Works with verifier.

App/App.cpp

@@ -197,7 +197,7 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
 
     close(sealed_signing_key_fd);
 
-    int server_fd;
+    int server_fd, accept_fd;
     ret_status = LocalAttestationUntrusted::prepare_local_attestation_as_responder_msg1(e2_enclave_id);
     if(ret_status !=0)
     {
@@ -205,18 +205,18 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       return ret_status;
     }
 
-    server_fd=LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(3824)
+    server_fd=LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(3824);
     if(server_fd <=0)
     {
       printf("Error in setting up server socket."); fflush(stdout);
       sgx_destroy_enclave(e2_enclave_id);
       return server_fd;
     }
-    printf("Successfully set up a socket to communicate with the Apache enclave.\n");
+    printf("Successfully set up a socket to communicate with the verifier enclave.\n");
     fflush(stdout);
 
     // LA with the verifier
-    ret_status = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id, server_fd);
+    ret_status = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id, server_fd, &accept_fd);
     if(ret_status!=0)
     {
       printf("local attestation - with the verifier - did not successfully return: %x\n", ret_status); fflush(stdout);
@@ -224,7 +224,7 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       return 0xFFFFFFFF;
     }
 
-    ret_status = LocalAttestationUntrusted::post_local_attestation_with_verifier(e2_enclave_id, server_fd);
+    ret_status = LocalAttestationUntrusted::post_local_attestation_with_verifier(e2_enclave_id, accept_fd);
     if(ret_status!=0)
     {
       printf("post local attestation - with the verifier - did not successfully return: %x\n", ret_status); fflush(stdout);
@@ -232,7 +232,17 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       return 0xFFFFFF01;
     }
 
-    server_fd = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id,server_fd);
+    server_fd=LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(3824);
+    if(server_fd <=0)
+    {
+      printf("Error in setting up server socket."); fflush(stdout);
+      sgx_destroy_enclave(e2_enclave_id);
+      return server_fd;
+    }
+    printf("Successfully set up a socket to communicate with the Apache enclave.\n");
+    fflush(stdout);
+
+    ret_status = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id,server_fd,&accept_fd);
     if(ret_status<=0)
     {
       printf("local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);
@@ -240,7 +250,7 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       return 0xFFFFFFFF;
     }
 
-    ret_status = LocalAttestationUntrusted::post_local_attestation_with_apache(e2_enclave_id,server_fd);
+    ret_status = LocalAttestationUntrusted::post_local_attestation_with_apache(e2_enclave_id,accept_fd);
     if(ret_status!=0)
     {
       printf("post local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);

App/LocalAttestationUntrusted.cpp

@@ -14,12 +14,14 @@ using namespace google::protobuf::io;
 #include "protobufLAInitiator.h"
 #include "../Decryptor/Decryptor_u.h"
 #include <iostream>
+#include "LocalAttestationUntrusted.h"
 
-class LocalAttestationUntrusted {
-  uint32_t session_id;
-  protobuf_sgx_dh_msg1_t protobuf_msg1;
+  uint32_t LocalAttestationUntrusted::session_id=0;
+  protobuf_sgx_dh_msg1_t LocalAttestationUntrusted::protobuf_msg1;
 
-  int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
+
+
+  int LocalAttestationUntrusted::read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
   {
     ZeroCopyInputStream* raw_input;
     CodedInputStream* coded_input;
@@ -48,7 +50,7 @@ class LocalAttestationUntrusted {
     return 0;
   }
 
-  int write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& message)
+  int LocalAttestationUntrusted::write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& message)
   {
     ZeroCopyOutputStream* raw_output = new FileOutputStream(accept_fd);
     CodedOutputStream* coded_output  = new CodedOutputStream(raw_output);
@@ -68,7 +70,7 @@ class LocalAttestationUntrusted {
   }
 
   // Sets up a socket to bind and listen to the given port. Returns FD of the socket on success, -1 on failure (and prints a msg to stdout with the errno)
-  int set_up_socket_listen(int port,   sockaddr_in* address)
+  int LocalAttestationUntrusted::set_up_socket(int port,   sockaddr_in* address)
   {
     int server_fd = 0;
 
@@ -104,7 +106,7 @@ class LocalAttestationUntrusted {
     return server_fd;
   }
 
-  uint32_t local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd)
+  uint32_t LocalAttestationUntrusted::local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd)
   {
     uint32_t protobuf_sgx_ret;
     protobuf_sgx_dh_msg2_t protobuf_msg2;
@@ -118,7 +120,7 @@ class LocalAttestationUntrusted {
 
     // TODO: Edit function signature in the definition: last argument read_or_write is used to control the flow of the untrusted program:
     // no point in doing this as it is untrusted. Have an attribute in its class for it..
-    protobuf_sgx_ret = process_protobuf_dh_msg2_generate_protobuf_dh_msg3(own_enclave_id, protobuf_msg2, protobuf_msg3, &session_id);
+    protobuf_sgx_ret = process_protobuf_dh_msg2_generate_protobuf_dh_msg3(own_enclave_id, protobuf_msg2, protobuf_msg3, &LocalAttestationUntrusted::session_id);
     if(protobuf_sgx_ret != 0)
     {
         printf("Error in generate_protobuf_dh_msg2: 0x%x", protobuf_sgx_ret); fflush(stdout); return protobuf_sgx_ret;
@@ -129,7 +131,7 @@ class LocalAttestationUntrusted {
     return 0;
   }
 
-  int decrypt_client_data(uint32_t own_enclave_id, int fd)
+  int LocalAttestationUntrusted::decrypt_client_data(uint32_t own_enclave_id, int fd)
   {
     protobuf_post_LA_encrypted_msg_t protobuf_msg;
     unsigned char* protobuf_msg_ptr;
@@ -159,7 +161,7 @@ class LocalAttestationUntrusted {
 
     // We assume that the output is not changed unless it is successful throughout.
     // Return value is not sent back..
-    Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext, &output_ciphertext_plus_tag_length);
+    Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext_plus_tag, &output_ciphertext_plus_tag_length);
     free(input_ciphertext_plus_tag);
       protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
       free(output_ciphertext_plus_tag);
@@ -168,12 +170,12 @@ class LocalAttestationUntrusted {
   	return 0;
   }
 
-  public:
-    int prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id) //, int port)
+ 
+    int LocalAttestationUntrusted::prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id) //, int port)
     {
       uint32_t protobuf_sgx_ret;
       int temp_server_fd=0;
-      protobuf_sgx_ret = generate_protobuf_dh_msg1(own_enclave_id, protobuf_msg1, session_id);
+      protobuf_sgx_ret = generate_protobuf_dh_msg1(own_enclave_id, protobuf_msg1, &LocalAttestationUntrusted::session_id);
       if(protobuf_sgx_ret != 0)
       {
         printf("Error in generate_protobuf_dh_msg1: 0x%x", protobuf_sgx_ret); fflush(stdout); return protobuf_sgx_ret;
@@ -181,14 +183,14 @@ class LocalAttestationUntrusted {
       return 0;
     }
 
-    int setup_socket_for_local_attestation_requests(int port)
+    int LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(int port)
     {
       struct sockaddr_in own_addr;
       return set_up_socket(port, &own_addr);
     }
 
     // TODO: CHANGED SIGNATURE.
-    int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd, int* accept_fd)
+    int LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd, int* accept_fd)
     {
       uint32_t protobuf_sgx_ret;
       struct sockaddr_storage apache_addr;
@@ -203,19 +205,19 @@ class LocalAttestationUntrusted {
       }
       *accept_fd=temp_accept_fd;
 
-      protobuf_sgx_ret = local_attestation_msg2_msg3(own_enclave_id, accept_fd);
+      protobuf_sgx_ret = local_attestation_msg2_msg3(own_enclave_id, temp_accept_fd);
       return protobuf_sgx_ret;
     }
 
-    int post_local_attestation_with_verifier(uint32_t own_enclave_id, int accept_fd)
+    int LocalAttestationUntrusted::post_local_attestation_with_verifier(uint32_t own_enclave_id, int accept_fd)
     {
       uint32_t protobuf_sgx_ret;
       uint8_t encrypted_apache_mrsigner_and_tag[48];
       size_t bytes_read;
-
+	int count; 
       printf("Here\n"); fflush(stdout);
       bytes_read=read(accept_fd, encrypted_apache_mrsigner_and_tag, 48);
-    	if(bytes_read_post_la!=48)
+    	if(bytes_read!=48)
      	{
            	printf("Not all of the encrypted apache's mrsigner was read from the verifier.\n"); fflush(stdout);
             close(accept_fd);
@@ -226,20 +228,33 @@ class LocalAttestationUntrusted {
     	  printf("0x%02x ", encrypted_apache_mrsigner_and_tag[count]);
       printf("\n");fflush(stdout);
 
-      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &sgx_ret, encrypted_apache_mrsigner_and_tag);
-      if(sgx_ret!=0)
+      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &protobuf_sgx_ret, encrypted_apache_mrsigner_and_tag);
+      if(protobuf_sgx_ret!=0)
     	{
-        printf("Error in decryption: 0x%x\n", sgx_ret); fflush(stdout);
+        printf("Error in decryption: 0x%x\n", protobuf_sgx_ret); fflush(stdout);
         close(accept_fd);
-        return sgx_ret;
+        return protobuf_sgx_ret;
     	}
 
       printf("Successful decryption\n"); fflush(stdout);
       close(accept_fd);
+	uint8_t output[64];
+      Decryptor_get_verifier_mrenclave_apache_mrsigner_wrapper(own_enclave_id, output); 
+	uint32_t counter;  
+	for(counter=0; counter<32; counter++)
+		printf("0x%x ", output[counter]);
+	printf("/n"); 
+        for(counter=32; counter<64; counter++)
+                printf("0x%x ", output[counter]);
+        printf("/n"); 
+
+	fflush(stdout);
+
       return 0;
+
     }
 
-    int post_local_attestation_with_apache(uint32_t own_enclave_id, int accept_fd)
+    int LocalAttestationUntrusted::post_local_attestation_with_apache(uint32_t own_enclave_id, int accept_fd)
     {
       protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
       uint8_t encrypted_sign_data_and_sign_and_tag[176];
@@ -247,9 +262,9 @@ class LocalAttestationUntrusted {
   	  memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
 	    uint32_t internal_return_status;
 	    uint32_t count;
-	    sgx_status_t sgx_ret;
+	    uint32_t sgx_ret;
 
-        Decryptor_encrypt_mitigator_header_H_to_apache_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag);
+        Decryptor_create_and_encrypt_mitigator_header_H_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag);
       	if(sgx_ret!=0)
       	{
       		printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout);
@@ -279,4 +294,4 @@ class LocalAttestationUntrusted {
       return internal_return_status;
 
       return 0; }
-};
+

App/protobufLAInitiator.cpp

@@ -21,8 +21,7 @@ int generate_protobuf_dh_msg1(uint32_t own_enclave_id, protobuf_sgx_dh_msg1_t& p
   return 0;
 }
 
-// TODO: Edit this to remove the read argument and edit the ecall too.
-int process_protobuf_dh_msg2_generate_protobuf_dh_msg3(uint32_t own_enclave_id, protobuf_sgx_dh_msg2_t& protobuf_msg2, protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id, uint8_t* read)
+int process_protobuf_dh_msg2_generate_protobuf_dh_msg3(uint32_t own_enclave_id, protobuf_sgx_dh_msg2_t& protobuf_msg2, protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id)
 {
   uint32_t ret_status;
   sgx_dh_msg2_t dh_msg2;            //Diffie-Hellman Message 2

CommonOpensslCode/Openssl_crypto.cpp

@@ -388,7 +388,7 @@ int compute_ecdsa_signature(unsigned char* signature_data, uint32_t signature_da
 // plaintext in case of decryption, should always contain the actual ciphertext length, that is, minus the tag
 // ciphertext in case of encryption consists of ciphertext plus tag and op_ciphertext_len should similarly also consist of ciphertext_length plus 16.
 // Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
-int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len)
+int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, unsigned char* tag)
 {
 	int len;
 	int ciphertext_len;
@@ -399,15 +399,16 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 		if(!(ctx = EVP_CIPHER_CTX_new())) { return 0x1; }
 	}
 
-
+	
 	// Initialise the encryption operation. //
-	if(1 != EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv, enc))
+	if(1 != EVP_CipherInit_ex(ctx, EVP_aes_128_gcm(), NULL, key, iv, enc))
 	{
 		reset_return = EVP_CIPHER_CTX_reset(ctx);
 		if(reset_return != 1)
 			return 0xf2;
 		return 0x2;
 	}
+	
 	// Provide the message to be encrypted, and obtain the encrypted output.	 * EVP_EncryptUpdate can be called multiple times if necessary
 	 //
 	if(1 != EVP_CipherUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
@@ -418,10 +419,10 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 		return 0x3;
 	}
 	ciphertext_len = len;
-
+	
 	if(enc == 0)
         {
-                if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, plaintext + plaintext_len))
+                if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
                 {
                        reset_return = EVP_CIPHER_CTX_reset(ctx);
                        if(1 != reset_return)
@@ -430,7 +431,6 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
                 }
         }
 
-
 	// Finalise the encryption. Normally ciphertext bytes may be written at  this stage, but this does not occur in GCM mode
 	 //
 	// TODO: ^^^ Why the heck does it not occur in GCM mode ?
@@ -446,14 +446,14 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 	// Get the tag
 	if(enc == 1)
 	{
-		if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, ciphertext + ciphertext_len))
+		if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
 		{
                 	reset_return = EVP_CIPHER_CTX_reset(ctx);
                 	if(1 != reset_return)
                         	return 0xF5;
 	                return 0x5;
 		}
-		ciphertext_len += 16;
+		//ciphertext_len += 16;
 	}
 
 	// Clean up //
@@ -463,7 +463,6 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 	}
 
 	*op_ciphertext_len=ciphertext_len;
-		//EVP_CIPHER_CTX_free(ctx); // TODO: memory leaks here - need to free this for erroneous cases too.
 	return 0;
 }
 

Decryptor/Decryptor.cpp

@@ -47,7 +47,7 @@
         uint8_t Decryptor::verifier_mr_enclave[32] = {0};
         uint8_t Decryptor::apache_mr_signer[32] = {0};
         unsigned int successful_la_count;
-        uint8_t Decryptor::plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64]={0};
+        uint8_t Decryptor::plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64] = {0};
 
 
   // INTERNAL
@@ -78,7 +78,7 @@
     if(internal_return_status != 0x0)
       return internal_return_status;
 
-    internal_return_status = signatureBox.sign(local_signature_data_and_signature, ECDH_PUBLIC_KEY_SIZE + 32, local_signature_and_signature + ECDH_PUBLIC_KEY_SIZE + 32);
+    internal_return_status = signatureBox.sign(local_signature_data_and_signature, ECDH_PUBLIC_KEY_SIZE + 32, local_signature_data_and_signature + ECDH_PUBLIC_KEY_SIZE + 32);
     if(internal_return_status != 0x0)
       return internal_return_status;
     for(counter=0;counter<ECDH_PUBLIC_KEY_SIZE + 32 + 64;counter++)
@@ -87,7 +87,7 @@
   }
 
   // EXTERNAL ECALL.
-  uint32_t Decryptor::encrypt_mitigator_header_H_to_apache(uint8_t* ciphertext_token_H_plus_tag)
+  uint32_t Decryptor::create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag)
   {
     	uint32_t counter;
     	uint8_t sign_data_and_sign[ECDH_PUBLIC_KEY_SIZE + 32 + 64 + 10];
@@ -212,33 +212,26 @@
       return 0;
     }
 
-  uint32_t Decryptor::process_verifiers_message(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length)
+  uint32_t Decryptor::process_verifiers_message(uint8_t* input_ciphertext_plus_tag)
   {
-        uint8_t *first_decryption_output, *plaintext_client_data, *temp_output_ciphertext;
-        uint32_t first_decryption_output_length, plaintext_client_data_length;
-        uint32_t temp_output_ciphertext_length, internal_return_status;
-        uint8_t temp_output_tag[16]; uint32_t counter;
+        uint8_t *first_decryption_output;
+        uint32_t first_decryption_output_length;
+        uint32_t  internal_return_status;
+        uint32_t counter;
         if(successful_la_count != 1) // else, the untrusted application can call this on the first message by apache and cause the verifier to set its mrsigner.
           return 0x23;
-        // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
-        first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
-        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length - 16, first_decryption_output, &first_decryption_output_length);
+
+        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext_plus_tag, 32, first_decryption_output, &first_decryption_output_length);
         if(internal_return_status != 0)
-        {
-          free(first_decryption_output);
           return internal_return_status;
-        }
 
-        if(first_decryption_output_length != 32)
-        {
-          free(first_decryption_output);
+        if(first_decryption_output_length != 32) 
           return 0x33;
-        }
+        
         for(counter=0; counter<32; counter++)
-        {
           apache_mr_signer[counter] = *(first_decryption_output + counter);
-        }
-        free(first_decryption_output);
+        
+        
         return 0;
   }
 
@@ -299,3 +292,14 @@
   {
 	*output_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE);
 }
+
+
+	void Decryptor::get_verifier_mrenclave_apache_mrsigner(uint8_t* output)
+	{
+		uint32_t counter;
+		for(counter=0; counter<32;counter++)
+		{
+			output[counter]=verifier_mr_enclave[counter];
+			output[counter+32]=apache_mr_signer[counter];
+		}
+	}

Decryptor/Decryptor.edl

@@ -42,8 +42,11 @@ enclave {
       public uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper([in, size=SEALED_SIZE] uint8_t* sealed_data, [in, size=4] uint32_t* sgx_sealed_data_length);
       public uint32_t create_and_encrypt_mitigator_header_H_wrapper([out, size=176] uint8_t* ciphertext_token_H_plus_tag);
       // Apache mrsigner = 32 bytes + tag on encryption = 16 bytes.
-      public uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper([in, size=48] uint8_t* ciphertext_plus_tag);
+      // public uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper([in, size=48] uint8_t* ciphertext_plus_tag);
       // NEED AT LEAST: 64 bytes for public key of client, plus 64 bytes of signature over it, plus 16 bytes of tag over any encryption = 144 bytes. Msg length = 144 bytes + Length of form field
       public uint32_t process_apache_message_generate_response_wrapper([in, size=256] uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, [out, size=256] uint8_t* output_ciphertext, [out,size=4] uint32_t* output_ciphertext_plus_tag_length);
+      public uint32_t process_verifiers_message_wrapper([in, size=48] uint8_t* input_ciphertext);
+      public        void get_verifier_mrenclave_apache_mrsigner_wrapper([out, size=64] uint8_t* output);
+
     };
   };

Decryptor/Decryptor.h

@@ -1,4 +1,4 @@
-#include <map>
+//#include <map>
 #include "ECDSASignatureBox.h"
 #include "HybridEncryptionBox.h"
 #include "LocalAttestationTrusted.h"
@@ -6,13 +6,14 @@
 class Decryptor {
   static ECDSASignatureBox signatureBox;
   static HybridEncryptionBox hybridEncryptionBoxClient;
-//  static LocalAttestationTrusted localAttestation;
   static uint8_t verifier_mr_enclave[32]; // =  {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
   static SymmetricEncryptionBox symmetricEncryptionBoxApache;
   static SymmetricEncryptionBox symmetricEncryptionBoxVerifier;
   static uint8_t apache_mr_signer[32]; // = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; 
+  static uint8_t plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64];
+
   static uint32_t create_mitigator_token_M(uint8_t* token);
-  static uint32_t create_mitigator_header_H(uint8_t* signature_data, uint8_t* signature);
+  static uint32_t create_mitigator_header_H(uint8_t* signature_data_and_signature);
   static uint32_t create_long_term_signing_keypair(uint8_t* private_public_key_string);
   static uint32_t initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length);
   public:
@@ -23,6 +24,9 @@ class Decryptor {
     static uint32_t unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length);
     static uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext_plus_tag);
     static uint32_t process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
+    static uint32_t process_verifiers_message(uint8_t* input_ciphertext);
+	static  void get_verifier_mrenclave_apache_mrsigner(uint8_t* output); 
+
   };
 
 //ECDSASignatureBox Decryptor::signatureBox(); 

Decryptor/DecryptorWrapper.cpp

@@ -2,19 +2,19 @@
 #include "Decryptor.h"
 #include "Decryptor_t.h"
 
-uint32_t process_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
+uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
 {
-  return Decryptor::process_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
+  return Decryptor::process_apache_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
 }
 
-uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length)//, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
+uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext)
 {
-  return Decryptor::process_verifiers_message(input_ciphertext, input_ciphertext_plus_tag_length);
+  return Decryptor::process_verifiers_message(input_ciphertext);
 }
 
-uint32_t encrypt_mitigator_header_H_to_apache_wrapper(uint8_t* ciphertext_token_H_plus_tag)
+uint32_t create_and_encrypt_mitigator_header_H_wrapper(uint8_t* ciphertext_token_H_plus_tag)
 {
-  return Decryptor::encrypt_mitigator_header_H_to_apache(ciphertext_token_H_plus_tag);
+  return Decryptor::create_and_encrypt_mitigator_header_H(ciphertext_token_H_plus_tag);
 }
 
 void calculate_sealed_keypair_size_wrapper(uint32_t* length)
@@ -31,3 +31,8 @@ uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_d
 {
   return Decryptor::unseal_and_restore_long_term_signing_key_pair(sealed_data, sgx_sealed_data_length);
 }
+
+void get_verifier_mrenclave_apache_mrsigner_wrapper(uint8_t* output)
+{
+	return Decryptor::get_verifier_mrenclave_apache_mrsigner(output);
+}

Decryptor/SymmetricEncryptionBox.cpp

@@ -23,21 +23,33 @@
   void SymmetricEncryptionBox::set_symmetric_key(uint8_t* given_key)
   {
     uint32_t counter;
-    for(counter=0; counter<32; counter++)
+    for(counter=0; counter<16; counter++)
       symmetric_key[counter] = given_key[counter];
   }
 
     void SymmetricEncryptionBox::get_symmetric_key(uint8_t* op_key)
     {
 	    uint32_t counter;
-	    for(counter=0; counter<32; counter++)
+	    for(counter=0; counter<16; counter++)
 	      op_key[counter] = symmetric_key[counter];
     }
 
   // TODO: IMPORTANT - CHECK IF WE NEED TO DO THE AES GCM INCREMENT IV FOR DECRYPTION TOO.
   uint32_t SymmetricEncryptionBox::encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
   {
-    uint32_t return_status = aes_gcm_256(enc, symmetric_key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length);
+    uint8_t tag[16];uint32_t counter;
+    if(enc == 0)
+	{
+		for(counter=0;counter<16;counter++)
+			tag[counter] = plaintext[counter + plaintext_length]; 
+	}
+    uint32_t return_status = aes_gcm_256(enc, symmetric_key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
+	if(enc == 1)
+	{
+		for(counter=0;counter<16;counter++)
+			ciphertext[counter] = tag[counter];
+		ciphertext_length+=16;
+	}
     if(return_status == 0)
       aes_gcm_increment_iv_internal_call(iv);
     return return_status;

Include/LocalAttestationUntrusted.h

@@ -18,15 +18,17 @@ class LocalAttestationUntrusted {
   static   uint32_t session_id;
   static protobuf_sgx_dh_msg1_t protobuf_msg1;
 
-  static int decrypt_client_data_wrapper(uint32_t own_enclave_id, int apache_fd);
+  static int decrypt_client_data(uint32_t own_enclave_id, int apache_fd);
   static uint32_t local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd);
+//  uint32_t LocalAttestationUntrusted::local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd)
+
   static int write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& message);
   static int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message);
   static int set_up_socket(int port,   sockaddr_in* address);
 public:
-  int setup_socket_for_local_attestation_requests(int port);
-  static int prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id, int port);
-  static int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd);
+  static int setup_socket_for_local_attestation_requests(int port);
+  static int prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id);
+  static int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd, int * accept_fd);
   static int post_local_attestation_with_verifier(uint32_t own_enclave_id, int apache_fd);
   static int post_local_attestation_with_apache(uint32_t own_enclave_id, int apache_fd);
 };

Include/Openssl_crypto.h

@@ -4,6 +4,6 @@ int ecdh_key_gen(unsigned char* pub_key_x, unsigned char* pub_key_y, unsigned ch
 unsigned long check_ecdh_public_key(unsigned char* given_key_x, unsigned char* given_key_y);
 unsigned long compute_ecdh_shared_key(unsigned char* given_key_x, unsigned char* given_key_y, unsigned char* priv_key, unsigned char* derived_key);
 int generate_sha256_hash(const unsigned char *message, size_t message_len, unsigned char *digest);
-int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, unsigned char* tag);
+int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, uint8_t* tag);
 int base64_decoding_wrapper(unsigned char* src, unsigned char* dest, uint32_t length);
 int compute_ecdsa_signature(unsigned char* signature_data, uint32_t signature_data_length, unsigned char* own_private_key, unsigned char* signature); 

Include/SymmetricEncryptionBox.h

@@ -3,14 +3,14 @@
 #include "Openssl_crypto.h"
 class SymmetricEncryptionBox {
   uint8_t iv[12];
-  uint8_t symmetric_key[32]; // SHA256 used with ECDHE -> or AES whatever symmetric_key.
+  uint8_t symmetric_key[16]; // SHA256 used with ECDHE -> or AES whatever symmetric_key.
   // increments last 4 bytes (in big-endian order)
   uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv);
   public:
 //    SymmetricEncryptionBox();
     void set_symmetric_key(uint8_t* given_key);
     void get_symmetric_key(uint8_t* op_key); 
-    uint32_t encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length, uint8_t* tag);
+    uint32_t encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length);
 //    ~SymmetricEncryptionBox();
 };
 #endif

Makefile

@@ -271,7 +271,7 @@ App/%.o: App/%.cpp Decryptor/Decryptor_u.h #Enclave3/Enclave3_u.h
 	@$(CXX) $(App_Compile_Flags) -c $< -o $@
 	@echo "CXX  <=  $<"
 
-$(App_Name): $(App_Cpp_Objects) App/Decryptor_u.o #$(App_Cpp_Objects)# $(UnTrustLib_Name)
+$(App_Name): App/App.o App/LocalAttestationUntrusted.o App/protobufLAInitiator.o App/protobufSgxLATransformsInitiator.o App/ProtobufLAMessages.pb.o   App/Decryptor_u.o #$(App_Cpp_Objects)# $(UnTrustLib_Name)
 	@$(CXX) -Wl,--no-undefined $^ -o $@ $(App_Link_Flags)
 	@echo "LINK =>  $@"
 
@@ -315,4 +315,4 @@ $(Enclave_Name_2): Decryptor.so
 .PHONY: clean
 
 clean:
-	@rm -rf .config_* $(App_Name) *.so *.a App/*.o Decryptor/*.o Decryptor/*_t.* Decryptor/*_u.* LocalAttestationCode/*.o LocalAttestationCode/*_t.*
+	@rm -rf .config_* $(App_Name) *.so *.a App/*.o Decryptor/*.o Decryptor/*_t.* Decryptor/*_u.* LocalAttestationCode/*.o LocalAttestationCode/*_t.* CommonOpensslCode/*.o