123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397 |
- /*
- * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Intel Corporation nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
- #include <assert.h>
- #include "isv_enclave_t.h"
- #include "sgx_tkey_exchange.h"
- #include "sgx_tcrypto.h"
- #include "string.h"
- // This is the public EC key of the SP. The corresponding private EC key is
- // used by the SP to sign data used in the remote attestation SIGMA protocol
- // to sign channel binding data in MSG2. A successful verification of the
- // signature confirms the identity of the SP to the ISV app in remote
- // attestation secure channel binding. The public EC key should be hardcoded in
- // the enclave or delivered in a trustworthy manner. The use of a spoofed public
- // EC key in the remote attestation with secure channel binding session may lead
- // to a security compromise. Every different SP the enlcave communicates to
- // must have a unique SP public key. Delivery of the SP public key is
- // determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key
- // based on NIST P-256
- static const sgx_ec256_public_t g_sp_pub_key = {
- {
- 0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf,
- 0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad,
- 0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d,
- 0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38
- },
- {
- 0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b,
- 0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2,
- 0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28,
- 0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06
- }
- };
- // Used to store the secret passed by the SP in the sample code. The
- // size is forced to be 8 bytes. Expected value is
- // 0x01,0x02,0x03,0x04,0x0x5,0x0x6,0x0x7
- uint8_t g_secret[8] = {0};
- #ifdef SUPPLIED_KEY_DERIVATION
- #pragma message ("Supplied key derivation function is used.")
- typedef struct _hash_buffer_t
- {
- uint8_t counter[4];
- sgx_ec256_dh_shared_t shared_secret;
- uint8_t algorithm_id[4];
- } hash_buffer_t;
- const char ID_U[] = "SGXRAENCLAVE";
- const char ID_V[] = "SGXRASERVER";
- // Derive two keys from shared key and key id.
- bool derive_key(
- const sgx_ec256_dh_shared_t *p_shared_key,
- uint8_t key_id,
- sgx_ec_key_128bit_t *first_derived_key,
- sgx_ec_key_128bit_t *second_derived_key)
- {
- sgx_status_t sgx_ret = SGX_SUCCESS;
- hash_buffer_t hash_buffer;
- sgx_sha_state_handle_t sha_context;
- sgx_sha256_hash_t key_material;
- memset(&hash_buffer, 0, sizeof(hash_buffer_t));
- /* counter in big endian */
- hash_buffer.counter[3] = key_id;
- /*convert from little endian to big endian */
- for (size_t i = 0; i < sizeof(sgx_ec256_dh_shared_t); i++)
- {
- hash_buffer.shared_secret.s[i] = p_shared_key->s[sizeof(p_shared_key->s)-1 - i];
- }
- sgx_ret = sgx_sha256_init(&sha_context);
- if (sgx_ret != SGX_SUCCESS)
- {
- return false;
- }
- sgx_ret = sgx_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context);
- if (sgx_ret != SGX_SUCCESS)
- {
- sgx_sha256_close(sha_context);
- return false;
- }
- sgx_ret = sgx_sha256_update((uint8_t*)&ID_U, sizeof(ID_U), sha_context);
- if (sgx_ret != SGX_SUCCESS)
- {
- sgx_sha256_close(sha_context);
- return false;
- }
- sgx_ret = sgx_sha256_update((uint8_t*)&ID_V, sizeof(ID_V), sha_context);
- if (sgx_ret != SGX_SUCCESS)
- {
- sgx_sha256_close(sha_context);
- return false;
- }
- sgx_ret = sgx_sha256_get_hash(sha_context, &key_material);
- if (sgx_ret != SGX_SUCCESS)
- {
- sgx_sha256_close(sha_context);
- return false;
- }
- sgx_ret = sgx_sha256_close(sha_context);
- assert(sizeof(sgx_ec_key_128bit_t)* 2 == sizeof(sgx_sha256_hash_t));
- memcpy(first_derived_key, &key_material, sizeof(sgx_ec_key_128bit_t));
- memcpy(second_derived_key, (uint8_t*)&key_material + sizeof(sgx_ec_key_128bit_t), sizeof(sgx_ec_key_128bit_t));
- // memset here can be optimized away by compiler, so please use memset_s on
- // windows for production code and similar functions on other OSes.
- memset(&key_material, 0, sizeof(sgx_sha256_hash_t));
- return true;
- }
- //isv defined key derivation function id
- #define ISV_KDF_ID 2
- typedef enum _derive_key_type_t
- {
- DERIVE_KEY_SMK_SK = 0,
- DERIVE_KEY_MK_VK,
- } derive_key_type_t;
- sgx_status_t key_derivation(const sgx_ec256_dh_shared_t* shared_key,
- uint16_t kdf_id,
- sgx_ec_key_128bit_t* smk_key,
- sgx_ec_key_128bit_t* sk_key,
- sgx_ec_key_128bit_t* mk_key,
- sgx_ec_key_128bit_t* vk_key)
- {
- bool derive_ret = false;
- if (NULL == shared_key)
- {
- return SGX_ERROR_INVALID_PARAMETER;
- }
- if (ISV_KDF_ID != kdf_id)
- {
- //fprintf(stderr, "\nError, key derivation id mismatch in [%s].", __FUNCTION__);
- return SGX_ERROR_KDF_MISMATCH;
- }
- derive_ret = derive_key(shared_key, DERIVE_KEY_SMK_SK,
- smk_key, sk_key);
- if (derive_ret != true)
- {
- //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
- return SGX_ERROR_UNEXPECTED;
- }
- derive_ret = derive_key(shared_key, DERIVE_KEY_MK_VK,
- mk_key, vk_key);
- if (derive_ret != true)
- {
- //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
- return SGX_ERROR_UNEXPECTED;
- }
- return SGX_SUCCESS;
- }
- #else
- #pragma message ("Default key derivation function is used.")
- #endif
- // This ecall is a wrapper of sgx_ra_init to create the trusted
- // KE exchange key context needed for the remote attestation
- // SIGMA API's. Input pointers aren't checked since the trusted stubs
- // copy them into EPC memory.
- //
- // @param b_pse Indicates whether the ISV app is using the
- // platform services.
- // @param p_context Pointer to the location where the returned
- // key context is to be copied.
- //
- // @return Any error return from the create PSE session if b_pse
- // is true.
- // @return Any error returned from the trusted key exchange API
- // for creating a key context.
- sgx_status_t enclave_init_ra(
- int b_pse,
- sgx_ra_context_t *p_context)
- {
- // isv enclave call to trusted key exchange library.
- sgx_status_t ret;
- if(b_pse)
- {
- int busy_retry_times = 2;
- do{
- ret = sgx_create_pse_session();
- }while (ret == SGX_ERROR_BUSY && busy_retry_times--);
- if (ret != SGX_SUCCESS)
- return ret;
- }
- #ifdef SUPPLIED_KEY_DERIVATION
- ret = sgx_ra_init_ex(&g_sp_pub_key, b_pse, key_derivation, p_context);
- #else
- ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context);
- #endif
- if(b_pse)
- {
- sgx_close_pse_session();
- return ret;
- }
- return ret;
- }
- // Closes the tKE key context used during the SIGMA key
- // exchange.
- //
- // @param context The trusted KE library key context.
- //
- // @return Return value from the key context close API
- sgx_status_t SGXAPI enclave_ra_close(
- sgx_ra_context_t context)
- {
- sgx_status_t ret;
- ret = sgx_ra_close(context);
- return ret;
- }
- // Verify the mac sent in att_result_msg from the SP using the
- // MK key. Input pointers aren't checked since the trusted stubs
- // copy them into EPC memory.
- //
- //
- // @param context The trusted KE library key context.
- // @param p_message Pointer to the message used to produce MAC
- // @param message_size Size in bytes of the message.
- // @param p_mac Pointer to the MAC to compare to.
- // @param mac_size Size in bytes of the MAC
- //
- // @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect.
- // @return Any error produced by tKE API to get SK key.
- // @return Any error produced by the AESCMAC function.
- // @return SGX_ERROR_MAC_MISMATCH - MAC compare fails.
- sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
- uint8_t* p_message,
- size_t message_size,
- uint8_t* p_mac,
- size_t mac_size)
- {
- sgx_status_t ret;
- sgx_ec_key_128bit_t mk_key;
- if(mac_size != sizeof(sgx_mac_t))
- {
- ret = SGX_ERROR_INVALID_PARAMETER;
- return ret;
- }
- if(message_size > UINT32_MAX)
- {
- ret = SGX_ERROR_INVALID_PARAMETER;
- return ret;
- }
- do {
- uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
- ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
- if(SGX_SUCCESS != ret)
- {
- break;
- }
- ret = sgx_rijndael128_cmac_msg(&mk_key,
- p_message,
- (uint32_t)message_size,
- &mac);
- if(SGX_SUCCESS != ret)
- {
- break;
- }
- if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
- {
- ret = SGX_ERROR_MAC_MISMATCH;
- break;
- }
- }
- while(0);
- return ret;
- }
- // Generate a secret information for the SP encrypted with SK.
- // Input pointers aren't checked since the trusted stubs copy
- // them into EPC memory.
- //
- // @param context The trusted KE library key context.
- // @param p_secret Message containing the secret.
- // @param secret_size Size in bytes of the secret message.
- // @param p_gcm_mac The pointer the the AESGCM MAC for the
- // message.
- //
- // @return SGX_ERROR_INVALID_PARAMETER - secret size if
- // incorrect.
- // @return Any error produced by tKE API to get SK key.
- // @return Any error produced by the AESGCM function.
- // @return SGX_ERROR_UNEXPECTED - the secret doesn't match the
- // expected value.
- sgx_status_t put_secret_data(
- sgx_ra_context_t context,
- uint8_t *p_secret,
- uint32_t secret_size,
- uint8_t *p_gcm_mac)
- {
- sgx_status_t ret = SGX_SUCCESS;
- sgx_ec_key_128bit_t sk_key;
- do {
- if(secret_size != 8)
- {
- ret = SGX_ERROR_INVALID_PARAMETER;
- break;
- }
- ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key);
- if(SGX_SUCCESS != ret)
- {
- break;
- }
- uint8_t aes_gcm_iv[12] = {0};
- ret = sgx_rijndael128GCM_decrypt(&sk_key,
- p_secret,
- secret_size,
- &g_secret[0],
- &aes_gcm_iv[0],
- 12,
- NULL,
- 0,
- (const sgx_aes_gcm_128bit_tag_t *)
- (p_gcm_mac));
- uint32_t i;
- bool secret_match = true;
- for(i=0;i<secret_size;i++)
- {
- if(g_secret[i] != i)
- {
- secret_match = false;
- }
- }
- if(!secret_match)
- {
- ret = SGX_ERROR_UNEXPECTED;
- }
- // Once the server has the shared secret, it should be sealed to
- // persistent storage for future use. This will prevents having to
- // perform remote attestation until the secret goes stale. Once the
- // enclave is created again, the secret can be unsealed.
- } while(0);
- return ret;
- }
|