Merge pull request #395 from skalenetwork/430_firewall_self_analysis

430 firewall self analysis
skalenetwork · Aug 5, 2022 · 6f4b347 · 6f4b347
2 parents 89b700e + 7015258
commit 6f4b347
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -10,6 +10,7 @@ RUN bash -c "make -j$(nproc)"
 RUN ccache -sz
 RUN mkdir -p /usr/src/sdk/sgx_data
 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/
 RUN rm  /opt/intel/sgxsdk/lib64/*_sim.so
 ENTRYPOINT ["/usr/src/sdk/start.sh"]
diff --git a/DockerfileRelease b/DockerfileRelease
@@ -12,6 +12,7 @@ RUN ccache -sz
 RUN cd scripts && ./sign_enclave.bash
 RUN mkdir -p /usr/src/sdk/sgx_data
 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/
 RUN rm /opt/intel/sgxsdk/lib64/*_sim.so
 RUN rm /usr/src/sdk/secure_enclave/secure_enclave*.so

diff --git a/DockerfileSimulation b/DockerfileSimulation
@@ -15,6 +15,7 @@ RUN ./autoconf.bash && \
     mkdir -p /usr/src/sdk/sgx_data
 
 COPY docker/start.sh ./
+COPY docker/check_firewall.py ./
 RUN rm -rf /usr/src/sdk/sgx-sdk-build/
 
 ENTRYPOINT ["/usr/src/sdk/start.sh"]
diff --git a/docker/check_firewall.py b/docker/check_firewall.py
@@ -0,0 +1,44 @@
+#! /usr/bin/python
+
+import requests
+import re
+import torpy
+
+from torpy import TorClient
+
+
+def get_my_external_ip():
+    try:
+        res = requests.get("http://checkip.dyndns.org/")
+        myIp = re.compile('(\d{1,3}\.){3}\d{1,3}').search(res.text).group()
+        return myIp
+    except:
+        return ""
+
+print("Analyzing firewall security.")
+print("Determining external IP address")
+
+ip = get_my_external_ip()
+
+if (ip == ""):
+    print("sgxwallet does not have an external IP")
+    print("No firewall problems detected.")
+    exit(0)
+
+print("sgxwallet has the following external IP: " + ip)
+
+try:
+    with TorClient() as tor:
+        # Choose random guard node and create 3-hops circuit
+        print("Connecting to TOR network ...");
+        with tor.create_circuit(1) as circuit:
+            print("Connected to TOR network. Connecting to sgxwallet from a random external IP."
+                  " This may take up to a minute.")
+            # Create tor stream to host
+            with circuit.create_stream((ip, 1027)) as stream:
+                print("SECURITY PROBLEM: Could connect to port 1027 of sgxwallet " + ip + " from a random external IP")
+                print("Firewall is not working properly. Fix the firewall and then start sgx wallet")
+                exit(1)
+except:
+    print("Analysis complete. No firewall problems detected.")
+    exit(0)
diff --git a/docker/start.sh b/docker/start.sh
@@ -46,7 +46,7 @@ echo "Test run requested"
 sleep 5
 ./testw.py
 else
-sleep 3
+/usr/src/sdk/check_firewall.py
 ./sgxwallet $1 $2 $3 $4 $5 $6
 fi