Updated demo application with cleaner output messages, including hex …

…of encrypted messages. Added --ignore-valid flag to trusted client to speed up testing.
keystone-enclave · Jan 10, 2019 · ef0960e · ef0960e
1 parent cb4ab4f
commit ef0960e
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 30 deletions.
diff --git a/enclave-host.cpp b/enclave-host.cpp
@@ -1,5 +1,3 @@
-#include <stdio.h>
-#include <string.h>
 #include <iostream>
 #include <fstream>
 #include <sys/types.h>
@@ -8,10 +6,17 @@
 #include <netdb.h> 
 #include <unistd.h>
 #include <cstdio>
+#include <sstream>
+#include <iostream>
+#include <iomanip>
+#include <string>
+#include <cstring>
 #include "keystone.h"
 #include "edge_wrapper.h"
 #include "encl_message.h"
 
+#define PRINT_MESSAGE_BUFFERS 1
+
 /* We hardcode these for demo purposes. */
 const char* enc_path = "server_eapp.eapp_riscv";
 const char* runtime_path = "eyrie-rt";
@@ -35,6 +40,17 @@ byte* recv_buffer(size_t* len){
   return reply;
 }
 
+void print_hex_data(unsigned char* data, size_t len){
+  unsigned int i;
+  std::string str;
+  for(i=0; i<len; i+=1){
+    std::stringstream ss;
+    ss << std::setfill('0') << std::setw(2) << std::hex << (uintptr_t)data[i];
+    str += ss.str();
+  }
+  printf("%s\n",str.c_str());
+}
+
 unsigned long print_buffer(char* str){
   printf("[SE] %s",str);
   return strlen(str);
@@ -46,7 +62,10 @@ void print_value(unsigned long val){
 }
 
 void send_reply(void* data, size_t len){
-  printf("[EH] Sending encrypted reply\n");
+  printf("[EH] Sending encrypted reply:\n");
+
+  if( PRINT_MESSAGE_BUFFERS ) print_hex_data((unsigned char*)data, len);
+
   send_buffer((byte*)data, len);
 }
 
@@ -61,7 +80,8 @@ encl_message_t wait_for_message(){
 
   void* buffer = recv_buffer(&len);
 
-  printf("[EH] Got an encrypted message\n");
+  printf("[EH] Got an encrypted message:\n");
+  if( PRINT_MESSAGE_BUFFERS ) print_hex_data((unsigned char*)buffer, len);
 
   /* This happens here */
   encl_message_t message;

diff --git a/include/enclave_expected_hash.h b/include/enclave_expected_hash.h
@@ -1,9 +1,9 @@
 unsigned char enclave_expected_hash[] = {
-  0x04, 0x15, 0x1f, 0x8b, 0x05, 0x8d, 0x16, 0x5f, 0x36, 0xb1, 0x83, 0x41,
-  0x37, 0x9b, 0x82, 0x00, 0xac, 0x67, 0xb2, 0x62, 0x99, 0x0d, 0xf2, 0xf6,
-  0x2d, 0x9c, 0x91, 0x80, 0x66, 0x96, 0x3d, 0x10, 0x7f, 0xbd, 0x5f, 0x82,
-  0xc0, 0xd7, 0x22, 0x74, 0x00, 0x7f, 0x4a, 0x04, 0x79, 0x1c, 0xfa, 0x52,
-  0xd0, 0x8d, 0x7d, 0x22, 0xe5, 0x84, 0x67, 0xf5, 0x03, 0x57, 0x4f, 0x89,
-  0xfd, 0x8b, 0xe9, 0x15
+  0xb0, 0xe2, 0xf7, 0x06, 0xfb, 0xe9, 0x4e, 0xe8, 0x14, 0x19, 0x93, 0x8e,
+  0x60, 0x4a, 0x5e, 0x21, 0x8a, 0x83, 0x09, 0x5e, 0x97, 0x16, 0x08, 0xc0,
+  0x5e, 0xc1, 0x18, 0x89, 0x47, 0x01, 0x89, 0xec, 0x38, 0xcb, 0xe0, 0x9b,
+  0x79, 0x44, 0x71, 0x9b, 0xda, 0xb2, 0x0b, 0x50, 0x12, 0x43, 0x08, 0xd3,
+  0x6f, 0xc0, 0x1b, 0x9b, 0x0b, 0xdd, 0x1d, 0xc0, 0xe9, 0x15, 0xe1, 0x37,
+  0xd2, 0x7f, 0xd1, 0x91
 };
 unsigned int enclave_expected_hash_len = 64;
diff --git a/server_eapp/channel.c b/server_eapp/channel.c
@@ -10,13 +10,13 @@ void channel_init(){
   randombytes_set_implementation(&randombytes_salsa20_implementation);
 
   if(sodium_init() < 0 ){
-    ocall_print_buffer("SE: Sodium init failed, exiting\n");
+    ocall_print_buffer("[C] Sodium init failed, exiting\n");
     EAPP_RETURN(1);
   }
 
   /* Generate our keys */
   if(crypto_kx_keypair(server_pk, server_sk) != 0){
-    ocall_print_buffer("SE: Unable to generate keypair, exiting\n");
+    ocall_print_buffer("[C] Unable to generate keypair, exiting\n");
     EAPP_RETURN(1);
   }
 
@@ -27,7 +27,7 @@ void channel_establish(){
   /* Ask libsodium to generate session keys based on the recv'd pk */
 
   if(crypto_kx_server_session_keys(rx, tx, server_pk, server_sk, client_pk) != 0) {
-    ocall_print_buffer("SE: Unable to generate seesion keys, exiting\n");
+    ocall_print_buffer("[C] Unable to generate seesion keys, exiting\n");
     EAPP_RETURN(1);
   }
 
@@ -41,17 +41,16 @@ int channel_recv(unsigned char* msg_buffer, size_t len, size_t* datalen){
      access */
   size_t clen = len - crypto_secretbox_NONCEBYTES;
   unsigned char* nonceptr = &(msg_buffer[clen]);
-
+  
   if (crypto_secretbox_open_easy(msg_buffer, msg_buffer, clen, nonceptr, rx) != 0){
-    ocall_print_buffer("SE: Invalid message, ignoring\n");
+    ocall_print_buffer("[C] Invalid message, ignoring\n");
     return -1;
   }
-
   size_t ptlen = len - crypto_secretbox_NONCEBYTES - crypto_secretbox_MACBYTES;
 
   size_t unpad_len;
   if( sodium_unpad(&unpad_len, msg_buffer, ptlen, MSG_BLOCKSIZE) != 0){
-    ocall_print_buffer("SE: Invalid message padding, ignoring\n");
+    ocall_print_buffer("[C] Invalid message padding, ignoring\n");
     return -1;
   }
 
@@ -74,15 +73,15 @@ void channel_send(unsigned char* msg, size_t len, unsigned char* buffer){
   memcpy(buffer, msg, len);
 
   if (sodium_pad(&buf_padded_len, buffer, len, MSG_BLOCKSIZE, BLOCK_UP(len)) != 0) {
-    ocall_print_buffer("SE: Unable to pad message, exiting\n");
+    ocall_print_buffer("[C] Unable to pad message, exiting\n");
     EAPP_RETURN(1);
   }
 
   unsigned char* nonceptr = &(buffer[crypto_secretbox_MACBYTES+buf_padded_len]);
   randombytes_buf(nonceptr, crypto_secretbox_NONCEBYTES);
 
   if(crypto_secretbox_easy(buffer, buffer, buf_padded_len, nonceptr, tx) != 0){
-    ocall_print_buffer("SE: Unable to encrypt message, exiting\n");
+    ocall_print_buffer("[C] Unable to encrypt message, exiting\n");
     EAPP_RETURN(1);
   }
 

diff --git a/server_eapp/server_eapp.c b/server_eapp/server_eapp.c
@@ -27,19 +27,18 @@ void handle_messages(){
     size_t wordmsg_len;
 
     if(calc_msg == NULL){
-      ocall_print_buffer("SE: Message too large to store, ignoring\n");
+      ocall_print_buffer("Message too large to store, ignoring\n");
       continue;
     }
 
     copy_from_shared(calc_msg, msg.offset, msg.size);
-
-    if( channel_recv((unsigned char*)calc_msg, msg.size, &wordmsg_len) != 0){
+    if(channel_recv((unsigned char*)calc_msg, msg.size, &wordmsg_len) != 0){
       free(calc_msg);
       continue;
     }
 
     if(calc_msg->msg_type == CALC_MSG_EXIT){
-      ocall_print_buffer("SE: Received exit, exiting\n");
+      ocall_print_buffer("Received exit, exiting\n");
       EAPP_RETURN(0);
     }
 
@@ -51,7 +50,7 @@ void handle_messages(){
     size_t reply_size =channel_get_send_size(sizeof(int));
     unsigned char* reply_buffer = malloc(reply_size);
     if(reply_buffer == NULL){
-      ocall_print_buffer("SE: Reply too large to allocate, no reply sent\n");
+      ocall_print_buffer("Reply too large to allocate, no reply sent\n");
       continue;
     }
 

diff --git a/trusted_client/client.cpp b/trusted_client/client.cpp
@@ -36,11 +36,18 @@ byte* recv_buffer(size_t* len){
 
 int main(int argc, char *argv[])
 {
+  int ignore_valid = 0;
   if(argc < 2) {
     printf("Usage %s hostname\n", argv[0]);
     exit(-1);
   }
 
+  if(argc >= 3){
+    if(strcmp(argv[2],"--ignore-valid") == 0){
+      ignore_valid =1;
+    }
+  }
+
   fd_sock = socket(AF_INET, SOCK_STREAM, 0);
   if(fd_sock < 0){
     printf("No socket\n");
@@ -66,7 +73,7 @@ int main(int argc, char *argv[])
 
   size_t report_size;
   byte* report_buffer = recv_buffer(&report_size);
-  trusted_client_get_report(report_buffer);
+  trusted_client_get_report(report_buffer, ignore_valid);
   free(report_buffer);
 
   /* Send pubkey */

diff --git a/trusted_client/trusted_client.cpp b/trusted_client/trusted_client.cpp
@@ -47,7 +47,7 @@ byte* trusted_client_pubkey(size_t* len){
   return (byte*)client_pk;
 }
 
-void trusted_client_get_report(void* buffer){
+void trusted_client_get_report(void* buffer, int ignore_valid){
 
   Report report;
   report.fromBytes((unsigned char*)buffer);
@@ -57,12 +57,17 @@ void trusted_client_get_report(void* buffer){
   		    sm_expected_hash,
   		    _sanctum_dev_public_key))
   {
-    printf("[TC]Attestation signature and enclave hash are valid\n");
+    printf("[TC] Attestation signature and enclave hash are valid\n");
   }
   else
   {
-    printf("[TC]Attestation report is NOT valid\n");
-    trusted_client_exit();
+    printf("[TC] Attestation report is NOT valid\n");
+    if( ignore_valid ){
+      printf("[TC] Ignore Validation was set, CONTINUING WITH INVALID REPORT\n");
+    }
+    else{
+      trusted_client_exit();
+    }
   }
 
   if(report.getDataSize() !=  crypto_kx_PUBLICKEYBYTES){

diff --git a/trusted_client/trusted_client.h b/trusted_client/trusted_client.h
@@ -17,7 +17,7 @@ typedef unsigned char byte;
 void trusted_client_exit();
 void trusted_client_init();
 byte* trusted_client_pubkey(size_t* len);
-void trusted_client_get_report(void* buffer);
+void trusted_client_get_report(void* buffer, int ignore_valid);
 int trusted_client_read_reply(unsigned char* data, size_t len);
 void send_exit_message();
 void send_wc_message(char* buffer);