SKALE-3151-cannot decrypt storage key

1f6064e7 · kladko · b3f3290e · 1f6064e7 · 1f6064e7
Unverified Commit 1f6064e7 authored Aug 21, 2020 by kladko
Show whitespace changes
Inline Side-by-side

Showing with 53 additions and 30 deletions

VERSION VERSION +1 -1

secure_enclave.c secure_enclave/secure_enclave.c +52 -29

No files found.
--- a/VERSION
+++ b/VERSION
-1.56.0
+1.57.0
\ No newline at end of file
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -189,43 +189,40 @@ void get_global_random(unsigned char *_randBuff, uint64_t _size) {
 }
-void trustedGenerateSEK(int *errStatus, char *errString,
+void sealHexSEK(int *errStatus, char *errString,
-                        uint8_t *encrypted_SEK, uint32_t *enc_len, char *SEK_hex) {
+                        uint8_t *encrypted_sek, uint32_t *enc_len, char *sek_hex) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
-    CHECK_STATE(encrypted_SEK);
+    CHECK_STATE(encrypted_sek);
-    CHECK_STATE(SEK_hex);
+    CHECK_STATE(sek_hex);
-    RANDOM_CHAR_BUF(SEK_raw, SGX_AESGCM_KEY_SIZE);
-    uint32_t hex_aes_key_length = SGX_AESGCM_KEY_SIZE * 2;
+    uint64_t plaintextLen = strlen(sek_hex + 1);
-    carray2Hex((uint8_t*) SEK_raw, SGX_AESGCM_KEY_SIZE, SEK_hex);
-    memcpy(AES_key, SEK_raw, SGX_AESGCM_KEY_SIZE);
-    uint32_t sealedLen = sgx_calc_sealed_data_size(0, hex_aes_key_length + 1);
+    uint64_t sealedLen = sgx_calc_sealed_data_size(0, plaintextLen);
    sgx_attributes_t attribute_mask;
    attribute_mask.flags = 0xfffffffffffffff3;
    attribute_mask.xfrm = 0x0;
    sgx_misc_select_t misc = 0xF0000000;
-    sgx_status_t status = sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE, attribute_mask, misc, 0, NULL, hex_aes_key_length + 1, (uint8_t *) SEK_hex, sealedLen,
+    sgx_status_t status = sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE, attribute_mask, misc, 0, NULL, plaintextLen, (uint8_t *) sek_hex, sealedLen,
-                                        (sgx_sealed_data_t *) encrypted_SEK);
+                                           (sgx_sealed_data_t *) encrypted_sek);
    CHECK_STATUS("seal SEK failed after SEK generation");
-    uint32_t encrypt_text_length = sgx_get_encrypt_txt_len((const sgx_sealed_data_t *)encrypted_SEK);
+    uint32_t encrypt_text_length = sgx_get_encrypt_txt_len((const sgx_sealed_data_t *)encrypted_sek);
-    CHECK_STATE(encrypt_text_length = hex_aes_key_length + 1);
+    CHECK_STATE(encrypt_text_length = plaintextLen);
    SAFE_CHAR_BUF(unsealedKey, BUF_LEN);
    uint32_t decLen = BUF_LEN;
-    uint32_t add_text_length = sgx_get_add_mac_txt_len((const sgx_sealed_data_t *)encrypted_SEK);
+    uint32_t add_text_length = sgx_get_add_mac_txt_len((const sgx_sealed_data_t *)encrypted_sek);
    CHECK_STATE(add_text_length == 0);
-    CHECK_STATE(sgx_is_within_enclave(encrypted_SEK,sizeof(sgx_sealed_data_t)));
+    CHECK_STATE(sgx_is_within_enclave(encrypted_sek,sizeof(sgx_sealed_data_t)));
-    status = sgx_unseal_data((const sgx_sealed_data_t *)encrypted_SEK, NULL, NULL,
+    status = sgx_unseal_data((const sgx_sealed_data_t *)encrypted_sek, NULL, NULL,
                             (uint8_t *) unsealedKey, &decLen );
    CHECK_STATUS("seal/unseal SEK failed after SEK generation in unseal");
@@ -237,16 +234,42 @@ void trustedGenerateSEK(int *errStatus, char *errString,
    LOG_INFO("SGX call completed");
 }
-void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_SEK) {
+void trustedGenerateSEK(int *errStatus, char *errString,
+                        uint8_t *encrypted_sek, uint32_t *enc_len, char *sek_hex) {
+    LOG_INFO(__FUNCTION__);
+    INIT_ERROR_STATE
+    CHECK_STATE(encrypted_sek);
+    CHECK_STATE(sek_hex);
+    RANDOM_CHAR_BUF(SEK_raw, SGX_AESGCM_KEY_SIZE);
+    carray2Hex((uint8_t*) SEK_raw, SGX_AESGCM_KEY_SIZE, sek_hex);
+    memcpy(AES_key, SEK_raw, SGX_AESGCM_KEY_SIZE);
+    sealHexSEK(errStatus, errString, encrypted_sek, enc_len, sek_hex);
+    if (errStatus != 0) {
+        LOG_ERROR("sealHexSEK failed");
+        goto clean;
+    }
+    SET_SUCCESS
+    clean:
+    ;
+    LOG_INFO("SGX call completed");
+}
+void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_sek) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
-    CHECK_STATE(encrypted_SEK);
+    CHECK_STATE(encrypted_sek);
    SAFE_CHAR_BUF(aes_key_hex, BUF_LEN);
    uint32_t dec_len;
    sgx_status_t status = sgx_unseal_data(
-            (const sgx_sealed_data_t *) encrypted_SEK, NULL, 0,
+            (const sgx_sealed_data_t *) encrypted_sek, NULL, 0,
            (uint8_t *)aes_key_hex, &dec_len);
    CHECK_STATUS2("sgx unseal SEK failed with status %d");
@@ -262,17 +285,17 @@ void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_SEK) {
 }
 void trustedSetSEK_backup(int *errStatus, char *errString,
-                          uint8_t *encrypted_SEK, uint32_t *enc_len, const char *SEK_hex) {
+                          uint8_t *encrypted_sek, uint32_t *enc_len, const char *sek_hex) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
-    CHECK_STATE(encrypted_SEK);
+    CHECK_STATE(encrypted_sek);
-    CHECK_STATE(SEK_hex);
+    CHECK_STATE(sek_hex);
    uint64_t len;
-    hex2carray(SEK_hex, &len, (uint8_t *) AES_key);
+    hex2carray(sek_hex, &len, (uint8_t *) AES_key);
-    uint32_t sealedLen = sgx_calc_sealed_data_size(0, strlen(SEK_hex) + 1);
+    uint32_t sealedLen = sgx_calc_sealed_data_size(0, strlen(sek_hex) + 1);
    sgx_attributes_t attribute_mask;
@@ -282,8 +305,8 @@ void trustedSetSEK_backup(int *errStatus, char *errString,
    sgx_misc_select_t misc = 0xF0000000;
    sgx_status_t status = sgx_seal_data_ex(SGX_KEYPOLICY_MRENCLAVE,
-                                           attribute_mask, misc, 0, NULL, strlen(SEK_hex) + 1, (uint8_t *) SEK_hex, sealedLen,
+                                           attribute_mask, misc, 0, NULL, strlen(sek_hex) + 1, (uint8_t *) sek_hex, sealedLen,
-                                        (sgx_sealed_data_t *) encrypted_SEK);
+                                        (sgx_sealed_data_t *) encrypted_sek);
    CHECK_STATUS2("seal SEK failed with status %d")