Home Explore Help
Sign In
miti
/
Decryptor
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b9991f04ab
Branches Tags
Decryptor
/
LocalAttestationCode
/
LocalAttestationTrusted.cpp

LocalAttestationTrusted.cpp 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. /*
    2. 

  2.  * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
    3. 

  3.  *
    4. 

  4.  * Redistribution and use in source and binary forms, with or without
    5. 

  5.  * modification, are permitted provided that the following conditions
    6. 

  6.  * are met:
    7. 

  7.  *
    8. 

  8.  *   * Redistributions of source code must retain the above copyright
    9. 

  9.  *     notice, this list of conditions and the following disclaimer.
    10. 

  10.  *   * Redistributions in binary form must reproduce the above copyright
    11. 

  11.  *     notice, this list of conditions and the following disclaimer in
    12. 

  12.  *     the documentation and/or other materials provided with the
    13. 

  13.  *     distribution.
    14. 

  14.  *   * Neither the name of Intel Corporation nor the names of its
    15. 

  15.  *     contributors may be used to endorse or promote products derived
    16. 

  16.  *     from this software without specific prior written permission.
    17. 

  17.  *
    18. 

  18.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
    19. 

  19.  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
    20. 

  20.  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
    21. 

  21.  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
    22. 

  22.  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    23. 

  23.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
    24. 

  24.  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    25. 

  25.  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
    26. 

  26.  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    27. 

  27.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    28. 

  28.  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    29. 

  29.  *
    30. 

  30.  */
    31. 

  31. 

  32. 

  33. #include "sgx_trts.h"
    34. 

  34. #include "sgx_utils.h"
    35. 

  35. #include "EnclaveMessageExchange.h"
    36. 

  36. #include "sgx_eid.h"
    37. 

  37. #include "error_codes.h"
    38. 

  38. #include "sgx_ecp_types.h"
    39. 

  39. #include "sgx_thread.h"
    40. 

  40. #include "dh_session_protocol.h"
    41. 

  41. #include "sgx_dh.h"
    42. 

  42. #include "sgx_tcrypto.h"
    43. 

  43. #include "LocalAttestationCode_t.h"
    44. 

  44. #include "sgx_tseal.h"
    45. 

  45. 

  46. static class LocalAttestationTrusted{
    47. 

  47.   dh_session_t global_session_info;
    48. 

  48.   uint32_t global_session_id=0;
    49. 

  49.   uint32_t one_successful_la_done;
    50. 

  50.   sgx_ecc_state_handle_t ecc_state;
    51. 

  51.   uint8_t verifier_mr_enclave[32];
    52. 

  52.   SymmetricEncryptionBox symmetricEncryptionBoxApache;
    53. 

  53.   SymmetricEncryptionBox symmetricEncryptionBoxVerifier;
    54. 

  54. 

  55.   extern "C" uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
    56. 

  56.   {
    57. 

  57.   	uint32_t count; sgx_measurement_t given_mr_signer ;
    58. 

  58.   	if(!peer_enclave_identity)
    59. 

  59.   	{
    60. 

  60.   		return INVALID_PARAMETER_ERROR;
    61. 

  61.   	}
    62. 

  62.   	if(one_successful_la_done==0)
    63. 

  63.   	{
    64. 

  64.   		// TODO: Set this attribute in the decryptor object.
    65. 

  65.   		verifier_mr_enclave = peer_enclave_identity->mr_enclave;
    66. 

  66.   		memset(&(apache_mr_signer.m),0x0,SGX_HASH_SIZE); // "initialization"
    67. 

  67.   		one_successful_la_done=1;
    68. 

  68.   	}
    69. 

  69.   	else // apache enclave
    70. 

  70.   	{
    71. 

  71.   		given_mr_signer = peer_enclave_identity->mr_signer;
    72. 

  72.   		int count;
    73. 

  73.   		for(count=0; count<SGX_HASH_SIZE; count++)
    74. 

  74.   		{
    75. 

  75.   			if( given_mr_signer.m[count] != apache_mr_signer.m[count] )
    76. 

  76.   				return ENCLAVE_TRUST_ERROR;
    77. 

  77.   		}
    78. 

  78.       one_successful_la_done ++;
    79. 

  79.   	}
    80. 

  80.   	return SGX_SUCCESS;
    81. 

  81.   }
    82. 

  82. 

  83.   public:
    84. 

  84.     //Handle the request from Source Enclave for a session
    85. 

  85.     ATTESTATION_STATUS session_request(sgx_dh_msg1_t *dh_msg1, uint32_t *session_id)
    86. 

  86.     {
    87. 

  87.         sgx_dh_session_t sgx_dh_session;
    88. 

  88.         sgx_status_t status = SGX_SUCCESS;
    89. 

  89. 

  90.         if(!session_id || !dh_msg1)
    91. 

  91.         {
    92. 

  92.             return INVALID_PARAMETER_ERROR;
    93. 

  93.         }
    94. 

  94. 

  95.         //Intialize the session as a session responder
    96. 

  96.         status = sgx_dh_init_session(SGX_DH_SESSION_RESPONDER, &sgx_dh_session);
    97. 

  97.         if(SGX_SUCCESS != status)
    98. 

  98.         {
    99. 

  99.             return status;
    100. 

  100.         }
    101. 

  101. 

  102.         *session_id=1;
    103. 

  103. 

  104.         global_session_info.status = IN_PROGRESS;
    105. 

  105. 

  106.         //Generate Message1 that will be returned to Source Enclave
    107. 

  107.         status = sgx_dh_responder_gen_msg1((sgx_dh_msg1_t*)dh_msg1, &sgx_dh_session);
    108. 

  108.         if(SGX_SUCCESS != status)
    109. 

  109.           return status;
    110. 

  110. 

  111.         memcpy(&global_session_info.in_progress.dh_session, &sgx_dh_session, sizeof(sgx_dh_session_t));
    112. 

  112. 

  113.         return 0;
    114. 

  114.     }
    115. 

  115. 

  116.     // TODO: Hope to edit the sgx_dh_responder_proc_msg2 call to return 32 byte key.
    117. 

  117.     //Verify Message 2, generate Message3 and exchange Message 3 with Source Enclave
    118. 

  118.     ATTESTATION_STATUS exchange_report(sgx_dh_msg2_t *dh_msg2, sgx_dh_msg3_t *dh_msg3, uint32_t* session_id)
    119. 

  119.     {
    120. 

  120.         sgx_key_128bit_t dh_aek;
    121. 

  121.         sgx_status_t status = SUCCESS;
    122. 

  122.         sgx_dh_session_t sgx_dh_session;
    123. 

  123.         sgx_dh_session_enclave_identity_t initiator_identity;
    124. 

  124.         uint32_t verify_return;
    125. 

  125.         memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
    126. 

  126. 

  127.         if(!dh_msg2 || !dh_msg3)
    128. 

  128.           return INVALID_PARAMETER_ERROR;
    129. 

  129. 

  130.         if(global_session_info.status != IN_PROGRESS)
    131. 

  131.           return INVALID_SESSION; // end_session(); // TODO: DA FUQ RETURN STH HERE.
    132. 

  132. 

  133.         memcpy(&sgx_dh_session, &global_session_info.in_progress.dh_session, sizeof(sgx_dh_session_t));
    134. 

  134. 

  135.         dh_msg3->msg3_body.additional_prop_length = 0;
    136. 

  136. 

  137.         //Process message 2 from source enclave and obtain message 3
    138. 

  138.         status = sgx_dh_responder_proc_msg2(dh_msg2, dh_msg3, &sgx_dh_session, &dh_aek, &initiator_identity);
    139. 

  139.         if(SGX_SUCCESS != status)
    140. 

  140.           return status;
    141. 

  141. 

  142.         //Verify source enclave's trust
    143. 

  143.     	  verify_return = verify_peer_enclave_trust(&initiator_identity);
    144. 

  144.         if(verify_return != 0)
    145. 

  145.          return verify_return;
    146. 

  146. 

  147.     	  if(one_successful_la_done == 1)
    148. 

  148.           symmetricEncryptionBoxVerifier.set_symmetric_key(dh_aek);
    149. 

  149.       	else
    150. 

  150.           symmetricEncryptionBoxApache.set_symmetric_key(dh_aek);
    151. 

  151.         /*
    152. 

  152.         //save the session ID, status and initialize the session nonce
    153. 

  153.         global_session_info.session_id = *session_id;
    154. 

  154.         global_session_info.status = ACTIVE; // This means that you can't keep calling exchange_report over and over again.
    155. 

  155.         global_session_info.active.counter = 0;
    156. 

  156.         memcpy(&global_session_info.active.AEK, &dh_aek, sizeof(sgx_key_128bit_t));
    157. 

  157.         memset(&dh_aek,0, sizeof(sgx_key_128bit_t));
    158. 

  158.         */
    159. 

  159.         return status;
    160. 

  160.     }
    161. 

  161. 

  162.   public:
    163. 

  163.     LocalAttestationTrusted(): symmetricEncryptionBoxApache(), symmetricEncryptionBoxVerifier();
    164. 

  164. };
    165.