general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix local attestation demo to use new PAL API and sdk 2.9.1

Browse Source 
Also format the code.
This commit is contained in:
Hui, Chunyang 2020-06-03 03:29:06 +00:00 committed by tate.thl
parent 8c113eb8a2
commit 3939899e76
7 changed files with 288 additions and 332 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
demos/local_attestation/AppInitiator/app.cpp
View File

@ -17,60 +17,83 @@
pthread_t thread;
sgx_enclave_id_t initiator_enclave_id = 0;
void* attestation(void *arg);
void *attestation(void *arg);
int main(int argc, char* argv[])
{
int main(int argc, char *argv[]) {
int update = 0;
sgx_launch_token_t token = {0};
sgx_status_t status;
int exit_status = 0;
const char* occlum_instance_dir = ".occlum";
const char* cmd_path = "/bin/responder"; // Prepare cmd path and arguments
const char* cmd_args[] = {NULL};
const char *occlum_instance_dir = ".occlum";
const char *cmd_path = "/bin/responder"; // Prepare cmd path and arguments
const char *cmd_args[] = {NULL};
// create ECDH initiator enclave
status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update, &initiator_enclave_id, NULL);
if (status != SGX_SUCCESS)
{
printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status);
status = sgx_create_enclave(ENCLAVE_INITIATOR_NAME, SGX_DEBUG_FLAG, &token, &update,
&initiator_enclave_id, NULL);
if (status != SGX_SUCCESS) {
printf("failed to load enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME,
status);
return -1;
}
printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME);
if (occlum_pal_init(occlum_instance_dir) < 0)
{
struct occlum_pal_attr attr {
.instance_dir = occlum_instance_dir,
.log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"),
};
if (occlum_pal_init(&attr) < 0) {
return EXIT_FAILURE;
}
if (pthread_create(&thread, NULL, attestation, NULL) < 0)
{
if (pthread_create(&thread, NULL, attestation, NULL) < 0) {
printf("pthread_create failed\n");
return -1;
}
// Use Occlum PAL to execute the cmd
if (occlum_pal_exec(cmd_path, cmd_args, &exit_status) < 0)
{
// Use Occlum PAL to create new process for the responder
struct occlum_stdio_fds io_fds = {
.stdin_fd = STDIN_FILENO,
.stdout_fd = STDOUT_FILENO,
.stderr_fd = STDERR_FILENO,
};
int libos_tid = 0;
struct occlum_pal_create_process_args create_process_args = {
.path = cmd_path,
.argv = cmd_args,
.env = NULL,
.stdio = (const struct occlum_stdio_fds *) &io_fds,
.pid = &libos_tid,
};
if (occlum_pal_create_process(&create_process_args) < 0) {
return EXIT_FAILURE;
}
// execute the responder process
struct occlum_pal_exec_args exec_args = {
.pid = libos_tid,
.exit_value = &exit_status,
};
if (occlum_pal_exec(&exec_args) < 0) {
return EXIT_FAILURE;
}
// wait for end and destroy
if (pthread_join(thread, NULL) < 0)
{
if (pthread_join(thread, NULL) < 0) {
printf("pthread_join failed\n");
return -1;
}
status = sgx_destroy_enclave(initiator_enclave_id);
if (status != SGX_SUCCESS)
{
printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME, status);
if (status != SGX_SUCCESS) {
printf("failed to destroy enclave %s, error code is 0x%x.\n", ENCLAVE_INITIATOR_NAME,
status);
return -1;
}
if (occlum_pal_destroy() < 0)
{
if (occlum_pal_destroy() < 0) {
printf("occlum_pal_destroy failed, errno is %d\n", errno);
return -1;
}
@ -81,24 +104,23 @@ int main(int argc, char* argv[])
// create ECDH session using initiator enclave
// it would create ECDH session with responder enclave running in another process
void* attestation(void *arg)
{
void *attestation(void *arg) {
sgx_status_t status;
uint32_t ret_status;
sleep(3);
sleep(5);
status = test_create_session(initiator_enclave_id, &ret_status);
if (status != SGX_SUCCESS || ret_status != 0)
{
printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
if (status != SGX_SUCCESS || ret_status != 0) {
printf("failed to establish secure channel: ECALL return 0x%x, error code is 0x%x.\n",
status, ret_status);
return NULL;
}
printf("succeed to establish secure channel.\n");
status = test_message_exchange(initiator_enclave_id, &ret_status);
if (status != SGX_SUCCESS || ret_status != 0)
{
printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
if (status != SGX_SUCCESS || ret_status != 0) {
printf("test_message_exchange Ecall failed: ECALL return 0x%x, error code is 0x%x.\n",
status, ret_status);
sgx_destroy_enclave(initiator_enclave_id);
return NULL;
}
@ -106,9 +128,9 @@ void* attestation(void *arg)
// close ECDH session
status = test_close_session(initiator_enclave_id, &ret_status);
if (status != SGX_SUCCESS || ret_status != 0)
{
printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n", status, ret_status);
if (status != SGX_SUCCESS || ret_status != 0) {
printf("test_close_session Ecall failed: ECALL return 0x%x, error code is 0x%x.\n",
status, ret_status);
return NULL;
}
printf("Succeed to close session.\n");

316
demos/local_attestation/AppResponder/proc_msg.c
View File

@ -12,17 +12,15 @@
#define SAFE_FREE(ptr) {if (NULL != (ptr)) {free(ptr); (ptr) = NULL;}}
#define MESSAGE_EXCHANGE 0x0
int proc(FIFO_MSG * message);
int proc(FIFO_MSG *message);
extern int m_shutdown;
typedef struct _secure_message_t
{
typedef struct _secure_message_t {
uint32_t session_id; //Session ID identifyting the session to which the message belongs
sgx_aes_gcm_data_t message_aes_gcm_data;
} secure_message_t;
typedef struct _ms_in_msg_exchange_t
{
typedef struct _ms_in_msg_exchange_t {
uint32_t msg_type; //Type of Call E2E or general message exchange
uint32_t target_fn_id; //Function Id to be called in Destination. Is valid only when msg_type=ENCLAVE_TO_ENCLAVE_CALL
uint32_t inparam_buff_len; //Length of the serialized input parameters
@ -30,8 +28,7 @@ typedef struct _ms_in_msg_exchange_t
} ms_in_msg_exchange_t;
//Format of the return value and output function parameter structure
typedef struct _ms_out_msg_exchange_t
{
typedef struct _ms_out_msg_exchange_t {
uint32_t retval_len; //Length of the return value
uint32_t ret_outparam_buff_len; //Length of the serialized return value and output parameters
char ret_outparam_buff[1]; //Serialized return value and output parameters
@ -42,29 +39,26 @@ typedef struct _ms_out_msg_exchange_t
* Parameter Description:
* [input] clientfd: this is client's connection id. After generating ECDH message 1, server would send back response through this connection id.
* */
int generate_and_send_session_msg1_resp(int clientfd)
{
int generate_and_send_session_msg1_resp(int clientfd) {
int retcode = 0;
uint32_t status = 0;
sgx_status_t ret = SGX_SUCCESS;
SESSION_MSG1_RESP msg1resp;
FIFO_MSG * fifo_resp = NULL;
FIFO_MSG *fifo_resp = NULL;
size_t respmsgsize;
memset(&msg1resp, 0, sizeof(SESSION_MSG1_RESP));
// call responder enclave to generate ECDH message 1
ret = session_request(&msg1resp.dh_msg1, &msg1resp.sessionid);
if (ret != SGX_SUCCESS)
{
if (ret != SGX_SUCCESS) {
printf("failed to do ECALL session_request.\n");
return -1;
}
respmsgsize = sizeof(FIFO_MSG) + sizeof(SESSION_MSG1_RESP);
fifo_resp = (FIFO_MSG *)malloc(respmsgsize);
if (!fifo_resp)
{
if (!fifo_resp) {
printf("memory allocation failure.\n");
return -1;
}
@ -76,8 +70,7 @@ int generate_and_send_session_msg1_resp(int clientfd)
memcpy(fifo_resp->msgbuf, &msg1resp, sizeof(SESSION_MSG1_RESP));
//send message 1 to client
if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1)
{
if (send(clientfd, (char *)(fifo_resp), (int)(respmsgsize), 0) == -1) {
printf("fail to send msg1 response.\n");
retcode = -1;
}
@ -90,21 +83,20 @@ int generate_and_send_session_msg1_resp(int clientfd)
* [input] clientfd: this is client's connection id
* [input] msg2: this contains ECDH message 2 received from client
* */
int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
{
int process_exchange_report(int clientfd, SESSION_MSG2 *msg2) {
uint32_t status = 0;
sgx_status_t ret = SGX_SUCCESS;
FIFO_MSG *response;
SESSION_MSG3 * msg3;
SESSION_MSG3 *msg3;
size_t msgsize;
if (!msg2)
if (!msg2) {
return -1;
}
msgsize = sizeof(FIFO_MSG_HEADER) + sizeof(SESSION_MSG3);
response = (FIFO_MSG *)malloc(msgsize);
if (!response)
{
if (!response) {
printf("memory allocation failure\n");
return -1;
}
@ -118,16 +110,14 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
// call responder enclave to process ECDH message 2 and generate message 3
ret = exchange_report(&msg2->dh_msg2, &msg3->dh_msg3, msg2->sessionid);
if (ret != SGX_SUCCESS)
{
if (ret != SGX_SUCCESS) {
printf("Enclave Response_exchange_report failure.\n");
free(response);
return -1;
}
// send ECDH message 3 to client
if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1)
{
if (send(clientfd, (char *)(response), (int)(msgsize), 0) == -1) {
printf("server_send() failure.\n");
free(response);
return -1;
@ -137,111 +127,114 @@ int process_exchange_report(int clientfd, SESSION_MSG2 * msg2)
return 0;
}
uint32_t get_message_exchange_response(uint32_t inp_secret_data)
{
uint32_t get_message_exchange_response(uint32_t inp_secret_data) {
uint32_t secret_response;
printf("secret=0x%x\n",inp_secret_data);
printf("secret=0x%x\n", inp_secret_data);
//User should use more complex encryption method to protect their secret, below is just a simple example
secret_response = inp_secret_data & 0x11111111;
return secret_response;
}
int umarshal_message_exchange_request(uint32_t* inp_secret_data, ms_in_msg_exchange_t* ms)
{
char* buff;
int umarshal_message_exchange_request(uint32_t *inp_secret_data,
ms_in_msg_exchange_t *ms) {
char *buff;
size_t len;
if(!inp_secret_data || !ms)
if (!inp_secret_data || !ms) {
return -1;
}
buff = ms->inparam_buff;
len = ms->inparam_buff_len;
if(len != sizeof(uint32_t))
if (len != sizeof(uint32_t)) {
return -1;
}
memcpy(inp_secret_data, buff, sizeof(uint32_t));
return 0;
}
int marshal_message_exchange_response(char** resp_buffer, size_t* resp_length, uint32_t secret_response)
{
int marshal_message_exchange_response(char **resp_buffer, size_t *resp_length,
uint32_t secret_response) {
ms_out_msg_exchange_t *ms;
size_t secret_response_len, ms_len;
size_t retval_len, ret_param_len;
if(!resp_length)
if (!resp_length) {
return -1;
}
secret_response_len = sizeof(secret_response);
retval_len = secret_response_len;
ret_param_len = secret_response_len;
ms_len = sizeof(ms_out_msg_exchange_t) + ret_param_len;
ms = (ms_out_msg_exchange_t *)malloc(ms_len);
if(!ms)
if (!ms) {
return -1;
}
ms->retval_len = (uint32_t)retval_len;
ms->ret_outparam_buff_len = (uint32_t)ret_param_len;
memcpy(&ms->ret_outparam_buff, &secret_response, secret_response_len);
*resp_buffer = (char*)ms;
*resp_buffer = (char *)ms;
*resp_length = ms_len;
return 0;
}
int message_exchange_response_generator(char* decrypted_data,
char** resp_buffer,
size_t* resp_length)
{
int message_exchange_response_generator(char *decrypted_data,
char **resp_buffer,
size_t *resp_length) {
ms_in_msg_exchange_t *ms;
uint32_t inp_secret_data;
uint32_t out_secret_data;
if(!decrypted_data || !resp_length)
if (!decrypted_data || !resp_length) {
return -1;
}
ms = (ms_in_msg_exchange_t *)decrypted_data;
if(umarshal_message_exchange_request(&inp_secret_data,ms) <0)
if (umarshal_message_exchange_request(&inp_secret_data, ms) < 0) {
return -1;
}
out_secret_data = get_message_exchange_response(inp_secret_data);
if(marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data) < 0)
if (marshal_message_exchange_response(resp_buffer, resp_length, out_secret_data) < 0) {
return -1;
}
return 0;
}
int generate_response(secure_message_t* req_message,
int generate_response(secure_message_t *req_message,
size_t req_message_size,
size_t max_payload_size,
secure_message_t* resp_message,
secure_message_t *resp_message,
size_t resp_message_size,
uint32_t session_id)
{
uint32_t session_id) {
#define TAG_SIZE 16
const uint8_t* plaintext;
const uint8_t *plaintext;
uint32_t plaintext_length;
uint8_t *decrypted_data;
uint32_t decrypted_data_length;
uint32_t plain_text_offset;
ms_in_msg_exchange_t * ms;
ms_in_msg_exchange_t *ms;
size_t resp_data_length;
size_t resp_message_calc_size;
char* resp_data;
char *resp_data;
uint8_t l_tag[TAG_SIZE];
size_t header_size, expected_payload_size;
dh_session_t *session_info;
secure_message_t* temp_resp_message;
secure_message_t *temp_resp_message;
uint32_t ret;
sgx_status_t status;
plaintext = (const uint8_t*)(" ");
plaintext = (const uint8_t *)(" ");
plaintext_length = 0;
if(!req_message || !resp_message)
{
if (!req_message || !resp_message) {
return -1;
}
//Get the session information from the map corresponding to the source enclave id
session_info= get_session_info(session_id);
if (session_info == NULL) return -1;
session_info = get_session_info(session_id);
if (session_info == NULL) { return -1; }
//Set the decrypted data length to the payload size obtained from the message
decrypted_data_length = req_message->message_aes_gcm_data.payload_size;
@ -249,26 +242,27 @@ int generate_response(secure_message_t* req_message,
expected_payload_size = req_message_size - header_size;
//Verify the size of the payload
if(expected_payload_size != decrypted_data_length)
if (expected_payload_size != decrypted_data_length) {
return -1;
}
memset(&l_tag, 0, 16);
plain_text_offset = decrypted_data_length;
decrypted_data = (uint8_t*)malloc(decrypted_data_length);
if(!decrypted_data)
{
decrypted_data = (uint8_t *)malloc(decrypted_data_length);
if (!decrypted_data) {
return -1;
}
memset(decrypted_data, 0, decrypted_data_length);
status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK, req_message->message_aes_gcm_data.payload,
status = sgx_rijndael128GCM_decrypt(&session_info->active.AEK,
req_message->message_aes_gcm_data.payload,
decrypted_data_length, decrypted_data,
(uint8_t *)(&(req_message->message_aes_gcm_data.reserved)),
sizeof(req_message->message_aes_gcm_data.reserved), &(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length,
sizeof(req_message->message_aes_gcm_data.reserved),
&(req_message->message_aes_gcm_data.payload[plain_text_offset]), plaintext_length,
&req_message->message_aes_gcm_data.payload_tag);
if(SGX_SUCCESS != status)
{
if (SGX_SUCCESS != status) {
SAFE_FREE(decrypted_data);
return -1;
}
@ -277,55 +271,50 @@ int generate_response(secure_message_t* req_message,
ms = (ms_in_msg_exchange_t *)decrypted_data;
// Verify if the nonce obtained in the request is equal to the session nonce
if((uint32_t)*(req_message->message_aes_gcm_data.reserved) != session_info->active.counter || *(req_message->message_aes_gcm_data.reserved) > ((2^32)-2))
{
if ((uint32_t) * (req_message->message_aes_gcm_data.reserved) !=
session_info->active.counter ||
*(req_message->message_aes_gcm_data.reserved) > ((2 ^ 32) - 2)) {
SAFE_FREE(decrypted_data);
return -1;
}
if(ms->msg_type == MESSAGE_EXCHANGE)
{
if (ms->msg_type == MESSAGE_EXCHANGE) {
//Call the generic secret response generator for message exchange
ret = message_exchange_response_generator((char*)decrypted_data, &resp_data, &resp_data_length);
if(ret !=0)
{
ret = message_exchange_response_generator((char *)decrypted_data, &resp_data,
&resp_data_length);
if (ret != 0) {
SAFE_FREE(decrypted_data);
SAFE_FREE(resp_data);
return -1;
}
}
else
{
} else {
SAFE_FREE(decrypted_data);
return -1;
}
if(resp_data_length > max_payload_size)
{
if (resp_data_length > max_payload_size) {
SAFE_FREE(resp_data);
SAFE_FREE(decrypted_data);
return -1;
}
resp_message_calc_size = sizeof(secure_message_t)+ resp_data_length;
resp_message_calc_size = sizeof(secure_message_t) + resp_data_length;
if(resp_message_calc_size > resp_message_size)
{
if (resp_message_calc_size > resp_message_size) {
SAFE_FREE(resp_data);
SAFE_FREE(decrypted_data);
return -1;
}
//Code to build the response back to the Source Enclave
temp_resp_message = (secure_message_t*)malloc(resp_message_calc_size);
if(!temp_resp_message)
{
temp_resp_message = (secure_message_t *)malloc(resp_message_calc_size);
if (!temp_resp_message) {
SAFE_FREE(resp_data);
SAFE_FREE(decrypted_data);
return -1;
}
memset(temp_resp_message,0,sizeof(secure_message_t)+ resp_data_length);
memset(temp_resp_message, 0, sizeof(secure_message_t) + resp_data_length);
const uint32_t data2encrypt_length = (uint32_t)resp_data_length;
temp_resp_message->session_id = session_info->session_id;
temp_resp_message->message_aes_gcm_data.payload_size = data2encrypt_length;
@ -334,25 +323,26 @@ int generate_response(secure_message_t* req_message,
session_info->active.counter = session_info->active.counter + 1;
//Set the response nonce as the session nonce
memcpy(&temp_resp_message->message_aes_gcm_data.reserved,&session_info->active.counter,sizeof(session_info->active.counter));
memcpy(&temp_resp_message->message_aes_gcm_data.reserved, &session_info->active.counter,
sizeof(session_info->active.counter));
//Prepare the response message with the encrypted payload
status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t*)resp_data, data2encrypt_length,
status = sgx_rijndael128GCM_encrypt(&session_info->active.AEK, (uint8_t *)resp_data,
data2encrypt_length,
(uint8_t *)(&(temp_resp_message->message_aes_gcm_data.payload)),
(uint8_t *)(&(temp_resp_message->message_aes_gcm_data.reserved)),
sizeof(temp_resp_message->message_aes_gcm_data.reserved), plaintext, plaintext_length,
&(temp_resp_message->message_aes_gcm_data.payload_tag));
if(SGX_SUCCESS != status)
{
if (SGX_SUCCESS != status) {
SAFE_FREE(resp_data);
SAFE_FREE(decrypted_data);
SAFE_FREE(temp_resp_message);
return -1;
}
memset(resp_message, 0, sizeof(secure_message_t)+ resp_data_length);
memcpy(resp_message, temp_resp_message, sizeof(secure_message_t)+ resp_data_length);
memset(resp_message, 0, sizeof(secure_message_t) + resp_data_length);
memcpy(resp_message, temp_resp_message, sizeof(secure_message_t) + resp_data_length);
SAFE_FREE(decrypted_data);
SAFE_FREE(resp_data);
@ -361,41 +351,37 @@ int generate_response(secure_message_t* req_message,
return 0;
}
int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
{
int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg) {
uint32_t status = 0;
sgx_status_t ret = SGX_SUCCESS;
secure_message_t *resp_message = NULL;
FIFO_MSG * fifo_resp = NULL;
FIFO_MSG *fifo_resp = NULL;
size_t resp_message_size;
if (!req_msg)
{
if (!req_msg) {
printf("invalid parameter.\n");
return -1;
}
resp_message_size = sizeof(secure_message_t) + req_msg->max_payload_size;
//Allocate memory for the response message
resp_message = (secure_message_t*)malloc(resp_message_size);
if (!resp_message)
{
resp_message = (secure_message_t *)malloc(resp_message_size);
if (!resp_message) {
printf("memory allocation failure.\n");
return -1;
}
memset(resp_message, 0, resp_message_size);
ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size, req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id);
if (ret <0)
{
ret = generate_response( (secure_message_t *)req_msg->buf, req_msg->size,
req_msg->max_payload_size, resp_message, resp_message_size, req_msg->session_id);
if (ret < 0) {
printf("EnclaveResponder_generate_response error.\n");
free(resp_message);
return -1;
}
fifo_resp = (FIFO_MSG *)malloc(sizeof(FIFO_MSG) + resp_message_size);
if (!fifo_resp)
{
if (!fifo_resp) {
printf("memory allocation failure.\n");
free(resp_message);
return -1;
@ -408,8 +394,8 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
free(resp_message);
if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size), 0) == -1)
{
if (send(clientfd, (char *)(fifo_resp), sizeof(FIFO_MSG) + (int)(resp_message_size),
0) == -1) {
printf("server_send() failure.\n");
free(fifo_resp);
return -1;
@ -418,100 +404,88 @@ int process_msg_transfer(int clientfd, FIFO_MSGBODY_REQ *req_msg)
return 0;
}
int process_close_req(int clientfd, SESSION_CLOSE_REQ * close_req)
{
int process_close_req(int clientfd, SESSION_CLOSE_REQ *close_req) {
uint32_t status = 0;
sgx_status_t ret = SGX_SUCCESS;
FIFO_MSG close_ack;
if (!close_req)
if (!close_req) {
return -1;
}
// call responder enclave to close this session
ret = end_session( close_req->session_id);
if (ret != SGX_SUCCESS)
if (ret != SGX_SUCCESS) {
return -1;
}
// send back response
close_ack.header.type = FIFO_DH_CLOSE_RESP;
close_ack.header.size = 0;
if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1)
{
if (send(clientfd, (char *)(&close_ack), sizeof(FIFO_MSG), 0) == -1) {
printf("server_send() failure.\n");
return -1;
}
return 0;
}
int proc (FIFO_MSG * message)
{
if (message == NULL) return 0;
switch (message->header.type)
{
case FIFO_DH_REQ_MSG1:
{
// process ECDH session connection request
int clientfd = message->header.sockfd;
int proc (FIFO_MSG *message) {
if (message == NULL) { return 0; }
switch (message->header.type) {
case FIFO_DH_REQ_MSG1: {
// process ECDH session connection request
int clientfd = message->header.sockfd;
if (generate_and_send_session_msg1_resp(clientfd) != 0) {
printf("failed to generate and send session msg1 resp.\n");
break;
} else { printf("generate and send session msg1 resp.\n"); }
if (generate_and_send_session_msg1_resp(clientfd) != 0)
{
printf("failed to generate and send session msg1 resp.\n");
break;
}
else printf("generate and send session msg1 resp.\n");
break;
}
break;
case FIFO_DH_MSG2: {
// process ECDH message 2
int clientfd = message->header.sockfd;
SESSION_MSG2 *msg2 = NULL;
msg2 = (SESSION_MSG2 *)message->msgbuf;
case FIFO_DH_MSG2:
{
// process ECDH message 2
int clientfd = message->header.sockfd;
SESSION_MSG2 * msg2 = NULL;
msg2 = (SESSION_MSG2 *)message->msgbuf;
if (process_exchange_report(clientfd, msg2) != 0)
{
printf("failed to process exchange_report request.\n");
break;
if (process_exchange_report(clientfd, msg2) != 0) {
printf("failed to process exchange_report request.\n");
break;
} else { printf(" process exchange_report request.\n"); }
}
else printf(" process exchange_report request.\n");
}
break;
case FIFO_DH_MSG_REQ:
{
// process message transfer request
int clientfd = message->header.sockfd;
FIFO_MSGBODY_REQ *msg = NULL;
break;
case FIFO_DH_MSG_REQ: {
// process message transfer request
int clientfd = message->header.sockfd;
FIFO_MSGBODY_REQ *msg = NULL;
msg = (FIFO_MSGBODY_REQ *)message->msgbuf;
msg = (FIFO_MSGBODY_REQ *)message->msgbuf;
if (process_msg_transfer(clientfd, msg) != 0)
{
printf("failed to process message transfer request.\n");
break;
if (process_msg_transfer(clientfd, msg) != 0) {
printf("failed to process message transfer request.\n");
break;
}
}
}
break;
break;
case FIFO_DH_CLOSE_REQ:
{
// process message close request
int clientfd = message->header.sockfd;
case FIFO_DH_CLOSE_REQ: {
// process message close request
int clientfd = message->header.sockfd;
SESSION_CLOSE_REQ * closereq = NULL;
closereq = (SESSION_CLOSE_REQ *)message->msgbuf;
process_close_req(clientfd, closereq);
printf("process close_requestt request.\n");
m_shutdown = 1;
}
break;
default:
{
printf("Unknown message.\n");
}
break;
SESSION_CLOSE_REQ *closereq = NULL;
closereq = (SESSION_CLOSE_REQ *)message->msgbuf;
process_close_req(clientfd, closereq);
printf("process close_requestt request.\n");
m_shutdown = 1;
}
break;
default: {
printf("Unknown message.\n");
}
break;
}
free(message);
}

2
demos/local_attestation/AppResponder/proc_msg.h
View File

@ -1,5 +1,5 @@
#ifndef _PROC_MSG_H_
#define _PROC_MSG_H_
#include "fifo_def.h"
int proc(FIFO_MSG * message);
int proc(FIFO_MSG *message);
#endif

91
demos/local_attestation/AppResponder/responder.c
View File

@ -20,8 +20,7 @@
int m_server_sock_fd;
int m_shutdown;
int server_init()
{
int server_init() {
struct sockaddr_in srv_addr;
memset(&srv_addr, 0, sizeof(srv_addr));
@ -30,22 +29,19 @@ int server_init()
srv_addr.sin_port = htons(SERVER_PORT);
m_server_sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);;
if (m_server_sock_fd == -1)
{
if (m_server_sock_fd == -1) {
printf("socket initiazation error: %d\n", errno);
return -1;
}
int bind_result = bind(m_server_sock_fd, (struct sockaddr*)&srv_addr, sizeof(srv_addr));
if (bind_result == -1)
{
int bind_result = bind(m_server_sock_fd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
if (bind_result == -1) {
printf("bind error: %d\n", errno);
close(m_server_sock_fd);
return -1;
}
if (listen(m_server_sock_fd, BACKLOG) == -1)
{
if (listen(m_server_sock_fd, BACKLOG) == -1) {
printf("listen error: %d\n", errno);
close(m_server_sock_fd);
return -1;
@ -55,8 +51,7 @@ int server_init()
return 0;
}
int work()
{
int work() {
int client_fds[CONCURRENT_MAX] = {0};
fd_set server_fd_set;
int max_fd = -1;
@ -65,42 +60,37 @@ int work()
char recv_msg[BUFFER_SIZE];
int ret;
while (!m_shutdown)
{
while (!m_shutdown) {
// set 10s timeout for select()
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&server_fd_set);
// listening on server socket
FD_SET(m_server_sock_fd, &server_fd_set);
if (max_fd < m_server_sock_fd)
if (max_fd < m_server_sock_fd) {
max_fd = m_server_sock_fd;
}
// listening on all client connections
for(int i =0; i < CONCURRENT_MAX; i++)
{
if(client_fds[i] != 0)
{
for (int i = 0; i < CONCURRENT_MAX; i++) {
if (client_fds[i] != 0) {
FD_SET(client_fds[i], &server_fd_set);
if(max_fd < client_fds[i])
if (max_fd < client_fds[i]) {
max_fd = client_fds[i];
}
}
}
ret = select(max_fd + 1, &server_fd_set, NULL, NULL, &tv);
if (ret < 0)
{
if (ret < 0) {
printf("Warning: server would shutdown\n");
continue;
}
else if(ret == 0)
{
} else if (ret == 0) {
// timeout
continue;
}
if(FD_ISSET(m_server_sock_fd, &server_fd_set))
{
if (FD_ISSET(m_server_sock_fd, &server_fd_set)) {
// if there is new connection request
struct sockaddr_in clt_addr;
socklen_t len = sizeof(clt_addr);
@ -108,54 +98,45 @@ int work()
// accept this connection request
int client_sock_fd = accept(m_server_sock_fd, (struct sockaddr *)&clt_addr, &len);
if (client_sock_fd > 0)
{
if (client_sock_fd > 0) {
// add new connection to connection pool if it's not full
int index = -1;
for(int i = 0; i < CONCURRENT_MAX; i++)
{
if(client_fds[i] == 0)
{
for (int i = 0; i < CONCURRENT_MAX; i++) {
if (client_fds[i] == 0) {
index = i;
client_fds[i] = client_sock_fd;
break;
}
}
if(index < 0)
{
if (index < 0) {
printf("server reach maximum connection!\n");
bzero(input_msg, BUFFER_SIZE);
strcpy(input_msg, "server reach maximum connection\n");
send(client_sock_fd, input_msg, BUFFER_SIZE, 0);
}
}
else if (client_sock_fd < 0)
{
} else if (client_sock_fd < 0) {
printf("server: accept() return failure, %s, would exit.\n", strerror(errno));
close(m_server_sock_fd);
break;
}
}
for(int i =0; i < CONCURRENT_MAX; i++)
{
if ((client_fds[i] !=0)
&& (FD_ISSET(client_fds[i], &server_fd_set)))
{
for (int i = 0; i < CONCURRENT_MAX; i++) {
if ((client_fds[i] != 0)
&& (FD_ISSET(client_fds[i], &server_fd_set))) {
// there is request messages from client connectsions
FIFO_MSG * msg;
FIFO_MSG *msg;
bzero(recv_msg, BUFFER_SIZE);
long byte_num = recv(client_fds[i], recv_msg, BUFFER_SIZE, 0);
if (byte_num > 0)
{
if(byte_num > BUFFER_SIZE)
if (byte_num > 0) {
if (byte_num > BUFFER_SIZE) {
byte_num = BUFFER_SIZE;
}
recv_msg[byte_num] = '\0';
msg = (FIFO_MSG *)malloc(byte_num);
if (!msg)
{
if (!msg) {
printf("memory allocation failure\n");
continue;
}
@ -163,13 +144,9 @@ int work()
memcpy(msg, recv_msg, byte_num);
msg->header.sockfd = client_fds[i];
proc(msg);
}
else if(byte_num < 0)
{
} else if (byte_num < 0) {
printf("failed to receive message.\n");
}
else
{
} else {
// client connect is closed
FD_CLR(client_fds[i], &server_fd_set);
close(client_fds[i]);
@ -180,13 +157,11 @@ int work()
}
}
int main()
{
int main() {
int rc;
rc = server_init();
if (rc != 0)
{
if (rc != 0) {
printf("server init failure\n");
return rc;
}

107
demos/local_attestation/AppResponder/session.c
View File

@ -3,8 +3,7 @@
#include "session.h"
#define MAX_SESSION_COUNT 16
typedef struct _session_id_tracker_t
{
typedef struct _session_id_tracker_t {
uint32_t session_id;
} session_id_tracker_t;
@ -14,42 +13,41 @@ int is_session_id_valid(uint32_t session_id);
session_id_tracker_t *g_session_id_tracker[MAX_SESSION_COUNT];
dh_session_t g_dest_session_info_map[MAX_SESSION_COUNT];
uint32_t g_session_count = 0;
int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
{
if(!peer_enclave_identity)
int verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t *peer_enclave_identity) {
if (!peer_enclave_identity) {
return ERROR;
}
if(!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED))
if (!(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED)) {
return ERROR;
}
return SUCCESS;
}
int session_request(sgx_dh_msg1_t *dh_msg1,
uint32_t *session_id )
{
uint32_t *session_id ) {
sgx_dh_session_t sgx_dh_session;
sgx_status_t status = SGX_SUCCESS;
if(!session_id || !dh_msg1)
{
if (!session_id || !dh_msg1) {
return ERROR;
}
//Intialize the session as a session responder
status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session);
if(SGX_SUCCESS != status)
{
if (SGX_SUCCESS != status) {
printf("sgx_dh_init_session failed\n");
return ERROR;
}
//get a new SessionID
if (generate_session_id(session_id) < 0)
return ERROR; //no more sessions available
if (generate_session_id(session_id) < 0) {
return ERROR; //no more sessions available
}
//Allocate memory for the session id tracker
g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof(session_id_tracker_t));
if(!g_session_id_tracker[*session_id])
{
g_session_id_tracker[*session_id] = (session_id_tracker_t *)malloc(sizeof(
session_id_tracker_t));
if (!g_session_id_tracker[*session_id]) {
printf("g_session_id_tracker failed\n");
return ERROR;
}
@ -58,14 +56,14 @@ int session_request(sgx_dh_msg1_t *dh_msg1,
g_session_id_tracker[*session_id]->session_id = *session_id;
//Generate Message1 that will be returned to Source Enclave
status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t*)dh_msg1, &sgx_dh_session);
if(SGX_SUCCESS != status)
{
status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t *)dh_msg1, &sgx_dh_session);
if (SGX_SUCCESS != status) {
free(g_session_id_tracker[*session_id]);
printf("sgx_dh_responder_gen_msg1 failed\n");
return ERROR;
}
memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t));
memcpy(&g_dest_session_info_map[*session_id].in_progress.dh_session, &sgx_dh_session,
sizeof(sgx_dh_session_t));
//Store the session information under the correspoding source enlave id key
g_dest_session_info_map[*session_id].status = IN_PROGRESS;
@ -73,22 +71,19 @@ int session_request(sgx_dh_msg1_t *dh_msg1,
}
int exchange_report(sgx_dh_msg2_t *dh_msg2,
sgx_dh_msg3_t *dh_msg3,
uint32_t session_id)
{
uint32_t session_id) {
sgx_key_128bit_t dh_aek; // Session key
dh_session_t *session_info;
int status = SUCCESS;
sgx_dh_session_t sgx_dh_session;
sgx_dh_session_enclave_identity_t initiator_identity;
if(!dh_msg2 || !dh_msg3|| !is_session_id_valid(session_id))
{
if (!dh_msg2 || !dh_msg3 || !is_session_id_valid(session_id)) {
return ERROR;
}
memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
do
{
memset(&dh_aek, 0, sizeof(sgx_key_128bit_t));
do {
//Retreive the session information for the corresponding source enclave id
session_info = &g_dest_session_info_map[session_id];
@ -101,16 +96,14 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2,
&sgx_dh_session,
&dh_aek,
&initiator_identity);
if(SGX_SUCCESS != se_ret)
{
if (SGX_SUCCESS != se_ret) {
status = ERROR;
printf("sgx_dh_responder_proc_msg2 failed\n");
break;
}
//Verify source enclave's trust
if(verify_peer_enclave_trust(&initiator_identity) != SUCCESS)
{
if (verify_peer_enclave_trust(&initiator_identity) != SUCCESS) {
status = ERROR;
break;
}
@ -120,39 +113,34 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2,
session_info->status = ACTIVE;
session_info->active.counter = 0;
memcpy(session_info->active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
memset(&dh_aek, 0, sizeof(sgx_key_128bit_t));
g_session_count++;
}
while(0);
} while (0);
if(status != SUCCESS)
{
if (status != SUCCESS) {
end_session(session_id);
}
return status;
}
int end_session(uint32_t session_id)
{
int end_session(uint32_t session_id) {
int status = SUCCESS;
int i;
dh_session_t *session_info;
if (!is_session_id_valid(session_id)) return ERROR;
if (!is_session_id_valid(session_id)) { return ERROR; }
//Get the session information from the map corresponding to the source enclave id
session_info = &g_dest_session_info_map[session_id];
//Erase the session information for the current session
//Update the session id tracker
if (g_session_count > 0)
{
if (g_session_count > 0) {
//check if session exists
for (i=1; i <= MAX_SESSION_COUNT; i++)
{
if(g_session_id_tracker[i-1] != NULL && g_session_id_tracker[i-1]->session_id == session_id)
{
memset(g_session_id_tracker[i-1], 0, sizeof(session_id_tracker_t));
free(g_session_id_tracker[i-1]);
for (i = 1; i <= MAX_SESSION_COUNT; i++) {
if (g_session_id_tracker[i - 1] != NULL &&
g_session_id_tracker[i - 1]->session_id == session_id) {
memset(g_session_id_tracker[i - 1], 0, sizeof(session_id_tracker_t));
free(g_session_id_tracker[i - 1]);
g_session_count--;
break;
}
@ -161,32 +149,27 @@ int end_session(uint32_t session_id)
return status;
}
int is_session_id_valid(uint32_t session_id)
{
if (session_id >= MAX_SESSION_COUNT|| session_id <0) return 0;
int is_session_id_valid(uint32_t session_id) {
if (session_id >= MAX_SESSION_COUNT || session_id < 0) { return 0; }
return (g_session_id_tracker[session_id] != NULL);
}
dh_session_t* get_session_info(uint32_t session_id )
{
if (!is_session_id_valid(session_id))
dh_session_t *get_session_info(uint32_t session_id ) {
if (!is_session_id_valid(session_id)) {
return NULL;
}
return &(g_dest_session_info_map[session_id]);
}
int generate_session_id(uint32_t *session_id)
{
if(!session_id)
{
int generate_session_id(uint32_t *session_id) {
if (!session_id) {
return ERROR;
}
//if the session structure is untintialized, set that as the next session ID
for (int i = 0; i < MAX_SESSION_COUNT; i++)
{
if (g_session_id_tracker[i] == NULL)
{
for (int i = 0; i < MAX_SESSION_COUNT; i++) {
if (g_session_id_tracker[i] == NULL) {
*session_id = i;
return SUCCESS;
}

2
demos/local_attestation/AppResponder/session.h
View File

@ -17,6 +17,6 @@ int exchange_report(sgx_dh_msg2_t *dh_msg2,
sgx_dh_msg3_t *dh_msg3,
uint32_t session_id);
int end_session(uint32_t session_id);
dh_session_t* get_session_info(uint32_t session_id );
dh_session_t *get_session_info(uint32_t session_id );
#endif

8
demos/local_attestation/download_src_and_build_deps.sh
View File

@ -1,4 +1,5 @@
#!/usr/bin/env bash
set -e
export CC=occlum-gcc
export CXX=occlum-g++
@ -7,6 +8,7 @@ THISDIR="$(dirname $(readlink -f $0))"
INSTALLDIR="/usr/local/occlum/x86_64-linux-musl"
DEPSDIR="$THISDIR/deps"
TARGET_SO="$DEPSDIR/openssl/libcrypto.so"
SGX_VER="2.9.1"
mkdir -p $DEPSDIR || exit 1
@ -32,20 +34,19 @@ if [ ! -f "$TARGET_SO" ] ; then
--openssldir=/usr/local/occlum/ssl \
--with-rand-seed=rdcpu \
no-zlib no-async no-tests && \
make -j${nproc} && \
make -j${nproc} && make install && \
echo "Build openssl successfully" || exit 1
else
echo "The openssl library is aleady existent"
fi
SGX_VER=2.8
# Download SGX SDK
SGX_SDK="${DEPSDIR}/linux-sgx-sdk"
if [ ! -d "$SGX_SDK" ] ; then
echo "Downloading linux-sgx-sdk ..."
cd "$DEPSDIR" && \
wget https://github.com/intel/linux-sgx/archive/sgx_$SGX_VER.tar.gz && \
tar -xvzf "sgx_$(SGX_VER).tar.gz" && \
tar -xvzf sgx_$SGX_VER.tar.gz && \
mv linux-sgx-sgx_$SGX_VER linux-sgx-sdk && \
echo "Download sgx-sdk successfully" || exit 1
else
@ -75,6 +76,7 @@ cd - >/dev/null 2>&1
echo "DiffieHellmanLibrary is ready"
# Copy header files from linux-sgx-sdk local attestation demo
cd $THISDIR
mkdir -p Include
cp $SGX_SDK/SampleCode/LocalAttestation/Include/{datatypes.h,\
dh_session_protocol.h,\