NationalSecurityAgency · bit-bender · Jan 8, 2025 · Jan 8, 2025 · Jan 8, 2025 · Jan 8, 2025
diff --git a/Makefile b/Makefile
@@ -13,6 +13,7 @@ DOC_DIR ?= doc
 LIB_DIR ?= lib
 LOGGER_DIR ?= logger
 UTILS_DIR ?= utils
+KMIP_LIB_DIR ?= /usr/local/lib
 
 # Specify kmyth applications (main) directories/files
 MAIN_SRC_DIR = $(SRC_DIR)/main
@@ -277,8 +278,10 @@ SOFLAGS = -shared#                       compile/link shared library
 SOFLAGS += -fPIC#
 
 # Specify linker flags
-LDFLAGS = -Llib#                         link path for libkmyth-*.so
-LDFLAGS += -Wl,-rpath=lib#               runtime path for libkmyth-*.so
+LDFLAGS = -Llib#                         link path for libkmyth-*.so*
+LDFLAGS += -L$(KMIP_LIB_DIR)#            link path for libkmip*.so*
+LDFLAGS += -Wl,-rpath=lib#               runtime path for libkmyth-*.so*
+LDFLAGS += -Wl,-rpath=$(KMIP_LIB_DIR)#   runtime path for libkmip*.so*
 
 #====================== END: TOOL CONFIGURATION ==============================
 
@@ -301,9 +304,9 @@ libs: clean-backups \
       $(LIB_DIR)/libkmyth-tpm.so
 
 .PHONY: nsl
-nsl:	clean-backups \
-	$(BIN_DIR)/nsl-client \
-	$(BIN_DIR)/nsl-server
+nsl: clean-backups \
+     $(BIN_DIR)/nsl-client \
+     $(BIN_DIR)/nsl-server
 
 .PHONY: utils-lib
 utils-lib: clean-backups $(LIB_DIR)/libkmyth-utils.so

diff --git a/sgx/Makefile b/sgx/Makefile
@@ -34,10 +34,13 @@
 SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= SIM
 SGX_ARCH ?= x64
+
 SGX_SSL_UNTRUSTED_LIB_PATH ?= /opt/intel/sgxssl/lib64/
 SGX_SSL_TRUSTED_LIB_PATH ?= /opt/intel/sgxssl/lib64/
 SGX_SSL_INCLUDE_PATH ?= /opt/intel/sgxssl/include/
 
+KMIP_LIB_PATH ?= /usr/local/lib
+
 TEST_ENCLAVE_HEADER_TRUSTED ?= '"kmyth_sgx_test_enclave_t.h"'
 TEST_ENCLAVE_HEADER_UNTRUSTED ?= '"kmyth_sgx_test_enclave_u.h"'
 
@@ -108,7 +111,7 @@ ifeq ($(SGX_DEBUG), 1)
 else ifeq ($(SGX_PRERELEASE), 1)
 	SGX_COMMON_CFLAGS += -DNDEBUG -DEDEBUG -UDEBUG
 else
-	GX_COMMON_CFLAGS += -DNDEBUG -UEDEBUG -UDEBUG
+	SGX_COMMON_CFLAGS += -DNDEBUG -UEDEBUG -UDEBUG
 endif
 
 SGX_COMMON_CXXFLAGS := $(SGX_COMMON_FLAGS)
@@ -172,13 +175,15 @@ Demo_App_Cpp_Flags += $(SGX_COMMON_CXXFLAGS)
 Common_App_Link_Flags := $(SGX_COMMON_CFLAGS)
 Common_App_Link_Flags += -L$(SGX_LIBRARY_PATH)
 Common_App_Link_Flags += -L$(SGX_SSL_UNTRUSTED_LIB_PATH)
+Common_App_link_Flags += -L$(KMIP_LIB_PATH)
 Common_App_Link_Flags += -l$(Urts_Library_Name)
 Common_App_Link_Flags += -lsgx_usgxssl
 Common_App_Link_Flags += -lpthread
 Common_App_Link_Flags += -lkmyth-utils
 Common_App_Link_Flags += -lkmyth-logger
 Common_App_Link_Flags += -lkmyth-tpm
 Common_App_Link_Flags += -lkmip
+Common_App_Link_Flags += -Wl,-rpath=$(KMIP_LIB_PATH)
 
 ifneq ($(SGX_MODE), HW)
 	Common_App_Link_Flags += -lsgx_uae_service_sim
@@ -398,19 +403,18 @@ ifneq ($(Build_Mode), HW_RELEASE)
 	@echo "==================================================================================================="
 	@echo ""
 	@$(CURDIR)/$(Server_Name) -k demo/data/server_priv.pem \
-	                          -c demo/data/server_cert.pem \
-	                          -C demo/data/ca_cert.pem \
+	                          -l demo/data/server_cert.pem \
+	                          -c demo/data/ca_cert.pem \
 	                          -p 7001 &
 	@sleep 1
-	@$(CURDIR)/$(Proxy_Name) -r demo/data/proxy_priv.pem \
-	                         -c demo/data/proxy_cert.pem \
-	                         -u demo/data/client_cert.pem \
+	@$(CURDIR)/$(Proxy_Name) -k demo/data/proxy_priv.pem \
+	                         -l demo/data/proxy_cert.pem \
+	                         -r demo/data/client_cert.pem \
 	                         -p 7000 \
-	                         -R demo/data/proxy_priv.pem \
-	                         -U demo/data/proxy_cert.pem \
-	                         -C demo/data/ca_cert.pem \
-	                         -I localhost \
-	                         -N demoServer \
+	                         -K demo/data/proxy_priv.pem \
+	                         -L demo/data/proxy_cert.pem \
+	                         -R 127.0.0.1 \
+	                         -c demo/data/ca_cert.pem \
 	                         -P 7001 \
 	                         -m 1 &
 	@sleep 1
@@ -490,7 +494,8 @@ test/enclave/msg_util.o: untrusted/src/util/msg_util.c
 	@$(CC) $(Test_App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-test/enclave/$(Test_Enclave_Name)_u.c: $(SGX_EDGER8R) test/enclave/$(Test_Enclave_Name).edl
+test/enclave/$(Test_Enclave_Name)_u.c: \
+        $(SGX_EDGER8R) test/enclave/$(Test_Enclave_Name).edl
 	@cd test/enclave && $(SGX_EDGER8R) --untrusted $(Test_Enclave_Name).edl \
                                        --search-path $(SGX_SDK)/include \
                                        --search-path . \
@@ -502,20 +507,19 @@ test/enclave/$(Test_Enclave_Name)_u.o: test/enclave/$(Test_Enclave_Name)_u.c
 	@$(CC) $(Test_App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-$(Test_App_Name): $(Test_App_Source_Files) test/enclave/$(Test_Enclave_Name)_u.o \
-                                           test/enclave/ec_key_cert_marshal.o \
-                                           test/enclave/ec_key_cert_unmarshal.o \
-                                           test/enclave/ecdh_util.o \
-                                           test/enclave/retrieve_key_protocol.o \
-                                           test/enclave/msg_util.o \
-                                           test/enclave/protocol_ocall.o \
-                                           test/enclave/memory_ocall.o \
-                                           test/enclave/log_ocall.o
+$(Test_App_Name): $(Test_App_Source_Files) \
+                  test/enclave/$(Test_Enclave_Name)_u.o \
+                  test/enclave/ec_key_cert_marshal.o \
+                  test/enclave/ec_key_cert_unmarshal.o \
+                  test/enclave/ecdh_util.o \
+                  test/enclave/retrieve_key_protocol.o \
+                  test/enclave/msg_util.o \
+                  test/enclave/protocol_ocall.o \
+                  test/enclave/memory_ocall.o \
+                  test/enclave/log_ocall.o
 	@$(CC) $^ -o $@ $(Test_App_C_Flags) $(Test_App_Link_Flags)
 	@echo "LINK =>  $@"
 
-
-
 ######## Demo App Objects ########
 
 demo/enclave/msg_util.o: untrusted/src/util/msg_util.c
@@ -534,7 +538,8 @@ demo/enclave/protocol_ocall.o: untrusted/src/ocall/protocol_ocall.c
 	@$(CC) $(Demo_App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-demo/enclave/$(Demo_Enclave_Name)_u.c: $(SGX_EDGER8R) demo/enclave/$(Demo_Enclave_Name).edl
+demo/enclave/$(Demo_Enclave_Name)_u.c: \
+		$(SGX_EDGER8R) demo/enclave/$(Demo_Enclave_Name).edl
 	@cd demo/enclave && $(SGX_EDGER8R) --untrusted $(Demo_Enclave_Name).edl \
 	                                   --search-path $(SGX_SDK)/include \
 	                                   --search-path . \
@@ -546,7 +551,8 @@ demo/enclave/$(Demo_Enclave_Name)_u.o: demo/enclave/$(Demo_Enclave_Name)_u.c
 	@$(CC) $(Demo_App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-demo/enclave/$(DEMO_ENCLAVE_HEADER_UNTRUSTED): demo/enclave/$(Demo_Enclave_Name)_u.c
+demo/enclave/$(DEMO_ENCLAVE_HEADER_UNTRUSTED): \
+		demo/enclave/$(Demo_Enclave_Name)_u.c
 
 demo/obj/%.o: demo/src/app/%.c demo/enclave/$(DEMO_ENCLAVE_HEADER_UNTRUSTED)
 	@$(CC) $(Demo_App_C_Flags) -c $< -o $@
@@ -603,7 +609,8 @@ $(Proxy_Name): demo/obj/tls_proxy.o \
 
 ######## Test Enclave Objects ########
 
-test/enclave/$(Test_Enclave_Name)_t.c: $(SGX_EDGER8R) test/enclave/$(Test_Enclave_Name).edl
+test/enclave/$(Test_Enclave_Name)_t.c: \
+		$(SGX_EDGER8R) test/enclave/$(Test_Enclave_Name).edl
 	@cd test/enclave && $(SGX_EDGER8R) --trusted $(Test_Enclave_Name).edl \
 	                                   --search-path $(SGX_SDK)/include \
 	                                   --search-path . \
@@ -687,15 +694,17 @@ test: test-all
 .PHONY: test-clean
 
 test-clean:
-	@rm -f test/enclave/*_t.h test/enclave/*_u.h test/enclave/*_t.c test/enclave/*_u.c
+	@rm -f test/enclave/*_t.h test/enclave/*_u.h
+	@rm -f test/enclave/*_t.c test/enclave/*_u.c
 	@rm -f test/enclave/*.o test/enclave/*.so
 	@rm -rf test/bin
 	@rm -f $(Enclave_Signing_Key)
 
 
 ######## Demo Enclave Objects ########
 
-demo/enclave/$(Demo_Enclave_Name)_t.c: $(SGX_EDGER8R) demo/enclave/$(Demo_Enclave_Name).edl
+demo/enclave/$(Demo_Enclave_Name)_t.c: \
+		$(SGX_EDGER8R) demo/enclave/$(Demo_Enclave_Name).edl
 	@cd demo/enclave && $(SGX_EDGER8R) --trusted $(Demo_Enclave_Name).edl \
 	                                   --search-path $(SGX_SDK)/include \
 	                                   --search-path . \
@@ -707,11 +716,13 @@ demo/enclave/$(Demo_Enclave_Name)_t.o: demo/enclave/$(Demo_Enclave_Name)_t.c
 	@$(CC) $(Demo_Enclave_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-demo/enclave/kmyth_enclave_memory_util.o: trusted/src/util/kmyth_enclave_memory_util.c 
+demo/enclave/kmyth_enclave_memory_util.o: \
+		trusted/src/util/kmyth_enclave_memory_util.c 
 	@$(CC) $(Demo_Enclave_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-demo/enclave/sgx_retrieve_key_impl.o: trusted/src/wrapper/sgx_retrieve_key_impl.c 
+demo/enclave/sgx_retrieve_key_impl.o: \
+		trusted/src/wrapper/sgx_retrieve_key_impl.c 
 	@$(CC) $(Demo_Enclave_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
@@ -723,7 +734,8 @@ demo/enclave/kmyth_enclave_unseal.o: trusted/src/ecall/kmyth_enclave_unseal.cpp
 	@$(CXX) $(Demo_Enclave_Cpp_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-demo/enclave/kmyth_enclave_retrieve_key.o: trusted/src/ecall/kmyth_enclave_retrieve_key.cpp
+demo/enclave/kmyth_enclave_retrieve_key.o: \
+		trusted/src/ecall/kmyth_enclave_retrieve_key.cpp
 	@$(CXX) $(Demo_Enclave_Cpp_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
@@ -755,7 +767,8 @@ demo/enclave/$(Demo_Enclave_Lib): demo/enclave/$(Demo_Enclave_Name)_t.o \
 	@$(CXX) $^ -o $@ $(Demo_Enclave_Link_Flags)
 	@echo "LINK =>  $@"
 
-demo/enclave/$(Demo_Signed_Enclave_Name): demo/enclave/$(Demo_Enclave_Lib) $(Enclave_Signing_Key)
+demo/enclave/$(Demo_Signed_Enclave_Name): \
+		demo/enclave/$(Demo_Enclave_Lib) $(Enclave_Signing_Key)
 	@$(SGX_ENCLAVE_SIGNER) sign -key $(Enclave_Signing_Key) \
 	                            -enclave demo/enclave/$(Demo_Enclave_Lib) \
 	                            -out $@ \
@@ -776,7 +789,8 @@ demo/data/server_cert.pem: demo/data/gen_test_keys_certs.bash
 .PHONY: demo-clean
 
 demo-clean:
-	@rm -f demo/enclave/*_u.h demo/enclave/*_t.h demo/enclave/*_u.c demo/enclave/*_t.c
+	@rm -f demo/enclave/*_u.h demo/enclave/*_t.h
+	@rm -f demo/enclave/*_u.c demo/enclave/*_t.c
 	@rm -f demo/enclave/*.o demo/enclave/*.so
 	@rm -f demo/data/*.pem
 	@rm -rf demo/obj

diff --git a/sgx/common/src/retrieve_key_protocol.c b/sgx/common/src/retrieve_key_protocol.c
@@ -271,6 +271,7 @@ int parse_client_hello_msg(ECDHMessage * msg_in,
   {
     kmyth_sgx_log(LOG_ERR, "error unmarshaling client identity bytes");
     free(client_id_bytes);
+    X509_NAME_free(client_id);
     free(client_eph_pub_bytes);
     free(msg_sig_bytes);
     return EXIT_FAILURE;
@@ -292,6 +293,24 @@ int parse_client_hello_msg(ECDHMessage * msg_in,
 
   // verify that identity in 'Client Hello' message matches the client
   // certificate pre-loaded into it's peer (TLS proxy for server)
+  char msg[128] = { 0 };
+  char temp_name[64] = { 0 };
+  strncat(msg, "client ID from Client Hello message: ", 63);
+  X509_NAME_get_text_by_NID(client_id,
+                            NID_commonName,
+                            (char *) temp_name,
+                            63);
+  strncat(msg, temp_name, 64);
+  kmyth_sgx_log(LOG_DEBUG, msg);
+  memset(msg, 0, 128);
+  memset(temp_name, 0, 64);
+  strncat(msg, "client ID from pre-loaded certificate: ", 63);
+  X509_NAME_get_text_by_NID(expected_client_id,
+                            NID_commonName,
+                            (char *) temp_name,
+                            63);
+  strncat(msg, temp_name, 64);
+  kmyth_sgx_log(LOG_DEBUG, msg);
   if (0 != X509_NAME_cmp(client_id, expected_client_id))
   {
     kmyth_sgx_log(LOG_ERR, "'Client Hello' - unexpected client identity");
@@ -630,6 +649,24 @@ int parse_server_hello_msg(ECDHMessage * msg_in,
 
   // verify that identity in 'Server Hello' message matches the server
   // certificate pre-loaded into it's peer (enclave client)
+  char msg[128] = { 0 };
+  char temp_name[64] = { 0 };
+  strncat(msg, "server ID from Server Hello message: ", 63);
+  X509_NAME_get_text_by_NID(rcvd_server_id,
+                            NID_commonName,
+                            (char *) temp_name,
+                            63);
+  strncat(msg, temp_name, 64);
+  kmyth_sgx_log(LOG_DEBUG, msg);
+  memset(msg, 0, 128);
+  memset(temp_name, 0, 64);
+  strncat(msg, "server ID from pre-loaded certificate: ", 63);
+  X509_NAME_get_text_by_NID(rcvd_server_id,
+                            NID_commonName,
+                            (char *) temp_name,
+                            63);
+  strncat(msg, temp_name, 64);
+  kmyth_sgx_log(LOG_DEBUG, msg);
   if (0 != X509_NAME_cmp(rcvd_server_id, expected_server_id))
   {
     kmyth_sgx_log(LOG_ERR, "'Server Hello' - unexpected server identity");

diff --git a/sgx/demo/data/openssl.cnf b/sgx/demo/data/openssl.cnf
@@ -44,7 +44,7 @@ CN                      = "TestProxy"
 [ dn_server ]
 C                       = "US"
 O                       = "kmyth"
-CN                      = "TestServer"
+CN                      = "DemoServer"
 
 [ v3_ext_ca ]
 subjectKeyIdentifier    = hash
@@ -68,12 +68,12 @@ basicConstraints        = CA:false
 
 [ alt_names_client ]
 IP.0                    = 127.0.0.1
-DNS.0                   = localhost.enclaveAppClient
+DNS.0                   = localhost
 
 [ alt_names_proxy ]
 IP.0                    = 127.0.0.1
-DNS.0                   = localhost.proxy
+DNS.0                   = localhost
 
 [ alt_names_server ]
 IP.0                    = 127.0.0.1
-DNS.0                   = localhost.demoServer 
+DNS.0                   = localhost 
diff --git a/sgx/demo/include/node/demo_kmip_server.h b/sgx/demo/include/node/demo_kmip_server.h
@@ -51,14 +51,11 @@ typedef struct DemoServer
  * @brief Command-line options for the 'demo server' application
  */
 static const struct option demo_kmip_server_longopts[] = {
-  // TLS connection info
-  {"server-key", required_argument, 0, 'k'},
-  {"server-cert", required_argument, 0, 'c'},
-  {"ca-cert", required_argument, 0, 'C'},
-  // network options
-  {"port", required_argument, 0, 'p'},
-  // Misc
+  {"ca-cert", required_argument, 0, 'c'},
   {"help", no_argument, 0, 'h'},
+  {"local-key", required_argument, 0, 'k'},
+  {"local-cert", required_argument, 0, 'l'},
+  {"port", required_argument, 0, 'p'},
   {0, 0, 0, 0}
 };
 

diff --git a/sgx/demo/include/node/tls_proxy.h b/sgx/demo/include/node/tls_proxy.h
@@ -33,20 +33,17 @@ typedef struct TLSProxy
  * @brief Command-line options for the 'TLS proxy' application
  */
 static const struct option proxy_longopts[] = {
-  // ECDH connection info
-  {"local-port", required_argument, 0, 'p'},
-  {"private", required_argument, 0, 'r'},
-  {"public", required_argument, 0, 'u'},
-  // TLS connection info
-  {"remote-ip", required_argument, 0, 'I'},
-  {"remote-port", required_argument, 0, 'P'},
-  {"ca-path", required_argument, 0, 'C'},
-  {"client-key", required_argument, 0, 'R'},
-  {"client-cert", required_argument, 0, 'U'},
-  // Test options
-  {"maxconn", required_argument, 0, 'm'},
-  // Misc
+  {"ca-cert", required_argument, 0, 'c'},
+  {"ecdh-port", required_argument, 0, 'p'},
+  {"ecdh-local-key", required_argument, 0, 'k'},
+  {"ecdh-local-cert", required_argument, 0, 'l'},
+  {"ecdh-remote-cert", required_argument, 0, 'r'},
   {"help", no_argument, 0, 'h'},
+  {"maxconn", required_argument, 0, 'm'},
+  {"tls-port", required_argument, 0, 'P'},
+  {"tls-local-key", required_argument, 0, 'K'},
+  {"tls-local-cert", required_argument, 0, 'L'},
+  {"tls-remote-addr", required_argument, 0, 'R'},
   {0, 0, 0, 0}
 };