kaist-ina / sgx-tor Goto Github PK

Tor anonymity network for SGX

C++ 1.85% C 79.46% Makefile 3.43% Shell 1.64% M4 0.28% Python 0.18% Batchfile 0.13% Perl 10.19% DIGITAL Command Language 0.82% Assembly 1.54% eC 0.01% HTML 0.03% Scheme 0.01% CMake 0.01% SAS 0.01% CLIPS 0.01% Pascal 0.12% Ada 0.16% C# 0.10% Module Management System 0.01%

sgx-tor's People

Contributors

Stargazers

Watchers

Forkers

jim8y simonzsx supertanglang wangke0809 tianxiang999 awesome-security chanheehan0630 ypjiang2020 bellyfat ajgappmark leonechen yuhala gema-arta

sgx-tor's Issues

PrivateKey is leaked

in Enclave/TorSGX/control.c line 3883:

 tor_asprintf(&buf,
                   "250-ServiceID=%s\r\n"
                   "250-PrivateKey=%s:%s\r\n"
                   "250 OK\r\n",
                   service_id,
                   key_new_alg,
                   key_new_blob); // ====> PrivateKey is leaked

in file Enclave/TorSGX/compat.c line 624:

int
tor_asprintf(char **strp, const char *fmt, ...)
{
  int r;
  va_list args;
  va_start(args, fmt);
  r = tor_vasprintf(strp, fmt, args); //  ====> PrivateKey is flowed into args
  va_end(args);
  if (!*strp || r < 0) {
    log_err(LD_BUG, "Internal error in asprintf");
    tor_assert(0);
  }
  return r;
}

int
tor_vasprintf(char **strp, const char *fmt, va_list args)
{
  /* use a temporary variable in case *strp is in args. */
  char *strp_tmp=NULL;
#ifdef HAVE_VASPRINTF
  /* If the platform gives us one, use it. */
  int r = vasprintf(&strp_tmp, fmt, args);
  if (r < 0)
    *strp = NULL;
  else
    *strp = strp_tmp;
  return r;
#elif defined(HAVE__VSCPRINTF)
  /* On Windows, _vsnprintf won't tell us the length of the string if it
   * overflows, so we need to use _vcsprintf to tell how much to allocate */
  int len, r;
  len = _vscprintf(fmt, args);
  if (len < 0) {
    *strp = NULL;
    return -1;
  }
  strp_tmp = tor_malloc(len + 1);
  r = vsnprintf(strp_tmp, len+1, fmt, args);
  if (r != len) {
    tor_free(strp_tmp);
    *strp = NULL;
    return -1;
  }
  *strp = strp_tmp;
  return len;
#else
  /* Everywhere else, we have a decent vsnprintf that tells us how many
   * characters we need.  We give it a try on a short buffer first, since
   * it might be nice to avoid the second vsnprintf call.
   */
  char buf[128];
  int len, r;
  va_list tmp_args;
  va_copy(tmp_args, args); // =============> private key flowed into tmp_args
  len = vsnprintf(buf, sizeof(buf), fmt, tmp_args); 
  va_end(tmp_args);
  if (len < (int)sizeof(buf)) {
    *strp = tor_strdup(buf);
    return len;
  }
  strp_tmp = tor_malloc(len+1); // strp_tmp points to memory outside enclave
  r = vsnprintf(strp_tmp, len+1, fmt, args);// =============> private key flowed into strp_tmp ， so privateKey is writed out, this is a sensitive information leakage.
  if (r != len) {
    tor_free(strp_tmp);
    *strp = NULL;
    return -1;
  }
  *strp = strp_tmp;
  return len;
#endif
}

still build failed when I turned to sdk version 1.6,need help!!!

when I built libEvent_SGX:

client private key is leaked.

hi,sir
I think there is a securty issue here:
in file Enclave/TorSGX/rendservice.c:

Create private key for client

if (client->client_key) {
      char *client_key_out = NULL;
      if (crypto_pk_write_private_key_to_string(client->client_key,
                                                &client_key_out, &len) != 0) {
        log_warn(LD_BUG, "Internal error: "
                 "crypto_pk_write_private_key_to_string() failed.");
        goto err;
      }
      if (rend_get_service_id(client->client_key, service_id)<0) {
        log_warn(LD_BUG, "Internal error: couldn't encode service ID.");
        /*
         * len is string length, not buffer length, but last byte is NUL
         * anyway.
         */
        memwipe(client_key_out, 0, len);
        tor_free(client_key_out);
        goto err;
      }
      written = tor_snprintf(buf + written, sizeof(buf) - written,
                             "client-key\n%s", client_key_out); // ===========>1. the private is written into buf
      memwipe(client_key_out, 0, len);
      tor_free(client_key_out);
      if (written < 0) {
        log_warn(LD_BUG, "Could not write client entry.");
        goto err;
      }
    }

    if (sgx_fputs(buf, cfile) < 0) { // ===========>2. buf is passed to  function sgx_fputs
      log_warn(LD_FS, "Could not append client entry to file: %s",
               strerror(errno));
      goto err;
    }

in file Enclave/TorSGX/TorSGX.cpp:

int sgx_fputs(const char *str, sgx_file *f)
{
	if(f == NULL || str == NULL) {
		printf("sgx_fputs: Error! sgx_fputs: wrong arguments (NULL)\n");
		return -1;
	}
	int retv = -1;
	long seek = f->seek;
	long content_len = f->content_len;
	long n = strlen(str);
	long mem_size = f->content_len > n + seek ? f->content_len : n + seek;	
	char *new_cont = (char *)sgx_calloc(1, mem_size); // // ===========>3. calloc memory , HOWEVER, the memory new_cont  points to is UNTRUSTED.  
	if (f->content != NULL) {
		int remain = content_len - seek - n;
		remain = remain > 0 ? remain : 0;
		memcpy(new_cont, f->content, seek); 
		memcpy(new_cont+seek, str, n);	//===========>4. client private key is copied to memory outside Enclave.
		memcpy(new_cont+seek+n, f->content, remain);
		f->content_len = seek+n+remain;	
		f->seek = seek+n;
		sgx_free(f->content);
		f->content = new_cont;
	}
	else {
		memcpy(new_cont, str, n);
		f->content_len = n;
		f->seek = n;
		f->content = new_cont;
	}	
	f->mtime = time(NULL);
	retv = n;
	return retv;
}

When the connection fails, the request url is leaked.

When the connection fails, the request url is leaked. This does not satisfy the requirements of an anonymous network

SSL * s_connect(int sock, char * dest_url)
{
	SSL *ssl;
	int server = 0;
	if (g_ctx == NULL) {
		puts("SSL_CTX is NULL!");
		abort();
	}
	ssl = SSL_new(g_ctx);
	SSL_set_fd(ssl, sock);
	if (SSL_connect(ssl) != 1) {
		printf("Error: Could not build a SSL session to: %s.\n", dest_url); // ========>leak
	}
	else {
		//printf("Successfully enabled SSL/TLS session to: %s.\n", dest_url);
	}
	//printf("Finished SSL/TLS connection with server: %s.\n", dest_url);
	return ssl;
}

'bufferevent_openssl.lo' failed

when i ran 'make' after ran './configure', i got this result.

Makefile:899: recipe for target 'bufferevent_openssl.lo' failed
make[2]: *** [bufferevent_openssl.lo] Error 1
make[2]: Leaving directory '/home/sgx/SGX-Tor/Enclave/TrustedLibrary/LibEvent_SGX'
Makefile:963: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/sgx/SGX-Tor/Enclave/TrustedLibrary/LibEvent_SGX'
Makefile:689: recipe for target 'all' failed
make: *** [all] Error 2

what should i do?

Compilation Issue Ubuntu

Hi all!
I am trying to compile your project on an Ubuntu 18.10.

I just cloned the repo and run:

cd (rootdir)/Enclave/TrustedLibrary/LibEvent_SGX
./configure
make

But I get this error:

bufferevent_openssl.c:237:2: note: (near initialization for 'methods_bufferevent')
bufferevent_openssl.c:228:19: error: storage size of 'methods_bufferevent' isn't known
 static BIO_METHOD methods_bufferevent = {

Could you help me, please?