sgx_tcrypto.h 42 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. /**
  32. * File: sgx_tcrypto.h
  33. * Description:
  34. * Interface for generic crypto library APIs required in SDK implementation.
  35. */
  36. #ifndef _SGX_TCRYPTO_H_
  37. #define _SGX_TCRYPTO_H_
  38. #include "sgx.h"
  39. #include "sgx_defs.h"
  40. #include "stdlib.h"
  41. #define SGX_SHA256_HASH_SIZE 32
  42. #define SGX_ECP256_KEY_SIZE 32
  43. #define SGX_NISTP_ECP256_KEY_SIZE (SGX_ECP256_KEY_SIZE/sizeof(uint32_t))
  44. #define SGX_AESGCM_IV_SIZE 12
  45. #define SGX_AESGCM_KEY_SIZE 16
  46. #define SGX_AESGCM_MAC_SIZE 16
  47. #define SGX_CMAC_KEY_SIZE 16
  48. #define SGX_CMAC_MAC_SIZE 16
  49. #define SGX_AESCTR_KEY_SIZE 16
  50. #define SGX_RSA3072_KEY_SIZE 384
  51. #define SGX_RSA3072_PRI_EXP_SIZE 384
  52. #define SGX_RSA3072_PUB_EXP_SIZE 4
  53. typedef struct _sgx_ec256_dh_shared_t
  54. {
  55. uint8_t s[SGX_ECP256_KEY_SIZE];
  56. } sgx_ec256_dh_shared_t;
  57. typedef struct _sgx_ec256_private_t
  58. {
  59. uint8_t r[SGX_ECP256_KEY_SIZE];
  60. } sgx_ec256_private_t;
  61. typedef struct _sgx_ec256_public_t
  62. {
  63. uint8_t gx[SGX_ECP256_KEY_SIZE];
  64. uint8_t gy[SGX_ECP256_KEY_SIZE];
  65. } sgx_ec256_public_t;
  66. typedef struct _sgx_ec256_signature_t
  67. {
  68. uint32_t x[SGX_NISTP_ECP256_KEY_SIZE];
  69. uint32_t y[SGX_NISTP_ECP256_KEY_SIZE];
  70. } sgx_ec256_signature_t;
  71. typedef struct _sgx_rsa3072_public_key_t
  72. {
  73. uint8_t mod[SGX_RSA3072_KEY_SIZE];
  74. uint8_t exp[SGX_RSA3072_PUB_EXP_SIZE];
  75. } sgx_rsa3072_public_key_t;
  76. typedef struct _sgx_rsa3072_key_t
  77. {
  78. uint8_t mod[SGX_RSA3072_KEY_SIZE];
  79. uint8_t d[SGX_RSA3072_PRI_EXP_SIZE];
  80. uint8_t e[SGX_RSA3072_PUB_EXP_SIZE];
  81. } sgx_rsa3072_key_t;
  82. typedef uint8_t sgx_rsa3072_signature_t[SGX_RSA3072_KEY_SIZE];
  83. typedef void* sgx_sha_state_handle_t;
  84. typedef void* sgx_cmac_state_handle_t;
  85. typedef void* sgx_ecc_state_handle_t;
  86. typedef uint8_t sgx_sha256_hash_t[SGX_SHA256_HASH_SIZE];
  87. typedef uint8_t sgx_aes_gcm_128bit_key_t[SGX_AESGCM_KEY_SIZE];
  88. typedef uint8_t sgx_aes_gcm_128bit_tag_t[SGX_AESGCM_MAC_SIZE];
  89. typedef uint8_t sgx_cmac_128bit_key_t[SGX_CMAC_KEY_SIZE];
  90. typedef uint8_t sgx_cmac_128bit_tag_t[SGX_CMAC_MAC_SIZE];
  91. typedef uint8_t sgx_aes_ctr_128bit_key_t[SGX_AESCTR_KEY_SIZE];
  92. typedef enum {
  93. SGX_EC_VALID, /* validation pass successfully */
  94. SGX_EC_COMPOSITE_BASE, /* field based on composite */
  95. SGX_EC_COMPLICATED_BASE, /* number of non-zero terms in the polynomial (> PRIME_ARR_MAX) */
  96. SGX_EC_IS_ZERO_DISCRIMINANT,/* zero discriminant */
  97. SGX_EC_COMPOSITE_ORDER, /* composite order of base point */
  98. SGX_EC_INVALID_ORDER, /* invalid base point order */
  99. SGX_EC_IS_WEAK_MOV, /* weak Meneze-Okamoto-Vanstone reduction attack */
  100. SGX_EC_IS_WEAK_SSA, /* weak Semaev-Smart,Satoh-Araki reduction attack */
  101. SGX_EC_IS_SUPER_SINGULAR, /* supersingular curve */
  102. SGX_EC_INVALID_PRIVATE_KEY, /* !(0 < Private < order) */
  103. SGX_EC_INVALID_PUBLIC_KEY, /* (order*PublicKey != Infinity) */
  104. SGX_EC_INVALID_KEY_PAIR, /* (Private*BasePoint != PublicKey) */
  105. SGX_EC_POINT_OUT_OF_GROUP, /* out of group (order*P != Infinity) */
  106. SGX_EC_POINT_IS_AT_INFINITY,/* point (P=(Px,Py)) at Infinity */
  107. SGX_EC_POINT_IS_NOT_VALID, /* point (P=(Px,Py)) out-of EC */
  108. SGX_EC_POINT_IS_EQUAL, /* compared points are equal */
  109. SGX_EC_POINT_IS_NOT_EQUAL, /* compared points are different */
  110. SGX_EC_INVALID_SIGNATURE /* invalid signature */
  111. } sgx_generic_ecresult_t;
  112. typedef enum {
  113. SGX_RSA_VALID, /* validation pass successfully */
  114. SGX_RSA_INVALID_SIGNATURE /* invalid signature */
  115. } sgx_rsa_result_t;
  116. typedef enum {
  117. SGX_RSA_PRIVATE_KEY, /* RSA private key state */
  118. SGX_RSA_PUBLIC_KEY /* RSA public key state */
  119. } sgx_rsa_key_type_t;
  120. #define N_SIZE_IN_BYTES 384
  121. #define E_SIZE_IN_BYTES 4
  122. #define D_SIZE_IN_BYTES 384
  123. #define P_SIZE_IN_BYTES 192
  124. #define Q_SIZE_IN_BYTES 192
  125. #define DMP1_SIZE_IN_BYTES 192
  126. #define DMQ1_SIZE_IN_BYTES 192
  127. #define IQMP_SIZE_IN_BYTES 192
  128. #define N_SIZE_IN_UINT N_SIZE_IN_BYTES/sizeof(unsigned int)
  129. #define E_SIZE_IN_UINT E_SIZE_IN_BYTES/sizeof(unsigned int)
  130. #define D_SIZE_IN_UINT D_SIZE_IN_BYTES/sizeof(unsigned int)
  131. #define P_SIZE_IN_UINT P_SIZE_IN_BYTES/sizeof(unsigned int)
  132. #define Q_SIZE_IN_UINT Q_SIZE_IN_BYTES/sizeof(unsigned int)
  133. #define DMP1_SIZE_IN_UINT DMP1_SIZE_IN_BYTES/sizeof(unsigned int)
  134. #define DMQ1_SIZE_IN_UINT DMQ1_SIZE_IN_BYTES/sizeof(unsigned int)
  135. #define IQMP_SIZE_IN_UINT IQMP_SIZE_IN_BYTES/sizeof(unsigned int)
  136. typedef struct _rsa_params_t {
  137. unsigned int n[N_SIZE_IN_UINT];
  138. unsigned int e[E_SIZE_IN_UINT];
  139. unsigned int d[D_SIZE_IN_UINT];
  140. unsigned int p[P_SIZE_IN_UINT];
  141. unsigned int q[Q_SIZE_IN_UINT];
  142. unsigned int dmp1[DMP1_SIZE_IN_UINT];
  143. unsigned int dmq1[DMQ1_SIZE_IN_UINT];
  144. unsigned int iqmp[IQMP_SIZE_IN_UINT];
  145. }rsa_params_t;
  146. #ifdef __cplusplus
  147. extern "C" {
  148. #endif
  149. /** SHA Hashing functions - NOTE: ONLY 256-bit is supported.
  150. *
  151. * NOTE: Use sgx_sha256_msg if the src pointer contains the complete msg to perform hash (Option 1)
  152. * Else use the Init, Update, Update, ..., Final procedure (Option 2)
  153. * Option 1: If the complete dataset is available for hashing, sgx_sha256_msg
  154. * is a single API call for generating the 256bit hash for the given dataset.
  155. * Return: If source pointer or hash pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  156. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  157. * Option 2: If the hash is to be performed over multiple data sets, then use:
  158. * A. sgx_sha256_init - to create the context - context memory is allocated by this function.
  159. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  160. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  161. * B. sgx_sha256_update - updates hash based on input source data
  162. * This function should be called for each chunk of data to be
  163. * included in the hash including the 1st and final chunks.
  164. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  165. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  166. * C. sgx_sha256_get_hash - function obtains the hash value
  167. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  168. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  169. * D. sgx_sha256_close - SHOULD BE CALLED to FREE context memory
  170. * Upon completing the process of computing a hash over a set of data
  171. * or sets of data, this function is used to free the context.
  172. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  173. *
  174. * Parameters:
  175. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  176. * Inputs: uint8_t *p_src - Pointer to the input stream to be hashed
  177. * uint32_t src_len - Length of the input stream to be hashed
  178. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  179. */
  180. sgx_status_t SGXAPI sgx_sha256_msg(const uint8_t *p_src, uint32_t src_len, sgx_sha256_hash_t *p_hash);
  181. /** Allocates and initializes sha256 state
  182. *
  183. * Parameters:
  184. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  185. * Output: sgx_sha_state_handle_t *p_sha_handle - Pointer to the handle of the SHA256 state
  186. */
  187. sgx_status_t SGXAPI sgx_sha256_init(sgx_sha_state_handle_t* p_sha_handle);
  188. /** Updates sha256 has calculation based on the input message
  189. *
  190. * Parameters:
  191. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  192. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  193. * uint8_t *p_src - Pointer to the input stream to be hashed
  194. * uint32_t src_len - Length of the input stream to be hashed
  195. */
  196. sgx_status_t SGXAPI sgx_sha256_update(const uint8_t *p_src, uint32_t src_len, sgx_sha_state_handle_t sha_handle);
  197. /** Returns Hash calculation
  198. *
  199. * Parameters:
  200. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  201. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  202. * Output: sgx_sha256_hash_t *p_hash - Resultant hash from operation
  203. */
  204. sgx_status_t SGXAPI sgx_sha256_get_hash(sgx_sha_state_handle_t sha_handle, sgx_sha256_hash_t *p_hash);
  205. /** Cleans up SHA state
  206. *
  207. * Parameters:
  208. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  209. * Input: sgx_sha_state_handle_t sha_handle - Handle to the SHA256 state
  210. */
  211. sgx_status_t SGXAPI sgx_sha256_close(sgx_sha_state_handle_t sha_handle);
  212. /**Rijndael AES-GCM - Only 128-bit key AES-GCM Encryption/Decryption is supported
  213. *
  214. * The Galois/Counter Mode (GCM) is a mode of operation of the AES algorithm.
  215. * GCM [NIST SP 800-38D] uses a variation of the Counter mode of operation for encryption.
  216. * GCM assures authenticity of the confidential data (of up to about 64 GB per invocation)
  217. * using a universal hash function defined over a binary finite field (the Galois field).
  218. *
  219. * GCM can also provide authentication assurance for additional data
  220. * (of practically unlimited length per invocation) that is not encrypted.
  221. * GCM provides stronger authentication assurance than a (non-cryptographic) checksum or
  222. * error detecting code. In particular, GCM can detect both accidental modifications of
  223. * the data and intentional, unauthorized modifications.
  224. *
  225. * sgx_rijndael128GCM_encrypt:
  226. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  227. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  228. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  229. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  230. * If out of enclave memory then SGX_ERROR_OUT_OF_MEMORY is returned.
  231. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  232. *
  233. * sgx_rijndael128GCM_decrypt:
  234. * Return: If key, source, destination, MAC, or IV pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  235. * If AAD size is > 0 and the AAD pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  236. * If the Source Length is < 1, SGX_ERROR_INVALID_PARAMETER is returned.
  237. * IV Length must = 12 (bytes) or SGX_ERROR_INVALID_PARAMETER is returned.
  238. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  239. * If the input MAC does not match the calculated MAC, SGX_ERROR_MAC_MISMATCH is returned.
  240. *
  241. * Parameters:
  242. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  243. * Inputs: sgx_aes_gcm_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  244. * Size MUST BE 128-bits
  245. * uint8_t *p_src - Pointer to the input stream to be encrypted/decrypted
  246. * uint32_t src_len - Length of the input stream to be encrypted/decrypted
  247. * uint8_t *p_iv - Pointer to the initialization vector
  248. * uint32_t iv_len - Length of the initialization vector - MUST BE 12 (bytes)
  249. * NIST AES-GCM recommended IV size = 96 bits
  250. * uint8_t *p_aad - Pointer to the input stream of additional authentication data
  251. * uint32_t aad_len - Length of the additional authentication data stream
  252. * sgx_aes_gcm_128bit_tag_t *p_in_mac - Pointer to the expected MAC in decryption process
  253. * Output: uint8_t *p_dst - Pointer to the cipher text for encryption or clear text for decryption. Size of buffer should be >= src_len.
  254. * sgx_aes_gcm_128bit_tag_t *p_out_mac - Pointer to the MAC generated from encryption process
  255. * NOTE: Wrapper is responsible for confirming decryption tag matches encryption tag
  256. */
  257. sgx_status_t SGXAPI sgx_rijndael128GCM_encrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  258. const uint8_t *p_src,
  259. uint32_t src_len,
  260. uint8_t *p_dst,
  261. const uint8_t *p_iv,
  262. uint32_t iv_len,
  263. const uint8_t *p_aad,
  264. uint32_t aad_len,
  265. sgx_aes_gcm_128bit_tag_t *p_out_mac);
  266. sgx_status_t SGXAPI sgx_rijndael128GCM_decrypt(const sgx_aes_gcm_128bit_key_t *p_key,
  267. const uint8_t *p_src,
  268. uint32_t src_len,
  269. uint8_t *p_dst,
  270. const uint8_t *p_iv,
  271. uint32_t iv_len,
  272. const uint8_t *p_aad,
  273. uint32_t aad_len,
  274. const sgx_aes_gcm_128bit_tag_t *p_in_mac);
  275. /** Message Authentication Rijndael 128 CMAC - Only 128-bit key size is supported.
  276. * NOTE: Use sgx_rijndael128_cmac_msg if the src ptr contains the complete msg to perform hash (Option 1)
  277. * Else use the Init, Update, Update, ..., Final, Close procedure (Option 2)
  278. * Option 1: If the complete dataset is available for hashing, sgx_rijndael128_cmac_msg
  279. * is a single API call for generating the 128-bit hash for the given dataset.
  280. * Return: If source, key, or MAC pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  281. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  282. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  283. * Option 2: If the hash is to be performed over multiple data sets, then use:
  284. * A. sgx_cmac128_init - to create the context - context memory is allocated by this function.
  285. * Return: If key pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  286. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  287. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  288. * B. sgx_cmac128_update - updates hash based on input source data
  289. * This function should be called for each chunk of data to be
  290. * included in the hash including the 1st and final chunks.
  291. * Return: If source pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  292. * If hash function fails then SGX_ERROR_UNEXPECTED is returned.
  293. * C. sgx_cmac128_final - function obtains the hash value
  294. * Upon completing the process of computing a hash over a set of data or sets of data,
  295. * this function populates the hash value.
  296. * Return: If hash pointer or context pointer are NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  297. * If the function fails then SGX_ERROR_UNEXPECTED is returned.
  298. * D. sgx_cmac128_close - SHOULD BE CALLED to clean up the CMAC state
  299. * Upon populating the hash value over a set of data or sets of data,
  300. * this function is used to free the CMAC state.
  301. * Return: If CMAC state pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  302. *
  303. * Parameters:
  304. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  305. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  306. * uint8_t *p_src - Pointer to the input stream to be MAC'd
  307. * uint32_t src_len - Length of the input stream to be MAC'd
  308. * Output: sgx_cmac_gcm_128bit_tag_t *p_mac - Pointer to the resultant MAC
  309. */
  310. sgx_status_t SGXAPI sgx_rijndael128_cmac_msg(const sgx_cmac_128bit_key_t *p_key,
  311. const uint8_t *p_src,
  312. uint32_t src_len,
  313. sgx_cmac_128bit_tag_t *p_mac);
  314. /** Allocates and initializes CMAC state.
  315. *
  316. * Parameters:
  317. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  318. * Inputs: sgx_cmac_128bit_key_t *p_key - Pointer to the key used in encryption/decryption operation
  319. * Output: sgx_cmac_state_handle_t *p_cmac_handle - Pointer to the handle of the CMAC state
  320. */
  321. sgx_status_t SGXAPI sgx_cmac128_init(const sgx_cmac_128bit_key_t *p_key, sgx_cmac_state_handle_t* p_cmac_handle);
  322. /** Updates CMAC has calculation based on the input message.
  323. *
  324. * Parameters:
  325. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  326. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  327. * uint8_t *p_src - Pointer to the input stream to be hashed
  328. * uint32_t src_len - Length of the input stream to be hashed
  329. */
  330. sgx_status_t SGXAPI sgx_cmac128_update(const uint8_t *p_src, uint32_t src_len, sgx_cmac_state_handle_t cmac_handle);
  331. /** Returns Hash calculation and clean up CMAC state.
  332. *
  333. * Parameters:
  334. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  335. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  336. * Output: sgx_cmac_128bit_tag_t *p_hash - Resultant hash from operation
  337. */
  338. sgx_status_t SGXAPI sgx_cmac128_final(sgx_cmac_state_handle_t cmac_handle, sgx_cmac_128bit_tag_t *p_hash);
  339. /** Clean up the CMAC state
  340. *
  341. * Parameters:
  342. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  343. * Input: sgx_cmac_state_handle_t cmac_handle - Handle to the CMAC state
  344. */
  345. sgx_status_t SGXAPI sgx_cmac128_close(sgx_cmac_state_handle_t cmac_handle);
  346. /** AES-CTR 128-bit - Only 128-bit key size is supported.
  347. *
  348. * These functions encrypt/decrypt the input data stream of a variable length according
  349. * to the CTR mode as specified in [NIST SP 800-38A]. The counter can be thought of as
  350. * an IV which increments on successive encryption or decryption calls. For a given
  351. * dataset or data stream the incremented counter block should be used on successive
  352. * calls of the encryption/decryption process for that given stream. However for
  353. * new or different datasets/streams, the same counter should not be reused, instead
  354. * intialize the counter for the new data set.
  355. * Note: SGXSSL based version doesn't support user given ctr_inc_bits. It use OpenSSL's implementation
  356. * which divide the counter block into two parts ([IV][counter])
  357. *
  358. * sgx_aes_ctr_encrypt
  359. * Return: If source, key, counter, or destination pointer is NULL,
  360. * SGX_ERROR_INVALID_PARAMETER is returned.
  361. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  362. * If the encryption process fails then SGX_ERROR_UNEXPECTED is returned.
  363. * sgx_aes_ctr_decrypt
  364. * Return: If source, key, counter, or destination pointer is NULL,
  365. * SGX_ERROR_INVALID_PARAMETER is returned.
  366. * If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  367. * If the decryption process fails then SGX_ERROR_UNEXPECTED is returned.
  368. *
  369. * Parameters:
  370. * Return:
  371. * sgx_status_t - SGX_SUCCESS or failure as defined
  372. * in sgx_error.h
  373. * Inputs:
  374. * sgx_aes_128bit_key_t *p_key - Pointer to the key used in
  375. * encryption/decryption operation
  376. * uint8_t *p_src - Pointer to the input stream to be
  377. * encrypted/decrypted
  378. * uint32_t src_len - Length of the input stream to be
  379. * encrypted/decrypted
  380. * uint8_t *p_ctr - Pointer to the counter block
  381. * uint32_t ctr_inc_bits - Number of bits in counter to be
  382. * incremented
  383. * Output:
  384. * uint8_t *p_dst - Pointer to the cipher text.
  385. * Size of buffer should be >= src_len.
  386. */
  387. sgx_status_t SGXAPI sgx_aes_ctr_encrypt(
  388. const sgx_aes_ctr_128bit_key_t *p_key,
  389. const uint8_t *p_src,
  390. const uint32_t src_len,
  391. uint8_t *p_ctr,
  392. const uint32_t ctr_inc_bits,
  393. uint8_t *p_dst);
  394. sgx_status_t SGXAPI sgx_aes_ctr_decrypt(
  395. const sgx_aes_ctr_128bit_key_t *p_key,
  396. const uint8_t *p_src,
  397. const uint32_t src_len,
  398. uint8_t *p_ctr,
  399. const uint32_t ctr_inc_bits,
  400. uint8_t *p_dst);
  401. /**
  402. * Elliptic Curve Cryptography based on GF(p), 256 bit.
  403. *
  404. * Elliptic curve cryptosystems (ECCs) implement a different way of creating public keys.
  405. * Because elliptic curve calculation is based on the addition of the rational points in
  406. * the (x,y) plane and it is difficult to solve a discrete logarithm from these points,
  407. * a higher level of security is achieved through the cryptographic schemes that use the
  408. * elliptic curves. The cryptographic systems that encrypt messages by using the properties
  409. * of elliptic curves are hard to attack due to the extreme complexity of deciphering the
  410. * private key.
  411. *
  412. * Use of elliptic curves allows for shorter public key length and encourage cryptographers
  413. * to create cryptosystems with the same or higher encryption strength as the RSA or DSA
  414. * cryptosystems. Because of the relatively short key length, ECCs do encryption and decryption
  415. * faster on the hardware that requires less computation processing volumes. For example, with
  416. * a key length of 150-350 bits, ECCs provide the same encryption strength as the cryptosystems
  417. * who have to use 600 -1400 bits.
  418. *
  419. * ECCP stands for Elliptic Curve Cryptography Prime and these functions include operations
  420. * over a prime finite field GF(p).
  421. *
  422. */
  423. /** Allocates and initializes ecc context.
  424. * The function initializes the context of the elliptic curve cryptosystem over the
  425. * prime finite field GF(p). This function allocates and initializes the ecc context.
  426. * Return: If out of enclave memory, SGX_ERROR_OUT_OF_MEMORY is returned.
  427. * If context creation fails then SGX_ERROR_UNEXPECTED is returned.
  428. * Parameters:
  429. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  430. * Output: sgx_ecc_state_handle_t *p_ecc_handle - Pointer to the handle of the ECC crypto system
  431. */
  432. sgx_status_t SGXAPI sgx_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle);
  433. /** Cleans up ecc context.
  434. * Return: If context pointer is NULL, SGX_ERROR_INVALID_PARAMETER is returned.
  435. * Parameters:
  436. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  437. * Output: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  438. */
  439. sgx_status_t SGXAPI sgx_ecc256_close_context(sgx_ecc_state_handle_t ecc_handle);
  440. /** Populates private/public key pair.
  441. * NOTE: Caller code allocates memory for Private & Public key pointers to be populated
  442. *
  443. * The function generates a private key p_private and computes a public key p_public of the
  444. * elliptic cryptosystem over a finite field GF(p).
  445. *
  446. * The private key p_private is a number that lies in the range of [1, n-1] where n is
  447. * the order of the elliptic curve base point.
  448. *
  449. * The public key p_public is an elliptic curve point such that p_public = p_private *G,
  450. * where G is the base point of the elliptic curve.
  451. *
  452. * The context of the point p_public as an elliptic curve point must be created by using
  453. * the function sgx_ecc256_open_context.
  454. *
  455. * Return: If context, public key, or private key pointer is NULL,
  456. * SGX_ERROR_INVALID_PARAMETER is returned.
  457. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  458. * Parameters:
  459. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  460. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  461. * Outputs: sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  462. * sgx_ec256_public_t *p_public - Pointer to the public key - LITTLE ENDIAN
  463. */
  464. sgx_status_t SGXAPI sgx_ecc256_create_key_pair(sgx_ec256_private_t *p_private,
  465. sgx_ec256_public_t *p_public,
  466. sgx_ecc_state_handle_t ecc_handle);
  467. /** Checks whether the input point is a valid point on the given elliptic curve.
  468. * Parameters:
  469. * Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h
  470. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system
  471. * sgx_ec256_public_t *p_point - Pointer to perform validity check on - LITTLE ENDIAN
  472. * Output: int *p_valid - Return 0 if the point is an invalid point on ECC curve
  473. */
  474. sgx_status_t SGXAPI sgx_ecc256_check_point(const sgx_ec256_public_t *p_point,
  475. const sgx_ecc_state_handle_t ecc_handle,
  476. int *p_valid);
  477. /** Computes DH shared key based on own (local) private key and remote public Ga Key.
  478. * NOTE: Caller code allocates memory for Shared key pointer to be populated
  479. *
  480. * The function computes a secret number bnShare, which is a secret key shared between
  481. * two participants of the cryptosystem.
  482. *
  483. * In cryptography, metasyntactic names such as Alice as Bob are normally used as examples
  484. * and in discussions and stand for participant A and participant B.
  485. *
  486. * Both participants (Alice and Bob) use the cryptosystem for receiving a common secret point
  487. * on the elliptic curve called a secret key. To receive a secret key, participants apply the
  488. * Diffie-Hellman key-agreement scheme involving public key exchange. The value of the secret
  489. * key entirely depends on participants.
  490. *
  491. * According to the scheme, Alice and Bob perform the following operations:
  492. * 1. Alice calculates her own public key pubKeyA by using her private key
  493. * privKeyA: pubKeyA = privKeyA *G, where G is the base point of the elliptic curve.
  494. * 2. Alice passes the public key to Bob.
  495. * 3. Bob calculates his own public key pubKeyB by using his private key
  496. * privKeyB: pubKeyB = privKeyB *G, where G is a base point of the elliptic curve.
  497. * 4. Bob passes the public key to Alice.
  498. * 5. Alice gets Bob's public key and calculates the secret point shareA. When calculating,
  499. * she uses her own private key and Bob's public key and applies the following formula:
  500. * shareA = privKeyA *pubKeyB = privKeyA *privKeyB *G.
  501. * 6. Bob gets Alice's public key and calculates the secret point shareB. When calculating,
  502. * he uses his own private key and Alice's public key and applies the following formula:
  503. * shareB = privKeyB *pubKeyA = privKeyB *privKeyA *G.
  504. *
  505. * Because the following equation is true privKeyA *privKeyB *G = privKeyB *privKeyA *G,
  506. * the result of both calculations is the same, that is, the equation shareA = shareB is true.
  507. * The secret point serves as a secret key.
  508. *
  509. * Shared secret bnShare is an x-coordinate of the secret point on the elliptic curve. The elliptic
  510. * curve domain parameters must be hitherto defined by the function: sgx_ecc256_open_context.
  511. *
  512. * Return: If context, public key, private key, or shared key pointer is NULL,
  513. * SGX_ERROR_INVALID_PARAMETER is returned.
  514. * If the remote public key is not a valid point on the elliptic curve,
  515. * SGX_ERROR_INVALID_PARAMETER is returned.
  516. * If the key creation process fails then SGX_ERROR_UNEXPECTED is returned.
  517. *
  518. * Parameters:
  519. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  520. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  521. * sgx_ec256_private_t *p_private_b - Pointer to the local private key - LITTLE ENDIAN
  522. * sgx_ec256_public_t *p_public_ga - Pointer to the remote public key - LITTLE ENDIAN
  523. * Output: sgx_ec256_dh_shared_t *p_shared_key - Pointer to the shared DH key - LITTLE ENDIAN
  524. */
  525. sgx_status_t SGXAPI sgx_ecc256_compute_shared_dhkey(sgx_ec256_private_t *p_private_b,
  526. sgx_ec256_public_t *p_public_ga,
  527. sgx_ec256_dh_shared_t *p_shared_key,
  528. sgx_ecc_state_handle_t ecc_handle);
  529. /** Computes signature for data based on private key.
  530. *
  531. * A message digest is a fixed size number derived from the original message with
  532. * an applied hash function over the binary code of the message. (SHA256 in this case)
  533. * The signer's private key and the message digest are used to create a signature.
  534. *
  535. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  536. * which the given function computes.
  537. *
  538. * The scheme used for computing a digital signature is of the ECDSA scheme,
  539. * an elliptic curve of the DSA scheme.
  540. *
  541. * The keys can be generated and set up by the function: sgx_ecc256_create_key_pair.
  542. *
  543. * The elliptic curve domain parameters must be created by function:
  544. * sgx_ecc256_open_context
  545. *
  546. * Return: If context, private key, signature or data pointer is NULL,
  547. * SGX_ERROR_INVALID_PARAMETER is returned.
  548. * If the signature creation process fails then SGX_ERROR_UNEXPECTED is returned.
  549. *
  550. * Parameters:
  551. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  552. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  553. * sgx_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN
  554. * uint8_t *p_data - Pointer to the data to be signed
  555. * uint32_t data_size - Size of the data to be signed
  556. * Output: ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN
  557. */
  558. sgx_status_t SGXAPI sgx_ecdsa_sign(const uint8_t *p_data,
  559. uint32_t data_size,
  560. sgx_ec256_private_t *p_private,
  561. sgx_ec256_signature_t *p_signature,
  562. sgx_ecc_state_handle_t ecc_handle);
  563. /** Verifies the signature for the given data based on the public key.
  564. *
  565. * A digital signature over a message consists of a pair of large numbers, 256-bits each,
  566. * which could be created by function: sgx_ecdsa_sign. The scheme used for computing a
  567. * digital signature is of the ECDSA scheme, an elliptic curve of the DSA scheme.
  568. *
  569. * The typical result of the digital signature verification is one of the two values:
  570. * SGX_Generic_ECValid - Digital signature is valid
  571. * SGX_Generic_ECInvalidSignature - Digital signature is not valid
  572. *
  573. * The elliptic curve domain parameters must be created by function:
  574. * sgx_ecc256_open_context
  575. *
  576. * Return: If context, public key, signature, result or data pointer is NULL,
  577. * SGX_ERROR_INVALID_PARAMETER is returned.
  578. * If the verification process fails then SGX_ERROR_UNEXPECTED is returned.
  579. * Parameters:
  580. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  581. * Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system
  582. * sgx_ec256_public_t *p_public - Pointer to the public key
  583. * uint8_t *p_data - Pointer to the data to be signed
  584. * uint32_t data_size - Size of the data to be signed
  585. * sgx_ec256_signature_t *p_signature - Pointer to the signature
  586. * Output: uint8_t *p_result - Pointer to the result of verification check
  587. */
  588. sgx_status_t SGXAPI sgx_ecdsa_verify(const uint8_t *p_data,
  589. uint32_t data_size,
  590. const sgx_ec256_public_t *p_public,
  591. sgx_ec256_signature_t *p_signature,
  592. uint8_t *p_result,
  593. sgx_ecc_state_handle_t ecc_handle);
  594. /** Computes signature for a given data based on RSA 3072 private key
  595. *
  596. * A digital signature over a message consists of a 3072 bit number.
  597. *
  598. * Return: If private key, signature or data pointer is NULL,
  599. * SGX_ERROR_INVALID_PARAMETER is returned.
  600. * If the signing process fails then SGX_ERROR_UNEXPECTED is returned.
  601. * Parameters:
  602. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  603. * Inputs: uint8_t *p_data - Pointer to the data to be signed
  604. * uint32_t data_size - Size of the data to be signed
  605. * sgx_rsa3072_key_t *p_key - Pointer to the RSA key.
  606. * Note: In IPP based version p_key->e is unused, hence it can be NULL.
  607. * Output: sgx_rsa3072_signature_t *p_signature - Pointer to the signature output
  608. */
  609. sgx_status_t sgx_rsa3072_sign(const uint8_t *p_data,
  610. uint32_t data_size,
  611. const sgx_rsa3072_key_t *p_key,
  612. sgx_rsa3072_signature_t *p_signature);
  613. /** Verifies the signature for the given data based on the RSA 3072 public key.
  614. *
  615. * A digital signature over a message consists of a 3072 bit number.
  616. *
  617. * The typical result of the digital signature verification is one of the two values:
  618. * SGX_Generic_ECValid - Digital signature is valid
  619. * SGX_Generic_ECInvalidSignature - Digital signature is not valid
  620. *
  621. * Return: If public key, signature, result or data pointer is NULL,
  622. * SGX_ERROR_INVALID_PARAMETER is returned.
  623. * If the verification process fails then SGX_ERROR_UNEXPECTED is returned.
  624. * Parameters:
  625. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  626. * Inputs: uint8_t *p_data - Pointer to the data to be verified
  627. * uint32_t data_size - Size of the data to be verified
  628. * sgx_rsa3072_public_key_t *p_public - Pointer to the public key
  629. * sgx_rsa3072_signature_t *p_signature - Pointer to the signature
  630. * Output: sgx_rsa_result_t *p_result - Pointer to the result of verification check
  631. */
  632. sgx_status_t sgx_rsa3072_verify(const uint8_t *p_data,
  633. uint32_t data_size,
  634. const sgx_rsa3072_public_key_t *p_public,
  635. const sgx_rsa3072_signature_t *p_signature,
  636. sgx_rsa_result_t *p_result);
  637. /** Create RSA key pair with <n_byte_size> key size and <e_byte_size> public exponent.
  638. *
  639. * Parameters:
  640. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  641. * Inputs: p_e [In/Out] Pointer to the public exponent e.
  642. * n_byte_size [In] Size in bytes of the key modulus.
  643. * e_byte_size [In] Size in bytes of the key public exponent.
  644. * Output: p_* [Out] Pointer to the matching key parameter/factor buffer.
  645. */
  646. sgx_status_t sgx_create_rsa_key_pair(int n_byte_size, int e_byte_size, unsigned char *p_n, unsigned char *p_d, unsigned char *p_e,
  647. unsigned char *p_p, unsigned char *p_q, unsigned char *p_dmp1,
  648. unsigned char *p_dmq1, unsigned char *p_iqmp);
  649. /** Decrypt ciphertext [pin_data] using RSA private key, with OAEP SHA-256
  650. *
  651. * Parameters:
  652. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  653. * Inputs: rsa_key - Pointer to the RSA private key.
  654. * pin_data - Pointer to the input ciphertext buffer.
  655. * pin_len - Ciphertext buffer size.
  656. * Output: pout_data - Pointer to the output buffer.
  657. * pout_len - Pointer to amount of data written.
  658. *
  659. */
  660. sgx_status_t sgx_rsa_priv_decrypt_sha256(void* rsa_key, unsigned char* pout_data, size_t* pout_len, const unsigned char* pin_data, const size_t pin_len);
  661. /** Encrypt input data [pin_data] using RSA public key, with OAEP SHA-256
  662. *
  663. * Parameters:
  664. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  665. * Inputs: rsa_key - Pointer to the RSA public key.
  666. * pin_data - Pointer to the input data buffer.
  667. * pin_len - Input buffer size.
  668. * Output: pout_data - Pointer to the output buffer.
  669. * pout_len - Pointer to amount of data (ciphertext) written.
  670. *
  671. */
  672. sgx_status_t sgx_rsa_pub_encrypt_sha256(void* rsa_key, unsigned char* pout_data, size_t* pout_len, const unsigned char* pin_data, const size_t pin_len);
  673. /** Create RSA private key using input buffer factors in little endian.
  674. *
  675. * Parameters:
  676. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  677. * Inputs: mod_size - Size in bytes of the key modulus.
  678. * exp_size - Size in bytes of the public exponent e.
  679. * p_rsa_key_e - Pointer to the public exponent e buffer.
  680. * p_rsa_key_p - Pointer to the prime number p.
  681. * p_rsa_key_q - Pointer to the prime number q.
  682. * p_rsa_key_dmp1 - Pointer to dmp1 [d mod (p-1)].
  683. * p_rsa_key_dmq1 - Pointer to dmq1 [d mod (q-1)].
  684. * p_rsa_key_iqmp - Pointer to iqmp [q^-1 mod p].
  685. * Output: new_pri_key2 - Pointer to the generated private key.
  686. *
  687. */
  688. sgx_status_t sgx_create_rsa_priv2_key(int mod_size, int exp_size, const unsigned char *p_rsa_key_e, const unsigned char *p_rsa_key_p, const unsigned char *p_rsa_key_q,
  689. const unsigned char *p_rsa_key_dmp1, const unsigned char *p_rsa_key_dmq1, const unsigned char *p_rsa_key_iqmp,
  690. void **new_pri_key2);
  691. /** Create RSA public key using input buffer factors in little endian.
  692. *
  693. * Parameters:
  694. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  695. * Inputs: mod_size - Size in bytes of the key modulus.
  696. * exp_size - Size in bytes of the public exponent e.
  697. * le_n - Pointer to the modulus n buffer.
  698. * le_e - Pointer to the public exponent e buffer.
  699. * Output: new_pub_key1 - Pointer to the generated public key.
  700. *
  701. */
  702. sgx_status_t sgx_create_rsa_pub1_key(int mod_size, int exp_size, const unsigned char *le_n, const unsigned char *le_e, void **new_pub_key1);
  703. /** Clear and free RSA key which was generated by one of the Tcrypto "sgx_create_rsa_*" APIs.
  704. *
  705. * Parameters:
  706. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  707. * Inputs: p_rsa_key - Pointer to the RSA key.
  708. * (Note: All input parameters below are relevant only when using IPP based tcrypto library)
  709. * key_type - key state type, relevant only when using IPP based tcrypto library.
  710. * Possible options {SGX_RSA_PRIVATE_KEY, SGX_RSA_PUBLIC_KEY}
  711. * mod_size - RSA key modulus size.
  712. * exp_size - RSA key public exponent size.
  713. * Output:
  714. *
  715. */
  716. sgx_status_t sgx_free_rsa_key(void *p_rsa_key, sgx_rsa_key_type_t key_type, int mod_size, int exp_size);
  717. /** Create an ECDSA private key based on input random seed.
  718. *
  719. * Parameters:
  720. * Return: sgx_status_t - SGX_SUCCESS or failure as defined in sgx_error.h
  721. * Inputs: hash_drg - Input seed
  722. * hash_drg_len - Seed len
  723. * sgx_nistp256_r_m1 -
  724. * sgx_nistp256_r_m1_len - nistp256 len
  725. * Output: out_key - ECDSA private key
  726. * out_key_len - ECDSA private key length
  727. *
  728. */
  729. sgx_status_t sgx_calculate_ecdsa_priv_key(const unsigned char* hash_drg, int hash_drg_len,
  730. const unsigned char* sgx_nistp256_r_m1, int sgx_nistp256_r_m1_len,
  731. unsigned char* out_key, int out_key_len);
  732. #ifdef __cplusplus
  733. }
  734. #endif
  735. #endif