From a9d894a97df560ade155c4b7719a73f55f718fcc Mon Sep 17 00:00:00 2001 From: Paul Zinselmeyer Date: Sat, 6 Jul 2024 17:25:06 +0200 Subject: [PATCH] [Assignment-7] app restructure and cleanup --- 7-SGX_Hands-on/README.md | 13 ++ 7-SGX_Hands-on/src/Makefile | 2 +- 7-SGX_Hands-on/src/app/employee.c | 136 ++++++++++++++ 7-SGX_Hands-on/src/app/employee.h | 23 +++ 7-SGX_Hands-on/src/app/main.c | 6 +- 7-SGX_Hands-on/src/app/proxy.c | 128 ++++--------- 7-SGX_Hands-on/src/app/proxysetup.c | 270 +++------------------------- 7-SGX_Hands-on/src/app/proxysetup.h | 4 +- 7-SGX_Hands-on/src/app/util.c | 55 +++++- 7-SGX_Hands-on/src/app/util.h | 12 ++ 10 files changed, 304 insertions(+), 345 deletions(-) create mode 100644 7-SGX_Hands-on/README.md create mode 100644 7-SGX_Hands-on/src/app/employee.c create mode 100644 7-SGX_Hands-on/src/app/employee.h diff --git a/7-SGX_Hands-on/README.md b/7-SGX_Hands-on/README.md new file mode 100644 index 0000000..7e2dc08 --- /dev/null +++ b/7-SGX_Hands-on/README.md @@ -0,0 +1,13 @@ +# Usage +## Setup +Initialize the Enclave keypair by executing: +`./signatureproxy proxysetup -pkey > ` + +## Sign +1. Create employee signature using `./signatureproxy employee -firm -ekey > ` + This step can also be done using OpenSSL: `openssl dgst -sha256 -sign -out -in ` +2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey -epub -firm > ` + The enclave verifies the employee signature and signs the firmware if the signature is valid. +3. Verify signature using `cat | ./signatureproxy embedded -firm -ppub ` + This step can also be done using OpenSSL: `openssl dgst -sha256 -verify -signature ` + diff --git a/7-SGX_Hands-on/src/Makefile b/7-SGX_Hands-on/src/Makefile index df2209d..5049582 100644 --- a/7-SGX_Hands-on/src/Makefile +++ b/7-SGX_Hands-on/src/Makefile @@ -74,7 +74,7 @@ else Urts_Library_Name := sgx_urts endif -App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/intermediary.c app/util.c +App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/employee.c app/util.c App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) diff --git a/7-SGX_Hands-on/src/app/employee.c b/7-SGX_Hands-on/src/app/employee.c new file mode 100644 index 0000000..4a770df --- /dev/null +++ b/7-SGX_Hands-on/src/app/employee.c @@ -0,0 +1,136 @@ +#include +#include +#include +#include +#include +#include + +#include "employee.h" +#include "util.h" + +#include +#include +#include + +#define HASH_BYTES 32 +#define HASH_CHUNK_BYTES 32 +#define KEY_BYTES 32 + +struct EmployeeArgs { + char* key_path; + char* firmware_path; +}; + +char* employee_syntax(void) { + return + "employee mock up implementation of the employee binary\n" + " outputs signature on stdout\n" + " WARNING: output is in binary format, may mess up terminal\n" + " -ekey file path of the PEM encoded private key of the employee\n" + " -firm path of the firmware\n"; +} + +int handle_employee(int argc, char** argv) { + struct EmployeeArgs args = { + NULL, + NULL + }; + FILE* key_file = NULL; + uint8_t* firmware_buf; + size_t firmware_len; + EVP_PKEY* key = NULL; + EVP_MD_CTX *mdctx = NULL; + size_t sig_len; + unsigned char* sig = NULL; + + /* + * Parse Input + */ + + int i = 0; + while(i < argc) { + if(strcmp(argv[i], "-ekey")==0 && argc-i >=2){ + args.key_path = argv[i+1]; + i += 2; + }else if(strcmp(argv[i], "-firm")==0 && argc-i >=2){ + args.firmware_path = argv[i+1]; + i += 2; + }else + syntax_exit(); + } + + if(args.key_path == NULL) + syntax_exit(); + + /* + * Load Signing Key + */ + + key_file = fopen(args.key_path, "rb"); + if(key_file == NULL){ + perror("Error opening key file"); + exit (EXIT_FAILURE); + } + key = PEM_read_PrivateKey(key_file, &key, NULL, NULL); + if(key == NULL) { + fprintf(stderr, "failed to read key\n"); + exit (EXIT_FAILURE); + } + + fclose(key_file); + + /* + * Sign Firmware + */ + + + mdctx = EVP_MD_CTX_new(); + if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, key) != 1) { + fprintf(stderr, "Message digest initialization failed.\n"); + exit (EXIT_FAILURE); + } + + if (load_file(args.firmware_path, &firmware_buf, &firmware_len) != 0) { + fprintf(stderr, "failed to read firmware\n"); + exit (EXIT_FAILURE); + } + + if (EVP_DigestSignUpdate(mdctx, firmware_buf, firmware_len) != 1) { + printf("Message digest update failed.\n"); + exit(EXIT_FAILURE); + } + free(firmware_buf); + + // call with empty sig to get length + if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) != 1) { + printf("Message digest finalization failed.\n"); + exit (EXIT_FAILURE); + } + + // allocate signature buffer + sig = malloc(sizeof(unsigned char) * sig_len); + if(sig == NULL){ + perror("could not initialize digest buffer"); + exit (EXIT_FAILURE); + } + + // load signature into buffer + if (EVP_DigestSignFinal(mdctx, sig, &sig_len) != 1) { + printf("Message digest finalization failed.\n"); + exit (EXIT_FAILURE); + } + + fwrite(sig, sig_len, 1, stdout); + if (ferror(stdout) != 0) { + fprintf(stdout, "failed to write signature to stdout\n"); + exit (EXIT_FAILURE); + } + + fflush(stdout); + + // free all allocated resources + free(sig); + EVP_MD_CTX_free(mdctx); + EVP_PKEY_free(key); + exit (EXIT_SUCCESS); +} diff --git a/7-SGX_Hands-on/src/app/employee.h b/7-SGX_Hands-on/src/app/employee.h new file mode 100644 index 0000000..4717674 --- /dev/null +++ b/7-SGX_Hands-on/src/app/employee.h @@ -0,0 +1,23 @@ +#ifndef _APP_INTERMEDIARY_H_ +#define _APP_INTERMEDIARY_H_ + + +/* + * @brief getter for employee subcommand syntax string + * + * @returns null-terminated syntax string + */ +char* employee_syntax(void); + +/* + * @brief CLI implementation for the "employee" subcommand + * + * @param argc number of arguments with command and subcommand stripped + * @param argv arguments with command and subcommand stripped + * + * @returns 0 on success, else error with output on stderr + */ +int handle_employee(int argc, char** argv); + + +#endif diff --git a/7-SGX_Hands-on/src/app/main.c b/7-SGX_Hands-on/src/app/main.c index a02e06c..cd22445 100644 --- a/7-SGX_Hands-on/src/app/main.c +++ b/7-SGX_Hands-on/src/app/main.c @@ -1,7 +1,7 @@ #include #include -#include "intermediary.h" +#include "employee.h" #include "proxy.h" #include "proxysetup.h" #include "util.h" @@ -16,8 +16,8 @@ int main(int argc, char** argv) { char* command = argv[1]; - if(strcmp(command, "intermediary")==0) - handle_intermediary(argc-2, argv+2); + if(strcmp(command, "employee")==0) + handle_employee(argc-2, argv+2); else if (strcmp(command, "proxy")==0) handle_proxy(argc-2, argv+2); else if (strcmp(command, "proxysetup")==0) diff --git a/7-SGX_Hands-on/src/app/proxy.c b/7-SGX_Hands-on/src/app/proxy.c index 4533622..70974e8 100644 --- a/7-SGX_Hands-on/src/app/proxy.c +++ b/7-SGX_Hands-on/src/app/proxy.c @@ -5,18 +5,13 @@ #include #include -#include -#include -#include -#include #include +#include +#include #include -#include -#include -#include #include "enclave_u.h" #include "proxy.h" @@ -36,10 +31,10 @@ char* proxy_syntax(void) { " expects intermediary signature on stdin\n" " outputs proxied signature on stdout\n" " WARNING: output is binary format, may mess up terminal\n" - " -s file path of the sealed proxy key\n" - " -t file path of the sgx token\n" + " -pkey file path of the sealed proxy key\n" " -epub path of the PEM encoded employee public key\n" - " -firm path of the firmware\n"; + " -firm path of the firmware\n" + " -token (optional) file path of the sgx token\n"; } static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) @@ -208,18 +203,18 @@ cleanup: } static int ECDSA_SIG_to_sgx_signature(ECDSA_SIG* ecdsa_sig, sgx_ec256_signature_t* sgx_signature) { - BIGNUM* r = NULL; - BIGNUM* s = NULL; + const BIGNUM* r = NULL; + const BIGNUM* s = NULL; int ret; r = ECDSA_SIG_get0_r(ecdsa_sig); s = ECDSA_SIG_get0_s(ecdsa_sig); - ret = BN_bn2lebinpad(r, sgx_signature->x, SGX_ECP256_KEY_SIZE); + ret = BN_bn2lebinpad(r, (unsigned char*)sgx_signature->x, SGX_ECP256_KEY_SIZE); if (ret == -1) return (1); - ret = BN_bn2lebinpad(s, sgx_signature->y, SGX_ECP256_KEY_SIZE); + ret = BN_bn2lebinpad(s, (unsigned char*)sgx_signature->y, SGX_ECP256_KEY_SIZE); if (ret == -1) return (2); @@ -286,10 +281,10 @@ int handle_proxy(int argc, char** argv) { NULL, NULL }; - FILE* sealed_file; - FILE* firmware_file; - uint8_t *sealed; - int sealed_size; + uint8_t* sealed; + size_t sealed_len; + uint8_t* firmware; + size_t firmware_len; unsigned char* ecdsa_signature_data; size_t ecdsa_signature_size = 0; uint8_t signature[70]; @@ -303,10 +298,10 @@ int handle_proxy(int argc, char** argv) { int i = 0; while(i < argc) { - if(strcmp(argv[i], "-s")==0 && argc-i >=2){ + if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){ args.sealed_key_file_path = argv[i+1]; i += 2; - }else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ + }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){ args.sgx_token_path = argv[i+1]; i += 2; }else if(strcmp(argv[i], "-epub")==0 && argc-i >=2){ @@ -322,7 +317,6 @@ int handle_proxy(int argc, char** argv) { if(args.sealed_key_file_path == NULL || args.employee_public_key_path == NULL || args.firmware_path == NULL) syntax_exit(); - /* * Read Signature Input */ @@ -330,27 +324,27 @@ int handle_proxy(int argc, char** argv) { ecdsa_signature_data = malloc(1024); if (ecdsa_signature_data == NULL) { perror("failed to allocate signature"); - exit(1); + exit (EXIT_FAILURE); } ecdsa_signature_size = fread(ecdsa_signature_data, 1, 1024, stdin); if (ferror(stdin) != 0) { fprintf(stderr, "failed to read signature from stdin\n"); - exit(1); + exit (EXIT_FAILURE); } ecdsa_signature = ECDSA_SIG_new(); - ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, &ecdsa_signature_data, ecdsa_signature_size); + ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, (const unsigned char**)&ecdsa_signature_data, ecdsa_signature_size); ecdsa_signature_data = NULL; if (ecdsa_signature == NULL) { - fprintf(stderr, "failed to read signature"); - exit(1); + fprintf(stderr, "failed to read signature\n"); + exit (EXIT_FAILURE); } if (ECDSA_SIG_to_sgx_signature(ecdsa_signature, &sgx_signature) != 0) { fprintf(stderr, "failed to transform signature\n"); - exit(1); + exit (EXIT_FAILURE); } ECDSA_SIG_free(ecdsa_signature); ecdsa_signature = NULL; @@ -372,90 +366,42 @@ int handle_proxy(int argc, char** argv) { } key = PEM_read_PUBKEY(key_file, &key, NULL, NULL); if(key == NULL) { - fprintf(stderr, "failed to read employee public key"); - exit(1); + fprintf(stderr, "failed to read employee public key\n"); + exit (EXIT_FAILURE); } fclose(key_file); sgx_ec256_public_t sgx_public; if (EVP_PKEY_to_sgx_public(key, &sgx_public) != 0) { - fprintf(stderr, "failed transform employee public key"); - exit(1); - } - - /* - * Read Sealed Proxy Keypair - */ - - sealed_file = fopen(args.sealed_key_file_path, "rb"); - if(sealed_file == NULL){ - perror("Error opening sealed_key_file file"); - exit(1); - } - - ret = get_sealed_size(get_global_eid(), &sealed_size); - if (ret != SGX_SUCCESS) { - print_error_message(ret); - exit (1); - } - sealed = malloc(sizeof(uint8_t)*sealed_size); - if (sealed == NULL) { - fprintf(stderr, "failed to allocate for sealed key"); - exit(1); - } - - size_t sealed_read = fread(sealed, sealed_size, 1, sealed_file); - if (sealed_read != 1) { - fprintf(stderr, "failed to read sealed private key"); + fprintf(stderr, "failed transform employee public key\n"); exit (EXIT_FAILURE); } - fclose(sealed_file); - - /* - * Read Firmware - */ - int firmware_file_des = open(args.firmware_path, O_RDWR); - if(firmware_file_des == 0){ - perror("Error opening firmware file"); - exit(EXIT_FAILURE); - } - - struct stat stat; - if (fstat(firmware_file_des, &stat) != 0) { - perror("failed to get firmware size"); + //Read Sealed Proxy Keypair + if (load_file(args.sealed_key_file_path, &sealed, &sealed_len)!=0){ + fprintf(stderr, "failed to read sealed key\n"); exit (EXIT_FAILURE); } - firmware_file = fopen(args.firmware_path, "rb"); - if(firmware_file == NULL){ - perror("Error opening firmware file"); - exit(EXIT_FAILURE); - } - - size_t firmware_size = stat.st_size; - uint8_t* firmware_buf = malloc(firmware_size); - if (firmware_buf == NULL) { - perror("failed to allocate firmware buffer"); - exit (EXIT_FAILURE); - } - - if (fread(firmware_buf, firmware_size, 1, firmware_file) != 1 || ferror(firmware_file) != 0) { + // Read Firmware + if (load_file(args.firmware_path, &firmware, &firmware_len)!=0){ fprintf(stderr, "failed to read firmware\n"); exit (EXIT_FAILURE); } - fclose(firmware_file); /* * Use Enclave To Resign the Firmware */ - sign_firmware(get_global_eid(), &ret, firmware_buf, firmware_size, sealed, sealed_size, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature); + sign_firmware(get_global_eid(), &ret, firmware, firmware_len, sealed, sealed_len, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature); if (ret != SGX_SUCCESS) { - print_error_message(ret); + sgx_print_error_message(ret); exit (1); } + free(sealed); + free(firmware); + /* * Output Signature */ @@ -483,9 +429,5 @@ int handle_proxy(int argc, char** argv) { free(ecdsa_signature_data); ECDSA_SIG_free(ecdsa_signature); - free(sealed); - exit(0); + exit (EXIT_SUCCESS); } - - - diff --git a/7-SGX_Hands-on/src/app/proxysetup.c b/7-SGX_Hands-on/src/app/proxysetup.c index e0e94dc..be4709d 100644 --- a/7-SGX_Hands-on/src/app/proxysetup.c +++ b/7-SGX_Hands-on/src/app/proxysetup.c @@ -5,16 +5,14 @@ #include #include -#include -#include -#include -#include #include +#include +#include #include #include "enclave_u.h" -#include "proxy.h" +#include "proxysetup.h" #include "util.h" struct ProxysetupArgs { @@ -24,14 +22,12 @@ struct ProxysetupArgs { char* proxysetup_syntax(void) { return - "proxysetup implementation of the enclave-powered SignatureProxy\n" - " outputs public key on stdout\n" - " -s file path of the sealed proxy key\n" - " -t file path of the sgx token\n"; + "proxysetup implementation of the enclave-powered SignatureProxy\n" + " outputs public key on stdout\n" + " -pkey file path of the sealed proxy key\n" + " -token (optional) file path of the sgx token\n"; } - - static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) { EVP_PKEY *evp_key = NULL; @@ -133,217 +129,16 @@ static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) return evp_key; } -static int EVP_PKEY_to_sgx_public(EVP_PKEY* ecdsa_key, sgx_ec256_public_t* sgx_public) { - EC_GROUP* group = NULL; - EC_POINT *point = NULL; - BIGNUM* pub_x = NULL; - BIGNUM* pub_y = NULL; - size_t ec_key_buf_len = 0; - unsigned char ec_key_buf[1024]; - int ret; - int retval; - - group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); - if (group == NULL) - return 1; - - point = EC_POINT_new(group); - if (point == NULL) - return 2; - - ret = EVP_PKEY_get_octet_string_param(ecdsa_key, OSSL_PKEY_PARAM_PUB_KEY, ec_key_buf, 1024, &ec_key_buf_len); - if (ret != 1) - return 3; - - ret = EC_POINT_oct2point(group, point, ec_key_buf, ec_key_buf_len, NULL); - if (ret != 1){ - retval = 4; - goto cleanup; - } - - pub_x = BN_new(); - pub_y = BN_new(); - - ret = EC_POINT_get_affine_coordinates(group, point, pub_x, pub_y, NULL); - if (ret != 1){ - retval = 5; - goto cleanup; - } - - ret = BN_bn2lebinpad(pub_x, sgx_public->gx, SGX_ECP256_KEY_SIZE); - if (ret == -1){ - retval = 6; - goto cleanup; - } - - ret = BN_bn2lebinpad(pub_y, sgx_public->gy, SGX_ECP256_KEY_SIZE); - if (ret == -1){ - retval = 7; - goto cleanup; - } - -cleanup: - if (pub_x != NULL) - BN_clear_free(pub_x); - if (pub_y != NULL) - BN_clear_free(pub_y); - if (point != NULL) - EC_POINT_clear_free(point); - if (group != NULL) - EC_GROUP_free(group); - - return (retval); -} - -/* -sgx_status_t pfz_ecdsa_verify_hash(const uint8_t *p_data, - const sgx_ec256_public_t *p_public, - const sgx_ec256_signature_t *p_signature, - uint8_t *p_result, - sgx_ecc_state_handle_t ecc_handle) -{ - if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) || - (p_data == NULL) || (p_result == NULL)) { - return SGX_ERROR_INVALID_PARAMETER; - } - - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *public_key = NULL; - BIGNUM *bn_r = NULL; - BIGNUM *bn_s = NULL; - ECDSA_SIG *ecdsa_sig = NULL; - unsigned char *sig_data = NULL; - size_t sig_size = 0; - sgx_status_t retval = SGX_ERROR_UNEXPECTED; - int ret = -1; - - *p_result = SGX_EC_INVALID_SIGNATURE; - - do { - public_key = pfz_get_pub_key_from_coords(p_public, ecc_handle); - if(NULL == public_key) { - break; - } - // converts the x value of the signature, represented as positive integer in little-endian into a BIGNUM - // - bn_r = BN_lebin2bn((unsigned char*)p_signature->x, sizeof(p_signature->x), 0); - if (NULL == bn_r) { - break; - } - - // converts the y value of the signature, represented as positive integer in little-endian into a BIGNUM - // - bn_s = BN_lebin2bn((unsigned char*)p_signature->y, sizeof(p_signature->y), 0); - if (NULL == bn_s) { - break; - } - - - // allocates a new ECDSA_SIG structure (note: this function also allocates the BIGNUMs) and initialize it - // - ecdsa_sig = ECDSA_SIG_new(); - if (NULL == ecdsa_sig) { - retval = SGX_ERROR_OUT_OF_MEMORY; - break; - } - - // setes the r and s values of ecdsa_sig - // calling this function transfers the memory management of the values to the ECDSA_SIG object, - // and therefore the values that have been passed in should not be freed directly after this function has been called - // - if (1 != ECDSA_SIG_set0(ecdsa_sig, bn_r, bn_s)) { - ECDSA_SIG_free(ecdsa_sig); - ecdsa_sig = NULL; - break; - } - sig_size = i2d_ECDSA_SIG(ecdsa_sig, &sig_data); - if (sig_size <= 0) { - break; - } - ctx = EVP_PKEY_CTX_new(public_key, NULL); - if (!ctx) { - break; - } - if (1 != EVP_PKEY_verify_init(ctx)) { - break; - } - if (1 != EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256())) { - break; - } - ret = EVP_PKEY_verify(ctx, sig_data, sig_size, p_data, SGX_SHA256_HASH_SIZE); - if (ret < 0) { - break; - } - - // sets the p_result based on verification result - // - if (ret == 1) - *p_result = SGX_EC_VALID; - - retval = SGX_SUCCESS; - } while(0); - - if (ecdsa_sig) { - ECDSA_SIG_free(ecdsa_sig); - bn_r = NULL; - bn_s = NULL; - } - if (ctx) - EVP_PKEY_CTX_free(ctx); - if (public_key) - EVP_PKEY_free(public_key); - if (bn_r) - BN_clear_free(bn_r); - if (bn_s) - BN_clear_free(bn_s); - - return retval; -} - - -sgx_status_t pfz_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle) -{ - if (p_ecc_handle == NULL) { - return SGX_ERROR_INVALID_PARAMETER; - } - - sgx_status_t retval = SGX_SUCCESS; - - EC_GROUP* ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); - if (NULL == ec_group) { - retval = SGX_ERROR_UNEXPECTED; - } else { - *p_ecc_handle = (void*)ec_group; - } - return retval; -} - -sgx_status_t pfz_ecdsa_verify(const uint8_t *p_data, - uint32_t data_size, - const sgx_ec256_public_t *p_public, - const sgx_ec256_signature_t *p_signature, - uint8_t *p_result, - sgx_ecc_state_handle_t ecc_handle) -{ - if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) || - (p_data == NULL) || (data_size < 1) || (p_result == NULL)) { - return SGX_ERROR_INVALID_PARAMETER; - } - unsigned char digest[SGX_SHA256_HASH_SIZE] = { 0 }; - - SHA256((const unsigned char *)p_data, data_size, (unsigned char *)digest); - return (pfz_ecdsa_verify_hash(digest, p_public, p_signature, p_result, ecc_handle)); -} -*/ - int handle_proxysetup(int argc, char** argv) { struct ProxysetupArgs args = { NULL, NULL }; - FILE* sealed_file; - + int sealed_size; + uint8_t* sealed; + sgx_ec256_public_t sgx_public_key; + EVP_PKEY* public_key; sgx_status_t sgx_ret; /* @@ -352,10 +147,10 @@ int handle_proxysetup(int argc, char** argv) { int i = 0; while(i < argc) { - if(strcmp(argv[i], "-s")==0 && argc-i >=2){ + if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){ args.sealed_key_file_path = argv[i+1]; i += 2; - }else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ + }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){ args.sgx_token_path = argv[i+1]; i += 2; }else @@ -370,7 +165,7 @@ int handle_proxysetup(int argc, char** argv) { */ if (initialize_enclave(args.sgx_token_path) != 0) - exit(1); + exit (EXIT_FAILURE); /* * Setup Sealed Keypair @@ -379,19 +174,18 @@ int handle_proxysetup(int argc, char** argv) { sealed_file = fopen(args.sealed_key_file_path, "wb"); if(sealed_file == NULL){ perror("Error opening sealed_key_file file"); - exit(1); + exit (EXIT_FAILURE); } - int sealed_size; sgx_ret = get_sealed_size(get_global_eid(), &sealed_size); if (sgx_ret != SGX_SUCCESS) { - print_error_message(sgx_ret); - exit (1); + sgx_print_error_message(sgx_ret); + exit (EXIT_FAILURE); } - uint8_t* sealed = malloc(sizeof(uint8_t)*sealed_size); + sealed = malloc(sizeof(uint8_t)*sealed_size); if (sealed == NULL) { fprintf(stderr, "failed to allocate for sealed key"); - exit(1); + exit (EXIT_FAILURE); } /* @@ -400,8 +194,8 @@ int handle_proxysetup(int argc, char** argv) { generate_key_pair(get_global_eid(), &sgx_ret, sealed, sealed_size); if (sgx_ret != SGX_SUCCESS) { - print_error_message(sgx_ret); - exit (1); + sgx_print_error_message(sgx_ret); + exit (EXIT_FAILURE); } /* @@ -410,7 +204,7 @@ int handle_proxysetup(int argc, char** argv) { if (fwrite(sealed, sealed_size, 1, sealed_file) != 1 || ferror(sealed_file) != 0) { fprintf(stderr, "failed to write sealed key"); - exit(1); + exit (EXIT_FAILURE); } fflush(sealed_file); fclose(sealed_file); @@ -419,27 +213,21 @@ int handle_proxysetup(int argc, char** argv) { * Fetch Public Key From Enclave And Print */ - sgx_ec256_public_t sgx_public_key; get_public_key(get_global_eid(), &sgx_ret, sealed, sealed_size, (uint8_t*)&sgx_public_key); if (sgx_ret != SGX_SUCCESS) { - print_error_message(sgx_ret); - exit (1); - } - - EVP_PKEY* public_key = sgx_public_to_EVP_PKEY(&sgx_public_key); - - if (PEM_write_PUBKEY(stdout, public_key, NULL, NULL) != 1) { - fprintf(stderr, "could not write publickey\n"); + sgx_print_error_message(sgx_ret); exit (EXIT_FAILURE); } + public_key = sgx_public_to_EVP_PKEY(&sgx_public_key); + if (PEM_write_PUBKEY(stdout, public_key) != 1) { + fprintf(stderr, "could not write publickey\n"); + exit (EXIT_FAILURE); + } fflush(stdout); EVP_PKEY_free(public_key); free(sealed); - exit(0); + exit (EXIT_SUCCESS); } - - - diff --git a/7-SGX_Hands-on/src/app/proxysetup.h b/7-SGX_Hands-on/src/app/proxysetup.h index e4cf0f3..dfe0cd2 100644 --- a/7-SGX_Hands-on/src/app/proxysetup.h +++ b/7-SGX_Hands-on/src/app/proxysetup.h @@ -1,5 +1,5 @@ -#ifndef _APP_PROXY_H_ -#define _APP_PROXY_H_ +#ifndef _APP_PROXYSETUP_H_ +#define _APP_PROXYSETUP_H_ /* diff --git a/7-SGX_Hands-on/src/app/util.c b/7-SGX_Hands-on/src/app/util.c index 8faf5e1..3a49bf2 100644 --- a/7-SGX_Hands-on/src/app/util.c +++ b/7-SGX_Hands-on/src/app/util.c @@ -1,11 +1,16 @@ #include +#include #include #include +#include +#include +#include + +#include "employee.h" #include "util.h" #include "proxy.h" #include "proxysetup.h" -#include "intermediary.h" static char* BIN_NAME = "SignatureProxy"; @@ -24,8 +29,8 @@ void syntax_exit(void) { "\n" "%s"; - printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax(), proxysetup_syntax()); - exit(1); + printf(syntax, BIN_NAME, employee_syntax(), proxy_syntax(), proxysetup_syntax()); + exit (EXIT_FAILURE); } void set_bin_name(char* bin_name) { @@ -118,7 +123,7 @@ static sgx_errlist_t sgx_errlist[] = { }; /* Check error conditions for loading enclave */ -void print_error_message(sgx_status_t ret) +void sgx_print_error_message(sgx_status_t ret) { size_t idx = 0; size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0]; @@ -161,7 +166,7 @@ int initialize_enclave(char* token_path) { ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL); if (ret != SGX_SUCCESS) { - print_error_message(ret); + sgx_print_error_message(ret); return (1); } @@ -183,3 +188,43 @@ int initialize_enclave(char* token_path) { sgx_enclave_id_t get_global_eid(void){ return global_eid; } + +int load_file(const char* path, uint8_t** data, size_t* data_len) { + FILE* file; + size_t file_size; + uint8_t* buf; + + int file_des = open(path, O_RDWR); + if(file_des == 0) + return (1); + + struct stat stat; + if (fstat(file_des, &stat) != 0){ + close(file_des); + return (2); + } + + close(file_des); + + file_size = stat.st_size; + buf = malloc(file_size); + if (buf == NULL) + return (3); + + file = fopen(path, "rb"); + if(file == NULL){ + free(buf); + return (4); + } + + if (fread(buf, file_size, 1, file) != 1 || ferror(file) != 0) { + free(buf); + fclose(file); + return (5); + } + + fclose(file); + *data = buf; + *data_len = file_size; + return (0); +} diff --git a/7-SGX_Hands-on/src/app/util.h b/7-SGX_Hands-on/src/app/util.h index 05d43e0..9e87278 100644 --- a/7-SGX_Hands-on/src/app/util.h +++ b/7-SGX_Hands-on/src/app/util.h @@ -18,4 +18,16 @@ int initialize_enclave(char* token_path); sgx_enclave_id_t get_global_eid(void); +/* + * @brief loads a file completely into the HEAP + * + * Loads a File into HEAP and returns a dynamically allocated buffer. + * + * @param path path of the file + * @param data allocated buffer output + * @param data_len length of the allocated buffer + * @returns 0 on success, non zero on error + */ +int load_file(const char* path, uint8_t** data, size_t* data_len); + #endif