SKALE-3170-Fixed backup restore

SEKManager.cpp

@@ -84,9 +84,7 @@ void create_test_key() {
 }
 
 
-
-
-bool check_SEK(const string &SEK) {
+shared_ptr <vector<uint8_t>> check_and_set_SEK(const string &SEK) {
     shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
     vector <uint8_t> encr_test_key(BUF_LEN, 0);
     uint64_t len;
@@ -99,41 +97,44 @@ bool check_SEK(const string &SEK) {
     vector<char> errMsg(1024, 0);
     int err_status = 0;
 
-    vector <uint8_t> encr_SEK(1024, 0);
+    auto encrypted_SEK = make_shared < vector < uint8_t >> (1024, 0);
 
     uint32_t l = len;
 
-    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &l, SEK.c_str());
+    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encrypted_SEK->data(), &l, SEK.c_str());
+
     if (status != SGX_SUCCESS) {
-        cerr << "RPCException thrown with status " << status << endl;
-        throw SGXException(status, errMsg.data());
+        spdlog::error("trustedSetSEK_backup failed with error code {}", status);
+        exit(-1);
     }
 
     if (err_status != 0) {
-        cerr << "RPCException thrown with status " << err_status << endl;
-        throw SGXException(err_status, errMsg.data());
+        spdlog::error("trustedSetSEK_backup failed with error status {}", status);
+        exit(-1);
     }
 
     status = trustedDecryptKeyAES(eid, &err_status, errMsg.data(), encr_test_key.data(), len, decr_key.data());
     if (status != SGX_SUCCESS || err_status != 0) {
-        spdlog::error("failed to decrypt test key");
+        spdlog::error("Failed to decrypt test key");
         spdlog::error(errMsg.data());
         exit(-1);
     }
 
     string test_key = TEST_VALUE;
     if (test_key.compare(decr_key.data()) != 0) {
-        cerr << "decrypted key is " << decr_key.data() << endl;
         spdlog::error("Invalid SEK");
-        return false;
+        exit(-1);
     }
-    return true;
+
+    encrypted_SEK->resize(l);
+
+    return encrypted_SEK;
 }
 
 void gen_SEK() {
     vector<char> errMsg(1024, 0);
     int err_status = 0;
-    vector <uint8_t> encr_SEK(1024, 0);
+    vector <uint8_t> encrypted_SEK(1024, 0);
     uint32_t enc_len = 0;
 
     char SEK[65];
@@ -141,7 +142,7 @@ void gen_SEK() {
 
     spdlog::error("Generating backup key. Will be stored in backup_key.txt ... ");
 
-    status = trustedGenerateSEK(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK);
+    status = trustedGenerateSEK(eid, &err_status, errMsg.data(), encrypted_SEK.data(), &enc_len, SEK);
 
     if (status != SGX_SUCCESS) {
         throw SGXException(status, errMsg.data());
@@ -157,7 +158,7 @@ void gen_SEK() {
 
     vector<char> hexEncrKey(2 * enc_len + 1, 0);
 
-    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
+    carray2Hex(encrypted_SEK.data(), enc_len, hexEncrKey.data());
 
     ofstream sek_file(BACKUP_PATH);
     sek_file.clear();
@@ -186,20 +187,20 @@ void gen_SEK() {
     create_test_key();
 }
 
-void trustedSetSEK(shared_ptr <string> hex_encr_SEK) {
+void trustedSetSEK(shared_ptr <string> hex_encrypted_SEK) {
     vector<char> errMsg(1024, 0);
     int err_status = 0;
 
-    uint8_t encr_SEK[BUF_LEN];
-    memset(encr_SEK, 0, BUF_LEN);
+    uint8_t encrypted_SEK[BUF_LEN];
+    memset(encrypted_SEK, 0, BUF_LEN);
 
     uint64_t len;
 
-    if (!hex2carray(hex_encr_SEK->c_str(), &len, encr_SEK)) {
+    if (!hex2carray(hex_encrypted_SEK->c_str(), &len, encrypted_SEK)) {
         throw SGXException(INVALID_HEX, "Invalid encrypted SEK Hex");
     }
 
-    status = trustedSetSEK(eid, &err_status, errMsg.data(), encr_SEK);
+    status = trustedSetSEK(eid, &err_status, errMsg.data(), encrypted_SEK);
     if (status != SGX_SUCCESS) {
         cerr << "RPCException thrown" << endl;
         throw SGXException(status, errMsg.data());
@@ -214,10 +215,8 @@ void trustedSetSEK(shared_ptr <string> hex_encr_SEK) {
 #include "experimental/filesystem"
 
 void enter_SEK() {
-    vector<char> errMsg(1024, 0);
-    int err_status = 0;
-    vector <uint8_t> encr_SEK(BUF_LEN, 0);
-    uint32_t enc_len;
+    vector<char> errMsg(BUF_LEN, 0);
+
 
     shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
     if (test_key_ptr == nullptr) {
@@ -238,27 +237,18 @@ void enter_SEK() {
     string sek((istreambuf_iterator<char>(sek_file)),
                istreambuf_iterator<char>());
 
-    while (!checkHex(sek, 16) || !check_SEK(sek)) {
-        spdlog::error("Invalid key");
-        exit(-1);
-    }
-
     spdlog::info("Setting backup key ...");
 
-    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, sek.c_str());
-    if (status != SGX_SUCCESS) {
-        spdlog::error("RPCException thrown with status {}", status);
-        throw SGXException(status, errMsg.data());
-    }
-
-    if (err_status != 0) {
-        spdlog::error("trustedSetSEK_backup returned err_status {}", err_status);
+    while (!checkHex(sek, 16)) {
+        spdlog::error("Invalid hex in key");
         exit(-1);
     }
 
-    vector<char> hexEncrKey(2 * enc_len + 1, 0);
+    auto encrypted_SEK = check_and_set_SEK(sek);
+
+    vector<char> hexEncrKey(BUF_LEN, 0);
 
-    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
+    carray2Hex(encrypted_SEK->data(), encrypted_SEK->size(), hexEncrKey.data());
 
     spdlog::info("Got sealed storage encryption key.");
 
@@ -272,15 +262,15 @@ void enter_SEK() {
 }
 
 void initSEK() {
-    shared_ptr <string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
+    shared_ptr <string> encrypted_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
     if (enterBackupKey) {
         enter_SEK();
     } else {
-        if (encr_SEK_ptr == nullptr) {
+        if (encrypted_SEK_ptr == nullptr) {
             spdlog::warn("SEK was not created yet. Going to create SEK");
             gen_SEK();
         } else {
-            trustedSetSEK(encr_SEK_ptr);
+            trustedSetSEK(encrypted_SEK_ptr);
         }
     }
 }

secure_enclave/Makefile.in

@@ -323,8 +323,7 @@ AM_CFLAGS = @SGX_ENCLAVE_CFLAGS@
 AM_CPPFLAGS = @SGX_ENCLAVE_CPPFLAGS@ -Wall \
 	-Wno-implicit-function-declaration $(TGMP_CPPFLAGS) \
 	-I./third_party/SCIPR -I../third_party/SCIPR \
-	-I../sgx-sdk-build/sgxsdk/include/libcxx \
-	-I../intel-sgx-ssl/Linux/package/include
+	-I../sgx-sdk-build/sgxsdk/include/libcxx
 AM_CXXFLAGS = @SGX_ENCLAVE_CXXFLAGS@ @SGX_ENCLAVE_CFLAGS@ -fno-builtin \
 	-fstack-protector-strong
 AM_LDFLAGS = @SGX_ENCLAVE_LDFLAGS@ $(TGMP_LDFLAGS) -L./tgmp-build/lib \
@@ -344,7 +343,7 @@ secure_enclave_SOURCES = secure_enclave_t.c secure_enclave_t.h \
                 ../third_party/SCIPR/libff/algebra/curves/alt_bn128/alt_bn128_g1.cpp $(ENCLAVE_KEY) $(ENCLAVE_CONFIG)
 
 secure_enclave_LDADD = @SGX_ENCLAVE_LDADD@
-SGX_EXTRA_TLIBS = -lsgx_tgmp -lsgx_tservice  -lsgx_urts -lsgx_tcxx ../intel-sgx-ssl/Linux/package/lib64/libsgx_tsgxssl_crypto.a
+SGX_EXTRA_TLIBS = -lsgx_tgmp -lsgx_tservice  -lsgx_urts -lsgx_tcxx 
 all: all-am
 
 .SUFFIXES:

secure_enclave/secure_enclave.c

@@ -84,7 +84,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
         goto clean;}
 
 #define CHECK_STATUS(__ERRMESSAGE__) if (status != SGX_SUCCESS) { \
-snprintf(errString, BUF_LEN, __ERRMESSAGE__); \
+LOG_ERROR(__FUNCTION__); \
+snprintf(errString, BUF_LEN, "failed with status %d : %s",  status,  __ERRMESSAGE__); \
 LOG_ERROR(errString); \
 *errStatus = status; \
 goto clean; \
@@ -114,12 +115,12 @@ unsigned char *globalRandom;
 
 
 #define CALL_ONCE \
-    static bool called = false;\
+    static volatile bool called = false;\
     if (called)  { \
         LOG_ERROR(__FUNCTION__); \
-        LOG_ERROR("called twice. Aborting!"); \
+        LOG_ERROR("This function shouldnt be called twice. Aborting!"); \
         abort(); \
-    }
+    } else {called = true;};
 
 void trustedEnclaveInit(uint32_t _logLevel) {
     CALL_ONCE
@@ -273,7 +274,7 @@ void sealHexSEK(int *errStatus, char *errString,
 
     SET_SUCCESS
     clean:
-    ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -294,14 +295,14 @@ void trustedGenerateSEK(int *errStatus, char *errString,
 
     sealHexSEK(errStatus, errString, encrypted_sek, enc_len, sek_hex);
 
-    if (errStatus != 0) {
+    if (*errStatus != 0) {
         LOG_ERROR("sealHexSEK failed");
         goto clean;
     }
 
     SET_SUCCESS
     clean:
-    ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -333,7 +334,7 @@ void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_sek) {
 
     SET_SUCCESS
     clean:
-    ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -351,7 +352,7 @@ void trustedSetSEK_backup(int *errStatus, char *errString,
 
     sealHexSEK(errStatus, errString, encrypted_sek, enc_len, (char *)sek_hex);
 
-    if (errStatus != 0) {
+    if (*errStatus != 0) {
         LOG_ERROR("sealHexSEK failed");
         goto clean;
     }
@@ -359,6 +360,7 @@ void trustedSetSEK_backup(int *errStatus, char *errString,
     SET_SUCCESS
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -429,6 +431,7 @@ void trustedGenerateEcdsaKeyAES(int *errStatus, char *errString,
     mpz_clear(seed);
     mpz_clear(skey);
     point_clear(Pkey);
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -495,7 +498,16 @@ void trustedGetPublicEcdsaKeyAES(int *errStatus, char *errString,
     mpz_clear(privateKeyMpz);
     point_clear(pKey);
     point_clear(pKey_test);
-    LOG_DEBUG("SGX call completed");
+
+    static uint64_t counter = 0;
+
+    if (counter % 1000 == 0) {
+        LOG_INFO(__FUNCTION__);
+        LOG_INFO("Thousand SGX calls completed");
+    }
+
+    counter++;
+
 }
 
 static uint64_t sigCounter = 0;
@@ -579,6 +591,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
     mpz_clear(privateKeyMpz);
     mpz_clear(msgMpz);
     signature_free(sign);
+    LOG_DEBUG(__FUNCTION__ );
     LOG_DEBUG("SGX call completed");
 }
 
@@ -662,6 +675,7 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
     SET_SUCCESS
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -745,6 +759,7 @@ trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_s
     SET_SUCCESS
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -767,6 +782,7 @@ trustedDecryptDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_d
 
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -787,6 +803,7 @@ void trustedSetEncryptedDkgPolyAES(int *errStatus, char *errString, uint8_t *enc
     SET_SUCCESS
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -851,6 +868,7 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
 
     clean:
     ;
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -927,6 +945,7 @@ void trustedDkgVerifyAES(int *errStatus, char *errString, const char *public_sha
     clean:
 
     mpz_clear(s);
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -1028,6 +1047,7 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
     mpz_clear(bls_key);
     mpz_clear(sum);
     mpz_clear(q);
+    LOG_INFO(__FUNCTION__ );
     LOG_INFO("SGX call completed");
 }
 
@@ -1054,7 +1074,12 @@ trustedGetBlsPubKeyAES(int *errStatus, char *errString, uint8_t *encryptedPrivat
     CHECK_STATUS("could not calculate bls public key");
 
     SET_SUCCESS
+    static uint64_t counter = 0;
     clean:
-    ;
-    LOG_DEBUG("SGX call completed");
+    if (counter % 1000 == 0) {
+        LOG_INFO(__FUNCTION__);
+        LOG_INFO("Thousand SGX calls completed");
+    }
+
+    counter++;
 }