//Function to generate End Point Selection id and XID for end point selection msg1
//@es_selector, output XID and SelectorID
//@return PVEC_SUCCESS on success or error code otherwise
pve_status_t gen_es_msg1_data(gen_endpoint_selection_output_t *es_selector)
{
//randomly generate xid
pve_status_t ret = se_read_rand_error_to_pve_error(sgx_read_rand(es_selector->xid, XID_SIZE));
if(ret != PVEC_SUCCESS)
return ret;
//generate selector id which is hash value of Provisioning Base Key
return gen_es_selector_id(&es_selector->selector_id);
}
//random number generation function inside pve
pve_status_t pve_rng_generate(
int nBits,
unsigned char* pRandData)
{
pve_status_t ret = PVEC_SUCCESS;
sgx_status_t se_ret = SGX_SUCCESS;
//inside enclave, using random function from selib. It will initialize several more bits if nBits is not times of 8
if((se_ret = sgx_read_rand(reinterpret_cast<uint8_t*>(pRandData), (nBits+7)/8))!=SGX_SUCCESS)
ret = se_read_rand_error_to_pve_error(se_ret);
return ret;
}
//The function will try to do some preparation for piece meal encryption of field1 in ProvMsg3
// It prepares the encryption state in msg3
//@parm: structure to provide some input data to generate ProvMsg3 and also some states for piece meal processing
//@return PVEC_SUCCESS on success and error code if failed
static pve_status_t proc_msg3_state_init(prov_msg3_parm_t *parm, const sgx_key_128bit_t *pwk2)
{
pve_status_t ret = PVEC_SUCCESS;
sgx_status_t se_ret = SGX_SUCCESS;
if((se_ret=sgx_read_rand(parm->iv, IV_SIZE))!=SGX_SUCCESS){//randomly generate the IV
ret = se_read_rand_error_to_pve_error(se_ret);
goto ret_point;
}
se_static_assert(SK_SIZE==sizeof(sgx_cmac_128bit_tag_t)); /*size of sgx_cmac_128bit_tag_t should same as value of SK_SIZE*/
//initialize state for piece-meal encryption of field of ProvMsg3
ret = sgx_error_to_pve_error(sgx_aes_gcm128_enc_init((const uint8_t *)pwk2, parm->iv, IV_SIZE,//pwk2 as the key
NULL, 0,//no AAD used for the encryption of EpidSignature
(sgx_aes_state_handle_t*)&parm->p_msg3_state));
ret_point:
return ret;
}
//Function to create data for ProvMsg3 generation
// The sigrl of ProvMsg2 will processed in this function in piece-meal method
//@msg2_blob_input: structure to hold decoded data of ProvMsg2
//@performance_rekey_used[in]: 1 if performance rekey used or 0 if not
//@msg3_parm: structure to hold most information to generate ProvMsg3
//@msg3_output: structure to hold output data to create ProvMsg3
//@emp_epid_sig: output buffer to external memory for variable length EpidSignature
//@epid_sig_buffer_size: size in bytes of buffer emp_epid_sig
//@return PVEC_SUCCESS on success and error code if failed
pve_status_t gen_prov_msg3_data(const proc_prov_msg2_blob_input_t *msg2_blob_input,
prov_msg3_parm_t& msg3_parm,
uint8_t performance_rekey_used,
gen_prov_msg3_output_t *msg3_output,
external_memory_byte_t *emp_epid_sig,
uint32_t epid_sig_buffer_size)
{
pve_status_t ret = PVEC_SUCCESS;
sgx_status_t sgx_status = SGX_ERROR_UNEXPECTED;
uint8_t temp_buf[JOIN_PROOF_TLV_TOTAL_SIZE];
uint8_t *data_to_encrypt = NULL;
uint8_t size_to_encrypt = 0;
uint8_t pwk2_tlv_buffer[PWK2_TLV_TOTAL_SIZE];
sgx_key_128bit_t *pwk2=reinterpret_cast<sgx_key_128bit_t *>(pwk2_tlv_buffer+PWK2_TLV_HEADER_SIZE);
uint8_t report_data_payload[MAC_SIZE + HARD_CODED_JOIN_PROOF_WITH_ESCROW_TLV_SIZE + NONCE_2_SIZE + PEK_MOD_SIZE];
uint8_t* pdata = &report_data_payload[0];
sgx_report_data_t report_data = { 0 };
uint8_t aad[sizeof(GroupId)+sizeof(device_id_t)+CHALLENGE_NONCE_SIZE];
void *pub_key = NULL;
const signed_pek_t& pek = msg2_blob_input->pek;
uint32_t le_e;
int i;
size_t output_len = 0;
uint8_t le_n[sizeof(pek.n)];
static_assert(sizeof(pek.n)==384, "pek.n should be 384 bytes");
device_id_t *device_id_in_aad= (device_id_t *)(aad+sizeof(GroupId));
join_proof_with_escrow_t* join_proof_with_escrow=reinterpret_cast<join_proof_with_escrow_t *>(temp_buf+JOIN_PROOF_TLV_HEADER_SIZE);
se_static_assert(sizeof(join_proof_with_escrow_t)+JOIN_PROOF_TLV_HEADER_SIZE==JOIN_PROOF_TLV_TOTAL_SIZE); /*unmatched hardcoded size*/
se_static_assert(sizeof(sgx_key_128bit_t)==PWK2_TLV_TOTAL_SIZE-PWK2_TLV_HEADER_SIZE); /*unmatched PWK2 size*/
memset(temp_buf, 0 ,sizeof(temp_buf));
memset(aad, 0, sizeof(aad));
memset(pwk2, 0, sizeof(sgx_key_128bit_t));
memcpy(pwk2_tlv_buffer, PWK2_TLV_HEADER, PWK2_TLV_HEADER_SIZE);
msg3_output->is_join_proof_generated=false;
msg3_output->is_epid_sig_generated=false;
if ((msg2_blob_input->pce_target_info.attributes.flags & SGX_FLAGS_PROVISION_KEY) != SGX_FLAGS_PROVISION_KEY ||
(msg2_blob_input->pce_target_info.attributes.flags & SGX_FLAGS_DEBUG) != 0){
//PCE must have access to provisioning key
//Can't be debug PCE
ret = PVEC_PARAMETER_ERROR;
goto ret_point;
}
if(!performance_rekey_used){
//the temp_buf used for join_proof_with_escrow tlv
memcpy(temp_buf, JOIN_PROOF_TLV_HEADER, JOIN_PROOF_TLV_HEADER_SIZE);//first copy in tlv header
ret = random_stack_advance(gen_msg3_join_proof_escrow_data, msg2_blob_input, *join_proof_with_escrow);//generate the tlv payload
if( PVEC_SUCCESS != ret )
goto ret_point;
msg3_output->is_join_proof_generated = true;
data_to_encrypt = temp_buf;
size_to_encrypt = JOIN_PROOF_TLV_TOTAL_SIZE;
}
//now encrypt field1
ret = se_read_rand_error_to_pve_error(sgx_read_rand(msg3_output->field1_iv, IV_SIZE));//randomly generate IV
if( PVEC_SUCCESS != ret)
goto ret_point;
memcpy(aad, &msg2_blob_input->group_cert.key.gid,sizeof(GroupId));//start to prepare AAD
memcpy(&device_id_in_aad->fmsp, &msg2_blob_input->equiv_pi.fmsp, sizeof(fmsp_t));
memcpy(&device_id_in_aad->psvn.cpu_svn, &msg2_blob_input->equiv_pi.cpu_svn, sizeof(sgx_cpu_svn_t));
memcpy(&device_id_in_aad->psvn.isv_svn, &msg2_blob_input->equiv_pi.pve_svn, sizeof(sgx_isv_svn_t));
memset(&device_id_in_aad->ppid, 0, sizeof(device_id_in_aad->ppid));
ret = pve_rng_generate(NONCE_2_SIZE*8, msg3_output->n2);
if(PVEC_SUCCESS !=ret){
goto ret_point;
}
ret = random_stack_advance(get_pwk2, &device_id_in_aad->psvn, msg3_output->n2, pwk2);
if( PVEC_SUCCESS != ret )
goto ret_point;
memcpy(aad+sizeof(GroupId)+sizeof(device_id_t), msg2_blob_input->challenge_nonce, CHALLENGE_NONCE_SIZE);
se_static_assert(sizeof(sgx_aes_gcm_128bit_key_t)==SK_SIZE); /*sizeof sgx_aes_gcm_128bit_key_t should be same as TCB size*/
se_static_assert(sizeof(sgx_aes_gcm_128bit_tag_t)==MAC_SIZE); /*sizeof sgx_aes_gcm_128bit_tag_t should be same as MAC_SIZE*/
sgx_status = sgx_rijndael128GCM_encrypt(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(pwk2),
data_to_encrypt, size_to_encrypt, msg3_output->field1_data,
msg3_output->field1_iv, IV_SIZE, aad, static_cast<uint32_t>(sizeof(GroupId)+sizeof(device_id_t)+CHALLENGE_NONCE_SIZE),
reinterpret_cast<sgx_aes_gcm_128bit_tag_t *>(msg3_output->field1_mac));//encrypt field1
if(SGX_SUCCESS != sgx_status){
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
if( msg2_blob_input->is_previous_pi_provided ){
//preparing the encryption state of ProvMsg3 and encrypt inplace of msg3_inside enclave (field1_0 and field1_1)
//The function will randomly set the iv value too
ret = proc_msg3_state_init(&msg3_parm, pwk2);
if( PVEC_SUCCESS!=ret )
goto ret_point;
//Now start piece-meal generation of EPIDsign
ret = gen_msg3_signature(msg2_blob_input, &msg3_parm, emp_epid_sig, epid_sig_buffer_size);
if( PVEC_SUCCESS!=ret )
goto ret_point;
msg3_output->is_epid_sig_generated = true;
msg3_output->epid_sig_output_size = epid_sig_buffer_size;
memcpy(msg3_output->epid_sig_iv, msg3_parm.iv, IV_SIZE);
//generate MAC in EPC
ret = sgx_error_to_pve_error(sgx_aes_gcm128_enc_get_mac(msg3_output->epid_sig_mac, (sgx_aes_state_handle_t*)msg3_parm.p_msg3_state));
if (PVEC_SUCCESS != ret)
goto ret_point;
}
le_e = lv_ntohl(pek.e);
se_static_assert(sizeof(pek.n)==sizeof(le_n)); /*unmatched size of pek.n*/
//endian swap
for(i=0;i<(int)(sizeof(pek.n)/sizeof(pek.n[0]));i++){
le_n[i]=pek.n[sizeof(pek.n)/sizeof(pek.n[0])-i-1];
}
sgx_status = sgx_create_rsa_pub_key(sizeof(pek.n), sizeof(pek.e),
reinterpret_cast<const unsigned char *>(le_n), reinterpret_cast<const unsigned char *>(&le_e), &pub_key);
if (SGX_SUCCESS != sgx_status) {
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
sgx_status = sgx_rsa_pub_encrypt_sha256(pub_key, NULL, &output_len, reinterpret_cast<const unsigned char*>(pwk2_tlv_buffer),
PWK2_TLV_TOTAL_SIZE);
if (SGX_SUCCESS != sgx_status) {
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
sgx_status = sgx_rsa_pub_encrypt_sha256(pub_key, msg3_output->encrypted_pwk2, &output_len, reinterpret_cast<const unsigned char*>(pwk2_tlv_buffer),
PWK2_TLV_TOTAL_SIZE);
if (SGX_SUCCESS != sgx_status) {
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
// X = (NT)MAC_PWK2(... (NT)E_PWK2((T)(JoinP, f)) ...) | (NT)E_PWK2((T)(JoinP, f)) | (NT)PWK2N | (NT)E_PEK((T)PWK2)
// REPORT.ReportData == SHA256[X]
memcpy(pdata, msg3_output->field1_mac, MAC_SIZE);
pdata += MAC_SIZE;
if (!performance_rekey_used){
memcpy(pdata, msg3_output->field1_data, HARD_CODED_JOIN_PROOF_WITH_ESCROW_TLV_SIZE);
pdata += HARD_CODED_JOIN_PROOF_WITH_ESCROW_TLV_SIZE;
}
memcpy(pdata, msg3_output->n2, NONCE_2_SIZE);
pdata += NONCE_2_SIZE;
memcpy(pdata, msg3_output->encrypted_pwk2, PEK_MOD_SIZE);
pdata += PEK_MOD_SIZE;
se_static_assert(sizeof(report_data) >= sizeof(sgx_sha256_hash_t)); /*report data is no large enough*/
sgx_status = sgx_sha256_msg(report_data_payload, (uint32_t)(pdata - &report_data_payload[0]), reinterpret_cast<sgx_sha256_hash_t *>(&report_data));
if (SGX_SUCCESS != sgx_status){
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
sgx_status = sgx_create_report(&msg2_blob_input->pce_target_info, &report_data, &msg3_output->pwk2_report);
if (SGX_SUCCESS != sgx_status){
ret = sgx_error_to_pve_error(sgx_status);
goto ret_point;
}
ret_point:
(void)memset_s(aad, sizeof(aad), 0, sizeof(aad));
(void)memset_s(temp_buf, sizeof(temp_buf), 0, sizeof(temp_buf));
(void)memset_s(pwk2_tlv_buffer, sizeof(pwk2_tlv_buffer),0,sizeof(pwk2_tlv_buffer));
if(pub_key){
sgx_free_rsa_key(pub_key, SGX_RSA_PUBLIC_KEY, sizeof(pek.n), sizeof(pek.e));
}
return ret;
}
//Function to generate Field1_0 of ProvMsg3
//@msg2_blob_input, input decoded ProvMsg2 info
//@join_proof, output the join proof and the escrow data which is encrypted f of Private Key
//@return PVEC_SUCCESS on success and error code on failure
//The function assume all required inputs have been prepared in msg2_blob_input
static pve_status_t gen_msg3_join_proof_escrow_data(const proc_prov_msg2_blob_input_t *msg2_blob_input,
join_proof_with_escrow_t& join_proof)
{
pve_status_t ret = PVEC_SUCCESS;
BitSupplier epid_prng = (BitSupplier) epid_random_func;
FpElemStr temp_f;
//first generate private key f randomly before sealing it by PSK
FpElemStr *f = &temp_f;
sgx_status_t sgx_status = SGX_SUCCESS;
JoinRequest *join_r = &join_proof.jr;
EpidStatus epid_ret = kEpidNoErr;
psvn_t psvn;
MemberCtx* ctx = NULL;
memset(&temp_f, 0, sizeof(temp_f));
//randomly generate the private EPID key f, host to network transformation not required since server will not decode it
ret=sgx_error_to_pve_error(sgx_gen_epid_priv_f((void*)f));
if(PVEC_SUCCESS != ret){
goto ret_point;
}
//generate JoinP using f before encryption by calling EPID library
memset(join_r, 0, sizeof(JoinRequest));//first clear to 0
//generate JoinP to fill it in field1_0_0 by EPID library
epid_ret = epid_member_create(epid_prng, NULL, f, &ctx);
if(kEpidNoErr!=epid_ret){
ret = epid_error_to_pve_error(epid_ret);
goto ret_point;
}
epid_ret = EpidCreateJoinRequest(ctx,
&msg2_blob_input->group_cert.key, //EPID Group Cert from ProvMsgs2 used
reinterpret_cast<const IssuerNonce *>(msg2_blob_input->challenge_nonce),
join_r);
if(kEpidNoErr != epid_ret){
ret = epid_error_to_pve_error(epid_ret);
goto ret_point;
}
//get PSK
sgx_key_128bit_t psk;
memcpy(&psvn.cpu_svn, &msg2_blob_input->equiv_pi.cpu_svn, sizeof(psvn.cpu_svn));
memcpy(&psvn.isv_svn, &msg2_blob_input->equiv_pi.pve_svn, sizeof(psvn.isv_svn));
ret = get_pve_psk(&psvn, &psk);
if(PVEC_SUCCESS != ret){
goto ret_point;
}
join_proof.escrow.version = 0;//version 0 used for escrow data
//now we could seal f by PSK
ret = se_read_rand_error_to_pve_error(sgx_read_rand(join_proof.escrow.iv, IV_SIZE));
if(PVEC_SUCCESS != ret){
goto ret_point;
}
se_static_assert(sizeof(psk)==sizeof(sgx_aes_gcm_128bit_key_t)); /*sizeof sgx_aes_gcm_128bit_key_t tshould be same as size of psk*/
se_static_assert(sizeof(sgx_aes_gcm_128bit_tag_t)==sizeof(join_proof.escrow.mac)); /*sizeof sgx_aes_gcm_128bit_tag_t should be same as MAC_SIZE*/
sgx_status = sgx_rijndael128GCM_encrypt(reinterpret_cast<const sgx_aes_gcm_128bit_key_t *>(&psk),
reinterpret_cast<uint8_t *>(f), sizeof(*f), reinterpret_cast<uint8_t *>(&join_proof.escrow.f),
join_proof.escrow.iv, IV_SIZE, NULL, 0,
reinterpret_cast<sgx_aes_gcm_128bit_tag_t *>(join_proof.escrow.mac));
if(SGX_SUCCESS != sgx_status){
ret = sgx_error_to_pve_error(sgx_status);
}
ret_point:
(void)memset_s(&psk, sizeof(psk), 0, sizeof(psk));//clear the key
(void)memset_s(&temp_f, sizeof(temp_f), 0, sizeof(temp_f));//clear temp f in stack
if(PVEC_SUCCESS != ret){
(void)memset_s(&join_proof, sizeof(join_proof), 0, sizeof(join_proof));
}
epid_member_delete(&ctx);
return ret;
}
