|
|
@@ -63,7 +63,10 @@ uint32_t create_ec_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* pr
|
|
|
void serialize_key_pair_to_string( sgx_ec256_public_t* pub_key, sgx_ec256_private_t* signing_priv_key, uint8_t* private_public_key_string);
|
|
|
void deserialize_string_to_key_pair(uint8_t* private_public_key_string, sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
|
|
|
uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signature_data, __attribute__((unused)) uint8_t* signature, __attribute__((unused)) uint8_t* private_key, __attribute__((unused)) sgx_ec256_signature_t* sig2);
|
|
|
-uint32_t aes_gcm_internal_call(uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* tag, uint8_t* op_plaintext, uint32_t enc);
|
|
|
+uint32_t aes_gcm_192_call(uint32_t enc, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* op_plaintext, uint32_t* op_plaintext_length, uint8_t* tag);
|
|
|
+
|
|
|
+
|
|
|
+//uint32_t aes_gcm_internal_call(uint32_t enc, uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* op_plaintext, uint8_t* tag);
|
|
|
void memcpy_equivalent_copy(uint8_t* dest, uint8_t* src, uint32_t length);
|
|
|
|
|
|
uint32_t verify_mitigator_header_value(uint8_t* signature_data, uint8_t* signature, sgx_ec256_public_t* pub_key);
|
|
|
@@ -143,7 +146,8 @@ uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv)
|
|
|
// (I.e. if it is not called then DoS
|
|
|
uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext, uint8_t* tag)
|
|
|
{
|
|
|
- uint32_t internal_ret_status= aes_gcm_internal_call(ciphertext, 32, verifier_key, verifier_iv , tag, (uint8_t*) &(apache_mr_signer.m), 0);
|
|
|
+ uint32_t length;
|
|
|
+ uint32_t internal_ret_status= aes_gcm_192_call(0, verifier_key, verifier_iv, ciphertext, 32, (uint8_t*) &(apache_mr_signer.m), &length, tag);
|
|
|
return internal_ret_status;
|
|
|
}
|
|
|
|
|
|
@@ -151,7 +155,7 @@ uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext, uint
|
|
|
uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag, uint8_t* signing_private_key, __attribute__((unused)) sgx_ec256_signature_t* sig2)
|
|
|
|
|
|
{
|
|
|
- uint32_t count;
|
|
|
+ uint32_t count; uint32_t length;
|
|
|
uint8_t sign_data_and_sign[160];
|
|
|
uint32_t ret_status=create_mitigator_header_value(sign_data_and_sign, sign_data_and_sign+96, signing_private_key, sig2);
|
|
|
if(ret_status != SGX_SUCCESS)
|
|
|
@@ -160,7 +164,7 @@ uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_
|
|
|
for(count=0; count<160; count++)
|
|
|
*(plaintext_sign_data_and_sign+count)=sign_data_and_sign[count];
|
|
|
|
|
|
- ret_status = aes_gcm_internal_call(sign_data_and_sign, 160, apache_key, apache_iv, tag, encrypted_sign_data_and_sign, 1);
|
|
|
+ ret_status = aes_gcm_192_call(1, apache_key, apache_iv, sign_data_and_sign, 160, encrypted_sign_data_and_sign, &length, tag);
|
|
|
// ret_status = encrypt_internal(sign_data_and_sign, 160, tag, encrypted_sign_data_and_sign);
|
|
|
aes_gcm_increment_iv_internal_call(apache_iv);
|
|
|
return ret_status;
|
|
|
@@ -395,7 +399,7 @@ uint32_t calculate_sealed_data_size( uint32_t input_size)
|
|
|
|
|
|
// ip_key will always be within the enclave.
|
|
|
// enc = 1 for encryption and 0 for decryption, like openssl api
|
|
|
-uint32_t aes_gcm_internal_call(uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* tag, uint8_t* op_plaintext, uint32_t enc)
|
|
|
+uint32_t aes_gcm_192_call(uint32_t enc, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* op_plaintext, uint32_t* op_plaintext_length, uint8_t* tag)
|
|
|
{
|
|
|
uint32_t counter;
|
|
|
if(ip_ciphertext == NULL)
|
|
|
@@ -428,6 +432,7 @@ uint32_t aes_gcm_internal_call(uint8_t* ip_ciphertext, uint32_t ip_ciphertext_le
|
|
|
memcpy_equivalent_copy(op_plaintext, op_plaintext_in_enclave, ip_ciphertext_len);
|
|
|
if(enc)
|
|
|
memcpy_equivalent_copy(tag, tag_in_enclave, 16);
|
|
|
+ *op_plaintext_length = ip_ciphertext_len;
|
|
|
}
|
|
|
|
|
|
free(ip_ciphertext_in_enclave); free(op_plaintext_in_enclave);
|
|
|
@@ -442,68 +447,78 @@ void memcpy_equivalent_copy(uint8_t* dest, uint8_t* src, uint32_t length)
|
|
|
*(dest + counter) = *(src + counter);
|
|
|
}
|
|
|
|
|
|
-uint32_t decrypt_client_data(unsigned char* ip_client_pub_key, unsigned char* ip_base64_encrypted_client_data, uint32_t base64_encrypted_client_data_length, unsigned char* op_client_data_to_apache, uint8_t* clen)
|
|
|
+// Output buffer should be of length at least equal to the second argument.
|
|
|
+uint32_t decrypt_client_data(unsigned char* ip_encrypted_client_pub_key_and_data, uint32_t ip_encrypted_client_pub_key_and_data_length, unsigned char* op_client_data, uint8_t* clen)
|
|
|
{
|
|
|
- unsigned int counter; unsigned long check_ret; uint32_t ret; int ret2;
|
|
|
+ unsigned int counter; unsigned long check_ret; uint32_t ret;
|
|
|
unsigned char derived_key[32];
|
|
|
- unsigned char* ip_encrypted_client_data;
|
|
|
- int ip_encrypted_client_data_length;
|
|
|
- unsigned char* plaintext_client_data;
|
|
|
+ unsigned char* plaintext_client_public_key;
|
|
|
+ unsigned char* plaintext_client_data;
|
|
|
+ unsigned char* client_data_encrypted_to_decryptor;
|
|
|
+ uint32_t client_data_encrypted_to_decryptor_length;
|
|
|
+ unsigned char* tag_for_client_data_encrypted_to_decryptor;
|
|
|
+ unsigned char* client_data_encrypted_to_apache;
|
|
|
+ uint32_t client_data_encrypted_to_apache_length;
|
|
|
+ unsigned char tag_for_client_data_encrypted_to_apache[16];
|
|
|
+ unsigned char* temp_array;
|
|
|
+ uint32_t temp_array_valid_length;
|
|
|
unsigned char client_iv[12]={0,0,0,0, 0,0,0,0, 0,0,0,0};
|
|
|
- int op_encrypted_client_data_length; // As the internal enclave aes gcm function wont work with external pointers
|
|
|
|
|
|
- for(counter=0;counter<base64_encrypted_client_data_length;counter++)
|
|
|
- op_client_data_to_apache[counter]=ip_base64_encrypted_client_data[counter];
|
|
|
- *clen = (uint8_t) base64_encrypted_client_data_length;
|
|
|
+ for(counter=0;counter<ip_encrypted_client_pub_key_and_data_length;counter++)
|
|
|
+ op_client_data[counter]=ip_encrypted_client_pub_key_and_data[counter];
|
|
|
+ *clen = (uint8_t) ip_encrypted_client_pub_key_and_data_length;
|
|
|
|
|
|
- check_ret = compute_ecdh_shared_key(ip_client_pub_key, ip_client_pub_key + 32, short_term_private_key_arr, derived_key);
|
|
|
+ temp_array = (unsigned char*) malloc(ip_encrypted_client_pub_key_and_data_length);
|
|
|
+ // TODO: Remove aes_gcm_internal_call function - upgrade to using openssl's aesgcm 192 bit enc
|
|
|
+ // TODO: Change the returned 2nd length o/p to be incoming length - tag length for decryption and incoming length + 16 for encryption
|
|
|
+ ret = aes_gcm_192_call(0, apache_key, apache_iv, ip_encrypted_client_pub_key_and_data, ip_encrypted_client_pub_key_and_data_length, temp_array, &temp_array_valid_length, ip_encrypted_client_pub_key_and_data + ip_encrypted_client_pub_key_and_data_length - 16);
|
|
|
+ if(ret != 0)
|
|
|
+ {
|
|
|
+ free(temp_array);
|
|
|
+ return ret;
|
|
|
+ }
|
|
|
+ // Temp_array = {X component of public key (32 bytes), Y component of public key (32 bytes), client data encrypted to decryptor (x), tag for client data encrypted to decryptor (16 bytes)
|
|
|
+ // therefore, length x = temp_array_valid_length - 64 (for public key) - 16 (for own tag)
|
|
|
+ plaintext_client_public_key = temp_array;
|
|
|
+ client_data_encrypted_to_decryptor = temp_array + 64;
|
|
|
+ client_data_encrypted_to_decryptor_length = temp_array_valid_length - 64 - 16;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = temp_array + 64 + client_data_encrypted_to_decryptor_length;
|
|
|
+
|
|
|
+ check_ret = compute_ecdh_shared_key(plaintext_client_public_key, plaintext_client_public_key + 32, short_term_private_key_arr, derived_key);
|
|
|
if(check_ret != 0)
|
|
|
- return check_ret;
|
|
|
-
|
|
|
- // TODO: For debugging only.
|
|
|
-// for(counter=0;counter<32;counter++)
|
|
|
-// op_client_data_to_apache[counter + base64_encrypted_client_data_length + 32] = derived_key[counter];
|
|
|
-
|
|
|
- ip_encrypted_client_data = (unsigned char*) malloc(base64_encrypted_client_data_length*3/4); // ciphertext length will be a multiple of 4; this is the maximum length.
|
|
|
- ip_encrypted_client_data_length = base64_decoding_wrapper(ip_base64_encrypted_client_data, ip_encrypted_client_data, base64_encrypted_client_data_length);
|
|
|
- if(ip_encrypted_client_data_length == -1)
|
|
|
{
|
|
|
- free(ip_encrypted_client_data);
|
|
|
- return 0x33; //ret;
|
|
|
+ plaintext_client_public_key = NULL;
|
|
|
+ client_data_encrypted_to_decryptor = NULL;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
+ free(temp_array);
|
|
|
+ return check_ret;
|
|
|
}
|
|
|
|
|
|
- for(counter=0; counter<ip_encrypted_client_data_length; counter++)
|
|
|
- op_client_data_to_apache[counter] = ip_encrypted_client_data[counter];
|
|
|
- *clen = (uint8_t) ip_encrypted_client_data_length;
|
|
|
-
|
|
|
- plaintext_client_data = (unsigned char*) malloc(ip_encrypted_client_data_length);
|
|
|
- check_ret = aes_gcm(0, derived_key, client_iv, ip_encrypted_client_data, ip_encrypted_client_data_length - 16, plaintext_client_data, &op_encrypted_client_data_length, ip_encrypted_client_data + (ip_encrypted_client_data_length - 16));
|
|
|
+ check_ret = aes_gcm(0, derived_key, client_iv, client_data_encrypted_to_decryptor, client_data_encrypted_to_decryptor_length, temp_array, &temp_array_valid_length, tag_for_client_data_encrypted_to_decryptor);
|
|
|
if(check_ret != 0)
|
|
|
{
|
|
|
- free(ip_encrypted_client_data);
|
|
|
- free(plaintext_client_data);
|
|
|
+ plaintext_client_public_key = NULL;
|
|
|
+ client_data_encrypted_to_decryptor = NULL;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
+ free(temp_array);
|
|
|
return check_ret;
|
|
|
}
|
|
|
|
|
|
- // TODO: Encryption here - with aes128bit gcm to apache.
|
|
|
- for(counter=0; counter<op_encrypted_client_data_length; counter++)
|
|
|
- op_client_data_to_apache[counter] = plaintext_client_data[counter];
|
|
|
- *clen = (uint8_t) op_encrypted_client_data_length;
|
|
|
- free(ip_encrypted_client_data);
|
|
|
- free(plaintext_client_data);
|
|
|
-
|
|
|
- return 0;//result;
|
|
|
-}
|
|
|
+ client_data_encrypted_to_apache = (uint8_t*) malloc(temp_array_valid_length);
|
|
|
+ ret = aes_gcm_192_call(1, apache_key, apache_iv, temp_array, temp_array_valid_length, client_data_encrypted_to_apache, &client_data_encrypted_to_apache_length, tag_for_client_data_encrypted_to_apache);
|
|
|
+ if(ret == 0)
|
|
|
+ {
|
|
|
+ for(counter=0; counter<client_data_encrypted_to_apache_length; counter++)
|
|
|
+ op_client_data[counter] = client_data_encrypted_to_apache[counter];
|
|
|
+ for(counter=0; counter<16; counter++)
|
|
|
+ op_client_data[counter] = tag_for_client_data_encrypted_to_apache[counter];
|
|
|
+ *clen = (uint8_t) client_data_encrypted_to_apache_length + 16; // Need to give in the total wire length
|
|
|
+ }
|
|
|
|
|
|
-/*
|
|
|
-static void reverse_byte_array(uint8_t *array, size_t size)
|
|
|
-{
|
|
|
- size_t i = 0;
|
|
|
- for(i = 0; i < size / 2; i++)
|
|
|
- {
|
|
|
- uint8_t temp = array[i];
|
|
|
- array[i] = array[size - i - 1];
|
|
|
- array[size - i - 1] = temp;
|
|
|
- }
|
|
|
+ plaintext_client_public_key = NULL;
|
|
|
+ client_data_encrypted_to_decryptor = NULL;
|
|
|
+ tag_for_client_data_encrypted_to_decryptor = NULL;
|
|
|
+ free(temp_array);
|
|
|
+ free(client_data_encrypted_to_apache);
|
|
|
+ return ret;
|
|
|
}
|
|
|
-*/
|
dettanym