feat(rtc_data_enclave::ocalls): flesh out save_access_key OCALL

PiDelport · PiDelport · commit ee5365446647 · 2021-07-08T00:37:33.000+02:00
diff --git a/rtc_data_enclave/src/ocalls/mod.rs b/rtc_data_enclave/src/ocalls/mod.rs
@@ -5,4 +5,6 @@ mod save_sealed_blob_impl;
 
 // Re-export the OCALL entry points we're interested in:
 
+#[allow(unused_imports)] // TODO
+pub(crate) use save_access_key_impl::save_access_key;
 pub(crate) use save_sealed_blob_impl::save_sealed_blob_u;
diff --git a/rtc_data_enclave/src/ocalls/save_access_key_impl.rs b/rtc_data_enclave/src/ocalls/save_access_key_impl.rs
@@ -3,11 +3,73 @@
 //! This call is responsible for establishing a protected channel with the auth enclave,
 //! and relaying the sealed exchange with the auth enclave's `save_access_key` ECALL.
 
-use rtc_types::enclave_messages::ffi_set_access_key;
+use rtc_tenclave::dh::{dh_sessions, sealing, DhSessions, ProtectedChannel};
+use rtc_types::enclave_messages::errors::SealingError;
+pub use rtc_types::enclave_messages::ffi_set_access_key::SetAccessKeyEncryptedRequest;
+use rtc_types::enclave_messages::{ffi_set_access_key, set_access_key};
+use rtc_types::EcallResult;
+use sgx_tstd::enclave::get_enclave_id;
 use sgx_types::{sgx_enclave_id_t, sgx_status_t};
 
+// Handle protected channel establishment
+#[allow(dead_code)] // TODO
+pub(crate) fn save_access_key(
+    auth_enclave_id: sgx_enclave_id_t,
+    request: set_access_key::Request,
+) -> Result<set_access_key::Response, SealingError> {
+    let sessions: &DhSessions<_, _> = dh_sessions();
+    sessions.with_acquire_new_or_established(auth_enclave_id, |channel| {
+        save_access_key_sealing(auth_enclave_id, channel, request)
+    })?
+}
+
+// Handle message sealing
+fn save_access_key_sealing(
+    auth_enclave_id: sgx_enclave_id_t,
+    channel: &mut ProtectedChannel,
+    request: set_access_key::Request,
+) -> Result<set_access_key::Response, SealingError> {
+    let sending_enclave_id: sgx_enclave_id_t = get_enclave_id();
+
+    // Seal the request
+    let encrypted_request =
+        sealing::rkyv_seal_associated(channel, &request, &sending_enclave_id).unwrap();
+
+    // Exchange with the auth enclave
+    let encrypted_response = save_access_key_ffi(auth_enclave_id, encrypted_request)?;
+
+    // Unseal the response
+    let response =
+        unsafe { sealing::rkyv_unseal::<set_access_key::Response>(channel, encrypted_response) }?;
+    Ok(response)
+}
+
+/// Handle converting between the [`ffi_set_access_key`] and [`set_access_key`] types.
+fn save_access_key_ffi(
+    auth_enclave_id: sgx_enclave_id_t,
+    encrypted_request: set_access_key::EncryptedRequest,
+) -> set_access_key::SetAccessKeyResult {
+    let ffi_encrypted_request = encrypted_request.into();
+    let ffi_result = save_access_key_u(auth_enclave_id, ffi_encrypted_request);
+    ffi_result.into()
+}
+
+// Handle call
+fn save_access_key_u(
+    auth_enclave_id: sgx_enclave_id_t,
+    encrypted_request: ffi_set_access_key::SetAccessKeyEncryptedRequest,
+) -> ffi_set_access_key::SetAccessKeyResult {
+    let mut retval = ffi_set_access_key::SetAccessKeyResult::default();
+
+    // Safety: Copies ffi_set_access_key::SetAccessKeyResult into retval,
+    // but only valid for sgx_status_t::SGX_SUCCESS.
+    match unsafe { rtc_save_access_key_u(&mut retval, auth_enclave_id, encrypted_request) } {
+        sgx_status_t::SGX_SUCCESS => retval,
+        status_err => EcallResult::Err(status_err.into()),
+    }
+}
+
 extern "C" {
-    #[allow(dead_code)] // TODO
     fn rtc_save_access_key_u(
         retval: *mut ffi_set_access_key::SetAccessKeyResult,
         auth_enclave_id: sgx_enclave_id_t,
