SKALE-3228

32ccd711 · kladko · 4fd8c4d2 · 32ccd711 · 32ccd711 · 32ccd711
Unverified Commit 32ccd711 authored Sep 07, 2020 by kladko
Hide whitespace changes
Inline Side-by-side

Showing with 94 additions and 5 deletions

AESUtils.c secure_enclave/AESUtils.c +83 -0

AESUtils.h secure_enclave/AESUtils.h +6 -3

secure_enclave.c secure_enclave/secure_enclave.c +5 -2

No files found.
--- a/secure_enclave/AESUtils.c
+++ b/secure_enclave/AESUtils.c
@@ -29,6 +29,9 @@

 #include "AESUtils.h"

+sgx_aes_gcm_128bit_key_t AES_key;
+sgx_aes_gcm_128bit_key_t AES_DH_key;
+
 int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen) {

    if (!message) {
@@ -95,3 +98,83 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t

  return status;
 }
+
+
+
+
+int AES_encrypt_DH(char *message, uint8_t *encr_message, uint64_t encrLen) {
+
+    if (!message) {
+        LOG_ERROR("Null message in AES_encrypt_DH");
+        return -1;
+    }
+
+    if (!encr_message) {
+        LOG_ERROR("Null encr message in AES_encrypt_DH");
+        return -2;
+    }
+
+    uint64_t len = strlen(message) + 1;
+
+    if (len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE > encrLen ) {
+        LOG_ERROR("Output buffer too small");
+        return -3;
+    }
+
+    sgx_read_rand(encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE);
+
+    sgx_status_t status = sgx_rijndael128GCM_encrypt(&AES_DH_key, (uint8_t*)message, strlen(message),
+                                                     encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE,
+                                                     encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
+                                                     NULL, 0,
+                                                     (sgx_aes_gcm_128bit_tag_t *) encr_message);
+
+    return status;
+}
+
+int AES_decrypt_DH(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) {
+
+    if (!message) {
+        LOG_ERROR("Null message in AES_encrypt_DH");
+        return -1;
+    }
+
+    if (!encr_message) {
+        LOG_ERROR("Null encr message in AES_encrypt_DH");
+        return -2;
+    }
+
+
+    if (length < SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE) {
+        LOG_ERROR("length < SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE");
+        return -1;
+    }
+
+
+
+    uint64_t len = length - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE;
+
+    if (msgLen < len) {
+        LOG_ERROR("Output buffer not large enough");
+        return -2;
+    }
+
+    sgx_status_t status = sgx_rijndael128GCM_decrypt(&AES_DH_key,
+                                                     encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE, len,
+                                                     (unsigned char*) message,
+                                                     encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
+                                                     NULL, 0,
+                                                     (sgx_aes_gcm_128bit_tag_t *)encr_message);
+
+    return status;
+}
+
+
+
+
+
+
+void derive_DH_Key() {
+    memcpy(AES_DH_key, AES_key, SGX_AESGCM_KEY_SIZE );
+}
+
--- a/secure_enclave/AESUtils.h
+++ b/secure_enclave/AESUtils.h
@@ -24,13 +24,16 @@
 #ifndef SGXD_AESUTILS_H
 #define SGXD_AESUTILS_H

-sgx_aes_gcm_128bit_key_t AES_key;
+extern sgx_aes_gcm_128bit_key_t AES_key;
+extern sgx_aes_gcm_128bit_key_t AES_DH_key;

 int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen);
 int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;

-int AES_encrypt_dh(char *message, uint8_t *encr_message, uint64_t encrLen);
-int AES_decrypt_dh(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;
+int AES_encrypt_DH(char *message, uint8_t *encr_message, uint64_t encrLen);
+int AES_decrypt_DH(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;
+
+void derive_DH_Key();


 #endif //SGXD_AESUTILS_H
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -292,6 +292,7 @@ void trustedGenerateSEK(int *errStatus, char *errString,

    carray2Hex((uint8_t*) SEK_raw, SGX_AESGCM_KEY_SIZE, sek_hex);
    memcpy(AES_key, SEK_raw, SGX_AESGCM_KEY_SIZE);
+    derive_DH_Key();

    sealHexSEK(errStatus, errString, encrypted_sek, enc_len, sek_hex);

@@ -331,6 +332,7 @@ void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_sek) {


    hex2carray(aes_key_hex, &len, (uint8_t *) AES_key);
+    derive_DH_Key();

    SET_SUCCESS
    clean:
@@ -349,6 +351,7 @@ void trustedSetSEK_backup(int *errStatus, char *errString,

    uint64_t len;
    hex2carray(sek_hex, &len, (uint8_t *) AES_key);
+    derive_DH_Key();

    sealHexSEK(errStatus, errString, encrypted_sek, enc_len, (char *)sek_hex);

@@ -607,7 +610,7 @@ void trustedDecryptKeyAES(int *errStatus, char *errString, uint8_t *encryptedPri

    *errStatus = -9;

-    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 3072);
+    int status = AES_decrypt_DH(encryptedPrivateKey, enc_len, key, 3072);

    if (status != 0) {
        *errStatus = status;
@@ -644,7 +647,7 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,

    *errStatus = UNKNOWN_ERROR;

-    int status = AES_encrypt((char *)key, encryptedPrivateKey, BUF_LEN);
+    int status = AES_encrypt_DH((char *)key, encryptedPrivateKey, BUF_LEN);

    CHECK_STATUS2("AES encrypt failed with status %d");