ntls-io
diff --git a/‎rtc_auth_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎rtc_auth_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_data_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎rtc_data_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_exec_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎rtc_exec_enclave/Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_tenclave/Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎rtc_tenclave/Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_tenclave/Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎rtc_tenclave/Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_tenclave/src/dh/protected_channel.rs
Lines changed: 1 addition & 1 deletion b/‎rtc_tenclave/src/dh/protected_channel.rs
Lines changed: 1 addition & 1 deletion
diff --git a/‎rtc_tenclave/src/lib.rs
Lines changed: 1 addition & 0 deletions b/‎rtc_tenclave/src/lib.rs
Lines changed: 1 addition & 0 deletions
diff --git a/‎rtc_tenclave/src/sealing.rs
Lines changed: 110 additions & 0 deletions b/‎rtc_tenclave/src/sealing.rs
Lines changed: 110 additions & 0 deletions
@@ -63,6 +63,7 @@ ring = { version = "0.17.0-alpha.8", default-features = false }
 sodalite = { version = "0.4.0", default-features = false }
 cfg-if = "1.0.0"
 hex = { version = "0.4.3", default-features = false, features = ["alloc"] }
+rkyv = { version = "0.6.6", default_features = false, features = ["const_generics", "strict"] }
 
 [dev-dependencies]
 thiserror_std = { package = "thiserror", version = "1.0.9" }
 
@@ -54,7 +54,7 @@ impl ProtectedChannel {
 
     pub fn decrypt_message<const MESSAGE_SIZE: usize, const AAD_SIZE: usize>(
         &self,
-        message: EncryptedEnclaveMessage<MESSAGE_SIZE, AAD_SIZE>,
+        message: &EncryptedEnclaveMessage<MESSAGE_SIZE, AAD_SIZE>,
     ) -> Result<[u8; MESSAGE_SIZE], sgx_status_t> {
         let mut dst = [0_u8; MESSAGE_SIZE];
         rsgx_rijndael128GCM_decrypt(
 
@@ -26,4 +26,5 @@ pub mod dh;
 pub mod crypto;
 pub mod enclave;
 pub mod kv_store;
+pub mod sealing;
 pub mod util;
@@ -0,0 +1,110 @@
+use core::mem::size_of;
+
+use sgx_types::sgx_status_t;
+
+use rkyv::{
+    ser::serializers::{BufferSerializer, BufferSerializerError},
+    Aligned, Archive, Deserialize, Infallible, Serialize,
+};
+
+use rtc_types::{
+    binhelpers::{rkyv_read_array, rkyv_write_array},
+    enclave_messages::{set_access_key, EncryptedEnclaveMessage},
+};
+
+use crate::dh::ProtectedChannel;
+
+pub fn rkyv_seal_associated<T, A>(
+    channel: &mut ProtectedChannel,
+    unsealed: &T,
+    associated: &A,
+) -> Result<
+    EncryptedEnclaveMessage<{ size_of::<T::Archived>() }, { size_of::<A::Archived>() }>,
+    SealingError,
+>
+where
+    T: Serialize<BufferSerializer<Aligned<[u8; size_of::<T::Archived>()]>>>,
+    A: Serialize<BufferSerializer<Aligned<[u8; size_of::<A::Archived>()]>>>,
+{
+    let plaintext = rkyv_write_array(unsealed)?;
+    let aad = rkyv_write_array(associated)?;
+    let sealed = channel.encrypt_message(plaintext, aad)?;
+    Ok(sealed)
+}
+
+pub unsafe fn rkyv_unseal_associated<T, A>(
+    channel: &ProtectedChannel,
+    sealed: &EncryptedEnclaveMessage<{ size_of::<T::Archived>() }, { size_of::<A::Archived>() }>,
+) -> Result<(T, A), SealingError>
+where
+    T: Archive,
+    T::Archived: Deserialize<T, Infallible>,
+    A: Archive,
+    A::Archived: Deserialize<A, Infallible>,
+{
+    let plaintext = &channel.decrypt_message(sealed)?;
+    let unsealed = unsafe { rkyv_read_array(plaintext) };
+    let associated = unsafe { rkyv_read_array(&sealed.aad) };
+    Ok((unsealed, associated))
+}
+
+pub fn rkyv_seal<T>(
+    channel: &mut ProtectedChannel,
+    unsealed: &T,
+) -> Result<EncryptedEnclaveMessage<{ size_of::<T::Archived>() }, 0>, SealingError>
+where
+    T: Serialize<BufferSerializer<Aligned<[u8; size_of::<T::Archived>()]>>>,
+{
+    let bytes = rkyv_write_array(unsealed)?;
+    let sealed = channel.encrypt_message(bytes, [])?;
+    Ok(sealed)
+}
+
+pub unsafe fn rkyv_unseal<T>(
+    channel: &ProtectedChannel,
+    sealed: &EncryptedEnclaveMessage<{ size_of::<T::Archived>() }, 0>,
+) -> Result<T, SealingError>
+where
+    T: Archive,
+    T::Archived: Deserialize<T, Infallible>,
+{
+    let bytes = &channel.decrypt_message(sealed)?;
+    let unsealed = unsafe { rkyv_read_array(bytes) };
+    Ok(unsealed)
+}
+
+// #[cfg(test)]
+// mod tests {
+//     use core::mem::size_of_val;
+//
+//     use super::*;
+//
+//     #[test]
+//     fn test_seal_unseal_request() {
+//         let test = |request: &Request| {
+//             let bytes = &rkyv_write_array(request).unwrap();
+//             assert_eq!(size_of_val(bytes), ARCHIVED_FOO_SIZE);
+//
+//             let unsealed = &unsafe { rkyv_read_array(bytes) };
+//             assert_eq!(request, unsealed);
+//         };
+//         proptest!(|(value: Request)| test(&value));
+//     }
+// }
+
+pub enum SealingError {
+    Rkyv(BufferSerializerError),
+    Sgx(sgx_status_t),
+}
+
+impl From<BufferSerializerError> for SealingError {
+    fn from(error: BufferSerializerError) -> Self {
+        SealingError::Rkyv(error)
+    }
+}
+
+impl From<sgx_status_t> for SealingError {
+    fn from(status: sgx_status_t) -> Self {
+        SealingError::Sgx(status)
+    }
+}