SKALE-3636-sgx-server-anti-dos-protections

3e67868f · kladko · eca53241 · 3e67868f · 3e67868f · 3e67868f
Unverified Commit 3e67868f authored Dec 04, 2020 by kladko
9 changed files
--- a/BLSCrypto.cpp
+++ b/BLSCrypto.cpp
@@ -214,10 +214,10 @@ bool sign_aes(const char *_encryptedKeyHex, const char *_hashHex, size_t _t, siz

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
            status = trustedBlsSignMessage(eid, &errStatus, errMsg.data(), encryptedKey,
                                              sz, xStrArg, yStrArg, signature);
-    RESTART_END
+    SEMAPHORE_END


    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());
@@ -256,10 +256,10 @@ string encryptBLSKeyShare2Hex(int *errStatus, char *err_string, const char *_key

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedEncryptKey(eid, errStatus, errMsg.data(), keyArray->data(), encryptedKey->data(),
                                      &encryptedLen);
-    RESTART_END_POINTER
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, *errStatus, errMsg.data());


--- a/BLSPrivateKeyShareSGX.cpp
+++ b/BLSPrivateKeyShareSGX.cpp
@@ -149,10 +149,10 @@ string BLSPrivateKeyShareSGX::signWithHelperSGXstr(

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedBlsSignMessage(eid, &errStatus, errMsg.data(), encryptedKey,
                                          encryptedKeyHex->size() / 2, xStrArg, yStrArg, signature);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());


--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -137,10 +137,10 @@ string gen_dkg_poly(int _t) {
    sgx_status_t status = SGX_SUCCESS;


-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedGenDkgSecret(
                eid, &errStatus, errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -177,10 +177,10 @@ vector <vector<string>> get_verif_vect(const string& encryptedPolyHex, int t, in
    sgx_status_t status = SGX_SUCCESS;


-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedGetPublicShares(eid, &errStatus, errMsg.data(), encrDKGPoly.data(), encLen,
                                           pubShares.data(), t, n);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -368,10 +368,10 @@ verifyShares(const char *publicShares, const char *encr_sshare, const char *encr

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedDkgVerify(eid, &errStatus, errMsg.data(), pshares, encr_sshare, encr_key, decKeyLen, t,
                                     ind, &result);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -404,10 +404,10 @@ verifySharesV2(const char *publicShares, const char *encr_sshare, const char *en

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedDkgVerifyV2(eid, &errStatus, errMsg.data(), pshares, encr_sshare, encr_key, decKeyLen, t,
                                     ind, &result);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -435,10 +435,10 @@ bool createBLSShare(const string &blsKeyName, const char *s_shares, const char *

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedCreateBlsKey(eid, &errStatus, errMsg.data(), s_shares, encr_key, decKeyLen, encr_bls_key,
                                        &enc_bls_len);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -469,9 +469,9 @@ vector <string> getBLSPubKey(const char *encryptedKeyHex) {

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedGetBlsPubKey(eid, &errStatus, errMsg1.data(), encrKey, decKeyLen, pubKey);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());

@@ -556,9 +556,9 @@ string decryptDHKey(const string &polyName, int ind) {

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedDecryptKey(eid, &errStatus, errMsg1.data(), encryptedDHKey, dhEncLen, DHKey);
-    RESTART_END
+    SEMAPHORE_END
    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data())

    return DHKey;

--- a/ECDSACrypto.cpp
+++ b/ECDSACrypto.cpp
@@ -59,11 +59,11 @@ vector <string> genECDSAKey() {

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedGenerateEcdsaKey(eid, &errStatus,
                                   errMsg.data(), encr_pr_key.data(), &enc_len,
                                   pub_key_x.data(), pub_key_y.data());
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus,errMsg.data());

@@ -101,10 +101,10 @@ string getECDSAPubKey(const std::string& _encryptedKeyHex) {

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedGetPublicEcdsaKey(eid, &errStatus,
                                             errMsg.data(), encrPrKey.data(), enc_len, pubKeyX.data(), pubKeyY.data());
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data())

@@ -190,12 +190,12 @@ vector <string> ecdsaSignHash(const std::string& encryptedKeyHex, const char *ha

    sgx_status_t status = SGX_SUCCESS;

-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedEcdsaSign(eid, &errStatus,
                            errMsg.data(), encryptedKey.data(), decLen, hashHex,
                            signatureR.data(),
                            signatureS.data(), &signatureV, base);
-    RESTART_END
+    SEMAPHORE_END

    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());

@@ -242,10 +242,10 @@ string encryptECDSAKey(const string& _key) {
    uint64_t enc_len = 0;

    sgx_status_t status = SGX_SUCCESS;
-    RESTART_BEGIN
+    SEMAPHORE_BEGIN
        status = trustedEncryptKey(eid, &errStatus, errString.data(), key.data(),
                                   encryptedKey.data(), &enc_len);
-    RESTART_END
+    SEMAPHORE_END

    if (status != 0) {
        throw SGXException(status, string("Could not encrypt ECDSA key: " + string(errString.begin(), errString.end())).c_str());

--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -48,6 +48,7 @@

 #include <unistd.h>

+
 #include "ServerInit.h"

 #include "Log.h"
@@ -55,6 +56,11 @@
 using namespace std;

 std::shared_timed_mutex sgxInitMutex;
+
+// MAX 200 threads can call enclave
+boost::interprocess::interprocess_semaphore enclaveSemaphore(200);
+
+
 uint64_t initTime;

 void setFullOptions(uint64_t _logLevel, int _useHTTPS, int _autoconfirm, int _enterBackupKey) {
@@ -117,7 +123,7 @@ void SGXWalletServer::printDB() {
 #ifdef SGX_HW_SIM
 #define NUM_THREADS 16
 #else
-#define NUM_THREADS 200
+#define NUM_THREADS 1024
 #endif


@@ -241,14 +247,14 @@ recursive_mutex SGXWalletServer::ecdsaRequestsLock;

 void SGXWalletServer::checkForDuplicate(map <string, string> &_map, recursive_mutex &_m,
                                        const string &_key,
-                       const string &_value) {
+                                        const string &_value) {

    LOCK(_m);
    if (_map.count(_key) && _map.at(_key) == _value) {
        usleep(100 * 1000);
        spdlog::warn(string("Received an identical request from the client:") + __FUNCTION__);
    }
-    _map[_key] =  _value;
+    _map[_key] = _value;
 }


@@ -295,9 +301,11 @@ SGXWalletServer::blsSignMessageHashImpl(const string &_keyShareName, const strin

        value = readFromDb(_keyShareName);

+
        if (!bls_sign(value->c_str(), _messageHash.c_str(), t, n, signature.data())) {
            throw SGXException(-1, "Could not sign data ");
        }
+
    } HANDLE_SGX_EXCEPTION(result)



--- a/SGXWalletServer.hpp
+++ b/SGXWalletServer.hpp
@@ -25,6 +25,8 @@
 #define SGXWALLET_SGXWALLETSERVER_HPP


+
+
 #include <jsonrpccpp/server/connectors/httpserver.h>

 #include "abstractstubserver.h"
@@ -35,6 +37,9 @@ using namespace std;
 #define STRINGIFY(x) #x
 #define TOSTRING(x) STRINGIFY(x)

+
+
+
 class SGXWalletServer : public AbstractStubServer {
    static shared_ptr<SGXWalletServer> server;
    static shared_ptr<HttpServer> httpServer;

--- a/VERSION
+++ b/VERSION
-1.59.1
\ No newline at end of file
+1.64.1
\ No newline at end of file
--- a/common.h
+++ b/common.h
@@ -101,16 +101,28 @@ BOOST_THROW_EXCEPTION(runtime_error(__ERR_STRING__)); \
 extern std::shared_timed_mutex sgxInitMutex;
 extern uint64_t initTime;

-#ifdef SGX_HW_SIM
-#define ENCLAVE_RESTART_PERIOD_S 5
-#else
-#define ENCLAVE_RESTART_PERIOD_S 60 * 10
-#endif
-
 #define LOCK(__X__) std::lock_guard<std::recursive_mutex> __LOCK__(__X__);
 #define READ_LOCK(__X__) std::shared_lock<std::shared_timed_mutex> __LOCK__(__X__);
 #define WRITE_LOCK(__X__) std::unique_lock<std::shared_timed_mutex> __LOCK__(__X__);


+#include <boost/interprocess/sync/interprocess_semaphore.hpp>
+
+// max of 200 threads can call enclave at a time
+extern boost::interprocess::interprocess_semaphore enclaveSemaphore;
+
+class semaphore_guard {
+    boost::interprocess::interprocess_semaphore &sem;
+public:
+    semaphore_guard(boost::interprocess::interprocess_semaphore &_semaphore) : sem(_semaphore) {
+        sem.wait();
+    }
+
+    ~semaphore_guard() {
+        sem.post();
+    }
+};
+
+

 #endif //SGXWALLET_COMMON_H
--- a/sgxwallet_common.h
+++ b/sgxwallet_common.h
@@ -110,32 +110,10 @@ extern bool autoconfirm;
 #define TEST_VALUE "1234567890"


-#define RESTART_BEGIN \
-int __ATTEMPTS__ = 0; \
-do {\
-__ATTEMPTS__++; \
-{\
-READ_LOCK(sgxInitMutex);
-
-#define RESTART_END \
-} \
-if (status != SGX_SUCCESS || errStatus == 3) { \
-spdlog::error(__FUNCTION__);                   \
-spdlog::error("Exiting sgx on status errStatus... {} {}", status, errStatus);                    \
-safeExit(); \
-} \
-} while ((status != SGX_SUCCESS || errStatus == 3) && __ATTEMPTS__ < 2);
-
-
-
-#define RESTART_END_POINTER \
-} \
-if (status != SGX_SUCCESS || *errStatus == 3) { \
-spdlog::error(__FUNCTION__);\
-spdlog::error("Restarting sgx on status errStatus... {} {}", status, *errStatus);                            \
-safeExit(); \
-} \
-} while ((status != SGX_SUCCESS || *errStatus == 3) && __ATTEMPTS__ < 2);
+#define SEMAPHORE_BEGIN { semaphore_guard __ENCLAVE__GUARD__(enclaveSemaphore) ;
+
+#define SEMAPHORE_END }
+


 #endif //SGXWALLET_SGXWALLET_COMMON_H