SKALE-3205-restart

77425c86 · kladko · da89bfe3 · 77425c86 · 77425c86 · 77425c86
Unverified Commit 77425c86 authored Sep 08, 2020 by kladko
10 changed files
--- a/BLSCrypto.cpp
+++ b/BLSCrypto.cpp
@@ -86,7 +86,7 @@ void carray2Hex(const unsigned char *d, uint64_t _len, char *_hexArray,
    CHECK_STATE(_hexArrayLen > 2 * _len);
-    for (int j = 0; j < _len; j++) {
+    for (uint64_t j = 0; j < _len; j++) {
        _hexArray[j * 2] = hexval[((d[j] >> 4) & 0xF)];
        _hexArray[j * 2 + 1] = hexval[(d[j]) & 0x0F];
    }
@@ -105,7 +105,7 @@ bool hex2carray(const char *_hex, uint64_t *_bin_len,
    CHECK_STATE(_bin_len)
-    int len = strnlen(_hex, 2 * _max_length + 1);
+    uint64_t len = strnlen(_hex, 2 * _max_length + 1);
    CHECK_STATE(len != 2 * _max_length + 1);
@@ -117,7 +117,7 @@ bool hex2carray(const char *_hex, uint64_t *_bin_len,
    *_bin_len = len / 2;
-    for (int i = 0; i < len / 2; i++) {
+    for (uint64_t i = 0; i < len / 2; i++) {
        int high = char2int((char) _hex[i * 2]);
        int low = char2int((char) _hex[i * 2 + 1]);
@@ -247,7 +247,8 @@ string encryptBLSKeyShare2Hex(int *errStatus, char *err_string, const char *_key
    strncpy(keyArray->data(), _key, BUF_LEN);
    *errStatus = 0;
-    unsigned int encryptedLen = 0;
+    uint64_t encryptedLen = 0;
    sgx_status_t status = trustedEncryptKeyAES(eid, errStatus, errMsg.data(), keyArray->data(), encryptedKey->data(), &encryptedLen);

--- a/DKGCrypto.cpp
+++ b/DKGCrypto.cpp
@@ -135,13 +135,13 @@ string convertG2ToString(const libff::alt_bn128_G2 &elem, int base, const string
 string gen_dkg_poly(int _t) {
    vector<char> errMsg(BUF_LEN, 0);
    int errStatus = 0;
-    uint32_t enc_len = 0;
+    uint64_t enc_len = 0;
    vector <uint8_t> encrypted_dkg_secret(BUF_LEN, 0);
+    sgx_status_t status = trustedGenDkgSecretAES(
+            eid, &errStatus,errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
-    sgx_status_t status = trustedGenDkgSecretAES(eid, &errStatus, errMsg.data(), encrypted_dkg_secret.data(), &enc_len, _t);
    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus, errMsg.data());
    uint64_t length = enc_len;;
@@ -214,7 +214,7 @@ getSecretShares(const string &_polyName, const char *_encryptedPolyHex, const ve
    for (int i = 0; i < _n; i++) {
        vector <uint8_t> encryptedSkey(BUF_LEN, 0);
-        uint32_t decLen;
+        uint64_t decLen;
        vector<char> currentShare(193, 0);
        vector<char> sShareG2(320, 0);
@@ -300,7 +300,7 @@ bool createBLSShare(const string &blsKeyName, const char *s_shares, const char *
        throw SGXException(INVALID_HEX, "Invalid encryptedKeyHex");
    }
-    uint32_t enc_bls_len = 0;
+    uint64_t enc_bls_len = 0;
    sgx_status_t status = trustedCreateBlsKeyAES(eid, &errStatus, errMsg.data(), s_shares, encr_key, decKeyLen, encr_bls_key,
                                                 &enc_bls_len);

--- a/ECDSACrypto.cpp
+++ b/ECDSACrypto.cpp
@@ -54,7 +54,7 @@ vector <string> genECDSAKey() {
    vector<char> pub_key_x(BUF_LEN, 0);
    vector<char> pub_key_y(BUF_LEN, 0);
-    uint32_t enc_len = 0;
+    uint64_t enc_len = 0;
    sgx_status_t status = trustedGenerateEcdsaKeyAES(eid, &errStatus,
                                        errMsg.data(), encr_pr_key.data(), &enc_len,

--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -52,7 +52,7 @@ bool case_insensitive_match(string s1, string s2) {
 void create_test_key() {
    int errStatus = 0;
    vector<char> errMsg(1024, 0);
-    uint32_t enc_len;
+    uint64_t enc_len;
    SAFE_UINT8_BUF(encrypted_key, BUF_LEN);
@@ -109,7 +109,7 @@ shared_ptr <vector<uint8_t>> check_and_set_SEK(const string &SEK) {
    auto encrypted_SEK = make_shared < vector < uint8_t >> (BUF_LEN, 0);
-    uint32_t l = 0;
+    uint64_t l = 0;
    sgx_status_t status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encrypted_SEK->data(), &l,
                                               SEK.c_str());
@@ -127,7 +127,7 @@ void gen_SEK() {
    vector<char> errMsg(1024, 0);
    int err_status = 0;
    vector <uint8_t> encrypted_SEK(1024, 0);
-    uint32_t enc_len = 0;
+    uint64_t enc_len = 0;
    SAFE_CHAR_BUF(SEK, 65);

--- a/SGXWalletServer.cpp
+++ b/SGXWalletServer.cpp
@@ -563,7 +563,7 @@ Json::Value SGXWalletServer::calculateAllBLSPublicKeysImpl(const Json::Value& pu
        vector<string> public_keys = calculateAllBlsPublicKeys(public_shares);
-        if (public_keys.size() != n) {
+        if (public_keys.size() != (uint64_t)n) {
            throw SGXException(UNKNOWN_ERROR, "");
        }

--- a/secure_enclave/AESUtils.c
+++ b/secure_enclave/AESUtils.c
@@ -27,12 +27,24 @@
 #include "stdlib.h"
 #include <string.h>
 #include "AESUtils.h"
 sgx_aes_gcm_128bit_key_t AES_key;
 sgx_aes_gcm_128bit_key_t AES_DH_key;
-int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen) {
+#define SAFE_CHAR_BUF(__X__, __Y__)  ;char __X__ [ __Y__ ]; memset(__X__, 0, __Y__);
+int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsigned  char type,
+                unsigned char decryptable, uint64_t* resultLen) {
+    if (!type) {
+        LOG_ERROR("Null type in AES_encrypt");
+        return -1;
+    }
    if (!message) {
        LOG_ERROR("Null message in AES_encrypt");
@@ -46,19 +58,31 @@ int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen) {
    uint64_t len = strlen(message) + 1;
-    if (len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE > encrLen ) {
+    if (2 + len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE > encrBufLen ) {
        LOG_ERROR("Output buffer too small");
        return -3;
    }
+    SAFE_CHAR_BUF(fullMessage, len + 2);
+    fullMessage[0] = type;
+    fullMessage[1] = decryptable;
+    strncpy(fullMessage + 2, message, len );
+    len = len + 2;
+    message = fullMessage;
    sgx_read_rand(encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE);
-    sgx_status_t status = sgx_rijndael128GCM_encrypt(&AES_key, (uint8_t*)message, strlen(message),
+    sgx_status_t status = sgx_rijndael128GCM_encrypt(&AES_key, (uint8_t*)message, len,
                                                     encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE,
                                                     encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
                                                     NULL, 0,
                                                     (sgx_aes_gcm_128bit_tag_t *) encr_message);
+    *resultLen = len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE;
    return status;
 }
@@ -96,79 +120,19 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
                                                   NULL, 0,
                                                   (sgx_aes_gcm_128bit_tag_t *)encr_message);
-  return status;
+  for (int i = 2; i < strlen(message) + 1; i++) {
-}
+      message[i - 2 ] = message[i];
-int AES_encrypt_DH(char *message, uint8_t *encr_message, uint64_t encrLen) {
-    if (!message) {
-        LOG_ERROR("Null message in AES_encrypt_DH");
-        return -1;
-    }
-    if (!encr_message) {
-        LOG_ERROR("Null encr message in AES_encrypt_DH");
-        return -2;
-    }
-    uint64_t len = strlen(message) + 1;
-    if (len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE > encrLen ) {
-        LOG_ERROR("Output buffer too small");
-        return -3;
  }
-    sgx_read_rand(encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE);
-    sgx_status_t status = sgx_rijndael128GCM_encrypt(&AES_DH_key, (uint8_t*)message, strlen(message),
-                                                     encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE,
-                                                     encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
-                                                     NULL, 0,
-                                                     (sgx_aes_gcm_128bit_tag_t *) encr_message);
  return status;
 }
-int AES_decrypt_DH(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) {
-    if (!message) {
-        LOG_ERROR("Null message in AES_encrypt_DH");
-        return -1;
-    }
-    if (!encr_message) {
-        LOG_ERROR("Null encr message in AES_encrypt_DH");
-        return -2;
-    }
-    if (length < SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE) {
-        LOG_ERROR("length < SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE");
-        return -1;
-    }
-    uint64_t len = length - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE;
-    if (msgLen < len) {
-        LOG_ERROR("Output buffer not large enough");
-        return -2;
-    }
-    sgx_status_t status = sgx_rijndael128GCM_decrypt(&AES_DH_key,
-                                                     encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE, len,
-                                                     (unsigned char*) message,
-                                                     encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
-                                                     NULL, 0,
-                                                     (sgx_aes_gcm_128bit_tag_t *)encr_message);
-    return status;
-}

--- a/secure_enclave/AESUtils.h
+++ b/secure_enclave/AESUtils.h
@@ -27,7 +27,8 @@
 extern sgx_aes_gcm_128bit_key_t AES_key;
 extern sgx_aes_gcm_128bit_key_t AES_DH_key;
-int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen);
+int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen,
+                unsigned char type, unsigned char decryptable, uint64_t* resultLen);
 int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;
 int AES_encrypt_DH(char *message, uint8_t *encr_message, uint64_t encrLen);
@@ -35,5 +36,13 @@ int AES_decrypt_DH(uint8_t *encr_message, uint64_t length, char *message, uint64
 void derive_DH_Key();
+#define ECDSA '1'
+#define BLS '2'
+#define DKG '3'
+#define DECRYPTABLE '1'
+#define NON_DECRYPTABLE '2'
 #endif //SGXD_AESUTILS_H
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -122,7 +122,7 @@ unsigned char *globalRandom = NULL;
        abort(); \
    } else {called = true;};
-void trustedEnclaveInit(uint32_t _logLevel) {
+void trustedEnclaveInit(uint64_t _logLevel) {
    CALL_ONCE
    LOG_INFO(__FUNCTION__);
@@ -232,7 +232,7 @@ void get_global_random(unsigned char *_randBuff, uint64_t _size) {
 void sealHexSEK(int *errStatus, char *errString,
-                        uint8_t *encrypted_sek, uint32_t *enc_len, char *sek_hex) {
+                        uint8_t *encrypted_sek, uint64_t *enc_len, char *sek_hex) {
    CALL_ONCE
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -255,7 +255,7 @@ void sealHexSEK(int *errStatus, char *errString,
                                           (sgx_sealed_data_t *) encrypted_sek);
    CHECK_STATUS("seal SEK failed after SEK generation");
-    uint32_t encrypt_text_length = sgx_get_encrypt_txt_len((const sgx_sealed_data_t *)encrypted_sek);
+    uint64_t encrypt_text_length = sgx_get_encrypt_txt_len((const sgx_sealed_data_t *)encrypted_sek);
    CHECK_STATE(encrypt_text_length = plaintextLen);
@@ -263,7 +263,7 @@ void sealHexSEK(int *errStatus, char *errString,
    SAFE_CHAR_BUF(unsealedKey, BUF_LEN);
    uint32_t decLen = BUF_LEN;
-    uint32_t add_text_length = sgx_get_add_mac_txt_len((const sgx_sealed_data_t *)encrypted_sek);
+    uint64_t add_text_length = sgx_get_add_mac_txt_len((const sgx_sealed_data_t *)encrypted_sek);
    CHECK_STATE(add_text_length == 0);
    CHECK_STATE(sgx_is_within_enclave(encrypted_sek,sizeof(sgx_sealed_data_t)));
    status = sgx_unseal_data((const sgx_sealed_data_t *)encrypted_sek, NULL, NULL,
@@ -279,7 +279,7 @@ void sealHexSEK(int *errStatus, char *errString,
 }
 void trustedGenerateSEK(int *errStatus, char *errString,
-                        uint8_t *encrypted_sek, uint32_t *enc_len, char *sek_hex) {
+                        uint8_t *encrypted_sek, uint64_t *enc_len, char *sek_hex) {
    CALL_ONCE
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -341,7 +341,7 @@ void trustedSetSEK(int *errStatus, char *errString, uint8_t *encrypted_sek) {
 }
 void trustedSetSEK_backup(int *errStatus, char *errString,
-                          uint8_t *encrypted_sek, uint32_t *enc_len, const char *sek_hex) {
+                          uint8_t *encrypted_sek, uint64_t *enc_len, const char *sek_hex) {
    CALL_ONCE
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -370,7 +370,7 @@ void trustedSetSEK_backup(int *errStatus, char *errString,
 void trustedGenerateEcdsaKeyAES(int *errStatus, char *errString,
-                                uint8_t *encryptedPrivateKey, uint32_t *enc_len, char *pub_key_x, char *pub_key_y) {
+                                uint8_t *encryptedPrivateKey, uint64_t *enc_len, char *pub_key_x, char *pub_key_y) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -410,22 +410,21 @@ void trustedGenerateEcdsaKeyAES(int *errStatus, char *errString,
    }
    strncpy(pub_key_y + n_zeroes, arr_y, 1024 - n_zeroes);
-    SAFE_CHAR_BUF(skey_str, ECDSA_SKEY_LEN);SAFE_CHAR_BUF(arr_skey_str, mpz_sizeinbase(skey, ECDSA_SKEY_BASE) + 2);
+    SAFE_CHAR_BUF(skey_str, BUF_LEN);
+    SAFE_CHAR_BUF(arr_skey_str, mpz_sizeinbase(skey, ECDSA_SKEY_BASE) + 2);
    mpz_get_str(arr_skey_str, ECDSA_SKEY_BASE, skey);
    n_zeroes = 64 - strlen(arr_skey_str);
    for (int i = 0; i < n_zeroes; i++) {
        skey_str[i] = '0';
    }
    strncpy(skey_str + n_zeroes, arr_skey_str, 65 - n_zeroes);
-    skey_str[ECDSA_SKEY_LEN - 1] = 0;
    snprintf(errString, BUF_LEN, "skey len is %d\n", (int) strlen(skey_str));
-    int status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN);
+    int status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+                             ECDSA, NON_DECRYPTABLE, enc_len);
    CHECK_STATUS("ecdsa private key encryption failed");
-    *enc_len = strlen(skey_str) + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE;
+    status = AES_decrypt(encryptedPrivateKey, *enc_len, skey_str, BUF_LEN);
-    status = AES_decrypt(encryptedPrivateKey, *enc_len, skey_str, ECDSA_SKEY_LEN);
    CHECK_STATUS2("ecdsa private key decr failed with status %d");
@@ -439,11 +438,11 @@ void trustedGenerateEcdsaKeyAES(int *errStatus, char *errString,
 }
 void trustedGetPublicEcdsaKeyAES(int *errStatus, char *errString,
-                                 uint8_t *encryptedPrivateKey, uint32_t enc_len, char *pub_key_x, char *pub_key_y) {
+                                 uint8_t *encryptedPrivateKey, uint64_t enc_len, char *pub_key_x, char *pub_key_y) {
    LOG_DEBUG(__FUNCTION__);
    INIT_ERROR_STATE
-    SAFE_CHAR_BUF(skey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey, BUF_LEN);
    mpz_t privateKeyMpz;
    mpz_init(privateKeyMpz);
@@ -455,7 +454,7 @@ void trustedGetPublicEcdsaKeyAES(int *errStatus, char *errString,
    CHECK_STATE(pub_key_x);
    CHECK_STATE(pub_key_y);
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, ECDSA_SKEY_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
    CHECK_STATUS2("AES_decrypt failed with status %d");
    skey[enc_len - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE] = '\0';
@@ -515,7 +514,7 @@ void trustedGetPublicEcdsaKeyAES(int *errStatus, char *errString,
 static uint64_t sigCounter = 0;
-void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPrivateKey, uint32_t enc_len,
+void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPrivateKey, uint64_t enc_len,
                         const char *hash, char *sigR, char *sigS, uint8_t *sig_v, int base) {
    LOG_DEBUG(__FUNCTION__);
@@ -526,7 +525,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
    CHECK_STATE(sigR);
    CHECK_STATE(sigS);
-    SAFE_CHAR_BUF(skey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey, BUF_LEN);
    mpz_t privateKeyMpz;
    mpz_init(privateKeyMpz);
@@ -534,7 +533,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
    mpz_init(msgMpz);
    signature sign = signature_init();
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, ECDSA_SKEY_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
    CHECK_STATUS2("aes decrypt failed with status %d");
@@ -600,7 +599,7 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
 void trustedDecryptKeyAES(int *errStatus, char *errString, uint8_t *encryptedPrivateKey,
-                          uint32_t enc_len, char *key) {
+                          uint64_t enc_len, char *key) {
    LOG_DEBUG(__FUNCTION__);
    INIT_ERROR_STATE
@@ -610,7 +609,7 @@ void trustedDecryptKeyAES(int *errStatus, char *errString, uint8_t *encryptedPri
    *errStatus = -9;
-    int status = AES_decrypt_DH(encryptedPrivateKey, enc_len, key, 3072);
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 3072);
    if (status != 0) {
        *errStatus = status;
@@ -636,7 +635,7 @@ void trustedDecryptKeyAES(int *errStatus, char *errString, uint8_t *encryptedPri
 void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
-                          uint8_t *encryptedPrivateKey, uint32_t *enc_len) {
+                          uint8_t *encryptedPrivateKey, uint64_t *enc_len) {
    LOG_INFO(__FUNCTION__);
    *errString = 0;
@@ -647,15 +646,14 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
    *errStatus = UNKNOWN_ERROR;
-    int status = AES_encrypt_DH((char *)key, encryptedPrivateKey, BUF_LEN);
+    int status = AES_encrypt((char *)key, encryptedPrivateKey, BUF_LEN,
+                             DKG, DECRYPTABLE, enc_len);
    CHECK_STATUS2("AES encrypt failed with status %d");
-    *enc_len = strlen(key) + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE;
    SAFE_CHAR_BUF(decryptedKey, BUF_LEN);
-    status = AES_decrypt_DH(encryptedPrivateKey, *enc_len, decryptedKey, BUF_LEN);
+    status = AES_decrypt(encryptedPrivateKey, *enc_len, decryptedKey, BUF_LEN);
    CHECK_STATUS2("trustedDecryptKey failed with status %d");
@@ -671,6 +669,8 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
    if (strncmp(key, decryptedKey, MAX_KEY_LENGTH) != 0) {
        snprintf(errString, BUF_LEN, "Decrypted key does not match original key");
+        LOG_ERROR(key);
+        LOG_ERROR(decryptedKey);
        LOG_ERROR(errString);
        goto clean;
    }
@@ -684,7 +684,7 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
 void trustedBlsSignMessageAES(int *errStatus, char *errString, uint8_t *encryptedPrivateKey,
-                              uint32_t enc_len, char *_hashX,
+                              uint64_t enc_len, char *_hashX,
                              char *_hashY, char *signature) {
    LOG_DEBUG(__FUNCTION__);
    INIT_ERROR_STATE
@@ -726,7 +726,7 @@ void trustedBlsSignMessageAES(int *errStatus, char *errString, uint8_t *encrypte
 }
 void
-trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret, uint32_t *enc_len, size_t _t) {
+trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret, uint64_t *enc_len, size_t _t) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -738,11 +738,12 @@ trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_s
    CHECK_STATUS("gen_dkg_poly failed")
-    status = AES_encrypt(dkg_secret, encrypted_dkg_secret, 3 * BUF_LEN);
+    status = AES_encrypt(dkg_secret, encrypted_dkg_secret, 3 * BUF_LEN,
+                         DKG, DECRYPTABLE, enc_len);
    CHECK_STATUS("SGX AES encrypt DKG poly failed");
-    *enc_len = strlen(dkg_secret) + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE;
    SAFE_CHAR_BUF(decr_dkg_secret, DKG_BUFER_LENGTH);
@@ -768,7 +769,7 @@ trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_s
 void
 trustedDecryptDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret,
-                           uint32_t enc_len,
+                           uint64_t enc_len,
                           uint8_t *decrypted_dkg_secret) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -790,7 +791,7 @@ trustedDecryptDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_d
 }
-void trustedSetEncryptedDkgPolyAES(int *errStatus, char *errString, uint8_t *encrypted_poly, uint32_t enc_len) {
+void trustedSetEncryptedDkgPolyAES(int *errStatus, char *errString, uint8_t *encrypted_poly, uint64_t enc_len) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -810,14 +811,14 @@ void trustedSetEncryptedDkgPolyAES(int *errStatus, char *errString, uint8_t *enc
    LOG_INFO("SGX call completed");
 }
-void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t *encrypted_skey, uint32_t *dec_len,
+void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t *encrypted_skey, uint64_t *dec_len,
                                       char *result_str, char *s_shareG2, char *pub_keyB, uint8_t _t, uint8_t _n,
                                       uint8_t ind) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
-    uint32_t enc_len;
+    uint64_t enc_len;
    int status;
    CHECK_STATE(encrypted_skey);
@@ -827,7 +828,7 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    LOG_DEBUG(__FUNCTION__);
-    SAFE_CHAR_BUF(skey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey, BUF_LEN);
    SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
@@ -835,7 +836,7 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    CHECK_STATUS("trustedGenerateEcdsaKeyAES failed");
-    status = AES_decrypt(encrypted_skey, enc_len, skey, ECDSA_SKEY_LEN);
+    status = AES_decrypt(encrypted_skey, enc_len, skey, BUF_LEN);
    skey[ECDSA_SKEY_LEN - 1] = 0;
@@ -843,13 +844,13 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    *dec_len = enc_len;
-    SAFE_CHAR_BUF(common_key, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(common_key, BUF_LEN);
    status = gen_session_key(skey, pub_keyB, common_key);
    CHECK_STATUS("gen_session_key failed")
-    SAFE_CHAR_BUF(s_share, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(s_share, BUF_LEN);
    status = calc_secret_share(getThreadLocalDecryptedDkgPoly(), s_share, _t, _n, ind);
    CHECK_STATUS("calc secret share failed")
@@ -858,7 +859,7 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    status = calc_secret_shareG2(s_share, s_shareG2);
    CHECK_STATUS("invalid decr secret share");
-    SAFE_CHAR_BUF(cypher, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(cypher, BUF_LEN);
    status=xor_encrypt(common_key, s_share, cypher);
    CHECK_STATUS("xor_encrypt failed")
@@ -875,7 +876,7 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    LOG_INFO("SGX call completed");
 }
-void trustedGetPublicSharesAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret, uint32_t enc_len,
+void trustedGetPublicSharesAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_secret, uint64_t enc_len,
                               char *public_shares,
                               unsigned _t, unsigned _n) {
    LOG_INFO(__FUNCTION__);
@@ -913,26 +914,26 @@ void trustedDkgVerifyAES(int *errStatus, char *errString, const char *public_sha
    CHECK_STATE(s_share);
    CHECK_STATE(encryptedPrivateKey);
-    SAFE_CHAR_BUF(skey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey,BUF_LEN);
    mpz_t s;
    mpz_init(s);
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, ECDSA_SKEY_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
    CHECK_STATUS2("AES_decrypt failed (in trustedDkgVerifyAES) with status %d");
-    SAFE_CHAR_BUF(encr_sshare, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(encr_sshare, BUF_LEN);
    strncpy(encr_sshare, s_share, ECDSA_SKEY_LEN - 1);
-    SAFE_CHAR_BUF(common_key, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(common_key, BUF_LEN);
    status = session_key_recover(skey, s_share, common_key);
    CHECK_STATUS("session_key_recover failed");
-    SAFE_CHAR_BUF(decr_sshare, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(decr_sshare, BUF_LEN);
    status=xor_decrypt(common_key, encr_sshare, decr_sshare);
@@ -954,7 +955,7 @@ void trustedDkgVerifyAES(int *errStatus, char *errString, const char *public_sha
 void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_shares,
                            uint8_t *encryptedPrivateKey, uint64_t key_len, uint8_t *encr_bls_key,
-                            uint32_t *enc_bls_key_len) {
+                            uint64_t *enc_bls_key_len) {
    LOG_INFO(__FUNCTION__);
@@ -964,7 +965,7 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
    CHECK_STATE(encryptedPrivateKey);
    CHECK_STATE(encr_bls_key);
-    SAFE_CHAR_BUF(skey, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey, BUF_LEN);
    mpz_t sum;
    mpz_init(sum);
@@ -978,7 +979,7 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
    mpz_init(bls_key);
-    int status = AES_decrypt(encryptedPrivateKey, key_len, skey, ECDSA_SKEY_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, key_len, skey, BUF_LEN);
    CHECK_STATUS2("aes decrypt failed with status %d");
    skey[ECDSA_SKEY_LEN - 1] = 0;
@@ -1038,12 +1039,10 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
    strncpy(key_share + n_zeroes, arr_skey_str, 65 - n_zeroes);
    key_share[BLS_KEY_LENGTH - 1] = 0;
-    status = AES_encrypt(key_share, encr_bls_key, BUF_LEN);
+    status = AES_encrypt(key_share, encr_bls_key, BUF_LEN, BLS, NON_DECRYPTABLE, enc_bls_key_len);
    CHECK_STATUS2("aes encrypt bls private key failed with status %d ");
-    *enc_bls_key_len = strlen(key_share) + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE;
    SET_SUCCESS
    clean:
@@ -1064,9 +1063,9 @@ trustedGetBlsPubKeyAES(int *errStatus, char *errString, uint8_t *encryptedPrivat
    CHECK_STATE(bls_pub_key);
    CHECK_STATE(encryptedPrivateKey);
-    SAFE_CHAR_BUF(skey_hex, ECDSA_SKEY_LEN);
+    SAFE_CHAR_BUF(skey_hex, BUF_LEN);
-    int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, ECDSA_SKEY_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, BUF_LEN);
    CHECK_STATUS2("AES decrypt failed %d");

--- a/secure_enclave/secure_enclave.edl
+++ b/secure_enclave/secure_enclave.edl
@@ -11,14 +11,14 @@ enclave {
 	trusted {
 		include "sgx_tgmp.h"
-		public void trustedEnclaveInit(uint32_t _logLevel);
+		public void trustedEnclaveInit(uint64_t _logLevel);
        public void trustedGenerateSEK(
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char *err_string,
                                [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_SEK,
-                                [out] uint32_t *enc_len,
+                                [out] uint64_t *enc_len,
                                [out, count = 65] char* hex_SEK);
        public void trustedSetSEK(
@@ -30,14 +30,14 @@ enclave {
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char *err_string,
                                [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_SEK,
-                                [out] uint32_t *enc_len,
+                                [out] uint64_t *enc_len,
                                [in, string] const char* SEK_hex);
        public void trustedGenerateEcdsaKeyAES (
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [out, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
-                                [out] uint32_t *enc_len,
+                                [out] uint64_t *enc_len,
                                [out, count = SMALL_BUF_SIZE] char * pub_key_x,
                                [out, count = SMALL_BUF_SIZE] char * pub_key_y);
@@ -45,7 +45,7 @@ enclave {
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
-                                uint32_t dec_len,
+                                uint64_t dec_len,
                                [out, count = SMALL_BUF_SIZE] char * pub_key_x,
                                [out, count = SMALL_BUF_SIZE] char * pub_key_y);
@@ -53,7 +53,7 @@ enclave {
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
-                                uint32_t enc_len,
+                                uint64_t enc_len,
                                [in, string] const char* hash,
                                [out, count = SMALL_BUF_SIZE] char* sig_r,
                                [out, count = SMALL_BUF_SIZE] char* sig_s,
@@ -65,26 +65,26 @@ enclave {
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = SMALL_BUF_SIZE] const char* key,
                                [out, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
-                                [out] uint32_t *enc_len);
+                                [out] uint64_t *enc_len);
        public void trustedDecryptKeyAES (
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
-                                uint32_t enc_len,
+                                uint64_t enc_len,
                                [out, count = SMALL_BUF_SIZE] char* key );
        public void trustedGenDkgSecretAES (
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [out, count = 3072] uint8_t* encrypted_dkg_secret,
-                                [out] uint32_t * enc_len, size_t _t);
+                                [out] uint64_t * enc_len, size_t _t);
        public void trustedDecryptDkgSecretAES (
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = 3050] uint8_t* encrypted_dkg_secret,
-                                uint32_t enc_len,
+                                uint64_t enc_len,
                                [out, count = 3072] uint8_t* decrypted_dkg_secret
                                );
@@ -92,13 +92,13 @@ enclave {
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = 3050] uint8_t* encrypted_poly,
-                                uint32_t enc_len);
+                                uint64_t enc_len);
        public void trustedGetEncryptedSecretShareAES(
                                [out]int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char *err_string,
                                [out, count = SMALL_BUF_SIZE] uint8_t *encrypted_skey,
-                                [out] uint32_t* dec_len,
+                                [out] uint64_t* dec_len,
                                [out, count = 193] char* result_str,
                                [out, count = 320] char* s_shareG2,
                                [in, string] char* pub_keyB,
@@ -110,7 +110,7 @@ enclave {
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
                                [in, count = 3050] uint8_t* encrypted_dkg_secret,
-                                uint32_t enc_len,
+                                uint64_t enc_len,
                                [out, count = 10000] char* public_shares,
                                unsigned _t,
                                unsigned _n);
@@ -133,13 +133,13 @@ enclave {
                                [in, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
                                uint64_t key_len,
                                [out, count = SMALL_BUF_SIZE] uint8_t * encr_bls_key,
-                                [out] uint32_t *enc_bls_key_len);
+                                [out] uint64_t *enc_bls_key_len);
        public void trustedBlsSignMessageAES (
                                [out] int *errStatus,
                                [out, count = TINY_BUF_SIZE] char* err_string,
                                [in, count = TINY_BUF_SIZE] uint8_t* encrypted_key,
-                                uint32_t enc_len,
+                                uint64_t enc_len,
                                [in, string] char* hashX ,
                                [in, string] char* hashY,
                                [out, count = SMALL_BUF_SIZE] char* signature);

--- a/testw.cpp
+++ b/testw.cpp
@@ -127,7 +127,7 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES keygen and signature test", "[ecdsa-aes
    vector<char> pubKeyX(BUF_LEN, 0);
    vector<char> pubKeyY(BUF_LEN, 0);
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    PRINT_SRC_LINE
    auto status = trustedGenerateEcdsaKeyAES(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
                                             pubKeyX.data(),
@@ -160,7 +160,7 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES key gen", "[ecdsa-aes-key-gen]") {
    vector <uint8_t> encrPrivKey(BUF_LEN, 0);
    vector<char> pubKeyX(BUF_LEN, 0);
    vector<char> pubKeyY(BUF_LEN, 0);
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    PRINT_SRC_LINE
    auto status = trustedGenerateEcdsaKeyAES(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
                                             pubKeyX.data(),
@@ -177,7 +177,8 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES get public key", "[ecdsa-aes-get-pub-ke
    vector <uint8_t> encPrivKey(BUF_LEN, 0);
    vector<char> pubKeyX(BUF_LEN, 0);
    vector<char> pubKeyY(BUF_LEN, 0);
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    PRINT_SRC_LINE
    auto status = trustedGenerateEcdsaKeyAES(eid, &errStatus, errMsg.data(), encPrivKey.data(), &encLen, pubKeyX.data(),
@@ -291,7 +292,7 @@ TEST_CASE_METHOD(TestFixture, "DKG AES gen test", "[dkg-aes-gen]") {
    vector<char> errMsg(BUF_LEN, 0);
    int errStatus = 0;
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    PRINT_SRC_LINE
    auto status = trustedGenDkgSecretAES(eid, &errStatus, errMsg.data(), encryptedDKGSecret.data(), &encLen, 32);
@@ -314,7 +315,7 @@ TEST_CASE_METHOD(TestFixture, "DKG AES public shares test", "[dkg-aes-pub-shares
    vector<char> errMsg(BUF_LEN, 0);
    int errStatus = 0;
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    unsigned t = 32, n = 32;
    PRINT_SRC_LINE
@@ -363,7 +364,7 @@ TEST_CASE_METHOD(TestFixture, "DKG AES encrypted secret shares test", "[dkg-aes-
    vector<char> result(BUF_LEN, 0);
    int errStatus = 0;
-    uint32_t encLen = 0;
+    uint64_t encLen = 0;
    vector <uint8_t> encryptedDKGSecret(BUF_LEN, 0);
    PRINT_SRC_LINE
@@ -694,7 +695,7 @@ TEST_CASE_METHOD(TestFixture, "AES_DKG test", "[aes-dkg]") {
 TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
    int errStatus = 0;
    vector<char> errMsg(BUF_LEN, 0);
-    uint32_t encLen;
+    uint64_t encLen;
    string key = SAMPLE_AES_KEY;
    vector <uint8_t> encrypted_key(BUF_LEN, 0);