Works with extension but crashes in case we actually try to decrypt data

App/App.cpp

@@ -206,7 +206,7 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
                 printf("%02x", verification_key[counter + 32]);
         printf("\n"); fflush(stdout); 
 
-/*
+
     int server_fd, accept_fd;
     ret_status = LocalAttestationUntrusted::prepare_local_attestation_as_responder_msg1(e2_enclave_id);
     if(ret_status !=0)
@@ -268,7 +268,7 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       sgx_destroy_enclave(e2_enclave_id);
       return 0xFFFFFF01;
     }
-*/
+
     sgx_destroy_enclave(e2_enclave_id);
 
     return 0;

App/LocalAttestationUntrusted.cpp

@@ -135,7 +135,7 @@ using namespace google::protobuf::io;
   {
     protobuf_post_LA_encrypted_msg_t protobuf_msg;
     unsigned char* protobuf_msg_ptr;
-    uint32_t sgx_ret_status;
+    uint32_t sgx_ret_status=0;
     uint8_t* input_ciphertext_plus_tag;
     uint32_t input_ciphertext_plus_tag_length;
   	uint8_t* output_ciphertext_plus_tag;
@@ -143,31 +143,43 @@ using namespace google::protobuf::io;
     int counter;
 
     if(read_protobuf_msg_from_fd(fd, protobuf_msg)!=0)
+    {
+	printf("Could not read apache's message post-local attestation\n"); fflush(stdout);
       return 0xfe;
+    }
+    printf("Clients data\n"); fflush(stdout); 
 
     input_ciphertext_plus_tag_length = protobuf_msg.msg().length();
     // TODO: MAKE SURE THIS IS NOT 0XFFFFFFFF.
     input_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
-    output_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length - 128 + 10); //128 = client public key token length?
+    output_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length); //128 = client public key token length?
     protobuf_msg_ptr = (uint8_t*) protobuf_msg.msg().c_str();
 
     for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
+    {
       input_ciphertext_plus_tag[counter] = *(protobuf_msg_ptr + counter);
-
+	printf("0x%02x ", input_ciphertext_plus_tag[counter]); 
+    }
     // Just so that the ciphertext - client data - is returned back to Apache in case this function fails.
     // client data is after public key (64 bytes) + signature (64 bytes) = 128 bytes.
-    for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
-  		output_ciphertext_plus_tag[counter] = input_ciphertext_plus_tag[counter+128];
-
+    for(counter=64; counter<input_ciphertext_plus_tag_length; counter++)
+  		output_ciphertext_plus_tag[counter] = input_ciphertext_plus_tag[counter];
+	output_ciphertext_plus_tag_length=input_ciphertext_plus_tag_length;
+        protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length); 
+    
     // We assume that the output is not changed unless it is successful throughout.
     // Return value is not sent back..
-    Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext_plus_tag, &output_ciphertext_plus_tag_length);
+//    Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext_plus_tag, &output_ciphertext_plus_tag_length);
     free(input_ciphertext_plus_tag);
-      protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
-      free(output_ciphertext_plus_tag);
-    	if(write_protobuf_msg_to_fd(fd, protobuf_msg)!=0)
-    	  return 0xfc;
+      if(sgx_ret_status!=0)
+      {
+      	protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
+      }
+       free(output_ciphertext_plus_tag);
+     if(write_protobuf_msg_to_fd(fd, protobuf_msg)!=0)
+          return 0xfc;
   	return 0;
+
   }
 
  
@@ -258,7 +270,6 @@ using namespace google::protobuf::io;
     {
       protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
       uint8_t encrypted_sign_data_and_sign_and_tag[176];
-      int apache_fd=accept_fd;
   	  memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
 	    uint32_t internal_return_status;
 	    uint32_t count;
@@ -279,7 +290,7 @@ using namespace google::protobuf::io;
       	printf("\n"); fflush(stdout);
 
       	protobuf_encrypted_msg.set_msg((void*)encrypted_sign_data_and_sign_and_tag, 176);
-      	if(write_protobuf_msg_to_fd(apache_fd, protobuf_encrypted_msg) != 0)
+      	if(write_protobuf_msg_to_fd(accept_fd, protobuf_encrypted_msg) != 0)
         {
           printf("Not all of the mitigator token H was written to the Apache.\n"); fflush(stdout);
           close(accept_fd);

Decryptor/Decryptor.cpp

@@ -119,8 +119,8 @@
   // INTERNAL.
   uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length)
   {
-    uint8_t* ciphertext;
-    uint32_t ciphertext_length;
+    uint8_t* ciphertext_plus_tag;
+    uint32_t ciphertext_plus_tag_length;
     uint32_t internal_return_status;
     // and now I will derive a shared key from the plaintext_client_public_key
     internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
@@ -128,10 +128,10 @@
       return internal_return_status;
 
     // and then I will decrypt the rest of the client data with that key.
-    ciphertext = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
-    ciphertext_length = total_length - ECDH_PUBLIC_KEY_SIZE - 16;
+    ciphertext_plus_tag = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
+    ciphertext_plus_tag_length = total_length - ECDH_PUBLIC_KEY_SIZE;
 
-    internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext, ciphertext_length, plaintext_client_data, plaintext_client_data_length);
+    internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext_plus_tag, ciphertext_plus_tag_length, plaintext_client_data, plaintext_client_data_length);
     return internal_return_status;
   }
 
@@ -223,7 +223,7 @@
         if(successful_la_count != 1) // else, the untrusted application can call this on the first message by apache and cause the verifier to set its mrsigner.
           return 0x23;
 
-        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext_plus_tag, 32, first_decryption_output, &first_decryption_output_length);
+        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext_plus_tag, 48, first_decryption_output, &first_decryption_output_length);
         if(internal_return_status != 0)
 	  return internal_return_status;
 	
@@ -245,7 +245,7 @@
       uint32_t internal_return_status;
       // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
       first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length - 16, first_decryption_output, &first_decryption_output_length);
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length, first_decryption_output, &first_decryption_output_length);
       if(internal_return_status != 0)
       {
         free(first_decryption_output);
@@ -256,14 +256,14 @@
       internal_return_status = initialize_symmetric_key_decrypt_client_data(first_decryption_output, first_decryption_output_length, plaintext_client_data, &plaintext_client_data_length);
       free(first_decryption_output);
       if(internal_return_status != 0)
+      {
+	free(plaintext_client_data); 
         return internal_return_status;
-
+      }
       // then I will encrypt the resulting first_decryption_output to the apache enclave.
       internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
       free(plaintext_client_data);
-      if(internal_return_status != 0)
         return internal_return_status;
-      return 0;
     }
 
   // INTERNAL.

Decryptor/SymmetricEncryptionBox.cpp

@@ -37,13 +37,15 @@
   // TODO: IMPORTANT - CHECK IF WE NEED TO DO THE AES GCM INCREMENT IV FOR DECRYPTION TOO.
   uint32_t SymmetricEncryptionBox::encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
   {
+    uint32_t actual_plaintext_length=plaintext_length; 
     uint8_t tag[16];uint32_t counter;
     if(enc == 0)
 	{
 		for(counter=0;counter<16;counter++)
-			tag[counter] = plaintext[counter + plaintext_length]; 
+			tag[counter] = plaintext[counter + plaintext_length - 16]; 
+		actual_plaintext_length-=16;
 	}
-    uint32_t return_status = aes_gcm_128(enc, symmetric_key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
+    uint32_t return_status = aes_gcm_128(enc, symmetric_key, iv, plaintext, actual_plaintext_length, ciphertext, ciphertext_length, tag);
 	if(enc == 1)
 	{
 		for(counter=0;counter<16;counter++)