SKALE-3205

eaa8c60a · kladko · 77425c86 · eaa8c60a · eaa8c60a · eaa8c60a
Unverified Commit eaa8c60a authored Sep 08, 2020 by kladko
Hide whitespace changes
Inline Side-by-side

Showing with 88 additions and 19 deletions

AESUtils.c secure_enclave/AESUtils.c +14 -1

AESUtils.h secure_enclave/AESUtils.h +2 -3

secure_enclave.c secure_enclave/secure_enclave.c +72 -15

No files found.
--- a/secure_enclave/AESUtils.c
+++ b/secure_enclave/AESUtils.c
@@ -86,7 +86,8 @@ int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsig
    return status;
 }
-int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) {
+int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen,
+                uint8_t *type, uint8_t* decryptable){
    if (!message) {
        LOG_ERROR("Null message in AES_encrypt");
@@ -98,6 +99,16 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
        return -2;
    }
+    if (!type) {
+        LOG_ERROR("Null type in AES_encrypt");
+        return -3;
+    }
+    if (!encr_message) {
+        LOG_ERROR("Null decryptable in AES_encrypt");
+        return -4;
+    }
  if (length < SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE) {
      LOG_ERROR("length < SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE");
@@ -120,6 +131,8 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
                                                   NULL, 0,
                                                   (sgx_aes_gcm_128bit_tag_t *)encr_message);
+  *type = message[0];
+  *decryptable = message[1];
  for (int i = 2; i < strlen(message) + 1; i++) {
      message[i - 2 ] = message[i];
  }

--- a/secure_enclave/AESUtils.h
+++ b/secure_enclave/AESUtils.h
@@ -29,10 +29,9 @@ extern sgx_aes_gcm_128bit_key_t AES_DH_key;
 int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrLen,
                unsigned char type, unsigned char decryptable, uint64_t* resultLen);
-int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;
+int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen,
+                uint8_t *type, uint8_t* decryptable) ;
-int AES_encrypt_DH(char *message, uint8_t *encr_message, uint64_t encrLen);
-int AES_decrypt_DH(uint8_t *encr_message, uint64_t length, char *message, uint64_t msgLen) ;
 void derive_DH_Key();

--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -424,7 +424,10 @@ void trustedGenerateEcdsaKeyAES(int *errStatus, char *errString,
                             ECDSA, NON_DECRYPTABLE, enc_len);
    CHECK_STATUS("ecdsa private key encryption failed");
-    status = AES_decrypt(encryptedPrivateKey, *enc_len, skey_str, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    status = AES_decrypt(encryptedPrivateKey, *enc_len, skey_str, BUF_LEN, &type, &decryptable);
    CHECK_STATUS2("ecdsa private key decr failed with status %d");
@@ -454,7 +457,11 @@ void trustedGetPublicEcdsaKeyAES(int *errStatus, char *errString,
    CHECK_STATE(pub_key_x);
    CHECK_STATE(pub_key_y);
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN,
+                             &type, &decryptable);
    CHECK_STATUS2("AES_decrypt failed with status %d");
    skey[enc_len - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE] = '\0';
@@ -533,7 +540,12 @@ void trustedEcdsaSignAES(int *errStatus, char *errString, uint8_t *encryptedPriv
    mpz_init(msgMpz);
    signature sign = signature_init();
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN,
+                             &type, &decryptable);
    CHECK_STATUS2("aes decrypt failed with status %d");
@@ -609,7 +621,16 @@ void trustedDecryptKeyAES(int *errStatus, char *errString, uint8_t *encryptedPri
    *errStatus = -9;
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 3072);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 3072,
+                             &type, &decryptable);
+    if (decryptable != DECRYPTABLE) {
+        *errStatus = -11;
+        snprintf(errString, BUF_LEN, "Key is not exportable");
+    }
    if (status != 0) {
        *errStatus = status;
@@ -653,7 +674,11 @@ void trustedEncryptKeyAES(int *errStatus, char *errString, const char *key,
    SAFE_CHAR_BUF(decryptedKey, BUF_LEN);
-    status = AES_decrypt(encryptedPrivateKey, *enc_len, decryptedKey, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    status = AES_decrypt(encryptedPrivateKey, *enc_len, decryptedKey, BUF_LEN,
+                         &type, &decryptable);
    CHECK_STATUS2("trustedDecryptKey failed with status %d");
@@ -696,7 +721,10 @@ void trustedBlsSignMessageAES(int *errStatus, char *errString, uint8_t *encrypte
    SAFE_CHAR_BUF(key, BUF_LEN);SAFE_CHAR_BUF(sig, BUF_LEN);
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, BUF_LEN, &type, &decryptable);
    CHECK_STATUS("AES decrypt failed")
@@ -747,8 +775,11 @@ trustedGenDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_dkg_s
    SAFE_CHAR_BUF(decr_dkg_secret, DKG_BUFER_LENGTH);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
    status = AES_decrypt(encrypted_dkg_secret, *enc_len, decr_dkg_secret,
-                         DKG_BUFER_LENGTH);
+                         DKG_BUFER_LENGTH, &type, &decryptable);
    CHECK_STATUS("aes decrypt dkg poly failed");
@@ -777,8 +808,11 @@ trustedDecryptDkgSecretAES(int *errStatus, char *errString, uint8_t *encrypted_d
    CHECK_STATE(encrypted_dkg_secret);
    CHECK_STATE(decrypted_dkg_secret);
+    uint8_t  type;
+    uint8_t  decryptable;
    int status = AES_decrypt(encrypted_dkg_secret, enc_len, (char *) decrypted_dkg_secret,
-                             3072);
+                             3072, &type, &decryptable);
    CHECK_STATUS2("aes decrypt data - encrypted_dkg_secret failed with status %d")
@@ -799,8 +833,11 @@ void trustedSetEncryptedDkgPolyAES(int *errStatus, char *errString, uint8_t *enc
    memset(getThreadLocalDecryptedDkgPoly(), 0, DKG_BUFER_LENGTH);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
    int status = AES_decrypt(encrypted_poly, enc_len, (char *) getThreadLocalDecryptedDkgPoly(),
-                             DKG_BUFER_LENGTH);
+                             DKG_BUFER_LENGTH, &type, &decryptable);
    CHECK_STATUS2("sgx_unseal_data - encrypted_poly failed with status %d")
@@ -836,7 +873,10 @@ void trustedGetEncryptedSecretShareAES(int *errStatus, char *errString, uint8_t
    CHECK_STATUS("trustedGenerateEcdsaKeyAES failed");
-    status = AES_decrypt(encrypted_skey, enc_len, skey, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    status = AES_decrypt(encrypted_skey, enc_len, skey, BUF_LEN, &type, &decryptable);
    skey[ECDSA_SKEY_LEN - 1] = 0;
@@ -889,8 +929,11 @@ void trustedGetPublicSharesAES(int *errStatus, char *errString, uint8_t *encrypt
    SAFE_CHAR_BUF(decrypted_dkg_secret, DKG_MAX_SEALED_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
    int status = AES_decrypt(encrypted_dkg_secret, enc_len, decrypted_dkg_secret,
-                             DKG_MAX_SEALED_LEN);
+                             DKG_MAX_SEALED_LEN, &type, &decryptable);
    CHECK_STATUS2("aes decrypt data - encrypted_dkg_secret failed with status %d");
@@ -919,7 +962,11 @@ void trustedDkgVerifyAES(int *errStatus, char *errString, const char *public_sha
    mpz_t s;
    mpz_init(s);
-    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, skey, BUF_LEN,
+                             &type, &decryptable);
    CHECK_STATUS2("AES_decrypt failed (in trustedDkgVerifyAES) with status %d");
@@ -978,8 +1025,12 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
    mpz_t bls_key;
    mpz_init(bls_key);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
-    int status = AES_decrypt(encryptedPrivateKey, key_len, skey, BUF_LEN);
+    int status = AES_decrypt(encryptedPrivateKey, key_len, skey, BUF_LEN,
+                             &type, &decryptable);
    CHECK_STATUS2("aes decrypt failed with status %d");
    skey[ECDSA_SKEY_LEN - 1] = 0;
@@ -1039,7 +1090,7 @@ void trustedCreateBlsKeyAES(int *errStatus, char *errString, const char *s_share
    strncpy(key_share + n_zeroes, arr_skey_str, 65 - n_zeroes);
    key_share[BLS_KEY_LENGTH - 1] = 0;
-    status = AES_encrypt(key_share, encr_bls_key, BUF_LEN, BLS, NON_DECRYPTABLE, enc_bls_key_len);
+    status = AES_encrypt(key_share, encr_bls_key, BUF_LEN, BLS, DECRYPTABLE, enc_bls_key_len);
    CHECK_STATUS2("aes encrypt bls private key failed with status %d ");
@@ -1065,7 +1116,13 @@ trustedGetBlsPubKeyAES(int *errStatus, char *errString, uint8_t *encryptedPrivat
    SAFE_CHAR_BUF(skey_hex, BUF_LEN);
-    int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, BUF_LEN);
+    uint8_t type = 0;
+    uint8_t decryptable = 0;
+    int status = AES_decrypt(encryptedPrivateKey, key_len, skey_hex, BUF_LEN,
+                             &type, &decryptable);
    CHECK_STATUS2("AES decrypt failed %d");