/*
* Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
* * Neither the name of Intel Corporation nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include <assert.h>
#include "isv_enclave_t.h"
#include "sgx_tkey_exchange.h"
#include "sgx_tcrypto.h"
#include "string.h"
// This is the public EC key of the SP. The corresponding private EC key is
// used by the SP to sign data used in the remote attestation SIGMA protocol
// to sign channel binding data in MSG2. A successful verification of the
// signature confirms the identity of the SP to the ISV app in remote
// attestation secure channel binding. The public EC key should be hardcoded in
// the enclave or delivered in a trustworthy manner. The use of a spoofed public
// EC key in the remote attestation with secure channel binding session may lead
// to a security compromise. Every different SP the enlcave communicates to
// must have a unique SP public key. Delivery of the SP public key is
// determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key
// based on NIST P-256
static const sgx_ec256_public_t g_sp_pub_key = {
{
0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf,
0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad,
0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d,
0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38
},
{
0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b,
0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2,
0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28,
0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06
}
};
// Used to store the secret passed by the SP in the sample code. The
// size is forced to be 8 bytes. Expected value is
// 0x01,0x02,0x03,0x04,0x0x5,0x0x6,0x0x7
uint8_t g_secret[8] = {0};
#ifdef SUPPLIED_KEY_DERIVATION
#pragma message ("Supplied key derivation function is used.")
typedef struct _hash_buffer_t
{
uint8_t counter[4];
sgx_ec256_dh_shared_t shared_secret;
uint8_t algorithm_id[4];
} hash_buffer_t;
const char ID_U[] = "SGXRAENCLAVE";
const char ID_V[] = "SGXRASERVER";
// Derive two keys from shared key and key id.
bool derive_key(
const sgx_ec256_dh_shared_t *p_shared_key,
uint8_t key_id,
sgx_ec_key_128bit_t *first_derived_key,
sgx_ec_key_128bit_t *second_derived_key)
{
sgx_status_t sgx_ret = SGX_SUCCESS;
hash_buffer_t hash_buffer;
sgx_sha_state_handle_t sha_context;
sgx_sha256_hash_t key_material;
memset(&hash_buffer, 0, sizeof(hash_buffer_t));
/* counter in big endian */
hash_buffer.counter[3] = key_id;
/*convert from little endian to big endian */
for (size_t i = 0; i < sizeof(sgx_ec256_dh_shared_t); i++)
{
hash_buffer.shared_secret.s[i] = p_shared_key->s[sizeof(p_shared_key->s)-1 - i];
}
sgx_ret = sgx_sha256_init(&sha_context);
if (sgx_ret != SGX_SUCCESS)
{
return false;
}
sgx_ret = sgx_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context);
if (sgx_ret != SGX_SUCCESS)
{
sgx_sha256_close(sha_context);
return false;
}
sgx_ret = sgx_sha256_update((uint8_t*)&ID_U, sizeof(ID_U), sha_context);
if (sgx_ret != SGX_SUCCESS)
{
sgx_sha256_close(sha_context);
return false;
}
sgx_ret = sgx_sha256_update((uint8_t*)&ID_V, sizeof(ID_V), sha_context);
if (sgx_ret != SGX_SUCCESS)
{
sgx_sha256_close(sha_context);
return false;
}
sgx_ret = sgx_sha256_get_hash(sha_context, &key_material);
if (sgx_ret != SGX_SUCCESS)
{
sgx_sha256_close(sha_context);
return false;
}
sgx_ret = sgx_sha256_close(sha_context);
assert(sizeof(sgx_ec_key_128bit_t)* 2 == sizeof(sgx_sha256_hash_t));
memcpy(first_derived_key, &key_material, sizeof(sgx_ec_key_128bit_t));
memcpy(second_derived_key, (uint8_t*)&key_material + sizeof(sgx_ec_key_128bit_t), sizeof(sgx_ec_key_128bit_t));
// memset here can be optimized away by compiler, so please use memset_s on
// windows for production code and similar functions on other OSes.
memset(&key_material, 0, sizeof(sgx_sha256_hash_t));
return true;
}
//isv defined key derivation function id
#define ISV_KDF_ID 2
typedef enum _derive_key_type_t
{
DERIVE_KEY_SMK_SK = 0,
DERIVE_KEY_MK_VK,
} derive_key_type_t;
sgx_status_t key_derivation(const sgx_ec256_dh_shared_t* shared_key,
uint16_t kdf_id,
sgx_ec_key_128bit_t* smk_key,
sgx_ec_key_128bit_t* sk_key,
sgx_ec_key_128bit_t* mk_key,
sgx_ec_key_128bit_t* vk_key)
{
bool derive_ret = false;
if (NULL == shared_key)
{
return SGX_ERROR_INVALID_PARAMETER;
}
if (ISV_KDF_ID != kdf_id)
{
//fprintf(stderr, "\nError, key derivation id mismatch in [%s].", __FUNCTION__);
return SGX_ERROR_KDF_MISMATCH;
}
derive_ret = derive_key(shared_key, DERIVE_KEY_SMK_SK,
smk_key, sk_key);
if (derive_ret != true)
{
//fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
return SGX_ERROR_UNEXPECTED;
}
derive_ret = derive_key(shared_key, DERIVE_KEY_MK_VK,
mk_key, vk_key);
if (derive_ret != true)
{
//fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
return SGX_ERROR_UNEXPECTED;
}
return SGX_SUCCESS;
}
#else
#pragma message ("Default key derivation function is used.")
#endif
// This ecall is a wrapper of sgx_ra_init to create the trusted
// KE exchange key context needed for the remote attestation
// SIGMA API's. Input pointers aren't checked since the trusted stubs
// copy them into EPC memory.
//
// @param b_pse Indicates whether the ISV app is using the
// platform services.
// @param p_context Pointer to the location where the returned
// key context is to be copied.
//
// @return Any error return from the create PSE session if b_pse
// is true.
// @return Any error returned from the trusted key exchange API
// for creating a key context.
sgx_status_t enclave_init_ra(
int b_pse,
sgx_ra_context_t *p_context)
{
// isv enclave call to trusted key exchange library.
sgx_status_t ret;
if(b_pse)
{
int busy_retry_times = 2;
do{
ret = sgx_create_pse_session();
}while (ret == SGX_ERROR_BUSY && busy_retry_times--);
if (ret != SGX_SUCCESS)
return ret;
}
#ifdef SUPPLIED_KEY_DERIVATION
ret = sgx_ra_init_ex(&g_sp_pub_key, b_pse, key_derivation, p_context);
#else
ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context);
#endif
if(b_pse)
{
sgx_close_pse_session();
return ret;
}
return ret;
}
// Closes the tKE key context used during the SIGMA key
// exchange.
//
// @param context The trusted KE library key context.
//
// @return Return value from the key context close API
sgx_status_t SGXAPI enclave_ra_close(
sgx_ra_context_t context)
{
sgx_status_t ret;
ret = sgx_ra_close(context);
return ret;
}
// Verify the mac sent in att_result_msg from the SP using the
// MK key. Input pointers aren't checked since the trusted stubs
// copy them into EPC memory.
//
//
// @param context The trusted KE library key context.
// @param p_message Pointer to the message used to produce MAC
// @param message_size Size in bytes of the message.
// @param p_mac Pointer to the MAC to compare to.
// @param mac_size Size in bytes of the MAC
//
// @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect.
// @return Any error produced by tKE API to get SK key.
// @return Any error produced by the AESCMAC function.
// @return SGX_ERROR_MAC_MISMATCH - MAC compare fails.
sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
uint8_t* p_message,
size_t message_size,
uint8_t* p_mac,
size_t mac_size)
{
sgx_status_t ret;
sgx_ec_key_128bit_t mk_key;
if(mac_size != sizeof(sgx_mac_t))
{
ret = SGX_ERROR_INVALID_PARAMETER;
return ret;
}
if(message_size > UINT32_MAX)
{
ret = SGX_ERROR_INVALID_PARAMETER;
return ret;
}
do {
uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
if(SGX_SUCCESS != ret)
{
break;
}
ret = sgx_rijndael128_cmac_msg(&mk_key,
p_message,
(uint32_t)message_size,
&mac);
if(SGX_SUCCESS != ret)
{
break;
}
if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
{
ret = SGX_ERROR_MAC_MISMATCH;
break;
}
}
while(0);
return ret;
}
// Generate a secret information for the SP encrypted with SK.
// Input pointers aren't checked since the trusted stubs copy
// them into EPC memory.
//
// @param context The trusted KE library key context.
// @param p_secret Message containing the secret.
// @param secret_size Size in bytes of the secret message.
// @param p_gcm_mac The pointer the the AESGCM MAC for the
// message.
//
// @return SGX_ERROR_INVALID_PARAMETER - secret size if
// incorrect.
// @return Any error produced by tKE API to get SK key.
// @return Any error produced by the AESGCM function.
// @return SGX_ERROR_UNEXPECTED - the secret doesn't match the
// expected value.
sgx_status_t put_secret_data(
sgx_ra_context_t context,
uint8_t *p_secret,
uint32_t secret_size,
uint8_t *p_gcm_mac)
{
sgx_status_t ret = SGX_SUCCESS;
sgx_ec_key_128bit_t sk_key;
do {
if(secret_size != 8)
{
ret = SGX_ERROR_INVALID_PARAMETER;
break;
}
ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key);
if(SGX_SUCCESS != ret)
{
break;
}
uint8_t aes_gcm_iv[12] = {0};
ret = sgx_rijndael128GCM_decrypt(&sk_key,
p_secret,
secret_size,
&g_secret[0],
&aes_gcm_iv[0],
12,
NULL,
0,
(const sgx_aes_gcm_128bit_tag_t *)
(p_gcm_mac));
uint32_t i;
bool secret_match = true;
for(i=0;i<secret_size;i++)
{
if(g_secret[i] != i)
{
secret_match = false;
}
}
if(!secret_match)
{
ret = SGX_ERROR_UNEXPECTED;
}
// Once the server has the shared secret, it should be sealed to
// persistent storage for future use. This will prevents having to
// perform remote attestation until the secret goes stale. Once the
// enclave is created again, the secret can be unsealed.
} while(0);
return ret;
}