Fix blank query sealing issue

attest/enclave-api/Cargo.toml

@@ -13,6 +13,7 @@ mc-attest-core = { path = "../../attest/core", default-features = false }
 mc-attest-verifier = { path = "../../attest/verifier", default-features = false }
 mc-crypto-noise = { path = "../../crypto/noise", default-features = false }
 mc-sgx-compat = { path = "../../sgx/compat" }
+mc-util-serial = { path = "../../util/serial" }
 
 displaydoc = { version = "0.2", default-features = false }
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] }

attest/enclave-api/src/error.rs

@@ -2,6 +2,7 @@
 
 //! Enclave API Errors
 
+use alloc::{format, string::String};
 use core::result::Result as StdResult;
 use displaydoc::Display;
 use mc_attest_ake::Error as AkeError;
@@ -70,6 +71,12 @@ pub enum Error {
     /// Too many IAS reports are already in-flight
     TooManyPendingReports,
 
+    /// Encoding error
+    Encode(String),
+
+    /// Decoding error
+    Decode(String),
+
     /// Connection not found by node ID or session
     NotFound,
 }
@@ -127,3 +134,15 @@ impl From<ParseSealedError> for Error {
         Error::Unseal(src)
     }
 }
+
+impl From<mc_util_serial::encode::Error> for Error {
+    fn from(src: mc_util_serial::encode::Error) -> Self {
+        Error::Encode(format!("{}", src))
+    }
+}
+
+impl From<mc_util_serial::decode::Error> for Error {
+    fn from(src: mc_util_serial::decode::Error) -> Self {
+        Error::Decode(format!("{}", src))
+    }
+}

attest/enclave-api/src/lib.rs

@@ -87,6 +87,19 @@ pub struct SealedClientMessage {
     pub data: IntelSealed,
 }
 
+/// SealedClientRequest structure, which is used in the enclave during the Intel
+/// sealing process. Ensures that the data being passed to Intel is not empty.
+#[derive(Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
+pub struct SealedClientRequest {
+    /// The decrypted client request bytes
+    pub client_request_bytes: Vec<u8>,
+
+    /// The channel_id associated with the QueryRequest. Since the channel_id
+    /// will never be 0, this struct will never serialize into an empty byte
+    /// array.
+    pub channel_id: Vec<u8>,
+}
+
 /// The response to a request for a new report. The enclave will expect the
 /// QuoteNonce to be used when the report is quoted, and both the quote and
 /// report to be returned to the enclave during the verify_quote() phase.

crypto/ake/enclave/Cargo.toml

@@ -14,6 +14,7 @@ mc-common = { path = "../../../common", default-features = false }
 mc-crypto-keys = { path = "../../../crypto/keys", default-features = false }
 mc-crypto-rand = { path = "../../../crypto/rand", default-features = false }
 mc-util-from-random = { path = "../../../util/from-random" }
+mc-util-serial = { path = "../../../util/serial" }
 mc-sgx-compat = { path = "../../../sgx/compat", default-features = false }
 
 aes-gcm = "0.9.4"

crypto/ake/enclave/src/lib.rs

@@ -17,7 +17,7 @@ use mc_attest_core::{
 use mc_attest_enclave_api::{
     ClientAuthRequest, ClientAuthResponse, ClientSession, EnclaveMessage, Error, NonceAuthRequest,
     NonceAuthResponse, NonceSession, PeerAuthRequest, PeerAuthResponse, PeerSession, Result,
-    SealedClientMessage,
+    SealedClientMessage, SealedClientRequest,
 };
 use mc_attest_trusted::{EnclaveReport, SealAlgo};
 use mc_attest_verifier::{MrEnclaveVerifier, Verifier, DEBUG_ENCLAVE};
@@ -543,7 +543,12 @@ impl<EI: EnclaveIdentity> AkeEnclaveState<EI> {
         let aad = incoming_client_message.aad.clone();
         let channel_id = incoming_client_message.channel_id.clone();
         let client_query_bytes = self.client_decrypt(incoming_client_message)?;
-        let sealed_data = IntelSealed::seal_raw(&client_query_bytes, &[])?;
+        let sealed_client_query = SealedClientRequest {
+            client_request_bytes: client_query_bytes,
+            channel_id: channel_id.clone().into(),
+        };
+        let sealed_client_query_bytes = mc_util_serial::serialize(&sealed_client_query)?;
+        let sealed_data = IntelSealed::seal_raw(&sealed_client_query_bytes, &[])?;
 
         Ok(SealedClientMessage {
             channel_id,
@@ -555,7 +560,11 @@ impl<EI: EnclaveIdentity> AkeEnclaveState<EI> {
     /// Unseals the data component of a sealed client message and returns the
     /// plaintext
     pub fn unseal(&self, sealed_message: &SealedClientMessage) -> Result<Vec<u8>> {
-        Ok(sealed_message.data.unseal_raw()?.0)
+        let (sealed_client_request_bytes, _) = sealed_message.data.unseal_raw()?;
+        let sealed_client_request: SealedClientRequest =
+            mc_util_serial::deserialize(&sealed_client_request_bytes)?;
+
+        Ok(sealed_client_request.client_request_bytes)
     }
 
     /// Transforms a sealed client message, i.e. a message sent from a client
@@ -569,14 +578,13 @@ impl<EI: EnclaveIdentity> AkeEnclaveState<EI> {
         &self,
         sealed_client_message: &SealedClientMessage,
     ) -> Result<Vec<EnclaveMessage<NonceSession>>> {
-        let (client_query_bytes, _) = sealed_client_message.data.unseal_raw()?;
-
+        let client_request_bytes = self.unseal(sealed_client_message)?;
         let mut backends = self.backends.lock()?;
         let backend_messages = backends
             .iter_mut()
             .map(|(_, encryptor)| {
                 let aad = sealed_client_message.aad.clone();
-                let (data, nonce) = encryptor.encrypt_with_nonce(&aad, &client_query_bytes)?;
+                let (data, nonce) = encryptor.encrypt_with_nonce(&aad, &client_request_bytes)?;
                 let channel_id = NonceSession::new(encryptor.binding().into(), nonce);
                 Ok(EnclaveMessage {
                     aad,