sgx_tcrypto.h 36 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674
  1. /*
  2. * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. /**
  32. * File: sgx_tcrypto.h
  33. * Description:
  34. * Interface for generic crypto library APIs required in SDK implementation.
  35. */
  36. #ifndef _SGX_TCRYPTO_H_
  37. #define _SGX_TCRYPTO_H_
  38. #include "sgx.h"
  39. #include "sgx_defs.h"
  40. #define SGX_SHA256_HASH_SIZE 32
  41. #define SGX_ECP256_KEY_SIZE 32
  42. #define SGX_NISTP_ECP256_KEY_SIZE (SGX_ECP256_KEY_SIZE/sizeof(uint32_t))
  43. #define SGX_AESGCM_IV_SIZE 12
  44. #define SGX_AESGCM_KEY_SIZE 16
  45. #define SGX_AESGCM_MAC_SIZE 16
  46. #define SGX_CMAC_KEY_SIZE 16
  47. #define SGX_CMAC_MAC_SIZE 16
  48. #define SGX_AESCTR_KEY_SIZE 16
  49. #define SGX_RSA3072_KEY_SIZE 384
  50. #define SGX_RSA3072_PRI_EXP_SIZE 384
  51. #define SGX_RSA3072_PUB_EXP_SIZE 4
  52. typedef struct _sgx_ec256_dh_shared_t
  53. {
  54. uint8_t s[SGX_ECP256_KEY_SIZE];
  55. } sgx_ec256_dh_shared_t;
  56. typedef struct _sgx_ec256_dh_shared512_t
  57. {
  58. uint8_t x[SGX_ECP256_KEY_SIZE];
  59. uint8_t y[SGX_ECP256_KEY_SIZE];
  60. } sgx_ec256_dh_shared512_t;
  61. typedef struct _sgx_ec256_private_t
  62. {
  63. uint8_t r[SGX_ECP256_KEY_SIZE];
  64. } sgx_ec256_private_t;
  65. typedef struct _sgx_ec256_public_t
  66. {
  67. uint8_t gx[SGX_ECP256_KEY_SIZE];
  68. uint8_t gy[SGX_ECP256_KEY_SIZE];
  69. } sgx_ec256_public_t;
  70. typedef struct _sgx_ec256_signature_t
  71. {
  72. uint32_t x[SGX_NISTP_ECP256_KEY_SIZE];
  73. uint32_t y[SGX_NISTP_ECP256_KEY_SIZE];
  74. } sgx_ec256_signature_t;
  75. typedef struct _sgx_rsa3072_public_key_t
  76. {
  77. uint8_t mod[SGX_RSA3072_KEY_SIZE];
  78. uint8_t exp[SGX_RSA3072_PUB_EXP_SIZE];
  79. } sgx_rsa3072_public_key_t;
  80. typedef struct _sgx_rsa3072_private_key_t
  81. {
  82. uint8_t mod[SGX_RSA3072_KEY_SIZE];
  83. uint8_t exp[SGX_RSA3072_PRI_EXP_SIZE];
  84. } sgx_rsa3072_private_key_t;
  85. typedef uint8_t sgx_rsa3072_signature_t[SGX_RSA3072_KEY_SIZE];
  86. typedef void* sgx_sha_state_handle_t;
  87. typedef void* sgx_cmac_state_handle_t;
  88. typedef void* sgx_ecc_state_handle_t;
  89. typedef uint8_t sgx_sha256_hash_t[SGX_SHA256_HASH_SIZE];
  90. typedef uint8_t sgx_aes_gcm_128bit_key_t[SGX_AESGCM_KEY_SIZE];
  91. typedef uint8_t sgx_aes_gcm_128bit_tag_t[SGX_AESGCM_MAC_SIZE];
  92. typedef uint8_t sgx_cmac_128bit_key_t[SGX_CMAC_KEY_SIZE];
  93. typedef uint8_t sgx_cmac_128bit_tag_t[SGX_CMAC_MAC_SIZE];
  94. typedef uint8_t sgx_aes_ctr_128bit_key_t[SGX_AESCTR_KEY_SIZE];
  95. typedef enum {
  96. SGX_EC_VALID, /* validation pass successfully */
  97. SGX_EC_COMPOSITE_BASE, /* field based on composite */
  98. SGX_EC_COMPLICATED_BASE, /* number of non-zero terms in the polynomial (> PRIME_ARR_MAX) */
  99. SGX_EC_IS_ZERO_DISCRIMINANT,/* zero discriminant */
  100. SGX_EC_COMPOSITE_ORDER, /* composite order of base point */
  101. SGX_EC_INVALID_ORDER, /* invalid base point order */
  102. SGX_EC_IS_WEAK_MOV, /* weak Meneze-Okamoto-Vanstone reduction attack */
  103. SGX_EC_IS_WEAK_SSA, /* weak Semaev-Smart,Satoh-Araki reduction attack */
  104. SGX_EC_IS_SUPER_SINGULAR, /* supersingular curve */
  105. SGX_EC_INVALID_PRIVATE_KEY, /* !(0 < Private < order) */
  106. SGX_EC_INVALID_PUBLIC_KEY, /* (order*PublicKey != Infinity) */
  107. SGX_EC_INVALID_KEY_PAIR, /* (Private*BasePoint != PublicKey) */
  108. SGX_EC_POINT_OUT_OF_GROUP, /* out of group (order*P != Infinity) */
  109. SGX_EC_POINT_IS_AT_INFINITY,/* point (P=(Px,Py)) at Infinity */
  110. SGX_EC_POINT_IS_NOT_VALID, /* point (P=(Px,Py)) out-of EC */
  111. SGX_EC_POINT_IS_EQUAL, /* compared points are equal */
  112. SGX_EC_POINT_IS_NOT_EQUAL, /* compared points are different */
  113. SGX_EC_INVALID_SIGNATURE /* invalid signature */
  114. } sgx_generic_ecresult_t;
  115. typedef enum {
  116. SGX_RSA_VALID, /* validation pass successfully */
  117. SGX_RSA_INVALID_SIGNATURE /* invalid signature */
  118. } sgx_rsa_result_t;
  119. #ifdef __cplusplus
  120. extern "C" {
  121. #endif
  122. /** SHA Hashing functions - NOTE: ONLY 256-bit is supported.
  123. *
  124. * NOTE: Use sgx_sha256_msg if the src pointer contains the complete msg to perform hash (Option 1)
  125. * Else use the Init, Update, Update, ..., Final procedure (Option 2)
  126. * Option 1: If the complete dataset is available for hashing, sgx_sha256_msg
  127. * is a single API call for generating the 256bit hash for the given dataset.
  128. * Return: If source pointer or hash pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  129. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  130. * Option 2: If the hash is to be performed over multiple data sets, then use:
  131. * A. sgx_sha256_init - to create the context - context memory is allocated by this function.
  132. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  133. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  134. * B. sgx_sha256_update - updates hash based on input source data
  135. * This function should be called for each chunk of data to be
  136. * included in the hash including the 1st and final chunks.
  137. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  138. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  139. * C. sgx_sha256_get_hash - function obtains the hash value
  140. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  141. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  142. * D. sgx_sha256_close - SHOULD BE CALLED to FREE context memory
  143. * Upon completing the process of computing a hash over a set of data
  144. * or sets of data, this function is used to free the context.
  145. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  146. *
  147. * Parameters:
  148. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  149. * Inputs: uint8_t *p_src - Pointer to the input stream to be hashed
  150. * uint32_t src_len - Length of the input stream to be hashed
  151. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  152. */
  153. sgx_status_t SGXAPI sgx_sha256_msg(const uint8_t *p_src, uint32_t src_len, sgx_sha256_hash_t *p_hash);
  154. /** Allocates and initializes sha256 state
  155. *
  156. * Parameters:
  157. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  158. * Output: sgx_sha_state_handle_t *p_sha_handle - Pointer to the handle of the SHA256 state
  159. */
  160. sgx_status_t SGXAPI sgx_sha256_init(sgx_sha_state_handle_t* p_sha_handle);
  161. /** Updates sha256 has calculation based on the input message
  162. *
  163. * Parameters:
  164. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  165. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  166. * uint8_t *p_src - Pointer to the input stream to be hashed
  167. * uint32_t src_len - Length of the input stream to be hashed
  168. */
  169. sgx_status_t SGXAPI sgx_sha256_update(const uint8_t *p_src, uint32_t src_len, sgx_sha_state_handle_t sha_handle);
  170. /** Returns Hash calculation
  171. *
  172. * Parameters:
  173. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  174. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  175. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  176. */
  177. sgx_status_t SGXAPI sgx_sha256_get_hash(sgx_sha_state_handle_t sha_handle, sgx_sha256_hash_t *p_hash);
  178. /** Cleans up SHA state
  179. *
  180. * Parameters:
  181. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  182. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  183. */
  184. sgx_status_t SGXAPI sgx_sha256_close(sgx_sha_state_handle_t sha_handle);
  185. /**Rijndael AES-GCM - Only 128-bit key AES-GCM Encryption/Decryption is supported
  186. *
  187. * The Galois/Counter Mode (GCM) is a mode of operation of the AES algorithm.
  188. * GCM [NIST SP 800-38D] uses a variation of the Counter mode of operation for encryption.
  189. * GCM assures authenticity of the confidential data (of up to about 64 GB per invocation)
  190. * using a universal hash function defined over a binary finite field (the Galois field).
  191. *
  192. * GCM can also provide authentication assurance for additional data
  193. * (of practically unlimited length per invocation) that is not encrypted.
  194. * GCM provides stronger authentication assurance than a (non-cryptographic) checksum or
  195. * error detecting code. In particular, GCM can detect both accidental modifications of
  196. * the data and intentional, unauthorized modifications.
  197. *
  198. * sgx_rijndael128GCM_encrypt:
  199. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  200. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  201. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  202. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  203. * If out of enclave memory then SGX_ERROR_OUT_OF_MEMORY is returned.
  204. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  205. *
  206. * sgx_rijndael128GCM_decrypt:
  207. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  208. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  209. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  210. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  211. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  212. * If the input MAC does not match the calculated MAC, SGX_ERROR_MAC_MISMATCH is returned.
  213. *
  214. * Parameters:
  215. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  216. * Inputs: sgx_aes_gcm_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  217. * Size MUST BE 128-bits
  218. * uint8_t *p_src - Pointer to the input stream to be encrypted/decrypted
  219. * uint32_t src_len - Length of the input stream to be encrypted/decrypted
  220. * uint8_t *p_iv - Pointer to the initialization vector
  221. * uint32_t iv_len - Length of the initialization vector - MUST BE 12 (bytes)
  222. * NIST AES-GCM recommended IV size = 96 bits
  223. * uint8_t *p_aad - Pointer to the input stream of additional authentication data
  224. * uint32_t aad_len - Length of the additional authentication data stream
  225. * sgx_aes_gcm_128bit_tag_t *p_in_mac - Pointer to the expected MAC in decryption process
  226. * Output: uint8_t *p_dst - Pointer to the cipher text for encryption or clear text for decryption. Size of buffer should be >= src_len.
  227. * sgx_aes_gcm_128bit_tag_t *p_out_mac - Pointer to the MAC generated from encryption process
  228. * NOTE: Wrapper is responsible for confirming decryption tag matches encryption tag
  229. */
  230. sgx_status_t SGXAPI sgx_rijndael128GCM_encrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  231. const uint8_t *p_src,
  232. uint32_t src_len,
  233. uint8_t *p_dst,
  234. const uint8_t *p_iv,
  235. uint32_t iv_len,
  236. const uint8_t *p_aad,
  237. uint32_t aad_len,
  238. sgx_aes_gcm_128bit_tag_t *p_out_mac);
  239. sgx_status_t SGXAPI sgx_rijndael128GCM_decrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  240. const uint8_t *p_src,
  241. uint32_t src_len,
  242. uint8_t *p_dst,
  243. const uint8_t *p_iv,
  244. uint32_t iv_len,
  245. const uint8_t *p_aad,
  246. uint32_t aad_len,
  247. const sgx_aes_gcm_128bit_tag_t *p_in_mac);
  248. /** Message Authentication Rijndael 128 CMAC - Only 128-bit key size is supported.
  249. * NOTE: Use sgx_rijndael128_cmac_msg if the src ptr contains the complete msg to perform hash (Option 1)
  250. * Else use the Init, Update, Update, ..., Final, Close procedure (Option 2)
  251. * Option 1: If the complete dataset is available for hashing, sgx_rijndael128_cmac_msg
  252. * is a single API call for generating the 128-bit hash for the given dataset.
  253. * Return: If source, key, or MAC pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  254. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  255. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  256. * Option 2: If the hash is to be performed over multiple data sets, then use:
  257. * A. sgx_cmac128_init - to create the context - context memory is allocated by this function.
  258. * Return: If key pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  259. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  260. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  261. * B. sgx_cmac128_update - updates hash based on input source data
  262. * This function should be called for each chunk of data to be
  263. * included in the hash including the 1st and final chunks.
  264. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  265. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  266. * C. sgx_cmac128_final - function obtains the hash value
  267. * Upon completing the process of computing a hash over a set of data or sets of data,
  268. * this function populates the hash value.
  269. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  270. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  271. * D. sgx_cmac128_close - SHOULD BE CALLED to clean up the CMAC state
  272. * Upon populating the hash value over a set of data or sets of data,
  273. * this function is used to free the CMAC state.
  274. * Return: If CMAC state pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  275. *
  276. * Parameters:
  277. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  278. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  279. * uint8_t *p_src - Pointer to the input stream to be MAC’d
  280. * uint32_t src_len - Length of the input stream to be MAC’d
  281. * Output: sgx_cmac_gcm_128bit_tag_t *p_mac - Pointer to the resultant MAC
  282. */
  283. sgx_status_t SGXAPI sgx_rijndael128_cmac_msg(const sgx_cmac_128bit_key_t *p_key,
  284. const uint8_t *p_src,
  285. uint32_t src_len,
  286. sgx_cmac_128bit_tag_t *p_mac);
  287. /** Allocates and initializes CMAC state.
  288. *
  289. * Parameters:
  290. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  291. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  292. * Output: sgx_cmac_state_handle_t *p_cmac_handle - Pointer to the handle of the CMAC state
  293. */
  294. sgx_status_t SGXAPI sgx_cmac128_init(const sgx_cmac_128bit_key_t *p_key, sgx_cmac_state_handle_t* p_cmac_handle);
  295. /** Updates CMAC has calculation based on the input message.
  296. *
  297. * Parameters:
  298. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  299. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  300. * uint8_t *p_src - Pointer to the input stream to be hashed
  301. * uint32_t src_len - Length of the input stream to be hashed
  302. */
  303. sgx_status_t SGXAPI sgx_cmac128_update(const uint8_t *p_src, uint32_t src_len, sgx_cmac_state_handle_t cmac_handle);
  304. /** Returns Hash calculation and clean up CMAC state.
  305. *
  306. * Parameters:
  307. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  308. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  309. * Output: sgx_cmac_128bit_tag_t *p_hash - Resultant hash from operation
  310. */
  311. sgx_status_t SGXAPI sgx_cmac128_final(sgx_cmac_state_handle_t cmac_handle, sgx_cmac_128bit_tag_t *p_hash);
  312. /** Clean up the CMAC state
  313. *
  314. * Parameters:
  315. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  316. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  317. */
  318. sgx_status_t SGXAPI sgx_cmac128_close(sgx_cmac_state_handle_t cmac_handle);
  319. /** AES-CTR 128-bit - Only 128-bit key size is supported.
  320. *
  321. * These functions encrypt/decrypt the input data stream of a variable length according
  322. * to the CTR mode as specified in [NIST SP 800-38A]. The counter can be thought of as
  323. * an IV which increments on successive encryption or decrytion calls. For a given
  324. * dataset or data stream the incremented counter block should be used on successive
  325. * calls of the encryption/decryption process for that given stream. However for
  326. * new or different datasets/streams, the same counter should not be reused, instead
  327. * intialize the counter for the new data set.
  328. *
  329. * sgx_aes_ctr_encrypt
  330. * Return: If source, key, counter, or destination pointer is NULL,
  331. * SGX_ERROR_INVALID_PARAMETER is returned.
  332. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  333. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  334. * sgx_aes_ctr_decrypt
  335. * Return: If source, key, counter, or destination pointer is NULL,
  336. * SGX_ERROR_INVALID_PARAMETER is returned.
  337. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  338. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  339. *
  340. * Parameters:
  341. * Return:
  342. * sgx_status_t - SGX_SUCCESS or failure as defined
  343. * in sgx_error.h
  344. * Inputs:
  345. * sgx_aes_128bit_key_t *p_key - Pointer to the key used in
  346. * encryption/decryption operation
  347. * uint8_t *p_src - Pointer to the input stream to be
  348. * encrypted/decrypted
  349. * uint32_t src_len - Length of the input stream to be
  350. * encrypted/decrypted
  351. * uint8_t *p_ctr - Pointer to the counter block
  352. * uint32_t ctr_inc_bits - Number of bits in counter to be
  353. * incremented
  354. * Output:
  355. * uint8_t *p_dst - Pointer to the cipher text.
  356. * Size of buffer should be >= src_len.
  357. */
  358. sgx_status_t SGXAPI sgx_aes_ctr_encrypt(
  359. const sgx_aes_ctr_128bit_key_t *p_key,
  360. const uint8_t *p_src,
  361. const uint32_t src_len,
  362. uint8_t *p_ctr,
  363. const uint32_t ctr_inc_bits,
  364. uint8_t *p_dst);
  365. sgx_status_t SGXAPI sgx_aes_ctr_decrypt(
  366. const sgx_aes_ctr_128bit_key_t *p_key,
  367. const uint8_t *p_src,
  368. const uint32_t src_len,
  369. uint8_t *p_ctr,
  370. const uint32_t ctr_inc_bits,
  371. uint8_t *p_dst);
  372. /**
  373. * Elliptic Curve Cryptography based on GF(p), 256 bit.
  374. *
  375. * Elliptic curve cryptosystems (ECCs) implement a different way of creating public keys.
  376. * Because elliptic curve calculation is based on the addition of the rational points in
  377. * the (x,y) plane and it is difficult to solve a discrete logarithm from these points,
  378. * a higher level of security is achieved through the cryptographic schemes that use the
  379. * elliptic curves. The cryptographic systems that encrypt messages by using the properties
  380. * of elliptic curves are hard to attack due to the extreme complexity of deciphering the
  381. * private key.
  382. *
  383. * Use of elliptic curves allows for shorter public key length and encourage cryptographers
  384. * to create cryptosystems with the same or higher encryption strength as the RSA or DSA
  385. * cryptosystems. Because of the relatively short key length, ECCs do encryption and decryption
  386. * faster on the hardware that requires less computation processing volumes. For example, with
  387. * a key length of 150-350 bits, ECCs provide the same encryption strength as the cryptosystems
  388. * who have to use 600 -1400 bits.
  389. *
  390. * ECCP stands for Elliptic Curve Cryptography Prime and these functions include operations
  391. * over a prime finite field GF(p).
  392. *
  393. */
  394. /** Allocates and initializes ecc context.
  395. * The function initializes the context of the elliptic curve cryptosystem over the
  396. * prime finite field GF(p). This function allocates and initializes the ecc context.
  397. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  398. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  399. * Parameters:
  400. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  401. * Output: sgx_ecc_state_handle_t *p_ecc_handle - Pointer to the handle of the ECC crypto system
  402. */
  403. sgx_status_t SGXAPI sgx_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle);
  404. /** Cleans up ecc context.
  405. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  406. * Parameters:
  407. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  408. * Output: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  409. */
  410. sgx_status_t SGXAPI sgx_ecc256_close_context(sgx_ecc_state_handle_t ecc_handle);
  411. /** Populates private/public key pair.
  412. * NOTE: Caller code allocates memory for Private & Public key pointers to be populated
  413. *
  414. * The function generates a private key p_private and computes a public key p_public of the
  415. * elliptic cryptosystem over a finite field GF(p).
  416. *
  417. * The private key p_private is a number that lies in the range of [1, n-1] where n is
  418. * the order of the elliptic curve base point.
  419. *
  420. * The public key p_public is an elliptic curve point such that p_public = p_private *G,
  421. * where G is the base point of the elliptic curve.
  422. *
  423. * The context of the point p_public as an elliptic curve point must be created by using
  424. * the function sgx_ecc256_open_context.
  425. *
  426. * Return: If context, public key, or private key pointer is NULL,
  427. * SGX_ERROR_INVALID_PARAMETER is returned.
  428. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  429. * Parameters:
  430. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  431. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  432. * Outputs: sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  433. * sgx_ec256_public_t *p_public - Pointer to the public key - LITTLE ENDIAN
  434. */
  435. sgx_status_t SGXAPI sgx_ecc256_create_key_pair(sgx_ec256_private_t *p_private,
  436. sgx_ec256_public_t *p_public,
  437. sgx_ecc_state_handle_t ecc_handle);
  438. /** Checks whether the input point is a valid point on the given elliptic curve.
  439. * Parameters:
  440. * Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h
  441. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system
  442. * sgx_ec256_public_t *p_point - Pointer to perform validity check on - LITTLE ENDIAN
  443. * Output: int *p_valid - Return 0 if the point is an invalid point on ECC curve
  444. */
  445. sgx_status_t SGXAPI sgx_ecc256_check_point(const sgx_ec256_public_t *p_point,
  446. const sgx_ecc_state_handle_t ecc_handle,
  447. int *p_valid);
  448. /** Computes DH shared key based on own (local) private key and remote public Ga Key.
  449. * NOTE: Caller code allocates memory for Shared key pointer to be populated
  450. *
  451. * The function computes a secret number bnShare, which is a secret key shared between
  452. * two participants of the cryptosystem.
  453. *
  454. * In cryptography, metasyntactic names such as Alice as Bob are normally used as examples
  455. * and in discussions and stand for participant A and participant B.
  456. *
  457. * Both participants (Alice and Bob) use the cryptosystem for receiving a common secret point
  458. * on the elliptic curve called a secret key. To receive a secret key, participants apply the
  459. * Diffie-Hellman key-agreement scheme involving public key exchange. The value of the secret
  460. * key entirely depends on participants.
  461. *
  462. * According to the scheme, Alice and Bob perform the following operations:
  463. * 1. Alice calculates her own public key pubKeyA by using her private key
  464. * privKeyA: pubKeyA = privKeyA *G, where G is the base point of the elliptic curve.
  465. * 2. Alice passes the public key to Bob.
  466. * 3. Bob calculates his own public key pubKeyB by using his private key
  467. * privKeyB: pubKeyB = privKeyB *G, where G is a base point of the elliptic curve.
  468. * 4. Bob passes the public key to Alice.
  469. * 5. Alice gets Bob's public key and calculates the secret point shareA. When calculating,
  470. * she uses her own private key and Bob's public key and applies the following formula:
  471. * shareA = privKeyA *pubKeyB = privKeyA *privKeyB *G.
  472. * 6. Bob gets Alice's public key and calculates the secret point shareB. When calculating,
  473. * he uses his own private key and Alice's public key and applies the following formula:
  474. * shareB = privKeyB *pubKeyA = privKeyB *privKeyA *G.
  475. *
  476. * Because the following equation is true privKeyA *privKeyB *G = privKeyB *privKeyA *G,
  477. * the result of both calculations is the same, that is, the equation shareA = shareB is true.
  478. * The secret point serves as a secret key.
  479. *
  480. * Shared secret bnShare is an x-coordinate of the secret point on the elliptic curve. The elliptic
  481. * curve domain parameters must be hitherto defined by the function: sgx_ecc256_open_context.
  482. *
  483. * Return: If context, public key, private key, or shared key pointer is NULL,
  484. * SGX_ERROR_INVALID_PARAMETER is returned.
  485. * If the remote public key is not a valid point on the elliptic curve,
  486. * SGX_ERROR_INVALID_PARAMETER is returned.
  487. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  488. *
  489. * Parameters:
  490. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  491. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  492. * sgx_ec256_private_t *p_private_b - Pointer to the local private key - LITTLE ENDIAN
  493. * sgx_ec256_public_t *p_public_ga - Pointer to the remote public key - LITTLE ENDIAN
  494. * Output: sgx_ec256_dh_shared_t *p_shared_key - Pointer to the shared DH key - LITTLE ENDIAN
  495. */
  496. sgx_status_t SGXAPI sgx_ecc256_compute_shared_dhkey(sgx_ec256_private_t *p_private_b,
  497. sgx_ec256_public_t *p_public_ga,
  498. sgx_ec256_dh_shared_t *p_shared_key,
  499. sgx_ecc_state_handle_t ecc_handle);
  500. /* Computes 512-bit DH shared key based on private B key (local) and remote public Ga Key
  501. * Parameters:
  502. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  503. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  504. * sgx_ec256_private_t *p_private_b - Pointer to the local private key
  505. * sgx_ec256_public_t *p_public_ga - Pointer to the remote public key
  506. * Output: sgx_ec256_dh_shared512_t *p_shared_key - Pointer to the 512-bit shared DH key
  507. */
  508. sgx_status_t SGXAPI sgx_ecc256_compute_shared_dhkey512(sgx_ec256_private_t *p_private_b,
  509. sgx_ec256_public_t *p_public_ga,
  510. sgx_ec256_dh_shared512_t *p_shared_key,
  511. sgx_ecc_state_handle_t ecc_handle);
  512. /** Computes signature for data based on private key.
  513. *
  514. * A message digest is a fixed size number derived from the original message with
  515. * an applied hash function over the binary code of the message. (SHA256 in this case)
  516. * The signer's private key and the message digest are used to create a signature.
  517. *
  518. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  519. * which the given function computes.
  520. *
  521. * The scheme used for computing a digital signature is of the ECDSA scheme,
  522. * an elliptic curve of the DSA scheme.
  523. *
  524. * The keys can be generated and set up by the function: sgx_ecc256_create_key_pair.
  525. *
  526. * The elliptic curve domain parameters must be created by function:
  527. * sgx_ecc256_open_context
  528. *
  529. * Return: If context, private key, signature or data pointer is NULL,
  530. * SGX_ERROR_INVALID_PARAMETER is returned.
  531. * If the signature creation process fails then SGX_ERROR_UNEXPECTED is returned.
  532. *
  533. * Parameters:
  534. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  535. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  536. * sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  537. * uint8_t *p_data - Pointer to the data to be signed
  538. * uint32_t data_size - Size of the data to be signed
  539. * Output: ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN
  540. */
  541. sgx_status_t SGXAPI sgx_ecdsa_sign(const uint8_t *p_data,
  542. uint32_t data_size,
  543. sgx_ec256_private_t *p_private,
  544. sgx_ec256_signature_t *p_signature,
  545. sgx_ecc_state_handle_t ecc_handle);
  546. /** Verifies the signature for the given data based on the public key.
  547. *
  548. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  549. * which could be created by function: sgx_ecdsa_sign. The scheme used for computing a
  550. * digital signature is of the ECDSA scheme, an elliptic curve of the DSA scheme.
  551. *
  552. * The typical result of the digital signature verification is one of the two values:
  553. * SGX_Generic_ECValid - Digital signature is valid
  554. * SGX_Generic_ECInvalidSignature - Digital signature is not valid
  555. *
  556. * The elliptic curve domain parameters must be created by function:
  557. * sgx_ecc256_open_context
  558. *
  559. * Return: If context, public key, signature, result or data pointer is NULL,
  560. * SGX_ERROR_INVALID_PARAMETER is returned.
  561. * If the verification process fails then SGX_ERROR_UNEXPECTED is returned.
  562. * Parameters:
  563. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  564. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  565. * sgx_ec256_public_t *p_public - Pointer to the public key
  566. * uint8_t *p_data - Pointer to the data to be signed
  567. * uint32_t data_size - Size of the data to be signed
  568. * sgx_ec256_signature_t *p_signature - Pointer to the signature
  569. * Output: uint8_t *p_result - Pointer to the result of verification check
  570. */
  571. sgx_status_t SGXAPI sgx_ecdsa_verify(const uint8_t *p_data,
  572. uint32_t data_size,
  573. const sgx_ec256_public_t *p_public,
  574. sgx_ec256_signature_t *p_signature,
  575. uint8_t *p_result,
  576. sgx_ecc_state_handle_t ecc_handle);
  577. /** Computes signature for a given data based on RSA 3072 private key
  578. *
  579. * A digital signature over a message consists of a 3072 bit number.
  580. *
  581. * Return: If private key, signature or data pointer is NULL,
  582. * SGX_ERROR_INVALID_PARAMETER is returned.
  583. * If the signing process fails then SGX_ERROR_UNEXPECTED is returned.
  584. * Parameters:
  585. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  586. * Inputs: uint8_t *p_data - Pointer to the data to be signed
  587. * uint32_t data_size - Size of the data to be signed
  588. * sgx_rsa3072_private_key_t *p_private - Pointer to the private key
  589. * Output: sgx_rsa3072_signature_t *p_signature - Pointer to the signature output
  590. */
  591. sgx_status_t sgx_rsa3072_sign(const uint8_t *p_data,
  592. uint32_t data_size,
  593. const sgx_rsa3072_private_key_t *p_private,
  594. sgx_rsa3072_signature_t *p_signature);
  595. /** Verifies the signature for the given data based on the RSA 3072 public key.
  596. *
  597. * A digital signature over a message consists of a 3072 bit number.
  598. *
  599. * The typical result of the digital signature verification is one of the two values:
  600. * SGX_Generic_ECValid - Digital signature is valid
  601. * SGX_Generic_ECInvalidSignature - Digital signature is not valid
  602. *
  603. * Return: If public key, signature, result or data pointer is NULL,
  604. * SGX_ERROR_INVALID_PARAMETER is returned.
  605. * If the verification process fails then SGX_ERROR_UNEXPECTED is returned.
  606. * Parameters:
  607. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  608. * Inputs: uint8_t *p_data - Pointer to the data to be verified
  609. * uint32_t data_size - Size of the data to be verified
  610. * sgx_rsa3072_public_key_t *p_public - Pointer to the public key
  611. * sgx_rsa3072_signature_t *p_signature - Pointer to the signature
  612. * Output: sgx_rsa_result_t *p_result - Pointer to the result of verification check
  613. */
  614. sgx_status_t sgx_rsa3072_verify(const uint8_t *p_data,
  615. uint32_t data_size,
  616. const sgx_rsa3072_public_key_t *p_public,
  617. const sgx_rsa3072_signature_t *p_signature,
  618. sgx_rsa_result_t *p_result);
  619. #ifdef __cplusplus
  620. }
  621. #endif
  622. #endif