Merge pull request #395 from skalenetwork/430_firewall_self_analysis

430 firewall self analysis

Merge pull request #395 from skalenetwork/430_firewall_self_analysis
430 firewall self analysis
6f4b347b · Stan Kladko · GitHub · 89b700ef · 7015258b · 6f4b347b
Unverified Commit 6f4b347b authored 2 years ago by Stan Kladko Committed by GitHub 2 years ago
Showing with 48 additions and 1 deletion

Dockerfile Dockerfile +1 -0

DockerfileRelease DockerfileRelease +1 -0

DockerfileSimulation DockerfileSimulation +1 -0

check_firewall.py docker/check_firewall.py +44 -0

start.sh docker/start.sh +1 -1

No files found.
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ RUN bash -c "make -j$(nproc)"
 RUN ccache -sz
 RUN mkdir -p /usr/src/sdk/sgx_data
 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/
 RUN rm  /opt/intel/sgxsdk/lib64/*_sim.so
 ENTRYPOINT ["/usr/src/sdk/start.sh"]
--- a/DockerfileRelease
+++ b/DockerfileRelease
@@ -12,6 +12,7 @@ RUN ccache -sz
 RUN cd scripts && ./sign_enclave.bash
 RUN mkdir -p /usr/src/sdk/sgx_data
 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/
 RUN rm /opt/intel/sgxsdk/lib64/*_sim.so
 RUN rm /usr/src/sdk/secure_enclave/secure_enclave*.so

--- a/DockerfileSimulation
+++ b/DockerfileSimulation
@@ -15,6 +15,7 @@ RUN ./autoconf.bash && \
    mkdir -p /usr/src/sdk/sgx_data

 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/

 ENTRYPOINT ["/usr/src/sdk/start.sh"]
--- a/docker/check_firewall.py
+++ b/docker/check_firewall.py
+#! /usr/bin/python
+
+import requests
+import re
+import torpy
+
+from torpy import TorClient
+
+
+def get_my_external_ip():
+    try:
+        res = requests.get("http://checkip.dyndns.org/")
+        myIp = re.compile('(\d{1,3}\.){3}\d{1,3}').search(res.text).group()
+        return myIp
+    except:
+        return ""
+
+print("Analyzing firewall security.")
+print("Determining external IP address")
+
+ip = get_my_external_ip()
+
+if (ip == ""):
+    print("sgxwallet does not have an external IP")
+    print("No firewall problems detected.")
+    exit(0)
+
+print("sgxwallet has the following external IP: " + ip)
+
+try:
+    with TorClient() as tor:
+        # Choose random guard node and create 3-hops circuit
+        print("Connecting to TOR network ...");
+        with tor.create_circuit(1) as circuit:
+            print("Connected to TOR network. Connecting to sgxwallet from a random external IP."
+                  " This may take up to a minute.")
+            # Create tor stream to host
+            with circuit.create_stream((ip, 1027)) as stream:
+                print("SECURITY PROBLEM: Could connect to port 1027 of sgxwallet " + ip + " from a random external IP")
+                print("Firewall is not working properly. Fix the firewall and then start sgx wallet")
+                exit(1)
+except:
+    print("Analysis complete. No firewall problems detected.")
+    exit(0)
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -46,7 +46,7 @@ echo "Test run requested"
 sleep 5
 ./testw.py
 else
-sleep 3
+/usr/src/sdk/check_firewall.py
 ./sgxwallet $1 $2 $3 $4 $5 $6
 fi