Fix local attestation demo to use new PAL API and sdk 2.9.1

Also format the code.
2020-06-03 03:29:06 +00:00 · 2020-06-03 03:29:06 +00:00 · 3939899e76
commit 3939899e76
parent 8c113eb8a2
7 changed files with 288 additions and 332 deletions
--- a/demos/local_attestation/AppInitiator/app.cpp
+++ b/demos/local_attestation/AppInitiator/app.cpp
@ -19,8 +19,7 @@ pthread_t thread;
 sgx_enclave_id_t initiator_enclave_id = 0;
 void *attestation(void *arg);
-int main(int argc, char* argv[])
+int main(int argc, char *argv[]) {
 {
    int update = 0;
    sgx_launch_token_t token = {0};
    sgx_status_t status;
@ -30,47 +29,71 @@ int main(int argc, char* argv[])
    const char *cmd_args[] = {NULL};
    // create ECDH initiator enclave
-    status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update, &initiator_enclave_id, NULL);
+    status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update,
-    if (status != SGX_SUCCESS)
+                                &initiator_enclave_id, NULL);
-    {
+    if (status != SGX_SUCCESS) {
-        printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status);
+        printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME,
               status);
        return -1;
    }
    printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME);
-    if (occlum_pal_init(occlum_instance_dir) < 0)
+    struct occlum_pal_attr attr {
-    {
+        .instance_dir = occlum_instance_dir,
        .log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"),
    };
    if (occlum_pal_init(&attr) < 0) {
        return EXIT_FAILURE;
    }
-    if (pthread_create(&thread, NULL, attestation, NULL) < 0)
+    if (pthread_create(&thread, NULL, attestation, NULL) < 0) {
    {
        printf("pthread_create failed\n");
        return -1;
    }
-    // Use Occlum PAL to execute the cmd
+    // Use Occlum PAL to create new process for the responder
-    if (occlum_pal_exec(cmd_path, cmd_args, &exit_status) < 0)
+    struct occlum_stdio_fds io_fds = {
-    {
+        .stdin_fd = STDIN_FILENO,
        .stdout_fd = STDOUT_FILENO,
        .stderr_fd = STDERR_FILENO,
    };
    int libos_tid = 0;
    struct occlum_pal_create_process_args create_process_args = {
        .path = cmd_path,
        .argv = cmd_args,
        .env = NULL,
        .stdio = (const struct occlum_stdio_fds *) &io_fds,
        .pid = &libos_tid,
    };
    if (occlum_pal_create_process(&create_process_args) < 0) {
        return EXIT_FAILURE;
    }
    // execute the responder process
    struct occlum_pal_exec_args exec_args = {
        .pid = libos_tid,
        .exit_value = &exit_status,
    };
    if (occlum_pal_exec(&exec_args) < 0) {
        return EXIT_FAILURE;
    }
    // wait for end and destroy
-    if (pthread_join(thread, NULL) < 0)
+    if (pthread_join(thread, NULL) < 0) {
    {
        printf("pthread_join failed\n");
        return -1;
    }
    status = sgx_destroy_enclave(initiator_enclave_id);
-    if (status != SGX_SUCCESS)
+    if (status != SGX_SUCCESS) {
-    {
+        printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME,
-        printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status);
+               status);
        return -1;
    }
-    if (occlum_pal_destroy() < 0)
+    if (occlum_pal_destroy() < 0) {
    {
        printf("occlum_pal_destroy failed, errno is %d\n", errno);
        return -1;
    }
@ -81,24 +104,23 @@ int main(int argc, char* argv[])
 // create ECDH session using initiator enclave
 // it would create ECDH session with responder enclave running in another process
-void* attestation(void *arg)
+void *attestation(void *arg) {
 {
    sgx_status_t status;
    uint32_t ret_status;
-    sleep(3);
+    sleep(5);
    status = test_create_session(initiator_enclave_id, &ret_status);
-    if (status != SGX_SUCCESS || ret_status != 0)
+    if (status != SGX_SUCCESS || ret_status != 0) {
-    {
+        printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n",
-        printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
+               status, ret_status);
        return NULL;
    }
    printf("succeed to establish secure channel.\n");
    status = test_message_exchange(initiator_enclave_id, &ret_status);
-    if (status != SGX_SUCCESS || ret_status != 0)
+    if (status != SGX_SUCCESS || ret_status != 0) {
-    {
+        printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n",
-        printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
+               status, ret_status);
        sgx_destroy_enclave(initiator_enclave_id);
        return NULL;
    }
@ -106,9 +128,9 @@ void* attestation(void *arg)
    // close ECDH session
    status = test_close_session(initiator_enclave_id, &ret_status);
-    if (status != SGX_SUCCESS || ret_status != 0)
+    if (status != SGX_SUCCESS || ret_status != 0) {
-    {
+        printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n",
-        printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
+               status, ret_status);
        return NULL;
    }
    printf("Succeed to close session.\n");
--- a/demos/local_attestation/AppResponder/proc_msg.c
+++ b/demos/local_attestation/AppResponder/proc_msg.c
@ -15,14 +15,12 @@
 int proc(FIFO_MSG *message);
 extern int m_shutdown;
-typedef struct _secure_message_t
+typedef struct _secure_message_t {
 {
    uint32_t session_id; //Session ID identifyting the session to which the message belongs
    sgx_aes_gcm_data_t message_aes_gcm_data;
 } secure_message_t;
-typedef struct _ms_in_msg_exchange_t
+typedef struct _ms_in_msg_exchange_t {
 {
    uint32_t msg_type; //Type of Call E2E or general message exchange
    uint32_t target_fn_id; //Function Id to be called in Destination. Is valid only when msg_type=ENCLAVE_TO_ENCLAVE_CALL
    uint32_t inparam_buff_len; //Length of the serialized input parameters
@ -30,8 +28,7 @@ typedef struct _ms_in_msg_exchange_t
 } ms_in_msg_exchange_t;
 //Format of the return value and output function parameter structure
-typedef struct _ms_out_msg_exchange_t
+typedef struct _ms_out_msg_exchange_t {
 {
    uint32_t retval_len; //Length of the return value
    uint32_t ret_outparam_buff_len; //Length of the serialized return value and output parameters
    char ret_outparam_buff[1]; //Serialized return value and output parameters
@ -42,8 +39,7 @@ typedef struct _ms_out_msg_exchange_t
 * Parameter Description:
 *  [input] clientfd: this is client's connection id. After generating ECDH message 1, server would send back response through this connection id.
 * */
-int generate_and_send_session_msg1_resp(int clientfd)
+int generate_and_send_session_msg1_resp(int clientfd) {
 {
    int retcode = 0;
    uint32_t status = 0;
    sgx_status_t ret = SGX_SUCCESS;
@ -55,16 +51,14 @@ int generate_and_send_session_msg1_resp(int clientfd)
    // call responder enclave to generate ECDH message 1
    ret = session_request(&msg1resp.dh_msg1, &msg1resp.sessionid);
-    if (ret != SGX_SUCCESS)
+    if (ret != SGX_SUCCESS) {
    {
        printf("failed to do ECALL session_request.\n");
        return -1;
    }
    respmsgsize = sizeof(FIFO_MSG) + sizeof(SESSION_MSG1_RESP);
    fifo_resp = (FIFO_MSG *)malloc(respmsgsize);
-    if (!fifo_resp)
+    if (!fifo_resp) {
    {
        printf("memory allocation failure.\n");
        return -1;
    }
@ -76,8 +70,7 @@ int generate_and_send_session_msg1_resp(int clientfd)
    memcpy(fifo_resp->msgbuf, &msg1resp, sizeof(SESSION_MSG1_RESP));
    //send message 1 to client
-    if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1)
+    if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1) {
    {
        printf("fail to send msg1 response.\n");
        retcode = -1;
    }
@ -90,21 +83,20 @@ int generate_and_send_session_msg1_resp(int clientfd)
 *  [input] clientfd: this is client's connection id
 *  [input] msg2: this contains ECDH message 2 received from client
 * */
-int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
+int process_exchange_report(int clientfd, SESSION_MSG2 *msg2) {
 {
    uint32_t status = 0;
    sgx_status_t ret = SGX_SUCCESS;
    FIFO_MSG *response;
    SESSION_MSG3 *msg3;
    size_t msgsize;
-    if (!msg2)
+    if (!msg2) {
        return -1;
    }
    msgsize = sizeof(FIFO_MSG_HEADER) + sizeof(SESSION_MSG3);
    response = (FIFO_MSG *)malloc(msgsize);
-    if (!response)
+    if (!response) {
    {
        printf("memory allocation failure\n");
        return -1;
    }
@ -118,16 +110,14 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
    // call responder enclave to process ECDH message 2 and generate message 3
    ret = exchange_report(&msg2->dh_msg2, &msg3->dh_msg3, msg2->sessionid);
-    if (ret != SGX_SUCCESS)
+    if (ret != SGX_SUCCESS) {
    {
        printf("Enclave Response_exchange_report failure.\n");
        free(response);
        return -1;
    }
    // send ECDH message 3 to client
-    if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1)
+    if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1) {
    {
        printf("server_send() failure.\n");
        free(response);
        return -1;
@ -137,8 +127,7 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
    return 0;
 }
-uint32_t get_message_exchange_response(uint32_t inp_secret_data)
+uint32_t get_message_exchange_response(uint32_t inp_secret_data) {
 {
    uint32_t secret_response;
    printf("secret=0x%x\n", inp_secret_data);
    //User should use more complex encryption method to protect their secret, below is just a simple example
@ -147,35 +136,39 @@ uint32_t get_message_exchange_response(uint32_t inp_secret_data)
    return secret_response;
 }
-int  umarshal_message_exchange_request(uint32_t* inp_secret_data, ms_in_msg_exchange_t* ms)
+int  umarshal_message_exchange_request(uint32_t *inp_secret_data,
-{
+                                       ms_in_msg_exchange_t *ms) {
    char *buff;
    size_t len;
-    if(!inp_secret_data || !ms)
+    if (!inp_secret_data || !ms) {
        return -1;
    }
    buff = ms->inparam_buff;
    len = ms->inparam_buff_len;
-    if(len != sizeof(uint32_t))
+    if (len != sizeof(uint32_t)) {
        return -1;
    }
    memcpy(inp_secret_data, buff, sizeof(uint32_t));
    return 0;
 }
-int  marshal_message_exchange_response(char** resp_buffer, size_t* resp_length, uint32_t secret_response)
+int  marshal_message_exchange_response(char **resp_buffer, size_t *resp_length,
-{
+                                       uint32_t secret_response) {
    ms_out_msg_exchange_t *ms;
    size_t secret_response_len, ms_len;
    size_t retval_len, ret_param_len;
-    if(!resp_length)
+    if (!resp_length) {
        return -1;
    }
    secret_response_len = sizeof(secret_response);
    retval_len = secret_response_len;
    ret_param_len = secret_response_len;
    ms_len = sizeof(ms_out_msg_exchange_t) + ret_param_len;
    ms = (ms_out_msg_exchange_t *)malloc(ms_len);
-    if(!ms)
+    if (!ms) {
        return -1;
    }
    ms->retval_len = (uint32_t)retval_len;
    ms->ret_outparam_buff_len = (uint32_t)ret_param_len;
@ -186,24 +179,26 @@ int  marshal_message_exchange_response(char** resp_buffer, size_t* resp_length,
 }
 int  message_exchange_response_generator(char *decrypted_data,
        char **resp_buffer,
-        size_t* resp_length)
+        size_t *resp_length) {
 {
    ms_in_msg_exchange_t *ms;
    uint32_t inp_secret_data;
    uint32_t out_secret_data;
-    if(!decrypted_data || !resp_length)
+    if (!decrypted_data || !resp_length) {
        return -1;
    }
    ms = (ms_in_msg_exchange_t *)decrypted_data;
-    if(umarshal_message_exchange_request(&inp_secret_data,ms) <0)
+    if (umarshal_message_exchange_request(&inp_secret_data, ms) < 0) {
        return -1;
    }
    out_secret_data = get_message_exchange_response(inp_secret_data);
-    if(marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data)  < 0)
+    if (marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data)  < 0) {
        return -1;
    }
    return 0;
 }
@ -212,8 +207,7 @@ int generate_response(secure_message_t* req_message,
                      size_t max_payload_size,
                      secure_message_t *resp_message,
                      size_t resp_message_size,
-                      uint32_t session_id)
+                      uint32_t session_id) {
 {
 #define TAG_SIZE        16
    const uint8_t *plaintext;
    uint32_t plaintext_length;
@ -234,14 +228,13 @@ int generate_response(secure_message_t* req_message,
    plaintext = (const uint8_t *)(" ");
    plaintext_length = 0;
-    if(!req_message || !resp_message)
+    if (!req_message || !resp_message) {
    {
        return -1;
    }
    //Get the session information from the map corresponding to the source enclave id
    session_info = get_session_info(session_id);
-    if (session_info == NULL) return -1;
+    if (session_info == NULL) { return -1; }
    //Set the decrypted data length to the payload size obtained from the message
    decrypted_data_length = req_message->message_aes_gcm_data.payload_size;
@ -249,26 +242,27 @@ int generate_response(secure_message_t* req_message,
    expected_payload_size = req_message_size - header_size;
    //Verify the size of the payload
-    if(expected_payload_size != decrypted_data_length)
+    if (expected_payload_size != decrypted_data_length) {
        return -1;
    }
    memset(&l_tag, 0, 16);
    plain_text_offset = decrypted_data_length;
    decrypted_data = (uint8_t *)malloc(decrypted_data_length);
-    if(!decrypted_data)
+    if (!decrypted_data) {
    {
        return -1;
    }
    memset(decrypted_data, 0, decrypted_data_length);
-    status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK, req_message->message_aes_gcm_data.payload,
+    status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK,
                                        req_message->message_aes_gcm_data.payload,
                                        decrypted_data_length, decrypted_data,
                                        (uint8_t *)(&(req_message->message_aes_gcm_data.reserved)),
-                                        sizeof(req_message->message_aes_gcm_data.reserved), &(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length,
+                                        sizeof(req_message->message_aes_gcm_data.reserved),
                                        &(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length,
                                        &req_message->message_aes_gcm_data.payload_tag);
-    if(SGX_SUCCESS != status)
+    if (SGX_SUCCESS != status) {
    {
        SAFE_FREE(decrypted_data);
        return -1;
    }
@ -277,32 +271,29 @@ int generate_response(secure_message_t* req_message,
    ms = (ms_in_msg_exchange_t *)decrypted_data;
    // Verify if the nonce obtained in the request is equal to the session nonce
-    if((uint32_t)*(req_message->message_aes_gcm_data.reserved) != session_info->active.counter || *(req_message->message_aes_gcm_data.reserved) > ((2^32)-2))
+    if ((uint32_t) * (req_message->message_aes_gcm_data.reserved) !=
-    {
+            session_info->active.counter ||
            *(req_message->message_aes_gcm_data.reserved) > ((2 ^ 32) - 2)) {
        SAFE_FREE(decrypted_data);
        return -1;
    }
-    if(ms->msg_type == MESSAGE_EXCHANGE)
+    if (ms->msg_type == MESSAGE_EXCHANGE) {
    {
        //Call the generic secret response generator for message exchange
-        ret = message_exchange_response_generator((char*)decrypted_data, &resp_data, &resp_data_length);
+        ret = message_exchange_response_generator((char *)decrypted_data, &resp_data,
-        if(ret !=0)
+                &resp_data_length);
-        {
+        if (ret != 0) {
            SAFE_FREE(decrypted_data);
            SAFE_FREE(resp_data);
            return -1;
        }
-    }
+    } else {
    else
    {
        SAFE_FREE(decrypted_data);
        return -1;
    }
-    if(resp_data_length > max_payload_size)
+    if (resp_data_length > max_payload_size) {
    {
        SAFE_FREE(resp_data);
        SAFE_FREE(decrypted_data);
        return -1;
@ -310,8 +301,7 @@ int generate_response(secure_message_t* req_message,
    resp_message_calc_size = sizeof(secure_message_t) + resp_data_length;
-    if(resp_message_calc_size > resp_message_size)
+    if (resp_message_calc_size > resp_message_size) {
    {
        SAFE_FREE(resp_data);
        SAFE_FREE(decrypted_data);
        return -1;
@ -319,8 +309,7 @@ int generate_response(secure_message_t* req_message,
    //Code to build the response back to the Source Enclave
    temp_resp_message = (secure_message_t *)malloc(resp_message_calc_size);
-    if(!temp_resp_message)
+    if (!temp_resp_message) {
    {
        SAFE_FREE(resp_data);
        SAFE_FREE(decrypted_data);
        return -1;
@ -334,17 +323,18 @@ int generate_response(secure_message_t* req_message,
    session_info->active.counter = session_info->active.counter + 1;
    //Set the response nonce as the session nonce
-    memcpy(&temp_resp_message->message_aes_gcm_data.reserved,&session_info->active.counter,sizeof(session_info->active.counter));
+    memcpy(&temp_resp_message->message_aes_gcm_data.reserved, &session_info->active.counter,
           sizeof(session_info->active.counter));
    //Prepare the response message with the encrypted payload
-    status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t*)resp_data, data2encrypt_length,
+    status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t *)resp_data,
                                        data2encrypt_length,
                                        (uint8_t *)(&(temp_resp_message->message_aes_gcm_data.payload)),
                                        (uint8_t *)(&(temp_resp_message->message_aes_gcm_data.reserved)),
                                        sizeof(temp_resp_message->message_aes_gcm_data.reserved), plaintext, plaintext_length,
                                        &(temp_resp_message->message_aes_gcm_data.payload_tag));
-    if(SGX_SUCCESS != status)
+    if (SGX_SUCCESS != status) {
    {
        SAFE_FREE(resp_data);
        SAFE_FREE(decrypted_data);
        SAFE_FREE(temp_resp_message);
@ -361,16 +351,14 @@ int generate_response(secure_message_t* req_message,
    return 0;
 }
-int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
+int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) {
 {
    uint32_t status = 0;
    sgx_status_t ret = SGX_SUCCESS;
    secure_message_t *resp_message = NULL;
    FIFO_MSG *fifo_resp = NULL;
    size_t resp_message_size;
-    if (!req_msg)
+    if (!req_msg) {
    {
        printf("invalid parameter.\n");
        return -1;
    }
@ -378,24 +366,22 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
    resp_message_size = sizeof(secure_message_t) + req_msg->max_payload_size;
    //Allocate memory for the response message
    resp_message = (secure_message_t *)malloc(resp_message_size);
-    if (!resp_message)
+    if (!resp_message) {
    {
        printf("memory allocation failure.\n");
        return -1;
    }
    memset(resp_message, 0, resp_message_size);
-    ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size, req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id);
+    ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size,
-    if (ret <0)
+                             req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id);
-    {
+    if (ret < 0) {
        printf("EnclaveResponder_generate_response error.\n");
        free(resp_message);
        return -1;
    }
    fifo_resp = (FIFO_MSG *)malloc(sizeof(FIFO_MSG) + resp_message_size);
-    if (!fifo_resp)
+    if (!fifo_resp) {
    {
        printf("memory allocation failure.\n");
        free(resp_message);
        return -1;
@ -408,8 +394,8 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
    free(resp_message);
-    if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size), 0) == -1)
+    if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size),
-    {
+             0) == -1) {
        printf("server_send() failure.\n");
        free(fifo_resp);
        return -1;
@ -418,85 +404,74 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
    return 0;
 }
-int process_close_req(int clientfd, SESSION_CLOSE_REQ * close_req)
+int process_close_req(int clientfd, SESSION_CLOSE_REQ *close_req) {
 {
    uint32_t status = 0;
    sgx_status_t ret = SGX_SUCCESS;
    FIFO_MSG close_ack;
-    if (!close_req)
+    if (!close_req) {
        return -1;
    }
    // call responder enclave to close this session
    ret = end_session( close_req->session_id);
-    if (ret != SGX_SUCCESS)
+    if (ret != SGX_SUCCESS) {
        return -1;
    }
    // send back response
    close_ack.header.type = FIFO_DH_CLOSE_RESP;
    close_ack.header.size = 0;
-    if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1)
+    if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1) {
    {
        printf("server_send() failure.\n");
        return -1;
    }
    return 0;
 }
-int proc (FIFO_MSG * message)
+int proc (FIFO_MSG *message) {
-{
+    if (message == NULL) { return 0; }
-    if (message == NULL) return 0;
+    switch (message->header.type) {
-    switch (message->header.type)
+        case FIFO_DH_REQ_MSG1: {
    {
    case FIFO_DH_REQ_MSG1:
    {
            // process ECDH session connection request
            int clientfd = message->header.sockfd;
-        if (generate_and_send_session_msg1_resp(clientfd) != 0)
+            if (generate_and_send_session_msg1_resp(clientfd) != 0) {
        {
                printf("failed to generate and send session msg1 resp.\n");
                break;
-        }
+            } else { printf("generate and send session msg1 resp.\n"); }
        else printf("generate and send session msg1 resp.\n");
        }
        break;
-    case FIFO_DH_MSG2:
+        case FIFO_DH_MSG2: {
    {
            // process ECDH message 2
            int clientfd = message->header.sockfd;
            SESSION_MSG2 *msg2 = NULL;
            msg2 = (SESSION_MSG2 *)message->msgbuf;
-        if (process_exchange_report(clientfd, msg2) != 0)
+            if (process_exchange_report(clientfd, msg2) != 0) {
        {
                printf("failed to process exchange_report request.\n");
                break;
-        }
+            } else { printf(" process exchange_report request.\n"); }
        else printf(" process exchange_report request.\n");
        }
        break;
-    case FIFO_DH_MSG_REQ:
+        case FIFO_DH_MSG_REQ: {
    {
            // process message transfer request
            int clientfd = message->header.sockfd;
            FIFO_MSGBODY_REQ *msg = NULL;
            msg = (FIFO_MSGBODY_REQ *)message->msgbuf;
-        if (process_msg_transfer(clientfd, msg) != 0)
+            if (process_msg_transfer(clientfd, msg) != 0) {
        {
                printf("failed to process message transfer request.\n");
                break;
            }
        }
        break;
-    case FIFO_DH_CLOSE_REQ:
+        case FIFO_DH_CLOSE_REQ: {
    {
            // process message close request
            int clientfd = message->header.sockfd;
@ -507,8 +482,7 @@ int proc (FIFO_MSG * message)
            m_shutdown = 1;
        }
        break;
-    default:
+        default: {
    {
            printf("Unknown message.\n");
        }
        break;
--- a/demos/local_attestation/AppResponder/responder.c
+++ b/demos/local_attestation/AppResponder/responder.c
@ -20,8 +20,7 @@
 int m_server_sock_fd;
 int m_shutdown;
-int server_init()
+int server_init() {
 {
    struct sockaddr_in srv_addr;
    memset(&srv_addr, 0, sizeof(srv_addr));
@ -30,22 +29,19 @@ int server_init()
    srv_addr.sin_port = htons(SERVER_PORT);
    m_server_sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);;
-    if (m_server_sock_fd == -1)
+    if (m_server_sock_fd == -1) {
    {
        printf("socket initiazation error: %d\n", errno);
        return -1;
    }
    int bind_result = bind(m_server_sock_fd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
-    if (bind_result == -1)
+    if (bind_result == -1) {
    {
        printf("bind error: %d\n", errno);
        close(m_server_sock_fd);
        return -1;
    }
-    if (listen(m_server_sock_fd, BACKLOG) == -1)
+    if (listen(m_server_sock_fd, BACKLOG) == -1) {
    {
        printf("listen error: %d\n", errno);
        close(m_server_sock_fd);
        return -1;
@ -55,8 +51,7 @@ int server_init()
    return 0;
 }
-int work()
+int work() {
 {
    int client_fds[CONCURRENT_MAX] = {0};
    fd_set server_fd_set;
    int max_fd = -1;
@ -65,42 +60,37 @@ int work()
    char recv_msg[BUFFER_SIZE];
    int ret;
-    while (!m_shutdown)
+    while (!m_shutdown) {
    {
        // set 10s timeout for select()
        tv.tv_sec = 10;
        tv.tv_usec = 0;
        FD_ZERO(&server_fd_set);
        // listening on server socket
        FD_SET(m_server_sock_fd, &server_fd_set);
-        if (max_fd < m_server_sock_fd)
+        if (max_fd < m_server_sock_fd) {
            max_fd = m_server_sock_fd;
        }
        // listening on all client connections
-        for(int i =0; i < CONCURRENT_MAX; i++)
+        for (int i = 0; i < CONCURRENT_MAX; i++) {
-        {
+            if (client_fds[i] != 0) {
            if(client_fds[i] != 0)
            {
                FD_SET(client_fds[i], &server_fd_set);
-                if(max_fd < client_fds[i])
+                if (max_fd < client_fds[i]) {
                    max_fd = client_fds[i];
                }
            }
        }
        ret = select(max_fd + 1, &server_fd_set, NULL, NULL, &tv);
-        if (ret < 0)
+        if (ret < 0) {
        {
            printf("Warning: server would shutdown\n");
            continue;
-        }
+        } else if (ret == 0) {
        else if(ret == 0)
        {
            // timeout
            continue;
        }
-        if(FD_ISSET(m_server_sock_fd, &server_fd_set))
+        if (FD_ISSET(m_server_sock_fd, &server_fd_set)) {
        {
            // if there is new connection request
            struct sockaddr_in clt_addr;
            socklen_t len = sizeof(clt_addr);
@ -108,54 +98,45 @@ int work()
            // accept this connection request
            int client_sock_fd = accept(m_server_sock_fd, (struct sockaddr *)&clt_addr, &len);
-            if (client_sock_fd > 0)
+            if (client_sock_fd > 0) {
            {
                // add new connection to connection pool if it's not full
                int index = -1;
-                for(int i = 0; i < CONCURRENT_MAX; i++)
+                for (int i = 0; i < CONCURRENT_MAX; i++) {
-                {
+                    if (client_fds[i] == 0) {
                    if(client_fds[i] == 0)
                    {
                        index = i;
                        client_fds[i] = client_sock_fd;
                        break;
                    }
                }
-                if(index < 0)
+                if (index < 0) {
                {
                    printf("server reach maximum connection!\n");
                    bzero(input_msg, BUFFER_SIZE);
                    strcpy(input_msg, "server reach maximum connection\n");
                    send(client_sock_fd, input_msg, BUFFER_SIZE, 0);
                }
-            }
+            } else if (client_sock_fd < 0) {
            else if (client_sock_fd < 0)
            {
                printf("server: accept() return failure, %s, would exit.\n", strerror(errno));
                close(m_server_sock_fd);
                break;
            }
        }
-        for(int i =0; i < CONCURRENT_MAX; i++)
+        for (int i = 0; i < CONCURRENT_MAX; i++) {
        {
            if ((client_fds[i] != 0)
-                    && (FD_ISSET(client_fds[i], &server_fd_set)))
+                    && (FD_ISSET(client_fds[i], &server_fd_set))) {
            {
                // there is request messages from client connectsions
                FIFO_MSG *msg;
                bzero(recv_msg, BUFFER_SIZE);
                long byte_num = recv(client_fds[i], recv_msg, BUFFER_SIZE, 0);
-                if (byte_num > 0)
+                if (byte_num > 0) {
-                {
+                    if (byte_num > BUFFER_SIZE) {
                    if(byte_num > BUFFER_SIZE)
                        byte_num = BUFFER_SIZE;
                    }
                    recv_msg[byte_num] = '\0';
                    msg = (FIFO_MSG *)malloc(byte_num);
-                    if (!msg)
+                    if (!msg) {
                    {
                        printf("memory allocation failure\n");
                        continue;
                    }
@ -163,13 +144,9 @@ int work()
                    memcpy(msg, recv_msg, byte_num);
                    msg->header.sockfd = client_fds[i];
                    proc(msg);
-                }
+                } else if (byte_num < 0) {
                else if(byte_num < 0)
                {
                    printf("failed to receive message.\n");
-                }
+                } else {
                else
                {
                    // client connect is closed
                    FD_CLR(client_fds[i], &server_fd_set);
                    close(client_fds[i]);
@ -180,13 +157,11 @@ int work()
    }
 }
-int main()
+int main() {
 {
    int rc;
    rc = server_init();
-    if (rc != 0)
+    if (rc != 0) {
    {
        printf("server init failure\n");
        return rc;
    }
--- a/demos/local_attestation/AppResponder/session.c
+++ b/demos/local_attestation/AppResponder/session.c
@ -3,8 +3,7 @@
 #include "session.h"
 #define MAX_SESSION_COUNT  16
-typedef struct _session_id_tracker_t
+typedef struct _session_id_tracker_t {
 {
    uint32_t          session_id;
 } session_id_tracker_t;
@ -14,42 +13,41 @@ int is_session_id_valid(uint32_t session_id);
 session_id_tracker_t *g_session_id_tracker[MAX_SESSION_COUNT];
 dh_session_t g_dest_session_info_map[MAX_SESSION_COUNT];
 uint32_t g_session_count = 0;
-int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
+int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t *peer_enclave_identity) {
-{
+    if (!peer_enclave_identity) {
    if(!peer_enclave_identity)
        return ERROR;
    }
-    if(!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED))
+    if (!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED)) {
        return ERROR;
    }
    return SUCCESS;
 }
 int  session_request(sgx_dh_msg1_t *dh_msg1,
-                     uint32_t *session_id )
+                     uint32_t *session_id ) {
 {
    sgx_dh_session_t sgx_dh_session;
    sgx_status_t status = SGX_SUCCESS;
-    if(!session_id || !dh_msg1)
+    if (!session_id || !dh_msg1) {
    {
        return ERROR;
    }
    //Intialize the session as a session responder
    status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session);
-    if(SGX_SUCCESS != status)
+    if (SGX_SUCCESS != status) {
    {
        printf("sgx_dh_init_session failed\n");
        return ERROR;
    }
    //get a new SessionID
-    if (generate_session_id(session_id) < 0)
+    if (generate_session_id(session_id) < 0) {
        return ERROR;    //no more sessions available
    }
    //Allocate memory for the session id tracker
-    g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof(session_id_tracker_t));
+    g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof(
-    if(!g_session_id_tracker[*session_id])
+                                            session_id_tracker_t));
-    {
+    if (!g_session_id_tracker[*session_id]) {
        printf("g_session_id_tracker  failed\n");
        return ERROR;
    }
@ -59,13 +57,13 @@ int  session_request(sgx_dh_msg1_t *dh_msg1,
    //Generate Message1 that will be returned to Source Enclave
    status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t *)dh_msg1, &sgx_dh_session);
-    if(SGX_SUCCESS != status)
+    if (SGX_SUCCESS != status) {
    {
        free(g_session_id_tracker[*session_id]);
        printf("sgx_dh_responder_gen_msg1  failed\n");
        return ERROR;
    }
-    memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t));
+    memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session,
           sizeof(sgx_dh_session_t));
    //Store the session information under the correspoding source enlave id key
    g_dest_session_info_map[*session_id].status = IN_PROGRESS;
@ -73,22 +71,19 @@ int  session_request(sgx_dh_msg1_t *dh_msg1,
 }
 int exchange_report(sgx_dh_msg2_t *dh_msg2,
                    sgx_dh_msg3_t *dh_msg3,
-                    uint32_t session_id)
+                    uint32_t session_id) {
 {
    sgx_key_128bit_t dh_aek;   // Session key
    dh_session_t *session_info;
    int  status = SUCCESS;
    sgx_dh_session_t sgx_dh_session;
    sgx_dh_session_enclave_identity_t initiator_identity;
-    if(!dh_msg2 || !dh_msg3|| !is_session_id_valid(session_id))
+    if (!dh_msg2 || !dh_msg3 || !is_session_id_valid(session_id)) {
    {
        return ERROR;
    }
    memset(&dh_aek, 0, sizeof(sgx_key_128bit_t));
-    do
+    do {
    {
        //Retreive the session information for the corresponding source enclave id
        session_info  = &g_dest_session_info_map[session_id];
@ -101,16 +96,14 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2,
                              &sgx_dh_session,
                              &dh_aek,
                              &initiator_identity);
-        if(SGX_SUCCESS != se_ret)
+        if (SGX_SUCCESS != se_ret) {
        {
            status = ERROR;
            printf("sgx_dh_responder_proc_msg2 failed\n");
            break;
        }
        //Verify source enclave's trust
-        if(verify_peer_enclave_trust(&initiator_identity) != SUCCESS)
+        if (verify_peer_enclave_trust(&initiator_identity) != SUCCESS) {
        {
            status = ERROR;
            break;
        }
@ -122,35 +115,30 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2,
        memcpy(session_info->active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
        memset(&dh_aek, 0, sizeof(sgx_key_128bit_t));
        g_session_count++;
-    }
+    } while (0);
    while(0);
-    if(status != SUCCESS)
+    if (status != SUCCESS) {
    {
        end_session(session_id);
    }
    return status;
 }
-int end_session(uint32_t session_id)
+int end_session(uint32_t session_id) {
 {
    int status = SUCCESS;
    int i;
    dh_session_t *session_info;
-    if (!is_session_id_valid(session_id)) return ERROR;
+    if (!is_session_id_valid(session_id)) { return ERROR; }
    //Get the session information from the map corresponding to the source enclave id
    session_info = &g_dest_session_info_map[session_id];
    //Erase the session information for the current session
    //Update the session id tracker
-    if (g_session_count > 0)
+    if (g_session_count > 0) {
    {
        //check if session exists
-        for (i=1; i <= MAX_SESSION_COUNT; i++)
+        for (i = 1; i <= MAX_SESSION_COUNT; i++) {
-        {
+            if (g_session_id_tracker[i - 1] != NULL &&
-            if(g_session_id_tracker[i-1] != NULL && g_session_id_tracker[i-1]->session_id == session_id)
+                    g_session_id_tracker[i - 1]->session_id == session_id) {
            {
                memset(g_session_id_tracker[i - 1], 0, sizeof(session_id_tracker_t));
                free(g_session_id_tracker[i - 1]);
                g_session_count--;
@ -161,32 +149,27 @@ int end_session(uint32_t session_id)
    return status;
 }
-int is_session_id_valid(uint32_t session_id)
+int is_session_id_valid(uint32_t session_id) {
-{
+    if (session_id >= MAX_SESSION_COUNT || session_id < 0) { return 0; }
    if (session_id >= MAX_SESSION_COUNT|| session_id <0) return 0;
    return (g_session_id_tracker[session_id] != NULL);
 }
-dh_session_t* get_session_info(uint32_t session_id )
+dh_session_t *get_session_info(uint32_t session_id ) {
-{
+    if (!is_session_id_valid(session_id)) {
    if (!is_session_id_valid(session_id))
        return NULL;
    }
    return &(g_dest_session_info_map[session_id]);
 }
-int generate_session_id(uint32_t *session_id)
+int generate_session_id(uint32_t *session_id) {
-{
+    if (!session_id) {
    if(!session_id)
    {
        return ERROR;
    }
    //if the session structure is untintialized, set that as the next session ID
-    for (int i = 0; i < MAX_SESSION_COUNT; i++)
+    for (int i = 0; i < MAX_SESSION_COUNT; i++) {
-    {
+        if (g_session_id_tracker[i] == NULL) {
        if (g_session_id_tracker[i] == NULL)
        {
            *session_id = i;
            return SUCCESS;
        }
--- a/demos/local_attestation/download_src_and_build_deps.sh
+++ b/demos/local_attestation/download_src_and_build_deps.sh
@ -1,4 +1,5 @@
 #!/usr/bin/env bash
 set -e
 export CC=occlum-gcc
 export CXX=occlum-g++
@ -7,6 +8,7 @@ THISDIR="$(dirname $(readlink -f $0))"
 INSTALLDIR="/usr/local/occlum/x86_64-linux-musl"
 DEPSDIR="$THISDIR/deps"
 TARGET_SO="$DEPSDIR/openssl/libcrypto.so"
 SGX_VER="2.9.1"
 mkdir -p $DEPSDIR || exit 1
@ -32,20 +34,19 @@ if [ ! -f "$TARGET_SO" ] ; then
      --openssldir=/usr/local/occlum/ssl \
      --with-rand-seed=rdcpu \
      no-zlib no-async no-tests && \
-    make -j${nproc} && \
+    make -j${nproc} && make install && \
    echo "Build openssl successfully" || exit 1
 else
    echo "The openssl library is aleady existent"
 fi
 SGX_VER=2.8
 # Download SGX SDK
 SGX_SDK="${DEPSDIR}/linux-sgx-sdk"
 if [ ! -d "$SGX_SDK" ] ; then
    echo "Downloading linux-sgx-sdk ..."
    cd "$DEPSDIR" && \
    wget https://github.com/intel/linux-sgx/archive/sgx_$SGX_VER.tar.gz && \
-    tar -xvzf "sgx_$(SGX_VER).tar.gz" && \
+    tar -xvzf sgx_$SGX_VER.tar.gz && \
    mv linux-sgx-sgx_$SGX_VER linux-sgx-sdk && \
    echo "Download sgx-sdk successfully" || exit 1
 else
@ -75,6 +76,7 @@ cd - >/dev/null 2>&1
 echo "DiffieHellmanLibrary is ready"
 # Copy header files from linux-sgx-sdk local attestation demo
 cd $THISDIR
 mkdir -p Include
 cp $SGX_SDK/SampleCode/LocalAttestation/Include/{datatypes.h,\
 dh_session_protocol.h,\