Decryptor/LocalAttestationCode/LocalAttestationTrusted.cpp

/*
 * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   * Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *   * Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in
 *     the documentation and/or other materials provided with the
 *     distribution.
 *   * Neither the name of Intel Corporation nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

// #include <stdint.h>
#include "LocalAttestationTrusted.h"
uint32_t LocalAttestationTrusted::is_one_successful_la_done()
{
  return one_successful_la_done;
}


uint32_t LocalAttestationTrusted::verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
{
  	uint32_t count; sgx_measurement_t given_mr_signer ;
  	if(!peer_enclave_identity)
  	{
  		return INVALID_PARAMETER_ERROR;
  	}
  	if(one_successful_la_done==0)
  	{
  		// TODO: Set this attribute in the decryptor object.
                for(count=0; count<SGX_HASH_SIZE; count++)
	 		verifier_mr_enclave[count] = peer_enclave_identity->mr_enclave.m[count];
  		one_successful_la_done=1;
  	}
  	else // apache enclave
  	{
  		given_mr_signer = peer_enclave_identity->mr_signer;
  		int count;
  		for(count=0; count<SGX_HASH_SIZE; count++)
  		{
  			if( given_mr_signer.m[count] != apache_mr_signer[count] )
  				return ENCLAVE_TRUST_ERROR;
  		}
      one_successful_la_done ++;
  	}
  	return SGX_SUCCESS;
  }

//Handle the request from Source Enclave for a session
uint32_t LocalAttestationTrusted::session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
{
        sgx_dh_session_t sgx_dh_session;
        sgx_status_t status = SGX_SUCCESS;

        if(!session_id || !dh_msg1)
        {
            return INVALID_PARAMETER_ERROR;
        }

        //Intialize the session as a session responder
        status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session);
        if(SGX_SUCCESS != status)
        {
            return status;
        }

        *session_id=1;

        global_session_info.status = IN_PROGRESS;

        //Generate Message1 that will be returned to Source Enclave
        status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t*)dh_msg1, &sgx_dh_session);
        if(SGX_SUCCESS != status)
          return status;

        memcpy(&global_session_info.in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t));

        return 0;
    }

// TODO: Hope to edit the sgx_dh_responder_proc_msg2 call to return 32 byte key.
//Verify Message 2, generate Message3 and exchange Message 3 with Source Enclave
uint32_t LocalAttestationTrusted::exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t* session_id)
{
        sgx_key_128bit_t dh_aek;
        uint32_t status = 0;
        sgx_dh_session_t sgx_dh_session;
        sgx_dh_session_enclave_identity_t initiator_identity;
        uint32_t verify_return;
        memset(&dh_aek,0, sizeof(sgx_key_128bit_t));

        if(!dh_msg2 || !dh_msg3)
          return INVALID_PARAMETER_ERROR;

        if(global_session_info.status != IN_PROGRESS)
          return INVALID_SESSION; // end_session(); // TODO: DA FUQ RETURN STH HERE.

        memcpy(&sgx_dh_session, &global_session_info.in_progress.dh_session, sizeof(sgx_dh_session_t));

        dh_msg3->msg3_body.additional_prop_length = 0;

        //Process message 2 from source enclave and obtain message 3
        status = sgx_dh_responder_proc_msg2(dh_msg2, dh_msg3, &sgx_dh_session, &dh_aek, &initiator_identity);
        if(SGX_SUCCESS != status)
          return status;

        //Verify source enclave's trust
    	  verify_return = verify_peer_enclave_trust(&initiator_identity);
        if(verify_return != 0)
         return verify_return;

    	  if(one_successful_la_done == 1)
          symmetricEncryptionBoxVerifier.set_symmetric_key(dh_aek);
      	else
          symmetricEncryptionBoxApache.set_symmetric_key(dh_aek);
        /*
        //save the session ID, status and initialize the session nonce
        global_session_info.session_id = *session_id;
        global_session_info.status = ACTIVE; // This means that you can't keep calling exchange_report over and over again.
        global_session_info.active.counter = 0;
        memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
        memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
        */
        return status;
    }

void LocalAttestationTrusted::get_verifier_mr_enclave(uint8_t* op_mr_enclave)
{
  uint32_t counter;
  for(counter=0; counter<32; counter++)
    op_mr_enclave[counter] = verifier_mr_enclave[counter];
}

void LocalAttestationTrusted::set_apache_mr_signer(uint8_t* ip_mr_signer)
{
  uint32_t counter;
  for(counter=0; counter<32; counter++)
    apache_mr_signer[counter] = ip_mr_signer[counter];
}