Merge branch 'develop' into bug/SKALE-3481-nightly

0cb0dc09 · kladko · c5bf4d54 · 3f490811 · 0cb0dc09 · 0cb0dc09
Unverified Commit 0cb0dc09 authored Nov 17, 2020 by kladko
17 changed files
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
 name: Build, test and push SGX container
-on: [push]
+on:
+  workflow_dispatch:
+  push:
 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-18.04
    env:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
+      - name: Fail, if older Github Actions machine. Click "Re-run jobs"
+        run: cat /proc/cpuinfo | grep avx512
      - name: Login to docker
        run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
      - uses: actions/checkout@v1
@@ -15,7 +19,10 @@ jobs:
      - name: build
        run: python3 scripts/docker_build.py Dockerfile sgxwallet ${GITHUB_SHA}
      - name: deploy docker image
-        if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
+        if: |
+          contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
+          contains(github.ref, 'master') || contains(github.ref, 'stable') ||
+          contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
        run : |
          export BRANCH=${GITHUB_REF##*/}
          echo "Branch $BRANCH"

--- a/.github/workflows/dockerimagebase.yml
+++ b/.github/workflows/dockerimagebase.yml
 name: Build base container
 on:
+  workflow_dispatch:
  push:
    tags:
      - build_base*
@@ -10,6 +11,8 @@ jobs:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
+    - name: Fail, if older Github Actions machine
+      run: cat /proc/cpuinfo | grep avx512
    - name: Login to docker
      run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
    - uses: actions/checkout@v1

--- a/.github/workflows/dockerimagerelease.yml
+++ b/.github/workflows/dockerimagerelease.yml
 name: Build, test and push release SGX container
-on: [push]
+on:
+  workflow_dispatch:
+  push:
 jobs:
  build:
    runs-on: ubuntu-18.04
@@ -7,6 +9,8 @@ jobs:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
+      - name: Fail, if older Github Actions machine. Click "Re-run jobs"
+        run: cat /proc/cpuinfo | grep avx512
      - name: Login to docker
        run: docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD}
      - uses: actions/checkout@v1
@@ -15,7 +19,10 @@ jobs:
      - name: build
        run: python3 scripts/docker_build.py Dockerfile sgxwallet ${GITHUB_SHA}
      - name: deploy docker image
-        if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
+        if: |
+          contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
+          contains(github.ref, 'master') || contains(github.ref, 'stable') ||
+          contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
        run : |
          export BRANCH=${GITHUB_REF##*/}
          echo "Branch $BRANCH"

--- a/.github/workflows/dockerimagesim.yml
+++ b/.github/workflows/dockerimagesim.yml
 name: Build, test and push sim mode container
-on: [push]
+on:
+  workflow_dispatch:
+  push:
 jobs:
  build:
    runs-on: ubuntu-18.04
@@ -7,6 +9,8 @@ jobs:
        DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
    steps:
+    - name: Fail, if older Github Actions machine. Click "Re-run jobs"
+      run: cat /proc/cpuinfo | grep avx512
    - name: Check that /dev/urandom exists
      run: ls /dev/urandom
    - name: Login to docker
@@ -15,7 +19,10 @@ jobs:
    - name: submodule update
      run: git submodule update --init --recursive
    - name: build container for release
-      if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
+      if: |
+        contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
+        contains(github.ref, 'master') || contains(github.ref, 'stable') ||
+        contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
      run: |
        export BRANCH=${GITHUB_REF##*/}
        echo "Branch $BRANCH"
@@ -30,7 +37,10 @@ jobs:
    - name: test
      run: python3 scripts/docker_test.py DockerfileSimulation sgxwalletsim
    - name: deploy docker image
-      if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
+      if: |
+            contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
+            contains(github.ref, 'master') || contains(github.ref, 'stable') ||
+            contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
      run : |
        export BRANCH=${GITHUB_REF##*/}
        echo "Branch $BRANCH"

--- a/.gitmodules
+++ b/.gitmodules
@@ -16,3 +16,7 @@
 [submodule "sgx-software-enable"]
 	path = sgx-software-enable
 	url = https://github.com/intel/sgx-software-enable
+[submodule "secure_enclave/secp256k1-sgx"]
+	path = secure_enclave/secp256k1-sgx
+	url = https://github.com/bl4ck5un/secp256k1-sgx
+	branch = master
--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -197,7 +197,7 @@ vector <vector<string>> getVerificationVectorMult(const std::string& encryptedPo

    vector<vector<string>> result(t);

-    for (size_t i = 0; i < t; ++i) {
+    for (int i = 0; i < t; ++i) {
        libff::alt_bn128_G2 current_coefficient;
        current_coefficient.X.c0 = libff::alt_bn128_Fq(verificationVector[i][0].c_str());
        current_coefficient.X.c1 = libff::alt_bn128_Fq(verificationVector[i][1].c_str());
@@ -224,7 +224,7 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
    CHECK_STATE(_encryptedPolyHex);

    vector<char> hexEncrKey(BUF_LEN, 0);
-    vector<char> errMsg1(BUF_LEN, 0);
+    vector<char> errMsg(BUF_LEN, 0);
    vector <uint8_t> encrDKGPoly(BUF_LEN, 0);
    int errStatus = 0;
    uint64_t encLen = 0;
@@ -238,10 +238,6 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve

    READ_LOCK(sgxInitMutex);

-    status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), encLen);
-
-    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());
-
    string result;

    for (int i = 0; i < _n; i++) {
@@ -259,26 +255,22 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
        spdlog::debug("pubKeyB is {}", pub_keyB);

        sgx_status_t status = SGX_SUCCESS;
-        status = trustedGetEncryptedSecretShare(eid, &errStatus, errMsg1.data(), encryptedSkey.data(), &decLen,
+        status = trustedGetEncryptedSecretShare(eid, &errStatus,
+                                                errMsg.data(),
+                                                encrDKGPoly.data(), encLen,
+                                                encryptedSkey.data(), &decLen,
                                                   currentShare.data(), sShareG2.data(), pubKeyB.data(), _t, _n,
                                                   i + 1);

-        HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());
+        HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

-        spdlog::debug("cur_share is {}", currentShare.data());

        result += string(currentShare.data());

-        spdlog::debug("dec len is {}", decLen);
        hexEncrKey = carray2Hex(encryptedSkey.data(), decLen);
        string dhKeyName = "DKG_DH_KEY_" + _polyName + "_" + to_string(i) + ":";

-        spdlog::debug("hexEncr DH Key: { }", hexEncrKey.data());
-        spdlog::debug("name to write to db is {}", dhKeyName);
-
        string shareG2_name = "shareG2_" + _polyName + "_" + to_string(i) + ":";
-        spdlog::debug("name to write to db is {}", shareG2_name);
-        spdlog::debug("s_shareG2: {}", sShareG2.data());

        SGXWalletServer::writeDataToDB(dhKeyName, hexEncrKey.data());
        SGXWalletServer::writeDataToDB(shareG2_name, sShareG2.data());

--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -205,10 +205,16 @@ void gen_SEK() {

 }

-void  reinitEnclave() {
-    // unfortunately process needs to be restarted to reinit enclave
-    // exiting with error code 3 (SGX_OUT_OF_MEMORY), so docker container can restart the
-    // wallet
+
+static std::atomic<int> isSgxWalletExiting(0);
+
+void  safeExit() {
+
+    // this is to make sure exit is only called once if called from multiple threads
+
+    auto previousValue = isSgxWalletExiting.exchange(1);
+
+    if (previousValue != 1)
        exit(3);
 }


--- a/SEKManager.h
+++ b/SEKManager.h
@@ -47,7 +47,8 @@ EXTERNC void initSEK();

 EXTERNC void setSEK();

-EXTERNC void reinitEnclave();
+EXTERNC void safeExit();
+




--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -111,6 +111,14 @@ void SGXWalletServer::printDB() {
    LevelDB::getLevelDb()->visitKeys(&v, 100000000);
 }

+
+#ifdef SGX_HW_SIM
+#define NUM_THREADS 16
+#else
+#define NUM_THREADS 64
+#endif
+
+
 int SGXWalletServer::initHttpsServer(bool _checkCerts) {
    spdlog::info("Entering {}", __FUNCTION__);
    string rootCAPath = string(SGXDATA_FOLDER) + "cert_data/rootCA.pem";
@@ -147,14 +155,9 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {
    }


-    int numThreads = 64;
+    httpServer = make_shared<HttpServer>(BASE_PORT, certPath, keyPath, rootCAPath, _checkCerts,
+                                         NUM_THREADS);

-#if SGX_MODE == SIM
-   numThreads = 16; 
-#endif
-
-
-    httpServer = make_shared<HttpServer>(BASE_PORT, certPath, keyPath, rootCAPath, _checkCerts, numThreads);
    server = make_shared<SGXWalletServer>(*httpServer,
                                          JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)

@@ -169,7 +172,8 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {

 int SGXWalletServer::initHttpServer() { //without ssl
    spdlog::info("Entering {}", __FUNCTION__);
-    httpServer = make_shared<HttpServer>(BASE_PORT + 3);
+    httpServer = make_shared<HttpServer>(BASE_PORT + 3, "", "", "", false,
+                                         NUM_THREADS);
    server = make_shared<SGXWalletServer>(*httpServer,
                                          JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)
    if (!server->StartListening()) {
@@ -580,7 +584,7 @@ Json::Value SGXWalletServer::getBLSPublicKeyShareImpl(const string &_blsKeyName)
    RETURN_SUCCESS(result);
 }

-Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value& publicShares, int t, int n) {
+Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value &publicShares, int t, int n) {
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -607,14 +611,14 @@ Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value& pu
            }
        }

-        vector<string> public_shares(n);
+        vector <string> public_shares(n);
        for (int i = 0; i < n; ++i) {
            public_shares[i] = publicShares[i].asString();
        }

-        vector<string> public_keys = calculateAllBlsPublicKeys(public_shares);
+        vector <string> public_keys = calculateAllBlsPublicKeys(public_shares);

-        if (public_keys.size() != (uint64_t)n) {
+        if (public_keys.size() != (uint64_t) n) {
            throw SGXException(UNKNOWN_ERROR, "");
        }

@@ -762,11 +766,11 @@ Json::Value SGXWalletServer::getBLSPublicKeyShare(const string &blsKeyName) {
    return getBLSPublicKeyShareImpl(blsKeyName);
 }

-Json::Value SGXWalletServer::calculateAllBLSPublicKeys(const Json::Value& publicShares, int t, int n) {
+Json::Value SGXWalletServer::calculateAllBLSPublicKeys(const Json::Value &publicShares, int t, int n) {
    return calculateAllBLSPublicKeysImpl(publicShares, t, n);
 }

-Json::Value SGXWalletServer::importECDSAKey(const std::string& keyShare, const std::string& keyShareName) {
+Json::Value SGXWalletServer::importECDSAKey(const std::string &keyShare, const std::string &keyShareName) {
    return importECDSAKeyImpl(keyShare, keyShareName);
 }

@@ -787,7 +791,8 @@ SGXWalletServer::importBLSKeyShare(const string &_keyShare, const string &_keySh
    return importBLSKeyShareImpl(_keyShare, _keyShareName);
 }

-Json::Value SGXWalletServer::blsSignMessageHash(const string &_keyShareName, const string &_messageHash, int _t, int _n) {
+Json::Value
+SGXWalletServer::blsSignMessageHash(const string &_keyShareName, const string &_messageHash, int _t, int _n) {
    return blsSignMessageHashImpl(_keyShareName, _messageHash, _t, _n);
 }


--- a/VERSION
+++ b/VERSION
-1.58.6
\ No newline at end of file
+1.58.7
\ No newline at end of file
--- a/common.h
+++ b/common.h
@@ -101,7 +101,7 @@ BOOST_THROW_EXCEPTION(runtime_error(__ERR_STRING__)); \
 extern std::shared_timed_mutex sgxInitMutex;
 extern uint64_t initTime;

-#if SGX_MODE == SIM
+#ifdef SGX_HW_SIM
 #define ENCLAVE_RESTART_PERIOD_S 5
 #else
 #define ENCLAVE_RESTART_PERIOD_S 60 * 10

--- a/secure_enclave/EnclaveCommon.cpp
+++ b/secure_enclave/EnclaveCommon.cpp
@@ -82,8 +82,8 @@ string *stringFromFq(libff::alt_bn128_Fq *_fq) {

    try {
        _fq->as_bigint().to_mpz(t);
-        char *tmp = mpz_get_str(arr, 10, t);
-        ret = new string(tmp);
+        mpz_get_str(arr, 10, t);
+        ret = new string(arr);
    } catch (exception &e) {
        LOG_ERROR(e.what());
        goto clean;
@@ -107,13 +107,13 @@ string *stringFromG1(libff::alt_bn128_G1 *_g1) {
    try {
        _g1->to_affine_coordinates();

-        auto sX = stringFromFq(&_g1->X);
+        sX = stringFromFq(&_g1->X);

        if (!sX) {
            goto clean;
        }

-        auto sY = stringFromFq(&_g1->Y);
+        sY = stringFromFq(&_g1->Y);

        if (!sY) {
            goto clean;
@@ -131,8 +131,8 @@ string *stringFromG1(libff::alt_bn128_G1 *_g1) {

    clean:

-    SAFE_FREE(sX);
-    SAFE_FREE(sY);
+    SAFE_DELETE(sX);
+    SAFE_DELETE(sY);

    return ret;

@@ -226,7 +226,7 @@ bool enclave_sign(const char *_keyString, const char *_hashXString, const char *
    }

    try {
-        auto key = keyFromString(_keyString);
+        key = keyFromString(_keyString);

        if (!key) {
            LOG_ERROR("Null key");
@@ -243,7 +243,7 @@ bool enclave_sign(const char *_keyString, const char *_hashXString, const char *

        sign.to_affine_coordinates();

-        auto r = stringFromG1(&sign);
+        r = stringFromG1(&sign);

        memset(sig, 0, BUF_LEN);


--- a/secp256k1-sgx @ 5f235e8e
+++ b/secp256k1-sgx @ 5f235e8e
+Subproject commit 5f235e8e9e821cd972c4a57afdfe47a7fe83acd0
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -163,7 +163,7 @@ void trustedEnclaveInit(uint64_t _logLevel) {
    LOG_INFO("SECURITY WARNING: sgxwallet is running in INSECURE DEBUG MODE! NEVER USE IN PRODUCTION!");
 #endif

-#if SGX_MODE == SIM
+#ifdef SGX_HW_SIM
    LOG_INFO("SECURITY WARNING: sgxwallet is running in INSECURE SIMULATION MODE! NEVER USE IN PRODUCTION!");
 #endif

@@ -847,10 +847,14 @@ void trustedSetEncryptedDkgPoly(int *errStatus, char *errString, uint8_t *encryp
    LOG_INFO("SGX call completed");
 }

-void trustedGetEncryptedSecretShare(int *errStatus, char *errString, uint8_t *encrypted_skey, uint64_t *dec_len,
+
+void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
+                                    uint8_t *_encrypted_poly,  uint64_t _enc_len,
+                                    uint8_t *encrypted_skey, uint64_t *dec_len,
                                       char *result_str, char *s_shareG2, char *pub_keyB, uint8_t _t, uint8_t _n,
                                       uint8_t ind) {

+
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE

@@ -864,6 +868,11 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString, uint8_t *en

    LOG_DEBUG(__FUNCTION__);

+    trustedSetEncryptedDkgPoly(&status, errString, _encrypted_poly, _enc_len);
+
+    CHECK_STATUS2("trustedSetEncryptedDkgPoly failed with status %d ");
+
+
    SAFE_CHAR_BUF(skey, BUF_LEN);

    SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
@@ -1118,8 +1127,6 @@ trustedGetBlsPubKey(int *errStatus, char *errString, uint8_t *encryptedPrivateKe
    uint8_t type = 0;
    uint8_t exportable = 0;

-
-
    int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, BUF_LEN,
                             &type, &exportable);


--- a/secure_enclave/secure_enclave.edl
+++ b/secure_enclave/secure_enclave.edl
@@ -88,15 +88,15 @@ enclave {
                                [out, count = 3072] uint8_t* decrypted_dkg_secret
                                );

-        public void trustedSetEncryptedDkgPoly(
-                                [out] int *errStatus,
-                                [out, count = SMALL_BUF_SIZE] char* err_string,
-                                [in, count = 3050] uint8_t* encrypted_poly,
-                                uint64_t enc_len);
+
+
+

        public void trustedGetEncryptedSecretShare(
                                [out]int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char *err_string,
+                                [in, count = 3050] uint8_t* encrypted_poly,
+                                uint64_t enc_len,
                                [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_skey,
                                [out] uint64_t* dec_len,
                                [out, count = 193] char* result_str,

--- a/sgxwallet_common.h
+++ b/sgxwallet_common.h
@@ -121,8 +121,8 @@ READ_LOCK(sgxInitMutex);
 } \
 if (status != SGX_SUCCESS || errStatus == 3) { \
 spdlog::error(__FUNCTION__);                   \
-spdlog::error("Restarting sgx on status errStatus... {} {}", status, errStatus);                    \
-reinitEnclave(); \
+spdlog::error("Exiting sgx on status errStatus... {} {}", status, errStatus);                    \
+safeExit(); \
 } \
 } while ((status != SGX_SUCCESS || errStatus == 3) && __ATTEMPTS__ < 2);

@@ -133,10 +133,9 @@ reinitEnclave(); \
 if (status != SGX_SUCCESS || *errStatus == 3) { \
 spdlog::error(__FUNCTION__);\
 spdlog::error("Restarting sgx on status errStatus... {} {}", status, *errStatus);                            \
-reinitEnclave(); \
+safeExit(); \
 } \
 } while ((status != SGX_SUCCESS || *errStatus == 3) && __ATTEMPTS__ < 2);


-
 #endif //SGXWALLET_SGXWALLET_COMMON_H
--- a/testw.cpp
+++ b/testw.cpp
@@ -370,20 +370,15 @@ TEST_CASE_METHOD(TestFixture, "DKG AES encrypted secret shares test", "[dkg-aes-
    REQUIRE(status == SGX_SUCCESS);
    REQUIRE(errStatus == SGX_SUCCESS);

-    uint64_t enc_len = encLen;
-
-    PRINT_SRC_LINE
-    status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg.data(), encryptedDKGSecret.data(), enc_len);
-    REQUIRE(status == SGX_SUCCESS);
-    REQUIRE(errStatus == SGX_SUCCESS);
-
    vector <uint8_t> encrPRDHKey(BUF_LEN, 0);

    string pub_keyB = SAMPLE_PUBLIC_KEY_B;

    vector<char> s_shareG2(BUF_LEN, 0);
    PRINT_SRC_LINE
-    status = trustedGetEncryptedSecretShare(eid, &errStatus, errMsg.data(), encrPRDHKey.data(), &encLen,
+    status = trustedGetEncryptedSecretShare(eid, &errStatus,errMsg.data(),
+                                            encryptedDKGSecret.data(), encLen,
+                                            encrPRDHKey.data(), &encLen,
                                               result.data(),
                                               s_shareG2.data(),
                                               (char *) pub_keyB.data(), 2, 2, 1);
@@ -779,8 +774,8 @@ TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encrypted_key.data(), encLen, decr_key.data());

    REQUIRE(status == 0);
-    REQUIRE(errStatus == 0);
    REQUIRE(key.compare(decr_key.data()) == 0);
+    REQUIRE(errStatus == 0);
 }