- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there,
it's quite urgent since I have a deadline this week and I need to figure out what's wrong so I hope someone will be able to help. Note that I developed everything in simulation mode since my university didn't provide me a machine with IntelSGX in time as promised.
In short, I made an application that is able to encrypt/decrypt a variable, another one that is able to save and retrieve to/from a file. But when I put these two functionalities together something weird happens.
Enclave2.cpp
#include "Enclave2_t.h" #include "sgx_trts.h" #include "sgx_utils.h" #include "sgx_key.h" #include "sgx_tcrypto.h" #include "string.h" #include "stdlib.h" #include "sgx_tprotected_fs.h" void enclaveDemo() { sgx_status_t ret = SGX_SUCCESS; sgx_key_128bit_t key; sgx_report_t report; sgx_report_data_t reportData; uint8_t payload = 222; //number that I want to encrypt and then decrypt uint8_t dest; //after encryption uint8_t dest2; //after decryption uint8_t piv = 0; sgx_aes_gcm_128bit_tag_t mac; uint32_t seal_length = sizeof(dest); uint32_t unseal_length = sizeof(dest2); //CREATE REPORT TO GET THE CPUSVN sgx_create_report(NULL, &reportData, &report); //CREATE KEY sgx_key_request_t kreq = { SGX_KEYSELECT_SEAL, SGX_KEYPOLICY_MRENCLAVE, report.body.isv_svn, 0, report.body.cpu_svn , NULL, 2, NULL, 0 }; ret = sgx_get_key(&kreq, &key); //ENCRYPTION ret = sgx_rijndael128GCM_encrypt(&key, &payload, seal_length, &dest, &piv, 12, NULL, NULL, &mac); printInt(dest); // Ocall to print an int //DECRYPTION ret = sgx_rijndael128GCM_decrypt(&key, &dest, unseal_length, &dest2, &piv, 12, NULL, NULL, &mac); if (ret == SGX_ERROR_MAC_MISMATCH) { printInt(-1); //failed } else if (ret != SGX_SUCCESS) { printInt(-2); //failed } else { printInt((int)dest2); //cast to int not necessary } }
and this works perfectly: I want to encrypt 222 so dest is changing everytime I rebuild (e.g. 43, or when I rebuild 201, rerebuilding 18, etc) and dest2 is always 222 with NO mac mismatch.
Introducing just few lines more (even if I wrote more) I get an SGX_ERROR_MAC_MISMATCH . Looks like the function sgx_fwrite does something to the variable dest.
Enclave2.cpp EDIT1
#include "Enclave2_t.h" #include "sgx_trts.h" #include "sgx_utils.h" #include "sgx_key.h" #include "sgx_tcrypto.h" #include "string.h" #include "stdlib.h" #include "sgx_tprotected_fs.h" void enclaveDemo() { sgx_status_t ret = SGX_SUCCESS; sgx_key_128bit_t key; sgx_report_t report; sgx_report_data_t reportData; uint8_t payload = 222; //number that I want to encrypt and then decrypt uint8_t dest; //after encryption uint8_t dest2; //after decryption uint8_t piv = 0; sgx_aes_gcm_128bit_tag_t mac; uint32_t seal_length = sizeof(dest); uint32_t unseal_length = sizeof(dest2); SGX_FILE* pFile; size_t sizeofWrite; //CREATE REPORT TO GET THE CPUSVN sgx_create_report(NULL, &reportData, &report); //CREATE KEY sgx_key_request_t kreq = { SGX_KEYSELECT_SEAL, SGX_KEYPOLICY_MRENCLAVE, report.body.isv_svn, 0, report.body.cpu_svn , NULL, 2, NULL, 0 }; ret = sgx_get_key(&kreq, &key); //ENCRYPTION ret = sgx_rijndael128GCM_encrypt(&key, &payload, seal_length, &dest, &piv, 12, NULL, NULL, &mac); pFile = sgx_fopen_auto_key("test.bin", "w+"); //works write/read if (pFile == NULL) { enclaveOutputInt(-2); //error } sizeofWrite = sgx_fwrite(&dest, sizeof(uint8_t), sizeof(dest), pFile); printInt(dest); // Ocall to print an int //DECRYPTION ret = sgx_rijndael128GCM_decrypt(&key, &dest, unseal_length, &dest2, &piv, 12, NULL, NULL, &mac); if (ret == SGX_ERROR_MAC_MISMATCH) { printInt(-1); //failed } else if (ret != SGX_SUCCESS) { printInt(-2); //failed } else { printInt((int)dest2); //cast to int not necessary } }
What's going on?
Thanks in advance for your help,
Stefano
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you found the resolution for SGX_ERROR_MAC_MISMATCH?
I was trying sgx_rijndael128GCM_encrypt() and sgx_rijndael128GCM_decrypt() apis. Noticed that const uint8_t *p_iv, and sgx_aes_gcm_128bit_tag_t *p_out_mac has to be passed from encrypt() api to decrypt() api for successful decryption. I used sgx_fopen_auto_key(), sgx_fwrite(), sgx_fclose() to write const uint8_t *p_iv value from the encrypt. When the decrypt tries to use p_iv, SGX_ERROR_MAC_MISMATCH error happens.
Thanks in advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is the problem with your IV. You have declared IV as uint8_t which is 8 bytes, and are inputting 12 as length of IV. It is going to read four extra random bytes from the start of the address that is pointing to piv.
Solution: Declare iv as an array uint8_t iv[12] and initialize it with meaninful bytes and use &iv[0] or just iv in encrypt/decrypt calls and it will work.
Cheers,
Sankar
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page