Added in new decryptor ecalls and internal calls for multiple ciphertext

fields. Links correctly.

Decryptor/Decryptor.cpp

@@ -85,22 +85,34 @@
   }
 
   // INTERNAL.
-  uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length)
+  uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(
+          uint8_t* client_public_key_plus_ciphertext_fields, uint32_t* client_public_key_plus_ciphertext_fields_lengths,
+          uint32_t number_of_ciphertext_fields,
+          uint8_t* plaintext_fields, uint32_t* plaintext_field_lengths)
   {
-    uint8_t* ciphertext_plus_tag;
-    uint32_t ciphertext_plus_tag_length;
-    uint32_t internal_return_status;
+    uint8_t *ciphertext_field_ptr, *plaintext_field_ptr;
+    uint32_t plaintext_field_length, ciphertext_field_length, internal_return_status, counter;
 
     // I will derive a shared key from the plaintext_client_public_key
-    internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
+    internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(client_public_key_plus_ciphertext_fields);
     if(internal_return_status != 0)
       return internal_return_status;
 
     // and then I will decrypt the rest of the client data with that key.
-    ciphertext_plus_tag = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
-    ciphertext_plus_tag_length = total_length - ECDH_PUBLIC_KEY_SIZE;
+    ciphertext_field_ptr = client_public_key_plus_ciphertext_fields + client_public_key_plus_ciphertext_fields_lengths[0]; // tag = 16 bytes, iv = 12 bytes.
+    plaintext_field_ptr = plaintext_fields;
+    for(counter=0; counter<number_of_ciphertext_fields; counter++)
+    {
+        ciphertext_field_length = client_public_key_plus_ciphertext_fields_lengths[counter+1];
+        internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext_field_ptr,
+              ciphertext_field_length, plaintext_field_ptr, &plaintext_field_length);
+        if(internal_return_status != 0)
+            return internal_return_status;
+        plaintext_field_ptr += plaintext_field_length;
+        ciphertext_field_ptr += ciphertext_field_length;
 
-    internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext_plus_tag, ciphertext_plus_tag_length, plaintext_client_data, plaintext_client_data_length);
+        plaintext_field_lengths[counter] = plaintext_field_length;
+    }
     return internal_return_status;
   }
 
@@ -206,33 +218,109 @@
         return 0;
   }
 
-  uint32_t Decryptor::decrypt_client_data(
-          uint8_t* input_ciphertext,
-        uint32_t input_ciphertext_length,
-        uint32_t* input_sizes_array,
-        uint32_t input_sizes_array_length)
-  {
-      /*
-      // check if the buffer is allocated outside
-      if (sgx_is_outside_enclave(val, sz) != 1)
-          abort();
-
-      // fence after sgx_is_outside_enclave check
-      sgx_lfence();
-      */
-      return 0;
-  }
+  // INTERNAL.
+    uint32_t Decryptor::encrypt_decrypt_to_apache(uint32_t encrypt_decrypt,
+                                                    uint8_t* double_ciphertext,
+                                                  uint32_t* double_ciphertext_fields_lengths,
+                                                  uint32_t number_of_double_ciphertext_fields,
+                                                  uint8_t* ciphertext,
+                                                  uint32_t* ciphertext_length,
+                                                  uint32_t* ciphertext_fields_lengths)
+    {
+        uint32_t ciphertext_field_length, field_counter, temp_total_ciphertext_length, internal_return_status;
+        unsigned char *ciphertext_arr_ptr, *double_ciphertext_arr_ptr;
+
+        double_ciphertext_arr_ptr = double_ciphertext;
+        ciphertext_arr_ptr = ciphertext;
+
+        // decrypt each set of bytes of length input_sizes_array[counter] of the input_ciphertext
+        for(field_counter=0; field_counter<number_of_double_ciphertext_fields; field_counter++)
+        {
+            internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(encrypt_decrypt, double_ciphertext_arr_ptr,
+                                                                                  double_ciphertext_fields_lengths[field_counter],
+                                                                                  ciphertext_arr_ptr, &ciphertext_field_length);
+            if(internal_return_status != 0)
+                return internal_return_status;
+
+            double_ciphertext_arr_ptr += double_ciphertext_fields_lengths[field_counter];
+            ciphertext_arr_ptr += ciphertext_field_length;
+            ciphertext_fields_lengths[field_counter] = ciphertext_field_length;
+            temp_total_ciphertext_length += ciphertext_field_length;
+        }
+
+        *ciphertext_length = temp_total_ciphertext_length;
+        return 0;
+    }
 
+  uint32_t Decryptor::process_apache_message_generate_response(
+            uint8_t* double_ciphertext,
+            uint32_t double_ciphertext_length,
+            uint32_t* double_ciphertext_fields_lengths,
+            uint32_t number_of_double_ciphertext_fields,
+            uint8_t* output_ciphertext,
+            uint32_t* output_sizes_array)
+{
+      unsigned char *incoming_ciphertext, *plaintext;
+      uint32_t *incoming_ciphertext_fields_lengths, *plaintext_fields_lengths;
+      uint32_t internal_return_status, output_ciphertext_length, ciphertext_length;
+
+      // UPPER BOUND - technically: double_ciphertext_length - (number_of_double_ciphertext_fields * 28)
+      incoming_ciphertext = (unsigned char*) malloc(double_ciphertext_length);
+      incoming_ciphertext_fields_lengths = (uint32_t*) malloc(number_of_double_ciphertext_fields);
+
+      internal_return_status = encrypt_decrypt_to_apache(0,
+              double_ciphertext,
+              double_ciphertext_fields_lengths,
+              number_of_double_ciphertext_fields,
+              incoming_ciphertext,
+              &ciphertext_length,
+              incoming_ciphertext_fields_lengths);
+
+      if(internal_return_status != 0)
+      {
+          free(incoming_ciphertext);
+          free(incoming_ciphertext_fields_lengths);
+          return internal_return_status;
+      }
+
+      plaintext = (unsigned char*) malloc(ciphertext_length);
+      plaintext_fields_lengths = (uint32_t*) malloc(number_of_double_ciphertext_fields); // -1 technically.
+      internal_return_status=initialize_symmetric_key_decrypt_client_data(
+            incoming_ciphertext, incoming_ciphertext_fields_lengths,
+            number_of_double_ciphertext_fields - 1,
+            plaintext, plaintext_fields_lengths);
+      free(incoming_ciphertext);
+      free(incoming_ciphertext_fields_lengths);
+      if(internal_return_status != 0)
+      {
+        free(plaintext);
+        free(plaintext_fields_lengths);
+        return internal_return_status;
+      }
+
+      internal_return_status = encrypt_decrypt_to_apache(1,
+                                                       plaintext,
+                                                       plaintext_fields_lengths,
+                                                       number_of_double_ciphertext_fields-1,
+                                                       output_ciphertext,
+                                                       &output_ciphertext_length,
+                                                       output_sizes_array);
+      free(plaintext);
+      free(plaintext_fields_lengths);
+      return internal_return_status;
+  }
 
 
-// EXTERNAL. DONE.
+    /*
+    // EXTERNAL. DONE.
   uint32_t Decryptor::process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext_plus_tag, uint32_t* output_ciphertext_plus_tag_length)
   {
       uint32_t first_decryption_output_length, plaintext_client_data_length;
       uint32_t internal_return_status;
       // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
       // first, I decrypt the message from the target enclave, to get the client's public key and ciphertext data (and tag and IV) 
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length, first_decryption_output, &first_decryption_output_length);
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length,
+              first_decryption_output, &first_decryption_output_length);
       if(internal_return_status != 0)
       	return internal_return_status;
 	
@@ -245,6 +333,7 @@
       internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, output_ciphertext_plus_tag, output_ciphertext_plus_tag_length); 
 	return internal_return_status; 
     }
+    */
 
   // INTERNAL.
   uint32_t Decryptor::verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t* given_mr_signer, uint8_t* dhaek)

Decryptor/Decryptor.edl

@@ -46,8 +46,14 @@ enclave {
       // Apache mrsigner = 32 bytes + tag on encryption = 16 bytes.
       // public uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper([in, size=60] uint8_t* ciphertext_plus_tag);
       // NEED AT LEAST: 64 bytes for public key of client, plus 64 bytes of signature over it, plus 16 bytes of tag over any encryption = 144 bytes. Msg length = 144 bytes + Length of form field
-      
-	public uint32_t process_apache_message_generate_response_wrapper([in, size=4100] uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, [out, size=4100] uint8_t* output_ciphertext, [out,size=4] uint32_t* output_ciphertext_plus_tag_length);
+      public uint32_t process_apache_message_generate_response_wrapper(
+              [in, size=input_ciphertext_length] uint8_t* input_ciphertext,
+              uint32_t input_ciphertext_length,
+              [in, size=input_sizes_array_length] uint32_t* input_sizes_array,
+              uint32_t input_sizes_array_length,
+              [out, size=input_ciphertext_length] uint8_t* output_ciphertext,
+              [out, size=input_sizes_array_length] uint32_t* output_sizes_array);
+	//public uint32_t process_apache_message_generate_response_wrapper([in, size=4100] uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, [out, size=4100] uint8_t* output_ciphertext, [out,size=4] uint32_t* output_ciphertext_plus_tag_length);
       public uint32_t process_verifiers_message_wrapper([in, size=60] uint8_t* input_ciphertext, uint32_t length);
       public        void get_verifier_mrenclave_apache_mrsigner_wrapper([out, size=64] uint8_t* output);
 	public void get_short_term_public_key_wrapper([out, size=64] uint8_t* output); 

Decryptor/DecryptorWrapper.cpp

@@ -1,13 +1,30 @@
 #include <stdint.h>
 #include "../TrustedInclude/Decryptor.h"
 #include "Decryptor_t.h"
-
+/*
 uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext,
         uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext,
         uint32_t* output_ciphertext_plus_tag_length)
 {
   return Decryptor::process_apache_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
 }
+*/
+uint32_t process_apache_message_generate_response_wrapper(
+        uint8_t* double_ciphertext,
+        uint32_t double_ciphertext_length,
+        uint32_t* double_ciphertext_fields_lengths,
+        uint32_t number_of_double_ciphertext_fields,
+        uint8_t* output_ciphertext,
+        uint32_t* output_sizes_array)
+{
+    return Decryptor::process_apache_message_generate_response(
+            double_ciphertext,
+            double_ciphertext_length,
+            double_ciphertext_fields_lengths,
+            number_of_double_ciphertext_fields,
+            output_ciphertext,
+            output_sizes_array);
+}
 
 uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext, uint32_t length)
 {
@@ -54,14 +71,6 @@ void get_apache_iv(uint8_t* op)
 	Decryptor::testing_get_apache_iv(op);
 }
 
-uint32_t decrypt_client_data_wrapper(uint8_t* input_ciphertext,
-        uint32_t input_ciphertext_length,
-        uint32_t* input_sizes_array,
-        uint32_t input_sizes_array_length)
-{
-    return Decryptor::decrypt_client_data(input_ciphertext, input_ciphertext_length, input_sizes_array, input_sizes_array_length);
-}
-
 uint32_t session_request_wrapper(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
 {
     // return LA::session_request(dh_msg1, session_id);

TrustedInclude/Decryptor.h

@@ -12,10 +12,21 @@ class Decryptor {
   static uint8_t first_decryption_output[1092]; // 1000 bytes of ciphertext data + 12 IV + 16 Tag + 64 clients public key
   static uint8_t plaintext_client_data[1000];
 
-  static uint32_t create_mitigator_token_M(uint8_t* token);
+    static uint32_t create_mitigator_token_M(uint8_t* token);
   static uint32_t create_mitigator_header_H(uint8_t* signature_data_and_signature);
   static uint32_t create_long_term_signing_keypair(uint8_t* private_public_key_string);
-  static uint32_t initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length);
+  // static uint32_t initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length);
+  static uint32_t initialize_symmetric_key_decrypt_client_data(
+          uint8_t* client_public_key_plus_ciphertext_fields, uint32_t* client_public_key_plus_ciphertext_fields_lengths,
+          uint32_t number_of_ciphertext_fields,
+          uint8_t* plaintext_fields, uint32_t* plaintext_field_lengths);
+    static uint32_t encrypt_decrypt_to_apache(uint32_t encrypt_decrypt,
+                                              uint8_t* double_ciphertext,
+                                              uint32_t* double_ciphertext_fields_lengths,
+                                              uint32_t number_of_double_ciphertext_fields,
+                                              uint8_t* ciphertext,
+                                              uint32_t* ciphertext_length,
+                                              uint32_t* ciphertext_fields_lengths);
   static uint32_t get_decrypted_client_data(uint8_t* array, uint32_t array_length);
 public:
     static void calculate_sealed_keypair_size(size_t* output_length);
@@ -24,12 +35,15 @@ public:
     static uint32_t create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag, uint32_t* length);
     static uint32_t unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, size_t* sgx_sealed_data_length);
     static uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext_plus_tag);
-    static uint32_t process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
+    // static uint32_t process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
+    static uint32_t process_apache_message_generate_response(
+            uint8_t* double_ciphertext,
+            uint32_t double_ciphertext_length,
+            uint32_t* double_ciphertext_fields_lengths,
+            uint32_t number_of_double_ciphertext_fields,
+            uint8_t* output_ciphertext,
+            uint32_t* output_sizes_array);
     static uint32_t process_verifiers_message(uint8_t* input_ciphertext, uint32_t length);
-    static uint32_t decrypt_client_data( uint8_t* input_ciphertext,
-            uint32_t input_ciphertext_length,
-            uint32_t* input_sizes_array,
-            uint32_t input_sizes_array_length);
     static  void testing_get_verifier_mrenclave_apache_mrsigner(uint8_t* output);
 	static void testing_get_short_term_public_key(uint8_t* output); 
     static void testing_long_term_verification_key(uint8_t* output);

TrustedInclude/DecryptorWrapper.h

@@ -5,7 +5,10 @@ uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_d
 uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
 uint32_t process_verifiers_message(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length);
 void get_short_term_public_key_wrapper(uint8_t* output);
-uint32_t decrypt_client_data_wrapper(uint8_t* input_ciphertext,
-        uint32_t input_ciphertext_length,
-        uint32_t* input_sizes_array,
-        uint32_t input_sizes_array_length);
+uint32_t process_apache_message_generate_response_wrapper(
+        uint8_t* double_ciphertext,
+        uint32_t double_ciphertext_length,
+        uint32_t* double_ciphertext_fields_lengths,
+        uint32_t number_of_double_ciphertext_fields,
+        uint8_t* output_ciphertext,
+        uint32_t* output_sizes_array);