
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. /* Content from sdk/tseal/tSeal.cpp */
  32. #include <stdint.h>
  33. #include <stdlib.h>
  34. #include <sgx_tseal.h>
  35. #ifdef SE_SIM
  36. #include <deriv.h>
  37. #endif // #ifdef SE_SIM
  38. #include <pcl_common.h>
  39. #include <pcl_internal.h>
  40. #include <pcl_unseal_internal.h>
  41. //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  42. // pcl_unseal_data()
  43. // PCL version of sgx_unseal_data (needed since the SGX SDK is unavailable at this point)
  44. // Parameters:
  45. // [IN] p_sealed_data - pointer to sealed key blob
  46. // [OUT] p_additional_MACtext - additional text to MAC
  47. // [IN] additional_MACtext_length - length of additional text
  48. // [OUT] p_decrypted_text - buffer to fill with decrypted data
  49. // [IN] decrypted_text_length - length of p_decrypted_text buffer
  50. // Return Value:
  51. // SGX_SUCCESS or error codes
  52. sgx_status_t pcl_unseal_data(const sgx_sealed_data_t *p_sealed_data, uint8_t *p_additional_MACtext,
  53. uint32_t *p_additional_MACtext_length, uint8_t *p_decrypted_text, uint32_t *p_decrypted_text_length)
  54. {
  55. sgx_status_t err = SGX_ERROR_UNEXPECTED;
  56. // Ensure the the sgx_sealed_data_t members are all inside enclave before using them.
  57. if ((p_sealed_data == NULL) || (!pcl_is_within_enclave(p_sealed_data,sizeof(sgx_sealed_data_t))))
  58. {
  59. return SGX_ERROR_INVALID_PARAMETER;
  60. }
  61. uint32_t encrypt_text_length = pcl_get_encrypt_txt_len(p_sealed_data);
  62. if (encrypt_text_length == UINT32_MAX)
  63. {
  64. return SGX_ERROR_MAC_MISMATCH; // Return error indicating the blob is corrupted
  65. }
  66. uint32_t aad_text_length = pcl_get_aad_mac_txt_len(p_sealed_data);
  67. if (aad_text_length == UINT32_MAX)
  68. {
  69. return SGX_ERROR_MAC_MISMATCH; // Return error indicating the blob is corrupted
  70. }
  71. uint32_t sealedDataSize = pcl_calc_sealed_data_size(aad_text_length, encrypt_text_length);
  72. if (sealedDataSize == UINT32_MAX)
  73. {
  74. return SGX_ERROR_MAC_MISMATCH; // Return error indicating the blob is corrupted
  75. }
  76. //
  77. // Check parameters
  78. //
  79. // Ensure sealed data blob is within an enclave during the sealing process
  80. if (!pcl_is_within_enclave(p_sealed_data,sealedDataSize))
  81. {
  82. return SGX_ERROR_INVALID_PARAMETER;
  83. }
  84. if ((aad_text_length > 0) && ((p_additional_MACtext == NULL) || (p_additional_MACtext_length == NULL)))
  85. {
  86. return SGX_ERROR_INVALID_PARAMETER;
  87. }
  88. if ((encrypt_text_length < 1) || (p_decrypted_text == NULL) || (p_decrypted_text_length == NULL))
  89. {
  90. return SGX_ERROR_INVALID_PARAMETER;
  91. }
  92. if (!pcl_is_within_enclave(p_decrypted_text,encrypt_text_length))
  93. {
  94. return SGX_ERROR_INVALID_PARAMETER;
  95. }
  96. if (!pcl_is_within_enclave(p_decrypted_text_length,sizeof(p_decrypted_text_length)))
  97. {
  98. return SGX_ERROR_INVALID_PARAMETER;
  99. }
  100. // Ensure aad data does not cross enclave boundary
  101. if ((aad_text_length > 0) &&
  102. (!(pcl_is_within_enclave(p_additional_MACtext,aad_text_length) || pcl_is_outside_enclave(p_additional_MACtext, aad_text_length))))
  103. {
  104. return SGX_ERROR_INVALID_PARAMETER;
  105. }
  106. if ((*p_decrypted_text_length) < encrypt_text_length)
  107. {
  108. return SGX_ERROR_INVALID_PARAMETER;
  109. }
  110. uint32_t additional_MACtext_length = (NULL != p_additional_MACtext_length) ? *p_additional_MACtext_length : 0;
  111. if (additional_MACtext_length != aad_text_length) {
  112. return SGX_ERROR_INVALID_PARAMETER;
  113. }
  114. err = pcl_unseal_data_helper(p_sealed_data, p_additional_MACtext, aad_text_length,
  115. p_decrypted_text, encrypt_text_length);
  116. if (err == SGX_SUCCESS)
  117. {
  118. *p_decrypted_text_length = encrypt_text_length;
  119. if (p_additional_MACtext_length != NULL)
  120. *p_additional_MACtext_length = aad_text_length;
  121. }
  122. else
  123. {
  124. // Scrub p_decrypted_text
  125. pcl_volatile_memset((volatile void*)p_decrypted_text, 0, encrypt_text_length);
  126. }
  127. return err;
  128. }