Home Explore Help
Sign In
miti
/
Decryptor
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Compiled and linked against working copy of ECDHE key generation (Mitigator header) + shared secret + derived key code. Can port ECDSA signing code to openssl for clarity.

dettanym 5 years ago
parent
c508171e76
commit
61c3e45943
2 changed files with 40 additions and 77 deletions
Split View Show Diff Stats
  1. 12 12
      App/systemLA.cpp
  2. 28 65
      Decryptor/Decryptor.cpp

+ 12 - 12
App/systemLA.cpp
View File 

@@ -305,26 +305,17 @@ int decrypt_client_data_wrapper(unsigned char* op_plaintext , uint32_t own_encla
 
 
 	uint32_t ciphertext_length = protobuf_encrypted_msg_string.length()-64; // we hope it's greater than 0 
 
-	unsigned char pub_key[64];
 
         printf("Key in big endian form:\n"); fflush(stdout); 
         for(counter=0; counter<64; counter++)
 
                 printf("0x%02x ", *(client_data_from_apache + counter)); 
         printf("\n"); fflush(stdout); 
 
-	for(counter=0; counter<32; counter++)
 
-	{
 
-		*(pub_key + counter) = *(client_data_from_apache + 31 - counter); 
-		*(pub_key + 32 + counter) = *(client_data_from_apache + 63 - counter); 
-	}
 
-
 
-	printf("Key in lil endian form:\n"); fflush(stdout); 
-	for(counter=0; counter<64; counter++)
 
-		printf("0x%02x ", *(pub_key + counter)); 
-	printf("\n"); fflush(stdout); 
 	unsigned char client_data_to_apache[160+64]; //ciphertext_length); 
+	// Just so that the ciphertext is returned back to Apache in case decrypt_client_data fails. 
 	for(counter=0;counter<ciphertext_length;counter++)
 
 		client_data_to_apache[counter]=client_data_from_apache[counter+64];
 
-	Decryptor_decrypt_client_data(own_enclave_id, &sgx_ret_status, pub_key, ciphertext_length, client_data_from_apache + 64, client_data_to_apache); 
+
 
+	Decryptor_decrypt_client_data(own_enclave_id, &sgx_ret_status, client_data_from_apache, ciphertext_length, client_data_from_apache + 64, client_data_to_apache); 
 	if(sgx_ret_status != 0)
 
 	{
 
 		printf("decrypt_client_data returned :0x%x\n", sgx_ret_status); fflush(stdout); //return sgx_ret_status; 
@@ -338,6 +329,15 @@ int decrypt_client_data_wrapper(unsigned char* op_plaintext , uint32_t own_encla
 
 	for(counter=0;counter<ciphertext_length;counter++)
 
 		printf("0x%02x ", client_data_to_apache[counter]);
 
 	printf("\n"); fflush(stdout);
 
+	printf("Following shared secret was established.\n"); 
+	for(counter=ciphertext_length;counter<32+ciphertext_length;counter++)
 
+                printf("0x%02x ", client_data_to_apache[counter]);
 
+        printf("\n"); fflush(stdout);
 
+        printf("Following key was derived.\n"); 
+        for(counter=ciphertext_length+32;counter<64+ciphertext_length;counter++)
 
+                printf("0x%02x ", client_data_to_apache[counter]);
 
+	printf("\n"); fflush(stdout);
 
+
 
         protobuf_encrypted_msg.set_msg((void*)  client_data_to_apache, ciphertext_length);// Is this message set tho?
 
 	if(write_protobuf_msg_to_fd(apache_fd, protobuf_encrypted_msg)!=0)
 
 	{

+ 28 - 65
Decryptor/Decryptor.cpp
View File 

@@ -42,7 +42,7 @@
 
 #include "sgx_tcrypto.h"
 
 #include "LocalAttestationCode_t.h"
 
 #include "sgx_tseal.h"
 
-
 
+#include "Openssl_crypto.h"
 
 
 
 
@@ -80,6 +80,9 @@ static void reverse_byte_array(uint8_t *array, size_t size);
 
 uint32_t one_la_done=0; 
 static sgx_ec256_public_t short_term_pub_key;
 
 static sgx_ec256_private_t short_term_priv_key; 
+unsigned char short_term_private_key_arr[32]; 
+unsigned char short_term_public_key_arr[64];
 
+
 
 //sgx_ec256_signature_t generated_signature; // TODO: remove 
 sgx_measurement_t apache_mr_signer; // TODO: remove 
 sgx_measurement_t verifier_mr_enclave; // TODO: remove 
@@ -292,25 +295,20 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
 
 	// Otherwise: DoS or possible bypass (fake verifier does LA  but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave  or whatever is in the memory. 
 	if(one_la_done < 1)
 
 		return 0xde;  //  This needs to be called at any point after the first local attestation is done - else, a junk verifier mrenclave will be included in the signature
 
-	// TODO: Comment this
 
-	// memset(&(verifier_mr_enclave.m), 0x55, 32); 
 
 	// create key pair
 
-	uint32_t ret_status = create_ec_key_pair(&short_term_pub_key, &short_term_priv_key);  uint32_t counter;
 
+	uint32_t ret_status = ec_key_gen(short_term_public_key_arr, short_term_public_key_arr + 32, short_term_private_key_arr); //create_ec_key_pair(&short_term_pub_key, &short_term_priv_key);  
+	uint32_t counter;
 
 	uint32_t ret_status2;
 
-        if(ret_status!=SGX_SUCCESS)
 
-           return ret_status;
 
-	// serialize public key, append mr_enclave 
-//	uint8_t* public_key_string = (uint8_t*) malloc(3*SGX_ECP256_KEY_SIZE); // for .edl file - size parameter for serialize is 96 and this fits coz we need to append the mr_enclave to the pub key 
-	serialize_key_pair_to_string(&short_term_pub_key, NULL, signature_data);
 
-	reverse_byte_array(signature_data, 32);
 
-	reverse_byte_array(signature_data+32, 32);
 
-
 
-
 
-	for(counter=32*2; counter<32*3; counter++) // appending mr_enclave
 
-		*(signature_data+counter)=0x55;//verifier_mr_enclave.m[counter]; // TODO: uncomment verifier_mrenclave
 
-//	for(counter=0;counter<32*3;counter++) // TODO: REmove - for checking against js library only
 
-//		*(signature_data+counter)=0x55; 
+        if(ret_status!=0)
 
+           return ret_status; 
+	for(counter=0;counter<32;counter++)
 
+	{
 
+		*(signature_data + counter) = short_term_public_key_arr[counter]; // public key -> x component
 
+		*(signature_data + counter + 32) = short_term_public_key_arr[counter + 32]; // public key -> y component
 
+		*(signature_data + counter + 64) = 0x55; // verifier mr_enclave // TODO: fix this. 
+	}
 
+	
 	// retrieve long-term private key from global variable - apparently, need to create a local copy or it crashes
 
 	sgx_ec256_private_t long_term_priv_key;
 
 	for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++) 
@@ -318,11 +316,10 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
 
 	// sign public key with long-term private key 
 	sgx_ec256_signature_t local_signature; sgx_ecc_state_handle_t ecc_handle; 
 
+	// TODO: For testing/checking purposes only. 
 	for(counter=0;counter<32;counter++)
 
-		*(private_key+counter)=short_term_priv_key.r[counter]; 
-//	uint8_t signature_data2[96];
 
-//	for(counter=0;counter<96;counter++)
 
-//		signature_data2[counter]=0x55; 
+		*(private_key+counter)=short_term_private_key_arr[counter];  //short_term_priv_key.r[counter]; 
+
 
 	//// opening context for signature
 
 	ret_status = sgx_ecc256_open_context(&ecc_handle); 
 	if(ret_status != SGX_SUCCESS) 
@@ -450,54 +447,20 @@ uint32_t decrypt_client_data(__attribute__((unused)) unsigned char* ip_client_pu
 
 	int counter;
 
 	for(counter=0;counter<ciphertext_length;counter++)
 
 		op_client_data_to_apache[counter]=ip_user_data[counter]; 
-//	return 0;
 
-	sgx_ecc_state_handle_t ecc_handle;
 
-	unsigned char local_ip_client_pub_key[64]; uint32_t ret_status; int valid_point; 
-	memcpy_equivalent_copy(local_ip_client_pub_key, ip_client_pub_key, 64);	
-	sgx_ec256_public_t client_pub_key; 
-	for(counter=0; counter<32; counter++)
 
-	{
 
-		client_pub_key.gx[counter] = *(local_ip_client_pub_key + counter); 
-		client_pub_key.gy[counter] = *(local_ip_client_pub_key + 32 + counter); 
-	}
 
 
-/*	sgx_ec256_public_t temp_client_pub_key; 
-	sgx_ec256_private_t temp_client_priv_key; 
-	ret_status=create_ec_key_pair(&temp_client_pub_key, &temp_client_priv_key); 
-	if(ret_status == SGX_SUCCESS) 
-		return ret_status; 
-*/
 
-//	return ret_status;
 
-        ret_status = sgx_ecc256_open_context(&ecc_handle); 
-        if(ret_status != SGX_SUCCESS) 
-                return ret_status; 
+	// TODO: Shared key is only needed for testing/verification manually. 
+	unsigned char shared_key[32];
 
+	unsigned char derived_key[32]; 
+	unsigned long check_ret = compute_shared_ECDHE_key(ip_client_pub_key, ip_client_pub_key + 32, short_term_private_key_arr, shared_key, derived_key);
 
+	if(check_ret != 0)
 
+		return check_ret; 
 
-	memset(&client_pub_key, 0, sizeof(client_pub_key));
 
-
 
-//	reverse_byte_array(client_pub_key.gx, sizeof(client_pub_key.gx));
 
-//	reverse_byte_array(client_pub_key.gy, sizeof(client_pub_key.gy));
 
-
 
-        ret_status = sgx_ecc256_check_point(&client_pub_key, ecc_handle, &valid_point); 
-	if(valid_point == 0 && ret_status == SGX_SUCCESS)
 
+	for(counter=0;counter<32;counter++)
 
 	{
 
-		return 0x55;
 
+		op_client_data_to_apache[counter+ciphertext_length] = shared_key[counter];
 
+		op_client_data_to_apache[counter+ciphertext_length + 32] = derived_key[counter];
 
 	}
 
-
 
-
 
-	sgx_ec256_private_t local_short_term_priv_key;
 
-        for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++) 
-                local_short_term_priv_key.r[counter] = short_term_priv_key.r[counter];  
-
 
-	sgx_ec256_dh_shared_t dh_key; 
-	ret_status=sgx_ecc256_compute_shared_dhkey(&local_short_term_priv_key, &client_pub_key, &dh_key, ecc_handle); 
-	if(ret_status != 0)
 
-		return ret_status; 
-
 
-//	memcpy_equivalent_copy(op_client_data_to_apache, dh_key.s, 32); 
-	
-	ret_status = sgx_ecc256_close_context(ecc_handle); 
-	return ret_status; 
-
 
+	return 0;
 
 }
 
 
 static void reverse_byte_array(uint8_t *array, size_t size)