123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 |
- /*
- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Intel Corporation nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
- #include "sgx_trts.h"
- #include "sgx_utils.h"
- #include "EnclaveMessageExchange.h"
- #include "sgx_eid.h"
- #include "error_codes.h"
- #include "sgx_ecp_types.h"
- #include "sgx_thread.h"
- #include "dh_session_protocol.h"
- #include "sgx_dh.h"
- #include "sgx_tcrypto.h"
- #include "LocalAttestationCode_t.h"
- #include "sgx_tseal.h"
- static class LocalAttestationTrusted{
- dh_session_t global_session_info;
- uint32_t global_session_id=0;
- uint32_t one_successful_la_done;
- sgx_ecc_state_handle_t ecc_state;
- uint8_t verifier_mr_enclave[32];
- SymmetricEncryptionBox symmetricEncryptionBoxApache;
- SymmetricEncryptionBox symmetricEncryptionBoxVerifier;
- extern "C" uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
- {
- uint32_t count; sgx_measurement_t given_mr_signer ;
- if(!peer_enclave_identity)
- {
- return INVALID_PARAMETER_ERROR;
- }
- if(one_successful_la_done==0)
- {
- // TODO: Set this attribute in the decryptor object.
- verifier_mr_enclave = peer_enclave_identity->mr_enclave;
- memset(&(apache_mr_signer.m),0x0,SGX_HASH_SIZE); // "initialization"
- one_successful_la_done=1;
- }
- else // apache enclave
- {
- given_mr_signer = peer_enclave_identity->mr_signer;
- int count;
- for(count=0; count<SGX_HASH_SIZE; count++)
- {
- if( given_mr_signer.m[count] != apache_mr_signer.m[count] )
- return ENCLAVE_TRUST_ERROR;
- }
- one_successful_la_done ++;
- }
- return SGX_SUCCESS;
- }
- public:
- //Handle the request from Source Enclave for a session
- ATTESTATION_STATUS session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
- {
- sgx_dh_session_t sgx_dh_session;
- sgx_status_t status = SGX_SUCCESS;
- if(!session_id || !dh_msg1)
- {
- return INVALID_PARAMETER_ERROR;
- }
- //Intialize the session as a session responder
- status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session);
- if(SGX_SUCCESS != status)
- {
- return status;
- }
- *session_id=1;
- global_session_info.status = IN_PROGRESS;
- //Generate Message1 that will be returned to Source Enclave
- status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t*)dh_msg1, &sgx_dh_session);
- if(SGX_SUCCESS != status)
- return status;
- memcpy(&global_session_info.in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t));
- return 0;
- }
- // TODO: Hope to edit the sgx_dh_responder_proc_msg2 call to return 32 byte key.
- //Verify Message 2, generate Message3 and exchange Message 3 with Source Enclave
- ATTESTATION_STATUS exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t* session_id)
- {
- sgx_key_128bit_t dh_aek;
- sgx_status_t status = SUCCESS;
- sgx_dh_session_t sgx_dh_session;
- sgx_dh_session_enclave_identity_t initiator_identity;
- uint32_t verify_return;
- memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
- if(!dh_msg2 || !dh_msg3)
- return INVALID_PARAMETER_ERROR;
- if(global_session_info.status != IN_PROGRESS)
- return INVALID_SESSION; // end_session(); // TODO: DA FUQ RETURN STH HERE.
- memcpy(&sgx_dh_session, &global_session_info.in_progress.dh_session, sizeof(sgx_dh_session_t));
- dh_msg3->msg3_body.additional_prop_length = 0;
- //Process message 2 from source enclave and obtain message 3
- status = sgx_dh_responder_proc_msg2(dh_msg2, dh_msg3, &sgx_dh_session, &dh_aek, &initiator_identity);
- if(SGX_SUCCESS != status)
- return status;
- //Verify source enclave's trust
- verify_return = verify_peer_enclave_trust(&initiator_identity);
- if(verify_return != 0)
- return verify_return;
- if(one_successful_la_done == 1)
- symmetricEncryptionBoxVerifier.set_symmetric_key(dh_aek);
- else
- symmetricEncryptionBoxApache.set_symmetric_key(dh_aek);
- /*
- //save the session ID, status and initialize the session nonce
- global_session_info.session_id = *session_id;
- global_session_info.status = ACTIVE; // This means that you can't keep calling exchange_report over and over again.
- global_session_info.active.counter = 0;
- memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
- memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
- */
- return status;
- }
- public:
- LocalAttestationTrusted(): symmetricEncryptionBoxApache(), symmetricEncryptionBoxVerifier();
- };
|