sgx_tcrypto.h 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588
  1. /*
  2. * Copyright (C) 2011-2016 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. /**
  32. * File: sgx_tcrypto.h
  33. * Description:
  34. * Interface for generic crypto library APIs required in SDK implementation.
  35. */
  36. #ifndef _SGX_TCRYPTO_H_
  37. #define _SGX_TCRYPTO_H_
  38. #include "sgx.h"
  39. #include "sgx_defs.h"
  40. #define SGX_SHA256_HASH_SIZE 32
  41. #define SGX_ECP256_KEY_SIZE 32
  42. #define SGX_NISTP_ECP256_KEY_SIZE (SGX_ECP256_KEY_SIZE/sizeof(uint32_t))
  43. #define SGX_AESGCM_IV_SIZE 12
  44. #define SGX_AESGCM_KEY_SIZE 16
  45. #define SGX_AESGCM_MAC_SIZE 16
  46. #define SGX_CMAC_KEY_SIZE 16
  47. #define SGX_CMAC_MAC_SIZE 16
  48. #define SGX_AESCTR_KEY_SIZE 16
  49. typedef struct _sgx_ec256_dh_shared_t
  50. {
  51. uint8_t s[SGX_ECP256_KEY_SIZE];
  52. } sgx_ec256_dh_shared_t;
  53. typedef struct _sgx_ec256_private_t
  54. {
  55. uint8_t r[SGX_ECP256_KEY_SIZE];
  56. } sgx_ec256_private_t;
  57. typedef struct _sgx_ec256_public_t
  58. {
  59. uint8_t gx[SGX_ECP256_KEY_SIZE];
  60. uint8_t gy[SGX_ECP256_KEY_SIZE];
  61. } sgx_ec256_public_t;
  62. typedef struct _sgx_ec256_signature_t
  63. {
  64. uint32_t x[SGX_NISTP_ECP256_KEY_SIZE];
  65. uint32_t y[SGX_NISTP_ECP256_KEY_SIZE];
  66. } sgx_ec256_signature_t;
  67. typedef void* sgx_sha_state_handle_t;
  68. typedef void* sgx_cmac_state_handle_t;
  69. typedef void* sgx_ecc_state_handle_t;
  70. typedef uint8_t sgx_sha256_hash_t[SGX_SHA256_HASH_SIZE];
  71. typedef uint8_t sgx_aes_gcm_128bit_key_t[SGX_AESGCM_KEY_SIZE];
  72. typedef uint8_t sgx_aes_gcm_128bit_tag_t[SGX_AESGCM_MAC_SIZE];
  73. typedef uint8_t sgx_cmac_128bit_key_t[SGX_CMAC_KEY_SIZE];
  74. typedef uint8_t sgx_cmac_128bit_tag_t[SGX_CMAC_MAC_SIZE];
  75. typedef uint8_t sgx_aes_ctr_128bit_key_t[SGX_AESCTR_KEY_SIZE];
  76. typedef enum {
  77. SGX_EC_VALID, /* validation pass successfully */
  78. SGX_EC_COMPOSITE_BASE, /* field based on composite */
  79. SGX_EC_COMPLICATED_BASE, /* number of non-zero terms in the polynomial (> PRIME_ARR_MAX) */
  80. SGX_EC_IS_ZERO_DISCRIMINANT,/* zero discriminant */
  81. SGX_EC_COMPOSITE_ORDER, /* composite order of base point */
  82. SGX_EC_INVALID_ORDER, /* invalid base point order */
  83. SGX_EC_IS_WEAK_MOV, /* weak Meneze-Okamoto-Vanstone reduction attack */
  84. SGX_EC_IS_WEAK_SSA, /* weak Semaev-Smart,Satoh-Araki reduction attack */
  85. SGX_EC_IS_SUPER_SINGULAR, /* supersingular curve */
  86. SGX_EC_INVALID_PRIVATE_KEY, /* !(0 < Private < order) */
  87. SGX_EC_INVALID_PUBLIC_KEY, /* (order*PublicKey != Infinity) */
  88. SGX_EC_INVALID_KEY_PAIR, /* (Private*BasePoint != PublicKey) */
  89. SGX_EC_POINT_OUT_OF_GROUP, /* out of group (order*P != Infinity) */
  90. SGX_EC_POINT_IS_AT_INFINITY,/* point (P=(Px,Py)) at Infinity */
  91. SGX_EC_POINT_IS_NOT_VALID, /* point (P=(Px,Py)) out-of EC */
  92. SGX_EC_POINT_IS_EQUAL, /* compared points are equal */
  93. SGX_EC_POINT_IS_NOT_EQUAL, /* compared points are different */
  94. SGX_EC_INVALID_SIGNATURE /* invalid signature */
  95. } sgx_generic_ecresult_t;
  96. #ifdef __cplusplus
  97. extern "C" {
  98. #endif
  99. /** SHA Hashing functions - NOTE: ONLY 256-bit is supported.
  100. *
  101. * NOTE: Use sgx_sha256_msg if the src pointer contains the complete msg to perform hash (Option 1)
  102. * Else use the Init, Update, Update, ..., Final procedure (Option 2)
  103. * Option 1: If the complete dataset is available for hashing, sgx_sha256_msg
  104. * is a single API call for generating the 256bit hash for the given dataset.
  105. * Return: If source pointer or hash pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  106. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  107. * Option 2: If the hash is to be performed over multiple data sets, then use:
  108. * A. sgx_sha256_init - to create the context - context memory is allocated by this function.
  109. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  110. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  111. * B. sgx_sha256_update - updates hash based on input source data
  112. * This function should be called for each chunk of data to be
  113. * included in the hash including the 1st and final chunks.
  114. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  115. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  116. * C. sgx_sha256_get_hash - function obtains the hash value
  117. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  118. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  119. * D. sgx_sha256_close - SHOULD BE CALLED to FREE context memory
  120. * Upon completing the process of computing a hash over a set of data
  121. * or sets of data, this function is used to free the context.
  122. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  123. *
  124. * Parameters:
  125. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  126. * Inputs: uint8_t *p_src - Pointer to the input stream to be hashed
  127. * uint32_t src_len - Length of the input stream to be hashed
  128. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  129. */
  130. sgx_status_t SGXAPI sgx_sha256_msg(const uint8_t *p_src, uint32_t src_len, sgx_sha256_hash_t *p_hash);
  131. /** Allocates and initializes sha256 state
  132. *
  133. * Parameters:
  134. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  135. * Output: sgx_sha_state_handle_t *p_sha_handle - Pointer to the handle of the SHA256 state
  136. */
  137. sgx_status_t SGXAPI sgx_sha256_init(sgx_sha_state_handle_t* p_sha_handle);
  138. /** Updates sha256 has calculation based on the input message
  139. *
  140. * Parameters:
  141. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  142. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  143. * uint8_t *p_src - Pointer to the input stream to be hashed
  144. * uint32_t src_len - Length of the input stream to be hashed
  145. */
  146. sgx_status_t SGXAPI sgx_sha256_update(const uint8_t *p_src, uint32_t src_len, sgx_sha_state_handle_t sha_handle);
  147. /** Returns Hash calculation
  148. *
  149. * Parameters:
  150. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  151. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  152. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  153. */
  154. sgx_status_t SGXAPI sgx_sha256_get_hash(sgx_sha_state_handle_t sha_handle, sgx_sha256_hash_t *p_hash);
  155. /** Cleans up SHA state
  156. *
  157. * Parameters:
  158. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  159. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  160. */
  161. sgx_status_t SGXAPI sgx_sha256_close(sgx_sha_state_handle_t sha_handle);
  162. /**Rijndael AES-GCM - Only 128-bit key AES-GCM Encryption/Decryption is supported
  163. *
  164. * The Galois/Counter Mode (GCM) is a mode of operation of the AES algorithm.
  165. * GCM [NIST SP 800-38D] uses a variation of the Counter mode of operation for encryption.
  166. * GCM assures authenticity of the confidential data (of up to about 64 GB per invocation)
  167. * using a universal hash function defined over a binary finite field (the Galois field).
  168. *
  169. * GCM can also provide authentication assurance for additional data
  170. * (of practically unlimited length per invocation) that is not encrypted.
  171. * GCM provides stronger authentication assurance than a (non-cryptographic) checksum or
  172. * error detecting code. In particular, GCM can detect both accidental modifications of
  173. * the data and intentional, unauthorized modifications.
  174. *
  175. * sgx_rijndael128GCM_encrypt:
  176. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  177. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  178. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  179. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  180. * If out of enclave memory then SGX_ERROR_OUT_OF_MEMORY is returned.
  181. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  182. *
  183. * sgx_rijndael128GCM_decrypt:
  184. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  185. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  186. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  187. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  188. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  189. * If the input MAC does not match the calculated MAC, SGX_ERROR_MAC_MISMATCH is returned.
  190. *
  191. * Parameters:
  192. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  193. * Inputs: sgx_aes_gcm_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  194. * Size MUST BE 128-bits
  195. * uint8_t *p_src - Pointer to the input stream to be encrypted/decrypted
  196. * uint32_t src_len - Length of the input stream to be encrypted/decrypted
  197. * uint8_t *p_iv - Pointer to the initialization vector
  198. * uint32_t iv_len - Length of the initialization vector - MUST BE 12 (bytes)
  199. * NIST AES-GCM recommended IV size = 96 bits
  200. * uint8_t *p_aad - Pointer to the input stream of additional authentication data
  201. * uint32_t aad_len - Length of the additional authentication data stream
  202. * sgx_aes_gcm_128bit_tag_t *p_in_mac - Pointer to the expected MAC in decryption process
  203. * Output: uint8_t *p_dst - Pointer to the cipher text for encryption or clear text for decryption. Size of buffer should be >= src_len.
  204. * sgx_aes_gcm_128bit_tag_t *p_out_mac - Pointer to the MAC generated from encryption process
  205. * NOTE: Wrapper is responsible for confirming decryption tag matches encryption tag
  206. */
  207. sgx_status_t SGXAPI sgx_rijndael128GCM_encrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  208. const uint8_t *p_src,
  209. uint32_t src_len,
  210. uint8_t *p_dst,
  211. const uint8_t *p_iv,
  212. uint32_t iv_len,
  213. const uint8_t *p_aad,
  214. uint32_t aad_len,
  215. sgx_aes_gcm_128bit_tag_t *p_out_mac);
  216. sgx_status_t SGXAPI sgx_rijndael128GCM_decrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  217. const uint8_t *p_src,
  218. uint32_t src_len,
  219. uint8_t *p_dst,
  220. const uint8_t *p_iv,
  221. uint32_t iv_len,
  222. const uint8_t *p_aad,
  223. uint32_t aad_len,
  224. const sgx_aes_gcm_128bit_tag_t *p_in_mac);
  225. /** Message Authentication Rijndael 128 CMAC - Only 128-bit key size is supported.
  226. * NOTE: Use sgx_rijndael128_cmac_msg if the src ptr contains the complete msg to perform hash (Option 1)
  227. * Else use the Init, Update, Update, ..., Final, Close procedure (Option 2)
  228. * Option 1: If the complete dataset is available for hashing, sgx_rijndael128_cmac_msg
  229. * is a single API call for generating the 128-bit hash for the given dataset.
  230. * Return: If source, key, or MAC pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  231. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  232. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  233. * Option 2: If the hash is to be performed over multiple data sets, then use:
  234. * A. sgx_cmac128_init - to create the context - context memory is allocated by this function.
  235. * Return: If key pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  236. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  237. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  238. * B. sgx_cmac128_update - updates hash based on input source data
  239. * This function should be called for each chunk of data to be
  240. * included in the hash including the 1st and final chunks.
  241. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  242. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  243. * C. sgx_cmac128_final - function obtains the hash value
  244. * Upon completing the process of computing a hash over a set of data or sets of data,
  245. * this function populates the hash value.
  246. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  247. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  248. * D. sgx_cmac128_close - SHOULD BE CALLED to clean up the CMAC state
  249. * Upon populating the hash value over a set of data or sets of data,
  250. * this function is used to free the CMAC state.
  251. * Return: If CMAC state pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  252. *
  253. * Parameters:
  254. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  255. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  256. * uint8_t *p_src - Pointer to the input stream to be MAC’d
  257. * uint32_t src_len - Length of the input stream to be MAC’d
  258. * Output: sgx_cmac_gcm_128bit_tag_t *p_mac - Pointer to the resultant MAC
  259. */
  260. sgx_status_t SGXAPI sgx_rijndael128_cmac_msg(const sgx_cmac_128bit_key_t *p_key,
  261. const uint8_t *p_src,
  262. uint32_t src_len,
  263. sgx_cmac_128bit_tag_t *p_mac);
  264. /** Allocates and initializes CMAC state.
  265. *
  266. * Parameters:
  267. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  268. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  269. * Output: sgx_cmac_state_handle_t *p_cmac_handle - Pointer to the handle of the CMAC state
  270. */
  271. sgx_status_t SGXAPI sgx_cmac128_init(const sgx_cmac_128bit_key_t *p_key, sgx_cmac_state_handle_t* p_cmac_handle);
  272. /** Updates CMAC has calculation based on the input message.
  273. *
  274. * Parameters:
  275. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  276. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  277. * uint8_t *p_src - Pointer to the input stream to be hashed
  278. * uint32_t src_len - Length of the input stream to be hashed
  279. */
  280. sgx_status_t SGXAPI sgx_cmac128_update(const uint8_t *p_src, uint32_t src_len, sgx_cmac_state_handle_t cmac_handle);
  281. /** Returns Hash calculation and clean up CMAC state.
  282. *
  283. * Parameters:
  284. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  285. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  286. * Output: sgx_cmac_128bit_tag_t *p_hash - Resultant hash from operation
  287. */
  288. sgx_status_t SGXAPI sgx_cmac128_final(sgx_cmac_state_handle_t cmac_handle, sgx_cmac_128bit_tag_t *p_hash);
  289. /** Clean up the CMAC state
  290. *
  291. * Parameters:
  292. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  293. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  294. */
  295. sgx_status_t SGXAPI sgx_cmac128_close(sgx_cmac_state_handle_t cmac_handle);
  296. /** AES-CTR 128-bit - Only 128-bit key size is supported.
  297. *
  298. * These functions encrypt/decrypt the input data stream of a variable length according
  299. * to the CTR mode as specified in [NIST SP 800-38A]. The counter can be thought of as
  300. * an IV which increments on successive encryption or decrytion calls. For a given
  301. * dataset or data stream the incremented counter block should be used on successive
  302. * calls of the encryption/decryption process for that given stream. However for
  303. * new or different datasets/streams, the same counter should not be reused, instead
  304. * intialize the counter for the new data set.
  305. *
  306. * sgx_aes_ctr_encrypt
  307. * Return: If source, key, counter, or destination pointer is NULL,
  308. * SGX_ERROR_INVALID_PARAMETER is returned.
  309. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  310. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  311. * sgx_aes_ctr_decrypt
  312. * Return: If source, key, counter, or destination pointer is NULL,
  313. * SGX_ERROR_INVALID_PARAMETER is returned.
  314. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  315. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  316. *
  317. * Parameters:
  318. * Return:
  319. * sgx_status_t - SGX_SUCCESS or failure as defined
  320. * in sgx_error.h
  321. * Inputs:
  322. * sgx_aes_128bit_key_t *p_key - Pointer to the key used in
  323. * encryption/decryption operation
  324. * uint8_t *p_src - Pointer to the input stream to be
  325. * encrypted/decrypted
  326. * uint32_t src_len - Length of the input stream to be
  327. * encrypted/decrypted
  328. * uint8_t *p_ctr - Pointer to the counter block
  329. * uint32_t ctr_inc_bits - Number of bits in counter to be
  330. * incremented
  331. * Output:
  332. * uint8_t *p_dst - Pointer to the cipher text.
  333. * Size of buffer should be >= src_len.
  334. */
  335. sgx_status_t SGXAPI sgx_aes_ctr_encrypt(
  336. const sgx_aes_ctr_128bit_key_t *p_key,
  337. const uint8_t *p_src,
  338. const uint32_t src_len,
  339. uint8_t *p_ctr,
  340. const uint32_t ctr_inc_bits,
  341. uint8_t *p_dst);
  342. sgx_status_t SGXAPI sgx_aes_ctr_decrypt(
  343. const sgx_aes_ctr_128bit_key_t *p_key,
  344. const uint8_t *p_src,
  345. const uint32_t src_len,
  346. uint8_t *p_ctr,
  347. const uint32_t ctr_inc_bits,
  348. uint8_t *p_dst);
  349. /**
  350. * Elliptic Curve Cryptography based on GF(p), 256 bit.
  351. *
  352. * Elliptic curve cryptosystems (ECCs) implement a different way of creating public keys.
  353. * Because elliptic curve calculation is based on the addition of the rational points in
  354. * the (x,y) plane and it is difficult to solve a discrete logarithm from these points,
  355. * a higher level of security is achieved through the cryptographic schemes that use the
  356. * elliptic curves. The cryptographic systems that encrypt messages by using the properties
  357. * of elliptic curves are hard to attack due to the extreme complexity of deciphering the
  358. * private key.
  359. *
  360. * Use of elliptic curves allows for shorter public key length and encourage cryptographers
  361. * to create cryptosystems with the same or higher encryption strength as the RSA or DSA
  362. * cryptosystems. Because of the relatively short key length, ECCs do encryption and decryption
  363. * faster on the hardware that requires less computation processing volumes. For example, with
  364. * a key length of 150-350 bits, ECCs provide the same encryption strength as the cryptosystems
  365. * who have to use 600 -1400 bits.
  366. *
  367. * ECCP stands for Elliptic Curve Cryptography Prime and these functions include operations
  368. * over a prime finite field GF(p).
  369. *
  370. */
  371. /** Allocates and initializes ecc context.
  372. * The function initializes the context of the elliptic curve cryptosystem over the
  373. * prime finite field GF(p). This function allocates and initializes the ecc context.
  374. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  375. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  376. * Parameters:
  377. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  378. * Output: sgx_ecc_state_handle_t *p_ecc_handle - Pointer to the handle of the ECC crypto system
  379. */
  380. sgx_status_t SGXAPI sgx_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle);
  381. /** Cleans up ecc context.
  382. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  383. * Parameters:
  384. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  385. * Output: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  386. */
  387. sgx_status_t SGXAPI sgx_ecc256_close_context(sgx_ecc_state_handle_t ecc_handle);
  388. /** Populates private/public key pair.
  389. * NOTE: Caller code allocates memory for Private & Public key pointers to be populated
  390. *
  391. * The function generates a private key p_private and computes a public key p_public of the
  392. * elliptic cryptosystem over a finite field GF(p).
  393. *
  394. * The private key p_private is a number that lies in the range of [1, n-1] where n is
  395. * the order of the elliptic curve base point.
  396. *
  397. * The public key p_public is an elliptic curve point such that p_public = p_private ?G,
  398. * where G is the base point of the elliptic curve.
  399. *
  400. * The context of the point p_public as an elliptic curve point must be created by using
  401. * the function sgx_ecc256_open_context.
  402. *
  403. * Return: If context, public key, or private key pointer is NULL,
  404. * SGX_ERROR_INVALID_PARAMETER is returned.
  405. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  406. * Parameters:
  407. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  408. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  409. * Outputs: sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  410. * sgx_ec256_public_t *p_public - Pointer to the public key - LITTLE ENDIAN
  411. */
  412. sgx_status_t SGXAPI sgx_ecc256_create_key_pair(sgx_ec256_private_t *p_private,
  413. sgx_ec256_public_t *p_public,
  414. sgx_ecc_state_handle_t ecc_handle);
  415. /** Checks whether the input point is a valid point on the given elliptic curve.
  416. * Parameters:
  417. * Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h
  418. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system
  419. * sgx_ec256_public_t *p_point - Pointer to perform validity check on - LITTLE ENDIAN
  420. * Output: int *p_valid - Return 0 if the point is an invalid point on ECC curve
  421. */
  422. sgx_status_t SGXAPI sgx_ecc256_check_point(const sgx_ec256_public_t *p_point,
  423. const sgx_ecc_state_handle_t ecc_handle,
  424. int *p_valid);
  425. /** Computes DH shared key based on own (local) private key and remote public Ga Key.
  426. * NOTE: Caller code allocates memory for Shared key pointer to be populated
  427. *
  428. * The function computes a secret number bnShare, which is a secret key shared between
  429. * two participants of the cryptosystem.
  430. *
  431. * In cryptography, metasyntactic names such as Alice as Bob are normally used as examples
  432. * and in discussions and stand for participant A and participant B.
  433. *
  434. * Both participants (Alice and Bob) use the cryptosystem for receiving a common secret point
  435. * on the elliptic curve called a secret key. To receive a secret key, participants apply the
  436. * Diffie-Hellman key-agreement scheme involving public key exchange. The value of the secret
  437. * key entirely depends on participants.
  438. *
  439. * According to the scheme, Alice and Bob perform the following operations:
  440. * 1. Alice calculates her own public key pubKeyA by using her private key
  441. * privKeyA: pubKeyA = privKeyA ?G, where G is the base point of the elliptic curve.
  442. * 2. Alice passes the public key to Bob.
  443. * 3. Bob calculates his own public key pubKeyB by using his private key
  444. * privKeyB: pubKeyB = privKeyB ?G, where G is a base point of the elliptic curve.
  445. * 4. Bob passes the public key to Alice.
  446. * 5. Alice gets Bob's public key and calculates the secret point shareA. When calculating,
  447. * she uses her own private key and Bob's public key and applies the following formula:
  448. * shareA = privKeyA ?pubKeyB = privKeyA ?privKeyB ?G.
  449. * 6. Bob gets Alice's public key and calculates the secret point shareB. When calculating,
  450. * he uses his own private key and Alice's public key and applies the following formula:
  451. * shareB = privKeyB ?pubKeyA = privKeyB ?privKeyA ?G.
  452. *
  453. * Because the following equation is true privKeyA ?privKeyB ?G = privKeyB ?privKeyA ?G,
  454. * the result of both calculations is the same, that is, the equation shareA = shareB is true.
  455. * The secret point serves as a secret key.
  456. *
  457. * Shared secret bnShare is an x-coordinate of the secret point on the elliptic curve. The elliptic
  458. * curve domain parameters must be hitherto defined by the function: sgx_ecc256_open_context.
  459. *
  460. * Return: If context, public key, private key, or shared key pointer is NULL,
  461. * SGX_ERROR_INVALID_PARAMETER is returned.
  462. * If the remote public key is not a valid point on the elliptic curve,
  463. * SGX_ERROR_INVALID_PARAMETER is returned.
  464. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  465. *
  466. * Parameters:
  467. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  468. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  469. * sgx_ec256_private_t *p_private_b - Pointer to the local private key - LITTLE ENDIAN
  470. * sgx_ec256_public_t *p_public_ga - Pointer to the remote public key - LITTLE ENDIAN
  471. * Output: sgx_ec256_dh_shared_t *p_shared_key - Pointer to the shared DH key - LITTLE ENDIAN
  472. */
  473. sgx_status_t SGXAPI sgx_ecc256_compute_shared_dhkey(sgx_ec256_private_t *p_private_b,
  474. sgx_ec256_public_t *p_public_ga,
  475. sgx_ec256_dh_shared_t *p_shared_key,
  476. sgx_ecc_state_handle_t ecc_handle);
  477. /** Computes signature for data based on private key.
  478. *
  479. * A message digest is a fixed size number derived from the original message with
  480. * an applied hash function over the binary code of the message. (SHA256 in this case)
  481. * The signer's private key and the message digest are used to create a signature.
  482. *
  483. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  484. * which the given function computes.
  485. *
  486. * The scheme used for computing a digital signature is of the ECDSA scheme,
  487. * an elliptic curve of the DSA scheme.
  488. *
  489. * The keys can be generated and set up by the function: sgx_ecc256_create_key_pair.
  490. *
  491. * The elliptic curve domain parameters must be created by function:
  492. * sgx_ecc256_open_context
  493. *
  494. * Return: If context, private key, signature or data pointer is NULL,
  495. * SGX_ERROR_INVALID_PARAMETER is returned.
  496. * If the signature creation process fails then SGX_ERROR_UNEXPECTED is returned.
  497. *
  498. * Parameters:
  499. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  500. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  501. * sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  502. * uint8_t *p_data - Pointer to the data to be signed
  503. * uint32_t data_size - Size of the data to be signed
  504. * Output: ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN
  505. */
  506. sgx_status_t SGXAPI sgx_ecdsa_sign(const uint8_t *p_data,
  507. uint32_t data_size,
  508. sgx_ec256_private_t *p_private,
  509. sgx_ec256_signature_t *p_signature,
  510. sgx_ecc_state_handle_t ecc_handle);
  511. /** Verifies the signature for the given data based on the public key.
  512. *
  513. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  514. * which could be created by function: sgx_ecdsa_sign. The scheme used for computing a
  515. * digital signature is of the ECDSA scheme, an elliptic curve of the DSA scheme.
  516. *
  517. * The typical result of the digital signature verification is one of the two values:
  518. * SGX_Generic_ECValid - Digital signature is valid
  519. * SGX_Generic_ECInvalidSignature - Digital signature is not valid
  520. *
  521. * The elliptic curve domain parameters must be created by function:
  522. * sgx_ecc256_open_context
  523. *
  524. * Return: If context, public key, signature, result or data pointer is NULL,
  525. * SGX_ERROR_INVALID_PARAMETER is returned.
  526. * If the verification process fails then SGX_ERROR_UNEXPECTED is returned.
  527. * Parameters:
  528. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  529. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  530. * sgx_ec256_public_t *p_public - Pointer to the public key
  531. * uint8_t *p_data - Pointer to the data to be signed
  532. * uint32_t data_size - Size of the data to be signed
  533. * sgx_ec256_signature_t *p_signature - Pointer to the signature
  534. * Output: uint8_t *p_result - Pointer to the result of verification check
  535. */
  536. sgx_status_t SGXAPI sgx_ecdsa_verify(const uint8_t *p_data,
  537. uint32_t data_size,
  538. const sgx_ec256_public_t *p_public,
  539. sgx_ec256_signature_t *p_signature,
  540. uint8_t *p_result,
  541. sgx_ecc_state_handle_t ecc_handle);
  542. #ifdef __cplusplus
  543. }
  544. #endif
  545. #endif