ae_error_t CertificateProvisioningProtocol::aesGCMDecrypt(const upse::Buffer& iv, const upse::Buffer& key, const upse::Buffer& cipherText,
const upse::Buffer& aad, const upse::Buffer& mac, upse::Buffer& plainText)
{
ae_error_t status = AE_FAILURE;
do
{
if (key.getSize() != sizeof(sgx_aes_gcm_128bit_key_t))
break;
status = plainText.Alloc(cipherText.getSize());
if (AE_FAILED(status))
break;
uint8_t* pPlainText = NULL;
status = upse::BufferWriter(plainText).reserve(plainText.getSize(), &pPlainText);
if (AE_FAILED(status))
break;
sgx_status_t sgx_status;
sgx_status = sgx_rijndael128GCM_decrypt(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(key.getData()),
cipherText.getData(), cipherText.getSize(), pPlainText, iv.getData(), IV_SIZE, aad.getData(), aad.getSize(),
reinterpret_cast<const sgx_aes_gcm_128bit_tag_t *>(mac.getData()));
if (SGX_SUCCESS != sgx_status)
{
AESM_LOG_ERROR("%s", g_event_string_table[SGX_EVENT_PSE_CERT_PROV_INTEGRITY_ERROR]);
status = AE_FAILURE;
break;
}
status = AE_SUCCESS;
} while (0);
return status;
}
aesm_error_t AESMLogic::get_launch_token(
const uint8_t * mrenclave, uint32_t mrenclave_size,
const uint8_t *public_key, uint32_t public_key_size,
const uint8_t *se_attributes, uint32_t se_attributes_size,
uint8_t * lictoken, uint32_t lictoken_size)
{
AESM_DBG_INFO("enter function");
CHECK_SERVICE_STATUS;
AESMLogicLock lock(_le_mutex);
CHECK_SERVICE_STATUS;
ae_error_t ret_le = AE_SUCCESS;
if (NULL == mrenclave ||
NULL == public_key ||
NULL == se_attributes ||
NULL == lictoken)
{
//sizes are checked in CLEClass::get_launch_token()
AESM_DBG_TRACE("Invalid parameter");
return AESM_PARAMETER_ERROR;
}
ae_error_t ae_ret = CLEClass::instance().load_enclave();
if(ae_ret == AE_SERVER_NOT_AVAILABLE)
{
AESM_LOG_ERROR("%s", g_event_string_table[SGX_EVENT_SERVICE_UNAVAILABLE]);
AESM_DBG_FATAL("LE not loaded due to AE_SERVER_NOT_AVAILABLE, possible SGX Env Not Ready");
return AESM_NO_DEVICE_ERROR;
}
else if(AE_FAILED(ae_ret))
{
AESM_DBG_ERROR("LE not loaded:%d", ae_ret);
return AESM_UNEXPECTED_ERROR;
}
ret_le = static_cast<ae_error_t>(CLEClass::instance().get_launch_token(
const_cast<uint8_t *>(mrenclave), mrenclave_size,
const_cast<uint8_t *>(public_key), public_key_size,
const_cast<uint8_t *>(se_attributes), se_attributes_size,
lictoken, lictoken_size));
switch (ret_le)
{
case AE_SUCCESS:
return AESM_SUCCESS;
case LE_INVALID_PARAMETER:
AESM_DBG_TRACE("Invalid parameter");
return AESM_PARAMETER_ERROR;
case LE_INVALID_ATTRIBUTE:
case LE_INVALID_PRIVILEGE_ERROR:
AESM_DBG_TRACE("Launch token error");
return AESM_GET_LICENSETOKEN_ERROR;
case LE_WHITELIST_UNINITIALIZED_ERROR:
AESM_DBG_TRACE("LE whitelist uninitialized error");
return AESM_UNEXPECTED_ERROR;
default:
AESM_DBG_WARN("unexpeted error %d", ret_le);
return AESM_UNEXPECTED_ERROR;
}
}
int main() {
if(daemon(0, 0) < 0)
{
AESM_LOG_INIT();
AESM_LOG_FATAL("Fail to set daemon.");
AESM_LOG_FINI();
exit(1);
}
CURLcode curl_code = curl_global_init(CURL_GLOBAL_DEFAULT);
if(curl_code!=CURLE_OK){
curl_initialized = false;
}else{
curl_initialized = true;
}
signal(SIGCHLD, SIG_IGN);
signal(SIGHUP, signal_handler);
//ignore SIGPIPE, socket is unexpectedly closed by client
signal(SIGPIPE, SIG_IGN);
signal(SIGTERM, signal_handler);
try{
do{
reload = false;
AESMLogicWrapper* aesmLogic = new AESMLogicWrapper();
if(aesmLogic->service_start()!=AE_SUCCESS){
AESM_LOG_ERROR("Fail to start service.");
delete aesmLogic;
exit(1);
}
UnixServerSocket* serverSock = new UnixServerSocket(CONFIG_SOCKET_PATH);
CSelector* selector = new CSelector(serverSock);
server = new CAESMServer(serverSock, selector, aesmLogic);
AESM_LOG_WARN("The server sock is %#lx" ,serverSock);
server->init();
server->doWork();
CAESMServer* temp_server = server;
server = NULL;
delete temp_server;
}while(reload == true);
}
catch(char const* error_msg)
{
AESM_LOG_FATAL("%s", error_msg);
}
return 0;
}
void AESMQueueManager::enqueue(RequestData* requestData)
{
if(requestData != NULL && requestData->getRequest() != NULL)
{
switch (requestData->getRequest()->getRequestClass()) {
case IAERequest::QUOTING_CLASS:
m_quotingThread->enqueue(requestData);
break;
case IAERequest::LAUNCH_CLASS:
m_launchThread->enqueue(requestData);
break;
case IAERequest::PLATFORM_CLASS:
m_platformServiceThread->enqueue(requestData);
break;
default: //if we reach this point, this could only mean a corrupted or a forged message. In any case, close the connection
// Closing the connection will translate in an IPC error on the client side in case of corruption (and we would be correct), or in unexpected manner for forged messages (the case of an attacker client)
delete requestData; //this will delete the socket also.
AESM_LOG_ERROR("Malformed request received (May be forged for attack)");
}
}
}
ae_error_t ConvertBackendStatus(CertificateProvisioningProtocol& cpp, ae_error_t status)
{
if (AE_FAILED(status))
{
if (PSE_PRS_OK != cpp.GetProtocolResponseStatus())
{
SGX_DBGPRINT_ONE_STRING_ONE_INT("Backend ProtocolResponseStatus", cpp.GetProtocolResponseStatus());
switch (cpp.GetProtocolResponseStatus())
{
case PSE_PRS_INVALID_GID: status = AESM_PSE_PR_BACKEND_INVALID_GID; break;
case PSE_PRS_GID_REVOKED: status = AESM_PSE_PR_BACKEND_GID_REVOKED; break;
case PSE_PRS_INVALID_QUOTE: status = AESM_PSE_PR_BACKEND_INVALID_QUOTE; break;
case PSE_PRS_INVALID_REQUEST: status = AESM_PSE_PR_BACKEND_INVALID_REQUEST; break;
default: status = AESM_PSE_PR_BACKEND_UNKNOWN_PROTOCOL_RESPONSE; break;
}
AESM_DBG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_PROTOCOL_RESPONSE_FAILURE], status);
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_PROTOCOL_RESPONSE_FAILURE], status);
}
else if (GRS_OK != cpp.GetGeneralResponseStatus())
{
SGX_DBGPRINT_ONE_STRING_ONE_INT("Backend GeneralResponseStatus", cpp.GetGeneralResponseStatus());
switch (cpp.GetGeneralResponseStatus())
{
case GRS_SERVER_BUSY: status = AESM_PSE_PR_BACKEND_SERVER_BUSY; break;
case GRS_INTEGRITY_CHECK_FAIL: status = AESM_PSE_PR_BACKEND_INTEGRITY_CHECK_FAIL; break;
case GRS_INCORRECT_SYNTAX: status = AESM_PSE_PR_BACKEND_INCORRECT_SYNTAX; break;
case GRS_INCOMPATIBLE_VERSION: status = PSW_UPDATE_REQUIRED; break;
case GRS_TRANSACTION_STATE_LOST: status = AESM_PSE_PR_BACKEND_TRANSACTION_STATE_LOST; break;
case GRS_PROTOCOL_ERROR: status = AESM_PSE_PR_BACKEND_PROTOCOL_ERROR; break;
case GRS_INTERNAL_ERROR: status = AESM_PSE_PR_BACKEND_INTERNAL_ERROR; break;
default: status = AESM_PSE_PR_BACKEND_UNKNOWN_PROTOCOL_RESPONSE; break;
}
AESM_DBG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_GENERAL_RESPONSE_FAILURE], status);
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_GENERAL_RESPONSE_FAILURE], status);
}
else
{
switch (status)
{
case OAL_NETWORK_UNAVAILABLE_ERROR:
{
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_FAILURE]);
break;
}
case PSE_PAIRING_BLOB_UNSEALING_ERROR:
{
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_LTP_BLOB_INTEGRITY_ERROR]);
break;
}
case PSE_PAIRING_BLOB_INVALID_ERROR:
{
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_LTP_BLOB_INVALID_ERROR]);
break;
}
case AESM_PSE_PR_BACKEND_MSG4_PLATFORM_INFO_BLOB_SIZE:
{
//
// happens if pib returned is not the right size
//
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_PROTOCOL_RESPONSE_FAILURE]);
break;
}
case AE_FAILURE:
{
//
// happens if problem with proxy setting
//
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_CERT_PROV_FAILURE]);
break;
}
case AESM_CP_ATTESTATION_FAILURE:
{
AESM_LOG_ERROR(g_event_string_table[SGX_EVENT_PSE_ATTESTATION_ERROR]);
break;
}
default:
{
AESM_DBG_ERROR("Error in ConvertBackendStatus(status) : status = %d (%xh)", status, status);
break;
}
}
}
}
return status;
}
