|
|
@@ -399,6 +399,7 @@ uint32_t calculate_sealed_data_size( uint32_t input_size)
|
|
|
|
|
|
// ip_key will always be within the enclave.
|
|
|
// enc = 1 for encryption and 0 for decryption, like openssl api
|
|
|
+// TODO: Rename this - it's actually 128 bit encryption.
|
|
|
uint32_t aes_gcm_192_call(uint32_t enc, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* op_plaintext, uint32_t* op_plaintext_length, uint8_t* tag)
|
|
|
{
|
|
|
uint32_t counter;
|
|
|
@@ -464,11 +465,12 @@ uint32_t decrypt_client_data(unsigned char* ip_encrypted_client_pub_key_and_data
|
|
|
uint32_t temp_array_valid_length;
|
|
|
unsigned char client_iv[12]={0,0,0,0, 0,0,0,0, 0,0,0,0};
|
|
|
|
|
|
- for(counter=0;counter<ip_encrypted_client_pub_key_and_data_length;counter++)
|
|
|
+ for(counter=64;counter<ip_encrypted_client_pub_key_and_data_length;counter++)
|
|
|
op_client_data[counter]=ip_encrypted_client_pub_key_and_data[counter];
|
|
|
*clen = (uint8_t) ip_encrypted_client_pub_key_and_data_length;
|
|
|
|
|
|
temp_array = (unsigned char*) malloc(ip_encrypted_client_pub_key_and_data_length);
|
|
|
+/*
|
|
|
// TODO: Remove aes_gcm_internal_call function - upgrade to using openssl's aesgcm 192 bit enc
|
|
|
// TODO: Change the returned 2nd length o/p to be incoming length - tag length for decryption and incoming length + 16 for encryption
|
|
|
ret = aes_gcm_192_call(0, apache_key, apache_iv, ip_encrypted_client_pub_key_and_data, ip_encrypted_client_pub_key_and_data_length, temp_array, &temp_array_valid_length, ip_encrypted_client_pub_key_and_data + ip_encrypted_client_pub_key_and_data_length - 16);
|
|
|
@@ -477,6 +479,53 @@ uint32_t decrypt_client_data(unsigned char* ip_encrypted_client_pub_key_and_data
|
|
|
free(temp_array);
|
|
|
return ret;
|
|
|
}
|
|
|
+
|
|
|
+ for(counter=0; counter<temp_array_valid_length; counter++)
|
|
|
+ op_client_data[counter] = temp_array[counter];
|
|
|
+ *clen = temp_array_valid_length;
|
|
|
+ free(temp_array);
|
|
|
+ return 0;
|
|
|
+*/
|
|
|
+
|
|
|
+ // Temp_array = {X component of public key (32 bytes), Y component of public key (32 bytes), client data encrypted to decryptor (x), tag for client data encrypted to decryptor (16 bytes)
|
|
|
+ // therefore, length x = temp_array_valid_length - 64 (for public key) - 16 (for own tag)
|
|
|
+ plaintext_client_public_key = ip_encrypted_client_pub_key_and_data; // temp_array;
|
|
|
+ client_data_encrypted_to_decryptor = ip_encrypted_client_pub_key_and_data + 64;
|
|
|
+ client_data_encrypted_to_decryptor_length = ip_encrypted_client_pub_key_and_data_length; // temp_array_valid_length - 64 - 16;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = ip_encrypted_client_pub_key_and_data + 64 + ip_encrypted_client_pub_key_and_data_length; //temp_array + 64 + client_data_encrypted_to_decryptor_length;
|
|
|
+
|
|
|
+ check_ret = compute_ecdh_shared_key(plaintext_client_public_key, plaintext_client_public_key + 32, short_term_private_key_arr, derived_key);
|
|
|
+ if(check_ret != 0)
|
|
|
+ {
|
|
|
+ plaintext_client_public_key = NULL;
|
|
|
+ client_data_encrypted_to_decryptor = NULL;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
+ free(temp_array);
|
|
|
+ return check_ret;
|
|
|
+ }
|
|
|
+/*
|
|
|
+ check_ret = aes_gcm(0, derived_key, client_iv, client_data_encrypted_to_decryptor, client_data_encrypted_to_decryptor_length, temp_array, &temp_array_valid_length, tag_for_client_data_encrypted_to_decryptor);
|
|
|
+ if(check_ret != 0)
|
|
|
+ {
|
|
|
+ plaintext_client_public_key = NULL;
|
|
|
+ client_data_encrypted_to_decryptor = NULL;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
+ free(temp_array);
|
|
|
+ return check_ret;
|
|
|
+ }
|
|
|
+*/
|
|
|
+ for(counter=0;counter<32;counter++)
|
|
|
+ op_client_data[counter]=derived_key[counter];
|
|
|
+
|
|
|
+// for(counter=0; counter<temp_array_valid_length; counter++)
|
|
|
+// op_client_data[counter] = temp_array[counter];
|
|
|
+// for(counter=0; counter<16; counter++)
|
|
|
+// op_client_data[temp_array_valid_length + counter] = tag_for_client_data_encrypted_to_decryptor[counter];
|
|
|
+
|
|
|
+// *clen = temp_array_valid_length + 16;
|
|
|
+ *clen = 32;
|
|
|
+ return 0;
|
|
|
+/*
|
|
|
// Temp_array = {X component of public key (32 bytes), Y component of public key (32 bytes), client data encrypted to decryptor (x), tag for client data encrypted to decryptor (16 bytes)
|
|
|
// therefore, length x = temp_array_valid_length - 64 (for public key) - 16 (for own tag)
|
|
|
plaintext_client_public_key = temp_array;
|
|
|
@@ -510,7 +559,7 @@ uint32_t decrypt_client_data(unsigned char* ip_encrypted_client_pub_key_and_data
|
|
|
{
|
|
|
for(counter=0; counter<client_data_encrypted_to_apache_length; counter++)
|
|
|
op_client_data[counter] = client_data_encrypted_to_apache[counter];
|
|
|
- for(counter=0; counter<16; counter++)
|
|
|
+ for(counter=0; counter<16; counter++) // TODO: This overwrites the first 16 bytes of the array written in the line above (WTF is going on)
|
|
|
op_client_data[counter] = tag_for_client_data_encrypted_to_apache[counter];
|
|
|
*clen = (uint8_t) client_data_encrypted_to_apache_length + 16; // Need to give in the total wire length
|
|
|
}
|
|
|
@@ -520,5 +569,7 @@ uint32_t decrypt_client_data(unsigned char* ip_encrypted_client_pub_key_and_data
|
|
|
tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
free(temp_array);
|
|
|
free(client_data_encrypted_to_apache);
|
|
|
+
|
|
|
return ret;
|
|
|
+*/
|
|
|
}
|
dettanym