312 lines
9.8 KiB
C++
312 lines
9.8 KiB
C++
|
#include <stdarg.h>
|
||
|
#include <stdio.h>
|
||
|
|
||
|
#include <assert.h>
|
||
|
#include "isv_enclave_t.h"
|
||
|
#include "sgx_tkey_exchange.h"
|
||
|
#include "sgx_tcrypto.h"
|
||
|
#include "string.h"
|
||
|
|
||
|
// This is the public EC key of the SP. The corresponding private EC key is
|
||
|
// used by the SP to sign data used in the remote attestation SIGMA protocol
|
||
|
// to sign channel binding data in MSG2. A successful verification of the
|
||
|
// signature confirms the identity of the SP to the ISV app in remote
|
||
|
// attestation secure channel binding. The public EC key should be hardcoded in
|
||
|
// the enclave or delivered in a trustworthy manner. The use of a spoofed public
|
||
|
// EC key in the remote attestation with secure channel binding session may lead
|
||
|
// to a security compromise. Every different SP the enlcave communicates to
|
||
|
// must have a unique SP public key. Delivery of the SP public key is
|
||
|
// determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key
|
||
|
// based on NIST P-256
|
||
|
static const sgx_ec256_public_t g_sp_pub_key = {
|
||
|
{
|
||
|
0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf,
|
||
|
0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad,
|
||
|
0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d,
|
||
|
0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38
|
||
|
},
|
||
|
{
|
||
|
0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b,
|
||
|
0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2,
|
||
|
0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28,
|
||
|
0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06
|
||
|
}
|
||
|
|
||
|
};
|
||
|
|
||
|
|
||
|
#ifdef SUPPLIED_KEY_DERIVATION
|
||
|
|
||
|
#pragma message ("Supplied key derivation function is used.")
|
||
|
|
||
|
typedef struct _hash_buffer_t {
|
||
|
uint8_t counter[4];
|
||
|
sgx_ec256_dh_shared_t shared_secret;
|
||
|
uint8_t algorithm_id[4];
|
||
|
} hash_buffer_t;
|
||
|
|
||
|
const char ID_U[] = "SGXRAENCLAVE";
|
||
|
const char ID_V[] = "SGXRASERVER";
|
||
|
|
||
|
// Derive two keys from shared key and key id.
|
||
|
bool derive_key(
|
||
|
const sgx_ec256_dh_shared_t *p_shared_key,
|
||
|
uint8_t key_id,
|
||
|
sgx_ec_key_128bit_t *first_derived_key,
|
||
|
sgx_ec_key_128bit_t *second_derived_key) {
|
||
|
sgx_status_t sgx_ret = SGX_SUCCESS;
|
||
|
hash_buffer_t hash_buffer;
|
||
|
sgx_sha_state_handle_t sha_context;
|
||
|
sgx_sha256_hash_t key_material;
|
||
|
|
||
|
memset(&hash_buffer, 0, sizeof(hash_buffer_t));
|
||
|
/* counter in big endian */
|
||
|
hash_buffer.counter[3] = key_id;
|
||
|
|
||
|
/*convert from little endian to big endian */
|
||
|
for (size_t i = 0; i < sizeof(sgx_ec256_dh_shared_t); i++) {
|
||
|
hash_buffer.shared_secret.s[i] = p_shared_key->s[sizeof(p_shared_key->s)-1 - i];
|
||
|
}
|
||
|
|
||
|
sgx_ret = sgx_sha256_init(&sha_context);
|
||
|
if (sgx_ret != SGX_SUCCESS) {
|
||
|
return false;
|
||
|
}
|
||
|
sgx_ret = sgx_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context);
|
||
|
if (sgx_ret != SGX_SUCCESS) {
|
||
|
sgx_sha256_close(sha_context);
|
||
|
return false;
|
||
|
}
|
||
|
sgx_ret = sgx_sha256_update((uint8_t*)&ID_U, sizeof(ID_U), sha_context);
|
||
|
if (sgx_ret != SGX_SUCCESS) {
|
||
|
sgx_sha256_close(sha_context);
|
||
|
return false;
|
||
|
}
|
||
|
sgx_ret = sgx_sha256_update((uint8_t*)&ID_V, sizeof(ID_V), sha_context);
|
||
|
if (sgx_ret != SGX_SUCCESS) {
|
||
|
sgx_sha256_close(sha_context);
|
||
|
return false;
|
||
|
}
|
||
|
sgx_ret = sgx_sha256_get_hash(sha_context, &key_material);
|
||
|
if (sgx_ret != SGX_SUCCESS) {
|
||
|
sgx_sha256_close(sha_context);
|
||
|
return false;
|
||
|
}
|
||
|
sgx_ret = sgx_sha256_close(sha_context);
|
||
|
|
||
|
assert(sizeof(sgx_ec_key_128bit_t)* 2 == sizeof(sgx_sha256_hash_t));
|
||
|
memcpy(first_derived_key, &key_material, sizeof(sgx_ec_key_128bit_t));
|
||
|
memcpy(second_derived_key, (uint8_t*)&key_material + sizeof(sgx_ec_key_128bit_t), sizeof(sgx_ec_key_128bit_t));
|
||
|
|
||
|
// memset here can be optimized away by compiler, so please use memset_s on
|
||
|
// windows for production code and similar functions on other OSes.
|
||
|
memset(&key_material, 0, sizeof(sgx_sha256_hash_t));
|
||
|
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
//isv defined key derivation function id
|
||
|
#define ISV_KDF_ID 2
|
||
|
|
||
|
typedef enum _derive_key_type_t {
|
||
|
DERIVE_KEY_SMK_SK = 0,
|
||
|
DERIVE_KEY_MK_VK,
|
||
|
} derive_key_type_t;
|
||
|
|
||
|
sgx_status_t key_derivation(const sgx_ec256_dh_shared_t* shared_key,
|
||
|
uint16_t kdf_id,
|
||
|
sgx_ec_key_128bit_t* smk_key,
|
||
|
sgx_ec_key_128bit_t* sk_key,
|
||
|
sgx_ec_key_128bit_t* mk_key,
|
||
|
sgx_ec_key_128bit_t* vk_key) {
|
||
|
bool derive_ret = false;
|
||
|
|
||
|
if (NULL == shared_key) {
|
||
|
return SGX_ERROR_INVALID_PARAMETER;
|
||
|
}
|
||
|
|
||
|
if (ISV_KDF_ID != kdf_id) {
|
||
|
//fprintf(stderr, "\nError, key derivation id mismatch in [%s].", __FUNCTION__);
|
||
|
return SGX_ERROR_KDF_MISMATCH;
|
||
|
}
|
||
|
|
||
|
derive_ret = derive_key(shared_key, DERIVE_KEY_SMK_SK,
|
||
|
smk_key, sk_key);
|
||
|
if (derive_ret != true) {
|
||
|
//fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
|
||
|
return SGX_ERROR_UNEXPECTED;
|
||
|
}
|
||
|
|
||
|
derive_ret = derive_key(shared_key, DERIVE_KEY_MK_VK,
|
||
|
mk_key, vk_key);
|
||
|
if (derive_ret != true) {
|
||
|
//fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
|
||
|
return SGX_ERROR_UNEXPECTED;
|
||
|
}
|
||
|
return SGX_SUCCESS;
|
||
|
}
|
||
|
#else
|
||
|
#pragma message ("Default key derivation function is used.")
|
||
|
#endif
|
||
|
|
||
|
// This ecall is a wrapper of sgx_ra_init to create the trusted
|
||
|
// KE exchange key context needed for the remote attestation
|
||
|
// SIGMA API's. Input pointers aren't checked since the trusted stubs
|
||
|
// copy them into EPC memory.
|
||
|
//
|
||
|
// @param b_pse Indicates whether the ISV app is using the
|
||
|
// platform services.
|
||
|
// @param p_context Pointer to the location where the returned
|
||
|
// key context is to be copied.
|
||
|
//
|
||
|
// @return Any error return from the create PSE session if b_pse
|
||
|
// is true.
|
||
|
// @return Any error returned from the trusted key exchange API
|
||
|
// for creating a key context.
|
||
|
|
||
|
sgx_status_t enclave_init_ra(
|
||
|
int b_pse,
|
||
|
sgx_ra_context_t *p_context) {
|
||
|
// isv enclave call to trusted key exchange library.
|
||
|
sgx_status_t ret;
|
||
|
if(b_pse) {
|
||
|
int busy_retry_times = 2;
|
||
|
do {
|
||
|
ret = sgx_create_pse_session();
|
||
|
} while (ret == SGX_ERROR_BUSY && busy_retry_times--);
|
||
|
if (ret != SGX_SUCCESS)
|
||
|
return ret;
|
||
|
}
|
||
|
#ifdef SUPPLIED_KEY_DERIVATION
|
||
|
ret = sgx_ra_init_ex(&g_sp_pub_key, b_pse, key_derivation, p_context);
|
||
|
#else
|
||
|
ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context);
|
||
|
#endif
|
||
|
if(b_pse) {
|
||
|
sgx_close_pse_session();
|
||
|
return ret;
|
||
|
}
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
|
||
|
// Closes the tKE key context used during the SIGMA key
|
||
|
// exchange.
|
||
|
//
|
||
|
// @param context The trusted KE library key context.
|
||
|
//
|
||
|
// @return Return value from the key context close API
|
||
|
|
||
|
sgx_status_t SGXAPI enclave_ra_close(
|
||
|
sgx_ra_context_t context) {
|
||
|
sgx_status_t ret;
|
||
|
ret = sgx_ra_close(context);
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
|
||
|
// Verify the mac sent in att_result_msg from the SP using the
|
||
|
// MK key. Input pointers aren't checked since the trusted stubs
|
||
|
// copy them into EPC memory.
|
||
|
//
|
||
|
//
|
||
|
// @param context The trusted KE library key context.
|
||
|
// @param p_message Pointer to the message used to produce MAC
|
||
|
// @param message_size Size in bytes of the message.
|
||
|
// @param p_mac Pointer to the MAC to compare to.
|
||
|
// @param mac_size Size in bytes of the MAC
|
||
|
//
|
||
|
// @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect.
|
||
|
// @return Any error produced by tKE API to get SK key.
|
||
|
// @return Any error produced by the AESCMAC function.
|
||
|
// @return SGX_ERROR_MAC_MISMATCH - MAC compare fails.
|
||
|
|
||
|
sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
|
||
|
uint8_t* p_message,
|
||
|
size_t message_size,
|
||
|
uint8_t* p_mac,
|
||
|
size_t mac_size) {
|
||
|
sgx_status_t ret;
|
||
|
sgx_ec_key_128bit_t mk_key;
|
||
|
|
||
|
if(mac_size != sizeof(sgx_mac_t)) {
|
||
|
ret = SGX_ERROR_INVALID_PARAMETER;
|
||
|
return ret;
|
||
|
}
|
||
|
if(message_size > UINT32_MAX) {
|
||
|
ret = SGX_ERROR_INVALID_PARAMETER;
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
do {
|
||
|
uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
|
||
|
|
||
|
ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
|
||
|
if(SGX_SUCCESS != ret) {
|
||
|
break;
|
||
|
}
|
||
|
ret = sgx_rijndael128_cmac_msg(&mk_key,
|
||
|
p_message,
|
||
|
(uint32_t)message_size,
|
||
|
&mac);
|
||
|
if(SGX_SUCCESS != ret) {
|
||
|
break;
|
||
|
}
|
||
|
if(0 == consttime_memequal(p_mac, mac, sizeof(mac))) {
|
||
|
ret = SGX_ERROR_MAC_MISMATCH;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
} while(0);
|
||
|
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
|
||
|
sgx_status_t verify_secret_data (
|
||
|
sgx_ra_context_t context,
|
||
|
uint8_t *p_secret,
|
||
|
uint32_t secret_size,
|
||
|
uint8_t *p_gcm_mac,
|
||
|
uint32_t max_verification_length,
|
||
|
uint8_t *p_ret) {
|
||
|
sgx_status_t ret = SGX_SUCCESS;
|
||
|
sgx_ec_key_128bit_t sk_key;
|
||
|
|
||
|
do {
|
||
|
ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key);
|
||
|
if (SGX_SUCCESS != ret) {
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
uint8_t *decrypted = (uint8_t*) malloc(sizeof(uint8_t) * secret_size);
|
||
|
uint8_t aes_gcm_iv[12] = {0};
|
||
|
|
||
|
ret = sgx_rijndael128GCM_decrypt(&sk_key,
|
||
|
p_secret,
|
||
|
secret_size,
|
||
|
decrypted,
|
||
|
&aes_gcm_iv[0],
|
||
|
12,
|
||
|
NULL,
|
||
|
0,
|
||
|
(const sgx_aes_gcm_128bit_tag_t *) (p_gcm_mac));
|
||
|
|
||
|
if (SGX_SUCCESS == ret) {
|
||
|
if (decrypted[0] == 0) {
|
||
|
if (decrypted[1] != 1) {
|
||
|
ret = SGX_ERROR_INVALID_SIGNATURE;
|
||
|
}
|
||
|
} else {
|
||
|
ret = SGX_ERROR_UNEXPECTED;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
} while(0);
|
||
|
|
||
|
return ret;
|
||
|
}
|
||
|
|
||
|
|
||
|
|