Decryptor.cpp 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
  1. /*
  2. * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #include "Decryptor.h"
  32. #include "sgx_tseal.h"
  33. #include "sgx_tcrypto.h"
  34. #include "sgx_dh.h"
  35. #include "datatypes.h"
  36. #include "error_codes.h"
  37. ECDSASignatureBox Decryptor::signatureBox;
  38. HybridEncryptionBox Decryptor::hybridEncryptionBoxClient;
  39. SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxApache;
  40. SymmetricEncryptionBox Decryptor::symmetricEncryptionBoxVerifier;
  41. uint8_t Decryptor::verifier_mr_enclave[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
  42. uint8_t Decryptor::apache_mr_signer[32] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
  43. uint32_t Decryptor::create_mitigator_token_M(uint8_t* token)
  44. {
  45. uint32_t internal_return_status;
  46. uint32_t counter;
  47. // create short-term ECDH key pair
  48. internal_return_status = hybridEncryptionBoxClient.generate_keypair();
  49. if(internal_return_status == NULL)
  50. return 0xff;
  51. hybridEncryptionBoxClient.get_public_key(token);
  52. // create token: concatenate short-term keypair with verifiers mrenclave.
  53. for(counter=0;counter<32;counter++)
  54. *(token + counter + ECDH_PUBLIC_KEY_SIZE) = verifier_mr_enclave[counter];
  55. return 0;
  56. }
  57. uint32_t Decryptor::create_mitigator_header_H(uint8_t* signature_data, uint8_t* signature)
  58. {
  59. uint32_t internal_return_status;
  60. uint8_t local_signature[64];
  61. uint8_t local_signature_data[ECDH_PUBLIC_KEY_SIZE + 32];
  62. uint32_t counter;
  63. // Otherwise: DoS or possible bypass (fake verifier does LA but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave or whatever is in the memory.
  64. if(LocalAttestationTrusted::get_one_successful_la_done() < 1)
  65. return 0xde; // This needs to be called at any point after the first local attestation is done - else, a junk verifier mrenclave will be included in the signature
  66. internal_return_status = Decryptor::create_mitigator_token_M(local_signature_data);
  67. if(internal_return_status != 0x0)
  68. return internal_return_status;
  69. internal_return_status = signatureBox.sign(local_signature_data, ECDH_PUBLIC_KEY_SIZE + 32, local_signature);
  70. if(internal_return_status != 0x0)
  71. return internal_return_status;
  72. for(counter=0;counter<ECDH_PUBLIC_KEY_SIZE + 32;counter++)
  73. signature_data[counter] = local_signature_data[counter];
  74. for(counter=0;counter<64;counter++)
  75. signature[counter] = local_signature[counter];
  76. return 0;
  77. }
  78. // done. But there might be one more return statement for the case when get_keypair returns sth (it is non void).
  79. uint32_t Decryptor::create_long_term_signing_keypair(uint8_t* private_public_key_string)
  80. {
  81. uint32_t internal_return_status;
  82. internal_return_status = signatureBox.generate_keypair();
  83. if(internal_return_status != 0)
  84. return internal_return_status;
  85. signatureBox.get_keypair(private_public_key_string);
  86. return 0;
  87. }
  88. uint32_t Decryptor::initialize_symmetric_key_decrypt_client_data(uint8_t* plaintext_client_public_key_plus_encrypted_data_plus_tag, uint32_t total_length, uint8_t* plaintext_client_data, uint32_t* plaintext_client_data_length)
  89. {
  90. uint8_t* ciphertext;
  91. uint32_t ciphertext_length;
  92. uint8_t* tag;
  93. uint32_t internal_return_status;
  94. // and now I will derive a shared key from the plaintext_client_public_key
  95. internal_return_status = hybridEncryptionBoxClient.initialize_symmetric_key(plaintext_client_public_key_plus_encrypted_data_plus_tag);
  96. if(internal_return_status != 0)
  97. return internal_return_status;
  98. // and then I will decrypt the rest of the client data with that key.
  99. ciphertext = plaintext_client_public_key_plus_encrypted_data_plus_tag + ECDH_PUBLIC_KEY_SIZE;
  100. ciphertext_length = total_length - ECDH_PUBLIC_KEY_SIZE - 16;
  101. tag = ciphertext + ciphertext_length;
  102. internal_return_status = hybridEncryptionBoxClient.encrypt_decrypt(0, ciphertext, ciphertext_length, plaintext_client_data, plaintext_client_data_length, tag);
  103. return internal_return_status;
  104. }
  105. // DONE.
  106. uint32_t Decryptor::create_and_seal_long_term_signing_key_pair(uint32_t* sealed_data_length, uint8_t* sealed_data)
  107. {
  108. uint32_t sgx_libcall_status;
  109. uint32_t internal_return_status;
  110. uint32_t temp_sealed_data_length;
  111. uint8_t* temp_sealed_data;
  112. uint8_t private_public_key_string[ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE];
  113. uint32_t counter;
  114. temp_sealed_data_length = sgx_calc_sealed_data_size(0, ECDH_PUBLIC_KEY_SIZE + ECDH_PRIVATE_KEY_SIZE);
  115. if(temp_sealed_data_length == 0xFFFFFFFF)
  116. return 0x01;
  117. internal_return_status = create_long_term_signing_keypair(private_public_key_string);
  118. temp_sealed_data = (uint8_t*) malloc(temp_sealed_data_length);
  119. sgx_libcall_status = sgx_seal_data(0, NULL, 3*SGX_ECP256_KEY_SIZE, private_public_key_string, temp_sealed_data_length, (sgx_sealed_data_t*) temp_sealed_data);
  120. if(sgx_libcall_status != SGX_SUCCESS)
  121. {
  122. free(temp_sealed_data);
  123. return sgx_libcall_status;
  124. }
  125. for(counter=0;counter<temp_sealed_data_length;counter++)
  126. *(sealed_data + counter)=*(temp_sealed_data + counter);
  127. *sealed_data_length = temp_sealed_data_length;
  128. free(temp_sealed_data);
  129. return 0;
  130. }
  131. // DONE.
  132. uint32_t Decryptor::create_and_encrypt_mitigator_header_H(uint8_t* ciphertext_token_H_plus_tag)
  133. {
  134. uint32_t counter;
  135. uint8_t sign_data_and_sign[ECDH_PUBLIC_KEY_SIZE + 32 + 64];
  136. uint8_t temp_ciphertext_token_H[ECDH_PUBLIC_KEY_SIZE + 32 + 64 + 10];
  137. uint8_t temp_tag[16];
  138. uint32_t temp_ciphertext_token_H_length;
  139. uint32_t internal_return_status;
  140. internal_return_status = create_mitigator_header_H(sign_data_and_sign, sign_data_and_sign + ECDH_PUBLIC_KEY_SIZE + 32);
  141. if(internal_return_status != 0)
  142. return internal_return_status;
  143. internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, sign_data_and_sign, ECDH_PUBLIC_KEY_SIZE + 32 + 64, temp_ciphertext_token_H, &temp_ciphertext_token_H_length, temp_tag);
  144. if(internal_return_status != 0)
  145. return internal_return_status;
  146. if(temp_ciphertext_token_H_length != 160)
  147. return 0x45;
  148. for(counter=0; counter<160; counter++)
  149. {
  150. *(ciphertext_token_H_plus_tag + counter) = *(temp_ciphertext_token_H + counter);
  151. }
  152. for(counter=0; counter<16; counter++)
  153. {
  154. *(ciphertext_token_H_plus_tag + counter) = *(temp_tag + counter);
  155. }
  156. return 0;
  157. }
  158. // DONE.
  159. uint32_t Decryptor::unseal_and_restore_long_term_signing_key_pair(uint8_t* sealed_data, uint32_t* sgx_sealed_data_length)
  160. {
  161. uint32_t temp_plaintext_length;
  162. uint8_t* temp_plaintext;
  163. uint32_t counter;
  164. uint32_t ret_status;
  165. uint8_t* temp_sealed_data ;
  166. temp_sealed_data = (uint8_t*) malloc(*sgx_sealed_data_length);
  167. for(counter=0;counter<*sgx_sealed_data_length;counter++)
  168. *(temp_sealed_data+counter)=*(sealed_data+counter);
  169. temp_plaintext_length = sgx_get_encrypt_txt_len((sgx_sealed_data_t*)sealed_data);
  170. if(temp_plaintext_length == 0xffffffff)
  171. return 0xFFFFFFFF;
  172. temp_plaintext = (uint8_t*)malloc( temp_plaintext_length );
  173. ret_status = sgx_unseal_data((sgx_sealed_data_t*)temp_sealed_data, NULL, 0, temp_plaintext, &temp_plaintext_length);
  174. free(temp_sealed_data);
  175. if(ret_status != SGX_SUCCESS)
  176. {
  177. free(temp_plaintext);
  178. return ret_status;
  179. }
  180. signatureBox.set_private_public_key(temp_plaintext, temp_plaintext + ECDH_PRIVATE_KEY_SIZE);
  181. free(temp_plaintext);
  182. return 0;
  183. }
  184. // DONE.
  185. uint32_t Decryptor::decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext_plus_tag)
  186. {
  187. uint8_t temp_apache_mrsigner[32+10];
  188. uint32_t temp_apache_mrsigner_length;
  189. uint32_t internal_return_status;
  190. uint32_t counter;
  191. uint8_t* tag;
  192. tag = ciphertext_plus_tag + 32;
  193. internal_return_status = symmetricEncryptionBoxVerifier.encrypt_decrypt(0, ciphertext_plus_tag, 32, temp_apache_mrsigner, &temp_apache_mrsigner_length, tag);
  194. if(internal_return_status != 0)
  195. return internal_return_status;
  196. if(temp_apache_mrsigner_length != 32)
  197. return 0x33;
  198. for(counter=0; counter<32; counter++)
  199. {
  200. apache_mr_signer[counter] = *(temp_apache_mrsigner + counter);
  201. }
  202. return 0;
  203. }
  204. // DONE.
  205. uint32_t Decryptor::process_apache_message_generate_response(uint8_t* input_ciphertext, uint32_t input_ciphertext_plus_tag_length, uint8_t* output_ciphertext_plus_tag, uint32_t* output_ciphertext_plus_tag_length)
  206. {
  207. uint8_t *first_decryption_output, *plaintext_client_data, *temp_output_ciphertext;
  208. uint32_t first_decryption_output_length, plaintext_client_data_length;
  209. uint32_t temp_output_ciphertext_length, internal_return_status;
  210. uint8_t temp_output_tag[16]; uint32_t counter;
  211. // TODO: May be have temporary variables for input ciphertext as they can't be passed directly to functions?
  212. first_decryption_output = (uint8_t*) malloc(input_ciphertext_plus_tag_length);
  213. internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(0, input_ciphertext, input_ciphertext_plus_tag_length, first_decryption_output, &first_decryption_output_length, input_ciphertext + input_ciphertext_plus_tag_length - 16);
  214. if(internal_return_status != 0)
  215. {
  216. free(first_decryption_output);
  217. return internal_return_status;
  218. }
  219. plaintext_client_data = (uint8_t*) malloc(first_decryption_output_length); // you will need less than this coz public key size.
  220. internal_return_status = initialize_symmetric_key_decrypt_client_data(first_decryption_output, first_decryption_output_length, plaintext_client_data, &plaintext_client_data_length);
  221. free(first_decryption_output);
  222. if(internal_return_status != 0)
  223. return internal_return_status;
  224. temp_output_ciphertext = (uint8_t*) malloc(plaintext_client_data_length + 20);
  225. // then I will encrypt the resulting first_decryption_output to the apache enclave.
  226. internal_return_status = symmetricEncryptionBoxApache.encrypt_decrypt(1, plaintext_client_data, plaintext_client_data_length, temp_output_ciphertext, &temp_output_ciphertext_length, temp_output_tag);
  227. free(plaintext_client_data);
  228. if(internal_return_status != 0)
  229. {
  230. free(temp_output_ciphertext);
  231. return internal_return_status;
  232. }
  233. for(counter=0; counter<temp_output_ciphertext_length; counter++)
  234. output_ciphertext_plus_tag[counter] = temp_output_ciphertext[counter];
  235. free(temp_output_ciphertext);
  236. for(counter=0; counter<16;counter++)
  237. output_ciphertext_plus_tag[counter] = temp_output_tag[counter];
  238. *output_ciphertext_plus_tag_length = temp_output_ciphertext_length + 16;
  239. return 0;
  240. }
  241. uint32_t Decryptor::verify_peer_enclave_trust(uint8_t* given_mr_enclave, uint8_t* given_mr_signer, uint8_t* dhaek)
  242. {
  243. uint32_t count;
  244. if(LocalAttestationTrusted::get_one_successful_la_done() == 0)
  245. {
  246. for(count=0; count<SGX_HASH_SIZE; count++)
  247. verifier_mr_enclave[count] = given_mr_enclave[count];
  248. symmetricEncryptionBoxVerifier.set_symmetric_key(dhaek);
  249. }
  250. else // apache enclave
  251. {
  252. for(count=0; count<SGX_HASH_SIZE; count++)
  253. {
  254. if( given_mr_signer[count] != apache_mr_signer[count] )
  255. return ENCLAVE_TRUST_ERROR;
  256. }
  257. symmetricEncryptionBoxApache.set_symmetric_key(dhaek);
  258. }
  259. return SGX_SUCCESS;
  260. }