_id)) { return ERROR; } //Get the session information from the map corresponding to the source enclave id session_info = &g_dest_session_info_map[session_id]; //Erase the session information for the current session //Update the session id tracker - if (g_session_count > 0) - { + if (g_session_count > 0) { //check if session exists - for (i=1; i <= MAX_SESSION_COUNT; i++) - { - if(g_session_id_tracker[i-1] != NULL && g_session_id_tracker[i-1]->session_id == session_id) - { - memset(g_session_id_tracker[i-1], 0, sizeof(session_id_tracker_t)); - free(g_session_id_tracker[i-1]); + for (i = 1; i <= MAX_SESSION_COUNT; i++) { + if (g_session_id_tracker[i - 1] != NULL && + g_session_id_tracker[i - 1]->session_id == session_id) { + memset(g_session_id_tracker[i - 1], 0, sizeof(session_id_tracker_t)); + free(g_session_id_tracker[i - 1]); g_session_count--; break; } @@ -161,32 +149,27 @@ int end_session(uint32_t session_id) return status; } -int is_session_id_valid(uint32_t session_id) -{ - if (session_id >= MAX_SESSION_COUNT|| session_id <0) return 0; +int is_session_id_valid(uint32_t session_id) { + if (session_id >= MAX_SESSION_COUNT || session_id < 0) { return 0; } return (g_session_id_tracker[session_id] != NULL); } -dh_session_t* get_session_info(uint32_t session_id ) -{ - if (!is_session_id_valid(session_id)) +dh_session_t *get_session_info(uint32_t session_id ) { + if (!is_session_id_valid(session_id)) { return NULL; + } return &(g_dest_session_info_map[session_id]); } -int generate_session_id(uint32_t *session_id) -{ - if(!session_id) - { +int generate_session_id(uint32_t *session_id) { + if (!session_id) { return ERROR; } //if the session structure is untintialized, set that as the next session ID - for (int i = 0; i < MAX_SESSION_COUNT; i++) - { - if (g_session_id_tracker[i] == NULL) - { + for (int i = 0; i < MAX_SESSION_COUNT; i++) { + if (g_session_id_tracker[i] == NULL) { *session_id = i; return SUCCESS; } diff --git a/demos/local_attestation/AppResponder/session.h b/demos/local_attestation/AppResponder/session.h index 2e784210..7936e7ca 100644 --- a/demos/local_attestation/AppResponder/session.h +++ b/demos/local_attestation/AppResponder/session.h @@ -17,6 +17,6 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t session_id); int end_session(uint32_t session_id); -dh_session_t* get_session_info(uint32_t session_id ); +dh_session_t *get_session_info(uint32_t session_id ); #endif diff --git a/demos/local_attestation/download_src_and_build_deps.sh b/demos/local_attestation/download_src_and_build_deps.sh index 96c05f5a..6b41f5a0 100755 --- a/demos/local_attestation/download_src_and_build_deps.sh +++ b/demos/local_attestation/download_src_and_build_deps.sh @@ -1,4 +1,5 @@ #!/usr/bin/env bash +set -e export CC=occlum-gcc export CXX=occlum-g++ @@ -7,6 +8,7 @@ THISDIR="$(dirname $(readlink -f $0))" INSTALLDIR="/usr/local/occlum/x86_64-linux-musl" DEPSDIR="$THISDIR/deps" TARGET_SO="$DEPSDIR/openssl/libcrypto.so" +SGX_VER="2.9.1" mkdir -p $DEPSDIR || exit 1 @@ -32,20 +34,19 @@ if [ ! -f "$TARGET_SO" ] ; then --openssldir=/usr/local/occlum/ssl \ --with-rand-seed=rdcpu \ no-zlib no-async no-tests && \ - make -j${nproc} && \ + make -j${nproc} && make install && \ echo "Build openssl successfully" || exit 1 else echo "The openssl library is aleady existent" fi -SGX_VER=2.8 # Download SGX SDK SGX_SDK="${DEPSDIR}/linux-sgx-sdk" if [ ! -d "$SGX_SDK" ] ; then echo "Downloading linux-sgx-sdk ..." cd "$DEPSDIR" && \ wget https://github.com/intel/linux-sgx/archive/sgx_$SGX_VER.tar.gz && \ - tar -xvzf "sgx_$(SGX_VER).tar.gz" && \ + tar -xvzf sgx_$SGX_VER.tar.gz && \ mv linux-sgx-sgx_$SGX_VER linux-sgx-sdk && \ echo "Download sgx-sdk successfully" || exit 1 else @@ -75,6 +76,7 @@ cd - >/dev/null 2>&1 echo "DiffieHellmanLibrary is ready" # Copy header files from linux-sgx-sdk local attestation demo +cd $THISDIR mkdir -p Include cp $SGX_SDK/SampleCode/LocalAttestation/Include/{datatypes.h,\ dh_session_protocol.h,\