diff --git a/Cargo.lock b/Cargo.lock index c9c6c0e31e..1c25846800 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2532,6 +2532,7 @@ dependencies = [ "mc-attest-verifier", "mc-crypto-noise", "mc-sgx-compat", + "mc-util-serial", "serde", ] @@ -3167,6 +3168,7 @@ dependencies = [ "mc-sgx-build", "mc-sgx-compat", "mc-util-from-random", + "mc-util-serial", "sha2 0.10.6", ] diff --git a/attest/enclave-api/Cargo.toml b/attest/enclave-api/Cargo.toml index f3ebaf381e..7e83b23085 100644 --- a/attest/enclave-api/Cargo.toml +++ b/attest/enclave-api/Cargo.toml @@ -13,6 +13,7 @@ mc-attest-core = { path = "../../attest/core", default-features = false } mc-attest-verifier = { path = "../../attest/verifier", default-features = false } mc-crypto-noise = { path = "../../crypto/noise", default-features = false } mc-sgx-compat = { path = "../../sgx/compat" } +mc-util-serial = { path = "../../util/serial" } displaydoc = { version = "0.2", default-features = false } serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] } diff --git a/attest/enclave-api/src/error.rs b/attest/enclave-api/src/error.rs index 0afddb4901..f741899223 100644 --- a/attest/enclave-api/src/error.rs +++ b/attest/enclave-api/src/error.rs @@ -2,6 +2,7 @@ //! Enclave API Errors +use alloc::{format, string::String}; use core::result::Result as StdResult; use displaydoc::Display; use mc_attest_ake::Error as AkeError; @@ -70,6 +71,12 @@ pub enum Error { /// Too many IAS reports are already in-flight TooManyPendingReports, + /// Encoding error + Encode(String), + + /// Decoding error + Decode(String), + /// Connection not found by node ID or session NotFound, } @@ -127,3 +134,15 @@ impl From for Error { Error::Unseal(src) } } + +impl From for Error { + fn from(src: mc_util_serial::encode::Error) -> Self { + Error::Encode(format!("{}", src)) + } +} + +impl From for Error { + fn from(src: mc_util_serial::decode::Error) -> Self { + Error::Decode(format!("{}", src)) + } +} 
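Review bot: The payload of the new `Encode(String)` and `Decode(String)` variants is probably dropped from the rendered error, because their doc comments `/// Encoding error` and `/// Decoding error` carry no `{0}` placeholder. The file imports `displaydoc::Display`, which builds the `Display` text from the doc comment; the derive line itself is outside the hunk, so this assumes the enum uses it. In that case the message formatted by the two new `From` impls at the end of the file never reaches a log line, and a failed serialize or deserialize shows only the generic text. I would write `/// Encoding error: {0}` and `/// Decoding error: {0}`.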
diff --git a/attest/enclave-api/src/lib.rs b/attest/enclave-api/src/lib.rs index fd04a2d974..360069b34a 100644 --- a/attest/enclave-api/src/lib.rs +++ b/attest/enclave-api/src/lib.rs @@ -87,6 +87,19 @@ pub struct SealedClientMessage { pub data: IntelSealed, } +/// SealedClientRequest structure, which is used in the enclave during the Intel +/// sealing process. Ensures that the data being passed to Intel is not empty. +#[derive(Clone, Debug, Eq, PartialEq, Deserialize, Serialize)] +pub struct SealedClientRequest { + /// The decrypted client request bytes + pub client_request_bytes: Vec, + + /// The channel_id associated with the QueryRequest. Since the channel_id + /// will never be 0, this struct will never serialize into an empty byte + /// array. + pub channel_id: Vec, +} + /// The response to a request for a new report. The enclave will expect the /// QuoteNonce to be used when the report is quoted, and both the quote and /// report to be returned to the enclave during the verify_quote() phase. diff --git a/consensus/enclave/trusted/Cargo.lock b/consensus/enclave/trusted/Cargo.lock index 3f6517cce4..d72d7d8152 100644 --- a/consensus/enclave/trusted/Cargo.lock +++ b/consensus/enclave/trusted/Cargo.lock @@ -771,6 +771,7 @@ dependencies = [ "mc-attest-verifier", "mc-crypto-noise", "mc-sgx-compat", + "mc-util-serial", "serde", ] @@ -1017,6 +1018,7 @@ dependencies = [ "mc-sgx-build", "mc-sgx-compat", "mc-util-from-random", + "mc-util-serial", "sha2", ] @@ -2168,4 +2170,4 @@ dependencies = [ "quote", "syn", "synstructure", -] \ No newline at end of file +] diff --git a/crypto/ake/enclave/Cargo.toml b/crypto/ake/enclave/Cargo.toml index 328c84cc4a..1411040acc 100644 --- a/crypto/ake/enclave/Cargo.toml +++ b/crypto/ake/enclave/Cargo.toml 
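Review bot: The doc comment on `SealedClientRequest` promises a non-empty sealing input, but the type does not enforce the invariant that promise rests on. Both fields are `pub`, there is no constructor, and "the channel_id will never be 0" does not say whether it means zero length or a zero value. I would reword the field doc to state the requirement on the caller, e.g. `/// Must be non-empty: this keeps the serialized struct from being an empty byte array.`, and name where that is guaranteed. Separately, the struct derives `Debug` while `client_request_bytes` holds decrypted client data, so a `{:?}` in a log statement would print plaintext; a manual `Debug` that reports only the length would avoid that.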
@@ -14,6 +14,7 @@ mc-common = { path = "../../../common", default-features = false } mc-crypto-keys = { path = "../../../crypto/keys", default-features = false } mc-crypto-rand = { path = "../../../crypto/rand", default-features = false } mc-util-from-random = { path = "../../../util/from-random" } +mc-util-serial = { path = "../../../util/serial" } mc-sgx-compat = { path = "../../../sgx/compat", default-features = false } aes-gcm = "0.9.4" diff --git a/crypto/ake/enclave/src/lib.rs b/crypto/ake/enclave/src/lib.rs index 48c55e9afc..83691e52db 100644 --- a/crypto/ake/enclave/src/lib.rs +++ b/crypto/ake/enclave/src/lib.rs @@ -17,7 +17,7 @@ use mc_attest_core::{ use mc_attest_enclave_api::{ ClientAuthRequest, ClientAuthResponse, ClientSession, EnclaveMessage, Error, NonceAuthRequest, NonceAuthResponse, NonceSession, PeerAuthRequest, PeerAuthResponse, PeerSession, Result, - SealedClientMessage, + SealedClientMessage, SealedClientRequest, }; use mc_attest_trusted::{EnclaveReport, SealAlgo}; use mc_attest_verifier::{MrEnclaveVerifier, Verifier, DEBUG_ENCLAVE}; @@ -543,7 +543,12 @@ impl AkeEnclaveState { let aad = incoming_client_message.aad.clone(); let channel_id = incoming_client_message.channel_id.clone(); let client_query_bytes = self.client_decrypt(incoming_client_message)?; - let sealed_data = IntelSealed::seal_raw(&client_query_bytes, &[])?; + let sealed_client_query = SealedClientRequest { + client_request_bytes: client_query_bytes, + channel_id: channel_id.clone().into(), + }; + let sealed_client_query_bytes = mc_util_serial::serialize(&sealed_client_query)?; + let sealed_data = IntelSealed::seal_raw(&sealed_client_query_bytes, &[])?; Ok(SealedClientMessage { channel_id, 
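Review bot: The reason for wrapping the plaintext before `IntelSealed::seal_raw` is not stated at the call site in the `@@ -543,7 +543,12 @@` hunk, so a later cleanup could go back to sealing `client_query_bytes` directly. A short comment above the struct literal would help, e.g. `// Seal the request together with its channel_id so the sealed input is never empty, even for an empty client request.` Note also that `seal_raw` is still called with `&[]` as its second argument; if that argument is the additional authenticated text, the `aad` and outer `channel_id` of the returned `SealedClientMessage` are not covered by the seal as far as this hunk shows. The enclosing function starts and ends outside the hunk.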
@@ -555,7 +560,11 @@ impl AkeEnclaveState { /// Unseals the data component of a sealed client message and returns the /// plaintext pub fn unseal(&self, sealed_message: &SealedClientMessage) -> Result> { - Ok(sealed_message.data.unseal_raw()?.0) + let (sealed_client_request_bytes, _) = sealed_message.data.unseal_raw()?; + let sealed_client_request: SealedClientRequest = + mc_util_serial::deserialize(&sealed_client_request_bytes)?; + + Ok(sealed_client_request.client_request_bytes) } /// Transforms a sealed client message, i.e. a message sent from a client @@ -569,14 +578,13 @@ impl AkeEnclaveState { &self, sealed_client_message: &SealedClientMessage, ) -> Result>> { - let (client_query_bytes, _) = sealed_client_message.data.unseal_raw()?; - + let client_request_bytes = self.unseal(sealed_client_message)?; let mut backends = self.backends.lock()?; let backend_messages = backends .iter_mut() .map(|(_, encryptor)| { let aad = sealed_client_message.aad.clone(); - let (data, nonce) = encryptor.encrypt_with_nonce(&aad, &client_query_bytes)?; + let (data, nonce) = encryptor.encrypt_with_nonce(&aad, &client_request_bytes)?; let channel_id = NonceSession::new(encryptor.binding().into(), nonce); Ok(EnclaveMessage { aad, diff --git a/fog/ingest/enclave/trusted/Cargo.lock b/fog/ingest/enclave/trusted/Cargo.lock index f7be98dcf2..bb80a7a15e 100644 --- a/fog/ingest/enclave/trusted/Cargo.lock +++ b/fog/ingest/enclave/trusted/Cargo.lock @@ -791,6 +791,7 @@ dependencies = [ "mc-attest-verifier", "mc-crypto-noise", "mc-sgx-compat", + "mc-util-serial", "serde", ] @@ -944,6 +945,7 @@ dependencies = [ "mc-sgx-build", "mc-sgx-compat", "mc-util-from-random", + "mc-util-serial", "sha2", ] diff --git a/fog/ledger/enclave/trusted/Cargo.lock b/fog/ledger/enclave/trusted/Cargo.lock index 468ca9e683..4a3a1055bc 100644 --- a/fog/ledger/enclave/trusted/Cargo.lock +++ b/fog/ledger/enclave/trusted/Cargo.lock 
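Review bot: `unseal` in the `@@ -555,7 +560,11 @@` hunk deserializes the sealed `channel_id` and then discards it, so nothing visible ties the sealed payload to the `channel_id` carried in the clear on `SealedClientMessage`. The outer fields presumably pass through code outside the enclave, which means a sealed blob paired with a different message's `channel_id` or `aad` would still unseal and be processed. Consider comparing the two before returning, e.g. `let expected: Vec<u8> = sealed_message.channel_id.clone().into();` followed by `if sealed_client_request.channel_id != expected { return Err(Error::NotFound); }` (or a dedicated error variant). The re-encryption path in the next hunk (`@@ -569,14 +578,13 @@`) now goes through `unseal`, so it would pick up the same check.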
@@ -795,6 +795,7 @@ dependencies = [ "mc-attest-verifier", "mc-crypto-noise", "mc-sgx-compat", + "mc-util-serial", "serde", ] @@ -913,6 +914,7 @@ dependencies = [ "mc-sgx-build", "mc-sgx-compat", "mc-util-from-random", + "mc-util-serial", "sha2", ] diff --git a/fog/view/enclave/impl/src/lib.rs b/fog/view/enclave/impl/src/lib.rs index 8bbadb48d9..bdcd0f4f18 100644 --- a/fog/view/enclave/impl/src/lib.rs +++ b/fog/view/enclave/impl/src/lib.rs @@ -330,8 +330,7 @@ where result.decommissioned_ingest_invocations = shared_data.decommissioned_ingest_invocations; result.next_start_from_user_event_id = shared_data.next_start_from_user_event_id; - let block_data = - get_block_data(responses.as_mut_slice(), &result.missed_block_ranges); + let block_data = get_block_data(responses.as_mut_slice(), &result.missed_block_ranges); result.highest_processed_block_count = block_data.highest_processed_block_count; result.highest_processed_block_signature_timestamp = block_data.highest_processed_block_signature_timestamp; diff --git a/fog/view/enclave/impl/src/types.rs b/fog/view/enclave/impl/src/types.rs index 92a94fc464..0d8f3d1579 100644 --- a/fog/view/enclave/impl/src/types.rs +++ b/fog/view/enclave/impl/src/types.rs @@ -1030,10 +1030,7 @@ mod get_block_data_tests { let result = get_block_data(decrypted_query_responses.as_mut(), &[missed_block_range]); - assert_eq!( - result.highest_processed_block_count, - incomplete_block_count - ); + assert_eq!(result.highest_processed_block_count, incomplete_block_count); assert_eq!( result.highest_processed_block_signature_timestamp, incomplete_timestamp @@ -1154,10 +1151,7 @@ mod get_block_data_tests { let result = get_block_data(decrypted_query_responses.as_mut(), &[missed_block_range]); - assert_eq!( - result.highest_processed_block_count, - incomplete_block_count - ); + assert_eq!(result.highest_processed_block_count, incomplete_block_count); assert_eq!( result.highest_processed_block_signature_timestamp, incomplete_timestamp 
@@ -1278,10 +1272,7 @@ mod get_block_data_tests { let result = get_block_data(decrypted_query_responses.as_mut(), &[missed_block_range]); - assert_eq!( - result.highest_processed_block_count, - incomplete_block_count - ); + assert_eq!(result.highest_processed_block_count, incomplete_block_count); assert_eq!( result.highest_processed_block_signature_timestamp, incomplete_timestamp diff --git a/fog/view/enclave/trusted/Cargo.lock b/fog/view/enclave/trusted/Cargo.lock index e9d3173963..d24ef92056 100644 --- a/fog/view/enclave/trusted/Cargo.lock +++ b/fog/view/enclave/trusted/Cargo.lock @@ -801,6 +801,7 @@ dependencies = [ "mc-attest-verifier", "mc-crypto-noise", "mc-sgx-compat", + "mc-util-serial", "serde", ] @@ -954,6 +955,7 @@ dependencies = [ "mc-sgx-build", "mc-sgx-compat", "mc-util-from-random", + "mc-util-serial", "sha2", ]