Merge pull request #220 from skalenetwork/SECURE_ENCLAVE_CHANGES

Secure enclave changes

.gitmodules

@@ -16,3 +16,7 @@
 [submodule "sgx-software-enable"]
 	path = sgx-software-enable
 	url = https://github.com/intel/sgx-software-enable
+[submodule "secure_enclave/secp256k1-sgx"]
+	path = secure_enclave/secp256k1-sgx
+	url = https://github.com/bl4ck5un/secp256k1-sgx
+	branch = master

DKGCrypto.cpp

@@ -197,7 +197,7 @@ vector <vector<string>> getVerificationVectorMult(const std::string& encryptedPo
 
     vector<vector<string>> result(t);
 
-    for (size_t i = 0; i < t; ++i) {
+    for (int i = 0; i < t; ++i) {
         libff::alt_bn128_G2 current_coefficient;
         current_coefficient.X.c0 = libff::alt_bn128_Fq(verificationVector[i][0].c_str());
         current_coefficient.X.c1 = libff::alt_bn128_Fq(verificationVector[i][1].c_str());
@@ -224,7 +224,7 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
     CHECK_STATE(_encryptedPolyHex);
 
     vector<char> hexEncrKey(BUF_LEN, 0);
-    vector<char> errMsg1(BUF_LEN, 0);
+    vector<char> errMsg(BUF_LEN, 0);
     vector <uint8_t> encrDKGPoly(BUF_LEN, 0);
     int errStatus = 0;
     uint64_t encLen = 0;
@@ -238,10 +238,6 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
 
     READ_LOCK(sgxInitMutex);
 
-    status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg1.data(), encrDKGPoly.data(), encLen);
-
-    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());
-
     string result;
 
     for (int i = 0; i < _n; i++) {
@@ -259,26 +255,22 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
         spdlog::debug("pubKeyB is {}", pub_keyB);
 
         sgx_status_t status = SGX_SUCCESS;
-        status = trustedGetEncryptedSecretShare(eid, &errStatus, errMsg1.data(), encryptedSkey.data(), &decLen,
+        status = trustedGetEncryptedSecretShare(eid, &errStatus,
+                                                errMsg.data(),
+                                                encrDKGPoly.data(), encLen,
+                                                encryptedSkey.data(), &decLen,
                                                    currentShare.data(), sShareG2.data(), pubKeyB.data(), _t, _n,
                                                    i + 1);
 
-        HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg1.data());
+        HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());
 
-        spdlog::debug("cur_share is {}", currentShare.data());
 
         result += string(currentShare.data());
 
-        spdlog::debug("dec len is {}", decLen);
         hexEncrKey = carray2Hex(encryptedSkey.data(), decLen);
         string dhKeyName = "DKG_DH_KEY_" + _polyName + "_" + to_string(i) + ":";
 
-        spdlog::debug("hexEncr DH Key: { }", hexEncrKey.data());
-        spdlog::debug("name to write to db is {}", dhKeyName);
-
         string shareG2_name = "shareG2_" + _polyName + "_" + to_string(i) + ":";
-        spdlog::debug("name to write to db is {}", shareG2_name);
-        spdlog::debug("s_shareG2: {}", sShareG2.data());
 
         SGXWalletServer::writeDataToDB(dhKeyName, hexEncrKey.data());
         SGXWalletServer::writeDataToDB(shareG2_name, sShareG2.data());

SGXWalletServer.cpp

@@ -157,6 +157,7 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {
 
     httpServer = make_shared<HttpServer>(BASE_PORT, certPath, keyPath, rootCAPath, _checkCerts,
                                          NUM_THREADS);
+
     server = make_shared<SGXWalletServer>(*httpServer,
                                           JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)
 

VERSION

-1.58.6
+1.58.7
\ No newline at end of file

common.h

@@ -101,7 +101,7 @@ BOOST_THROW_EXCEPTION(runtime_error(__ERR_STRING__)); \
 extern std::shared_timed_mutex sgxInitMutex;
 extern uint64_t initTime;
 
-#if SGX_MODE == SIM
+#ifdef SGX_HW_SIM
 #define ENCLAVE_RESTART_PERIOD_S 5
 #else
 #define ENCLAVE_RESTART_PERIOD_S 60 * 10

secure_enclave/EnclaveCommon.cpp

@@ -82,8 +82,8 @@ string *stringFromFq(libff::alt_bn128_Fq *_fq) {
 
     try {
         _fq->as_bigint().to_mpz(t);
-        char *tmp = mpz_get_str(arr, 10, t);
-        ret = new string(tmp);
+        mpz_get_str(arr, 10, t);
+        ret = new string(arr);
     } catch (exception &e) {
         LOG_ERROR(e.what());
         goto clean;
@@ -107,13 +107,13 @@ string *stringFromG1(libff::alt_bn128_G1 *_g1) {
     try {
         _g1->to_affine_coordinates();
 
-        auto sX = stringFromFq(&_g1->X);
+        sX = stringFromFq(&_g1->X);
 
         if (!sX) {
             goto clean;
         }
 
-        auto sY = stringFromFq(&_g1->Y);
+        sY = stringFromFq(&_g1->Y);
 
         if (!sY) {
             goto clean;
@@ -131,8 +131,8 @@ string *stringFromG1(libff::alt_bn128_G1 *_g1) {
 
     clean:
 
-    SAFE_FREE(sX);
-    SAFE_FREE(sY);
+    SAFE_DELETE(sX);
+    SAFE_DELETE(sY);
 
     return ret;
 
@@ -226,7 +226,7 @@ bool enclave_sign(const char *_keyString, const char *_hashXString, const char *
     }
 
     try {
-        auto key = keyFromString(_keyString);
+        key = keyFromString(_keyString);
 
         if (!key) {
             LOG_ERROR("Null key");
@@ -243,7 +243,7 @@ bool enclave_sign(const char *_keyString, const char *_hashXString, const char *
 
         sign.to_affine_coordinates();
 
-        auto r = stringFromG1(&sign);
+        r = stringFromG1(&sign);
 
         memset(sig, 0, BUF_LEN);
 

secp256k1-sgx @ 5f235e8e

+Subproject commit 5f235e8e9e821cd972c4a57afdfe47a7fe83acd0

secure_enclave/secure_enclave.c

@@ -163,7 +163,7 @@ void trustedEnclaveInit(uint64_t _logLevel) {
     LOG_INFO("SECURITY WARNING: sgxwallet is running in INSECURE DEBUG MODE! NEVER USE IN PRODUCTION!");
 #endif
 
-#if SGX_MODE == SIM
+#ifdef SGX_HW_SIM
     LOG_INFO("SECURITY WARNING: sgxwallet is running in INSECURE SIMULATION MODE! NEVER USE IN PRODUCTION!");
 #endif
 
@@ -847,10 +847,14 @@ void trustedSetEncryptedDkgPoly(int *errStatus, char *errString, uint8_t *encryp
     LOG_INFO("SGX call completed");
 }
 
-void trustedGetEncryptedSecretShare(int *errStatus, char *errString, uint8_t *encrypted_skey, uint64_t *dec_len,
+
+void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
+                                    uint8_t *_encrypted_poly,  uint64_t _enc_len,
+                                    uint8_t *encrypted_skey, uint64_t *dec_len,
                                        char *result_str, char *s_shareG2, char *pub_keyB, uint8_t _t, uint8_t _n,
                                        uint8_t ind) {
 
+
     LOG_INFO(__FUNCTION__);
     INIT_ERROR_STATE
 
@@ -864,6 +868,11 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString, uint8_t *en
 
     LOG_DEBUG(__FUNCTION__);
 
+    trustedSetEncryptedDkgPoly(&status, errString, _encrypted_poly, _enc_len);
+
+    CHECK_STATUS2("trustedSetEncryptedDkgPoly failed with status %d ");
+
+
     SAFE_CHAR_BUF(skey, BUF_LEN);
 
     SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
@@ -1118,8 +1127,6 @@ trustedGetBlsPubKey(int *errStatus, char *errString, uint8_t *encryptedPrivateKe
     uint8_t type = 0;
     uint8_t exportable = 0;
 
-
-
     int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, BUF_LEN,
                              &type, &exportable);
 

secure_enclave/secure_enclave.edl

@@ -88,15 +88,15 @@ enclave {
                                 [out, count = 3072] uint8_t* decrypted_dkg_secret
                                 );
 
-        public void trustedSetEncryptedDkgPoly(
-                                [out] int *errStatus,
-                                [out, count = SMALL_BUF_SIZE] char* err_string,
-                                [in, count = 3050] uint8_t* encrypted_poly,
-                                uint64_t enc_len);
+
+
+
 
         public void trustedGetEncryptedSecretShare(
                                 [out]int *errStatus,
                                 [out, count = SMALL_BUF_SIZE] char *err_string,
+                                [in, count = 3050] uint8_t* encrypted_poly,
+                                uint64_t enc_len,
                                 [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_skey,
                                 [out] uint64_t* dec_len,
                                 [out, count = 193] char* result_str,

testw.cpp

@@ -370,20 +370,15 @@ TEST_CASE_METHOD(TestFixture, "DKG AES encrypted secret shares test", "[dkg-aes-
     REQUIRE(status == SGX_SUCCESS);
     REQUIRE(errStatus == SGX_SUCCESS);
 
-    uint64_t enc_len = encLen;
-
-    PRINT_SRC_LINE
-    status = trustedSetEncryptedDkgPoly(eid, &errStatus, errMsg.data(), encryptedDKGSecret.data(), enc_len);
-    REQUIRE(status == SGX_SUCCESS);
-    REQUIRE(errStatus == SGX_SUCCESS);
-
     vector <uint8_t> encrPRDHKey(BUF_LEN, 0);
 
     string pub_keyB = SAMPLE_PUBLIC_KEY_B;
 
     vector<char> s_shareG2(BUF_LEN, 0);
     PRINT_SRC_LINE
-    status = trustedGetEncryptedSecretShare(eid, &errStatus, errMsg.data(), encrPRDHKey.data(), &encLen,
+    status = trustedGetEncryptedSecretShare(eid, &errStatus,errMsg.data(),
+                                            encryptedDKGSecret.data(), encLen,
+                                            encrPRDHKey.data(), &encLen,
                                                result.data(),
                                                s_shareG2.data(),
                                                (char *) pub_keyB.data(), 2, 2, 1);
@@ -779,8 +774,8 @@ TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
     status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encrypted_key.data(), encLen, decr_key.data());
 
     REQUIRE(status == 0);
-    REQUIRE(errStatus == 0);
     REQUIRE(key.compare(decr_key.data()) == 0);
+    REQUIRE(errStatus == 0);
 }