quoting_enclave.cpp 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176
  1. /*
  2. * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. *
  8. * * Redistributions of source code must retain the above copyright
  9. * notice, this list of conditions and the following disclaimer.
  10. * * Redistributions in binary form must reproduce the above copyright
  11. * notice, this list of conditions and the following disclaimer in
  12. * the documentation and/or other materials provided with the
  13. * distribution.
  14. * * Neither the name of Intel Corporation nor the names of its
  15. * contributors may be used to endorse or promote products derived
  16. * from this software without specific prior written permission.
  17. *
  18. * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19. * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20. * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  21. * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  22. * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  23. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  24. * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28. * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29. *
  30. */
  31. #ifndef __linux__
  32. #include "targetver.h"
  33. #endif
  34. // Exclude rarely-used stuff from Windows headers
  35. //#define WIN32_LEAN_AND_MEAN
  36. // Windows Header Files:
  37. //#include <windows.h>
  38. #include "se_types.h"
  39. #include "sgx_quote.h"
  40. #include "aeerror.h"
  41. #include "sgx_tseal.h"
  42. #include "sgx_lfence.h"
  43. #include "epid_pve_type.h"
  44. #include "sgx_utils.h"
  45. #include "ipp_wrapper.h"
  46. #include "epid/common/errors.h"
  47. #include "ae_ipp.h"
  48. #include "epid/member/api.h"
  49. #include "quoting_enclave_t.c"
  50. #include "sgx_tcrypto.h"
  51. #include "se_sig_rl.h"
  52. #include "se_ecdsa_verify_internal.h"
  53. #include "se_quote_internal.h"
  54. #include "pve_qe_common.h"
  55. #include "byte_order.h"
  56. #include "util.h"
  57. #include "qsdk_pub.hh"
  58. #include "isk_pub.hh"
  59. #if !defined(SWAP_4BYTES)
  60. #define SWAP_4BYTES(u32) \
  61. ((uint32_t)(((((unsigned char*)&(u32))[0]) << 24) \
  62. + ((((unsigned char*)&(u32))[1]) << 16) \
  63. + ((((unsigned char*)&(u32))[2]) << 8) \
  64. + (((unsigned char*)&(u32))[3])))
  65. #endif
  66. // Start from 1, and it's little endian.
  67. #define QE_QUOTE_VERSION 2
  68. #define QE_AES_IV_SIZE 12
  69. #define QE_AES_KEY_SIZE 16
  70. #define QE_OAEP_SEED_SIZE 32
  71. /* One field in sgx_quote_t(signature_len) is not part of the quote_body need
  72. to be signed by EPID. So we need to minus sizeof(uint32_t). */
  73. #define QE_QUOTE_BODY_SIZE (sizeof(sgx_quote_t) - sizeof(uint32_t))
  74. /*
  75. * An internal function used to verify EPID Blob, get EPID Group Cert
  76. * and get EPID context, at the same time, you can check whether EPID blob has
  77. * been resealed.
  78. *
  79. * @param p_blob[in, out] Pointer to EPID Blob.
  80. * @param p_is_resealed[out] Whether the EPID Blob has been resealed.
  81. * @param create_context[in] Flag indicates create EPID context or not.
  82. * @param plaintext_epid_data[out] Used to get the plaintext part of epid blob
  83. * @param pp_epid_context[out] Used to get the pointer of the EPID context.
  84. * @return ae_error_t AE_SUCCESS or other error cases.
  85. */
  86. static ae_error_t verify_blob_internal(
  87. uint8_t *p_blob,
  88. uint32_t blob_size,
  89. uint8_t *p_is_resealed,
  90. uint32_t create_context,
  91. se_plaintext_epid_data_sdk_t& plaintext_epid_data,
  92. MemberCtx **pp_epid_context)
  93. {
  94. sgx_status_t se_ret = SGX_SUCCESS;
  95. uint8_t resealed= FALSE;
  96. se_secret_epid_data_sdk_t secret_epid_data;
  97. se_plaintext_epid_data_sik_t plaintext_old_format;
  98. uint32_t plaintext_length;
  99. int is_old_format = 0;
  100. uint32_t decryptedtext_length = sizeof(secret_epid_data);
  101. sgx_sealed_data_t *p_epid_blob = (sgx_sealed_data_t *)p_blob;
  102. uint8_t local_epid_blob[sizeof(*p_epid_blob)
  103. + sizeof(secret_epid_data)
  104. + sizeof(plaintext_epid_data)]
  105. = {0};
  106. // We will use plaintext_old_format as buffer to hold the output of sgx_unseal_data.
  107. // It can be se_plaintext_epid_data_sik_t or se_plaintext_epid_data_sdk_t.
  108. // We use the static assert to reassure plaintext_old_format is big enough.
  109. // If someone changed the definition of these 2 structures and break current assumption,
  110. // it will report error in compile time.
  111. se_static_assert(sizeof(plaintext_old_format)>=sizeof(plaintext_epid_data));
  112. if (sgx_get_encrypt_txt_len(p_epid_blob) != sizeof(se_secret_epid_data_sdk_t)&&
  113. sgx_get_encrypt_txt_len(p_epid_blob) != sizeof(se_secret_epid_data_sik_t)){
  114. return QE_EPIDBLOB_ERROR;
  115. }
  116. plaintext_length = sgx_get_add_mac_txt_len(p_epid_blob);
  117. if(plaintext_length != sizeof(se_plaintext_epid_data_sik_t)&&
  118. plaintext_length != sizeof(se_plaintext_epid_data_sdk_t))
  119. {
  120. return QE_EPIDBLOB_ERROR;
  121. }
  122. memset(&secret_epid_data, 0, sizeof(secret_epid_data));
  123. memset(&plaintext_epid_data, 0, sizeof(plaintext_epid_data));
  124. memset(&plaintext_old_format, 0, sizeof(plaintext_old_format));
  125. se_ret = sgx_unseal_data(p_epid_blob,
  126. (uint8_t *)&plaintext_old_format, // The unsealed plaintext can be old or new format, the buffer is defined as old format because it is bigger
  127. &plaintext_length,
  128. (uint8_t *)&secret_epid_data,
  129. &decryptedtext_length);
  130. if(SGX_SUCCESS != se_ret)
  131. {
  132. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  133. sizeof(secret_epid_data));
  134. return QE_EPIDBLOB_ERROR;
  135. }
  136. //QE will support both epid blob with/without member precomputation
  137. //If the epid blob without member precomputation is used, QE will generate member precomputation and reseal epid blob
  138. if((plaintext_old_format.seal_blob_type != PVE_SEAL_EPID_KEY_BLOB)
  139. || (plaintext_old_format.epid_key_version != EPID_KEY_BLOB_VERSION_SDK&&
  140. plaintext_old_format.epid_key_version != EPID_KEY_BLOB_VERSION_SIK )) //blob_type and key_version are always first two fields of plaintext in both format
  141. {
  142. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  143. sizeof(secret_epid_data));
  144. return QE_EPIDBLOB_ERROR;
  145. }
  146. // Only 2 combinations are legitimate for the tuple epid_key_version|decryptedtext_length|plaintext_length:
  147. // EPID_KEY_BLOB_VERSION_SIK|sizeof(se_secret_epid_data_sik_t)|sizeof(se_plaintext_epid_data_sik_t)
  148. // EPID_KEY_BLOB_VERSION_SDK|sizeof(se_secret_epid_data_sdk_t)|sizeof(se_plaintext_epid_data_sdk_t)
  149. if((plaintext_old_format.epid_key_version == EPID_KEY_BLOB_VERSION_SIK &&
  150. (decryptedtext_length!=sizeof(se_secret_epid_data_sik_t)||plaintext_length!=sizeof(se_plaintext_epid_data_sik_t)))||
  151. (plaintext_old_format.epid_key_version == EPID_KEY_BLOB_VERSION_SDK &&
  152. (decryptedtext_length!=sizeof(se_secret_epid_data_sdk_t)||plaintext_length!=sizeof(se_plaintext_epid_data_sdk_t)))){
  153. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  154. sizeof(secret_epid_data));
  155. return QE_EPIDBLOB_ERROR;
  156. }
  157. // If the input epid blob is in sik format, we will upgrade it to sdk version
  158. if(plaintext_old_format.epid_key_version == EPID_KEY_BLOB_VERSION_SIK){
  159. plaintext_epid_data.seal_blob_type = PVE_SEAL_EPID_KEY_BLOB;
  160. plaintext_epid_data.epid_key_version = EPID_KEY_BLOB_VERSION_SDK;
  161. memcpy(&plaintext_epid_data.equiv_cpu_svn, &plaintext_old_format.equiv_cpu_svn, sizeof(plaintext_old_format.equiv_cpu_svn));
  162. memcpy(&plaintext_epid_data.equiv_pve_isv_svn, &plaintext_old_format.equiv_pve_isv_svn, sizeof(plaintext_old_format.equiv_pve_isv_svn));
  163. memcpy(&plaintext_epid_data.epid_group_cert, &plaintext_old_format.epid_group_cert, sizeof(plaintext_old_format.epid_group_cert));
  164. memcpy(&plaintext_epid_data.qsdk_exp, &plaintext_old_format.qsdk_exp, sizeof(plaintext_old_format.qsdk_exp));
  165. memcpy(&plaintext_epid_data.qsdk_mod, &plaintext_old_format.qsdk_mod, sizeof(plaintext_old_format.qsdk_mod));
  166. memcpy(&plaintext_epid_data.epid_sk, &plaintext_old_format.epid_sk, sizeof(plaintext_old_format.epid_sk));
  167. plaintext_epid_data.xeid = plaintext_old_format.xeid;
  168. memset(&secret_epid_data.member_precomp_data, 0, sizeof(secret_epid_data.member_precomp_data));
  169. is_old_format = 1;
  170. //PrivKey of secret_epid_data are both in offset 0 so that we need not move it
  171. }
  172. else{//SDK version format
  173. memcpy(&plaintext_epid_data, &plaintext_old_format, sizeof(plaintext_epid_data));
  174. }
  175. /* Create report to get current cpu_svn and isv_svn. */
  176. sgx_report_t report;
  177. memset(&report, 0, sizeof(report));
  178. se_ret = sgx_create_report(NULL, NULL, &report);
  179. if(SGX_SUCCESS != se_ret)
  180. {
  181. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  182. sizeof(secret_epid_data));
  183. return QE_UNEXPECTED_ERROR;
  184. }
  185. /* Get the random function pointer. */
  186. BitSupplier rand_func = epid_random_func;
  187. /* Create EPID member context if required. PvE is responsible for verifying
  188. the Cert signature before storing them in the EPID blob. */
  189. if(create_context)
  190. {
  191. EpidStatus epid_ret = kEpidNoErr;
  192. epid_ret = EpidMemberCreate(
  193. &(plaintext_epid_data.epid_group_cert),
  194. (PrivKey*)&(secret_epid_data.epid_private_key),
  195. is_old_format?NULL:&secret_epid_data.member_precomp_data,
  196. rand_func,
  197. NULL,
  198. pp_epid_context);
  199. if(kEpidNoErr != epid_ret)
  200. {
  201. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  202. sizeof(secret_epid_data));
  203. // Make sure the pointer is not pointered to garbage. And according
  204. // to EPID SDK 2.0 API document of EpidMemberCreate, it will not return
  205. // error with memory allocated. So set the pointer to NULL will not
  206. // cause memory leak here.
  207. *pp_epid_context = NULL;
  208. return QE_UNEXPECTED_ERROR;
  209. }
  210. epid_ret = EpidMemberSetHashAlg(*pp_epid_context, kSha256);
  211. if(kEpidNoErr != epid_ret)
  212. {
  213. EpidMemberDelete(pp_epid_context);
  214. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0 ,
  215. sizeof(secret_epid_data));
  216. *pp_epid_context = NULL;
  217. return QE_UNEXPECTED_ERROR;
  218. }
  219. if(is_old_format)
  220. {
  221. epid_ret = EpidMemberWritePrecomp(*pp_epid_context, &secret_epid_data.member_precomp_data);
  222. if(kEpidNoErr != epid_ret)
  223. {
  224. EpidMemberDelete(pp_epid_context);
  225. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  226. sizeof(secret_epid_data));
  227. *pp_epid_context = NULL;
  228. return QE_UNEXPECTED_ERROR;
  229. }
  230. }
  231. }
  232. /* Update the Key Blob using the SEAL Key for the current TCB if the TCB is
  233. upgraded after the Key Blob is generated. Here memcmp cpu_svns might be
  234. different even though they're actually same, but for defense in depth we
  235. will keep this comparison here. And we will also upgrade old format EPID
  236. blob to new format here. */
  237. if((memcmp(&report.body.cpu_svn, &p_epid_blob->key_request.cpu_svn,
  238. sizeof(report.body.cpu_svn)))
  239. || (report.body.isv_svn != p_epid_blob->key_request.isv_svn)
  240. || plaintext_old_format.epid_key_version == EPID_KEY_BLOB_VERSION_SIK)
  241. {
  242. se_ret = sgx_seal_data(sizeof(plaintext_epid_data),
  243. (uint8_t *)&plaintext_epid_data,
  244. sizeof(secret_epid_data),
  245. (uint8_t *)&secret_epid_data,
  246. SGX_TRUSTED_EPID_BLOB_SIZE_SDK,
  247. (sgx_sealed_data_t *)local_epid_blob);
  248. if(SGX_SUCCESS != se_ret)
  249. {
  250. // Clear the output buffer to make sure nothing leaks.
  251. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  252. sizeof(secret_epid_data));
  253. // *pp_epid_context contains pointers, so we cannot simply clear it.
  254. if(pp_epid_context)
  255. {
  256. EpidMemberDelete(pp_epid_context);
  257. *pp_epid_context = NULL;
  258. }
  259. return QE_UNEXPECTED_ERROR;
  260. }
  261. memcpy(p_epid_blob, local_epid_blob, blob_size);
  262. resealed = TRUE;
  263. }
  264. memset_s(&secret_epid_data, sizeof(secret_epid_data), 0,
  265. sizeof(secret_epid_data));
  266. *p_is_resealed = resealed;
  267. return AE_SUCCESS;
  268. }
  269. /*
  270. * External function used to verify EPID Blob and check whether QE has
  271. * been updated.
  272. *
  273. * @param p_blob[in, out] Pointer to EPID Blob.
  274. * @param blob_size[in] The size of EPID Blob, in bytes.
  275. * @param p_is_resealed[out] Whether the EPID Blob is resealed within this function call.
  276. * @return uint32_t AE_SUCCESS or other error cases.
  277. */
  278. uint32_t verify_blob(
  279. uint8_t *p_blob,
  280. uint32_t blob_size,
  281. uint8_t *p_is_resealed)
  282. {
  283. se_plaintext_epid_data_sdk_t plain_text;
  284. /* Actually, some cases here will be checked with code generated by
  285. edger8r. Here we just want to defend in depth. */
  286. if(NULL == p_blob || NULL == p_is_resealed)
  287. return QE_PARAMETER_ERROR;
  288. if(SGX_TRUSTED_EPID_BLOB_SIZE_SDK != blob_size)
  289. return QE_PARAMETER_ERROR;
  290. //
  291. // if we mispredict here and blob_size is too
  292. // small, we might overflow
  293. //
  294. sgx_lfence();
  295. if(!sgx_is_within_enclave(p_blob, blob_size))
  296. return QE_PARAMETER_ERROR;
  297. return verify_blob_internal(p_blob, blob_size,
  298. p_is_resealed, FALSE, plain_text, NULL);
  299. }
  300. /*
  301. * An internal function used to sign the EPID signature on the quote body.
  302. * Prefix "emp_" means it is a pointer points memory outside enclave.
  303. *
  304. * For quote with SIG-RL
  305. * |--------------------------------------------------------------------|
  306. * |sgx_quote_t|wrap_key_t|iv|payload_size|basic_sig|rl_ver|n2|nrp..|mac|
  307. * |--------------------------------------------------------------------|
  308. * For quote without SIG-RL
  309. * |--------------------------------------------------------------|
  310. * |sgx_quote_t|wrap_key_t|iv|payload_size|basic_sig|rl_ver|n2|mac|
  311. * |--------------------------------------------------------------|
  312. *
  313. * @param p_epid_context[in] Pointer to the EPID context.
  314. * @param plaintext[in] Reference to the plain text part of EPID blob.
  315. * @param p_basename[in] The pointer to basename.
  316. * @param emp_sig_rl_entries[in] The pointer to SIG-RL entries.
  317. * @param p_sig_rl_header[in] The header of SIG-RL, within EPC.
  318. * @param p_sig_rl_signature[in] The ecdsa signature of SIG-RL, within EPC.
  319. * @param p_enclave_report[in] The input isv report.
  320. * @param p_nonce[in] The input nonce.
  321. * @param p_qe_report[out] The output buffer for qe_report.
  322. * @param emp_quote[out] The output buffer for quote.
  323. * @param p_quote_body[in] The quote body in EPC.
  324. * @param sign_size[in] size of the signature.
  325. * @return ae_error_t AE_SUCCESS for success, otherwise for errors.
  326. */
  327. static ae_error_t qe_epid_sign(
  328. MemberCtx *p_epid_context,
  329. const se_plaintext_epid_data_sdk_t& plaintext,
  330. const sgx_basename_t *p_basename,
  331. const SigRlEntry *emp_sig_rl_entries,
  332. se_sig_rl_t *p_sig_rl_header,
  333. sgx_ec256_signature_t *p_sig_rl_signature,
  334. const sgx_report_t *p_enclave_report,
  335. const sgx_quote_nonce_t *p_nonce,
  336. sgx_report_t *p_qe_report,
  337. uint8_t *emp_quote,
  338. const sgx_quote_t *p_quote_body,
  339. uint32_t sign_size)
  340. {
  341. ae_error_t ret = AE_SUCCESS;
  342. IppStatus ipp_ret = ippStsNoErr;
  343. sgx_status_t se_ret = SGX_SUCCESS;
  344. EpidStatus epid_ret = kEpidNoErr;
  345. se_wrap_key_t wrap_key;
  346. BasicSignature basic_sig;
  347. BasicSignature encrypted_basic_sig;
  348. uint8_t aes_iv[QUOTE_IV_SIZE] = {0};
  349. uint8_t aes_key[QE_AES_KEY_SIZE] = {0};
  350. uint8_t aes_tag[SGX_SEAL_TAG_SIZE] = {0};
  351. Ipp8u seeds[QE_OAEP_SEED_SIZE] = {0};
  352. sgx_report_data_t qe_report_data = {{0}};
  353. sgx_target_info_t report_target;
  354. sgx_ec256_public_t ec_pub_key;
  355. se_ae_ecdsa_hash_t sig_rl_hash = {{0}};
  356. IppECResult ec_result = ippECValid ;
  357. int aes_context_size = 0;
  358. sgx_sha_state_handle_t sha_context = NULL;
  359. sgx_sha_state_handle_t sha_quote_context = NULL;
  360. IppsAES_GCMState *aes_context = NULL;
  361. IppsRSAPublicKeyState *pub_key = NULL;
  362. int pub_key_size = 0;
  363. uint8_t* pub_key_buffer = NULL;
  364. IppsECCPState *p_ecp = NULL;
  365. memset(&wrap_key, 0, sizeof(wrap_key));
  366. memset(&basic_sig, 0, sizeof(basic_sig));
  367. memset(&encrypted_basic_sig, 0, sizeof(encrypted_basic_sig));
  368. memset(&report_target, 0, sizeof(report_target));
  369. memset(&ec_pub_key, 0, sizeof(ec_pub_key));
  370. se_encrypted_sign_t *emp_p = (se_encrypted_sign_t *)
  371. (((sgx_quote_t *)emp_quote)->signature);
  372. uint8_t* emp_nr = NULL;
  373. uint32_t match = FALSE;
  374. /* Sign the quote body and get the basic signature*/
  375. epid_ret = EpidSignBasic(p_epid_context,
  376. (uint8_t *)const_cast<sgx_quote_t *>(p_quote_body),
  377. (uint32_t)QE_QUOTE_BODY_SIZE,
  378. (uint8_t *)const_cast<sgx_basename_t *>(p_basename),
  379. sizeof(*p_basename),
  380. &basic_sig);
  381. if(kEpidNoErr != epid_ret)
  382. {
  383. ret = QE_UNEXPECTED_ERROR;
  384. goto CLEANUP;
  385. }
  386. /* Prepare the context for SHA256 of quote. */
  387. if(p_qe_report)
  388. {
  389. se_ret = sgx_sha256_init(&sha_quote_context);
  390. if(SGX_SUCCESS != se_ret)
  391. {
  392. ret = QE_UNEXPECTED_ERROR;
  393. goto CLEANUP;
  394. }
  395. // Update hash for nonce.
  396. se_ret = sgx_sha256_update((uint8_t *)const_cast<sgx_quote_nonce_t *>(p_nonce),
  397. sizeof(*p_nonce),
  398. sha_quote_context);
  399. if(SGX_SUCCESS != se_ret)
  400. {
  401. ret = QE_UNEXPECTED_ERROR;
  402. goto CLEANUP;
  403. }
  404. // Update hash for the first part of quote.
  405. se_ret = sgx_sha256_update((uint8_t *)const_cast<sgx_quote_t *>(p_quote_body),
  406. sizeof(*p_quote_body),
  407. sha_quote_context);
  408. if(SGX_SUCCESS != se_ret)
  409. {
  410. ret = QE_UNEXPECTED_ERROR;
  411. goto CLEANUP;
  412. }
  413. }
  414. /* Prepare the context for SHA256 and start calculate the hash of header
  415. * of SIG-RL. */
  416. if(emp_sig_rl_entries)
  417. {
  418. se_ret = sgx_sha256_init(&sha_context);
  419. if(SGX_SUCCESS != se_ret)
  420. {
  421. ret = QE_UNEXPECTED_ERROR;
  422. goto CLEANUP;
  423. }
  424. /* Calculate the hash of SIG-RL header. */
  425. se_ret = sgx_sha256_update((Ipp8u *)p_sig_rl_header,
  426. (uint32_t)(sizeof(se_sig_rl_t) - sizeof(SigRlEntry)),
  427. sha_context);
  428. if(SGX_SUCCESS != se_ret)
  429. {
  430. ret = QE_UNEXPECTED_ERROR;
  431. goto CLEANUP;
  432. }
  433. }
  434. // Start encrypt the signature.
  435. ipp_ret = ippsAES_GCMGetSize(&aes_context_size);
  436. if(ipp_ret != ippStsNoErr){
  437. ret = QE_UNEXPECTED_ERROR;
  438. goto CLEANUP;
  439. }
  440. aes_context = (IppsAES_GCMState *)malloc(aes_context_size);
  441. if(NULL == aes_context)
  442. {
  443. ret = QE_UNEXPECTED_ERROR;
  444. goto CLEANUP;
  445. }
  446. /* Get the random wrap key */
  447. se_ret = sgx_read_rand(aes_key, sizeof(aes_key));
  448. if(SGX_SUCCESS != se_ret)
  449. {
  450. ret = QE_UNEXPECTED_ERROR;
  451. goto CLEANUP;
  452. }
  453. /* Copy the hash of wrap key into output buffer. */
  454. se_static_assert(sizeof(wrap_key.key_hash) == sizeof(sgx_sha256_hash_t));
  455. se_ret = sgx_sha256_msg(aes_key, sizeof(aes_key),
  456. (sgx_sha256_hash_t *)wrap_key.key_hash);
  457. if(SGX_SUCCESS != se_ret)
  458. {
  459. ret = QE_UNEXPECTED_ERROR;
  460. goto CLEANUP;
  461. }
  462. //Start encrypt the wrap key by RSA IPP algorithm.
  463. ipp_ret = create_rsa_pub_key(sizeof(g_qsdk_pub_key_n),
  464. sizeof(g_qsdk_pub_key_e),
  465. g_qsdk_pub_key_n,
  466. g_qsdk_pub_key_e,
  467. &pub_key);
  468. if(ipp_ret != ippStsNoErr)
  469. {
  470. ret = QE_UNEXPECTED_ERROR;
  471. goto CLEANUP;
  472. }
  473. se_ret = sgx_read_rand(seeds, sizeof(seeds));
  474. if(SGX_SUCCESS != se_ret)
  475. {
  476. ret = QE_UNEXPECTED_ERROR;
  477. goto CLEANUP;
  478. }
  479. ipp_ret = ippsRSA_GetBufferSizePublicKey(&pub_key_size, pub_key);
  480. if (ipp_ret != ippStsNoErr)
  481. {
  482. ret = QE_UNEXPECTED_ERROR;
  483. goto CLEANUP;
  484. }
  485. pub_key_buffer = (uint8_t*)malloc(pub_key_size);
  486. if (pub_key_buffer == NULL)
  487. {
  488. ret = QE_UNEXPECTED_ERROR;
  489. goto CLEANUP;
  490. }
  491. ipp_ret = ippsRSAEncrypt_OAEP(aes_key, sizeof(aes_key),
  492. NULL, 0, seeds,
  493. wrap_key.encrypted_key,
  494. pub_key, IPP_ALG_HASH_SHA256,
  495. pub_key_buffer);
  496. if(ipp_ret != ippStsNoErr)
  497. {
  498. ret = QE_UNEXPECTED_ERROR;
  499. goto CLEANUP;
  500. }
  501. ipp_ret = ippsAES_GCMInit(aes_key,
  502. sizeof(aes_key),
  503. aes_context,
  504. aes_context_size);
  505. memset_s(aes_key, sizeof(aes_key), 0, sizeof(aes_key));
  506. if(ipp_ret != ippStsNoErr)
  507. {
  508. ret = QE_UNEXPECTED_ERROR;
  509. goto CLEANUP;
  510. }
  511. /* Create the random AES IV. */
  512. se_ret = sgx_read_rand(aes_iv, sizeof(aes_iv));
  513. if(SGX_SUCCESS != se_ret)
  514. {
  515. ret = QE_UNEXPECTED_ERROR;
  516. goto CLEANUP;
  517. }
  518. /* Copy the wrap_key_t into output buffer. */
  519. memcpy(&emp_p->wrap_key, &wrap_key, sizeof(wrap_key));
  520. /* Copy the AES IV into output buffer. */
  521. memcpy(&emp_p->iv, aes_iv, sizeof(aes_iv));
  522. /* Copy the AES Blob payload size into output buffer. */
  523. memcpy(&emp_p->payload_size, &sign_size, sizeof(sign_size));
  524. ipp_ret = ippsAES_GCMStart(aes_iv, sizeof(aes_iv), NULL, 0,
  525. aes_context);
  526. if(ipp_ret != ippStsNoErr)
  527. {
  528. ret = QE_UNEXPECTED_ERROR;
  529. goto CLEANUP;
  530. }
  531. /* Encrypt the basic signature. */
  532. ipp_ret = ippsAES_GCMEncrypt((Ipp8u *)&basic_sig,
  533. (uint8_t *)&encrypted_basic_sig,
  534. sizeof(encrypted_basic_sig),
  535. aes_context);
  536. if(ipp_ret != ippStsNoErr)
  537. {
  538. ret = QE_UNEXPECTED_ERROR;
  539. goto CLEANUP;
  540. }
  541. /* Copy the encrypted basic signature into output buffer. */
  542. memcpy(&emp_p->basic_sign, &encrypted_basic_sig,
  543. sizeof(encrypted_basic_sig));
  544. if(p_qe_report)
  545. {
  546. se_ret = sgx_sha256_update((uint8_t *)&wrap_key,
  547. sizeof(wrap_key),
  548. sha_quote_context);
  549. if(SGX_SUCCESS != se_ret)
  550. {
  551. ret = QE_UNEXPECTED_ERROR;
  552. goto CLEANUP;
  553. }
  554. se_ret = sgx_sha256_update(aes_iv,
  555. sizeof(aes_iv),
  556. sha_quote_context);
  557. if(SGX_SUCCESS != se_ret)
  558. {
  559. ret = QE_UNEXPECTED_ERROR;
  560. goto CLEANUP;
  561. }
  562. se_ret = sgx_sha256_update((uint8_t *)&sign_size,
  563. sizeof(sign_size),
  564. sha_quote_context);
  565. if(SGX_SUCCESS != se_ret)
  566. {
  567. ret = QE_UNEXPECTED_ERROR;
  568. goto CLEANUP;
  569. }
  570. se_ret = sgx_sha256_update((uint8_t *)&encrypted_basic_sig,
  571. sizeof(encrypted_basic_sig),
  572. sha_quote_context);
  573. if(SGX_SUCCESS != se_ret)
  574. {
  575. ret = QE_UNEXPECTED_ERROR;
  576. goto CLEANUP;
  577. }
  578. }
  579. /* Start process the SIG-RL. */
  580. if(emp_sig_rl_entries)
  581. {
  582. unsigned int entry_count = 0;
  583. unsigned int i = 0;
  584. RLver_t encrypted_rl_ver = {{0}};
  585. RLCount encrypted_n2 = {{0}};
  586. entry_count = lv_ntohl(p_sig_rl_header->sig_rl.n2);//entry count for big endian to little endian
  587. // Continue encrypt the output
  588. ipp_ret = ippsAES_GCMEncrypt((Ipp8u *)&(p_sig_rl_header->sig_rl.version),
  589. (Ipp8u *)&encrypted_rl_ver,
  590. sizeof(encrypted_rl_ver),
  591. aes_context);
  592. if(ipp_ret != ippStsNoErr)
  593. {
  594. ret = QE_UNEXPECTED_ERROR;
  595. goto CLEANUP;
  596. }
  597. ipp_ret = ippsAES_GCMEncrypt((Ipp8u *)&(p_sig_rl_header->sig_rl.n2),
  598. (Ipp8u *)&encrypted_n2,
  599. sizeof(encrypted_n2),
  600. aes_context);
  601. if(ipp_ret != ippStsNoErr)
  602. {
  603. ret = QE_UNEXPECTED_ERROR;
  604. goto CLEANUP;
  605. }
  606. memcpy(&(emp_p->rl_ver), &encrypted_rl_ver,
  607. sizeof(encrypted_rl_ver));
  608. memcpy(&(emp_p->rl_num), &encrypted_n2,
  609. sizeof(encrypted_n2));
  610. if(p_qe_report)
  611. {
  612. se_ret = sgx_sha256_update((uint8_t *)&encrypted_rl_ver,
  613. sizeof(encrypted_rl_ver),
  614. sha_quote_context);
  615. if(SGX_SUCCESS != se_ret)
  616. {
  617. ret = QE_UNEXPECTED_ERROR;
  618. goto CLEANUP;
  619. }
  620. se_ret = sgx_sha256_update((uint8_t *)&encrypted_n2,
  621. sizeof(encrypted_n2),
  622. sha_quote_context);
  623. if(SGX_SUCCESS != se_ret)
  624. {
  625. ret = QE_UNEXPECTED_ERROR;
  626. goto CLEANUP;
  627. }
  628. }
  629. /* Start process the SIG-RL entries one by one. */
  630. emp_nr = emp_p->nrp_mac;
  631. for (i = 0; i < entry_count; i++, emp_nr += sizeof(NrProof))
  632. {
  633. /* Generate non-revoke prove one by one. */
  634. SigRlEntry entry;
  635. NrProof temp_nr;
  636. NrProof encrypted_temp_nr;
  637. memcpy(&entry, emp_sig_rl_entries + i, sizeof(entry));
  638. memset_s(&temp_nr, sizeof(temp_nr), 0, sizeof(temp_nr));
  639. memset_s(&encrypted_temp_nr, sizeof(encrypted_temp_nr), 0, sizeof(encrypted_temp_nr));
  640. epid_ret = EpidNrProve(p_epid_context,
  641. (uint8_t *)const_cast<sgx_quote_t *>(p_quote_body),
  642. (uint32_t)QE_QUOTE_BODY_SIZE,
  643. &basic_sig, // Basic signature with 'b' and 'k' in it
  644. &entry, //Single entry in SigRl composed of 'b' and 'k'
  645. &temp_nr); // The generated non-revoked proof
  646. if(kEpidNoErr != epid_ret)
  647. {
  648. if(kEpidSigRevokedInSigRl == epid_ret)
  649. match = TRUE;
  650. else
  651. {
  652. ret = QE_UNEXPECTED_ERROR;
  653. goto CLEANUP;
  654. }
  655. }
  656. /* Update the hash of SIG-RL */
  657. se_ret = sgx_sha256_update((Ipp8u *)&entry,
  658. sizeof(entry), sha_context);
  659. if(SGX_SUCCESS != se_ret)
  660. {
  661. ret = QE_UNEXPECTED_ERROR;
  662. goto CLEANUP;
  663. }
  664. ipp_ret = ippsAES_GCMEncrypt((Ipp8u *)&temp_nr,
  665. (Ipp8u *)&encrypted_temp_nr,
  666. sizeof(NrProof),
  667. aes_context);
  668. if(ipp_ret != ippStsNoErr)
  669. {
  670. ret = QE_UNEXPECTED_ERROR;
  671. goto CLEANUP;
  672. }
  673. memcpy(emp_nr, &encrypted_temp_nr, sizeof(encrypted_temp_nr));
  674. if(p_qe_report)
  675. {
  676. se_ret = sgx_sha256_update((uint8_t *)&encrypted_temp_nr,
  677. sizeof(encrypted_temp_nr),
  678. sha_quote_context);
  679. if(SGX_SUCCESS != se_ret)
  680. {
  681. ret = QE_UNEXPECTED_ERROR;
  682. goto CLEANUP;
  683. }
  684. }
  685. }
  686. /* Get the final hash of the whole SIG-RL. */
  687. se_ret = sgx_sha256_get_hash(sha_context,
  688. (sgx_sha256_hash_t *)&sig_rl_hash.hash);
  689. if(SGX_SUCCESS != se_ret)
  690. {
  691. ret = QE_UNEXPECTED_ERROR;
  692. goto CLEANUP;
  693. }
  694. /* Verify the integraty of SIG-RL by check ECDSA signature. */
  695. ipp_ret = new_std_256_ecp(&p_ecp);
  696. if(ipp_ret != ippStsNoErr)
  697. {
  698. ret = QE_UNEXPECTED_ERROR;
  699. goto CLEANUP;
  700. }
  701. se_static_assert(sizeof(ec_pub_key) == sizeof(plaintext.epid_sk));
  702. // Both plaintext.epid_sk and ec_pub_key are little endian
  703. memcpy(&ec_pub_key, plaintext.epid_sk, sizeof(ec_pub_key));
  704. // se_ecdsa_verify_internal will take ec_pub_key as little endian
  705. se_ret = se_ecdsa_verify_internal(p_ecp,
  706. &ec_pub_key,
  707. p_sig_rl_signature,
  708. &sig_rl_hash,
  709. &ec_result);
  710. if(SGX_SUCCESS != se_ret)
  711. {
  712. ret = QE_UNEXPECTED_ERROR;
  713. goto CLEANUP;
  714. }
  715. else if(ippECValid != ec_result)
  716. {
  717. ret = QE_SIGRL_ERROR;
  718. goto CLEANUP;
  719. }
  720. else if(match)
  721. {
  722. ret = QE_REVOKED_ERROR;
  723. goto CLEANUP;
  724. }
  725. }
  726. else
  727. {
  728. se_static_assert(sizeof(emp_p->rl_ver) == sizeof(RLver_t));
  729. se_static_assert(sizeof(emp_p->rl_num) == sizeof(RLCount));
  730. uint8_t temp_buf[sizeof(RLver_t) + sizeof(RLCount)] = {0};
  731. uint8_t encrypted_temp_buf[sizeof(temp_buf)] = {0};
  732. ipp_ret = ippsAES_GCMEncrypt(temp_buf,
  733. (Ipp8u *)&encrypted_temp_buf,
  734. sizeof(encrypted_temp_buf),
  735. aes_context);
  736. if(ipp_ret != ippStsNoErr)
  737. {
  738. ret = QE_UNEXPECTED_ERROR;
  739. goto CLEANUP;
  740. }
  741. /* This will copy both encrypted rl_ver and encrypted rl_num into
  742. Output buffer. */
  743. memcpy(&emp_p->rl_ver, &encrypted_temp_buf,
  744. sizeof(encrypted_temp_buf));
  745. if(p_qe_report)
  746. {
  747. se_ret = sgx_sha256_update((uint8_t *)&encrypted_temp_buf,
  748. sizeof(encrypted_temp_buf),
  749. sha_quote_context);
  750. if(SGX_SUCCESS != se_ret)
  751. {
  752. ret = QE_UNEXPECTED_ERROR;
  753. goto CLEANUP;
  754. }
  755. }
  756. }
  757. ipp_ret = ippsAES_GCMGetTag(aes_tag, sizeof(aes_tag), aes_context);
  758. if(ipp_ret != ippStsNoErr)
  759. {
  760. ret = QE_UNEXPECTED_ERROR;
  761. goto CLEANUP;
  762. }
  763. memcpy((uint8_t *)&(emp_p->basic_sign) + sign_size, &aes_tag,
  764. sizeof(aes_tag));
  765. if(p_qe_report)
  766. {
  767. se_ret = sgx_sha256_update(aes_tag, sizeof(aes_tag),
  768. sha_quote_context);
  769. if(SGX_SUCCESS != se_ret)
  770. {
  771. ret = QE_UNEXPECTED_ERROR;
  772. goto CLEANUP;
  773. }
  774. se_ret = sgx_sha256_get_hash(sha_quote_context,
  775. (sgx_sha256_hash_t *)&qe_report_data);
  776. if(SGX_SUCCESS != se_ret)
  777. {
  778. ret = QE_UNEXPECTED_ERROR;
  779. goto CLEANUP;
  780. }
  781. memcpy(&(report_target.attributes),
  782. &(((const sgx_report_t *)p_enclave_report)->body.attributes),
  783. sizeof(report_target.attributes));
  784. memcpy(&(report_target.mr_enclave),
  785. &(((const sgx_report_t *)p_enclave_report)->body.mr_enclave),
  786. sizeof(report_target.mr_enclave));
  787. memcpy(&(report_target.misc_select),
  788. &(((const sgx_report_t *)p_enclave_report)->body.misc_select),
  789. sizeof(report_target.misc_select));
  790. se_ret = sgx_create_report(&report_target, &qe_report_data, p_qe_report);
  791. if(SGX_SUCCESS != se_ret)
  792. {
  793. ret = QE_PARAMETER_ERROR;
  794. goto CLEANUP;
  795. }
  796. }
  797. CLEANUP:
  798. memset_s(aes_key, sizeof(aes_key), 0, sizeof(aes_key));
  799. sgx_sha256_close(sha_context);
  800. sgx_sha256_close(sha_quote_context);
  801. if(aes_context)
  802. free(aes_context);
  803. if(pub_key)
  804. secure_free_rsa_pub_key(sizeof(g_qsdk_pub_key_n), sizeof(g_qsdk_pub_key_e), pub_key);
  805. if(pub_key_buffer)
  806. free(pub_key_buffer);
  807. secure_free_std_256_ecp(p_ecp);
  808. return ret;
  809. }
  810. /*
  811. * External function used to get quote. Prefix "emp_" means it is a pointer
  812. * points memory outside enclave.
  813. *
  814. * @param p_blob[in, out] Pointer to the EPID Blob.
  815. * @param blob_size[in] The size of EPID Blob, in bytes.
  816. * @param p_enclave_report[in] The application enclave's report.
  817. * @param quote_type[in] The type of quote, random based or name based.
  818. * @param p_spid[in] Pointer to SPID.
  819. * @param p_nonce[in] Pointer to nonce.
  820. * @param emp_sig_rl[in] Pointer to SIG-RL.
  821. * @param sig_rl_size[in] The size of SIG-RL, in bytes.
  822. * @param p_qe_report[out] Pointer to QE report, which reportdata is
  823. * sha256(nonce || quote)
  824. * @param emp_quote[out] Pointer to the output buffer for quote.
  825. * @param quote_size[in] The size of emp_quote, in bytes.
  826. * @param pce_isvsvn[in] The ISVSVN of PCE.
  827. * @return ae_error_t AE_SUCCESS for success, otherwise for errors.
  828. */
  829. uint32_t get_quote(
  830. uint8_t *p_blob,
  831. uint32_t blob_size,
  832. const sgx_report_t *p_enclave_report,
  833. sgx_quote_sign_type_t quote_type,
  834. const sgx_spid_t *p_spid,
  835. const sgx_quote_nonce_t *p_nonce,
  836. const uint8_t *emp_sig_rl,
  837. uint32_t sig_rl_size,
  838. sgx_report_t *p_qe_report,
  839. uint8_t *emp_quote,
  840. uint32_t quote_size,
  841. sgx_isv_svn_t pce_isvsvn)
  842. {
  843. ae_error_t ret = AE_SUCCESS;
  844. EpidStatus epid_ret = kEpidNoErr;
  845. MemberCtx *p_epid_context = NULL;
  846. sgx_quote_t quote_body;
  847. uint8_t is_resealed = 0;
  848. sgx_basename_t basename = {{0}};
  849. uint64_t sign_size = 0;
  850. sgx_status_t se_ret = SGX_SUCCESS;
  851. sgx_report_t qe_report;
  852. uint64_t required_buffer_size = 0;
  853. se_sig_rl_t sig_rl_header;
  854. se_plaintext_epid_data_sdk_t plaintext;
  855. sgx_ec256_signature_t ec_signature;
  856. memset(&quote_body, 0, sizeof(quote_body));
  857. memset(&sig_rl_header, 0, sizeof(sig_rl_header));
  858. memset(&plaintext, 0, sizeof(plaintext));
  859. memset(&ec_signature, 0, sizeof(ec_signature));
  860. /* Actually, some cases here will be checked with code generated by
  861. edger8r. Here we just want to defend in depth. */
  862. if((NULL == p_blob)
  863. || (NULL == p_enclave_report)
  864. || (NULL == p_spid)
  865. || (NULL == emp_quote)
  866. || (!quote_size)
  867. || ((NULL != emp_sig_rl) && (sig_rl_size < sizeof(se_sig_rl_t)
  868. + 2 * SE_ECDSA_SIGN_SIZE))
  869. //
  870. // this size check could mispredict and cause us to
  871. // overflow, but we have an lfence below
  872. // that's safe to use for this case
  873. //
  874. || ((NULL == emp_sig_rl) && (sig_rl_size != 0)))
  875. return QE_PARAMETER_ERROR;
  876. if(SGX_TRUSTED_EPID_BLOB_SIZE_SDK != blob_size)
  877. return QE_PARAMETER_ERROR;
  878. //
  879. // this could mispredict and cause us to
  880. // overflow, but we have an lfence below
  881. // that's safe to use for this case
  882. //
  883. if(SGX_LINKABLE_SIGNATURE != quote_type
  884. && SGX_UNLINKABLE_SIGNATURE != quote_type)
  885. return QE_PARAMETER_ERROR;
  886. if(!p_nonce && p_qe_report)
  887. return QE_PARAMETER_ERROR;
  888. if(p_nonce && !p_qe_report)
  889. return QE_PARAMETER_ERROR;
  890. /* To reduce the memory footprint of QE, we should leave sig_rl and
  891. quote buffer outside enclave. */
  892. if(!sgx_is_outside_enclave(emp_sig_rl, sig_rl_size))
  893. return QE_PARAMETER_ERROR;
  894. //
  895. // for user_check SigRL input
  896. // based on quote_size input parameter
  897. //
  898. sgx_lfence();
  899. if(!sgx_is_outside_enclave(emp_quote, quote_size))
  900. return QE_PARAMETER_ERROR;
  901. /* Check whether p_blob is copied into EPC. If we want to reduce the
  902. memory usage, maybe we can leave the p_blob outside EPC. */
  903. if(!sgx_is_within_enclave(p_blob, blob_size))
  904. return QE_PARAMETER_ERROR;
  905. if(!sgx_is_within_enclave(p_enclave_report, sizeof(*p_enclave_report)))
  906. return QE_PARAMETER_ERROR;
  907. if(!sgx_is_within_enclave(p_spid, sizeof(*p_spid)))
  908. return QE_PARAMETER_ERROR;
  909. /* If the code reach here, if p_nonce is NULL, then p_qe_report will be
  910. NULL also. So we only check p_nonce here.*/
  911. if(p_nonce)
  912. {
  913. /* Actually Edger8r will alloc the buffer within EPC, this is just kind
  914. of defense in depth. */
  915. if(!sgx_is_within_enclave(p_nonce, sizeof(*p_nonce)))
  916. return QE_PARAMETER_ERROR;
  917. if(!sgx_is_within_enclave(p_qe_report, sizeof(*p_qe_report)))
  918. return QE_PARAMETER_ERROR;
  919. }
  920. /* Verify the input report. */
  921. if(SGX_SUCCESS != sgx_verify_report(p_enclave_report))
  922. return QE_PARAMETER_ERROR;
  923. /* Verify EPID p_blob and create the context */
  924. ret = verify_blob_internal(p_blob,
  925. blob_size,
  926. &is_resealed,
  927. TRUE,
  928. plaintext,
  929. &p_epid_context);
  930. if(AE_SUCCESS != ret)
  931. goto CLEANUP;
  932. /* If SIG-RL is provided, we should check its size. */
  933. if(emp_sig_rl)
  934. {
  935. uint64_t temp_size = 0;
  936. uint64_t n2 = 0;
  937. memcpy(&sig_rl_header, emp_sig_rl, sizeof(sig_rl_header));
  938. if(sig_rl_header.protocol_version != SE_EPID_SIG_RL_VERSION)
  939. {
  940. ret = QE_PARAMETER_ERROR;
  941. goto CLEANUP;
  942. }
  943. if(sig_rl_header.epid_identifier != SE_EPID_SIG_RL_ID)
  944. {
  945. ret = QE_PARAMETER_ERROR;
  946. goto CLEANUP;
  947. }
  948. if(memcmp(&sig_rl_header.sig_rl.gid, &plaintext.epid_group_cert.gid,
  949. sizeof(sig_rl_header.sig_rl.gid)))
  950. {
  951. ret = QE_PARAMETER_ERROR;
  952. goto CLEANUP;
  953. }
  954. temp_size = se_get_sig_rl_size(&sig_rl_header);
  955. if(temp_size != sig_rl_size)
  956. {
  957. ret = QE_PARAMETER_ERROR;
  958. goto CLEANUP;
  959. }
  960. se_static_assert(sizeof(ec_signature.x) == SE_ECDSA_SIGN_SIZE);
  961. se_static_assert(sizeof(ec_signature.y) == SE_ECDSA_SIGN_SIZE);
  962. memcpy(ec_signature.x,
  963. emp_sig_rl + sig_rl_size - (SE_ECDSA_SIGN_SIZE * 2),
  964. sizeof(ec_signature.x));
  965. SWAP_ENDIAN_32B(ec_signature.x);
  966. memcpy(ec_signature.y,
  967. emp_sig_rl + sig_rl_size - (SE_ECDSA_SIGN_SIZE * 1),
  968. sizeof(ec_signature.y));
  969. SWAP_ENDIAN_32B(ec_signature.y);
  970. n2 = SWAP_4BYTES(sig_rl_header.sig_rl.n2);
  971. temp_size = sizeof(EpidSignature) - sizeof(NrProof)
  972. + n2 * sizeof(NrProof);
  973. if(temp_size > UINT32_MAX)
  974. {
  975. ret = QE_PARAMETER_ERROR;
  976. goto CLEANUP;
  977. }
  978. sign_size = temp_size;
  979. }
  980. else
  981. {
  982. sign_size = sizeof(BasicSignature)
  983. + sizeof(uint32_t) // rl_ver
  984. + sizeof(uint32_t); // rl_num
  985. }
  986. /* Verify sizeof basename is large enough and it should always be true*/
  987. se_static_assert(sizeof(basename) > sizeof(*p_spid));
  988. /* Because basename has already been zeroed,
  989. so we don't need to concatenating with 0s.*/
  990. memcpy(&basename, p_spid, sizeof(*p_spid));
  991. if(SGX_UNLINKABLE_SIGNATURE == quote_type)
  992. {
  993. uint8_t *p = (uint8_t *)&basename + sizeof(*p_spid);
  994. se_ret = sgx_read_rand(p, sizeof(basename) - sizeof(*p_spid));
  995. if(SGX_SUCCESS != se_ret)
  996. {
  997. ret = QE_UNEXPECTED_ERROR;
  998. goto CLEANUP;
  999. }
  1000. }
  1001. epid_ret = EpidRegisterBaseName(p_epid_context, (uint8_t *)&basename,
  1002. sizeof(basename));
  1003. if(kEpidNoErr != epid_ret)
  1004. {
  1005. ret = QE_UNEXPECTED_ERROR;
  1006. goto CLEANUP;
  1007. }
  1008. required_buffer_size = SE_QUOTE_LENGTH_WITHOUT_SIG + sign_size;
  1009. /* We should make sure the buffer size is big enough. */
  1010. if(quote_size < required_buffer_size)
  1011. {
  1012. ret = QE_PARAMETER_ERROR;
  1013. goto CLEANUP;
  1014. }
  1015. //
  1016. // for user_check SigRL input
  1017. // based on n2 field in SigRL
  1018. //
  1019. sgx_lfence();
  1020. /* Copy the data in the report into quote body. */
  1021. memset(emp_quote, 0, quote_size);
  1022. quote_body.version = QE_QUOTE_VERSION;
  1023. quote_body.sign_type = (uint16_t)quote_type;
  1024. quote_body.pce_svn = pce_isvsvn; // Both are little endian
  1025. quote_body.xeid = plaintext.xeid; // Both are little endian
  1026. se_static_assert(sizeof(plaintext.epid_group_cert.gid) == sizeof(uint32_t));
  1027. se_static_assert(sizeof(quote_body.epid_group_id) == sizeof(uint32_t));
  1028. ((uint8_t *)(&quote_body.epid_group_id))[0] = plaintext.epid_group_cert.gid.data[3];
  1029. ((uint8_t *)(&quote_body.epid_group_id))[1] = plaintext.epid_group_cert.gid.data[2];
  1030. ((uint8_t *)(&quote_body.epid_group_id))[2] = plaintext.epid_group_cert.gid.data[1];
  1031. ((uint8_t *)(&quote_body.epid_group_id))[3] = plaintext.epid_group_cert.gid.data[0];
  1032. memcpy(&quote_body.basename, &basename, sizeof(quote_body.basename));
  1033. // Get the QE's report.
  1034. se_ret = sgx_create_report(NULL, NULL, &qe_report);
  1035. if(SGX_SUCCESS != se_ret)
  1036. {
  1037. ret = QE_PARAMETER_ERROR;
  1038. goto CLEANUP;
  1039. }
  1040. // Copy QE's security version in to Quote body.
  1041. quote_body.qe_svn = qe_report.body.isv_svn;
  1042. // Copy the incoming report into Quote body.
  1043. memcpy(&quote_body.report_body, &(p_enclave_report->body),
  1044. sizeof(quote_body.report_body));
  1045. /* Because required_buffer_size is larger than signature_len, so if we
  1046. get here, then no integer overflow will ocur. */
  1047. quote_body.signature_len = (uint32_t)(sizeof(se_wrap_key_t)
  1048. + QUOTE_IV_SIZE
  1049. + sizeof(uint32_t)
  1050. + sign_size
  1051. + sizeof(sgx_mac_t));
  1052. /* Make the signature. */
  1053. ret = qe_epid_sign(p_epid_context,
  1054. plaintext,
  1055. &basename,
  1056. emp_sig_rl ? ((const se_sig_rl_t *)emp_sig_rl)->sig_rl.bk
  1057. : NULL,
  1058. &sig_rl_header,
  1059. &ec_signature,
  1060. p_enclave_report,
  1061. p_nonce,
  1062. p_qe_report,
  1063. emp_quote,
  1064. &quote_body,
  1065. (uint32_t)sign_size);
  1066. if(AE_SUCCESS != ret)
  1067. {
  1068. // Only need to clean the buffer after the fixed length part.
  1069. memset_s(emp_quote + sizeof(sgx_quote_t), quote_size - sizeof(sgx_quote_t),
  1070. 0, quote_size - sizeof(sgx_quote_t));
  1071. goto CLEANUP;
  1072. }
  1073. memcpy(emp_quote, &quote_body, sizeof(sgx_quote_t));
  1074. CLEANUP:
  1075. if(p_epid_context)
  1076. EpidMemberDelete(&p_epid_context);
  1077. return ret;
  1078. }