ra-tls: Add ra-tls support

ra-tls intends to establish the link between hardware-based remote attestation and TLS secure channel implementation, which provides more flexibilities on enclave management and communication. This is the initial PoC implementation, and the code base of current implementation is mainly inspired from https://github.com/cloud-security-research/sgx-ra-tls. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

ra-tls: Add ra-tls support
ra-tls intends to establish the link between hardware-based remote attestation and TLS secure channel implementation, which provides more flexibilities on enclave management and communication. This is the initial PoC implementation, and the code base of current implementation is mainly inspired from https://github.com/cloud-security-research/sgx-ra-tls. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
157a1f8d · jia zhang · f69987ee · 157a1f8d · 157a1f8d · 157a1f8d
39 changed file
--- a/ra-tls/.gitignore
+++ b/ra-tls/.gitignore
+build
+curl-wolfssl
+wolfssl
+wolfssl-examples
+*.so
+*.o
+sgx-ra-tls/ra_tls_options.c
+sgx-ra-tls/ra_tls_t.c
+sgx-ra-tls/ra_tls_t.h
+sgx-ra-tls/ra_tls_u.c
+sgx-ra-tls/ra_tls_u.h
+stub-enclave/Wolfssl_Enclave_t.c
+stub-enclave/Wolfssl_Enclave_t.h
+pal/Wolfssl_Enclave_u.c
+pal/Wolfssl_Enclave_u.h
--- a/ra-tls/Makefile
+++ b/ra-tls/Makefile
+TOPDIR := $(shell readlink -f .)
+export TOPDIR
+
+DEBUG ?=
+
+PREFIX ?= $(TOPDIR)/build
+BINDIR := $(PREFIX)/bin
+LIBDIR := $(PREFIX)/lib
+INCDIR := $(PREFIX)/include
+
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_RA_TLS := $(TOPDIR)/sgx-ra-tls
+WOLFSSL := $(TOPDIR)/wolfssl
+
+ifdef ECDSA
+  SGX_DCAP_URI := https://github.com/intel/SGXDataCenterAttestationPrimitives
+  SGX_DCAP_COMMIT := bfab1376480f760757738092399d0d99b22f4dfd
+  SGX_DCAP ?= SGXDataCenterAttestationPrimitives
+  SGX_DCAP_INC := -I$(SGX_DCAP)/QuoteGeneration/quote_wrapper/common/inc -I$(SGX_DCAP)/QuoteGeneration/pce_wrapper/inc -I$(SGX_DCAP)/QuoteVerification/Src/AttestationLibrary/include
+endif
+
+#EPID_SDK := $(SGX_SDK)/external/epid-sdk
+
+CFLAGS += -std=gnu99 -I$(SGX_RA_TLS) -I$(SGX_SDK)/include -I$(INCDIR) $(SGX_DCAP_INC) -fPIC
+#CFLAGSERRORS := -Wall -Wextra -Wwrite-strings -Wlogical-op -Wshadow -Werror
+CFLAGS += $(CFLAGSERRORS) -g -O0 -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_CERT_EXT # -DDEBUG -DDYNAMIC_RSA
+CFLAGS += -DSGX_GROUP_OUT_OF_DATE
+ifdef ECDSA
+  CFLAGS += -DRATLS_ECDSA
+endif
+#CFLAGS += -I$(SGX_GIT)/common/inc/internal -I$(EPID_SDK) -I$(SGX_GIT)/common/inc
+
+CC ?= gcc
+
+export DEBUG PREFIX BINDIR LIBDIR INCDIR SGX_SDK SGX_RA_TLS WOLFSSL CC
+
+deps := $(LIBDIR)/libwolfssl.sgx.static.lib.a $(LIBDIR)/libsgx_ra_tls_wolfssl.a $(LIBDIR)/libcurl-wolfssl.a
+all: $(deps) $(BINDIR)/ra-tls-client $(BINDIR)/ra-tls-server $(BINDIR)/Wolfssl_Enclave.signed.so
+	$(MAKE) -C pal
+
+WOLFSSL_CLIENT_LIBS := -l:libra-challenger.a -l:libwolfssl.a -lm
+ifdef ECDSA
+  WOLFSSL_CLIENT_LIBS += -l:libQuoteVerification.so -ldl
+  $(BINDIR)/ra-tls-client: $(LIBDIR)/libQuoteVerification.so
+endif
+$(BINDIR)/ra-tls-client: $(BINDIR) $(LIBDIR)/libra-challenger.a $(LIBDIR)/libwolfssl.a wolfssl-examples wolfssl-examples/tls/client-tls.c
+	$(CC) -o "$@" $(filter %.c, $^) $(CFLAGS) -L$(LIBDIR) $(WOLFSSL_CLIENT_LIBS)
+
+$(BINDIR)/ra-tls-server: $(LIBDIR)/libwolfssl.sgx.static.lib.a $(LIBDIR)/libsgx_ra_tls_wolfssl.a
+ifndef ECDSA
+	cp -f $(SGX_RA_TLS)/sgxsdk-ra-attester_u.c $(SGX_RA_TLS)/ias-ra.c wolfssl-examples/SGX_Linux/untrusted && \
+	  $(MAKE) -C wolfssl-examples/SGX_Linux SGX_MODE=HW SGX_DEBUG=1 SGX_WOLFSSL_LIB=$(shell readlink -f wolfssl/IDE/LINUX-SGX) SGX_SDK=$(SGX_SDK) WOLFSSL_ROOT=$(shell readlink -f wolfssl) SGX_RA_TLS_LIB=$(shell readlink -f $(SGX_RA_TLS))
+endif
+	cp -f wolfssl-examples/SGX_Linux/App "$@"
+
+$(BINDIR)/Wolfssl_Enclave.signed.so: $(BINDIR)
+	$(MAKE) -C stub-enclave && \
+	  cp -f stub-enclave/Wolfssl_Enclave.signed.so "$@"
+
+# Add --enable-debug to ./configure for debug build
+# WOLFSSL_ALWAYS_VERIFY_CB: Always call certificate verification callback, even if verification succeeds
+# KEEP_OUR_CERT: Keep the certificate around after the handshake
+# --enable-tlsv10: required by libcurl
+# 2019-03-19 removed --enable-intelasm configure flag. The Celeron NUC I am developing this, does not support AVX.
+WOLFSSL_CFLAGS := -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_ALWAYS_VERIFY_CB -DKEEP_PEER_CERT -Wno-stringop-truncation
+ifdef DEBUG
+  WOLFSSL_CFLAGS += --enable-debug
+endif
+$(LIBDIR)/libwolfssl.a: CFLAGS += $(WOLFSSL_CFLAGS)
+$(LIBDIR)/libwolfssl.a: $(LIBDIR) wolfssl
+	cd wolfssl && $(MAKE) install
+
+wolfssl: WOLFSSL_CONFIGURE_FLAGS := --prefix=$(shell readlink -f $(PREFIX)) --enable-writedup --enable-static --enable-keygen --enable-certgen --enable-certext --with-pic --disable-examples --disable-crypttests --enable-aesni --enable-tlsv10
+wolfssl:
+	git clone https://github.com/wolfSSL/wolfssl && \
+	  cd wolfssl && git checkout 57e5648a5dd734d1c219d385705498ad12941dd0 && \
+	  patch -p1 < ../patch/wolfssl.patch && \
+	  ./autogen.sh && \
+	  CFLAGS="$(CFLAGS)" ./configure $(WOLFSSL_CONFIGURE_FLAGS)
+
+wolfssl-examples:
+	git clone https://github.com/wolfSSL/wolfssl-examples.git && \
+	  cd wolfssl-examples && \
+	  git checkout 94b94262b45d264a40d484060cee595b26bdbfd7 && \
+	  patch -p1 < ../patch/wolfssl-examples.patch
+
+ifdef ECDSA
+  $(LIBDIR)/libra-challenger.a: $(SGX_RA_TLS)/ecdsa-sample-data/real/sample_data.o
+endif
+# sgx-ra-tls needs the header files from wolfssl.
+$(LIBDIR)/libra-challenger.a: $(LIBDIR) $(LIBDIR)/libwolfssl.a $(SGX_RA_TLS)/ra.o $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
+	$(AR) rcs "$@" $(filter %.o, $^)
+
+# Ideally, libwolfssl.sgx.static.lib.a and libwolfssl.a could be built
+# in parallel. Does not work however. Hence, the dependency forces a
+# serial build.
+#
+# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
+$(LIBDIR)/libwolfssl.sgx.static.lib.a: $(LIBDIR) $(LIBDIR)/libwolfssl.a
+	cd wolfssl/IDE/LINUX-SGX && \
+	  make -f sgx_t_static.mk CFLAGS="-DUSER_TIME -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_KEY_GEN -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192" && \
+	  cp -f libwolfssl.sgx.static.lib.a "$@"
+
+$(LIBDIR)/libsgx_ra_tls_wolfssl.a: $(LIBDIR)
+# Previous Makefile compiles these .o files with incorrect C flags
+# Don't disturb the build of libsgx_ra_tls_wolfssl.a
+	rm -f $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
+	$(MAKE) -C $(SGX_RA_TLS) && \
+	  mv -f $(SGX_RA_TLS)/libsgx_ra_tls_wolfssl.a "$@"
+# Don't disturb the build of libra-challenger.a
+	rm -f $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
+
+$(LIBDIR)/libcurl-wolfssl.a: $(LIBDIR) curl-wolfssl $(LIBDIR)/libwolfssl.a
+	cd curl-wolfssl && $(MAKE) && \
+	  cp -f lib/.libs/libcurl.a "$@"
+
+CURL_CONFFLAGS := --prefix=$(shell readlink -f $(PREFIX)) --without-libidn --without-librtmp --without-libssh2 --without-libmetalink --without-libpsl --disable-ldap --disable-ldaps --disable-shared
+ifdef DEBUG
+CURL_CONFFLAGS += --enable-debug
+endif
+curl-wolfssl:
+	git clone https://github.com/curl/curl.git -b curl-7_47_0 curl-wolfssl && \
+	  cd curl-wolfssl && ./buildconf && \
+	  CFLAGS="-fPIC" ./configure $(CURL_CONFFLAGS) --without-ssl --with-cyassl=$(shell readlink -f $(PREFIX))
+
+ifdef ECDSA
+  wolfssl-ra-attester.o: ecdsa-sample-data/real/sample_data.h ecdsa-attestation-collateral.h
+  ecdsa-ra-attester.o: ecdsa-aesmd-messages.pb-c.c
+
+ecdsa-aesmd-messages.pb-c.c:
+	cp $(SGX_DCAP)/SampleCode/QuoteServiceSample/App/ecdsa-aesmd-messages.proto .
+	protoc-c ecdsa-aesmd-messages.proto --c_out=.
+
+messages.pb-c.c:
+	( cd linux-sgx/psw/ae/common/proto/ ; protoc-c messages.proto --c_out=. )
+	cp linux-sgx/psw/ae/common/proto/messages.pb-c.c linux-sgx/psw/ae/common/proto/messages.pb-c.h .
+endif
+
+$(LIBDIR)/libra-attester.a: wolfssl wolfssl-ra-attester.o wolfssl-ra.o ias-ra.o
+	$(AR) rcs $@ $(filter %.o, $^)
+
+$(BINDIR):
+	mkdir -p "$(BINDIR)"
+
+$(LIBDIR):
+	mkdir -p "$(LIBDIR)"
+
+clean:
+	rm -rf $(PREFIX)
+	[ -d curl-wolfssl ] && $(MAKE) clean -C curl-wolfssl || true
+	[ -d wolfssl ] && $(MAKE) clean -C wolfssl || true
+	[ -d wolfssl-examples ] && $(MAKE) clean -C wolfssl-examples || true
+	$(MAKE) -C pal clean
+	$(MAKE) -C stub-enclave clean
+	$(MAKE) -C $(SGX_RA_TLS) clean
+	rm -f wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a
+
+mrproper:
+	$(MAKE) clean
+	rm -rf curl-wolfssl wolfssl wolfssl-examples
+
+.PHONY: stub_enclave clean mrproper 
--- a/stub_enclave/README.md
+++ b/stub_enclave/README.md
+# Configure SGX RA settings
+``` shell
+export SPID=<hex string>
+export EPID_SUBSCRIPTION_KEY=<hex string>
+export QUOTE_TYPE=<SGX_LINKABLE_SIGNATURE | SGX_UNLINKABLE_SIGNATURE>
+```
+
 # Build Stub Enclave
 ``` shell
-cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/stub_enclave"
+cd "${path_to_inclavare_containers}/stub-enclave"
 make
 sudo make install
 ```
@@ -20,12 +27,12 @@ cp /lib/x86_64-linux-gnu/libseccomp.so.2 lib
 ``` shell
 FROM ubuntu:18.04
  
-RUN mkdir -p /run/rune/sgxsdk
+RUN mkdir -p /run/rune/stub-enclave
 WORKDIR /run/rune

 COPY lib                        /lib
-COPY liberpal-sgxsdk.so         .
-COPY Wolfssl_Enclave.signed.so  sgxsdk
+COPY liberpal-stub.so         .
+COPY Wolfssl_Enclave.signed.so  stub-enclave

 RUN ldconfig
 ```
@@ -36,7 +43,7 @@ docker build -t ${stub-enclave-image} .

 # run stub-enclave images with rune
 ``` shell
-sudo docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
-		-e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-sgxsdk.so \
-		-e ENCLAVE_RUNTIME_ARGS=sgxsdk ${stub-enclave-image}
+docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
+	-e ENCLAVE_RUNTIME_PATH=/lib/liberpal-stub.so \
+	-e ENCLAVE_RUNTIME_ARGS=stub-enclave ${stub-enclave-image}
 ```
--- a/stub_enclave/untrusted/App.c
+++ b/stub_enclave/untrusted/App.c
 #include "App.h" /* contains include of Enclave_u.h which has wolfSSL header files */
 #include "assert.h"
 #include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
+//#include <wolfssl/certs_test.h>
+#include <sys/time.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <unistd.h>
@@ -18,9 +19,13 @@
 #endif

 static sgx_enclave_id_t global_eid = SGX_ERROR_INVALID_ENCLAVE_ID;
-static bool initialized = false;
 static unsigned int num = 0;

+typedef struct pal_attr {
+	const char *instance_dir;
+	const char *log_level;
+} pal_attr_t;
+
 struct pal_stdio_fds {
 	int stdin, stdout, stderr;
 };
@@ -38,88 +43,118 @@ struct pal_exec_args {
 	int *exit_value;
 };

-const char* get_enclave_absolute_path(char* instance_dir) {
+static sgx_enclave_id_t get_enclave_id(void) {
+	return global_eid;
+}
+
+static const char *get_enclave_absolute_path(const char *instance_dir)
+{
 	static char enclave_path[MAX_PATH + 1] = {0};
+
 	strncat(enclave_path, instance_dir, MAX_PATH);
 	strncat(enclave_path, "/", MAX_PATH);
 	strncat(enclave_path, ENCLAVE_FILENAME, MAX_PATH);
-	return (const char*)enclave_path;
+	return (const char *)enclave_path;
 }

-int pal_get_version(void) {
-    return PAL_VERSION;
+int pal_get_version(void)
+{
+	return PAL_VERSION;
 }

-int pal_init(const sgxsdk_pal_attr_t* attr) {
+int pal_init(const pal_attr_t *attr)
+{
 	errno = 0;

-	if (attr == NULL) {
-		return -EINVAL;
+	if (get_enclave_id() != SGX_ERROR_INVALID_ENCLAVE_ID) {
+		errno = EINVAL;
+		PAL_ERROR("Enclave runtime has been initialized!");
+		return -1;
 	}

-	if (attr->instance_dir == NULL) {
-		return -EINVAL;
+	if (!attr) {
+		errno = EINVAL;
+		return -1;
 	}

-	PAL_INFO("attr->instance_dir = %s", attr->instance_dir);
-	sgx_enclave_id_t eid = pal_get_enclave_id();
-	if (eid != SGX_ERROR_INVALID_ENCLAVE_ID) {
-		PAL_ERROR("Enclave has been initialized.");
-		return -EEXIST;
+	if (!attr->instance_dir) {
+		errno = EINVAL;
+		return -1;
 	}

-	sgx_enclave_id_t id;
-	sgx_launch_token_t t;
-
-	int ret = 0;
-	int updated = 0;
+	PAL_DEBUG("attr->instance_dir = %s", attr->instance_dir);

+	sgx_launch_token_t t;
 	memset(t, 0, sizeof(sgx_launch_token_t));

-	char * enclave_path = get_enclave_absolute_path(attr->instance_dir);
-	PAL_INFO("enclave_path = %s", enclave_path);
+	const char *enclave_path = get_enclave_absolute_path(attr->instance_dir);
+	PAL_DEBUG("enclave_path = %s", enclave_path);

-	ret = sgx_create_enclave(enclave_path, DEBUG_VALUE, &t, &updated, &id, NULL);
+	sgx_enclave_id_t id;
+	int updated = 0;
+	int ret = sgx_create_enclave(enclave_path, DEBUG_VALUE, &t, &updated, &id, NULL);
 	if (ret != SGX_SUCCESS) {
-		PAL_ERROR("Failed to create Enclave : error %d - %#x.", ret, ret);
-		return ret;
+		PAL_ERROR("Failed to create Enclave: error %d.", ret);
+		return -1;
 	}

 	global_eid = id;
-	initialized = true;
+
+	return 0;
 }

 int pal_create_process(struct pal_create_process_args *args)
 {
-	if (args->path == NULL || access(args->path, F_OK) != 0)
-		return -ENOENT;	
+	errno = 0;

-	if (access(args->path, R_OK) != 0)
-		return -EACCES;
+	if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
+		errno = EINVAL;
+		PAL_ERROR("Enclave runtime uninitialized yet!");
+		return -1;
+	}

-	if (!args->stdio)
-		return -EINVAL;
+	if (args == NULL || args->path == NULL) {
+		errno = EINVAL;
+		return -1;
+	}

-	if (!args->pid)
-		return -EINVAL;
+	if (access(args->path, F_OK) != 0)
+		return -1;

-	if (!initialized) {
-		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
-		return -EINVAL;
+	if (access(args->path, R_OK) != 0)
+		return -1;
+
+	if (!args->stdio) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (!args->pid) {
+		errno = EINVAL;
+		return -1;
 	}

 	return 0;
 }

-int pal_exec(struct pal_exec_args *args){
-	if (args->exit_value == NULL) {
+int pal_exec(struct pal_exec_args *args)
+{
+	errno = 0;
+
+	if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
 		errno = EINVAL;
+		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
 		return -1;
 	}

-	if (num == 0) {
-		num ++;
-		while(1) {
+	if (!args || !args->exit_value) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (!num) {
+		++num;
+		while (1) {
 			printf("Hello World!\n");
 			printf("    - Powered by ACK-TEE and runE\n");
 			fflush(stdout);
@@ -135,99 +170,98 @@ int pal_exec(struct pal_exec_args *args){

 int pal_destroy(void)
 {
-	if (!initialized) {
-		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
+	errno = 0;
+
+	if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
+		errno = EINVAL;
+		PAL_ERROR("enclave runtime uninitialized yet!");
 		return -1;
 	}

-	PAL_INFO("enclave runtime sgxsdk exits");
+	PAL_DEBUG("enclave runtime sgxsdk exits");
+
 	return 0;
 }

-int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len) {
-	/* 0. check the args */
-	if (!initialized) {
-		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
+int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int *report_len)
+{
+	errno = 0;
+
+	sgx_enclave_id_t eid = get_enclave_id();
+	if (eid == SGX_ERROR_INVALID_ENCLAVE_ID) {
+		errno = EINVAL;
+		PAL_ERROR("Enclave runtime has not been initialized!");
+		return -1;
 	}

-	if (targetinfo == NULL || targetinfo_len != sizeof(sgx_target_info_t)) {
+	if (!targetinfo || targetinfo_len != sizeof(sgx_target_info_t)) {
+		errno = EINVAL;
 		PAL_ERROR("Input parameter targetinfo is NULL or targentinfo_len is not enough!");
-		return -EINVAL;
+		return -1;
 	}

-	if (report == NULL || report_len == NULL || *report_len < sizeof(sgx_report_t)) {
+	if (!report || !report_len || *report_len < sizeof(sgx_report_t)) {
+		errno = EINVAL;
 		PAL_ERROR("Input parameter report is NULL or report_len is not enough!");
-		return -EINVAL;
-	}
-
-	sgx_enclave_id_t eid = pal_get_enclave_id();
-	if (eid == SGX_ERROR_INVALID_ENCLAVE_ID) {
-		PAL_ERROR("Enclave has not been initialized!");
-		return -EINVAL;
+		return -1;
 	}

 	int sgxStatus;
-	int ret = 0;
-	WOLFSSL_METHOD* method;
-	WOLFSSL_CTX*    ctx;
-
-	/* 1. generate mTLS keys and the correspondings hash values */
-	/* Initialize wolfSSL */
 	enc_wolfSSL_Init(eid, &sgxStatus);

 #ifdef SGX_DEBUG
-	enc_wolfSSL_Debugging_ON(global_eid);
+	enc_wolfSSL_Debugging_ON(eid);
 #else
-	enc_wolfSSL_Debugging_OFF(global_eid);
+	enc_wolfSSL_Debugging_OFF(eid);
 #endif

-	sgxStatus = enc_wolfTLSv1_2_server_method(global_eid, &method);
-	if (sgxStatus != SGX_SUCCESS || method == NULL) {
+	WOLFSSL_METHOD *method;
+	sgxStatus = enc_wolfTLSv1_2_server_method(eid, &method);
+	if (sgxStatus != SGX_SUCCESS || !method) {
 		PAL_ERROR("wolfTLSv1_2_server_method failure");
-		return EXIT_FAILURE;
+		return -1;
 	}

-	sgxStatus = enc_wolfSSL_CTX_new(global_eid, &ctx, method);
-	if (sgxStatus != SGX_SUCCESS || ctx == NULL) {
+	WOLFSSL_CTX *ctx;
+	sgxStatus = enc_wolfSSL_CTX_new(eid, &ctx, method);
+	if (sgxStatus != SGX_SUCCESS || !ctx) {
 		PAL_ERROR("wolfSSL_CTX_new failure");
+		return -1;
+	}
+
+	int ret;
+	sgxStatus = enc_create_key_and_x509(eid, &ret, ctx, targetinfo, report);
+	if (sgxStatus != SGX_SUCCESS || ret != SGX_SUCCESS ) {
+		PAL_ERROR("enc_create_key_and_x509 failure");
 		return EXIT_FAILURE;
 	}

+#if 0
 	/* Load server certificates into WOLFSSL_CTX */
-	sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(global_eid, &ret, ctx,
+	sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(eid, &ret, ctx,
 		server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
 	if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
 		PAL_ERROR("enc_wolfSSL_CTX_use_certificate_chain_buffer_format failure");
-		return EXIT_FAILURE;
+		return -1;
 	}

 	/* Load server key into WOLFSSL_CTX */
-	sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(global_eid, &ret, ctx,
+	sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(eid, &ret, ctx,
 		server_key_der_2048, sizeof_server_key_der_2048, SSL_FILETYPE_ASN1);
 	if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
 		PAL_ERROR("wolfSSL_CTX_use_PrivateKey_buffer failure");
-		return EXIT_FAILURE;
-	}
-
-	sgxStatus = enc_create_key_and_x509(global_eid, &ret, ctx, targetinfo, report);
-	if (sgxStatus != SGX_SUCCESS || ret != SGX_SUCCESS ) {
-		PAL_ERROR("enc_create_key_and_x509 failure");
-		return EXIT_FAILURE;
+		return -1;
 	}
+#endif

-	/* 3. return report */
-	targetinfo_len = sizeof(sgx_target_info_t);
 	*report_len = sizeof(sgx_report_t);

-	enc_wolfSSL_CTX_free(global_eid, ctx);
+	enc_wolfSSL_CTX_free(eid, ctx);
+	enc_wolfSSL_Cleanup(eid, &ret);

 	return ret;
 }

-sgx_enclave_id_t pal_get_enclave_id(void) {
-	return global_eid;
-}
-
 static double current_time()
 {
 	struct timeval tv;
@@ -239,8 +273,8 @@ static double current_time()
 void ocall_print_string(const char *str)
 {
 	/* Proxy/Bridge will check the length and null-terminate 
-	*      * the input string to prevent buffer overflow. 
-	*           */ 
+	 * the input string to prevent buffer overflow.
+	 */
 	printf("%s", str);
 }

@@ -252,12 +286,14 @@ void ocall_current_time(double* time)
 	return;
 }

-void ocall_low_res_time(int* time)
+void ocall_low_res_time(int *time)
 {
-	struct timeval tv;
 	if(!time) 
 		return;
+
+	struct timeval tv;
 	*time = tv.tv_sec;
+
 	return;
 }


--- a/stub_enclave/untrusted/App.h
+++ b/stub_enclave/untrusted/App.h
@@ -19,8 +19,8 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

-#ifndef BENCHMARKS_H
-#define BENCHMARKS_H
+#ifndef STUB_ENCLAVE_H
+#define STUB_ENCLAVE_H

 #include "sgx_urts.h"	/* Manages Enclave */
 #include <sys/types.h>	/* for send/recv */
@@ -37,13 +37,6 @@ enum BenchmarkBounds {
 	ntimes = 30 /* how many itteration to run RSA decrypt/encrypt */
 };

-#endif
-
-typedef struct sgxsdk_pal_attr {
-	const char *instance_dir;
-	const char *log_level;
-} sgxsdk_pal_attr_t;
-
 #define PAL_DEBUG(fmt, ...) \
 	fprintf(stderr, "[DEBUG] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
 #define PAL_INFO(fmt, ...) \
@@ -53,5 +46,4 @@ typedef struct sgxsdk_pal_attr {
 #define PAL_ERROR(fmt, ...) \
 	fprintf(stderr, "[ERROR] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)

-int pal_init(const sgxsdk_pal_attr_t* instance_dir);
-sgx_enclave_id_t pal_get_enclave_id(void);
+#endif	/* STUB_ENCLAVE_H */
--- a/stub_enclave/sgx_u.mk
+++ b/stub_enclave/sgx_u.mk
 ######## Intel(R) SGX SDK Settings ########
 SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
+SGX_DEBUG ?= 1
 SGX_ARCH ?= x64
-SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
-WOLFSSL_ROOT ?= ./deps/wolfssl
+WOLFSSL_ROOT ?= $(shell readlink -f ../wolfssl)
+SGX_WOLFSSL_LIB ?= $(shell readlink -f $(WOLFSSL_ROOT)/IDE/LINUX-SGX)
+SGX_RA_TLS_ROOT ?= $(shell readlink -f ../sgx-ra-tls)

-UNTRUSTED_DIR=untrusted
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -36,8 +37,6 @@ else
        SGX_COMMON_CFLAGS += -O2
 endif

-SGX_RA_TLS_ROOT=$(shell readlink -f .)
-
 ######## App Settings ########

 ifneq ($(SGX_MODE), HW)
@@ -47,24 +46,23 @@ else
 endif

 Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DUSE_WOLFSSL
-Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT) \
+	-I$(WOLFSSL_ROOT)/wolfcrypt

 ifeq ($(HAVE_WOLFSSL_TEST), 1)
-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test
 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
 endif

 ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark
 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
 endif

-
-
-# App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/server-tls.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c $(UNTRUSTED_DIR)/ias-ra.c
-App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c 
-App_Include_Paths := $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include -I$(SGX_RA_TLS_ROOT) -I./deps/local/include -I$(shell readlink -f .)
+#App_C_Files := App.c server-tls.c sgxsdk-ra-attester_u.c ias-ra.c
+#App_C_Files := App.c sgxsdk-ra-attester_u.c
+App_C_Fils := App.c
+App_Include_Paths := $(Wolfssl_Include_Paths) -I$(SGX_SDK)/include -I$(SGX_RA_TLS_ROOT) -I$(INCDIR) -I$(shell readlink -f .)

 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -shared -Wno-attributes -Wall -Wno-unused-const-variable $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)

@@ -80,7 +78,8 @@ else
        App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
 endif

-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(SGX_RA_TLS_ROOT)/deps/local/lib -l$(Urts_Library_Name) -lpthread $(SGX_RA_TLS_ROOT)/deps/local/lib/libcurl-wolfssl.a $(SGX_RA_TLS_ROOT)/deps/local/lib/libwolfssl.a -lz -lm
+#App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(TOPDIR)/build/lib -l$(Urts_Library_Name) -lpthread $(TOPDIR)/build/lib/libcurl-wolfssl.a $(TOPDIR)/build/lib/libwolfssl.a -lz -lm
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(TOPDIR)/build/lib -l$(Urts_Library_Name)
 App_Link_Flags += -Wl,--version-script=pal.lds

 ifneq ($(SGX_MODE), HW)
@@ -91,8 +90,6 @@ endif

 App_C_Objects := $(App_C_Files:.c=.o)

-
-
 ifeq ($(SGX_MODE), HW)
 ifneq ($(SGX_DEBUG), 1)
 ifneq ($(SGX_PRERELEASE), 1)
@@ -101,12 +98,11 @@ endif
 endif
 endif

-
 .PHONY: all

 ifeq ($(Build_Mode), HW_RELEASE)
-all: liberpal-sgxsdk.so
-	@echo "Build liberpal-sgxsdk.so [$(Build_Mode)|$(SGX_ARCH)] success!"
+all: liberpal-stub.so
+	@echo "Build liberpal-stub.so [$(Build_Mode)|$(SGX_ARCH)] success!"
 	@echo
 	@echo "*********************************************************************************************************************************************************"
 	@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
@@ -114,31 +110,30 @@ all: liberpal-sgxsdk.so
 	@echo

 else
-all: liberpal-sgxsdk.so
+all: liberpal-stub.so
 endif

-######## liberpal-sgxsdk.so Objects ########
+######## liberpal-stub.so Objects ########

-$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
-	@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
+Wolfssl_Enclave_u.c: $(SGX_EDGER8R) $(TOPDIR)/stub-enclave/Wolfssl_Enclave.edl
+	@$(SGX_EDGER8R) --untrusted $(TOPDIR)/stub-enclave/Wolfssl_Enclave.edl --search-path $(TOPDIR)/stub-enclave --search-path $(SGX_SDK)/include --search-path $(SGX_RA_TLS_ROOT)
 	@echo "GEN  =>  $@"

-$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
+Wolfssl_Enclave_u.o: Wolfssl_Enclave_u.c
 	@echo $(CC) $(App_C_Flags) -c $< -o $@
 	@$(CC) $(App_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"

-$(UNTRUSTED_DIR)/%.o: $(UNTRUSTED_DIR)/%.c
+%.o: %.c
 	@echo $(CC) $(App_C_Flags) -c $< -o $@
 	@$(CC) $(App_C_Flags) -c $< -o $@
 	@echo "CC  <=  $<"

-liberpal-sgxsdk.so: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o $(App_C_Objects)
+liberpal-stub.so: Wolfssl_Enclave_u.o $(App_C_Objects)
 	@$(CC) $^ -o $@ $(App_Link_Flags)
 	@echo "LINK =>  $@"

-
 .PHONY: clean

 clean:
-	@rm -f liberpal-sgxsdk.so $(App_C_Objects) $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.* 
+	@rm -f liberpal-stub.so $(App_C_Objects) Wolfssl_Enclave_u.* 
--- a/stub_enclave/pal.lds
+++ b/stub_enclave/pal.lds
--- a/ra-tls/patch/wolfssl-examples.patch
+++ b/ra-tls/patch/wolfssl-examples.patch
+diff --git a/SGX_Linux/Makefile b/SGX_Linux/Makefile
+index df6744a..41c11d4 100644
+--- a/SGX_Linux/Makefile
+++ b/SGX_Linux/Makefile
+@@ -7,13 +7,11 @@ ifndef WOLFSSL_ROOT
+ $(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory)
+ endif
+ 
+-
+-
+ all:
+ 	$(MAKE) -ef sgx_u.mk all
+-	$(MAKE) -ef sgx_t.mk all
+	#$(MAKE) -ef sgx_t.mk all
+ 
+ clean:
+ 	$(MAKE) -ef sgx_u.mk clean
+-	$(MAKE) -ef sgx_t.mk clean
+	#$(MAKE) -ef sgx_t.mk clean
+ 
+diff --git a/SGX_Linux/sgx_t.mk b/SGX_Linux/sgx_t.mk
+index b4dd62c..9055109 100644
+--- a/SGX_Linux/sgx_t.mk
+++ b/SGX_Linux/sgx_t.mk
+@@ -39,16 +39,18 @@ endif
+ 
+ Crypto_Library_Name := sgx_tcrypto
+ 
+SGX_RA_TLS_ROOT="../../.."
+ 
+-Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT
+ Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+ 						 -I$(WOLFSSL_ROOT)/wolfcrypt/
+ 
+ 
+ Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
+ Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
+-   								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
+-								   -I$(SGX_SDK)/include/stlport
+								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
+								   -I$(SGX_SDK)/include/stlport \
+									 -I$(SGX_RA_TLS_ROOT)
+ 
+ ifeq ($(HAVE_WOLFSSL_TEST), 1)
+ 	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+@@ -62,13 +64,14 @@ endif
+ 
+ 
+ Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
+-Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths)-fno-builtin -fno-builtin-printf -I.
+Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths) -fno-builtin -fno-builtin-printf -I.
+ Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
+ 
+ Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+  -L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
+ 	-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
+ 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
+-	-Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
+	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
+ 	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+ 	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
+ 	-Wl,--defsym,__ImageBase=0 \
+@@ -112,7 +115,7 @@ endif
+ ######## Wolfssl_Enclave Objects ########
+ 
+ trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
+-	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ../../../..
+ 	@echo "GEN  =>  $@"
+ 
+ trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
+diff --git a/SGX_Linux/sgx_u.mk b/SGX_Linux/sgx_u.mk
+index 4d157cd..3dcafa5 100644
+--- a/SGX_Linux/sgx_u.mk
+++ b/SGX_Linux/sgx_u.mk
+@@ -1,4 +1,10 @@
+ ######## Intel(R) SGX SDK Settings ########
+TOPDIR ?= ../../..
+PREFIX ?= $(TOPDIR)/build
+LIBDIR ?= $(PREFIX)/lib
+INCDIR ?= $(PREFIX)/include
+SGX_SDK ?= /opt/intel/sgxsdk
+
+ UNTRUSTED_DIR=untrusted
+ ifeq ($(shell getconf LONG_BIT), 32)
+ 	SGX_ARCH := x86
+@@ -30,6 +36,8 @@ else
+         SGX_COMMON_CFLAGS += -O2
+ endif
+ 
+SGX_RA_TLS ?= "../../../sgx-ra-tls"
+
+ ######## App Settings ########
+ 
+ ifneq ($(SGX_MODE), HW)
+@@ -38,24 +46,23 @@ else
+ 	Urts_Library_Name := sgx_urts
+ endif
+ 
+-Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+-Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+-						 -I$(WOLFSSL_ROOT)/wolfcrypt/
+Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DUSE_WOLFSSL
+Wolfssl_Include_Paths := \
+	-I$(WOLFSSL) \
+	-I$(WOLFSSL)/wolfcrypt/
+ 
+ ifeq ($(HAVE_WOLFSSL_TEST), 1)
+-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_Include_Paths += -I$(WOLFSSL)/wolfcrypt/test/
+ 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
+ endif
+ 
+ ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
+-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_Include_Paths += -I$(WOLFSSL)/wolfcrypt/benchmark/
+ 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
+ endif
+ 
+-
+-
+-App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c $(UNTRUSTED_DIR)/server-tls.c
+-App_Include_Paths := -IInclude $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include
+App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c $(UNTRUSTED_DIR)/server-tls.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c $(UNTRUSTED_DIR)/ias-ra.c
+App_Include_Paths := $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include -I$(SGX_RA_TLS) -I$(INCDIR)
+ 
+ App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)
+ 
+@@ -71,7 +78,7 @@ else
+         App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
+ endif
+ 
+-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(LIBDIR) -l$(Urts_Library_Name) -lpthread $(LIBDIR)/libcurl-wolfssl.a $(LIBDIR)/libwolfssl.a -lz -lm
+ 
+ ifneq ($(SGX_MODE), HW)
+ 	App_Link_Flags += -lsgx_uae_service_sim
+@@ -81,8 +88,6 @@ endif
+ 
+ App_C_Objects := $(App_C_Files:.c=.o)
+ 
+-
+-
+ ifeq ($(SGX_MODE), HW)
+ ifneq ($(SGX_DEBUG), 1)
+ ifneq ($(SGX_PRERELEASE), 1)
+@@ -116,7 +121,7 @@ endif
+ ######## App Objects ########
+ 
+ $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
+-	@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+	@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ../../../sgx-ra-tls
+ 	@echo "GEN  =>  $@"
+ 
+ $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
+diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.c b/SGX_Linux/trusted/Wolfssl_Enclave.c
+index 155df0b..a304bc0 100644
+--- a/SGX_Linux/trusted/Wolfssl_Enclave.c
+++ b/SGX_Linux/trusted/Wolfssl_Enclave.c
+@@ -1,3 +1,4 @@
+#include <assert.h>
+ #include <stdarg.h>
+ #include <stdio.h>      /* vsnprintf */
+ 
+@@ -208,3 +209,25 @@ size_t send(int sockfd, const void *buf, size_t len, int flags)
+     sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
+     return ret;
+ }
+
+extern struct ra_tls_options my_ra_tls_options;
+
+void enc_create_key_and_x509(WOLFSSL_CTX* ctx) {
+    uint8_t der_key[2048];
+    uint8_t der_cert[8 * 1024];
+    uint32_t der_key_len = sizeof(der_key);
+    uint32_t der_cert_len = sizeof(der_cert);
+
+    create_key_and_x509(&der_key, &der_key_len,
+                        &der_cert, &der_cert_len,
+                        &my_ra_tls_options);
+
+    int ret;
+    ret = wolfSSL_CTX_use_certificate_buffer(ctx, der_cert, der_cert_len,
+                                             SSL_FILETYPE_ASN1);
+    assert(ret == SSL_SUCCESS);
+
+    wolfSSL_CTX_use_PrivateKey_buffer(ctx, der_key, der_key_len,
+                                      SSL_FILETYPE_ASN1);
+    assert(ret == SSL_SUCCESS);
+}
+diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.edl b/SGX_Linux/trusted/Wolfssl_Enclave.edl
+index 9a51b0f..2ca4de3 100644
+--- a/SGX_Linux/trusted/Wolfssl_Enclave.edl
+++ b/SGX_Linux/trusted/Wolfssl_Enclave.edl
+@@ -7,6 +7,8 @@ enclave {
+     include "wolfcrypt/test/test.h"
+     include "wolfcrypt/benchmark/benchmark.h"
+ 
+  from "ra_tls.edl" import *;
+
+     trusted {
+         public int wc_test([user_check]void* args);
+         public int wc_benchmark_test([user_check]void* args);
+@@ -49,6 +51,8 @@ enclave {
+ 		public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
+ 		public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
+ 		public int enc_wolfSSL_Cleanup(void);
+
+    public void enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx);
+     };
+ 
+     untrusted {
+diff --git a/SGX_Linux/untrusted/server-tls.c b/SGX_Linux/untrusted/server-tls.c
+index f49b912..01c381b 100644
+--- a/SGX_Linux/untrusted/server-tls.c
+++ b/SGX_Linux/untrusted/server-tls.c
+@@ -22,6 +22,7 @@
+ #include "server-tls.h"
+ 
+ /* the usual suspects */
+#include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -79,6 +80,9 @@ int server_connect(sgx_enclave_id_t id)
+         return -1;
+     }
+ 
+    int enable = 1;
+    ret = setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(int));
+    assert(ret != -1);
+ 
+     /* Create and initialize WOLFSSL_CTX */
+     sgxStatus = enc_wolfTLSv1_2_server_method(id, &method);
+@@ -93,6 +97,7 @@ int server_connect(sgx_enclave_id_t id)
+         return EXIT_FAILURE;
+     }
+ 
+#if 0
+     /* Load server certificates into WOLFSSL_CTX */
+     sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(id, &ret, ctx,
+             server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
+@@ -108,7 +113,11 @@ int server_connect(sgx_enclave_id_t id)
+         printf("wolfSSL_CTX_use_PrivateKey_buffer failure\n");
+         return EXIT_FAILURE;
+     }
+#endif
+ 
+    sgxStatus = enc_create_key_and_x509(id, ctx);
+    assert(sgxStatus == SGX_SUCCESS);
+    
+     /* Initialize the server address struct with zeros */
+     memset(&servAddr, 0, sizeof(servAddr));
+ /* Fill in the server address */
+diff --git a/tls/client-tls.c b/tls/client-tls.c
+index a72dfad..faa623b 100644
+--- a/tls/client-tls.c
+++ b/tls/client-tls.c
+@@ -20,6 +20,9 @@
+  */
+ 
+ /* the usual suspects */
+#ifdef SGX_RATLS_MUTUAL
+#include <assert.h>
+#endif
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -36,9 +39,30 @@
+ 
+ #define DEFAULT_PORT 11111
+ 
+-#define CERT_FILE "../certs/ca-cert.pem"
+#include <sgx_quote.h>
+ 
+#include "ra.h"
+#ifdef SGX_RATLS_MUTUAL
+#include "ra-attester.h"
+#endif
+#include "ra-challenger.h"
+ 
+static
+int cert_verify_callback(int preverify, WOLFSSL_X509_STORE_CTX* store) {
+
+    (void) preverify;
+
+    int ret = verify_sgx_cert_extensions(store->certs->buffer,
+                                         store->certs->length);
+
+    fprintf(stderr, "Verifying SGX certificate extensions ... %s\n",
+            ret == 0 ? "Success" : "Failure");
+    return !ret;
+}
+
+#ifdef SGX_RATLS_MUTUAL
+extern struct ra_tls_options my_ra_tls_options;
+#endif
+ 
+ int main(int argc, char** argv)
+ {
+@@ -51,15 +75,8 @@ int main(int argc, char** argv)
+     WOLFSSL_CTX* ctx;
+     WOLFSSL*     ssl;
+ 
+-
+-
+-    /* Check for proper calling convention */
+-    if (argc != 2) {
+-        printf("usage: %s <IPv4 address>\n", argv[0]);
+-        return 0;
+-    }
+-
+-
+    (void) argc;
+    (void) argv;
+ 
+     /* Initialize wolfSSL */
+     wolfSSL_Init();
+@@ -82,16 +99,19 @@ int main(int argc, char** argv)
+         return -1;
+     }
+ 
+-    /* Load client certificates into WOLFSSL_CTX */
+-    if (wolfSSL_CTX_load_verify_locations(ctx, CERT_FILE, NULL)
+-        != SSL_SUCCESS) {
+-        fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+-                CERT_FILE);
+-        return -1;
+-    }
+-
+#ifdef SGX_RATLS_MUTUAL
+    uint8_t key[2048]; uint8_t crt[8192];
+    int key_len = sizeof(key);
+    int crt_len = sizeof(crt);
+ 
+    create_key_and_x509(key, &key_len, crt, &crt_len, &my_ra_tls_options);
+    int ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, key, key_len, SSL_FILETYPE_ASN1);
+    assert(SSL_SUCCESS == ret);
+ 
+    ret = wolfSSL_CTX_use_certificate_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1);
+    assert(SSL_SUCCESS == ret);
+#endif
+    
+     /* Initialize the server address struct with zeros */
+     memset(&servAddr, 0, sizeof(servAddr));
+ 
+@@ -99,8 +119,10 @@ int main(int argc, char** argv)
+     servAddr.sin_family = AF_INET;             /* using IPv4      */
+     servAddr.sin_port   = htons(DEFAULT_PORT); /* on DEFAULT_PORT */
+ 
+    const char* srvaddr = "127.0.0.1";
+
+     /* Get the server IPv4 address from the command line call */
+-    if (inet_pton(AF_INET, argv[1], &servAddr.sin_addr) != 1) {
+    if (inet_pton(AF_INET, srvaddr, &servAddr.sin_addr) != 1) {
+         fprintf(stderr, "ERROR: invalid address\n");
+         return -1;
+     }
+@@ -114,7 +136,7 @@ int main(int argc, char** argv)
+         return -1;
+     }
+ 
+-
+    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, cert_verify_callback);
+ 
+     /* Create a WOLFSSL object */
+     if ((ssl = wolfSSL_new(ctx)) == NULL) {
+@@ -131,22 +153,35 @@ int main(int argc, char** argv)
+         return -1;
+     }
+ 
+-
+-
+-    /* Get a message for the server from stdin */
+-    printf("Message for server: ");
+-    memset(buff, 0, sizeof(buff));
+-    fgets(buff, sizeof(buff), stdin);
+-    len = strnlen(buff, sizeof(buff));
+    WOLFSSL_X509* srvcrt =
+        wolfSSL_get_peer_certificate(ssl);
+      
+    int derSz;
+    const unsigned char* der =
+        wolfSSL_X509_get_der(srvcrt, &derSz);
+
+    sgx_quote_t quote;
+    get_quote_from_cert(der, derSz, &quote);
+    sgx_report_body_t* body = &quote.report_body;
+
+    printf("Server's SGX identity:\n");
+    printf("  . MRENCLAVE = ");
+    for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_enclave.m[i]);
+    printf("\n");
+    
+    printf("  . MRSIGNER  = ");
+    for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_signer.m[i]);
+    printf("\n");
+
+    const char* http_request = "GET / HTTP/1.0\r\n\r\n";
+    len = strlen(http_request);
+ 
+     /* Send the message to the server */
+-    if (wolfSSL_write(ssl, buff, len) != len) {
+    if (wolfSSL_write(ssl, http_request, len) != (int) len) {
+         fprintf(stderr, "ERROR: failed to write\n");
+         return -1;
+     }
+ 
+-
+-
+     /* Read the server data into our buff array */
+     memset(buff, 0, sizeof(buff));
+     if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) {
+@@ -155,7 +190,7 @@ int main(int argc, char** argv)
+     }
+ 
+     /* Print to stdout any data the server sends */
+-    printf("Server: %s\n", buff);
+    printf("Server:\n%s\n", buff);
+ 
+ 
+ 
+diff --git a/tls/server-tls.c b/tls/server-tls.c
+index ebab830..dbdcaa0 100644
+--- a/tls/server-tls.c
+++ b/tls/server-tls.c
+@@ -20,6 +20,7 @@
+  */
+ 
+ /* the usual suspects */
+#include <assert.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -34,12 +35,32 @@
+ #include <wolfssl/options.h>
+ #include <wolfssl/ssl.h>
+ 
+#include "ra-attester.h"
+#ifdef SGX_RATLS_MUTUAL
+#include "ra-challenger.h"
+#endif
+
+ #define DEFAULT_PORT 11111
+ 
+ #define CERT_FILE "../certs/server-cert.pem"
+ #define KEY_FILE  "../certs/server-key.pem"
+ 
+extern struct ra_tls_options my_ra_tls_options;
+
+#ifdef SGX_RATLS_MUTUAL
+static
+int cert_verify_callback(int preverify, WOLFSSL_X509_STORE_CTX* store) {
+
+    (void) preverify;
+ 
+    int ret = verify_sgx_cert_extensions(store->certs->buffer,
+                                         store->certs->length);
+
+    fprintf(stderr, "Verifying SGX certificate extensions ... %s\n",
+            ret == 0 ? "Success" : "Failure");
+    return !ret;
+}
+#endif
+ 
+ int main()
+ {
+@@ -79,23 +100,34 @@ int main()
+         return -1;
+     }
+ 
+    uint8_t key[2048]; uint8_t crt[8192];
+    int key_len = sizeof(key);
+    int crt_len = sizeof(crt);
+
+    create_key_and_x509(key, &key_len, crt, &crt_len, &my_ra_tls_options);
+    
+     /* Load server certificates into WOLFSSL_CTX */
+-    if (wolfSSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)
+    if (wolfSSL_CTX_use_certificate_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1)
+         != SSL_SUCCESS) {
+-        fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+-                CERT_FILE);
+        fprintf(stderr, "ERROR: failed to load server certificate.\n");
+         return -1;
+     }
+ 
+     /* Load server key into WOLFSSL_CTX */
+-    if (wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM)
+    if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, key, key_len, SSL_FILETYPE_ASN1)
+         != SSL_SUCCESS) {
+-        fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
+-                KEY_FILE);
+        fprintf(stderr, "ERROR: failed to load server key.\n");
+         return -1;
+     }
+ 
+-
+    int ret;
+#ifdef SGX_RATLS_MUTUAL
+    ret = wolfSSL_CTX_load_verify_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1);
+    assert(SSL_SUCCESS == ret);
+    
+    wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                                 cert_verify_callback);
+#endif
+ 
+     /* Initialize the server address struct with zeros */
+     memset(&servAddr, 0, sizeof(servAddr));
+@@ -141,10 +173,34 @@ int main()
+         /* Attach wolfSSL to the socket */
+         wolfSSL_set_fd(ssl, connd);
+ 
+-        printf("Client connected successfully\n");
+-
+        ret = wolfSSL_negotiate(ssl);
+        assert(ret == WOLFSSL_SUCCESS);
+ 
+        printf("Client connected successfully\n");
+ 
+#ifdef SGX_RATLS_MUTUAL
+        WOLFSSL_X509* cli_crt =
+            wolfSSL_get_peer_certificate(ssl);
+      
+        int derSz;
+        const unsigned char* der =
+            wolfSSL_X509_get_der(cli_crt, &derSz);
+
+        sgx_quote_t quote;
+        get_quote_from_cert(der, derSz, &quote);
+        sgx_report_body_t* body = &quote.report_body;
+
+        printf("Client's SGX identity:\n");
+        printf("  . MRENCLAVE = ");
+        for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_enclave.m[i]);
+        printf("\n");
+    
+        printf("  . MRSIGNER  = ");
+        for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_signer.m[i]);
+        printf("\n");
+        fflush(stdout);
+#endif
+        
+         /* Read the client data into our buff array */
+         memset(buff, 0, sizeof(buff));
+         if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) {
+@@ -169,7 +225,7 @@ int main()
+         len = strnlen(buff, sizeof(buff));
+ 
+         /* Reply back to the client */
+-        if (wolfSSL_write(ssl, buff, len) != len) {
+        if (wolfSSL_write(ssl, buff, len) != (int) len) {
+             fprintf(stderr, "ERROR: failed to write\n");
+             return -1;
+         }
--- a/stub_enclave/wolfssl.patch
+++ b/stub_enclave/wolfssl.patch
+diff --git a/m4/ax_vcs_checkout.m4 b/m4/ax_vcs_checkout.m4
+index 4636b58ed..58c1af256 100644
+--- a/m4/ax_vcs_checkout.m4
+++ b/m4/ax_vcs_checkout.m4
+@@ -57,7 +57,6 @@ AC_DEFUN([AX_VCS_SYSTEM],
+       AS_IF([test -d ".bzr"],[ac_cv_vcs_system="bazaar"])
+       AS_IF([test -d ".svn"],[ac_cv_vcs_system="svn"])
+       AS_IF([test -d ".hg"],[ac_cv_vcs_system="mercurial"])
+-      AS_IF([test -e ".git"],[ac_cv_vcs_system="git"])
+       ])
+     AC_DEFINE_UNQUOTED([VCS_SYSTEM],["$ac_cv_vcs_system"],[VCS system])
+     ])
 diff --git a/pre-commit.sh b/pre-commit.sh
-index cbac1b5..71c7976 100755
+index cbac1b5e3..71c79767d 100755
 --- a/pre-commit.sh
 +++ b/pre-commit.sh
 @@ -3,6 +3,8 @@
@@ -12,7 +24,7 @@ index cbac1b5..71c7976 100755
 echo "\n\nSaving current config\n\n"
 cp config.status tmp.status
 diff --git a/src/internal.c b/src/internal.c
-index a6989c4..9036910 100644
+index a6989c419..9036910ba 100644
 --- a/src/internal.c
 +++ b/src/internal.c
 @@ -9777,11 +9777,14 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
@@ -52,7 +64,7 @@ index a6989c4..9036910 100644
         #ifdef WOLFSSL_ASYNC_CRYPT
             if (ret == WC_PENDING_E) {
 diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
-index e234253..5cdeae5 100644
+index e23425311..5cdeae542 100644
 --- a/wolfcrypt/src/asn.c
 +++ b/wolfcrypt/src/asn.c
 @@ -19,6 +19,7 @@
@@ -443,7 +455,7 @@ index e234253..5cdeae5 100644
 
     der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
 diff --git a/wolfssl/internal.h b/wolfssl/internal.h
-index 9c77120..3c922dd 100644
+index 9c77120a1..3c922dd88 100644
 --- a/wolfssl/internal.h
 +++ b/wolfssl/internal.h
 @@ -1272,7 +1272,7 @@ enum Misc {
@@ -456,7 +468,7 @@ index 9c77120..3c922dd 100644
 
 #ifndef SESSION_TICKET_LEN
 diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
-index b730846..870ffdb 100644
+index b73084634..870ffdb44 100644
 --- a/wolfssl/wolfcrypt/asn_public.h
 +++ b/wolfssl/wolfcrypt/asn_public.h
 @@ -164,6 +164,32 @@ typedef struct Cert {
@@ -504,7 +516,7 @@ index b730846..870ffdb 100644
     } /* extern "C" */
 #endif
 diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
-index 6254b72..9a20413 100644
+index 6254b727d..9a204138c 100644
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
 @@ -1228,7 +1228,9 @@ extern void uITRON4_free(void *p) ;

--- a/stub_enclave/ratls-wolfssl.mk
+++ b/stub_enclave/ratls-wolfssl.mk
@@ -4,9 +4,9 @@
 SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_ARCH ?= x64
-PROJECT_ROOT ?= $(shell readlink -f .)

-WOLFSSL_ROOT := $(shell readlink -f deps/wolfssl)
+WOLFSSL_ROOT := $(shell readlink -f $(TOPDIR)/wolfssl)
+THISDIR := $(shell pwd)

 SGX_COMMON_CFLAGS := -m64
 SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
@@ -38,19 +38,22 @@ Library_Name := sgx_ra_tls_wolfssl
 # -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
 Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192

-Wolfssl_C_Files := $(PROJECT_ROOT)/wolfssl-ra-attester.c \
-	$(PROJECT_ROOT)/wolfssl-ra-challenger.c \
-  $(PROJECT_ROOT)/sgxsdk-ra-attester_t.c \
-  $(PROJECT_ROOT)/ra-challenger.c \
-	$(PROJECT_ROOT)/wolfssl-ra.c \
-	$(PROJECT_ROOT)/ra_tls_t.c \
-  $(PROJECT_ROOT)/ra_tls_options.c
-
-Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/ \
-						 -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc \
-						 -I$(SGX_SDK)/include/stlport \
-						 -I/usr/include/linux
+Wolfssl_C_Files := \
+	wolfssl-ra-attester.c \
+	wolfssl-ra-challenger.c \
+	sgxsdk-ra-attester_t.c \
+	ra-challenger.c \
+	wolfssl-ra.c \
+	ra_tls_t.c \
+	ra_tls_options.c
+
+Wolfssl_Include_Paths := \
+	-I$(WOLFSSL_ROOT) \
+	-I$(WOLFSSL_ROOT)/wolfcrypt \
+	-I$(SGX_SDK)/include \
+	-I$(SGX_SDK)/include/tlibc \
+	-I$(SGX_SDK)/include/stlport \
+	-I/usr/include/linux

 Compiler_Warnings := -Wall -Wextra -Wwrite-strings -Wlogical-op -Wshadow
 Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
@@ -59,7 +62,7 @@ Wolfssl_C_Flags := $(Compiler_Warnings) $(Flags_Just_For_C) $(Common_C_Cpp_Flags

 Wolfssl_C_Objects := $(Wolfssl_C_Files:.c=.o)

-override CFLAGS += $(Wolfssl_C_Flags)
+CFLAGS += $(Wolfssl_C_Flags)

 .PHONY: all run clean mrproper

@@ -74,9 +77,12 @@ libsgx_ra_tls_wolfssl.a: ra_tls_t.o ra_tls_u.o $(Wolfssl_C_Objects)
 	ar rcs $@ $(Wolfssl_C_Objects)
 	@echo "LINK =>  $@"

+ra_tls_options.c: ra_tls_options.c.sh
+	bash $^ > $@
+
 clean:
 	@rm -f $(Wolfssl_C_Objects)
-	@rm -f ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
+	@rm -f ra_tls_options.c ra_tls_t.* ra_tls_u.* libsgx_ra_tls_wolfssl.a

 mrproper: clean
-	@rm -f ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
+	@rm -f ra_tls_options.c ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
--- a/ra-tls/sgx-ra-tls/curl_helper.h
+++ b/ra-tls/sgx-ra-tls/curl_helper.h
+struct buffer_and_size {
+    char* data;
+    size_t len;
+};
+
+void http_get
+(
+    CURL* curl,
+    const char* url,
+    struct buffer_and_size* header,
+    struct buffer_and_size* body,
+    struct curl_slist* request_headers,
+    char* request_body
+);
--- a/ra-tls/sgx-ra-tls/ias-ra.c
+++ b/ra-tls/sgx-ra-tls/ias-ra.c
+#define _GNU_SOURCE // for memmem()
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <curl/curl.h>
+
+#if defined(USE_OPENSSL)
+#include <openssl/evp.h> // for base64 encode/decode
+#elif defined(USE_WOLFSSL)
+#include <wolfssl/options.h>
+#include <wolfssl/wolfcrypt/coding.h>
+#elif defined(USE_MBEDTLS)
+#include <mbedtls/base64.h>
+#else
+#error Must use one of OpenSSL/wolfSSL/mbedtls
+#endif
+
+#include <stdint.h>
+
+#include <sgx_report.h>
+
+#include "ra.h"
+#include "ra-attester.h"
+#include "ias-ra.h"
+#include "curl_helper.h"
+
+static
+size_t accumulate_function(void *ptr, size_t size, size_t nmemb, void *userdata) {
+    struct buffer_and_size* s = (struct buffer_and_size*) userdata;
+    s->data = (char*) realloc(s->data, s->len + size * nmemb);
+    assert(s->data != NULL);
+    memcpy(s->data + s->len, ptr, size * nmemb);
+    s->len += size * nmemb;
+    
+    return size * nmemb;
+}
+
+void http_get
+(
+    CURL* curl,
+    const char* url,
+    struct buffer_and_size* header,
+    struct buffer_and_size* body,
+    struct curl_slist* request_headers,
+    char* request_body
+)
+{
+    curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+    curl_easy_setopt(curl, CURLOPT_URL, url);
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
+    
+    curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, accumulate_function);
+    curl_easy_setopt(curl, CURLOPT_HEADERDATA, header);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, accumulate_function);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, body);
+
+    if (request_headers) {
+        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, request_headers);
+    }
+    if (request_body) {
+        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request_body);
+    }
+
+    CURLcode res = curl_easy_perform(curl);
+    assert(res == CURLE_OK);
+}
+
+static const char pem_marker_begin[] = "-----BEGIN CERTIFICATE-----";
+static const char pem_marker_end[] = "-----END CERTIFICATE-----";
+
+static
+void extract_certificates_from_response_header
+(
+    CURL* curl,
+    const char* header,
+    size_t header_len,
+    attestation_verification_report_t* attn_report
+)
+{
+    // Locate x-iasreport-signature HTTP header field in the response.
+    const char response_header_name[] = "X-IASReport-Signing-Certificate: ";
+    char *field_begin = memmem(header,
+                               header_len,
+                               response_header_name,
+                               strlen(response_header_name));
+    assert(field_begin != NULL);
+    field_begin += strlen(response_header_name);
+    const char http_line_break[] = "\r\n";
+    char *field_end = memmem(field_begin,
+                             header_len - (field_begin - header),
+                             http_line_break,
+                             strlen(http_line_break));
+    size_t field_len = field_end - field_begin;
+
+    // Remove urlencoding from x-iasreport-signing-certificate field.
+    int unescaped_len = 0;
+    char* unescaped = curl_easy_unescape(curl,
+                                         field_begin,
+                                         field_len,
+                                         &unescaped_len);
+    
+    char* cert_begin = memmem(unescaped,
+                              unescaped_len,
+                              pem_marker_begin,
+                              strlen(pem_marker_begin));
+    assert(cert_begin != NULL);
+    char* cert_end = memmem(unescaped, unescaped_len,
+                            pem_marker_end, strlen(pem_marker_end));
+    assert(cert_end != NULL);
+    uint32_t cert_len = cert_end - cert_begin + strlen(pem_marker_end);
+
+    assert(cert_len <= sizeof(attn_report->ias_sign_cert));
+    memcpy(attn_report->ias_sign_cert, cert_begin, cert_len);
+    attn_report->ias_sign_cert_len = cert_len;
+    
+    cert_begin = memmem(cert_end,
+                        unescaped_len - (cert_end - unescaped),
+                        pem_marker_begin,
+                        strlen(pem_marker_begin));
+    assert(cert_begin != NULL);
+    cert_end = memmem(cert_begin,
+                     unescaped_len - (cert_begin - unescaped),
+                     pem_marker_end,
+                     strlen(pem_marker_end));
+    assert(cert_end != NULL);
+    cert_len = cert_end - cert_begin + strlen(pem_marker_end);
+
+    assert(cert_len <= sizeof(attn_report->ias_sign_ca_cert));
+    memcpy((char*) attn_report->ias_sign_ca_cert, cert_begin, cert_len);
+    attn_report->ias_sign_ca_cert_len = cert_len;
+
+    curl_free(unescaped);
+    unescaped = NULL;
+}
+
+/* The header has the certificates and report signature. */
+void parse_response_header
+(
+    const char* header,
+    size_t header_len,
+    unsigned char* signature,
+    const size_t signature_max_size,
+    uint32_t* signature_size
+)
+{
+    const char sig_tag[] = "X-IASReport-Signature: ";
+    char* sig_begin = memmem((const char*) header,
+                             header_len,
+                             sig_tag,
+                             strlen(sig_tag));
+    assert(sig_begin != NULL);
+    sig_begin += strlen(sig_tag);
+    char* sig_end = memmem(sig_begin,
+                           header_len - (sig_begin - header),
+                           "\r\n",
+                           strlen("\r\n"));
+    assert(sig_end);
+
+    assert((size_t) (sig_end - sig_begin) <= signature_max_size);
+    memcpy(signature, sig_begin, sig_end - sig_begin);
+    *signature_size = sig_end - sig_begin;
+}
+
+/**
+ * @return Length of base64 encoded data including terminating NUL-byte.
+ */
+static void base64_encode
+(
+    uint8_t *in,
+    uint32_t in_len,
+    uint8_t* out,
+    uint32_t* out_len /* in/out */
+)
+{
+    // + 1 to account for the terminating \0.
+    assert(*out_len >= (in_len + 3 - 1) / 3 * 4 + 1);
+    bzero(out, *out_len);
+    
+#if defined(USE_OPENSSL)
+        int ret = EVP_EncodeBlock(out, in, in_len);
+        // + 1 since EVP_EncodeBlock() returns length excluding the terminating \0.
+        assert((size_t) ret + 1 <= *out_len);
+        *out_len = ret + 1;
+#elif defined(USE_WOLFSSL)
+        int ret = Base64_Encode_NoNl(in, in_len, out, out_len);
+        assert(ret == 0);
+        // No need append terminating \0 since we memset() the whole
+        // buffer in the beginning.
+        *out_len += 1;
+#elif defined(USE_MBEDTLS)
+        size_t olen;
+        int ret = mbedtls_base64_encode(out, *out_len, &olen, in, in_len);
+        assert(ret == 0);
+        assert(olen <= UINT32_MAX);
+        *out_len = (uint32_t) olen;
+#endif
+}
+
+/** Turns a binary quote into an attestation verification report.
+
+  Communicates with Intel Attestation Service via its HTTP REST interface.
+*/
+void obtain_attestation_verification_report
+(
+    const sgx_quote_t* quote,
+    const uint32_t quote_size,
+    const struct ra_tls_options* opts,
+    attestation_verification_report_t* attn_report
+)
+{
+    int ret;
+  
+    char url[512];
+    ret = snprintf(url, sizeof(url), "https://%s/attestation/v3/report",
+                   opts->ias_server);
+    assert(ret < (int) sizeof(url));
+    
+    char buf[128];
+    int rc = snprintf(buf, sizeof(buf), "Ocp-Apim-Subscription-Key: %.32s",
+                      opts->subscription_key);
+    assert(rc < (int) sizeof(buf));
+
+    struct curl_slist *request_headers =
+        curl_slist_append(NULL, "Content-Type: application/json");
+    request_headers = curl_slist_append(request_headers, buf);
+        
+    const char json_template[] = "{\"isvEnclaveQuote\":\"%s\"}";
+    unsigned char quote_base64[quote_size * 2];
+    uint32_t quote_base64_len = sizeof(quote_base64);
+    char json[quote_size * 2];
+
+    base64_encode((uint8_t*) quote, quote_size,
+                  quote_base64, &quote_base64_len);
+
+    snprintf(json, sizeof(json), json_template, quote_base64);
+
+    CURL *curl = curl_easy_init();
+    assert(curl != NULL);
+    struct buffer_and_size header = {(char*) malloc(1), 0};
+    struct buffer_and_size body = {(char*) malloc(1), 0};
+    http_get(curl, url, &header, &body, request_headers, json);
+        
+    parse_response_header(header.data, header.len,
+                          attn_report->ias_report_signature,
+                          sizeof(attn_report->ias_report_signature),
+                          &attn_report->ias_report_signature_len);
+
+    assert(sizeof(attn_report->ias_report) >= body.len);
+    memcpy(attn_report->ias_report, body.data, body.len);
+    attn_report->ias_report_len = body.len;
+
+    extract_certificates_from_response_header(curl,
+                                              header.data, header.len,
+                                              attn_report);
+    
+    curl_easy_cleanup(curl);
+    free(header.data);
+    free(body.data);
+    curl_slist_free_all(request_headers);
+}
--- a/ra-tls/sgx-ra-tls/ias-ra.h
+++ b/ra-tls/sgx-ra-tls/ias-ra.h
+#ifdef __cplusplus
+extern "C" {
+#endif
+    
+void obtain_attestation_verification_report(
+    const sgx_quote_t* quote,
+    const uint32_t quote_size,
+    const struct ra_tls_options* opts,
+    attestation_verification_report_t* attn_report
+);
+    
+#ifdef __cplusplus
+}
+#endif
--- a/ra-tls/sgx-ra-tls/ias_sign_ca_cert.c
+++ b/ra-tls/sgx-ra-tls/ias_sign_ca_cert.c
+unsigned char ias_sign_ca_cert_der[] = {
+  0x30, 0x82, 0x05, 0x4b, 0x30, 0x82, 0x03, 0xb3, 0xa0, 0x03, 0x02, 0x01,
+  0x02, 0x02, 0x09, 0x00, 0xd1, 0x07, 0x76, 0x5d, 0x32, 0xa3, 0xb0, 0x94,
+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+  0x0b, 0x05, 0x00, 0x30, 0x7e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
+  0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06,
+  0x03, 0x55, 0x04, 0x07, 0x0c, 0x0b, 0x53, 0x61, 0x6e, 0x74, 0x61, 0x20,
+  0x43, 0x6c, 0x61, 0x72, 0x61, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55,
+  0x04, 0x0a, 0x0c, 0x11, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x43, 0x6f,
+  0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x30, 0x30,
+  0x2e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x27, 0x49, 0x6e, 0x74, 0x65,
+  0x6c, 0x20, 0x53, 0x47, 0x58, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74,
+  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
+  0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x43, 0x41, 0x30,
+  0x20, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x31, 0x34, 0x31, 0x35, 0x33,
+  0x37, 0x33, 0x31, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x34, 0x39, 0x31, 0x32,
+  0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x7e, 0x31,
+  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
+  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43,
+  0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0b,
+  0x53, 0x61, 0x6e, 0x74, 0x61, 0x20, 0x43, 0x6c, 0x61, 0x72, 0x61, 0x31,
+  0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x49, 0x6e,
+  0x74, 0x65, 0x6c, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
+  0x69, 0x6f, 0x6e, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x0c, 0x27, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x53, 0x47, 0x58, 0x20,
+  0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
+  0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
+  0x6e, 0x67, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0xa2, 0x30, 0x0d, 0x06,
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
+  0x03, 0x82, 0x01, 0x8f, 0x00, 0x30, 0x82, 0x01, 0x8a, 0x02, 0x82, 0x01,
+  0x81, 0x00, 0x9f, 0x3c, 0x64, 0x7e, 0xb5, 0x77, 0x3c, 0xbb, 0x51, 0x2d,
+  0x27, 0x32, 0xc0, 0xd7, 0x41, 0x5e, 0xbb, 0x55, 0xa0, 0xfa, 0x9e, 0xde,
+  0x2e, 0x64, 0x91, 0x99, 0xe6, 0x82, 0x1d, 0xb9, 0x10, 0xd5, 0x31, 0x77,
+  0x37, 0x09, 0x77, 0x46, 0x6a, 0x6a, 0x5e, 0x47, 0x86, 0xcc, 0xd2, 0xdd,
+  0xeb, 0xd4, 0x14, 0x9d, 0x6a, 0x2f, 0x63, 0x25, 0x52, 0x9d, 0xd1, 0x0c,
+  0xc9, 0x87, 0x37, 0xb0, 0x77, 0x9c, 0x1a, 0x07, 0xe2, 0x9c, 0x47, 0xa1,
+  0xae, 0x00, 0x49, 0x48, 0x47, 0x6c, 0x48, 0x9f, 0x45, 0xa5, 0xa1, 0x5d,
+  0x7a, 0xc8, 0xec, 0xc6, 0xac, 0xc6, 0x45, 0xad, 0xb4, 0x3d, 0x87, 0x67,
+  0x9d, 0xf5, 0x9c, 0x09, 0x3b, 0xc5, 0xa2, 0xe9, 0x69, 0x6c, 0x54, 0x78,
+  0x54, 0x1b, 0x97, 0x9e, 0x75, 0x4b, 0x57, 0x39, 0x14, 0xbe, 0x55, 0xd3,
+  0x2f, 0xf4, 0xc0, 0x9d, 0xdf, 0x27, 0x21, 0x99, 0x34, 0xcd, 0x99, 0x05,
+  0x27, 0xb3, 0xf9, 0x2e, 0xd7, 0x8f, 0xbf, 0x29, 0x24, 0x6a, 0xbe, 0xcb,
+  0x71, 0x24, 0x0e, 0xf3, 0x9c, 0x2d, 0x71, 0x07, 0xb4, 0x47, 0x54, 0x5a,
+  0x7f, 0xfb, 0x10, 0xeb, 0x06, 0x0a, 0x68, 0xa9, 0x85, 0x80, 0x21, 0x9e,
+  0x36, 0x91, 0x09, 0x52, 0x68, 0x38, 0x92, 0xd6, 0xa5, 0xe2, 0xa8, 0x08,
+  0x03, 0x19, 0x3e, 0x40, 0x75, 0x31, 0x40, 0x4e, 0x36, 0xb3, 0x15, 0x62,
+  0x37, 0x99, 0xaa, 0x82, 0x50, 0x74, 0x40, 0x97, 0x54, 0xa2, 0xdf, 0xe8,
+  0xf5, 0xaf, 0xd5, 0xfe, 0x63, 0x1e, 0x1f, 0xc2, 0xaf, 0x38, 0x08, 0x90,
+  0x6f, 0x28, 0xa7, 0x90, 0xd9, 0xdd, 0x9f, 0xe0, 0x60, 0x93, 0x9b, 0x12,
+  0x57, 0x90, 0xc5, 0x80, 0x5d, 0x03, 0x7d, 0xf5, 0x6a, 0x99, 0x53, 0x1b,
+  0x96, 0xde, 0x69, 0xde, 0x33, 0xed, 0x22, 0x6c, 0xc1, 0x20, 0x7d, 0x10,
+  0x42, 0xb5, 0xc9, 0xab, 0x7f, 0x40, 0x4f, 0xc7, 0x11, 0xc0, 0xfe, 0x47,
+  0x69, 0xfb, 0x95, 0x78, 0xb1, 0xdc, 0x0e, 0xc4, 0x69, 0xea, 0x1a, 0x25,
+  0xe0, 0xff, 0x99, 0x14, 0x88, 0x6e, 0xf2, 0x69, 0x9b, 0x23, 0x5b, 0xb4,
+  0x84, 0x7d, 0xd6, 0xff, 0x40, 0xb6, 0x06, 0xe6, 0x17, 0x07, 0x93, 0xc2,
+  0xfb, 0x98, 0xb3, 0x14, 0x58, 0x7f, 0x9c, 0xfd, 0x25, 0x73, 0x62, 0xdf,
+  0xea, 0xb1, 0x0b, 0x3b, 0xd2, 0xd9, 0x76, 0x73, 0xa1, 0xa4, 0xbd, 0x44,
+  0xc4, 0x53, 0xaa, 0xf4, 0x7f, 0xc1, 0xf2, 0xd3, 0xd0, 0xf3, 0x84, 0xf7,
+  0x4a, 0x06, 0xf8, 0x9c, 0x08, 0x9f, 0x0d, 0xa6, 0xcd, 0xb7, 0xfc, 0xee,
+  0xe8, 0xc9, 0x82, 0x1a, 0x8e, 0x54, 0xf2, 0x5c, 0x04, 0x16, 0xd1, 0x8c,
+  0x46, 0x83, 0x9a, 0x5f, 0x80, 0x12, 0xfb, 0xdd, 0x3d, 0xc7, 0x4d, 0x25,
+  0x62, 0x79, 0xad, 0xc2, 0xc0, 0xd5, 0x5a, 0xff, 0x6f, 0x06, 0x22, 0x42,
+  0x5d, 0x1b, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xc9, 0x30, 0x81,
+  0xc6, 0x30, 0x60, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x59, 0x30, 0x57,
+  0x30, 0x55, 0xa0, 0x53, 0xa0, 0x51, 0x86, 0x4f, 0x68, 0x74, 0x74, 0x70,
+  0x3a, 0x2f, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x73, 0x65,
+  0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x6c,
+  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
+  0x2f, 0x43, 0x52, 0x4c, 0x2f, 0x53, 0x47, 0x58, 0x2f, 0x41, 0x74, 0x74,
+  0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x70, 0x6f,
+  0x72, 0x74, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x41, 0x2e,
+  0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
+  0x04, 0x14, 0x78, 0x43, 0x7b, 0x76, 0xa6, 0x7e, 0xbc, 0xd0, 0xaf, 0x7e,
+  0x42, 0x37, 0xeb, 0x35, 0x7c, 0x3b, 0x87, 0x01, 0x51, 0x3c, 0x30, 0x1f,
+  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x78,
+  0x43, 0x7b, 0x76, 0xa6, 0x7e, 0xbc, 0xd0, 0xaf, 0x7e, 0x42, 0x37, 0xeb,
+  0x35, 0x7c, 0x3b, 0x87, 0x01, 0x51, 0x3c, 0x30, 0x0e, 0x06, 0x03, 0x55,
+  0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30,
+  0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30,
+  0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+  0x01, 0x81, 0x00, 0x78, 0x5f, 0x2d, 0x60, 0xc5, 0xc8, 0x0a, 0xf4, 0x2a,
+  0x79, 0x76, 0x10, 0x21, 0x39, 0x15, 0xda, 0x82, 0xc9, 0xb2, 0x9e, 0x89,
+  0xe0, 0x90, 0x2a, 0x25, 0xa6, 0xc7, 0x5b, 0x16, 0x09, 0x1c, 0x68, 0xab,
+  0x20, 0x4a, 0xae, 0x71, 0x18, 0x89, 0x49, 0x2c, 0x7e, 0x1e, 0x32, 0x09,
+  0x11, 0x45, 0x5a, 0x8f, 0xc1, 0x34, 0x42, 0x31, 0x2e, 0x77, 0xa6, 0x39,
+  0x94, 0xd9, 0x97, 0x95, 0xc8, 0xea, 0x45, 0x76, 0x82, 0x3c, 0xea, 0x8a,
+  0xd1, 0xe1, 0x91, 0xcf, 0xa8, 0x62, 0xfa, 0xb8, 0xa9, 0x32, 0xd3, 0xd9,
+  0xb0, 0x53, 0x5a, 0x07, 0x02, 0xd0, 0x55, 0x5f, 0x74, 0xe5, 0x20, 0xe3,
+  0x03, 0x30, 0xf3, 0x34, 0x80, 0xe7, 0xad, 0xc9, 0xd7, 0xc8, 0x1e, 0x20,
+  0x70, 0x31, 0x42, 0xbf, 0x00, 0xc5, 0x28, 0xa8, 0x0b, 0x46, 0x33, 0x81,
+  0xfd, 0x60, 0x2a, 0x82, 0xc7, 0x03, 0x52, 0x81, 0xaa, 0xe5, 0x95, 0x62,
+  0xcc, 0xb5, 0x33, 0x4e, 0xa8, 0x90, 0x3e, 0x65, 0x0b, 0x01, 0x06, 0x81,
+  0xf5, 0xce, 0x8e, 0xb6, 0x2e, 0xac, 0x9c, 0x41, 0x49, 0x88, 0x24, 0x3a,
+  0xec, 0x92, 0xf2, 0x5b, 0xf1, 0x3c, 0xdf, 0xf7, 0xeb, 0xcc, 0x29, 0x8e,
+  0xe5, 0x1b, 0xba, 0x5a, 0x35, 0x38, 0xb6, 0x6b, 0x26, 0xcb, 0xc4, 0x5a,
+  0x51, 0xde, 0x00, 0x3c, 0xad, 0x30, 0x65, 0x31, 0xad, 0x7c, 0xf5, 0xd4,
+  0xef, 0x0f, 0x88, 0x05, 0xd1, 0xb9, 0x13, 0x3d, 0x24, 0x13, 0x5a, 0xb3,
+  0xc4, 0x64, 0x1a, 0x2f, 0x88, 0x08, 0x34, 0x9d, 0x73, 0x33, 0x29, 0x5e,
+  0x0e, 0x76, 0xee, 0x4b, 0xc5, 0x22, 0x72, 0x32, 0x62, 0x8e, 0xfa, 0x80,
+  0xd7, 0x9d, 0x92, 0xab, 0x4e, 0x3d, 0x11, 0x20, 0xf3, 0xfb, 0x5a, 0xd1,
+  0x19, 0xcd, 0x8d, 0x54, 0x4a, 0xa1, 0xd4, 0xa6, 0x86, 0x5e, 0x6b, 0x57,
+  0xbe, 0xac, 0x57, 0x71, 0x30, 0x7e, 0x2e, 0x3c, 0xb9, 0x07, 0x0d, 0xa4,
+  0x7b, 0x4b, 0xfc, 0x88, 0x69, 0xe0, 0x14, 0x13, 0xea, 0x09, 0x35, 0x41,
+  0xde, 0x8a, 0x79, 0x28, 0x11, 0xb7, 0x46, 0x36, 0xc5, 0xe9, 0x14, 0x52,
+  0xcf, 0x0c, 0xee, 0x59, 0xf2, 0xfb, 0x40, 0x4a, 0xcd, 0x0b, 0xc5, 0x84,
+  0xcb, 0x9c, 0x83, 0x54, 0x04, 0x73, 0x4c, 0x0e, 0x7e, 0xc6, 0x60, 0x5c,
+  0xdf, 0xcf, 0x2f, 0xf4, 0x39, 0xb6, 0xd4, 0x71, 0x9f, 0x70, 0x2f, 0x0e,
+  0x0c, 0x3f, 0xa0, 0x4f, 0xdb, 0x12, 0xa6, 0xcb, 0x2a, 0xd1, 0xab, 0x1c,
+  0x9a, 0xf1, 0xf8, 0xf4, 0xc3, 0xa0, 0x8e, 0xdd, 0x72, 0xa3, 0x2b, 0x0b,
+  0xb5, 0xd0, 0xad, 0x25, 0x6f, 0xfd, 0x15, 0x9a, 0x68, 0x3b, 0x2a, 0x5a,
+  0x1f, 0x1d, 0x11, 0xfa, 0x62, 0x53, 0x2f, 0x03, 0xd7, 0x54, 0xca, 0xef,
+  0x0d, 0xa5, 0x73, 0x5a, 0x1e, 0x5a, 0x88, 0x4c, 0x7e, 0x89, 0xd9, 0x12,
+  0x18, 0xc9, 0xd7
+};
+unsigned int ias_sign_ca_cert_der_len = 1359;
--- a/stub_enclave/ra-attester.h
+++ b/stub_enclave/ra-attester.h
--- a/stub_enclave/ra-attester_private.h
+++ b/stub_enclave/ra-attester_private.h
--- a/stub_enclave/ra-challenger.c
+++ b/stub_enclave/ra-challenger.c
--- a/stub_enclave/ra-challenger.h
+++ b/stub_enclave/ra-challenger.h
--- a/stub_enclave/ra-challenger_private.h
+++ b/stub_enclave/ra-challenger_private.h
--- a/stub_enclave/ra.c
+++ b/stub_enclave/ra.c
--- a/stub_enclave/ra.h
+++ b/stub_enclave/ra.h
--- a/stub_enclave/ra_private.h
+++ b/stub_enclave/ra_private.h
--- a/stub_enclave/ra_tls.edl
+++ b/stub_enclave/ra_tls.edl
--- a/stub_enclave/ra_tls_options.c.sh
+++ b/stub_enclave/ra_tls_options.c.sh
--- a/stub_enclave/sgxsdk-ra-attester_t.c
+++ b/stub_enclave/sgxsdk-ra-attester_t.c
--- a/stub_enclave/untrusted/sgxsdk-ra-attester_u.c
+++ b/stub_enclave/untrusted/sgxsdk-ra-attester_u.c
@@ -5,7 +5,7 @@

 #include <ra.h>
 #include <ra-attester.h>
-// #include <ias-ra.h>
+#include <ias-ra.h>

 /* Untrusted code to do remote attestation with the SGX SDK. */

@@ -35,7 +35,7 @@ void ocall_remote_attestation
    assert(SGX_SUCCESS == status);

    // verify against IAS
-    // obtain_attestation_verification_report(quote, quote_size, opts, attn_report);
+    obtain_attestation_verification_report(quote, quote_size, opts, attn_report);
 }

 void ocall_sgx_init_quote

--- a/stub_enclave/wolfssl-ra-attester.c
+++ b/stub_enclave/wolfssl-ra-attester.c
@@ -188,8 +188,8 @@ wolfssl_create_key_and_x509

    do_remote_attestation(&report_data, opts, &attestation_report);

-    // generate_x509(&genKey, der_cert, der_cert_len,
-       //           &attestation_report);
+    generate_x509(&genKey, der_cert, der_cert_len,
+                  &attestation_report);
 }

 #ifdef RATLS_ECDSA
@@ -663,8 +663,7 @@ void create_key_and_x509
    int* der_key_len,  /* in/out */
    uint8_t* der_cert, /* out */
    int* der_cert_len, /* in/out */
-    const struct ra_tls_options* opts, /* in */
-    void* targetinfo, void* data, void* report
+    const struct ra_tls_options* opts /* in */
 )
 {
    wolfssl_create_key_and_x509(der_key, der_key_len,
@@ -672,57 +671,6 @@ void create_key_and_x509
                                opts);
 }

-static void create_key_111
-(
-	uint8_t* der_key,  /* out */
-	int* der_key_len,  /* in/out */
-	uint8_t* der_cert, /* out */
-	int* der_cert_len, /* in/out */
-	const struct ra_tls_options* opts, /* in */
-	void* targetinfo, void* data, void* report
-)
-{
-	wolfssl_create_key_and_x509(der_key, der_key_len,
-			            der_cert, der_cert_len,
-				    opts);
-}
-
-static void
-wolfssl_create_key
-(
-	uint8_t* der_key,
-	int* der_key_len,
- 	uint8_t* der_cert,
-	int* der_cert_len,
- 	const struct ra_tls_options* opts,
-	void* targetinfo, void* data, void* report
-)
-{
-        /* Generate key. */
-	RsaKey genKey;
-	RNG    rng;
-	int    ret;
-
-	wc_InitRng(&rng);
-	wc_InitRsaKey(&genKey, 0);
-	ret = wc_MakeRsaKey(&genKey, 3072, 65537, &rng);
-	assert(ret == 0);
-
-	uint8_t der[4096];
-	int  derSz = wc_RsaKeyToDer(&genKey, der, sizeof(der));
-	assert(derSz >= 0);
-	assert(derSz <= (int) *der_key_len);
-
-	*der_key_len = derSz;
-	memcpy(der_key, der, derSz);
-	/* Generate certificate */
-	sgx_report_data_t report_data = {0, };
-	sha256_rsa_pubkey(report_data.d, &genKey);
-	attestation_verification_report_t attestation_report;
-	do_remote_attestation(&report_data, opts, &attestation_report);
-}
-
-
 void create_key_and_x509_pem
 (
    uint8_t* pem_key,  /* out */

--- a/stub_enclave/wolfssl-ra-challenger.c
+++ b/stub_enclave/wolfssl-ra-challenger.c
--- a/stub_enclave/wolfssl-ra.c
+++ b/stub_enclave/wolfssl-ra.c
--- a/stub_enclave/wolfssl-ra.h
+++ b/stub_enclave/wolfssl-ra.h
--- a/stub_enclave/sgx_t.mk
+++ b/stub_enclave/sgx_t.mk
@@ -3,9 +3,10 @@ SGX_SDK ?= /opt/intel/sgxsdk
 SGX_MODE ?= HW
 SGX_DEBUG ?= 1
 SGX_ARCH ?= x64
-SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
-WOLFSSL_ROOT ?= ./deps/wolfssl
-SGX_RA_TLS_LIB ?= $(shell readlink -f .)
+WOLFSSL_ROOT ?= $(TOPDIR)/wolfssl
+SGX_RA_TLS_ROOT=$(shell readlink -f $(TOPDIR)/sgx-ra-tls)
+SGX_WOLFSSL_LIB ?= $(TOPDIR)/build/lib
+SGX_RA_TLS_LIB ?= $(shell readlink -f $(TOPDIR)/build/lib)

 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
@@ -47,49 +48,43 @@ endif

 Crypto_Library_Name := sgx_tcrypto

-SGX_RA_TLS_ROOT=$(shell readlink -f .)
-
 Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT
-Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/
-
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT) \
+	-I$(WOLFSSL_ROOT)/wolfcrypt

-Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
-Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
-								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
-								   -I$(SGX_SDK)/include/stlport \
-									 -I$(SGX_RA_TLS_ROOT)
+Wolfssl_Enclave_C_Files := Wolfssl_Enclave.c
+Wolfssl_Enclave_Include_Paths := -I. $(Wolfssl_Include_Paths) \
+	-I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc \
+	-I$(SGX_SDK)/include/stlport \
+	-I$(SGX_RA_TLS_ROOT)

 ifeq ($(HAVE_WOLFSSL_TEST), 1)
-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test
 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
 endif

 ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
-	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark
 	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
 endif

-
 Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
 Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths) -fno-builtin -fno-builtin-printf -I.
 Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)

-Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
-  -L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
+Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib \
+	-nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+	-L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
 	-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
 	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
 	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
 	-Wl,--defsym,__ImageBase=0 \
-	-Wl,--version-script=trusted/Wolfssl_Enclave.lds
+	-Wl,--version-script=Wolfssl_Enclave.lds

 Wolfssl_Enclave_C_Objects := $(Wolfssl_Enclave_C_Files:.c=.o)

-
-
-
 ifeq ($(SGX_MODE), HW)
 ifneq ($(SGX_DEBUG), 1)
 ifneq ($(SGX_PRERELEASE), 1)
@@ -98,7 +93,6 @@ endif
 endif
 endif

-
 .PHONY: all run

 ifeq ($(Build_Mode), HW_RELEASE)
@@ -119,29 +113,29 @@ ifneq ($(Build_Mode), HW_RELEASE)
 	@echo "RUN  =>  app [$(SGX_MODE)|$(SGX_ARCH), OK]"
 endif

-
 ######## Wolfssl_Enclave Objects ########

-trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
-	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
+Wolfssl_Enclave_t.c: $(SGX_EDGER8R) Wolfssl_Enclave.edl
+	@$(SGX_EDGER8R) --trusted Wolfssl_Enclave.edl --search-path $(SGX_SDK)/include --search-path $(SGX_RA_TLS_ROOT)
 	@echo "GEN  =>  $@"

-trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
+Wolfssl_Enclave_t.o: Wolfssl_Enclave_t.c
 	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"

-trusted/%.o: trusted/%.c
+%.o: %.c
 	@echo $(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
 	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
-	@echo "CC  <=  $<"
+	@echo "CC   <=  $<"

-Wolfssl_Enclave.so: trusted/Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
+Wolfssl_Enclave.so: Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
 	@echo $(Wolfssl_Enclave_Link_Flags)@
 	@$(CXX) $^ -o $@ $(Wolfssl_Enclave_Link_Flags)
 	@echo "LINK =>  $@"

 Wolfssl_Enclave.signed.so: Wolfssl_Enclave.so
-	@$(SGX_ENCLAVE_SIGNER) sign -key trusted/Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config trusted/Wolfssl_Enclave.config.xml
+	@$(SGX_ENCLAVE_SIGNER) sign -key Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config Wolfssl_Enclave.config.xml
 	@echo "SIGN =>  $@"
+
 clean:
-	@rm -f Wolfssl_Enclave.* trusted/Wolfssl_Enclave_t.*  $(Wolfssl_Enclave_C_Objects)
+	@rm -f *.so Wolfssl_Enclave_t.* $(Wolfssl_Enclave_C_Objects)
--- a/ra-tls/stub-enclave/Wolfssl_Enclave.c
+++ b/ra-tls/stub-enclave/Wolfssl_Enclave.c
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>      /* vsnprintf */
+
+#include "Wolfssl_Enclave_t.h"
+
+#include "sgx_trts.h"
+
+
+int wc_test(void* args)
+{
+#ifdef HAVE_WOLFSSL_TEST
+	return wolfcrypt_test(args);
+#else
+    /* wolfSSL test not compiled in! */
+    return -1;
+#endif /* HAVE_WOLFSSL_TEST */
+}
+
+int wc_benchmark_test(void* args)
+{
+
+#ifdef HAVE_WOLFSSL_BENCHMARK
+    return benchmark_test(args);
+#else
+    /* wolfSSL benchmark not compiled in! */
+    return -1;
+#endif /* HAVE_WOLFSSL_BENCHMARK */
+}
+
+void enc_wolfSSL_Debugging_ON(void)
+{
+    wolfSSL_Debugging_ON();
+}
+
+void enc_wolfSSL_Debugging_OFF(void)
+{
+    wolfSSL_Debugging_OFF();
+}
+
+int enc_wolfSSL_Init(void)
+{
+    return wolfSSL_Init();
+}
+
+WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
+{
+    return wolfTLSv1_2_client_method();
+}
+
+WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
+{
+    return wolfTLSv1_2_server_method();
+}
+
+
+WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
+{
+    if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_new(method);
+}
+
+int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
+        const unsigned char* buf, long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
+        const unsigned char* buf, long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
+                                            long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+                                       long sz, int format)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
+}
+
+int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_set_cipher_list(ctx, list);
+}
+
+WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_new(ctx);
+}
+
+int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_set_fd(ssl, fd);
+}
+
+int enc_wolfSSL_connect(WOLFSSL* ssl)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_connect(ssl);
+}
+
+int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_write(ssl, in, sz);
+}
+
+int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_get_error(ssl, ret);
+}
+
+int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_read(ssl, data, sz);
+}
+
+void enc_wolfSSL_free(WOLFSSL* ssl)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    wolfSSL_free(ssl);
+}
+
+void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    wolfSSL_CTX_free(ctx);
+}
+
+int enc_wolfSSL_Cleanup(void)
+{
+    wolfSSL_Cleanup();
+}
+
+void printf(const char *fmt, ...)
+{
+    char buf[BUFSIZ] = {'\0'};
+    va_list ap;
+    va_start(ap, fmt);
+    vsnprintf(buf, BUFSIZ, fmt, ap);
+    va_end(ap);
+    ocall_print_string(buf);
+}
+
+int sprintf(char* buf, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = vsnprintf(buf, BUFSIZ, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+double current_time(void)
+{
+    double curr;
+    ocall_current_time(&curr);
+    return curr;
+}
+
+int LowResTimer(void) /* low_res timer */
+{
+    int time;
+    ocall_low_res_time(&time);
+    return time;
+}
+
+size_t recv(int sockfd, void *buf, size_t len, int flags)
+{
+    size_t ret;
+    int sgxStatus;
+    sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
+    return ret;
+}
+
+size_t send(int sockfd, const void *buf, size_t len, int flags)
+{
+    size_t ret;
+    int sgxStatus;
+    sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
+    return ret;
+}
+
+extern struct ra_tls_options my_ra_tls_options;
+
+void enc_create_key_and_x509(WOLFSSL_CTX* ctx) {
+    uint8_t der_key[2048];
+    uint8_t der_cert[8 * 1024];
+    uint32_t der_key_len = sizeof(der_key);
+    uint32_t der_cert_len = sizeof(der_cert);
+
+    create_key_and_x509(&der_key, &der_key_len,
+                        &der_cert, &der_cert_len,
+                        &my_ra_tls_options);
+
+    int ret;
+    ret = wolfSSL_CTX_use_certificate_buffer(ctx, der_cert, der_cert_len,
+                                             SSL_FILETYPE_ASN1);
+    assert(ret == SSL_SUCCESS);
+
+    wolfSSL_CTX_use_PrivateKey_buffer(ctx, der_key, der_key_len,
+                                      SSL_FILETYPE_ASN1);
+    assert(ret == SSL_SUCCESS);
+}
--- a/stub_enclave/trusted/Wolfssl_Enclave.config.xml
+++ b/stub_enclave/trusted/Wolfssl_Enclave.config.xml
--- a/stub_enclave/trusted/Wolfssl_Enclave.edl
+++ b/stub_enclave/trusted/Wolfssl_Enclave.edl
@@ -49,9 +49,7 @@ enclave {
 		public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
 		public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
 		public int enc_wolfSSL_Cleanup(void);
-
-		public int enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx, [user_check]void* targetinfo, 
-											[user_check]void* report);
+		public void enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx);
 	};

 	untrusted {

--- a/stub_enclave/trusted/Wolfssl_Enclave.h
+++ b/stub_enclave/trusted/Wolfssl_Enclave.h
--- a/stub_enclave/trusted/Wolfssl_Enclave.lds
+++ b/stub_enclave/trusted/Wolfssl_Enclave.lds
--- a/stub_enclave/trusted/Wolfssl_Enclave_private.pem
+++ b/stub_enclave/trusted/Wolfssl_Enclave_private.pem
--- a/stub_enclave/Makefile
+++ b/stub_enclave/Makefile
-BINDIR := $(PREFIX)/usr/lib
-
-all: stub_enclave
-
-stub_enclave: ra_tls_options.c deps/local/lib/libwolfssl.sgx.static.lib.a deps/local/lib/libcurl-wolfssl.a libsgx_ra_tls_wolfssl.a
-	$(MAKE) -ef sgx_u.mk all
-	$(MAKE) -ef sgx_t.mk all
-
-ra_tls_options.c: ra_tls_options.c.sh
-	bash $^ > $@
-
-deps/local/lib/libcrypto.a: deps/openssl/config
-	cd deps/openssl && $(MAKE) && $(MAKE) -j1 install
-
-deps/wolfssl/configure:
-	mkdir -p deps && cd deps && git clone https://github.com/wolfSSL/wolfssl
-	cd deps/wolfssl && git checkout 57e5648a5dd734d1c219d385705498ad12941dd0
-	cd deps/wolfssl && patch -p1 < ../../wolfssl.patch
-	cd deps/wolfssl && ./autogen.sh
-
-# Add --enable-debug to ./configure for debug build
-# WOLFSSL_ALWAYS_VERIFY_CB ... Always call certificate verification callback, even if verification succeeds
-# KEEP_OUR_CERT ... Keep the certificate around after the handshake
-# --enable-tlsv10 ... required by libcurl
-# 2019-03-19 removed --enable-intelasm configure flag. The Celeron NUC I am developing this, does not support AVX.
-
-WOLFSSL_CFLAGS+=-DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_ALWAYS_VERIFY_CB -DKEEP_PEER_CERT
-WOLFSSL_CONFIGURE_FLAGS+=--prefix=$(shell readlink -f deps/local) --enable-writedup --enable-static --enable-keygen --enable-certgen --enable-certext --with-pic --disable-examples --disable-crypttests --enable-aesni --enable-tlsv10
-ifdef DEBUG
-WOLFSS_CFLAGS+=--enable-debug
-endif
-
-deps/local/lib/libwolfssl.a: CFLAGS+= $(WOLFSSL_CFLAGS)
-deps/local/lib/libwolfssl.a: deps/wolfssl/configure
-# Later versions of gcc report errors on this version of wolfSSL.
-# TODO: Upgrade to more recent version of wolfSSL.
-	cd deps/wolfssl && CC=gcc CFLAGS="$(CFLAGS)" ./configure $(WOLFSSL_CONFIGURE_FLAGS)
-	cd deps/wolfssl && $(MAKE) install
-
-# Ideally, deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a and
-# deps/local/lib/libwolfssl.a could be built in parallel. Does not
-# work however. Hence, the dependency forces a serial build.
-#
-# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
-deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a: deps/local/lib/libwolfssl.a
-	cd deps/wolfssl/IDE/LINUX-SGX && make -f sgx_t_static.mk CFLAGS="-DUSER_TIME -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_KEY_GEN -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192"
-
-deps/local/lib/libwolfssl.sgx.static.lib.a: deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib/libwolfssl.a
-	mkdir -p deps/local/lib && cp deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib
-
-deps/curl/configure:
-	cd deps && git clone https://github.com/curl/curl.git
-	cd deps/curl && git checkout curl-7_47_0
-	cd deps/curl && ./buildconf
-
-CURL_CONFFLAGS=--prefix=$(shell readlink -f deps/local) --without-libidn --without-librtmp --without-libssh2 --without-libmetalink --without-libpsl --disable-ldap --disable-ldaps --disable-shared
-ifdef DEBUG
-CURL_CONFFLAGS+=--enable-debug
-endif
-
-deps/local/lib/libcurl-wolfssl.a: deps/curl/configure deps/local/lib/libwolfssl.a
-	cp -a deps/curl deps/curl-wolfssl
-	cd deps/curl-wolfssl && CFLAGS="-fPIC" ./configure $(CURL_CONFFLAGS) --without-ssl --with-cyassl=$(shell readlink -f deps/local)
-	cd deps/curl-wolfssl && $(MAKE)
-	cp deps/curl-wolfssl/lib/.libs/libcurl.a deps/local/lib/libcurl-wolfssl.a
-
-libsgx_ra_tls_wolfssl.a:
-	make -f ratls-wolfssl.mk
-	rm -f wolfssl-ra-challenger.o wolfssl-ra.o ra-challenger.o ias_sign_ca_cert.o
-
-install:
-	install -D -m0755 liberpal-sgxsdk.so $(BINDIR)/liberpal-sgxsdk.so
-
-uninstall:
-	rm -f $(BINDIR)/liberpal-sgxsdk.so
-
-clean:
-	rm -f ra_tls_options.c ra_tls_u.o
-	rm -rf deps/curl-wolfssl deps/local 
-	$(MAKE) -ef sgx_u.mk clean
-	$(MAKE) -ef sgx_t.mk clean
-	$(MAKE) -ef ratls-wolfssl.mk clean
-
-.PHONY: stub_enclave clean install uninstall
--- a/stub_enclave/trusted/Wolfssl_Enclave.c
+++ b/stub_enclave/trusted/Wolfssl_Enclave.c
-#include <assert.h>
-#include <stdarg.h>
-#include <stdio.h>	/* vsnprintf */
-
-#include "Wolfssl_Enclave_t.h"
-#include "sgx_trts.h"
-#include <wolfssl/wolfcrypt/rsa.h>
-
-int wc_test(void* args)
-{
-#ifdef HAVE_WOLFSSL_TEST
-	return wolfcrypt_test(args);
-#else
-	/* wolfSSL test not compiled in! */
-	return -1;
-#endif /* HAVE_WOLFSSL_TEST */
-}
-
-int wc_benchmark_test(void* args)
-{
-
-#ifdef HAVE_WOLFSSL_BENCHMARK
-	return benchmark_test(args);
-#else
-	/* wolfSSL benchmark not compiled in! */
-	return -1;
-#endif	/* HAVE_WOLFSSL_BENCHMARK */
-}
-
-void enc_wolfSSL_Debugging_ON(void)
-{
-	wolfSSL_Debugging_ON();
-}
-
-void enc_wolfSSL_Debugging_OFF(void)
-{
-	wolfSSL_Debugging_OFF();
-}
-
-int enc_wolfSSL_Init(void)
-{
-	return wolfSSL_Init();
-}
-
-WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
-{
-	return wolfTLSv1_2_client_method();
-}
-
-WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
-{
-	return wolfTLSv1_2_server_method();
-}
-
-
-WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
-{
-	if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_new(method);
-}
-
-int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
-	const unsigned char* buf, long sz, int type)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
-}
-
-int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
-	const unsigned char* buf, long sz, int type)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
-}
-
-int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
-								long sz, int type)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
-}
-
-int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
-								long sz, int format)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
-}
-
-int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_CTX_set_cipher_list(ctx, list);
-}
-
-WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_new(ctx);
-}
-
-int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_set_fd(ssl, fd);
-}
-
-int enc_wolfSSL_connect(WOLFSSL* ssl)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_connect(ssl);
-}
-
-int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_write(ssl, in, sz);
-}
-
-int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_get_error(ssl, ret);
-}
-
-int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	return wolfSSL_read(ssl, data, sz);
-}
-
-void enc_wolfSSL_free(WOLFSSL* ssl)
-{
-	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
-		abort();
-	wolfSSL_free(ssl);
-}
-
-void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
-{
-	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
-		abort();
-	wolfSSL_CTX_free(ctx);
-}
-
-int enc_wolfSSL_Cleanup(void)
-{
-	wolfSSL_Cleanup();
-}
-
-void printf(const char *fmt, ...)
-{
-	char buf[BUFSIZ] = {'\0'};
-	va_list ap;
-	va_start(ap, fmt);
-	vsnprintf(buf, BUFSIZ, fmt, ap);
-	va_end(ap);
-	ocall_print_string(buf);
-}
-
-int sprintf(char* buf, const char *fmt, ...)
-{
-	va_list ap;
-	int ret;
-	va_start(ap, fmt);
-	ret = vsnprintf(buf, BUFSIZ, fmt, ap);
-	va_end(ap);
-	return ret;
-}
-
-double current_time(void)
-{
-	double curr;
-	ocall_current_time(&curr);
-	return curr;
-}
-
-int LowResTimer(void) /* low_res timer */
-{
-	int time;
-	ocall_low_res_time(&time);
-	return time;
-}
-
-size_t recv(int sockfd, void *buf, size_t len, int flags)
-{
-	size_t ret;
-	int sgxStatus;
-	sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
-	return ret;
-}
-
-size_t send(int sockfd, const void *buf, size_t len, int flags)
-{
-	size_t ret;
-	int sgxStatus;
-	sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
-	return ret;
-}
-
-extern struct ra_tls_options my_ra_tls_options;
-
-int wolfssl_create_key
-(
-	uint8_t* der_key,
-	int* der_key_len,
-	uint8_t* der_cert,
-	int* der_cert_len,
-	const struct ra_tls_options* opts,
-	void* targetinfo, void* report
-)
-{
-	if (targetinfo == NULL || report == NULL) {
-		printf("input parameters in invalid!\n");
-		return -1;
-	}
-
-	/* Generate key. */
-	RsaKey genKey;
-	RNG    rng;
-	int    ret;
-
-	wc_InitRng(&rng);
-	wc_InitRsaKey(&genKey, 0);
-	ret = wc_MakeRsaKey(&genKey, 3072, 65537, &rng);
-	assert(ret == 0);
-
-	uint8_t der[4096];
-	int  derSz = wc_RsaKeyToDer(&genKey, der, sizeof(der));
-	assert(derSz >= 0);
-	assert(derSz <= (int) *der_key_len);
-
-	*der_key_len = derSz;
-	memcpy(der_key, der, derSz);
-
-	/* Generate certificate */
-	sgx_report_data_t report_data = {0, };
-	sha256_rsa_pubkey(report_data.d, &genKey);
-	sgx_target_info_t target_info = {0, };
-	memcpy(&target_info, targetinfo, sizeof(sgx_target_info_t));
-	sgx_report_t report_tmp = {0, };
-	sgx_status_t status = sgx_create_report(&target_info, &report_data, &report_tmp);
-
-	memcpy(report, &report_tmp, sizeof(sgx_report_t));
-
-	return status;
-}
-
-int create_key
-(
-	uint8_t* der_key,  /* out */
-	int* der_key_len,  /* in/out */
-	uint8_t* der_cert, /* out */
-	int* der_cert_len, /* in/out */
-	const struct ra_tls_options* opts, /* in */
-	void* targetinfo, void* report
-)
-{
-	return wolfssl_create_key(der_key, der_key_len, der_cert, der_cert_len, opts, targetinfo, report);
-}
-
-#ifdef WOLFSSL_SGX
-time_t XTIME(time_t* tloc) {
-	time_t x = 1512498557; /* Dec 5, 2017, 10:29 PDT */
-	if (tloc) *tloc = x;
-		return x;
-}
-
-time_t mktime(struct tm* tm) {
-	(void) tm;
-	assert(0);
-	return (time_t) 0;
-}
-#endif
-
-int enc_create_key_and_x509(WOLFSSL_CTX* ctx, void* targetinfo, void* report) {
-	uint8_t der_key[2048];
-	uint8_t der_cert[8 * 1024];
-	uint32_t der_key_len = sizeof(der_key);
-	uint32_t der_cert_len = sizeof(der_cert);
-
-	if( targetinfo == NULL || report == NULL)
-	{
-		printf("input parameters is valid!\n");
-		return -1;
-	}
-
-	return create_key(&der_key, &der_key_len,
-			&der_cert, &der_cert_len,
-			&my_ra_tls_options, targetinfo, report);
-}