Merge pull request #353 from skalenetwork/bug/SKALE-4523-validate-buffer-trustedDecryptKey

SKALE-4523 fix buffer length

Merge pull request #353 from skalenetwork/bug/SKALE-4523-validate-buffer-trustedDecryptKey
SKALE-4523 fix buffer length
f87059a9 · Oleh Nikolaiev · GitHub · c92b794b · e5223e23 · f87059a9
Unverified Commit f87059a9 authored Sep 13, 2021 by Oleh Nikolaiev Committed by GitHub Sep 13, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 42 deletions

AESUtils.c secure_enclave/AESUtils.c +30 -25

secure_enclave.c secure_enclave/secure_enclave.c +14 -17

No files found.
--- a/secure_enclave/AESUtils.c
+++ b/secure_enclave/AESUtils.c
@@ -49,11 +49,16 @@ int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsig
        return -2;
    }

+    if (!resultLen) {
+        LOG_ERROR("Null resultLen in AES_encrypt");
+        return -3;
+    }
+
    uint64_t len = strlen(message) + 1;

    if (2 + len + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE > encrBufLen ) {
        LOG_ERROR("Output buffer too small");
-        return -3;
+        return -4;
    }

    SAFE_CHAR_BUF(fullMessage, len + 2);
@@ -97,36 +102,36 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
        return -3;
    }

-    if (!encr_message) {
+    if (!exportable) {
        LOG_ERROR("Null exportable in AES_encrypt");
        return -4;
    }


-  if (length < SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE) {
-      LOG_ERROR("length < SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE");
-      return -1;
-  }
+    if (length < SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE) {
+        LOG_ERROR("length < SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE");
+        return -5;
+    }

-  uint64_t len = length - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE;
+    uint64_t len = length - SGX_AESGCM_MAC_SIZE - SGX_AESGCM_IV_SIZE;

-  if (msgLen < len) {
+    if (msgLen < len) {
        LOG_ERROR("Output buffer not large enough");
-        return -2;
-  }
-
-  sgx_status_t status = sgx_rijndael128GCM_decrypt(&(AES_key[512]),
-                                                   encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE, len,
-                                                   (unsigned char*) message,
-                                                   encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
-                                                   NULL, 0,
-                                                   (sgx_aes_gcm_128bit_tag_t *)encr_message);
-
-  *type = message[0];
-  *exportable = message[1];
-  for (int i = 2; i < strlen(message) + 1; i++) {
-      message[i - 2 ] = message[i];
-  }
-
-  return status;
+        return -6;
+    }
+
+    sgx_status_t status = sgx_rijndael128GCM_decrypt(&(AES_key[512]),
+                                                    encr_message + SGX_AESGCM_MAC_SIZE + SGX_AESGCM_IV_SIZE, len,
+                                                    (unsigned char*) message,
+                                                    encr_message + SGX_AESGCM_MAC_SIZE, SGX_AESGCM_IV_SIZE,
+                                                    NULL, 0,
+                                                    (sgx_aes_gcm_128bit_tag_t *)encr_message);
+
+    *type = message[0];
+    *exportable = message[1];
+    for (int i = 2; i < strlen(message) + 1; i++) {
+        message[i - 2 ] = message[i];
+    }
+
+    return status;
 }
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -597,7 +597,6 @@ void trustedEcdsaSign(int *errStatus, char *errString, uint8_t *encryptedPrivate
    LOG_DEBUG("SGX call completed");
 }

-
 void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivateKey,
                          uint64_t enc_len, char *key) {

@@ -606,24 +605,14 @@ void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivat

    CHECK_STATE(encryptedPrivateKey);
    CHECK_STATE(key);
+    CHECK_STATE( enc_len == strnlen( encryptedPrivateKey, 1024 ) );

    *errStatus = -9;

    uint8_t type = 0;
    uint8_t exportable = 0;

-    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 3072,
-                             &type, &exportable);
-
-    if (exportable != EXPORTABLE) {
-        while (*key != '\0') {
-            *key++ = '0';
-        }
-        *errStatus = -11;
-        snprintf(errString, BUF_LEN, "Key is not exportable");
-        LOG_ERROR(errString);
-        goto clean;
-    }
+    int status = AES_decrypt(encryptedPrivateKey, enc_len, key, 1024, &type, &exportable);

    if (status != 0) {
        *errStatus = status;
@@ -632,22 +621,30 @@ void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivat
        goto clean;
    }

-    *errStatus = -10;
-
-    uint64_t keyLen = strnlen(key, MAX_KEY_LENGTH);
+    size_t keyLen = strnlen(key, MAX_KEY_LENGTH);

    if (keyLen == MAX_KEY_LENGTH) {
+        *errStatus = -10;
        snprintf(errString, BUF_LEN, "Key is not null terminated");
        LOG_ERROR(errString);
        goto clean;
    }

+    if (exportable != EXPORTABLE) {
+        while (*key != '\0') {
+            *key++ = '0';
+        }
+        *errStatus = -11;
+        snprintf(errString, BUF_LEN, "Key is not exportable");
+        LOG_ERROR(errString);
+        goto clean;
+    }
+
    SET_SUCCESS
    clean:
    ;
 }

-
 void trustedEncryptKey(int *errStatus, char *errString, const char *key,
                          uint8_t *encryptedPrivateKey, uint64_t *enc_len) {
    LOG_INFO(__FUNCTION__);