Modified ecalls and interface for post-LA AES encryption and decryption functions. Seems to work

App/App.cpp

@@ -219,16 +219,16 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       }
       printf("\n Recovered the ecdsa key pair successfully - gx, gy\n");
       for(counter=0;counter<32;counter++)
-	printf("0x%x ",pub_key.gx[counter]);
-      printf("\n");
+	printf("%02x",pub_key.gx[31-counter]);
+//      printf("\n");
       for(counter=0;counter<32;counter++)
-	        printf("0x%x ",pub_key.gy[counter]);
+	        printf("%02x",pub_key.gy[31-counter]);
       printf("\n");
       fflush(stdout);
     }
 
     close(sealed_signing_key_fd);
-    
+  
     // LA with the verifier 
     ret_status=local_attestation_initiator(3824, e2_enclave_id);
     if(ret_status!=0)
@@ -246,16 +246,16 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
 
 
 
-/*
-    // LA with the apache - currently set to return failure - should change it to success when the code to send the mrsigner from the verifier to the decryptor is added- TODO: <--- that 
+
+/*    // LA with the apache - currently set to return failure - should change it to success when the code to send the mrsigner from the verifier to the decryptor is added- TODO: <--- that 
     ret_status=local_attestation_initiator(3826, e2_enclave_id); // TODO: Change port or sth
     if(ret_status!=0)
     {
         printf("local attestation - with apache - did not successfully return: %x\n", ret_status); fflush(stdout);     sgx_destroy_enclave(e2_enclave_id);
 return 0xFFFFFFFF;
 
-    }*/
-    // TODO: Continue with other msgs - send sign(enc | verifier mr_enclave)
+    }
+*/    // TODO: Continue with other msgs - send sign(enc | verifier mr_enclave)
     sgx_destroy_enclave(e2_enclave_id);
 
     return 0;

App/protobufLAInitiator.cpp

@@ -52,68 +52,3 @@ int process_protobuf_dh_msg2_generate_protobuf_dh_msg3(uint32_t own_enclave_id,
   fflush(stdout);
   return 0;
 }
-
-int decrypt_wrapper(uint32_t own_enclave_id, uint8_t* ciphertext, uint32_t ciphertext_len,  uint8_t* tag , uint8_t* plaintext)
-{
-	uint32_t ret_status;	
-        printf("received tag: \n"); fflush(stdout); 
-        uint32_t count;
-        for(count=0;count<16;count++) 
-                printf("0x%02x ",tag[count]);
-        printf("\n"); fflush(stdout); 
-        for(count=0;count<ciphertext_len;count++) 
-                printf("0x%02x ",ciphertext[count]);
-        printf("\n"); fflush(stdout); 
-	Decryptor_decrypt(own_enclave_id, &ret_status, ciphertext, ciphertext_len, tag, plaintext); 
-	if(ret_status!=0)
-        {
-                printf("encryption/decryption failed\n"); fflush(stdout); 
-        //        return ret_status;
-        }
-//	else {
-        printf("received ciphertext: \n"); fflush(stdout); 
-//        uint32_t count;
-        for(count=0;count<32;count++) 
-                printf("0x%x ",ciphertext[count]);
-        printf("\n"); fflush(stdout); 
-        printf("received plaintext: \n"); fflush(stdout); 
-        for(count=0;count<32;count++) 
-                printf("0x%x ",plaintext[count]);
-        printf("\n"); fflush(stdout); 
-//	}
-
-	return ret_status;
-}
-
-int encrypt_wrapper(uint32_t own_enclave_id, uint8_t* ciphertext, uint32_t ciphertext_len,  uint8_t* tag , uint8_t* plaintext)
-{
-        uint32_t ret_status;
-        printf("received tag: \n"); fflush(stdout);
-        uint32_t count;
-        for(count=0;count<16;count++)
-                printf("0x%02x ",tag[count]);
-        printf("\n"); fflush(stdout);
-        for(count=0;count<ciphertext_len;count++)
-                printf("0x%02x ",ciphertext[count]);
-        printf("\n"); fflush(stdout);
-        Decryptor_encrypt(own_enclave_id, &ret_status, ciphertext, ciphertext_len, tag, plaintext);
-        if(ret_status!=0)
-        {
-                printf("encryption/decryption failed\n"); fflush(stdout);
-        //        return ret_status;
-        }
-//      else {
-        printf("received ciphertext: \n"); fflush(stdout);
-//        uint32_t count;
-        for(count=0;count<32;count++)
-                printf("0x%x ",ciphertext[count]);
-        printf("\n"); fflush(stdout);
-        printf("received plaintext: \n"); fflush(stdout);
-        for(count=0;count<32;count++)
-                printf("0x%x ",plaintext[count]);
-        printf("\n"); fflush(stdout);
-//      }
-
-        return ret_status;
-}
-

App/systemLA.cpp

@@ -171,22 +171,23 @@ int local_attestation_initiator(int port, uint32_t own_enclave_id)
   	printf("\n");fflush(stdout); 
 //  sgx_ret=decrypt_wrapper(own_enclave_id, encrypted_apache_mrsigner_and_tag, 32, encrypted_apache_mrsigner_and_tag+32 , plaintext); 
 Decryptor_decrypt_verifiers_message_set_apache_mrsigner(own_enclave_id, &sgx_ret, encrypted_apache_mrsigner_and_tag, encrypted_apache_mrsigner_and_tag+32);
-
  	 if(sgx_ret!=0)
 	  {
 	printf("Error in decryption: 0x%x\n", sgx_ret); fflush(stdout); return sgx_ret; 
 	  }
 	  printf("Successful decryption\n"); fflush(stdout); 
+//Decryptor_aes_gcm_internal_call(own_enclave_id, &sgx_ret, NULL, 0, NULL, NULL, NULL, NULL); 
+
   }
   else 
   {
 	uint8_t encrypted_sign_data_and_sign_and_tag[176];
 	memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
 	uint8_t plaintext_sign_data_and_sign[160];
-	
+	uint8_t plaintext_priv_key[32];	
 //uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag);
-
-	Decryptor_create_and_encrypt_mitigator_header_value(own_enclave_id, &sgx_ret, plaintext_sign_data_and_sign, encrypted_sign_data_and_sign_and_tag , encrypted_sign_data_and_sign_and_tag+160);
+	sgx_ec256_signature_t sig2;
+	Decryptor_create_and_encrypt_mitigator_header_value(own_enclave_id, &sgx_ret, plaintext_sign_data_and_sign, encrypted_sign_data_and_sign_and_tag , encrypted_sign_data_and_sign_and_tag+160, plaintext_priv_key,&sig2);
 	if(sgx_ret!=0)
 	{
 		printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout); return 0xf3;
@@ -194,7 +195,6 @@ Decryptor_decrypt_verifiers_message_set_apache_mrsigner(own_enclave_id, &sgx_ret
 	for(count=0;count<160;count++)
 	{
 		printf("0x%02x ", encrypted_sign_data_and_sign_and_tag[count]);
-
 	}
 	printf("\n"); fflush(stdout); 
 	printf("Plaintext Signature data:\n"); fflush(stdout); 
@@ -207,14 +207,34 @@ Decryptor_decrypt_verifiers_message_set_apache_mrsigner(own_enclave_id, &sgx_ret
 	
 	printf("Plaintext signature: \n"); fflush(stdout); 
 //        printf("Signature data:\n"); fflush(stdout); 
-        for(count=0;count<64;count++)
+        for(count=0;count<32;count++)
         {
-                printf("0x%02x ", plaintext_sign_data_and_sign[count+96]);
+                printf("%02x", plaintext_sign_data_and_sign[count+96]);
+        }
+	printf("\n"); fflush(stdout);
+        for(count=32;count<64;count++)
+        {
+                printf("%02x", plaintext_sign_data_and_sign[count+96]);
 
         }
-        printf("\n"); fflush(stdout);
 
+        printf("\n"); fflush(stdout);
+	printf("Heres the private key used to sign this \n"); // TODO: Remove this printf and the private key parts to the ecall
+	for(count=0;count<32;count++)
+		printf("%02x", plaintext_priv_key[31-count]);
+        printf("\n"); fflush(stdout);
+	for(count=0;count<8;count++)
+	{
+		printf("%02x ", sig2.x[count]);
+	}
+	printf("\n"); fflush(stdout);
 
+        for(count=0;count<8;count++)
+        {
+                printf("%02x ", sig2.y[count]);
+        }
+        printf("\n"); fflush(stdout);
+        
 	// TODO: code to write signature data first	
 	bytes_written_post_la=write(accept_fd, encrypted_sign_data_and_sign_and_tag, 176);
 	  if(bytes_written_post_la!=176)

Decryptor/Decryptor.cpp

@@ -44,11 +44,24 @@
 #include "LocalAttestationCode_t.h"
 #include "sgx_tseal.h"
 
+//extern dh_session_t global_session_info;
+uint8_t apache_iv[12] = {0,0,0,0, 0,0,0,0, 0,0,0,0};
+uint8_t client_iv[12] = {0,0,0,0, 0,0,0,0, 0,0,0,0};
+uint8_t verifier_iv[12] = {0,0,0,0, 0,0,0,0, 0,0,0,0};
+extern uint8_t apache_key[16]; 
+extern uint8_t verifier_key[16]; 
+
+
+//uint32_t client_iv=0; 
+
 // internal-internal
 uint32_t create_ec_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
 void serialize_key_pair_to_string( sgx_ec256_public_t* pub_key, sgx_ec256_private_t* signing_priv_key, uint8_t* private_public_key_string);
 void deserialize_string_to_key_pair(uint8_t* private_public_key_string, sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key); 
-uint32_t create_mitigator_header_value(uint8_t* signature_data, uint8_t* signature); 
+uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signature_data, __attribute__((unused)) uint8_t* signature, __attribute__((unused)) uint8_t* private_key,  __attribute__((unused)) sgx_ec256_signature_t* sig2); 
+uint32_t aes_gcm_internal_call(uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* tag, uint8_t* op_plaintext, uint32_t enc);
+void memcpy_equivalent_copy(uint8_t* dest, uint8_t* src, uint32_t length);
+
 uint32_t verify_mitigator_header_value(uint8_t* signature_data, uint8_t* signature, sgx_ec256_public_t* pub_key);
 
 uint32_t calculate_sealed_data_size( uint32_t input_size) ; 
@@ -56,14 +69,13 @@ uint32_t create_and_seal_ecdsa_signing_key_pair(__attribute__((unused))   sgx_ec
 uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_ec256_public_t* pub_key, uint8_t* sealed_data, size_t* sgx_sealed_data_length);
 
 uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext, uint8_t* tag);
-//uint32_t create_and_encrypt_mitigator_header_value(uint8_t* signature_data, uint8_t* signature, uint8_t* tag);
-uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag, sgx_ec256_public_t* pub_key);
+uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag, uint8_t* signing_private_key, __attribute__((unused)) sgx_ec256_signature_t* sig2);
 
 
 uint32_t one_la_done=0; 
 static sgx_ec256_public_t short_term_pub_key;
 static sgx_ec256_private_t short_term_priv_key; 
-sgx_ec256_signature_t generated_signature; // TODO: remove 
+//sgx_ec256_signature_t generated_signature; // TODO: remove 
 sgx_measurement_t apache_mr_signer; // TODO: remove 
 sgx_measurement_t verifier_mr_enclave; // TODO: remove 
 static sgx_ec256_private_t signing_priv_key; 
@@ -77,8 +89,12 @@ extern "C" uint32_t verify_peer_enclave_trust(__attribute__((unused))  sgx_dh_se
 	}
 	if(one_la_done==0)
 	{
-                for(count=0; count<SGX_HASH_SIZE; count++)
-			verifier_mr_enclave.m[count]=peer_enclave_identity->mr_enclave.m[count]; 
+//		return 0x55;
+		//sgx_measurement_t local_mr_enclave;
+		verifier_mr_enclave = peer_enclave_identity->mr_enclave;
+//		memset(&(verifier_mr_enclave.m),0x0, SGX_HASH_SIZE) ; 
+//                for(count=0; count<SGX_HASH_SIZE; count++)
+//			(&verifier_mr_enclave)->m[count]=0x55;//peer_enclave_identity->mr_enclave.m[count]; 
 		memset(&(apache_mr_signer.m),0x0,SGX_HASH_SIZE); // "initialization" 
 		one_la_done=1;
 
@@ -98,33 +114,50 @@ extern "C" uint32_t verify_peer_enclave_trust(__attribute__((unused))  sgx_dh_se
 	return SGX_SUCCESS;
 }
 
+// increments last 4 bytes (in big-endian order) 
+uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv)
+{
+	uint32_t counter;
+	for(counter=11;counter>7;counter--)
+	{
+		if(iv[counter] == 0xff) 
+		{
+			if(counter - 1 == 7)
+				return 0xff; 
+			iv[counter-1] = 0x01;
+			iv[counter] = 0x0;  
+		}
+		else
+			iv[counter] += 1; 
+	}
+	return 0; 
+}
+
+// TODO: change global_session_info to two different dh_sessions 
 // This needs to be called after the first local attestation is successful - otherwise, the internal apache_mr_signer.m will not be set properly for the comparison of the mrsigner for the 2nd LA in verify_peer_enclave_trust. 
 // (I.e. if it is not called then DoS 
 uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext, uint8_t* tag)
 {
-return 	decrypt(ciphertext, 32, tag, (uint8_t*) &(apache_mr_signer.m)); 
-//	if(mrsigner_decryption_successful !=0)
-//		return mrsigner_decryption_successful; 
+	uint32_t internal_ret_status= aes_gcm_internal_call(ciphertext, 32, verifier_key, verifier_iv , tag, (uint8_t*) &(apache_mr_signer.m), 0);
+	return internal_ret_status;
 }
 
 // signature_data - 96 bytes, encrypted_signature assumed to be at least 64 bytes, tag - at least 16 bytes
-uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag)
+uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag, uint8_t* signing_private_key, __attribute__((unused)) sgx_ec256_signature_t* sig2)
+
 {
 	uint32_t count;
 	uint8_t sign_data_and_sign[160]; 
-	uint32_t ret_status=create_mitigator_header_value(sign_data_and_sign, sign_data_and_sign+96);
+	uint32_t ret_status=create_mitigator_header_value(sign_data_and_sign, sign_data_and_sign+96, signing_private_key, sig2);
 	if(ret_status != SGX_SUCCESS)
-        {
-		//      printf("Could not generate or sign another keypair for client-side, error:%x.\n", ret_status); fflush(stdout);
-		return 0xFFFFFFDD;
-	}
-//	ret_status=verify_mitigator_header_value(sign_data_and_sign, sign_data_and_sign+96, pub_key); 
-//	if(ret_status !=0)
-//		return ret_status; 
+        	return 0xFFFFFFDD;
+	// TODO: Remove - just for troubleshooting
 	for(count=0; count<160; count++)
 		*(plaintext_sign_data_and_sign+count)=sign_data_and_sign[count]; 
 
-	ret_status = encrypt_internal(sign_data_and_sign, 160, tag, encrypted_sign_data_and_sign); 
+	ret_status = aes_gcm_internal_call(sign_data_and_sign, 160, apache_key, apache_iv, tag, encrypted_sign_data_and_sign, 1); 
+//	ret_status = encrypt_internal(sign_data_and_sign, 160, tag, encrypted_sign_data_and_sign); 
+	aes_gcm_increment_iv_internal_call(apache_iv); 
 	return ret_status; 
 }
 
@@ -227,13 +260,6 @@ uint32_t create_and_seal_ecdsa_signing_key_pair(__attribute__((unused))   sgx_ec
     return ret_status; // SGX_SUCCESS; 
 }
 
-/*
-uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_ec256_public_t* pub_key, __attribute__((unused))  uint8_t* sealed_data, __attribute__((unused))   uint32_t* sgx_sealed_data_length)
-{
-	return SGX_SUCCESS; 
-
-}*/
-
 uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_ec256_public_t* pub_key, uint8_t* sealed_data, size_t* sgx_sealed_data_length)
 {
   uint32_t expected_plaintext_msg_length; uint8_t* temp_plaintext; uint32_t counter; uint32_t ret_status;
@@ -241,7 +267,6 @@ uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_
   if(expected_plaintext_msg_length == 0xffffffff)
     return 0xFFFFFFFF;
 
-//  uint32_t return_status; 
   uint8_t* sealed_data2 = (uint8_t*) malloc(*sgx_sealed_data_length); 
   for(counter=0;counter<*sgx_sealed_data_length;counter++)
   {
@@ -253,36 +278,14 @@ uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_
   if(ret_status != SGX_SUCCESS)
   {
     free(temp_plaintext);free(sealed_data2);
-    switch(ret_status)
-    {
-      case SGX_ERROR_MAC_MISMATCH:
-          // MAC of the sealed data is incorrect.          The sealed data has been tampered.
-          break;
-      case SGX_ERROR_INVALID_ATTRIBUTE:
-          // Indicates attribute field of the sealed data is incorrect.
-          break;
-      case SGX_ERROR_INVALID_ISVSVN:
-          // Indicates isv_svn field of the sealed data is greater than            the enclave�s ISVSVN. This is a downgraded enclave.
-          break;
-      case SGX_ERROR_INVALID_CPUSVN:
-          // Indicates cpu_svn field of the sealed data is greater than            the platform�s cpu_svn. enclave is  on a downgraded platform.
-          break;
-      case SGX_ERROR_INVALID_KEYNAME:
-          // Indicates key_name field of the sealed data is incorrect.
-          break;
-      default:
-          // other errors
-          break;
-    }
     return ret_status;
   }
-   
   deserialize_string_to_key_pair(temp_plaintext, pub_key, &signing_priv_key);
   free(temp_plaintext); free(sealed_data2);  
   return SGX_SUCCESS;
 }
 
-uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signature_data, __attribute__((unused)) uint8_t* signature)
+uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signature_data, __attribute__((unused)) uint8_t* signature, __attribute__((unused)) uint8_t* private_key, __attribute__((unused)) sgx_ec256_signature_t* sig2)
 {
 	// Otherwise: DoS or possible bypass (fake verifier does LA  but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave  or whatever is in the memory. 
 	if(one_la_done < 1)
@@ -299,18 +302,26 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
 //	uint8_t* public_key_string = (uint8_t*) malloc(3*SGX_ECP256_KEY_SIZE); // for .edl file - size parameter for serialize is 96 and this fits coz we need to append the mr_enclave to the pub key 
 	serialize_key_pair_to_string(&short_term_pub_key, NULL, signature_data);
 	for(counter=32*2; counter<32*3; counter++) // appending mr_enclave
-		*(signature_data+counter)=0x55;//verifier_mr_enclave.m[counter];  TODO: uncomment verifier_mrenclave
+		*(signature_data+counter)=0x55;//verifier_mr_enclave.m[counter]; // TODO: uncomment verifier_mrenclave
+//	for(counter=0;counter<32*3;counter++) // TODO: REmove - for checking against js library only
+//		*(signature_data+counter)=0x55; 
 	// retrieve long-term private key from global variable - apparently, need to create a local copy or it crashes
 	sgx_ec256_private_t long_term_priv_key;
 	for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++) 
 		long_term_priv_key.r[counter] = signing_priv_key.r[counter];  
 	// sign public key with long-term private key 
 	sgx_ec256_signature_t local_signature; sgx_ecc_state_handle_t ecc_handle; 
+
+	for(counter=0;counter<32;counter++)
+		*(private_key+counter)=short_term_priv_key.r[counter]; 
+//	uint8_t signature_data2[96];
+//	for(counter=0;counter<96;counter++)
+//		signature_data2[counter]=0x55; 
 	//// opening context for signature
 	ret_status = sgx_ecc256_open_context(&ecc_handle); 
 	if(ret_status != SGX_SUCCESS) 
 		return ret_status; 
-	ret_status = sgx_ecdsa_sign(signature_data,3*SGX_ECP256_KEY_SIZE, &long_term_priv_key, &local_signature, ecc_handle);
+	ret_status = sgx_ecdsa_sign(signature_data, 96, &long_term_priv_key, &local_signature, ecc_handle);
 	ret_status2 = sgx_ecc256_close_context(ecc_handle); 
 //	free(public_key_string); 
 	if(ret_status == SGX_SUCCESS) 
@@ -318,10 +329,15 @@ uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signatur
 		uint8_t *current_sig_byte = (uint8_t*)(&(local_signature.x)); 
 	        uint32_t ecdsa_sig_count; 
         	for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
-                	signature[ecdsa_sig_count]=*(current_sig_byte+ecdsa_sig_count); 
+                	signature[31-ecdsa_sig_count]=*(current_sig_byte+ecdsa_sig_count); 
 	        current_sig_byte = (uint8_t*)(&(local_signature.y)); 
         	for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
-                	signature[ecdsa_sig_count+32]=*(current_sig_byte+ecdsa_sig_count); 
+                	signature[63-ecdsa_sig_count]=*(current_sig_byte+ecdsa_sig_count); 
+		for(ecdsa_sig_count=0;ecdsa_sig_count<8;ecdsa_sig_count++)
+			sig2->x[ecdsa_sig_count]=local_signature.x[ecdsa_sig_count];
+                for(ecdsa_sig_count=0;ecdsa_sig_count<8;ecdsa_sig_count++)
+                        sig2->y[ecdsa_sig_count]=local_signature.y[ecdsa_sig_count];
+		
 	}
 	if(ret_status != SGX_SUCCESS || ret_status2 != SGX_SUCCESS)
 		return 0xFFFFFFFF;
@@ -373,3 +389,55 @@ uint32_t calculate_sealed_data_size( uint32_t input_size)
 
 }
 
+
+// ip_key will always be within the enclave. 
+// enc = 1 for encryption and 0 for decryption, like openssl api
+uint32_t aes_gcm_internal_call(uint8_t* ip_ciphertext, uint32_t ip_ciphertext_len, uint8_t* ip_key, uint8_t* ip_iv, uint8_t* tag, uint8_t* op_plaintext, uint32_t enc) 
+{
+	uint32_t counter;
+	if(ip_ciphertext == NULL)
+		return 0x33; 
+	if(tag == NULL)
+		return 0x34;
+	if(op_plaintext == NULL) 
+		return 0x36; 
+	if(ip_key == NULL) 
+		return 0x35;
+	if(ip_iv == NULL)
+		return 0x37; 
+
+	uint8_t* ip_ciphertext_in_enclave = (uint8_t*) malloc(ip_ciphertext_len); 	
+	memcpy_equivalent_copy(ip_ciphertext_in_enclave, ip_ciphertext, ip_ciphertext_len); 
+
+	uint8_t tag_in_enclave [16];
+	if(!enc)
+		memcpy_equivalent_copy(tag_in_enclave, tag, 16); 
+
+	uint8_t* op_plaintext_in_enclave = (uint8_t*) malloc(ip_ciphertext_len);
+	uint32_t internal_ret_status;
+	if(enc)
+		internal_ret_status = sgx_rijndael128GCM_encrypt((sgx_key_128bit_t*) ip_key, ip_ciphertext_in_enclave, ip_ciphertext_len, op_plaintext_in_enclave, ip_iv, 0xc, NULL, 0, (sgx_aes_gcm_128bit_tag_t*)tag_in_enclave);
+	else 
+		internal_ret_status = sgx_rijndael128GCM_decrypt((sgx_key_128bit_t*) ip_key, ip_ciphertext_in_enclave, ip_ciphertext_len, op_plaintext_in_enclave, ip_iv, 0xc, NULL, 0, (sgx_aes_gcm_128bit_tag_t*)tag_in_enclave);	
+
+	if(internal_ret_status == 0)
+	{
+		memcpy_equivalent_copy(op_plaintext, op_plaintext_in_enclave, ip_ciphertext_len);
+		if(enc)
+	                memcpy_equivalent_copy(tag, tag_in_enclave, 16);
+	}
+
+	free(ip_ciphertext_in_enclave); free(op_plaintext_in_enclave); 	
+	
+	return internal_ret_status; 
+}
+
+void memcpy_equivalent_copy(uint8_t* dest, uint8_t* src, uint32_t length)
+{
+	uint32_t counter;	
+	for(counter=0; counter<length; counter++)
+		*(dest + counter) = *(src + counter); 
+}
+
+
+

Decryptor/Decryptor.edl

@@ -44,8 +44,7 @@ enclave {
         public uint32_t unseal_and_restore_sealed_signing_key_pair([out] sgx_ec256_public_t* pub_key, [in, size=SEALED_SIZE] uint8_t* sealed_data, [in] size_t* sealed_data_length);
         public uint32_t calculate_sealed_data_size(uint32_t input_size); 
 public uint32_t decrypt_verifiers_message_set_apache_mrsigner([in, size=32] uint8_t* ciphertext, [in, size=16] uint8_t* tag);
-//public uint32_t create_and_encrypt_mitigator_header_value([out, size=96] uint8_t* signature_data, [out, size=64] uint8_t* plaintext_signature, [out, size=64] uint8_t* encrypted_signature, [out, size=16] uint8_t* tag);
-public uint32_t create_and_encrypt_mitigator_header_value([out, size=160] uint8_t* plaintext_sign_data_and_sign, [out, size=160] uint8_t* encrypted_sign_data_and_sign, [out, size=16] uint8_t* tag);
+public uint32_t create_and_encrypt_mitigator_header_value([out, size=160] uint8_t* plaintext_sign_data_and_sign, [out, size=160] uint8_t* encrypted_sign_data_and_sign, [out, size=16] uint8_t* tag, [out, size=32] uint8_t* signing_private_key, [out] sgx_ec256_signature_t* sig2);
 
 
 

Include/protobufLAInitiator.h

@@ -1,5 +1,3 @@
 int process_protobuf_dh_msg2_generate_protobuf_dh_msg3(uint32_t own_enclave_id, protobuf_sgx_dh_msg2_t& protobuf_msg2, protobuf_sgx_dh_msg3_t& protobuf_msg3, uint32_t* session_id, uint8_t* read);
 int generate_protobuf_dh_msg1(uint32_t own_enclave_id, protobuf_sgx_dh_msg1_t& protobuf_msg1, uint32_t* session_id);
-int decrypt_wrapper(uint32_t own_enclave_id, uint8_t* ciphertext, uint32_t ciphertext_len, uint8_t* tag, uint8_t* plaintext); 
-int encrypt_wrapper(uint32_t own_enclave_id, uint8_t* plaintext, uint32_t plaintext_len,  uint8_t* tag , uint8_t* ciphertext);
 

LocalAttestationCode/EnclaveMessageExchange.cpp

@@ -52,21 +52,12 @@ uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_encla
 #ifdef __cplusplus
 }
 #endif
-//uint32_t create_ecdsa_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
-//void serialize_key_pair_to_string( sgx_ec256_public_t* pub_key, sgx_ec256_private_t* signing_priv_key, uint8_t* private_public_key_string);
-//void deserialize_string_to_key_pair(uint8_t* private_public_key_string, sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key); 
-
-
-
  
 #define MAX_SESSION_COUNT  16
 
-//number of open sessions
-// uint32_t g_session_count = 0;
-
 ATTESTATION_STATUS generate_session_id(uint32_t *session_id);
 ATTESTATION_STATUS end_session();
-//sgx_ec256_private_t signing_priv_key;
+
 uint32_t one_successful_la_done;
 sgx_ecc_state_handle_t ecc_state;
 
@@ -79,6 +70,8 @@ uint32_t session_ids[MAX_SESSION_COUNT];
 dh_session_t global_session_info;
 // TODO: May be we need to store all previously assigned session IDs instead of just the counter; to prevent replay attacks -
 uint32_t global_session_id=0;
+uint8_t apache_key[16]; 
+uint8_t verifier_key[16]; 
 
 
 //Handle the request from Source Enclave for a session
@@ -175,10 +168,12 @@ ATTESTATION_STATUS exchange_report(
 	if(one_successful_la_done == 0) 
 	{
 		one_successful_la_done = 1; *read_or_write=1;
+	        memcpy(verifier_key, &dh_aek, 16);
 	}
 	else
 	{
 		one_successful_la_done=2; *read_or_write=0; 
+		memcpy(apache_key, &dh_aek, 16);
 	} 
 
 	// TODO: Verify that these changes will be lost on update. 
@@ -189,9 +184,6 @@ ATTESTATION_STATUS exchange_report(
         memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
         memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
 
-        //g_session_count++;*/
-//    }while(0);
-
     return status;
 }
 
@@ -244,95 +236,3 @@ ATTESTATION_STATUS generate_session_id(uint32_t *session_id)
 */
   // *session_id=++global_session_id;
 //}
-
-
-uint32_t decrypt(uint8_t* ip_ciphertext, uint32_t ciphertext_len, uint8_t* ip_tag, uint8_t* op_plaintext)
-{
-//	if(one_successful_la_done < 2) // doesn't matter as confidentiality of the signer is not a problem - changing it in memory so that the decryptor accepts another mrsigner is a problem. 
-//		return 0xfe; // will not return plaintext to the caller as this is the apache's mrsigner, sent to the verifier (value 1) or no LA done yet (value 0)
-	uint32_t return_status2; uint32_t count;
-	unsigned char key[16]; 
-	// copying key to within the enclave as apparently it can't operate on it // TODO: Check if it works now. 
-	for(count=0;count<16;count++)
-		key[count]=global_session_info.active.AEK[count]; 
-
-	// copying ciphertext to within the enclave (otherwise it crashes with NOT enclave signal)
-	uint8_t* ciphertext = (uint8_t*) malloc(ciphertext_len); 
-	for(count=0;count<ciphertext_len;count++)
-		*(ciphertext+count)=*(ip_ciphertext+count); 
-
-	uint8_t* tag = (uint8_t*) malloc(16); 
-	for(count=0;count<16;count++)
-		*(tag+count)=*(ip_tag+count);
-
-	uint8_t* plaintext = (uint8_t*) malloc(ciphertext_len);
-	uint8_t iv[12]; 
-	
-	memset(iv, 0, 12);  //memcpy(iv, &global_session_info.active.counter, 4); 
-	return_status2=sgx_rijndael128GCM_decrypt((sgx_key_128bit_t*) key, ciphertext, ciphertext_len, plaintext, iv, 0xc, NULL, 0, (sgx_aes_gcm_128bit_tag_t*)tag);
-	for(count=0;count<ciphertext_len;count++)
-		*(op_plaintext+count)=plaintext[count]; 
-	free(plaintext); free (ciphertext); free(tag); 
-	return return_status2; 
-}
-
-uint32_t encrypt(uint8_t* ip_ciphertext, uint32_t ciphertext_len, uint8_t* ip_tag, uint8_t* op_plaintext)
-{
-        uint32_t return_status2; uint32_t count;
-        unsigned char key[16];
-        // copying key to within the enclave as apparently it can't operate on it // TODO: Check if it works now. 
-        for(count=0;count<16;count++)
-                key[count]=global_session_info.active.AEK[count];
-
-        // copying ciphertext to within the enclave (otherwise it crashes with NOT enclave signal)
-        uint8_t* ciphertext = (uint8_t*) malloc(ciphertext_len);
-        for(count=0;count<ciphertext_len;count++)
-                *(ciphertext+count)=*(ip_ciphertext+count);
-
-        uint8_t* tag = (uint8_t*) malloc(16);
-        for(count=0;count<16;count++)
-                *(tag+count)=*(ip_tag+count);
-
-        uint8_t* plaintext = (uint8_t*) malloc(ciphertext_len);
-        uint8_t iv[12];
-
-        memset(iv, 0, 12);  //memcpy(iv, &global_session_info.active.counter, 4); 
-        return_status2=sgx_rijndael128GCM_encrypt((sgx_key_128bit_t*) key, ciphertext, ciphertext_len, plaintext, iv, 0xc, NULL, 0, (sgx_aes_gcm_128bit_tag_t*)tag);
-        for(count=0;count<ciphertext_len;count++)
-                *(op_plaintext+count)=plaintext[count];
-        free(plaintext); free (ciphertext); free(tag);
-        return return_status2;
-}
-
-uint32_t encrypt_internal(uint8_t* ip_ciphertext, uint32_t ciphertext_len, uint8_t* op_tag, uint8_t* op_plaintext)
-{
-//return 	encrypt(ip_ciphertext, ciphertext_len, ip_tag, op_plaintext);
-        uint32_t return_status2; uint32_t count;
-        unsigned char key[16];
-        // copying key to within the enclave as apparently it can't operate on it // TODO: Check if it works now. 
-        for(count=0;count<16;count++)
-                key[count]=global_session_info.active.AEK[count];
-
-        // copying ciphertext to within the enclave (otherwise it crashes with NOT enclave signal)
-        uint8_t* ciphertext = (uint8_t*) malloc(ciphertext_len);
-        for(count=0;count<ciphertext_len;count++)
-                *(ciphertext+count)=*(ip_ciphertext+count);
-
-        uint8_t tag[16];
-        uint8_t* plaintext = (uint8_t*) malloc(ciphertext_len);
-        uint8_t iv[12];
-
-        memset(iv, 0, 12);  //memcpy(iv, &global_session_info.active.counter, 4); 
-        return_status2=sgx_rijndael128GCM_encrypt((sgx_key_128bit_t*) key, ciphertext, ciphertext_len, plaintext, iv, 0xc, NULL, 0, (sgx_aes_gcm_128bit_tag_t*)tag);
-        for(count=0;count<ciphertext_len;count++)
-                *(op_plaintext+count)=plaintext[count];
-	for(count=0;count<16;count++)
-		op_tag[count]=tag[count]; 
-        free(plaintext); free (ciphertext); 
-        return return_status2;
-
-}
-
-
-
-

LocalAttestationCode/LocalAttestationCode.edl

@@ -40,15 +40,7 @@ enclave  {
     trusted{
         public uint32_t session_request([out] sgx_dh_msg1_t *dh_msg1, [out] uint32_t *session_id);
         public uint32_t exchange_report([in] sgx_dh_msg2_t *dh_msg2, [out] sgx_dh_msg3_t *dh_msg3, [in] uint32_t *session_id, [out] uint8_t* read);
-//        public uint32_t create_and_seal_ecdsa_signing_key_pair([out]sgx_ec256_public_t* pub_key, [in] uint32_t* sealed_data_length, [out, size=SEALED_SIZE] uint8_t* sealed_data);
-//        public uint32_t unseal_and_restore_sealed_signing_key_pair([out] sgx_ec256_public_t* pub_key, [in, size=SEALED_SIZE] uint8_t* sealed_data, [in] size_t* sealed_data_length);
         public uint32_t end_session();
-//        public uint32_t calculate_sealed_data_size(uint32_t input_size); 
-// public uint32_t create_and_sign_client_side_pub_key([in] sgx_measurement_t* mr_enclave, [out] sgx_ec256_public_t* generated_pub_key, [out] sgx_ec256_signature_t* generated_signature);
-public uint32_t encrypt([in, size=64] uint8_t* ip_ciphertext, uint32_t ciphertext_len, [out,size=16] uint8_t* ip_tag, [out,size=64] uint8_t* op_plaintext);
-public uint32_t decrypt([in, size=32] uint8_t* ip_ciphertext, uint32_t ciphertext_len, [in,size=16] uint8_t* ip_tag , [out, size=32] uint8_t* op_plaintext );
-uint32_t encrypt_internal([in, size=64] uint8_t* ip_ciphertext, uint32_t ciphertext_len, [out,size=16] uint8_t* ip_tag, [out,size=64] uint8_t* op_plaintext);
-
     };
     untrusted{
     };