Browse Source

Encrypts hardcoded strings in aesgcm (for clientside extension)

dettanym 5 years ago
parent
commit
02c5dc0152
5 changed files with 120 additions and 5 deletions
  1. 11 2
      App/systemLA.cpp
  2. 24 2
      Decryptor/Decryptor.cpp
  3. 1 1
      Decryptor/Decryptor.edl
  4. 79 0
      Decryptor/Openssl_crypto.cpp
  5. 5 0
      Include/Openssl_crypto.h

+ 11 - 2
App/systemLA.cpp

@@ -314,8 +314,8 @@ int decrypt_client_data_wrapper(unsigned char* op_plaintext , uint32_t own_encla
 	// Just so that the ciphertext is returned back to Apache in case decrypt_client_data fails. 
 	for(counter=0;counter<ciphertext_length;counter++)
 		client_data_to_apache[counter]=client_data_from_apache[counter+64];
-
-	Decryptor_decrypt_client_data(own_enclave_id, &sgx_ret_status, client_data_from_apache, ciphertext_length, client_data_from_apache + 64, client_data_to_apache); 
+	uint8_t clen;
+	Decryptor_decrypt_client_data(own_enclave_id, &sgx_ret_status, client_data_from_apache, ciphertext_length, client_data_from_apache + 64, client_data_to_apache, &clen); 
 	if(sgx_ret_status != 0)
 	{
 		printf("decrypt_client_data returned :0x%x\n", sgx_ret_status); fflush(stdout); //return sgx_ret_status; 
@@ -337,6 +337,15 @@ int decrypt_client_data_wrapper(unsigned char* op_plaintext , uint32_t own_encla
         for(counter=ciphertext_length+32;counter<64+ciphertext_length;counter++)
                 printf("0x%02x ", client_data_to_apache[counter]);
 	printf("\n"); fflush(stdout);
+	printf("Ciphertext for the string Miti \n"); 
+        for(counter=ciphertext_length+64;counter<64+ciphertext_length + 4;counter++)
+		printf("%d ", client_data_to_apache[counter]);
+        printf("\n"); fflush(stdout); 
+        printf("Tag for the string Miti \n"); 
+        for(counter=ciphertext_length+64+4;counter<80+ciphertext_length + 4;counter++)
+		printf("%d ", client_data_to_apache[counter]);
+        printf("\n"); fflush(stdout); 
+
 
         protobuf_encrypted_msg.set_msg((void*)  client_data_to_apache, ciphertext_length);// Is this message set tho?
 	if(write_protobuf_msg_to_fd(apache_fd, protobuf_encrypted_msg)!=0)

+ 24 - 2
Decryptor/Decryptor.cpp

@@ -442,7 +442,7 @@ void memcpy_equivalent_copy(uint8_t* dest, uint8_t* src, uint32_t length)
 		*(dest + counter) = *(src + counter); 
 }
 
-uint32_t decrypt_client_data(__attribute__((unused)) unsigned char* ip_client_pub_key, uint32_t ciphertext_length, unsigned char* ip_user_data, unsigned char* op_client_data_to_apache)
+uint32_t decrypt_client_data(__attribute__((unused)) unsigned char* ip_client_pub_key, uint32_t ciphertext_length, unsigned char* ip_user_data, unsigned char* op_client_data_to_apache, uint8_t* clen)
 {
 	int counter;
 	for(counter=0;counter<ciphertext_length;counter++)
@@ -455,12 +455,34 @@ uint32_t decrypt_client_data(__attribute__((unused)) unsigned char* ip_client_pu
 	if(check_ret != 0)
 		return check_ret; 
 
+	// TODO: For debugging only. 
 	for(counter=0;counter<32;counter++)
 	{
 		op_client_data_to_apache[counter+ciphertext_length] = shared_key[counter];
 		op_client_data_to_apache[counter+ciphertext_length + 32] = derived_key[counter];
 	}
-	return 0;
+
+	unsigned char miti[4] = {'M', 'i', 't', 'i'};
+	unsigned char ciphertext1[16];
+	unsigned char tag[16];
+	uint8_t client_iv2[12] = {0,0,0,0, 0,0,0,0, 0,0,0,0};
+
+	int clen1;  
+	int result = aes_gcm(1, derived_key, client_iv2, miti , 4, ciphertext1,  &clen1, tag);
+	*clen = (uint8_t) clen1; 
+	for(counter=0;counter<clen1;counter++)
+	{
+		op_client_data_to_apache[counter+ciphertext_length+64] = ciphertext1[counter];
+	}
+        for(counter=0;counter<16;counter++)
+        {
+                op_client_data_to_apache[counter+ciphertext_length+64+clen1] = tag[counter];
+        }
+
+
+	
+
+	return 0;//result;
 }
 
 static void reverse_byte_array(uint8_t *array, size_t size)

+ 1 - 1
Decryptor/Decryptor.edl

@@ -46,7 +46,7 @@ enclave {
         public uint32_t calculate_sealed_data_size(uint32_t input_size); 
 public uint32_t decrypt_verifiers_message_set_apache_mrsigner([in, size=32] uint8_t* ciphertext, [in, size=16] uint8_t* tag);
 public uint32_t create_and_encrypt_mitigator_header_value([out, size=160] uint8_t* plaintext_sign_data_and_sign, [out, size=160] uint8_t* encrypted_sign_data_and_sign, [out, size=16] uint8_t* tag, [out, size=32] uint8_t* signing_private_key, [out] sgx_ec256_signature_t* sig2);
-public uint32_t decrypt_client_data([in, size=64] unsigned char* client_pub_key, uint32_t ciphertext_length, [in, size=160] unsigned char* user_data, [out, size=160] unsigned char* client_data_to_apache);
+public uint32_t decrypt_client_data([in, size=64] unsigned char* client_pub_key, uint32_t ciphertext_length, [in, size=160] unsigned char* user_data, [out, size=160] unsigned char* client_data_to_apache, [out, size=1] uint8_t* clen);
 //public uint32_t ec_key_gen([out, size=32] unsigned char* pub_key_x, [out, size=32] unsigned char* pub_key_y, [out, size=32] unsigned char* priv_key);
 
 

+ 79 - 0
Decryptor/Openssl_crypto.cpp

@@ -321,5 +321,84 @@ int generate_sha256_hash(const unsigned char *message, size_t message_len, unsig
 	EVP_MD_CTX_destroy(mdctx);
 	return 0; 
 }
+EVP_CIPHER_CTX* ctx; 
 
+// Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption 
+int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag)
+{
+	int len;
+	int ciphertext_len;
+	int reset_return;
+	if(ctx == NULL)
+	{
+		// Create and initialise the context //
+		if(!(ctx = EVP_CIPHER_CTX_new())) { return 0x1; }
+	}
+
+
+	// Initialise the encryption operation. //
+	if(1 != EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv, enc))
+	{
+		reset_return = EVP_CIPHER_CTX_reset(ctx);
+		if(reset_return != 1)
+			return 0xf2;
+		return 0x2;
+	}
+	// Provide the message to be encrypted, and obtain the encrypted output.	 * EVP_EncryptUpdate can be called multiple times if necessary
+	 //
+	if(1 != EVP_CipherUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
+	{
+                reset_return = EVP_CIPHER_CTX_reset(ctx);
+	        if(1 != reset_return)
+			return 0xF3;
+		return 0x3;
+	}
+	ciphertext_len = len;
+
+	if(enc == 0)
+        {
+                if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
+                {
+                       reset_return = EVP_CIPHER_CTX_reset(ctx);
+                       if(1 != reset_return) 
+                                return 0xF5;
+                        return 0x5;
+                }
+        }
+
+
+	// Finalise the encryption. Normally ciphertext bytes may be written at  this stage, but this does not occur in GCM mode
+	 //
+	// TODO: ^^^ Why the heck does it not occur in GCM mode ? 
+	if(1 != EVP_CipherFinal_ex(ctx, ciphertext + len, &len)) 
+	{
+		reset_return = EVP_CIPHER_CTX_reset(ctx);
+                if(1 != reset_return)
+                        return 0xF4;
+                return 0x4;
+	}
+	ciphertext_len += len;
+
+	// Get the tag 
+	if(enc == 1)
+	{
+		if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+		{
+                	reset_return = EVP_CIPHER_CTX_reset(ctx);
+                	if(1 != reset_return) 
+                        	return 0xF5;
+	                return 0x5;
+		}
+	}
+
+	// Clean up //
+	if(1 != EVP_CIPHER_CTX_reset(ctx))
+	{
+		return 0xF0; 
+	}
+
+	*op_ciphertext_len=ciphertext_len; 
+		//EVP_CIPHER_CTX_free(ctx); // TODO: memory leaks here - need to free this for erroneous cases too.
+	return 0;
+}
 

+ 5 - 0
Include/Openssl_crypto.h

@@ -0,0 +1,5 @@
+int ec_key_gen(unsigned char* pub_key_x, unsigned char* pub_key_y, unsigned char* priv_key);
+unsigned long check_key(unsigned char* given_key_x, unsigned char* given_key_y);
+unsigned long compute_shared_ECDHE_key(unsigned char* given_key_x, unsigned char* given_key_y, unsigned char* priv_key, unsigned char* shared_key, unsigned char* derived_key);
+int generate_sha256_hash(const unsigned char *message, size_t message_len, unsigned char *digest);
+int aes_gcm(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, int plaintext_len, unsigned char *ciphertext,  int* op_ciphertext_len, unsigned char* tag);