Merge branch 'develop' into SECURE_ENCLAVE_CHANGES

47a9b257 · Stan Kladko · GitHub · 28264b8e · 553187f1 · 47a9b257
Unverified Commit 47a9b257 authored Nov 13, 2020 by Stan Kladko Committed by GitHub Nov 13, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 39 deletions

SEKManager.cpp SEKManager.cpp +11 -5

SEKManager.h SEKManager.h +2 -1

SGXWalletServer.cpp SGXWalletServer.cpp +34 -29

sgxwallet_common.h sgxwallet_common.h +3 -4

No files found.
--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -205,11 +205,17 @@ void gen_SEK() {

 }

-void  reinitEnclave() {
-    // unfortunately process needs to be restarted to reinit enclave
-    // exiting with error code 3 (SGX_OUT_OF_MEMORY), so docker container can restart the
-    // wallet
-    exit(3);
+
+static std::atomic<int> isSgxWalletExiting(0);
+
+void  safeExit() {
+
+    // this is to make sure exit is only called once if called from multiple threads
+
+    auto previousValue = isSgxWalletExiting.exchange(1);
+
+    if (previousValue != 1)
+        exit(3);
 }

 void setSEK(shared_ptr <string> hex_encrypted_SEK) {

--- a/SEKManager.h
+++ b/SEKManager.h
@@ -47,7 +47,8 @@ EXTERNC void initSEK();

 EXTERNC void setSEK();

-EXTERNC void reinitEnclave();
+EXTERNC void safeExit();
+




--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -111,6 +111,14 @@ void SGXWalletServer::printDB() {
    LevelDB::getLevelDb()->visitKeys(&v, 100000000);
 }

+
+#ifdef SGX_HW_SIM
+#define NUM_THREADS 16
+#else
+#define NUM_THREADS 64
+#endif
+
+
 int SGXWalletServer::initHttpsServer(bool _checkCerts) {
    spdlog::info("Entering {}", __FUNCTION__);
    string rootCAPath = string(SGXDATA_FOLDER) + "cert_data/rootCA.pem";
@@ -147,14 +155,9 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {
    }


-    int numThreads = 64;
-
-#ifdef SGX_HW_SIM
-   numThreads = 16; 
-#endif
-
+    httpServer = make_shared<HttpServer>(BASE_PORT, certPath, keyPath, rootCAPath, _checkCerts,
+                                         NUM_THREADS);

-    httpServer = make_shared<HttpServer>(BASE_PORT, certPath, keyPath, rootCAPath, _checkCerts, numThreads);
    server = make_shared<SGXWalletServer>(*httpServer,
                                          JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)

@@ -169,7 +172,8 @@ int SGXWalletServer::initHttpsServer(bool _checkCerts) {

 int SGXWalletServer::initHttpServer() { //without ssl
    spdlog::info("Entering {}", __FUNCTION__);
-    httpServer = make_shared<HttpServer>(BASE_PORT + 3);
+    httpServer = make_shared<HttpServer>(BASE_PORT + 3, "", "", "", false,
+                                         NUM_THREADS);
    server = make_shared<SGXWalletServer>(*httpServer,
                                          JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)
    if (!server->StartListening()) {
@@ -275,25 +279,25 @@ Json::Value SGXWalletServer::importECDSAKeyImpl(const string &_keyShare,
    result["encryptedKey"] = "";

    try {
-      if (!checkECDSAKeyName(_keyShareName)) {
-          throw SGXException(INVALID_ECDSA_KEY_NAME, "Invalid ECDSA key name");
-      }
+        if (!checkECDSAKeyName(_keyShareName)) {
+            throw SGXException(INVALID_ECDSA_KEY_NAME, "Invalid ECDSA key name");
+        }

-      string hashTmp = _keyShare;
-      if (hashTmp[0] == '0' && (hashTmp[1] == 'x' || hashTmp[1] == 'X')) {
-          hashTmp.erase(hashTmp.begin(), hashTmp.begin() + 2);
-      }
+        string hashTmp = _keyShare;
+        if (hashTmp[0] == '0' && (hashTmp[1] == 'x' || hashTmp[1] == 'X')) {
+            hashTmp.erase(hashTmp.begin(), hashTmp.begin() + 2);
+        }

-      if (!checkHex(hashTmp)) {
-          throw SGXException(INVALID_HEX, "Invalid ECDSA key share, please use hex");
-      }
+        if (!checkHex(hashTmp)) {
+            throw SGXException(INVALID_HEX, "Invalid ECDSA key share, please use hex");
+        }

-      string encryptedKey = encryptECDSAKey(hashTmp);
+        string encryptedKey = encryptECDSAKey(hashTmp);

-      writeDataToDB(_keyShareName, encryptedKey);
+        writeDataToDB(_keyShareName, encryptedKey);

-      result["encryptedKey"] = encryptedKey;
-      result["publicKey"] = getECDSAPubKey(encryptedKey);
+        result["encryptedKey"] = encryptedKey;
+        result["publicKey"] = getECDSAPubKey(encryptedKey);
    } HANDLE_SGX_EXCEPTION(result)

    RETURN_SUCCESS(result);
@@ -580,7 +584,7 @@ Json::Value SGXWalletServer::getBLSPublicKeyShareImpl(const string &_blsKeyName)
    RETURN_SUCCESS(result);
 }

-Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value& publicShares, int t, int n) {
+Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value &publicShares, int t, int n) {
    spdlog::info("Entering {}", __FUNCTION__);
    INIT_RESULT(result)

@@ -607,14 +611,14 @@ Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value& pu
            }
        }

-        vector<string> public_shares(n);
+        vector <string> public_shares(n);
        for (int i = 0; i < n; ++i) {
            public_shares[i] = publicShares[i].asString();
        }

-        vector<string> public_keys = calculateAllBlsPublicKeys(public_shares);
+        vector <string> public_keys = calculateAllBlsPublicKeys(public_shares);

-        if (public_keys.size() != (uint64_t)n) {
+        if (public_keys.size() != (uint64_t) n) {
            throw SGXException(UNKNOWN_ERROR, "");
        }

@@ -762,11 +766,11 @@ Json::Value SGXWalletServer::getBLSPublicKeyShare(const string &blsKeyName) {
    return getBLSPublicKeyShareImpl(blsKeyName);
 }

-Json::Value SGXWalletServer::calculateAllBLSPublicKeys(const Json::Value& publicShares, int t, int n) {
+Json::Value SGXWalletServer::calculateAllBLSPublicKeys(const Json::Value &publicShares, int t, int n) {
    return calculateAllBLSPublicKeysImpl(publicShares, t, n);
 }

-Json::Value SGXWalletServer::importECDSAKey(const std::string& keyShare, const std::string& keyShareName) {
+Json::Value SGXWalletServer::importECDSAKey(const std::string &keyShare, const std::string &keyShareName) {
    return importECDSAKeyImpl(keyShare, keyShareName);
 }

@@ -787,7 +791,8 @@ SGXWalletServer::importBLSKeyShare(const string &_keyShare, const string &_keySh
    return importBLSKeyShareImpl(_keyShare, _keyShareName);
 }

-Json::Value SGXWalletServer::blsSignMessageHash(const string &_keyShareName, const string &_messageHash, int _t, int _n) {
+Json::Value
+SGXWalletServer::blsSignMessageHash(const string &_keyShareName, const string &_messageHash, int _t, int _n) {
    return blsSignMessageHashImpl(_keyShareName, _messageHash, _t, _n);
 }


--- a/sgxwallet_common.h
+++ b/sgxwallet_common.h
@@ -121,8 +121,8 @@ READ_LOCK(sgxInitMutex);
 } \
 if (status != SGX_SUCCESS || errStatus == 3) { \
 spdlog::error(__FUNCTION__);                   \
-spdlog::error("Restarting sgx on status errStatus... {} {}", status, errStatus);                    \
-reinitEnclave(); \
+spdlog::error("Exiting sgx on status errStatus... {} {}", status, errStatus);                    \
+safeExit(); \
 } \
 } while ((status != SGX_SUCCESS || errStatus == 3) && __ATTEMPTS__ < 2);

@@ -133,10 +133,9 @@ reinitEnclave(); \
 if (status != SGX_SUCCESS || *errStatus == 3) { \
 spdlog::error(__FUNCTION__);\
 spdlog::error("Restarting sgx on status errStatus... {} {}", status, *errStatus);                            \
-reinitEnclave(); \
+safeExit(); \
 } \
 } while ((status != SGX_SUCCESS || *errStatus == 3) && __ATTEMPTS__ < 2);


-
 #endif //SGXWALLET_SGXWALLET_COMMON_H