|
@@ -42,7 +42,7 @@
|
|
|
#include "sgx_tcrypto.h"
|
|
|
#include "LocalAttestationCode_t.h"
|
|
|
#include "sgx_tseal.h"
|
|
|
-
|
|
|
+#include "Openssl_crypto.h"
|
|
|
|
|
|
|
|
|
|
|
@@ -80,6 +80,9 @@ static void reverse_byte_array(uint8_t *array, size_t size);
|
|
|
uint32_t one_la_done=0;
|
|
|
static sgx_ec256_public_t short_term_pub_key;
|
|
|
static sgx_ec256_private_t short_term_priv_key;
|
|
|
+unsigned char short_term_private_key_arr[32];
|
|
|
+unsigned char short_term_public_key_arr[64];
|
|
|
+
|
|
|
//sgx_ec256_signature_t generated_signature; // TODO: remove
|
|
|
sgx_measurement_t apache_mr_signer; // TODO: remove
|
|
|
sgx_measurement_t verifier_mr_enclave; // TODO: remove
|
|
@@ -292,25 +295,20 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
|
|
|
// Otherwise: DoS or possible bypass (fake verifier does LA but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave or whatever is in the memory.
|
|
|
if(one_la_done < 1)
|
|
|
return 0xde; // This needs to be called at any point after the first local attestation is done - else, a junk verifier mrenclave will be included in the signature
|
|
|
- // TODO: Comment this
|
|
|
- // memset(&(verifier_mr_enclave.m), 0x55, 32);
|
|
|
|
|
|
// create key pair
|
|
|
- uint32_t ret_status = create_ec_key_pair(&short_term_pub_key, &short_term_priv_key); uint32_t counter;
|
|
|
+ uint32_t ret_status = ec_key_gen(short_term_public_key_arr, short_term_public_key_arr + 32, short_term_private_key_arr); //create_ec_key_pair(&short_term_pub_key, &short_term_priv_key);
|
|
|
+ uint32_t counter;
|
|
|
uint32_t ret_status2;
|
|
|
- if(ret_status!=SGX_SUCCESS)
|
|
|
- return ret_status;
|
|
|
- // serialize public key, append mr_enclave
|
|
|
-// uint8_t* public_key_string = (uint8_t*) malloc(3*SGX_ECP256_KEY_SIZE); // for .edl file - size parameter for serialize is 96 and this fits coz we need to append the mr_enclave to the pub key
|
|
|
- serialize_key_pair_to_string(&short_term_pub_key, NULL, signature_data);
|
|
|
- reverse_byte_array(signature_data, 32);
|
|
|
- reverse_byte_array(signature_data+32, 32);
|
|
|
-
|
|
|
-
|
|
|
- for(counter=32*2; counter<32*3; counter++) // appending mr_enclave
|
|
|
- *(signature_data+counter)=0x55;//verifier_mr_enclave.m[counter]; // TODO: uncomment verifier_mrenclave
|
|
|
-// for(counter=0;counter<32*3;counter++) // TODO: REmove - for checking against js library only
|
|
|
-// *(signature_data+counter)=0x55;
|
|
|
+ if(ret_status!=0)
|
|
|
+ return ret_status;
|
|
|
+ for(counter=0;counter<32;counter++)
|
|
|
+ {
|
|
|
+ *(signature_data + counter) = short_term_public_key_arr[counter]; // public key -> x component
|
|
|
+ *(signature_data + counter + 32) = short_term_public_key_arr[counter + 32]; // public key -> y component
|
|
|
+ *(signature_data + counter + 64) = 0x55; // verifier mr_enclave // TODO: fix this.
|
|
|
+ }
|
|
|
+
|
|
|
// retrieve long-term private key from global variable - apparently, need to create a local copy or it crashes
|
|
|
sgx_ec256_private_t long_term_priv_key;
|
|
|
for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++)
|
|
@@ -318,11 +316,10 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
|
|
|
// sign public key with long-term private key
|
|
|
sgx_ec256_signature_t local_signature; sgx_ecc_state_handle_t ecc_handle;
|
|
|
|
|
|
+ // TODO: For testing/checking purposes only.
|
|
|
for(counter=0;counter<32;counter++)
|
|
|
- *(private_key+counter)=short_term_priv_key.r[counter];
|
|
|
-// uint8_t signature_data2[96];
|
|
|
-// for(counter=0;counter<96;counter++)
|
|
|
-// signature_data2[counter]=0x55;
|
|
|
+ *(private_key+counter)=short_term_private_key_arr[counter]; //short_term_priv_key.r[counter];
|
|
|
+
|
|
|
//// opening context for signature
|
|
|
ret_status = sgx_ecc256_open_context(&ecc_handle);
|
|
|
if(ret_status != SGX_SUCCESS)
|
|
@@ -450,54 +447,20 @@ uint32_t decrypt_client_data(__attribute__((unused)) unsigned char* ip_client_pu
|
|
|
int counter;
|
|
|
for(counter=0;counter<ciphertext_length;counter++)
|
|
|
op_client_data_to_apache[counter]=ip_user_data[counter];
|
|
|
-// return 0;
|
|
|
- sgx_ecc_state_handle_t ecc_handle;
|
|
|
- unsigned char local_ip_client_pub_key[64]; uint32_t ret_status; int valid_point;
|
|
|
- memcpy_equivalent_copy(local_ip_client_pub_key, ip_client_pub_key, 64);
|
|
|
- sgx_ec256_public_t client_pub_key;
|
|
|
- for(counter=0; counter<32; counter++)
|
|
|
- {
|
|
|
- client_pub_key.gx[counter] = *(local_ip_client_pub_key + counter);
|
|
|
- client_pub_key.gy[counter] = *(local_ip_client_pub_key + 32 + counter);
|
|
|
- }
|
|
|
|
|
|
-/* sgx_ec256_public_t temp_client_pub_key;
|
|
|
- sgx_ec256_private_t temp_client_priv_key;
|
|
|
- ret_status=create_ec_key_pair(&temp_client_pub_key, &temp_client_priv_key);
|
|
|
- if(ret_status == SGX_SUCCESS)
|
|
|
- return ret_status;
|
|
|
-*/
|
|
|
-// return ret_status;
|
|
|
- ret_status = sgx_ecc256_open_context(&ecc_handle);
|
|
|
- if(ret_status != SGX_SUCCESS)
|
|
|
- return ret_status;
|
|
|
+ // TODO: Shared key is only needed for testing/verification manually.
|
|
|
+ unsigned char shared_key[32];
|
|
|
+ unsigned char derived_key[32];
|
|
|
+ unsigned long check_ret = compute_shared_ECDHE_key(ip_client_pub_key, ip_client_pub_key + 32, short_term_private_key_arr, shared_key, derived_key);
|
|
|
+ if(check_ret != 0)
|
|
|
+ return check_ret;
|
|
|
|
|
|
- memset(&client_pub_key, 0, sizeof(client_pub_key));
|
|
|
-
|
|
|
-// reverse_byte_array(client_pub_key.gx, sizeof(client_pub_key.gx));
|
|
|
-// reverse_byte_array(client_pub_key.gy, sizeof(client_pub_key.gy));
|
|
|
-
|
|
|
- ret_status = sgx_ecc256_check_point(&client_pub_key, ecc_handle, &valid_point);
|
|
|
- if(valid_point == 0 && ret_status == SGX_SUCCESS)
|
|
|
+ for(counter=0;counter<32;counter++)
|
|
|
{
|
|
|
- return 0x55;
|
|
|
+ op_client_data_to_apache[counter+ciphertext_length] = shared_key[counter];
|
|
|
+ op_client_data_to_apache[counter+ciphertext_length + 32] = derived_key[counter];
|
|
|
}
|
|
|
-
|
|
|
-
|
|
|
- sgx_ec256_private_t local_short_term_priv_key;
|
|
|
- for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++)
|
|
|
- local_short_term_priv_key.r[counter] = short_term_priv_key.r[counter];
|
|
|
-
|
|
|
- sgx_ec256_dh_shared_t dh_key;
|
|
|
- ret_status=sgx_ecc256_compute_shared_dhkey(&local_short_term_priv_key, &client_pub_key, &dh_key, ecc_handle);
|
|
|
- if(ret_status != 0)
|
|
|
- return ret_status;
|
|
|
-
|
|
|
-// memcpy_equivalent_copy(op_client_data_to_apache, dh_key.s, 32);
|
|
|
-
|
|
|
- ret_status = sgx_ecc256_close_context(ecc_handle);
|
|
|
- return ret_status;
|
|
|
-
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
static void reverse_byte_array(uint8_t *array, size_t size)
|