Browse Source

Made some changes to untrusted part

dettanym 5 years ago
parent
commit
bfbc956b54

+ 35 - 28
App/App.cpp

@@ -39,7 +39,7 @@
 #include<unistd.h>
 #include<unistd.h>
 // for sealing - sgx_calc_sealed_data_size
 // for sealing - sgx_calc_sealed_data_size
 #include "sgx_tseal.h"
 #include "sgx_tseal.h"
-#include "LocalAttestationUntrusted.h" 
+#include "LocalAttestationUntrusted.h"
 
 
 
 
 // For reading from/writing to file -sealing.
 // For reading from/writing to file -sealing.
@@ -92,11 +92,11 @@ uint32_t read_from_fd(int fd, uint8_t* msg, uint32_t* expected_msg_length)
 
 
 uint32_t unseal_signing_key_pair_from_disk(int fd, size_t sealed_msg_length_in_file)
 uint32_t unseal_signing_key_pair_from_disk(int fd, size_t sealed_msg_length_in_file)
 {
 {
-  uint32_t ret_status=0, length=sealed_msg_length_in_file, counter=0; 
-  uint8_t* sealed_data;  
+  uint32_t ret_status=0, length=sealed_msg_length_in_file, counter=0;
+  uint8_t* sealed_data;
 
 
-  sealed_data = (uint8_t*) malloc(0x300); //TODO: Get length of the sealed msg and try to read that much from the file. 
-	// May be pass the length of the file as input to this function and check that it is at least as much as the output of the sgx call. 
+  sealed_data = (uint8_t*) malloc(0x300); //TODO: Get length of the sealed msg and try to read that much from the file.
+	// May be pass the length of the file as input to this function and check that it is at least as much as the output of the sgx call.
   ret_status = read_from_fd(fd, sealed_data, &length);
   ret_status = read_from_fd(fd, sealed_data, &length);
   if(ret_status != 0)
   if(ret_status != 0)
   {
   {
@@ -107,7 +107,7 @@ uint32_t unseal_signing_key_pair_from_disk(int fd, size_t sealed_msg_length_in_f
   for(counter=0;counter<length;counter++)
   for(counter=0;counter<length;counter++)
 	printf("%x ", *(sealed_data+counter));
 	printf("%x ", *(sealed_data+counter));
   printf("\n");  fflush(stdout);
   printf("\n");  fflush(stdout);
- 
+
   Decryptor_unseal_and_restore_long_term_signing_key_pair_wrapper(e2_enclave_id, &ret_status, sealed_data, &length);
   Decryptor_unseal_and_restore_long_term_signing_key_pair_wrapper(e2_enclave_id, &ret_status, sealed_data, &length);
   free(sealed_data);
   free(sealed_data);
   return ret_status;
   return ret_status;
@@ -115,14 +115,14 @@ uint32_t unseal_signing_key_pair_from_disk(int fd, size_t sealed_msg_length_in_f
 
 
 uint32_t create_and_seal_signing_key_pair_to_disk(int fd)
 uint32_t create_and_seal_signing_key_pair_to_disk(int fd)
 {
 {
-  uint32_t ret_status=0, length=0, counter=0; 
-  uint8_t* sealed_data;  
+  uint32_t ret_status=0, length=0, counter=0;
+  uint8_t* sealed_data;
 
 
-  Decryptor_calculate_sealed_keypair_size_wrapper(e2_enclave_id, &length); 
+  Decryptor_calculate_sealed_keypair_size_wrapper(e2_enclave_id, &length);
   if(length == 0xFFFFFFFF)
   if(length == 0xFFFFFFFF)
     return 0xFFFFFFFF;
     return 0xFFFFFFFF;
-  sealed_data=(uint8_t*) malloc(length); // 0x300); // TODO: Shouldn't it be malloc of length? 
-        printf("length: %d\n", length); fflush(stdout); 
+  sealed_data=(uint8_t*) malloc(length); // 0x300); // TODO: Shouldn't it be malloc of length?
+        printf("length: %d\n", length); fflush(stdout);
 
 
   Decryptor_create_and_seal_long_term_signing_key_pair_wrapper(e2_enclave_id, &ret_status, &length, sealed_data);
   Decryptor_create_and_seal_long_term_signing_key_pair_wrapper(e2_enclave_id, &ret_status, &length, sealed_data);
   if(ret_status != SGX_SUCCESS)
   if(ret_status != SGX_SUCCESS)
@@ -131,9 +131,9 @@ uint32_t create_and_seal_signing_key_pair_to_disk(int fd)
     free(sealed_data);
     free(sealed_data);
     return 0xFFFFFFFF;
     return 0xFFFFFFFF;
   }
   }
-  printf("It returned sgx_success\n"); fflush(stdout); 
-  for(counter=0; counter<length; counter++) 
-	printf("%02x ", sealed_data[counter]); 
+  printf("It returned sgx_success\n"); fflush(stdout);
+  for(counter=0; counter<length; counter++)
+	printf("%02x ", sealed_data[counter]);
   ret_status = write_to_fd(fd, sealed_data, &length);
   ret_status = write_to_fd(fd, sealed_data, &length);
   free(sealed_data);
   free(sealed_data);
 
 
@@ -171,34 +171,41 @@ int main(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[])
       struct stat st; ret_status = fstat(sealed_signing_key_fd, &st);
       struct stat st; ret_status = fstat(sealed_signing_key_fd, &st);
       if(ret_status != 0)
       if(ret_status != 0)
       {
       {
-	perror("error in finding the file size. -  ");
+	       perror("error in finding the file size. -  ");
         fflush(stderr);
         fflush(stderr);
-	return 0xffffffff;
+	       return 0xffffffff;
 
 
       }
       }
       sealed_msg_length_in_file = st.st_size;
       sealed_msg_length_in_file = st.st_size;
     if(sealed_msg_length_in_file == 0) //if(start == end && start != -1)
     if(sealed_msg_length_in_file == 0) //if(start == end && start != -1)
       // TODO: file is empty. create signing key pair.
       // TODO: file is empty. create signing key pair.
       // int start = lseek(sealed_signing_key_fd, 0, SEEK_SET);
       // int start = lseek(sealed_signing_key_fd, 0, SEEK_SET);
-{ printf("Creating new keypair.\n"); fflush(stdout);     ret_status = create_and_seal_signing_key_pair_to_disk(sealed_signing_key_fd); }
-    else 
-{ printf("Unsealing keypair.\n"); fflush(stdout);      ret_status = unseal_signing_key_pair_from_disk(sealed_signing_key_fd, sealed_msg_length_in_file); }
-    
+      { printf("Creating new keypair.\n"); fflush(stdout);     ret_status = create_and_seal_signing_key_pair_to_disk(sealed_signing_key_fd); }
+    else
+    { printf("Unsealing keypair.\n"); fflush(stdout);      ret_status = unseal_signing_key_pair_from_disk(sealed_signing_key_fd, sealed_msg_length_in_file); }
+
      if(ret_status != 0)
      if(ret_status != 0)
       {
       {
-	printf("Some error \n");
+	       printf("Some error \n");
 //        printf("\n %d error in generating the ecdsa signing key pair \n", errno);
 //        printf("\n %d error in generating the ecdsa signing key pair \n", errno);
-        fflush(stdout);    
-sgx_destroy_enclave(e2_enclave_id);
+        fflush(stdout);
+        sgx_destroy_enclave(e2_enclave_id);
 
 
         return 0xFFFFFFFF;
         return 0xFFFFFFFF;
-      } 
+      }
 
 
 
 
     close(sealed_signing_key_fd);
     close(sealed_signing_key_fd);
 
 
     int server_fd;
     int server_fd;
-    server_fd = LocalAttestationUntrusted::prepare_local_attestation_as_responder_fd_and_msg1(e2_enclave_id, 3824);
+    ret_status = LocalAttestationUntrusted::prepare_local_attestation_as_responder_msg1(e2_enclave_id);
+    if(ret_status !=0)
+    {
+      printf("Could not prepare_local_attestation_as_responder_msg1"); fflush(stdout); sgx_destroy_enclave(e2_enclave_id);
+      return ret_status;
+    }
+
+    server_fd=LocalAttestationUntrusted::setup_socket_for_local_attestation_requests(3824)
     if(server_fd <=0)
     if(server_fd <=0)
     {
     {
       printf("Error in setting up server socket."); fflush(stdout);
       printf("Error in setting up server socket."); fflush(stdout);
@@ -217,7 +224,7 @@ sgx_destroy_enclave(e2_enclave_id);
       return 0xFFFFFFFF;
       return 0xFFFFFFFF;
     }
     }
 
 
-    ret_status = LocalAttestationUntrusted::post_local_attestation_with_verifier(e2_enclave_id);
+    ret_status = LocalAttestationUntrusted::post_local_attestation_with_verifier(e2_enclave_id, server_fd);
     if(ret_status!=0)
     if(ret_status!=0)
     {
     {
       printf("post local attestation - with the verifier - did not successfully return: %x\n", ret_status); fflush(stdout);
       printf("post local attestation - with the verifier - did not successfully return: %x\n", ret_status); fflush(stdout);
@@ -225,7 +232,7 @@ sgx_destroy_enclave(e2_enclave_id);
       return 0xFFFFFF01;
       return 0xFFFFFF01;
     }
     }
 
 
-    server_fd = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id,3825);
+    server_fd = LocalAttestationUntrusted::local_attestation_as_responder_msg2_msg3(e2_enclave_id,server_fd);
     if(ret_status<=0)
     if(ret_status<=0)
     {
     {
       printf("local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);
       printf("local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);
@@ -233,7 +240,7 @@ sgx_destroy_enclave(e2_enclave_id);
       return 0xFFFFFFFF;
       return 0xFFFFFFFF;
     }
     }
 
 
-    ret_status = LocalAttestationUntrusted::post_local_attestation_with_apache(e2_enclave_id);
+    ret_status = LocalAttestationUntrusted::post_local_attestation_with_apache(e2_enclave_id,server_fd);
     if(ret_status!=0)
     if(ret_status!=0)
     {
     {
       printf("post local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);
       printf("post local attestation - with the apache - did not successfully return: %x\n", ret_status); fflush(stdout);

+ 49 - 57
App/LocalAttestationUntrusted.cpp

@@ -16,8 +16,6 @@ using namespace google::protobuf::io;
 #include <iostream>
 #include <iostream>
 
 
 class LocalAttestationUntrusted {
 class LocalAttestationUntrusted {
-  int server_fd;
-  int accept_fd;
   uint32_t session_id;
   uint32_t session_id;
   protobuf_sgx_dh_msg1_t protobuf_msg1;
   protobuf_sgx_dh_msg1_t protobuf_msg1;
 
 
@@ -128,36 +126,33 @@ class LocalAttestationUntrusted {
 
 
     if(write_protobuf_msg_to_fd(accept_fd, protobuf_msg3)!=0)
     if(write_protobuf_msg_to_fd(accept_fd, protobuf_msg3)!=0)
       return 0x3;
       return 0x3;
-    return 0; 
+    return 0;
   }
   }
 
 
-  int decrypt_client_data_wrapper(uint32_t own_enclave_id, int apache_fd)
+  int decrypt_client_data(uint32_t own_enclave_id, int fd)
   {
   {
-
     protobuf_post_LA_encrypted_msg_t protobuf_msg;
     protobuf_post_LA_encrypted_msg_t protobuf_msg;
     unsigned char* protobuf_msg_ptr;
     unsigned char* protobuf_msg_ptr;
     uint32_t sgx_ret_status;
     uint32_t sgx_ret_status;
-    // TODO: THIS SHOULD BE WAYYYY GREATER THAN 144 -> CLIENTS PUBLIC KEY (64)+ ENCRYPTION TAG (16)+ SIGNATURE (64) + CLIENT DATA
-    // 144 + client data length
     uint8_t* input_ciphertext_plus_tag;
     uint8_t* input_ciphertext_plus_tag;
     uint32_t input_ciphertext_plus_tag_length;
     uint32_t input_ciphertext_plus_tag_length;
   	uint8_t* output_ciphertext_plus_tag;
   	uint8_t* output_ciphertext_plus_tag;
     uint32_t output_ciphertext_plus_tag_length;
     uint32_t output_ciphertext_plus_tag_length;
     int counter;
     int counter;
 
 
-    if(read_protobuf_msg_from_fd(apache_fd, protobuf_msg)!=0)
+    if(read_protobuf_msg_from_fd(fd, protobuf_msg)!=0)
       return 0xfe;
       return 0xfe;
 
 
     input_ciphertext_plus_tag_length = protobuf_msg.msg().length();
     input_ciphertext_plus_tag_length = protobuf_msg.msg().length();
     // TODO: MAKE SURE THIS IS NOT 0XFFFFFFFF.
     // TODO: MAKE SURE THIS IS NOT 0XFFFFFFFF.
     input_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
     input_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
-    output_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length - 128 + 10);
+    output_ciphertext_plus_tag = (uint8_t*) malloc(input_ciphertext_plus_tag_length - 128 + 10); //128 = client public key token length?
     protobuf_msg_ptr = (uint8_t*) protobuf_msg.msg().c_str();
     protobuf_msg_ptr = (uint8_t*) protobuf_msg.msg().c_str();
 
 
     for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
     for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
       input_ciphertext_plus_tag[counter] = *(protobuf_msg_ptr + counter);
       input_ciphertext_plus_tag[counter] = *(protobuf_msg_ptr + counter);
 
 
-    // Just so that the ciphertext - client data - is returned back to Apache in case decrypt_client_data fails.
+    // Just so that the ciphertext - client data - is returned back to Apache in case this function fails.
     // client data is after public key (64 bytes) + signature (64 bytes) = 128 bytes.
     // client data is after public key (64 bytes) + signature (64 bytes) = 128 bytes.
     for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
     for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
   		output_ciphertext_plus_tag[counter] = input_ciphertext_plus_tag[counter+128];
   		output_ciphertext_plus_tag[counter] = input_ciphertext_plus_tag[counter+128];
@@ -166,10 +161,10 @@ class LocalAttestationUntrusted {
     // Return value is not sent back..
     // Return value is not sent back..
     Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext, &output_ciphertext_plus_tag_length);
     Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext, &output_ciphertext_plus_tag_length);
     free(input_ciphertext_plus_tag);
     free(input_ciphertext_plus_tag);
-    protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
-    free(output_ciphertext_plus_tag);
-  	if(write_protobuf_msg_to_fd(apache_fd, protobuf_msg)!=0)
-  	  return 0xfc;
+      protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
+      free(output_ciphertext_plus_tag);
+    	if(write_protobuf_msg_to_fd(fd, protobuf_msg)!=0)
+    	  return 0xfc;
   	return 0;
   	return 0;
   }
   }
 
 
@@ -186,17 +181,14 @@ class LocalAttestationUntrusted {
       return 0;
       return 0;
     }
     }
 
 
-   int setup_socket_for_local_attestation_requests( int port )
-   {
-      struct sockaddr_in own_addr; 
+    int setup_socket_for_local_attestation_requests(int port)
+    {
+      struct sockaddr_in own_addr;
       return set_up_socket(port, &own_addr);
       return set_up_socket(port, &own_addr);
-   }
-
-
-
+    }
 
 
     // TODO: CHANGED SIGNATURE.
     // TODO: CHANGED SIGNATURE.
-    int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd)
+    int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd, int* accept_fd)
     {
     {
       uint32_t protobuf_sgx_ret;
       uint32_t protobuf_sgx_ret;
       struct sockaddr_storage apache_addr;
       struct sockaddr_storage apache_addr;
@@ -209,15 +201,15 @@ class LocalAttestationUntrusted {
         printf("Error in accepting %d", errno); fflush(stdout);
         printf("Error in accepting %d", errno); fflush(stdout);
         return temp_accept_fd;
         return temp_accept_fd;
       }
       }
-      accept_fd=temp_accept_fd;
+      *accept_fd=temp_accept_fd;
 
 
       protobuf_sgx_ret = local_attestation_msg2_msg3(own_enclave_id, accept_fd);
       protobuf_sgx_ret = local_attestation_msg2_msg3(own_enclave_id, accept_fd);
       return protobuf_sgx_ret;
       return protobuf_sgx_ret;
-*/ return 0;    }
+    }
 
 
-    int post_local_attestation_with_verifier(uint32_t own_enclave_id)
+    int post_local_attestation_with_verifier(uint32_t own_enclave_id, int accept_fd)
     {
     {
-/*      uint32_t protobuf_sgx_ret;
+      uint32_t protobuf_sgx_ret;
       uint8_t encrypted_apache_mrsigner_and_tag[48];
       uint8_t encrypted_apache_mrsigner_and_tag[48];
       size_t bytes_read;
       size_t bytes_read;
 
 
@@ -234,7 +226,7 @@ class LocalAttestationUntrusted {
     	  printf("0x%02x ", encrypted_apache_mrsigner_and_tag[count]);
     	  printf("0x%02x ", encrypted_apache_mrsigner_and_tag[count]);
       printf("\n");fflush(stdout);
       printf("\n");fflush(stdout);
 
 
-      Decryptor_decrypt_verifiers_message_set_apache_mrsigner_wrapper(own_enclave_id, &sgx_ret, encrypted_apache_mrsigner_and_tag);
+      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &sgx_ret, encrypted_apache_mrsigner_and_tag);
       if(sgx_ret!=0)
       if(sgx_ret!=0)
     	{
     	{
         printf("Error in decryption: 0x%x\n", sgx_ret); fflush(stdout);
         printf("Error in decryption: 0x%x\n", sgx_ret); fflush(stdout);
@@ -244,47 +236,47 @@ class LocalAttestationUntrusted {
 
 
       printf("Successful decryption\n"); fflush(stdout);
       printf("Successful decryption\n"); fflush(stdout);
       close(accept_fd);
       close(accept_fd);
-*/      return 0;
+      return 0;
     }
     }
 
 
-    int post_local_attestation_with_apache(uint32_t own_enclave_id)
+    int post_local_attestation_with_apache(uint32_t own_enclave_id, int accept_fd)
     {
     {
-/*
       protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
       protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
       uint8_t encrypted_sign_data_and_sign_and_tag[176];
       uint8_t encrypted_sign_data_and_sign_and_tag[176];
       int apache_fd=accept_fd;
       int apache_fd=accept_fd;
   	  memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
   	  memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
-	uint32_t internal_return_status; 
-	uint32_t count; 
-	sgx_status_t sgx_ret; 
+	    uint32_t internal_return_status;
+	    uint32_t count;
+	    sgx_status_t sgx_ret;
+
+        Decryptor_encrypt_mitigator_header_H_to_apache_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag);
+      	if(sgx_ret!=0)
+      	{
+      		printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout);
+          close(accept_fd);
+          return 0xf3;
+      	}
+
+      	for(count=0;count<176;count++)
+      	{
+      		printf("0x%02x ", encrypted_sign_data_and_sign_and_tag[count]);
+      	}
+      	printf("\n"); fflush(stdout);
+
+      	protobuf_encrypted_msg.set_msg((void*)encrypted_sign_data_and_sign_and_tag, 176);
+      	if(write_protobuf_msg_to_fd(apache_fd, protobuf_encrypted_msg) != 0)
+        {
+          printf("Not all of the mitigator token H was written to the Apache.\n"); fflush(stdout);
+          close(accept_fd);
+          return 0xfe;
+        }
 
 
-      Decryptor_create_and_encrypt_mitigator_header_H_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag);
-    	if(sgx_ret!=0)
-    	{
-    		printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout);
-        close(accept_fd);
-        return 0xf3;
-    	}
-
-    	for(count=0;count<176;count++)
-    	{
-    		printf("0x%02x ", encrypted_sign_data_and_sign_and_tag[count]);
-    	}
-    	printf("\n"); fflush(stdout);
-
-    	protobuf_encrypted_msg.set_msg((void*)encrypted_sign_data_and_sign_and_tag, 176);
-    	if(write_protobuf_msg_to_fd(apache_fd, protobuf_encrypted_msg) != 0)
-      {
-        printf("Not all of the mitigator token H was written to the Apache.\n"); fflush(stdout);
-        close(accept_fd);
-        return 0xfe;
-      }
 
 
   	  do {
   	  do {
-      	internal_return_status = decrypt_client_data_wrapper(own_enclave_id, apache_fd);
+      	internal_return_status = decrypt_client_data(own_enclave_id, accept_fd);
       } while(internal_return_status==0);
       } while(internal_return_status==0);
       close(accept_fd);
       close(accept_fd);
       return internal_return_status;
       return internal_return_status;
-*/ 
-return 0; }
+
+      return 0; }
 };
 };

+ 6 - 3
CommonOpensslCode/Openssl_crypto.cpp

@@ -385,8 +385,10 @@ int compute_ecdsa_signature(unsigned char* signature_data, uint32_t signature_da
 		return 0;
 		return 0;
 }
 }
 
 
+// plaintext in case of decryption, should always contain the actual ciphertext length, that is, minus the tag
+// ciphertext in case of encryption consists of ciphertext plus tag and op_ciphertext_len should similarly also consist of ciphertext_length plus 16.
 // Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
 // Code adapted from here: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
-int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len, unsigned char* tag)
+int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* plaintext, uint32_t plaintext_len, unsigned char *ciphertext,  uint32_t* op_ciphertext_len)
 {
 {
 	int len;
 	int len;
 	int ciphertext_len;
 	int ciphertext_len;
@@ -419,7 +421,7 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 
 
 	if(enc == 0)
 	if(enc == 0)
         {
         {
-                if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
+                if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, plaintext + plaintext_len))
                 {
                 {
                        reset_return = EVP_CIPHER_CTX_reset(ctx);
                        reset_return = EVP_CIPHER_CTX_reset(ctx);
                        if(1 != reset_return)
                        if(1 != reset_return)
@@ -444,13 +446,14 @@ int aes_gcm_256(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
 	// Get the tag
 	// Get the tag
 	if(enc == 1)
 	if(enc == 1)
 	{
 	{
-		if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+		if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, ciphertext + ciphertext_len))
 		{
 		{
                 	reset_return = EVP_CIPHER_CTX_reset(ctx);
                 	reset_return = EVP_CIPHER_CTX_reset(ctx);
                 	if(1 != reset_return)
                 	if(1 != reset_return)
                         	return 0xF5;
                         	return 0xF5;
 	                return 0x5;
 	                return 0x5;
 		}
 		}
+		ciphertext_len += 16;
 	}
 	}
 
 
 	// Clean up //
 	// Clean up //

+ 113 - 127
Decryptor/Decryptor.cpp

@@ -29,6 +29,9 @@
  *
  *
  */
  */
 
 
+// question 1: When should I call the create_mitigator_header_H function? It can be called as early as verify_peer_enclave_trust. Or as late as when encrypt_mitigator_header_H_to_apache is called. But then you need to make sure that successful_la_count is right for that.
+// question 2: nightmare about the process_message_generate_response function.
+
 #include "Decryptor.h"
 #include "Decryptor.h"
 #include "sgx_tseal.h"
 #include "sgx_tseal.h"
 #include "sgx_tcrypto.h"
 #include "sgx_tcrypto.h"
@@ -37,15 +40,18 @@
 #include "error_codes.h"
 #include "error_codes.h"
 
 
 
 
-        ECDSASignatureBox Decryptor::signatureBox; 
-        HybridEncryptionBox Decryptor::hybridEncryptionBoxClient; 
-        SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxApache; 
+        ECDSASignatureBox Decryptor::signatureBox;
+        HybridEncryptionBox Decryptor::hybridEncryptionBoxClient;
+        SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxApache;
         SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxVerifier;
         SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxVerifier;
-        uint8_t Decryptor::verifier_mr_enclave[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; 
-        uint8_t Decryptor::apache_mr_signer[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
+        uint8_t Decryptor::verifier_mr_enclave[32] = {0};
+        uint8_t Decryptor::apache_mr_signer[32] = {0};
+        unsigned int successful_la_count;
+        uint8_t Decryptor::plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64]={0};
 
 
 
 
-   uint32_t Decryptor::create_mitigator_token_M(uint8_t* token)
+  // INTERNAL
+  uint32_t Decryptor::create_mitigator_token_M(uint8_t* token)
   {
   {
     uint32_t internal_return_status;
     uint32_t internal_return_status;
     uint32_t counter;
     uint32_t counter;
@@ -62,30 +68,50 @@
     return 0;
     return 0;
   }
   }
 
 
-  uint32_t Decryptor::create_mitigator_header_H(uint8_t* signature_data, uint8_t* signature)
+  // INTERNAL
+  uint32_t Decryptor::create_mitigator_header_H(uint8_t* signature_data_and_signature)
   {
   {
     uint32_t internal_return_status;
     uint32_t internal_return_status;
-    uint8_t local_signature[64];
-    uint8_t local_signature_data[ECDH_PUBLIC_KEY_SIZE + 32];
+    uint8_t local_signature_data_and_signature[ECDH_PUBLIC_KEY_SIZE + 32 + 64];
     uint32_t counter;
     uint32_t counter;
-    // Otherwise: DoS or possible bypass (fake verifier does LA  but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave  or whatever is in the memory.
-    if(LocalAttestationTrusted::get_one_successful_la_done() < 1)
-      return 0xde;  //  This needs to be called at any point after the first local attestation is done - else, a junk verifier mrenclave will be included in the signature
-    internal_return_status = Decryptor::create_mitigator_token_M(local_signature_data);
+    internal_return_status = Decryptor::create_mitigator_token_M(local_signature_data_and_signature);
     if(internal_return_status != 0x0)
     if(internal_return_status != 0x0)
       return internal_return_status;
       return internal_return_status;
 
 
-    internal_return_status = signatureBox.sign(local_signature_data, ECDH_PUBLIC_KEY_SIZE + 32, local_signature);
+    internal_return_status = signatureBox.sign(local_signature_data_and_signature, ECDH_PUBLIC_KEY_SIZE + 32, local_signature_and_signature + ECDH_PUBLIC_KEY_SIZE + 32);
     if(internal_return_status != 0x0)
     if(internal_return_status != 0x0)
       return internal_return_status;
       return internal_return_status;
-    for(counter=0;counter<ECDH_PUBLIC_KEY_SIZE + 32;counter++)
-      signature_data[counter] = local_signature_data[counter];
-    for(counter=0;counter<64;counter++)
-      signature[counter] = local_signature[counter];
+    for(counter=0;counter<ECDH_PUBLIC_KEY_SIZE + 32 + 64;counter++)
+      signature_data_and_signature[counter] = local_signature_data_and_signature[counter];
     return 0;
     return 0;
   }
   }
 
 
-  // done. But there might be one more return statement for the case when get_keypair returns sth (it is non void).
+  // EXTERNAL ECALL.
+  uint32_t Decryptor::encrypt_mitigator_header_H_to_apache(uint8_t* ciphertext_token_H_plus_tag)
+  {
+    	uint32_t counter;
+    	uint8_t sign_data_and_sign[ECDH_PUBLIC_KEY_SIZE + 32 + 64 + 10];
+      uint8_t temp_tag[16];
+      uint32_t temp_ciphertext_token_H_length;
+    	uint32_t internal_return_status;
+
+      if(successful_la_count != 2)
+        return 0x33;
+
+      internal_return_status = create_mitigator_header_H(plaintext_mitigator_header_H);
+      if(internal_return_status != 0)
+        return internal_return_status;
+
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_mitigator_header_H, ECDH_PUBLIC_KEY_SIZE + 32 + 64, ciphertext_token_H_plus_tag, &temp_ciphertext_token_H_length);
+      if(internal_return_status != 0)
+        return internal_return_status;
+
+      if(temp_ciphertext_token_H_length != 160)
+        return 0x45;
+    	return 0;
+    }
+
+  // INTERNAL. done. But there might be one more return statement for the case when get_keypair returns sth (it is non void).
   uint32_t Decryptor::create_long_term_signing_keypair(uint8_t* private_public_key_string)
   uint32_t Decryptor::create_long_term_signing_keypair(uint8_t* private_public_key_string)
   {
   {
     uint32_t internal_return_status;
     uint32_t internal_return_status;
@@ -97,11 +123,11 @@
     return 0;
     return 0;
   }
   }
 
 
+  // INTERNAL.
   uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length)
   uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length)
   {
   {
     uint8_t* ciphertext;
     uint8_t* ciphertext;
     uint32_t ciphertext_length;
     uint32_t ciphertext_length;
-    uint8_t* tag;
     uint32_t internal_return_status;
     uint32_t internal_return_status;
     // and now I will derive a shared key from the plaintext_client_public_key
     // and now I will derive a shared key from the plaintext_client_public_key
     internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
     internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
@@ -111,91 +137,53 @@
     // and then I will decrypt the rest of the client data with that key.
     // and then I will decrypt the rest of the client data with that key.
     ciphertext = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
     ciphertext = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
     ciphertext_length = total_length - ECDH_PUBLIC_KEY_SIZE - 16;
     ciphertext_length = total_length - ECDH_PUBLIC_KEY_SIZE - 16;
-    tag = ciphertext + ciphertext_length;
 
 
-    internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext, ciphertext_length, plaintext_client_data, plaintext_client_data_length, tag);
+    internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext, ciphertext_length, plaintext_client_data, plaintext_client_data_length);
     return internal_return_status;
     return internal_return_status;
   }
   }
 
 
-
-    // DONE.
-    uint32_t Decryptor::create_and_seal_long_term_signing_key_pair(uint32_t* sealed_data_length, uint8_t* sealed_data)
-    {
+  // EXTERNAL. DONE.
+  uint32_t Decryptor::create_and_seal_long_term_signing_key_pair(uint32_t* sealed_data_length, uint8_t* sealed_data)
+  {
         uint32_t sgx_libcall_status;
         uint32_t sgx_libcall_status;
         uint32_t internal_return_status;
         uint32_t internal_return_status;
         uint32_t temp_sealed_data_length;
         uint32_t temp_sealed_data_length;
         uint8_t* temp_sealed_data;
         uint8_t* temp_sealed_data;
         uint8_t private_public_key_string[ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE];
         uint8_t private_public_key_string[ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE];
         uint32_t counter;
         uint32_t counter;
-	
+
         temp_sealed_data_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE);
         temp_sealed_data_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE);
         if(temp_sealed_data_length == 0xFFFFFFFF)
         if(temp_sealed_data_length == 0xFFFFFFFF)
           return 0x01;
           return 0x01;
 
 
-	
+
         temp_sealed_data = (uint8_t*) malloc(temp_sealed_data_length);
         temp_sealed_data = (uint8_t*) malloc(temp_sealed_data_length);
-	
+
         internal_return_status = create_long_term_signing_keypair(private_public_key_string);
         internal_return_status = create_long_term_signing_keypair(private_public_key_string);
-	if(internal_return_status != 0)
-	{
-		free(temp_sealed_data); 
-		return internal_return_status;
-	}
-	
-/*	for(counter=0; counter<temp_sealed_data_length; counter++) 
-		temp_sealed_data[counter]=counter;
- */	
+      	if(internal_return_status != 0)
+      	{
+      		free(temp_sealed_data);
+      		return internal_return_status;
+      	}
+
         sgx_libcall_status = sgx_seal_data(0, NULL, 3*SGX_ECP256_KEY_SIZE, private_public_key_string, temp_sealed_data_length, (sgx_sealed_data_t*) temp_sealed_data);
         sgx_libcall_status = sgx_seal_data(0, NULL, 3*SGX_ECP256_KEY_SIZE, private_public_key_string, temp_sealed_data_length, (sgx_sealed_data_t*) temp_sealed_data);
         if(sgx_libcall_status != SGX_SUCCESS)
         if(sgx_libcall_status != SGX_SUCCESS)
         {
         {
           free(temp_sealed_data);
           free(temp_sealed_data);
           return sgx_libcall_status;
           return sgx_libcall_status;
         }
         }
-	
+
         for(counter=0;counter<temp_sealed_data_length;counter++)
         for(counter=0;counter<temp_sealed_data_length;counter++)
     			*(sealed_data + counter)= *(temp_sealed_data + counter);
     			*(sealed_data + counter)= *(temp_sealed_data + counter);
-	*sealed_data_length = temp_sealed_data_length;
+	      *sealed_data_length = temp_sealed_data_length;
         free(temp_sealed_data);
         free(temp_sealed_data);
-	
-        return 0;
-    }
 
 
-    // DONE.
-    uint32_t Decryptor::create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag)
-    {
-    	uint32_t counter;
-    	uint8_t sign_data_and_sign[ECDH_PUBLIC_KEY_SIZE + 32 + 64];
-      uint8_t temp_ciphertext_token_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64 + 10];
-      uint8_t temp_tag[16];
-      uint32_t temp_ciphertext_token_H_length;
-    	uint32_t internal_return_status;
-
-      internal_return_status = create_mitigator_header_H(sign_data_and_sign, sign_data_and_sign + ECDH_PUBLIC_KEY_SIZE + 32);
-    	if(internal_return_status != 0)
-      	return internal_return_status;
-
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, sign_data_and_sign, ECDH_PUBLIC_KEY_SIZE + 32 + 64, temp_ciphertext_token_H, &temp_ciphertext_token_H_length, temp_tag);
-      if(internal_return_status != 0)
-        return internal_return_status;
-
-      if(temp_ciphertext_token_H_length != 160)
-        return 0x45;
-
-      for(counter=0; counter<160; counter++)
-      {
-        *(ciphertext_token_H_plus_tag + counter) = *(temp_ciphertext_token_H + counter);
-      }
-      for(counter=0; counter<16; counter++)
-      {
-        *(ciphertext_token_H_plus_tag + counter) = *(temp_tag + counter);
-      }
-
-    	return 0;
+        return 0;
     }
     }
 
 
-    // DONE.
-    uint32_t Decryptor::unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length)
-    {
+  // EXTERNAL. DONE.
+  uint32_t Decryptor::unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length)
+  {
       uint32_t temp_plaintext_length;
       uint32_t temp_plaintext_length;
       uint8_t* temp_plaintext;
       uint8_t* temp_plaintext;
       uint32_t counter;
       uint32_t counter;
@@ -224,39 +212,45 @@
       return 0;
       return 0;
     }
     }
 
 
-    // DONE.
-    uint32_t Decryptor::decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext_plus_tag)
-    {
-      uint8_t temp_apache_mrsigner[32+10];
-      uint32_t temp_apache_mrsigner_length;
-      uint32_t internal_return_status;
-      uint32_t counter;
-      uint8_t* tag;
-
-      tag = ciphertext_plus_tag + 32;
-      internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, ciphertext_plus_tag, 32, temp_apache_mrsigner, &temp_apache_mrsigner_length, tag);
-      if(internal_return_status != 0)
-        return internal_return_status;
-      if(temp_apache_mrsigner_length != 32)
-        return 0x33;
+  uint32_t Decryptor::process_verifiers_message(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length)
+  {
+        uint8_t *first_decryption_output, *plaintext_client_data, *temp_output_ciphertext;
+        uint32_t first_decryption_output_length, plaintext_client_data_length;
+        uint32_t temp_output_ciphertext_length, internal_return_status;
+        uint8_t temp_output_tag[16]; uint32_t counter;
+        if(successful_la_count != 1) // else, the untrusted application can call this on the first message by apache and cause the verifier to set its mrsigner.
+          return 0x23;
+        // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
+        first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
+        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length - 16, first_decryption_output, &first_decryption_output_length);
+        if(internal_return_status != 0)
+        {
+          free(first_decryption_output);
+          return internal_return_status;
+        }
 
 
-      for(counter=0; counter<32; counter++)
-      {
-        apache_mr_signer[counter] = *(temp_apache_mrsigner + counter);
-      }
-      return 0;
-    }
+        if(first_decryption_output_length != 32)
+        {
+          free(first_decryption_output);
+          return 0x33;
+        }
+        for(counter=0; counter<32; counter++)
+        {
+          apache_mr_signer[counter] = *(first_decryption_output + counter);
+        }
+        free(first_decryption_output);
+        return 0;
+  }
 
 
-    // DONE.
-    uint32_t Decryptor::process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext_plus_tag, uint32_t* output_ciphertext_plus_tag_length)
-    {
-      uint8_t *first_decryption_output, *plaintext_client_data, *temp_output_ciphertext;
+  // EXTERNAL. DONE.
+  uint32_t Decryptor::process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext_plus_tag, uint32_t* output_ciphertext_plus_tag_length)
+  {
+      uint8_t *first_decryption_output, *plaintext_client_data;
       uint32_t first_decryption_output_length, plaintext_client_data_length;
       uint32_t first_decryption_output_length, plaintext_client_data_length;
-	uint32_t temp_output_ciphertext_length, internal_return_status;
-      uint8_t temp_output_tag[16]; uint32_t counter; 
+      uint32_t internal_return_status;
       // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
       // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
       first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
       first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length, first_decryption_output, &first_decryption_output_length, input_ciphertext + input_ciphertext_plus_tag_length - 16);
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length - 16, first_decryption_output, &first_decryption_output_length);
       if(internal_return_status != 0)
       if(internal_return_status != 0)
       {
       {
         free(first_decryption_output);
         free(first_decryption_output);
@@ -269,33 +263,24 @@
       if(internal_return_status != 0)
       if(internal_return_status != 0)
         return internal_return_status;
         return internal_return_status;
 
 
-      temp_output_ciphertext = (uint8_t*) malloc(plaintext_client_data_length + 20);
       // then I will encrypt the resulting first_decryption_output to the apache enclave.
       // then I will encrypt the resulting first_decryption_output to the apache enclave.
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, temp_output_ciphertext, &temp_output_ciphertext_length, temp_output_tag);
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
       free(plaintext_client_data);
       free(plaintext_client_data);
       if(internal_return_status != 0)
       if(internal_return_status != 0)
-      {
-        free(temp_output_ciphertext);
         return internal_return_status;
         return internal_return_status;
-      }
-
-      for(counter=0; counter<temp_output_ciphertext_length; counter++)
-        output_ciphertext_plus_tag[counter] = temp_output_ciphertext[counter];
-      free(temp_output_ciphertext);
-      for(counter=0; counter<16;counter++)
-	output_ciphertext_plus_tag[counter] = temp_output_tag[counter];
-      *output_ciphertext_plus_tag_length = temp_output_ciphertext_length + 16;
       return 0;
       return 0;
     }
     }
 
 
-uint32_t Decryptor::verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t* given_mr_signer, uint8_t* dhaek)
-{
-        uint32_t count; 
-        if(LocalAttestationTrusted::get_one_successful_la_done() == 0)
+  // INTERNAL.
+  uint32_t Decryptor::verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t* given_mr_signer, uint8_t* dhaek)
+  {
+        uint32_t count;
+        uint32_t internal_return_status;
+        if(successful_la_count == 0) // verifier enclave
         {
         {
                 for(count=0; count<SGX_HASH_SIZE; count++)
                 for(count=0; count<SGX_HASH_SIZE; count++)
                         verifier_mr_enclave[count] = given_mr_enclave[count];
                         verifier_mr_enclave[count] = given_mr_enclave[count];
-		symmetricEncryptionBoxVerifier.set_symmetric_key(dhaek); 
+		            symmetricEncryptionBoxVerifier.set_symmetric_key(dhaek);
         }
         }
         else // apache enclave
         else // apache enclave
         {
         {
@@ -304,12 +289,13 @@ uint32_t Decryptor::verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t
                         if( given_mr_signer[count] != apache_mr_signer[count] )
                         if( given_mr_signer[count] != apache_mr_signer[count] )
                                 return ENCLAVE_TRUST_ERROR;
                                 return ENCLAVE_TRUST_ERROR;
                 }
                 }
-		symmetricEncryptionBoxApache.set_symmetric_key(dhaek); 
+		            symmetricEncryptionBoxApache.set_symmetric_key(dhaek);
         }
         }
+        successful_la_count ++;
         return SGX_SUCCESS;
         return SGX_SUCCESS;
   }
   }
 
 
-void Decryptor::calculate_sealed_keypair_size(uint32_t* output_length)
-{
-	*output_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE); 
-} 
+  void Decryptor::calculate_sealed_keypair_size(uint32_t* output_length)
+  {
+	*output_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE);
+}

+ 13 - 37
Decryptor/DecryptorWrapper.cpp

@@ -1,57 +1,33 @@
 #include <stdint.h>
 #include <stdint.h>
 #include "Decryptor.h"
 #include "Decryptor.h"
-#include "Decryptor_t.h" 
-/*void initialize()
-{
-	ECDSASignatureBox Decryptor::signatureBox(); 
-	HybridEncryptionBox Decryptor::hybridEncryptionBoxClient(); 
-	SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxApache(); 
-	SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxVerifier();
-	uint8_t Decryptor::verifier_mr_enclave = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; 
-	uint8_t Decryptor::apache_mr_signer = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
-}
-*/
-uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
+#include "Decryptor_t.h"
+
+uint32_t process_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
 {
 {
-  return Decryptor::process_apache_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
+  return Decryptor::process_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
 }
 }
 
 
-uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper(uint8_t* ciphertext_plus_tag)
+uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length)//, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length)
 {
 {
-  return Decryptor::decrypt_verifiers_message_set_apache_mrsigner(ciphertext_plus_tag);
+  return Decryptor::process_verifiers_message(input_ciphertext, input_ciphertext_plus_tag_length);
 }
 }
 
 
-uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length)
+uint32_t encrypt_mitigator_header_H_to_apache_wrapper(uint8_t* ciphertext_token_H_plus_tag)
 {
 {
-  return Decryptor::unseal_and_restore_long_term_signing_key_pair(sealed_data, sgx_sealed_data_length);
+  return Decryptor::encrypt_mitigator_header_H_to_apache(ciphertext_token_H_plus_tag);
 }
 }
 
 
 void calculate_sealed_keypair_size_wrapper(uint32_t* length)
 void calculate_sealed_keypair_size_wrapper(uint32_t* length)
 {
 {
-  Decryptor::calculate_sealed_keypair_size(length); 
+  Decryptor::calculate_sealed_keypair_size(length);
 }
 }
 
 
-uint32_t create_and_encrypt_mitigator_header_H_wrapper(uint8_t* ciphertext_token_H_plus_tag)
+uint32_t create_and_seal_long_term_signing_key_pair_wrapper(uint32_t* sealed_data_length, uint8_t* sealed_data)
 {
 {
-  return Decryptor::create_and_encrypt_mitigator_header_H(ciphertext_token_H_plus_tag);
+     return Decryptor::create_and_seal_long_term_signing_key_pair(sealed_data_length, sealed_data);
 }
 }
 
 
-uint32_t create_and_seal_long_term_signing_key_pair_wrapper(uint32_t* sealed_data_length, uint8_t* sealed_data)
+uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length)
 {
 {
-/*	uint32_t counter;
-        for(counter=0; counter< 0x290; counter++) 
-                sealed_data[counter]=counter;
-	return 0; 
-*/
-/*
-	uint8_t* temp_sealed_data = (uint8_t*) malloc(0x300); 
-	uint32_t temp_sealed_data_length; 
-*/       return Decryptor::create_and_seal_long_term_signing_key_pair(sealed_data_length, sealed_data);
-
-/*	uint32_t counter;
-	for(counter=0; counter<temp_sealed_data_length; counter++)
-		sealed_data[counter] = temp_sealed_data[counter]; 
-	*sealed_data_length = temp_sealed_data_length; 
-        return ret_status; 
-*/
+  return Decryptor::unseal_and_restore_long_term_signing_key_pair(sealed_data, sgx_sealed_data_length);
 }
 }

+ 2 - 3
Decryptor/SymmetricEncryptionBox.cpp

@@ -35,11 +35,10 @@
     }
     }
 
 
   // TODO: IMPORTANT - CHECK IF WE NEED TO DO THE AES GCM INCREMENT IV FOR DECRYPTION TOO.
   // TODO: IMPORTANT - CHECK IF WE NEED TO DO THE AES GCM INCREMENT IV FOR DECRYPTION TOO.
-  uint32_t SymmetricEncryptionBox::encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length, uint8_t* tag)
+  uint32_t SymmetricEncryptionBox::encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
   {
   {
-    uint32_t return_status = aes_gcm_256(enc, symmetric_key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length, tag);
+    uint32_t return_status = aes_gcm_256(enc, symmetric_key, iv, plaintext, plaintext_length, ciphertext, ciphertext_length);
     if(return_status == 0)
     if(return_status == 0)
       aes_gcm_increment_iv_internal_call(iv);
       aes_gcm_increment_iv_internal_call(iv);
     return return_status;
     return return_status;
   }
   }
-

+ 5 - 5
Include/DecryptorWrapper.h

@@ -1,6 +1,6 @@
-#include <stdint.h> 
-uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length); 
-uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper(uint8_t* ciphertext_plus_tag);
+#include <stdint.h>
+uint32_t encrypt_mitigator_header_H_to_apache_wrapper(uint8_t* ciphertext_token_H_plus_tag);
+uint32_t create_and_seal_long_term_signing_key_pair_wrapper(uint32_t* sealed_data_length, uint8_t* sealed_data);
 uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length);
 uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length);
-uint32_t create_and_encrypt_mitigator_header_H_wrapper(uint8_t* ciphertext_token_H_plus_tag); 
-uint32_t create_and_seal_long_term_signing_key_pair_wrapper(uint32_t* sealed_data_length, uint8_t* sealed_data); 
+uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
+uint32_t process_verifiers_message(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length);

+ 0 - 13
Include/LocalAttestationTrusted.h

@@ -42,22 +42,9 @@
 
 
 class LocalAttestationTrusted {
 class LocalAttestationTrusted {
   static dh_session_t global_session_info;
   static dh_session_t global_session_info;
-  static uint32_t global_session_id;
-  static uint32_t one_successful_la_done;
-  static sgx_ecc_state_handle_t ecc_state;
 public:
 public:
     static uint32_t session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id);
     static uint32_t session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id);
     static uint32_t exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t* session_id);
     static uint32_t exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t* session_id);
-    static uint32_t get_one_successful_la_done(); 
-
-//    LocalAttestationTrusted();
 };
 };
 
 
-//	dh_session_t LocalAttestationTrusted::global_session_info; 
-//	uint32_t LocalAttestationTrusted::one_successful_la_done=0; 
-
-//#ifdef __cplusplus
-//}
-//#endif
-
 #endif
 #endif

+ 4 - 5
Include/LocalAttestationUntrusted.h

@@ -15,8 +15,6 @@ using namespace google::protobuf::io;
 
 
 
 
 class LocalAttestationUntrusted {
 class LocalAttestationUntrusted {
-  static int server_fd;
-  static int accept_fd;
   static   uint32_t session_id;
   static   uint32_t session_id;
   static protobuf_sgx_dh_msg1_t protobuf_msg1;
   static protobuf_sgx_dh_msg1_t protobuf_msg1;
 
 
@@ -26,8 +24,9 @@ class LocalAttestationUntrusted {
   static int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message);
   static int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message);
   static int set_up_socket(int port,   sockaddr_in* address);
   static int set_up_socket(int port,   sockaddr_in* address);
 public:
 public:
-  static int prepare_local_attestation_as_responder_fd_and_msg1(uint32_t own_enclave_id, int port);
+  int setup_socket_for_local_attestation_requests(int port);
+  static int prepare_local_attestation_as_responder_msg1(uint32_t own_enclave_id, int port);
   static int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd);
   static int local_attestation_as_responder_msg2_msg3(uint32_t own_enclave_id, int server_fd);
-  static int post_local_attestation_with_verifier(uint32_t own_enclave_id);
-  static int post_local_attestation_with_apache(uint32_t own_enclave_id);
+  static int post_local_attestation_with_verifier(uint32_t own_enclave_id, int apache_fd);
+  static int post_local_attestation_with_apache(uint32_t own_enclave_id, int apache_fd);
 };
 };

+ 3 - 26
LocalAttestationCode/LocalAttestationTrusted.cpp

@@ -31,21 +31,15 @@
 
 
 // #include <stdint.h>
 // #include <stdint.h>
 #include "LocalAttestationTrusted.h"
 #include "LocalAttestationTrusted.h"
-#include "Decryptor.h" 
+#include "Decryptor.h"
 #include "error_codes.h"
 #include "error_codes.h"
 #include "datatypes.h"
 #include "datatypes.h"
 #include "sgx_tcrypto.h"
 #include "sgx_tcrypto.h"
 #include "sgx_dh.h"
 #include "sgx_dh.h"
 
 
-      dh_session_t LocalAttestationTrusted::global_session_info; 
-      uint32_t LocalAttestationTrusted::one_successful_la_done=0; 
+      dh_session_t LocalAttestationTrusted::global_session_info;
 
 
 
 
-uint32_t LocalAttestationTrusted::get_one_successful_la_done()
-{
-  return one_successful_la_done;
-}
-
 //Handle the request from Source Enclave for a session
 //Handle the request from Source Enclave for a session
 uint32_t LocalAttestationTrusted::session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
 uint32_t LocalAttestationTrusted::session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
 {
 {
@@ -108,8 +102,6 @@ uint32_t LocalAttestationTrusted::exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh
     	verify_return = Decryptor::verify_peer_enclave_trust(initiator_identity.mr_enclave.m, initiator_identity.mr_signer.m, dh_aek);
     	verify_return = Decryptor::verify_peer_enclave_trust(initiator_identity.mr_enclave.m, initiator_identity.mr_signer.m, dh_aek);
         if(verify_return != 0)
         if(verify_return != 0)
          return verify_return;
          return verify_return;
-	else
-		one_successful_la_done++; 
 
 
         /*
         /*
         //save the session ID, status and initialize the session nonce
         //save the session ID, status and initialize the session nonce
@@ -119,20 +111,5 @@ uint32_t LocalAttestationTrusted::exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh
         memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
         memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
         memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
         memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
         */
         */
-        return status;
+        return 0;
     }
     }
-/*
-void LocalAttestationTrusted::get_verifier_mr_enclave(uint8_t* op_mr_enclave)
-{
-  uint32_t counter;
-  for(counter=0; counter<32; counter++)
-    op_mr_enclave[counter] = verifier_mr_enclave[counter];
-}
-
-void LocalAttestationTrusted::set_apache_mr_signer(uint8_t* ip_mr_signer)
-{
-  uint32_t counter;
-  for(counter=0; counter<32; counter++)
-    apache_mr_signer[counter] = ip_mr_signer[counter];
-}
-*/

BIN
sealed_signing_key.txt