Old uncommited code - instrumentation for timing.

App/LocalAttestationUntrusted.cpp

@@ -15,10 +15,14 @@ using namespace google::protobuf::io;
 #include "../Decryptor/Decryptor_u.h"
 #include <iostream>
 #include "LocalAttestationUntrusted.h"
+#include<sys/time.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 
   uint32_t LocalAttestationUntrusted::session_id=0;
   protobuf_sgx_dh_msg1_t LocalAttestationUntrusted::protobuf_msg1;
-
+  uint8_t* LocalAttestationUntrusted::output_ciphertext_plus_tag=NULL;
 
 
   int LocalAttestationUntrusted::read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message)
@@ -131,58 +135,58 @@ using namespace google::protobuf::io;
     return 0;
   }
 
-  int LocalAttestationUntrusted::decrypt_client_data(uint32_t own_enclave_id, int fd)
+  int LocalAttestationUntrusted::decrypt_client_data(uint32_t own_enclave_id, int fd, uint8_t* output_ciphertext_plus_tag, uint8_t* input_ciphertext_plus_tag, int time_file_fd)
   {
     protobuf_post_LA_encrypted_msg_t protobuf_msg;
+    protobuf_post_LA_encrypted_msg_t protobuf_msg_response; 
     unsigned char* protobuf_msg_ptr;
     uint32_t sgx_ret_status=0;
-    uint8_t* input_ciphertext_plus_tag;
     uint32_t input_ciphertext_plus_tag_length;
-  	uint8_t* output_ciphertext_plus_tag;
     uint32_t output_ciphertext_plus_tag_length;
-    int counter;
-
+    struct timeval  tv1, tv2;
+    char time_buf[60] = {0};
+    size_t bytes_written;
+    unsigned long int new_time, old_time; 
+    uint32_t count; 
     if(read_protobuf_msg_from_fd(fd, protobuf_msg)!=0)
-    {
-//	printf("Could not read apache's message post-local attestation\n"); fflush(stdout);
       return 0xfe;
-    }
-//    printf("Clients data\n"); fflush(stdout); 
+      gettimeofday(&tv1, NULL);
 
     input_ciphertext_plus_tag_length = protobuf_msg.msg().length();
-    input_ciphertext_plus_tag = (uint8_t*) malloc(1000); //malloc(input_ciphertext_plus_tag_length);
-    output_ciphertext_plus_tag = (uint8_t*) malloc(1000); //malloc(input_ciphertext_plus_tag_length); 
     protobuf_msg_ptr = (uint8_t*) protobuf_msg.msg().c_str();
 
-    for(counter=0; counter<input_ciphertext_plus_tag_length; counter++)
-    {
-      input_ciphertext_plus_tag[counter] = *(protobuf_msg_ptr + counter);
-//	printf("0x%02x ", input_ciphertext_plus_tag[counter]); 
-    }
     // Just so that the ciphertext - client data - is returned back to Apache in case this function fails.
-    // client data is after public key (64 bytes) + signature (64 bytes) = 128 bytes.
-    for(counter=0; counter<input_ciphertext_plus_tag_length-64; counter++)
-  		output_ciphertext_plus_tag[counter] = input_ciphertext_plus_tag[counter+64];
-	output_ciphertext_plus_tag_length=input_ciphertext_plus_tag_length - 64;
-        protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length); 
+    // client data is after public key (64 bytes) 
+    protobuf_msg_response.set_msg((void*)  protobuf_msg_ptr + 64, input_ciphertext_plus_tag_length - 64);
     
+    for(count=0;count<input_ciphertext_plus_tag_length;count++)
+    {
+	input_ciphertext_plus_tag[count]=protobuf_msg_ptr[count]; 
+    }
+
     // We assume that the output is not changed unless it is successful throughout.
     Decryptor_process_apache_message_generate_response_wrapper(own_enclave_id, &sgx_ret_status, input_ciphertext_plus_tag, input_ciphertext_plus_tag_length, output_ciphertext_plus_tag, &output_ciphertext_plus_tag_length);
-    free(input_ciphertext_plus_tag);
       if(sgx_ret_status==0)
       {
-      	protobuf_msg.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
+      	protobuf_msg_response.set_msg((void*)  output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
       }
-//	else
-//		        printf("\n0x%02x\n", sgx_ret_status); 
-
-/*	printf("Returning this: \n"); 
-	for(counter=0;counter<output_ciphertext_plus_tag_length;counter++)
-		printf("%02x ",output_ciphertext_plus_tag[counter]); 
-	printf("\n"); */
-       free(output_ciphertext_plus_tag);
-     if(write_protobuf_msg_to_fd(fd, protobuf_msg)!=0)
-          return 0xfc;
+        else
+	{
+		printf("\n Error in decryptors call to the process_apache wrapper : 0x%02x\n", sgx_ret_status); 
+		for(count=0;count<output_ciphertext_plus_tag_length;count++)
+			printf("0x%02x ", output_ciphertext_plus_tag[count]); 
+		printf("\n"); fflush(stdout); 
+	}
+
+     if(write_protobuf_msg_to_fd(fd, protobuf_msg_response)!=0)
+     	     return 0xfc;
+
+     gettimeofday(&tv2, NULL);
+     new_time=tv2.tv_usec + tv2.tv_sec * 1000000; 
+     old_time=tv1.tv_usec + tv1.tv_sec * 1000000; 
+     bytes_written=sprintf(time_buf,  "%lu %lu\n", old_time, new_time); 
+     write(time_file_fd, time_buf, bytes_written);
+
   	return 0;
 
   }
@@ -229,23 +233,23 @@ using namespace google::protobuf::io;
     int LocalAttestationUntrusted::post_local_attestation_with_verifier(uint32_t own_enclave_id, int accept_fd)
     {
       uint32_t protobuf_sgx_ret;
-      uint8_t encrypted_apache_mrsigner_and_tag[48];
+      uint8_t encrypted_apache_mrsigner_and_tag[150];
       size_t bytes_read;
 	int count; 
       printf("Here\n"); fflush(stdout);
-      bytes_read=read(accept_fd, encrypted_apache_mrsigner_and_tag, 48);
-    	if(bytes_read!=48)
+      bytes_read=read(accept_fd, encrypted_apache_mrsigner_and_tag, 60);
+    	if(bytes_read!=60)
      	{
            	printf("Not all of the encrypted apache's mrsigner was read from the verifier.\n"); fflush(stdout);
             close(accept_fd);
             return 0xfe;
      	}
 
-      for(count=0;count<48;count++)
+      for(count=0;count<60;count++)
     	  printf("0x%02x ", encrypted_apache_mrsigner_and_tag[count]);
       printf("\n");fflush(stdout);
 
-      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &protobuf_sgx_ret, encrypted_apache_mrsigner_and_tag);
+      Decryptor_process_verifiers_message_wrapper(own_enclave_id, &protobuf_sgx_ret, encrypted_apache_mrsigner_and_tag, 60);
       if(protobuf_sgx_ret!=0)
     	{
         printf("Error in decryption: 0x%x\n", protobuf_sgx_ret); fflush(stdout);
@@ -274,13 +278,14 @@ using namespace google::protobuf::io;
     int LocalAttestationUntrusted::post_local_attestation_with_apache(uint32_t own_enclave_id, int accept_fd)
     {
       protobuf_post_LA_encrypted_msg_t protobuf_encrypted_msg;
-      uint8_t encrypted_sign_data_and_sign_and_tag[176];
-  	  memset(encrypted_sign_data_and_sign_and_tag,0x0,176);
+      uint8_t encrypted_sign_data_and_sign_and_tag[200]; // 176+12 for IV = 188
+	uint32_t op_length;
+  	  memset(encrypted_sign_data_and_sign_and_tag,0x0,200);
 	    uint32_t internal_return_status;
 	    uint32_t count;
 	    uint32_t sgx_ret;
 
-        Decryptor_create_and_encrypt_mitigator_header_H_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag);
+        Decryptor_create_and_encrypt_mitigator_header_H_wrapper(own_enclave_id, &sgx_ret, encrypted_sign_data_and_sign_and_tag, &op_length);
       	if(sgx_ret!=0)
       	{
       		printf("Error in generating encrypted mitigator header:0x%x\n", sgx_ret); fflush(stdout);
@@ -288,13 +293,13 @@ using namespace google::protobuf::io;
           return 0xf3;
       	}
 
-      	for(count=0;count<176;count++)
+      	for(count=0;count<op_length;count++)
       	{
       		printf("0x%02x ", encrypted_sign_data_and_sign_and_tag[count]);
       	}
       	printf("\n"); fflush(stdout);
 
-      	protobuf_encrypted_msg.set_msg((void*)encrypted_sign_data_and_sign_and_tag, 176);
+      	protobuf_encrypted_msg.set_msg((void*)encrypted_sign_data_and_sign_and_tag, op_length);
       	if(write_protobuf_msg_to_fd(accept_fd, protobuf_encrypted_msg) != 0)
         {
           printf("Not all of the mitigator token H was written to the Apache.\n"); fflush(stdout);
@@ -306,12 +311,20 @@ using namespace google::protobuf::io;
 	for(count=0;count<64;count++)
 		printf("%02x ",public_key[count]); 
 	printf("\n"); fflush(stdout);
+	
+        uint8_t* output_ciphertext_plus_tag = (uint8_t*) malloc(4100); // 12 bytes for ciphertext iv + 16 bytes for ciphertext tag = 28 byte 
+	uint8_t* input_ciphertext_plus_tag = (uint8_t*) malloc(4100); 
+
+	int time_file_fd=open("decryptor_time.txt", O_APPEND | O_WRONLY);
 
   	  do {
-      	internal_return_status = decrypt_client_data(own_enclave_id, accept_fd);
+      	internal_return_status = decrypt_client_data(own_enclave_id, accept_fd, output_ciphertext_plus_tag, input_ciphertext_plus_tag, time_file_fd);
       } while(internal_return_status==0);
+
+
       close(accept_fd);
+	free(output_ciphertext_plus_tag); 
+	free(input_ciphertext_plus_tag);
       return internal_return_status;
-
-      return 0; }
+}
 

CommonOpensslCode/Openssl_crypto.cpp

@@ -24,7 +24,7 @@ int generate_sha256_hash(const unsigned char *message, size_t message_len, unsig
 	if(EVP_DigestFinal_ex(mdctx, digest, &digest_len) != 1)
 		return 0x4;
 
-	if(digest_len != 32)
+	if(digest_en != 32)
 		return 0x5;
 
 	EVP_MD_CTX_destroy(mdctx);
@@ -55,7 +55,7 @@ int ecdh_key_gen(unsigned char* public_key_x, unsigned char* public_key_y, unsig
 	if (0 == EC_KEY_set_group (keypair, ecdh_group)) {
 		EC_KEY_free(keypair);
 		EC_GROUP_free(ecdh_group);
-		return 0x43;
+		return 0x66;
 	}
 
 	// TODO: Check return values.
@@ -416,7 +416,7 @@ int aes_gcm_128(int enc, unsigned char *key, unsigned char *iv, unsigned char* p
                 reset_return = EVP_CIPHER_CTX_reset(ctx);
 	        if(1 != reset_return)
 			return 0xF3;
-		return 0x3;
+		return ERR_get_error();
 	}
 	ciphertext_len = len;
 	

Decryptor/Decryptor.cpp

@@ -29,9 +29,6 @@
  *
  */
 
-// question 1: When should I call the create_mitigator_header_H function? It can be called as early as verify_peer_enclave_trust. Or as late as when encrypt_mitigator_header_H_to_apache is called. But then you need to make sure that successful_la_count is right for that.
-// question 2: nightmare about the process_message_generate_response function.
-
 #include "Decryptor.h"
 #include "sgx_tseal.h"
 #include "sgx_tcrypto.h"
@@ -48,6 +45,8 @@
         uint8_t Decryptor::apache_mr_signer[32] = {0};
         unsigned int successful_la_count;
         uint8_t Decryptor::plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64] = {0};
+        uint8_t Decryptor::first_decryption_output[1092] = {0};
+        uint8_t Decryptor::plaintext_client_data[1000] = {0};
 
 
   // INTERNAL
@@ -87,9 +86,9 @@
   }
 
   // EXTERNAL ECALL.
-  uint32_t Decryptor::create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag)
+  uint32_t Decryptor::create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag, uint32_t* op_length)
   {
-      uint32_t temp_ciphertext_token_H_plus_tag_length;
+      uint32_t temp_ciphertext_token_H_iv_tag_length;
     	uint32_t internal_return_status;
         uint8_t plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64] = {0x42};
 
@@ -100,8 +99,9 @@
       if(internal_return_status != 0)
         return internal_return_status;
 
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_mitigator_header_H, ECDH_PUBLIC_KEY_SIZE + 32 + 64, ciphertext_token_H_plus_tag, &temp_ciphertext_token_H_plus_tag_length);
-    	return 0;
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_mitigator_header_H, ECDH_PUBLIC_KEY_SIZE + 32 + 64, ciphertext_token_H_plus_tag, &temp_ciphertext_token_H_iv_tag_length);
+	*op_length = temp_ciphertext_token_H_iv_tag_length;
+    	return internal_return_status;
     }
 
   // INTERNAL. done. But there might be one more return statement for the case when get_keypair returns sth (it is non void).
@@ -122,15 +122,12 @@
     uint8_t* ciphertext_plus_tag;
     uint32_t ciphertext_plus_tag_length;
     uint32_t internal_return_status;
-    // and now I will derive a shared key from the plaintext_client_public_key
+
+    // I will derive a shared key from the plaintext_client_public_key
     internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
     if(internal_return_status != 0)
       return internal_return_status;
 
-//    hybridEncryptionBoxClient.get_symmetric_key(plaintext_client_data); 
-//    *plaintext_client_data_length = 16; 
-//    return 0; 
-
     // and then I will decrypt the rest of the client data with that key.
     ciphertext_plus_tag = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
     ciphertext_plus_tag_length = total_length - ECDH_PUBLIC_KEY_SIZE;
@@ -218,16 +215,16 @@
       return 0;
     }
 
-  uint32_t Decryptor::process_verifiers_message(uint8_t* input_ciphertext_plus_tag)
+  uint32_t Decryptor::process_verifiers_message(uint8_t* input_ciphertext_plus_tag, uint32_t length)
   {
-        uint8_t first_decryption_output[48];
+        uint8_t first_decryption_output[150];
         uint32_t first_decryption_output_length;
         uint32_t  internal_return_status;
         uint32_t counter;
         if(successful_la_count != 1) // else, the untrusted application can call this on the first message by apache and cause the verifier to set its mrsigner.
           return 0x23;
 
-        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext_plus_tag, 48, first_decryption_output, &first_decryption_output_length);
+        internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, input_ciphertext_plus_tag, length, first_decryption_output, &first_decryption_output_length);
         if(internal_return_status != 0)
 	  return internal_return_status;
 	
@@ -244,30 +241,21 @@
   // EXTERNAL. DONE.
   uint32_t Decryptor::process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext_plus_tag, uint32_t* output_ciphertext_plus_tag_length)
   {
-      uint8_t *first_decryption_output, *plaintext_client_data, *final_encryption_output;
-      uint32_t first_decryption_output_length, plaintext_client_data_length, final_encryption_output_length;
-      uint32_t internal_return_status, counter;
+      uint32_t first_decryption_output_length, plaintext_client_data_length;
+      uint32_t internal_return_status;
       // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
-      first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
+      // first, I decrypt the message from the target enclave, to get the client's public key and ciphertext data (and tag and IV) 
       internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length, first_decryption_output, &first_decryption_output_length);
       if(internal_return_status != 0)
-      {
-        free(first_decryption_output);
-        return internal_return_status;
-     }
-
-      plaintext_client_data = (uint8_t*) malloc(first_decryption_output_length); // you will need less than this coz public key size.
+      	return internal_return_status;
+	
+	// then I obtain the plaintext client data, using the client's public key and own key to ultimately decrypt the client's ciphertext data
       internal_return_status = initialize_symmetric_key_decrypt_client_data(first_decryption_output, first_decryption_output_length, plaintext_client_data, &plaintext_client_data_length);
-      free(first_decryption_output);
       if(internal_return_status != 0)
-      {
-	free(plaintext_client_data); 
         return internal_return_status;
-      }
 
-      // then I will encrypt the resulting first_decryption_output to the apache enclave.
-      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, output_ciphertext_plus_tag, output_ciphertext_plus_tag_length);
-      free(plaintext_client_data);
+      // then I will encrypt the plaintext data to the target enclave.
+      internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, output_ciphertext_plus_tag, output_ciphertext_plus_tag_length); 
 	return internal_return_status; 
     }
 
@@ -314,3 +302,9 @@
 	{
 		hybridEncryptionBoxClient.get_public_key(output); 
 	}
+
+
+void Decryptor::testing_get_apache_iv(uint8_t* op)
+{
+	//	symmetricEncryptionBoxApache.get_iv(op);
+}

Decryptor/Decryptor.edl

@@ -40,15 +40,16 @@ enclave {
       #define SEALED_SIZE 656  // =0x300 (0x290 is the size of the sealed message when both the public(0x40) and private key(0x20) are included)
       public uint32_t create_and_seal_long_term_signing_key_pair_wrapper([out, size=4] uint32_t* sealed_data_length, [out,size=SEALED_SIZE] uint8_t* sealed_data);
       public uint32_t unseal_and_restore_long_term_signing_key_pair_wrapper([in, size=SEALED_SIZE] uint8_t* sealed_data, [in, size=4] uint32_t* sgx_sealed_data_length);
-      public uint32_t create_and_encrypt_mitigator_header_H_wrapper([out, size=176] uint8_t* ciphertext_token_H_plus_tag);
+      public uint32_t create_and_encrypt_mitigator_header_H_wrapper([out, size=200] uint8_t* ciphertext_token_H_plus_tag, [out] uint32_t* length); // would be 188 in length
       // Apache mrsigner = 32 bytes + tag on encryption = 16 bytes.
-      // public uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper([in, size=48] uint8_t* ciphertext_plus_tag);
+      // public uint32_t decrypt_verifiers_message_set_apache_mrsigner_wrapper([in, size=60] uint8_t* ciphertext_plus_tag);
       // NEED AT LEAST: 64 bytes for public key of client, plus 64 bytes of signature over it, plus 16 bytes of tag over any encryption = 144 bytes. Msg length = 144 bytes + Length of form field
-      public uint32_t process_apache_message_generate_response_wrapper([in, size=1000] uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, [out, size=1000] uint8_t* output_ciphertext, [out,size=4] uint32_t* output_ciphertext_plus_tag_length);
-      public uint32_t process_verifiers_message_wrapper([in, size=48] uint8_t* input_ciphertext);
+      
+	public uint32_t process_apache_message_generate_response_wrapper([in, size=4100] uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, [out, size=4100] uint8_t* output_ciphertext, [out,size=4] uint32_t* output_ciphertext_plus_tag_length);
+      public uint32_t process_verifiers_message_wrapper([in, size=60] uint8_t* input_ciphertext, uint32_t length);
       public        void get_verifier_mrenclave_apache_mrsigner_wrapper([out, size=64] uint8_t* output);
 	public void get_short_term_public_key_wrapper([out, size=64] uint8_t* output); 
   	public void get_long_term_verification_key_wrapper([out, size=64] uint8_t* output);
-
+	public void get_apache_iv([out, size=12] uint8_t* output); 
     };
   };

Decryptor/Decryptor.h

@@ -11,6 +11,9 @@ class Decryptor {
   static SymmetricEncryptionBox symmetricEncryptionBoxVerifier;
   static uint8_t apache_mr_signer[32]; // = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; 
   static uint8_t plaintext_mitigator_header_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64];
+  static uint8_t first_decryption_output[1092]; // 1000 bytes of ciphertext data + 12 IV + 16 Tag + 64 clients public key
+  static uint8_t plaintext_client_data[1000]; 
+
 
   static uint32_t create_mitigator_token_M(uint8_t* token);
   static uint32_t create_mitigator_header_H(uint8_t* signature_data_and_signature);
@@ -20,15 +23,15 @@ class Decryptor {
     static void calculate_sealed_keypair_size(uint32_t* output_length); 
     static uint32_t verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t* given_mr_signer, uint8_t* dhaek);
     static uint32_t create_and_seal_long_term_signing_key_pair(uint32_t* sealed_data_length, uint8_t* sealed_data);
-    static uint32_t create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag);
+    static uint32_t create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag, uint32_t* length);
     static uint32_t unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length);
     static uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext_plus_tag);
     static uint32_t process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext, uint32_t* output_ciphertext_plus_tag_length);
-    static uint32_t process_verifiers_message(uint8_t* input_ciphertext);
+    static uint32_t process_verifiers_message(uint8_t* input_ciphertext, uint32_t length);
 	static  void testing_get_verifier_mrenclave_apache_mrsigner(uint8_t* output); 
 	static void testing_get_short_term_public_key(uint8_t* output); 
   static void testing_long_term_verification_key(uint8_t* output); 
-
+	static void testing_get_apache_iv(uint8_t*); 
   };
 
 //ECDSASignatureBox Decryptor::signatureBox(); 

Decryptor/DecryptorWrapper.cpp

@@ -7,14 +7,14 @@ uint32_t process_apache_message_generate_response_wrapper(uint8_t* input_ciphert
   return Decryptor::process_apache_message_generate_response(input_ciphertext, input_ciphertext_plus_tag_length, output_ciphertext, output_ciphertext_plus_tag_length);
 }
 
-uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext)
+uint32_t process_verifiers_message_wrapper(uint8_t* input_ciphertext, uint32_t length)
 {
-  return Decryptor::process_verifiers_message(input_ciphertext);
+  return Decryptor::process_verifiers_message(input_ciphertext, length);
 }
 
-uint32_t create_and_encrypt_mitigator_header_H_wrapper(uint8_t* ciphertext_token_H_plus_tag)
+uint32_t create_and_encrypt_mitigator_header_H_wrapper(uint8_t* ciphertext_token_H_plus_tag, uint32_t* length)
 {
-  return Decryptor::create_and_encrypt_mitigator_header_H(ciphertext_token_H_plus_tag);
+  return Decryptor::create_and_encrypt_mitigator_header_H(ciphertext_token_H_plus_tag, length);
 }
 
 void calculate_sealed_keypair_size_wrapper(uint32_t* length)
@@ -46,3 +46,8 @@ void get_long_term_verification_key_wrapper(uint8_t* output)
 {
 	Decryptor::testing_long_term_verification_key(output);
 }
+
+void get_apache_iv(uint8_t* op)
+{
+	Decryptor::testing_get_apache_iv(op);
+}

Decryptor/SymmetricEncryptionBox.cpp

@@ -1,25 +1,31 @@
 #include "Openssl_crypto.h"
 #include "SymmetricEncryptionBox.h"
-
+#include "sgx_trts.h"
   // increments last 4 bytes (in big-endian order)
-  uint32_t SymmetricEncryptionBox::aes_gcm_increment_iv_internal_call(uint8_t* iv)  {
-  	uint32_t counter;
-  	for(counter=11;counter>7;counter--)
-  	{
-  		if(iv[counter] == 0xff)
-  		{
-  			if(counter - 1 == 7)
-  				return 0xff;
-  			iv[counter-1] = 0x01;
-  			iv[counter] = 0x0;
-  		}
-  		else
-  			iv[counter] += 1;
-  	}
-  	return 0;
-  }
-
+/*    uint32_t SymmetricEncryptionBox::recursive_incrementer(uint32_t counter, uint32_t min_counter) 
+{
+	if(min_counter>counter)
+		return 0xfe;
+	if(iv[counter] != 0xff)
+	{
+		iv[counter]+=1; 
+		return 0; 
+	}
+	else
+	{
+		iv[counter]=0;
+		if(counter!=min_counter)
+			// counter-1 refers to the overall counter in the iv string (counter+1 for little endian)
+			return recursive_incrementer(counter-1,min_counter); 
+		else
+			return 0xff; 
+	}
+}
 
+ uint32_t SymmetricEncryptionBox::aes_gcm_increment_iv()  {
+        return recursive_incrementer(11, 8); 
+  }
+*/
   void SymmetricEncryptionBox::set_symmetric_key(uint8_t* given_key)
   {
     uint32_t counter;
@@ -38,21 +44,38 @@
   uint32_t SymmetricEncryptionBox::encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length)
   {
     uint32_t actual_plaintext_length=plaintext_length; 
-    uint8_t tag[16];uint32_t counter;
-    if(enc == 0)
+    uint8_t tag[16];uint32_t counter, return_status;
+	uint8_t iv[12]; 
+    if(enc == 0) // decryption
 	{
-		for(counter=0;counter<16;counter++)
-			tag[counter] = plaintext[counter + plaintext_length - 16]; 
-		actual_plaintext_length-=16;
+                for(counter=0;counter<16;counter++)
+                        tag[counter]=plaintext[counter+plaintext_length-16]; 
+		for(counter=0;counter<12;counter++)
+			iv[counter]=plaintext[counter+plaintext_length-28]; 
+		actual_plaintext_length-=28; 
+	}
+	else // encryption
+	{
+		return_status=sgx_read_rand(iv, 12); 
+		if(return_status != 0)
+			return return_status;
 	}
-    uint32_t return_status = aes_gcm_128(enc, symmetric_key, iv, plaintext, actual_plaintext_length, ciphertext, ciphertext_length, tag);
-	if(enc == 1)
+    return_status = aes_gcm_128(enc, symmetric_key, iv, plaintext, actual_plaintext_length, ciphertext, ciphertext_length, tag);
+	if(enc == 1 && return_status ==0)
 	{
+                for(counter=0;counter<12;counter++)
+                        ciphertext[counter + *ciphertext_length] = iv[counter];
 		for(counter=0;counter<16;counter++)
-			ciphertext[counter + *ciphertext_length] = tag[counter];
-		*ciphertext_length=*ciphertext_length + 16;
+			ciphertext[counter + 12 + *ciphertext_length] = tag[counter];
+		*ciphertext_length=*ciphertext_length + 28;
 	}
-//    if(return_status == 0)
-//      aes_gcm_increment_iv_internal_call(iv);
     return return_status;
   }
+
+/*  void SymmetricEncryptionBox::get_iv(uint8_t* op_iv)
+  {
+	uint32_t counter;
+	for(counter=0;counter<12;counter++)
+		op_iv[counter]=iv[counter];
+  }
+*/

Include/LocalAttestationUntrusted.h

@@ -17,10 +17,9 @@ using namespace google::protobuf::io;
 class LocalAttestationUntrusted {
   static   uint32_t session_id;
   static protobuf_sgx_dh_msg1_t protobuf_msg1;
-
-  static int decrypt_client_data(uint32_t own_enclave_id, int apache_fd);
+  static uint8_t* output_ciphertext_plus_tag;
+  static int decrypt_client_data(uint32_t own_enclave_id, int apache_fd, uint8_t* output_ciphertext_plus_tag, uint8_t* input_ciphertext_plus_tag, int time_fd);
   static uint32_t local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd);
-//  uint32_t LocalAttestationUntrusted::local_attestation_msg2_msg3(uint32_t own_enclave_id, int accept_fd)
 
   static int write_protobuf_msg_to_fd(int accept_fd, google::protobuf::MessageLite& message);
   static int read_protobuf_msg_from_fd(int accept_fd, google::protobuf::MessageLite& message);

Include/SymmetricEncryptionBox.h

@@ -2,15 +2,10 @@
 #define SYMMETRICENCRYPTIONBOX_H
 #include "Openssl_crypto.h"
 class SymmetricEncryptionBox {
-  uint8_t iv[12];
   uint8_t symmetric_key[16]; // SHA256 used with ECDHE -> or AES whatever symmetric_key.
-  // increments last 4 bytes (in big-endian order)
-  uint32_t aes_gcm_increment_iv_internal_call(uint8_t* iv);
   public:
-//    SymmetricEncryptionBox();
     void set_symmetric_key(uint8_t* given_key);
     void get_symmetric_key(uint8_t* op_key); 
     uint32_t encrypt_decrypt(int enc, uint8_t* plaintext, uint32_t plaintext_length, uint8_t* ciphertext, uint32_t* ciphertext_length);
-//    ~SymmetricEncryptionBox();
 };
 #endif