提交 157a1f8d 编写于 作者: jia zhang's avatar jia zhang

ra-tls: Add ra-tls support

ra-tls intends to establish the link between hardware-based remote
attestation and TLS secure channel implementation, which provides
more flexibilities on enclave management and communication.

This is the initial PoC implementation, and the code base of current
implementation is mainly inspired from
https://github.com/cloud-security-research/sgx-ra-tls.
Signed-off-by: jia zhang's avatarJia Zhang <zhang.jia@linux.alibaba.com>
上级 f69987ee
build
curl-wolfssl
wolfssl
wolfssl-examples
*.so
*.o
sgx-ra-tls/ra_tls_options.c
sgx-ra-tls/ra_tls_t.c
sgx-ra-tls/ra_tls_t.h
sgx-ra-tls/ra_tls_u.c
sgx-ra-tls/ra_tls_u.h
stub-enclave/Wolfssl_Enclave_t.c
stub-enclave/Wolfssl_Enclave_t.h
pal/Wolfssl_Enclave_u.c
pal/Wolfssl_Enclave_u.h
TOPDIR := $(shell readlink -f .)
export TOPDIR
DEBUG ?=
PREFIX ?= $(TOPDIR)/build
BINDIR := $(PREFIX)/bin
LIBDIR := $(PREFIX)/lib
INCDIR := $(PREFIX)/include
SGX_SDK ?= /opt/intel/sgxsdk
SGX_RA_TLS := $(TOPDIR)/sgx-ra-tls
WOLFSSL := $(TOPDIR)/wolfssl
ifdef ECDSA
SGX_DCAP_URI := https://github.com/intel/SGXDataCenterAttestationPrimitives
SGX_DCAP_COMMIT := bfab1376480f760757738092399d0d99b22f4dfd
SGX_DCAP ?= SGXDataCenterAttestationPrimitives
SGX_DCAP_INC := -I$(SGX_DCAP)/QuoteGeneration/quote_wrapper/common/inc -I$(SGX_DCAP)/QuoteGeneration/pce_wrapper/inc -I$(SGX_DCAP)/QuoteVerification/Src/AttestationLibrary/include
endif
#EPID_SDK := $(SGX_SDK)/external/epid-sdk
CFLAGS += -std=gnu99 -I$(SGX_RA_TLS) -I$(SGX_SDK)/include -I$(INCDIR) $(SGX_DCAP_INC) -fPIC
#CFLAGSERRORS := -Wall -Wextra -Wwrite-strings -Wlogical-op -Wshadow -Werror
CFLAGS += $(CFLAGSERRORS) -g -O0 -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_CERT_EXT # -DDEBUG -DDYNAMIC_RSA
CFLAGS += -DSGX_GROUP_OUT_OF_DATE
ifdef ECDSA
CFLAGS += -DRATLS_ECDSA
endif
#CFLAGS += -I$(SGX_GIT)/common/inc/internal -I$(EPID_SDK) -I$(SGX_GIT)/common/inc
CC ?= gcc
export DEBUG PREFIX BINDIR LIBDIR INCDIR SGX_SDK SGX_RA_TLS WOLFSSL CC
deps := $(LIBDIR)/libwolfssl.sgx.static.lib.a $(LIBDIR)/libsgx_ra_tls_wolfssl.a $(LIBDIR)/libcurl-wolfssl.a
all: $(deps) $(BINDIR)/ra-tls-client $(BINDIR)/ra-tls-server $(BINDIR)/Wolfssl_Enclave.signed.so
$(MAKE) -C pal
WOLFSSL_CLIENT_LIBS := -l:libra-challenger.a -l:libwolfssl.a -lm
ifdef ECDSA
WOLFSSL_CLIENT_LIBS += -l:libQuoteVerification.so -ldl
$(BINDIR)/ra-tls-client: $(LIBDIR)/libQuoteVerification.so
endif
$(BINDIR)/ra-tls-client: $(BINDIR) $(LIBDIR)/libra-challenger.a $(LIBDIR)/libwolfssl.a wolfssl-examples wolfssl-examples/tls/client-tls.c
$(CC) -o "$@" $(filter %.c, $^) $(CFLAGS) -L$(LIBDIR) $(WOLFSSL_CLIENT_LIBS)
$(BINDIR)/ra-tls-server: $(LIBDIR)/libwolfssl.sgx.static.lib.a $(LIBDIR)/libsgx_ra_tls_wolfssl.a
ifndef ECDSA
cp -f $(SGX_RA_TLS)/sgxsdk-ra-attester_u.c $(SGX_RA_TLS)/ias-ra.c wolfssl-examples/SGX_Linux/untrusted && \
$(MAKE) -C wolfssl-examples/SGX_Linux SGX_MODE=HW SGX_DEBUG=1 SGX_WOLFSSL_LIB=$(shell readlink -f wolfssl/IDE/LINUX-SGX) SGX_SDK=$(SGX_SDK) WOLFSSL_ROOT=$(shell readlink -f wolfssl) SGX_RA_TLS_LIB=$(shell readlink -f $(SGX_RA_TLS))
endif
cp -f wolfssl-examples/SGX_Linux/App "$@"
$(BINDIR)/Wolfssl_Enclave.signed.so: $(BINDIR)
$(MAKE) -C stub-enclave && \
cp -f stub-enclave/Wolfssl_Enclave.signed.so "$@"
# Add --enable-debug to ./configure for debug build
# WOLFSSL_ALWAYS_VERIFY_CB: Always call certificate verification callback, even if verification succeeds
# KEEP_OUR_CERT: Keep the certificate around after the handshake
# --enable-tlsv10: required by libcurl
# 2019-03-19 removed --enable-intelasm configure flag. The Celeron NUC I am developing this, does not support AVX.
WOLFSSL_CFLAGS := -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_ALWAYS_VERIFY_CB -DKEEP_PEER_CERT -Wno-stringop-truncation
ifdef DEBUG
WOLFSSL_CFLAGS += --enable-debug
endif
$(LIBDIR)/libwolfssl.a: CFLAGS += $(WOLFSSL_CFLAGS)
$(LIBDIR)/libwolfssl.a: $(LIBDIR) wolfssl
cd wolfssl && $(MAKE) install
wolfssl: WOLFSSL_CONFIGURE_FLAGS := --prefix=$(shell readlink -f $(PREFIX)) --enable-writedup --enable-static --enable-keygen --enable-certgen --enable-certext --with-pic --disable-examples --disable-crypttests --enable-aesni --enable-tlsv10
wolfssl:
git clone https://github.com/wolfSSL/wolfssl && \
cd wolfssl && git checkout 57e5648a5dd734d1c219d385705498ad12941dd0 && \
patch -p1 < ../patch/wolfssl.patch && \
./autogen.sh && \
CFLAGS="$(CFLAGS)" ./configure $(WOLFSSL_CONFIGURE_FLAGS)
wolfssl-examples:
git clone https://github.com/wolfSSL/wolfssl-examples.git && \
cd wolfssl-examples && \
git checkout 94b94262b45d264a40d484060cee595b26bdbfd7 && \
patch -p1 < ../patch/wolfssl-examples.patch
ifdef ECDSA
$(LIBDIR)/libra-challenger.a: $(SGX_RA_TLS)/ecdsa-sample-data/real/sample_data.o
endif
# sgx-ra-tls needs the header files from wolfssl.
$(LIBDIR)/libra-challenger.a: $(LIBDIR) $(LIBDIR)/libwolfssl.a $(SGX_RA_TLS)/ra.o $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
$(AR) rcs "$@" $(filter %.o, $^)
# Ideally, libwolfssl.sgx.static.lib.a and libwolfssl.a could be built
# in parallel. Does not work however. Hence, the dependency forces a
# serial build.
#
# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
$(LIBDIR)/libwolfssl.sgx.static.lib.a: $(LIBDIR) $(LIBDIR)/libwolfssl.a
cd wolfssl/IDE/LINUX-SGX && \
make -f sgx_t_static.mk CFLAGS="-DUSER_TIME -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_KEY_GEN -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192" && \
cp -f libwolfssl.sgx.static.lib.a "$@"
$(LIBDIR)/libsgx_ra_tls_wolfssl.a: $(LIBDIR)
# Previous Makefile compiles these .o files with incorrect C flags
# Don't disturb the build of libsgx_ra_tls_wolfssl.a
rm -f $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
$(MAKE) -C $(SGX_RA_TLS) && \
mv -f $(SGX_RA_TLS)/libsgx_ra_tls_wolfssl.a "$@"
# Don't disturb the build of libra-challenger.a
rm -f $(SGX_RA_TLS)/wolfssl-ra-challenger.o $(SGX_RA_TLS)/wolfssl-ra.o $(SGX_RA_TLS)/ra-challenger.o $(SGX_RA_TLS)/ias_sign_ca_cert.o
$(LIBDIR)/libcurl-wolfssl.a: $(LIBDIR) curl-wolfssl $(LIBDIR)/libwolfssl.a
cd curl-wolfssl && $(MAKE) && \
cp -f lib/.libs/libcurl.a "$@"
CURL_CONFFLAGS := --prefix=$(shell readlink -f $(PREFIX)) --without-libidn --without-librtmp --without-libssh2 --without-libmetalink --without-libpsl --disable-ldap --disable-ldaps --disable-shared
ifdef DEBUG
CURL_CONFFLAGS += --enable-debug
endif
curl-wolfssl:
git clone https://github.com/curl/curl.git -b curl-7_47_0 curl-wolfssl && \
cd curl-wolfssl && ./buildconf && \
CFLAGS="-fPIC" ./configure $(CURL_CONFFLAGS) --without-ssl --with-cyassl=$(shell readlink -f $(PREFIX))
ifdef ECDSA
wolfssl-ra-attester.o: ecdsa-sample-data/real/sample_data.h ecdsa-attestation-collateral.h
ecdsa-ra-attester.o: ecdsa-aesmd-messages.pb-c.c
ecdsa-aesmd-messages.pb-c.c:
cp $(SGX_DCAP)/SampleCode/QuoteServiceSample/App/ecdsa-aesmd-messages.proto .
protoc-c ecdsa-aesmd-messages.proto --c_out=.
messages.pb-c.c:
( cd linux-sgx/psw/ae/common/proto/ ; protoc-c messages.proto --c_out=. )
cp linux-sgx/psw/ae/common/proto/messages.pb-c.c linux-sgx/psw/ae/common/proto/messages.pb-c.h .
endif
$(LIBDIR)/libra-attester.a: wolfssl wolfssl-ra-attester.o wolfssl-ra.o ias-ra.o
$(AR) rcs $@ $(filter %.o, $^)
$(BINDIR):
mkdir -p "$(BINDIR)"
$(LIBDIR):
mkdir -p "$(LIBDIR)"
clean:
rm -rf $(PREFIX)
[ -d curl-wolfssl ] && $(MAKE) clean -C curl-wolfssl || true
[ -d wolfssl ] && $(MAKE) clean -C wolfssl || true
[ -d wolfssl-examples ] && $(MAKE) clean -C wolfssl-examples || true
$(MAKE) -C pal clean
$(MAKE) -C stub-enclave clean
$(MAKE) -C $(SGX_RA_TLS) clean
rm -f wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a
mrproper:
$(MAKE) clean
rm -rf curl-wolfssl wolfssl wolfssl-examples
.PHONY: stub_enclave clean mrproper
# Configure SGX RA settings
``` shell
export SPID=<hex string>
export EPID_SUBSCRIPTION_KEY=<hex string>
export QUOTE_TYPE=<SGX_LINKABLE_SIGNATURE | SGX_UNLINKABLE_SIGNATURE>
```
# Build Stub Enclave
``` shell
cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/stub_enclave"
cd "${path_to_inclavare_containers}/stub-enclave"
make
sudo make install
```
......@@ -20,12 +27,12 @@ cp /lib/x86_64-linux-gnu/libseccomp.so.2 lib
``` shell
FROM ubuntu:18.04
RUN mkdir -p /run/rune/sgxsdk
RUN mkdir -p /run/rune/stub-enclave
WORKDIR /run/rune
COPY lib /lib
COPY liberpal-sgxsdk.so .
COPY Wolfssl_Enclave.signed.so sgxsdk
COPY liberpal-stub.so .
COPY Wolfssl_Enclave.signed.so stub-enclave
RUN ldconfig
```
......@@ -36,7 +43,7 @@ docker build -t ${stub-enclave-image} .
# run stub-enclave images with rune
``` shell
sudo docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-sgxsdk.so \
-e ENCLAVE_RUNTIME_ARGS=sgxsdk ${stub-enclave-image}
docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/lib/liberpal-stub.so \
-e ENCLAVE_RUNTIME_ARGS=stub-enclave ${stub-enclave-image}
```
#include "App.h" /* contains include of Enclave_u.h which has wolfSSL header files */
#include "assert.h"
#include <wolfssl/ssl.h>
#include <wolfssl/certs_test.h>
//#include <wolfssl/certs_test.h>
#include <sys/time.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
......@@ -18,9 +19,13 @@
#endif
static sgx_enclave_id_t global_eid = SGX_ERROR_INVALID_ENCLAVE_ID;
static bool initialized = false;
static unsigned int num = 0;
typedef struct pal_attr {
const char *instance_dir;
const char *log_level;
} pal_attr_t;
struct pal_stdio_fds {
int stdin, stdout, stderr;
};
......@@ -38,88 +43,118 @@ struct pal_exec_args {
int *exit_value;
};
const char* get_enclave_absolute_path(char* instance_dir) {
static sgx_enclave_id_t get_enclave_id(void) {
return global_eid;
}
static const char *get_enclave_absolute_path(const char *instance_dir)
{
static char enclave_path[MAX_PATH + 1] = {0};
strncat(enclave_path, instance_dir, MAX_PATH);
strncat(enclave_path, "/", MAX_PATH);
strncat(enclave_path, ENCLAVE_FILENAME, MAX_PATH);
return (const char*)enclave_path;
return (const char *)enclave_path;
}
int pal_get_version(void) {
int pal_get_version(void)
{
return PAL_VERSION;
}
int pal_init(const sgxsdk_pal_attr_t* attr) {
int pal_init(const pal_attr_t *attr)
{
errno = 0;
if (attr == NULL) {
return -EINVAL;
if (get_enclave_id() != SGX_ERROR_INVALID_ENCLAVE_ID) {
errno = EINVAL;
PAL_ERROR("Enclave runtime has been initialized!");
return -1;
}
if (attr->instance_dir == NULL) {
return -EINVAL;
if (!attr) {
errno = EINVAL;
return -1;
}
PAL_INFO("attr->instance_dir = %s", attr->instance_dir);
sgx_enclave_id_t eid = pal_get_enclave_id();
if (eid != SGX_ERROR_INVALID_ENCLAVE_ID) {
PAL_ERROR("Enclave has been initialized.");
return -EEXIST;
if (!attr->instance_dir) {
errno = EINVAL;
return -1;
}
sgx_enclave_id_t id;
sgx_launch_token_t t;
int ret = 0;
int updated = 0;
PAL_DEBUG("attr->instance_dir = %s", attr->instance_dir);
sgx_launch_token_t t;
memset(t, 0, sizeof(sgx_launch_token_t));
char * enclave_path = get_enclave_absolute_path(attr->instance_dir);
PAL_INFO("enclave_path = %s", enclave_path);
const char *enclave_path = get_enclave_absolute_path(attr->instance_dir);
PAL_DEBUG("enclave_path = %s", enclave_path);
ret = sgx_create_enclave(enclave_path, DEBUG_VALUE, &t, &updated, &id, NULL);
sgx_enclave_id_t id;
int updated = 0;
int ret = sgx_create_enclave(enclave_path, DEBUG_VALUE, &t, &updated, &id, NULL);
if (ret != SGX_SUCCESS) {
PAL_ERROR("Failed to create Enclave : error %d - %#x.", ret, ret);
return ret;
PAL_ERROR("Failed to create Enclave: error %d.", ret);
return -1;
}
global_eid = id;
initialized = true;
return 0;
}
int pal_create_process(struct pal_create_process_args *args)
{
if (args->path == NULL || access(args->path, F_OK) != 0)
return -ENOENT;
errno = 0;
if (access(args->path, R_OK) != 0)
return -EACCES;
if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
errno = EINVAL;
PAL_ERROR("Enclave runtime uninitialized yet!");
return -1;
}
if (!args->stdio)
return -EINVAL;
if (args == NULL || args->path == NULL) {
errno = EINVAL;
return -1;
}
if (!args->pid)
return -EINVAL;
if (access(args->path, F_OK) != 0)
return -1;
if (!initialized) {
PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
return -EINVAL;
if (access(args->path, R_OK) != 0)
return -1;
if (!args->stdio) {
errno = EINVAL;
return -1;
}
if (!args->pid) {
errno = EINVAL;
return -1;
}
return 0;
}
int pal_exec(struct pal_exec_args *args){
if (args->exit_value == NULL) {
int pal_exec(struct pal_exec_args *args)
{
errno = 0;
if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
errno = EINVAL;
PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
return -1;
}
if (!args || !args->exit_value) {
errno = EINVAL;
return -1;
}
if (num == 0) {
num ++;
while(1) {
if (!num) {
++num;
while (1) {
printf("Hello World!\n");
printf(" - Powered by ACK-TEE and runE\n");
fflush(stdout);
......@@ -135,99 +170,98 @@ int pal_exec(struct pal_exec_args *args){
int pal_destroy(void)
{
if (!initialized) {
PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
errno = 0;
if (get_enclave_id() == SGX_ERROR_INVALID_ENCLAVE_ID) {
errno = EINVAL;
PAL_ERROR("enclave runtime uninitialized yet!");
return -1;
}
PAL_INFO("enclave runtime sgxsdk exits");
PAL_DEBUG("enclave runtime sgxsdk exits");
return 0;
}
int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len) {
/* 0. check the args */
if (!initialized) {
PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int *report_len)
{
errno = 0;
sgx_enclave_id_t eid = get_enclave_id();
if (eid == SGX_ERROR_INVALID_ENCLAVE_ID) {
errno = EINVAL;
PAL_ERROR("Enclave runtime has not been initialized!");
return -1;
}
if (targetinfo == NULL || targetinfo_len != sizeof(sgx_target_info_t)) {
if (!targetinfo || targetinfo_len != sizeof(sgx_target_info_t)) {
errno = EINVAL;
PAL_ERROR("Input parameter targetinfo is NULL or targentinfo_len is not enough!");
return -EINVAL;
return -1;
}
if (report == NULL || report_len == NULL || *report_len < sizeof(sgx_report_t)) {
if (!report || !report_len || *report_len < sizeof(sgx_report_t)) {
errno = EINVAL;
PAL_ERROR("Input parameter report is NULL or report_len is not enough!");
return -EINVAL;
}
sgx_enclave_id_t eid = pal_get_enclave_id();
if (eid == SGX_ERROR_INVALID_ENCLAVE_ID) {
PAL_ERROR("Enclave has not been initialized!");
return -EINVAL;
return -1;
}
int sgxStatus;
int ret = 0;
WOLFSSL_METHOD* method;
WOLFSSL_CTX* ctx;
/* 1. generate mTLS keys and the correspondings hash values */
/* Initialize wolfSSL */
enc_wolfSSL_Init(eid, &sgxStatus);
#ifdef SGX_DEBUG
enc_wolfSSL_Debugging_ON(global_eid);
enc_wolfSSL_Debugging_ON(eid);
#else
enc_wolfSSL_Debugging_OFF(global_eid);
enc_wolfSSL_Debugging_OFF(eid);
#endif
sgxStatus = enc_wolfTLSv1_2_server_method(global_eid, &method);
if (sgxStatus != SGX_SUCCESS || method == NULL) {
WOLFSSL_METHOD *method;
sgxStatus = enc_wolfTLSv1_2_server_method(eid, &method);
if (sgxStatus != SGX_SUCCESS || !method) {
PAL_ERROR("wolfTLSv1_2_server_method failure");
return EXIT_FAILURE;
return -1;
}
sgxStatus = enc_wolfSSL_CTX_new(global_eid, &ctx, method);
if (sgxStatus != SGX_SUCCESS || ctx == NULL) {
WOLFSSL_CTX *ctx;
sgxStatus = enc_wolfSSL_CTX_new(eid, &ctx, method);
if (sgxStatus != SGX_SUCCESS || !ctx) {
PAL_ERROR("wolfSSL_CTX_new failure");
return -1;
}
int ret;
sgxStatus = enc_create_key_and_x509(eid, &ret, ctx, targetinfo, report);
if (sgxStatus != SGX_SUCCESS || ret != SGX_SUCCESS ) {
PAL_ERROR("enc_create_key_and_x509 failure");
return EXIT_FAILURE;
}
#if 0
/* Load server certificates into WOLFSSL_CTX */
sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(global_eid, &ret, ctx,
sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(eid, &ret, ctx,
server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
PAL_ERROR("enc_wolfSSL_CTX_use_certificate_chain_buffer_format failure");
return EXIT_FAILURE;
return -1;
}
/* Load server key into WOLFSSL_CTX */
sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(global_eid, &ret, ctx,
sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(eid, &ret, ctx,
server_key_der_2048, sizeof_server_key_der_2048, SSL_FILETYPE_ASN1);
if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
PAL_ERROR("wolfSSL_CTX_use_PrivateKey_buffer failure");
return EXIT_FAILURE;
}
sgxStatus = enc_create_key_and_x509(global_eid, &ret, ctx, targetinfo, report);
if (sgxStatus != SGX_SUCCESS || ret != SGX_SUCCESS ) {
PAL_ERROR("enc_create_key_and_x509 failure");
return EXIT_FAILURE;
return -1;
}
#endif
/* 3. return report */
targetinfo_len = sizeof(sgx_target_info_t);
*report_len = sizeof(sgx_report_t);
enc_wolfSSL_CTX_free(global_eid, ctx);
enc_wolfSSL_CTX_free(eid, ctx);
enc_wolfSSL_Cleanup(eid, &ret);
return ret;
}
sgx_enclave_id_t pal_get_enclave_id(void) {
return global_eid;
}
static double current_time()
{
struct timeval tv;
......@@ -239,8 +273,8 @@ static double current_time()
void ocall_print_string(const char *str)
{
/* Proxy/Bridge will check the length and null-terminate
* * the input string to prevent buffer overflow.
* */
* the input string to prevent buffer overflow.
*/
printf("%s", str);
}
......@@ -252,12 +286,14 @@ void ocall_current_time(double* time)
return;
}
void ocall_low_res_time(int* time)
void ocall_low_res_time(int *time)
{
struct timeval tv;
if(!time)
return;
struct timeval tv;
*time = tv.tv_sec;
return;
}
......
......@@ -19,8 +19,8 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef BENCHMARKS_H
#define BENCHMARKS_H
#ifndef STUB_ENCLAVE_H
#define STUB_ENCLAVE_H
#include "sgx_urts.h" /* Manages Enclave */
#include <sys/types.h> /* for send/recv */
......@@ -37,13 +37,6 @@ enum BenchmarkBounds {
ntimes = 30 /* how many itteration to run RSA decrypt/encrypt */
};
#endif
typedef struct sgxsdk_pal_attr {
const char *instance_dir;
const char *log_level;
} sgxsdk_pal_attr_t;
#define PAL_DEBUG(fmt, ...) \
fprintf(stderr, "[DEBUG] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
#define PAL_INFO(fmt, ...) \
......@@ -53,5 +46,4 @@ typedef struct sgxsdk_pal_attr {
#define PAL_ERROR(fmt, ...) \
fprintf(stderr, "[ERROR] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
int pal_init(const sgxsdk_pal_attr_t* instance_dir);
sgx_enclave_id_t pal_get_enclave_id(void);
#endif /* STUB_ENCLAVE_H */
######## Intel(R) SGX SDK Settings ########
SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= HW
SGX_DEBUG ?= 1
SGX_ARCH ?= x64
SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
WOLFSSL_ROOT ?= ./deps/wolfssl
WOLFSSL_ROOT ?= $(shell readlink -f ../wolfssl)
SGX_WOLFSSL_LIB ?= $(shell readlink -f $(WOLFSSL_ROOT)/IDE/LINUX-SGX)
SGX_RA_TLS_ROOT ?= $(shell readlink -f ../sgx-ra-tls)
UNTRUSTED_DIR=untrusted
ifeq ($(shell getconf LONG_BIT), 32)
SGX_ARCH := x86
else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
......@@ -36,8 +37,6 @@ else
SGX_COMMON_CFLAGS += -O2
endif
SGX_RA_TLS_ROOT=$(shell readlink -f .)
######## App Settings ########
ifneq ($(SGX_MODE), HW)
......@@ -47,24 +46,23 @@ else
endif
Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DUSE_WOLFSSL
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-I$(WOLFSSL_ROOT)/wolfcrypt/
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT) \
-I$(WOLFSSL_ROOT)/wolfcrypt
ifeq ($(HAVE_WOLFSSL_TEST), 1)
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
endif
ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
endif
# App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/server-tls.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c $(UNTRUSTED_DIR)/ias-ra.c
App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c
App_Include_Paths := $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include -I$(SGX_RA_TLS_ROOT) -I./deps/local/include -I$(shell readlink -f .)
#App_C_Files := App.c server-tls.c sgxsdk-ra-attester_u.c ias-ra.c
#App_C_Files := App.c sgxsdk-ra-attester_u.c
App_C_Fils := App.c
App_Include_Paths := $(Wolfssl_Include_Paths) -I$(SGX_SDK)/include -I$(SGX_RA_TLS_ROOT) -I$(INCDIR) -I$(shell readlink -f .)
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -shared -Wno-attributes -Wall -Wno-unused-const-variable $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)
......@@ -80,7 +78,8 @@ else
App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
endif
App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(SGX_RA_TLS_ROOT)/deps/local/lib -l$(Urts_Library_Name) -lpthread $(SGX_RA_TLS_ROOT)/deps/local/lib/libcurl-wolfssl.a $(SGX_RA_TLS_ROOT)/deps/local/lib/libwolfssl.a -lz -lm
#App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(TOPDIR)/build/lib -l$(Urts_Library_Name) -lpthread $(TOPDIR)/build/lib/libcurl-wolfssl.a $(TOPDIR)/build/lib/libwolfssl.a -lz -lm
App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(TOPDIR)/build/lib -l$(Urts_Library_Name)
App_Link_Flags += -Wl,--version-script=pal.lds
ifneq ($(SGX_MODE), HW)
......@@ -91,8 +90,6 @@ endif
App_C_Objects := $(App_C_Files:.c=.o)
ifeq ($(SGX_MODE), HW)
ifneq ($(SGX_DEBUG), 1)
ifneq ($(SGX_PRERELEASE), 1)
......@@ -101,12 +98,11 @@ endif
endif
endif
.PHONY: all
ifeq ($(Build_Mode), HW_RELEASE)
all: liberpal-sgxsdk.so
@echo "Build liberpal-sgxsdk.so [$(Build_Mode)|$(SGX_ARCH)] success!"
all: liberpal-stub.so
@echo "Build liberpal-stub.so [$(Build_Mode)|$(SGX_ARCH)] success!"
@echo
@echo "*********************************************************************************************************************************************************"
@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
......@@ -114,31 +110,30 @@ all: liberpal-sgxsdk.so
@echo
else
all: liberpal-sgxsdk.so
all: liberpal-stub.so
endif
######## liberpal-sgxsdk.so Objects ########
######## liberpal-stub.so Objects ########
$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
Wolfssl_Enclave_u.c: $(SGX_EDGER8R) $(TOPDIR)/stub-enclave/Wolfssl_Enclave.edl
@$(SGX_EDGER8R) --untrusted $(TOPDIR)/stub-enclave/Wolfssl_Enclave.edl --search-path $(TOPDIR)/stub-enclave --search-path $(SGX_SDK)/include --search-path $(SGX_RA_TLS_ROOT)
@echo "GEN => $@"
$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
Wolfssl_Enclave_u.o: Wolfssl_Enclave_u.c
@echo $(CC) $(App_C_Flags) -c $< -o $@
@$(CC) $(App_C_Flags) -c $< -o $@
@echo "CC <= $<"
$(UNTRUSTED_DIR)/%.o: $(UNTRUSTED_DIR)/%.c
%.o: %.c
@echo $(CC) $(App_C_Flags) -c $< -o $@
@$(CC) $(App_C_Flags) -c $< -o $@
@echo "CC <= $<"
liberpal-sgxsdk.so: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o $(App_C_Objects)
liberpal-stub.so: Wolfssl_Enclave_u.o $(App_C_Objects)
@$(CC) $^ -o $@ $(App_Link_Flags)
@echo "LINK => $@"
.PHONY: clean
clean:
@rm -f liberpal-sgxsdk.so $(App_C_Objects) $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.*
@rm -f liberpal-stub.so $(App_C_Objects) Wolfssl_Enclave_u.*
diff --git a/SGX_Linux/Makefile b/SGX_Linux/Makefile
index df6744a..41c11d4 100644
--- a/SGX_Linux/Makefile
+++ b/SGX_Linux/Makefile
@@ -7,13 +7,11 @@ ifndef WOLFSSL_ROOT
$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory)
endif
-
-
all:
$(MAKE) -ef sgx_u.mk all
- $(MAKE) -ef sgx_t.mk all
+ #$(MAKE) -ef sgx_t.mk all
clean:
$(MAKE) -ef sgx_u.mk clean
- $(MAKE) -ef sgx_t.mk clean
+ #$(MAKE) -ef sgx_t.mk clean
diff --git a/SGX_Linux/sgx_t.mk b/SGX_Linux/sgx_t.mk
index b4dd62c..9055109 100644
--- a/SGX_Linux/sgx_t.mk
+++ b/SGX_Linux/sgx_t.mk
@@ -39,16 +39,18 @@ endif
Crypto_Library_Name := sgx_tcrypto
+SGX_RA_TLS_ROOT="../../.."
-Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-I$(WOLFSSL_ROOT)/wolfcrypt/
Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
- -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
- -I$(SGX_SDK)/include/stlport
+ -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
+ -I$(SGX_SDK)/include/stlport \
+ -I$(SGX_RA_TLS_ROOT)
ifeq ($(HAVE_WOLFSSL_TEST), 1)
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
@@ -62,13 +64,14 @@ endif
Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
-Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths)-fno-builtin -fno-builtin-printf -I.
+Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths) -fno-builtin -fno-builtin-printf -I.
Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+ -L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
- -Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
+ -Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
-Wl,--defsym,__ImageBase=0 \
@@ -112,7 +115,7 @@ endif
######## Wolfssl_Enclave Objects ########
trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
- @cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+ @cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ../../../..
@echo "GEN => $@"
trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
diff --git a/SGX_Linux/sgx_u.mk b/SGX_Linux/sgx_u.mk
index 4d157cd..3dcafa5 100644
--- a/SGX_Linux/sgx_u.mk
+++ b/SGX_Linux/sgx_u.mk
@@ -1,4 +1,10 @@
######## Intel(R) SGX SDK Settings ########
+TOPDIR ?= ../../..
+PREFIX ?= $(TOPDIR)/build
+LIBDIR ?= $(PREFIX)/lib
+INCDIR ?= $(PREFIX)/include
+SGX_SDK ?= /opt/intel/sgxsdk
+
UNTRUSTED_DIR=untrusted
ifeq ($(shell getconf LONG_BIT), 32)
SGX_ARCH := x86
@@ -30,6 +36,8 @@ else
SGX_COMMON_CFLAGS += -O2
endif
+SGX_RA_TLS ?= "../../../sgx-ra-tls"
+
######## App Settings ########
ifneq ($(SGX_MODE), HW)
@@ -38,24 +46,23 @@ else
Urts_Library_Name := sgx_urts
endif
-Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
-Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
- -I$(WOLFSSL_ROOT)/wolfcrypt/
+Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DUSE_WOLFSSL
+Wolfssl_Include_Paths := \
+ -I$(WOLFSSL) \
+ -I$(WOLFSSL)/wolfcrypt/
ifeq ($(HAVE_WOLFSSL_TEST), 1)
- Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+ Wolfssl_Include_Paths += -I$(WOLFSSL)/wolfcrypt/test/
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
endif
ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
- Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+ Wolfssl_Include_Paths += -I$(WOLFSSL)/wolfcrypt/benchmark/
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
endif
-
-
-App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c $(UNTRUSTED_DIR)/server-tls.c
-App_Include_Paths := -IInclude $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include
+App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c $(UNTRUSTED_DIR)/server-tls.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c $(UNTRUSTED_DIR)/ias-ra.c
+App_Include_Paths := $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include -I$(SGX_RA_TLS) -I$(INCDIR)
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)
@@ -71,7 +78,7 @@ else
App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
endif
-App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -L$(LIBDIR) -l$(Urts_Library_Name) -lpthread $(LIBDIR)/libcurl-wolfssl.a $(LIBDIR)/libwolfssl.a -lz -lm
ifneq ($(SGX_MODE), HW)
App_Link_Flags += -lsgx_uae_service_sim
@@ -81,8 +88,6 @@ endif
App_C_Objects := $(App_C_Files:.c=.o)
-
-
ifeq ($(SGX_MODE), HW)
ifneq ($(SGX_DEBUG), 1)
ifneq ($(SGX_PRERELEASE), 1)
@@ -116,7 +121,7 @@ endif
######## App Objects ########
$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
- @cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+ @cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ../../../sgx-ra-tls
@echo "GEN => $@"
$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.c b/SGX_Linux/trusted/Wolfssl_Enclave.c
index 155df0b..a304bc0 100644
--- a/SGX_Linux/trusted/Wolfssl_Enclave.c
+++ b/SGX_Linux/trusted/Wolfssl_Enclave.c
@@ -1,3 +1,4 @@
+#include <assert.h>
#include <stdarg.h>
#include <stdio.h> /* vsnprintf */
@@ -208,3 +209,25 @@ size_t send(int sockfd, const void *buf, size_t len, int flags)
sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
return ret;
}
+
+extern struct ra_tls_options my_ra_tls_options;
+
+void enc_create_key_and_x509(WOLFSSL_CTX* ctx) {
+ uint8_t der_key[2048];
+ uint8_t der_cert[8 * 1024];
+ uint32_t der_key_len = sizeof(der_key);
+ uint32_t der_cert_len = sizeof(der_cert);
+
+ create_key_and_x509(&der_key, &der_key_len,
+ &der_cert, &der_cert_len,
+ &my_ra_tls_options);
+
+ int ret;
+ ret = wolfSSL_CTX_use_certificate_buffer(ctx, der_cert, der_cert_len,
+ SSL_FILETYPE_ASN1);
+ assert(ret == SSL_SUCCESS);
+
+ wolfSSL_CTX_use_PrivateKey_buffer(ctx, der_key, der_key_len,
+ SSL_FILETYPE_ASN1);
+ assert(ret == SSL_SUCCESS);
+}
diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.edl b/SGX_Linux/trusted/Wolfssl_Enclave.edl
index 9a51b0f..2ca4de3 100644
--- a/SGX_Linux/trusted/Wolfssl_Enclave.edl
+++ b/SGX_Linux/trusted/Wolfssl_Enclave.edl
@@ -7,6 +7,8 @@ enclave {
include "wolfcrypt/test/test.h"
include "wolfcrypt/benchmark/benchmark.h"
+ from "ra_tls.edl" import *;
+
trusted {
public int wc_test([user_check]void* args);
public int wc_benchmark_test([user_check]void* args);
@@ -49,6 +51,8 @@ enclave {
public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
public int enc_wolfSSL_Cleanup(void);
+
+ public void enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx);
};
untrusted {
diff --git a/SGX_Linux/untrusted/server-tls.c b/SGX_Linux/untrusted/server-tls.c
index f49b912..01c381b 100644
--- a/SGX_Linux/untrusted/server-tls.c
+++ b/SGX_Linux/untrusted/server-tls.c
@@ -22,6 +22,7 @@
#include "server-tls.h"
/* the usual suspects */
+#include <assert.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -79,6 +80,9 @@ int server_connect(sgx_enclave_id_t id)
return -1;
}
+ int enable = 1;
+ ret = setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(int));
+ assert(ret != -1);
/* Create and initialize WOLFSSL_CTX */
sgxStatus = enc_wolfTLSv1_2_server_method(id, &method);
@@ -93,6 +97,7 @@ int server_connect(sgx_enclave_id_t id)
return EXIT_FAILURE;
}
+#if 0
/* Load server certificates into WOLFSSL_CTX */
sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(id, &ret, ctx,
server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
@@ -108,7 +113,11 @@ int server_connect(sgx_enclave_id_t id)
printf("wolfSSL_CTX_use_PrivateKey_buffer failure\n");
return EXIT_FAILURE;
}
+#endif
+ sgxStatus = enc_create_key_and_x509(id, ctx);
+ assert(sgxStatus == SGX_SUCCESS);
+
/* Initialize the server address struct with zeros */
memset(&servAddr, 0, sizeof(servAddr));
/* Fill in the server address */
diff --git a/tls/client-tls.c b/tls/client-tls.c
index a72dfad..faa623b 100644
--- a/tls/client-tls.c
+++ b/tls/client-tls.c
@@ -20,6 +20,9 @@
*/
/* the usual suspects */
+#ifdef SGX_RATLS_MUTUAL
+#include <assert.h>
+#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -36,9 +39,30 @@
#define DEFAULT_PORT 11111
-#define CERT_FILE "../certs/ca-cert.pem"
+#include <sgx_quote.h>
+#include "ra.h"
+#ifdef SGX_RATLS_MUTUAL
+#include "ra-attester.h"
+#endif
+#include "ra-challenger.h"
+static
+int cert_verify_callback(int preverify, WOLFSSL_X509_STORE_CTX* store) {
+
+ (void) preverify;
+
+ int ret = verify_sgx_cert_extensions(store->certs->buffer,
+ store->certs->length);
+
+ fprintf(stderr, "Verifying SGX certificate extensions ... %s\n",
+ ret == 0 ? "Success" : "Failure");
+ return !ret;
+}
+
+#ifdef SGX_RATLS_MUTUAL
+extern struct ra_tls_options my_ra_tls_options;
+#endif
int main(int argc, char** argv)
{
@@ -51,15 +75,8 @@ int main(int argc, char** argv)
WOLFSSL_CTX* ctx;
WOLFSSL* ssl;
-
-
- /* Check for proper calling convention */
- if (argc != 2) {
- printf("usage: %s <IPv4 address>\n", argv[0]);
- return 0;
- }
-
-
+ (void) argc;
+ (void) argv;
/* Initialize wolfSSL */
wolfSSL_Init();
@@ -82,16 +99,19 @@ int main(int argc, char** argv)
return -1;
}
- /* Load client certificates into WOLFSSL_CTX */
- if (wolfSSL_CTX_load_verify_locations(ctx, CERT_FILE, NULL)
- != SSL_SUCCESS) {
- fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
- CERT_FILE);
- return -1;
- }
-
+#ifdef SGX_RATLS_MUTUAL
+ uint8_t key[2048]; uint8_t crt[8192];
+ int key_len = sizeof(key);
+ int crt_len = sizeof(crt);
+ create_key_and_x509(key, &key_len, crt, &crt_len, &my_ra_tls_options);
+ int ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, key, key_len, SSL_FILETYPE_ASN1);
+ assert(SSL_SUCCESS == ret);
+ ret = wolfSSL_CTX_use_certificate_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1);
+ assert(SSL_SUCCESS == ret);
+#endif
+
/* Initialize the server address struct with zeros */
memset(&servAddr, 0, sizeof(servAddr));
@@ -99,8 +119,10 @@ int main(int argc, char** argv)
servAddr.sin_family = AF_INET; /* using IPv4 */
servAddr.sin_port = htons(DEFAULT_PORT); /* on DEFAULT_PORT */
+ const char* srvaddr = "127.0.0.1";
+
/* Get the server IPv4 address from the command line call */
- if (inet_pton(AF_INET, argv[1], &servAddr.sin_addr) != 1) {
+ if (inet_pton(AF_INET, srvaddr, &servAddr.sin_addr) != 1) {
fprintf(stderr, "ERROR: invalid address\n");
return -1;
}
@@ -114,7 +136,7 @@ int main(int argc, char** argv)
return -1;
}
-
+ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, cert_verify_callback);
/* Create a WOLFSSL object */
if ((ssl = wolfSSL_new(ctx)) == NULL) {
@@ -131,22 +153,35 @@ int main(int argc, char** argv)
return -1;
}
-
-
- /* Get a message for the server from stdin */
- printf("Message for server: ");
- memset(buff, 0, sizeof(buff));
- fgets(buff, sizeof(buff), stdin);
- len = strnlen(buff, sizeof(buff));
+ WOLFSSL_X509* srvcrt =
+ wolfSSL_get_peer_certificate(ssl);
+
+ int derSz;
+ const unsigned char* der =
+ wolfSSL_X509_get_der(srvcrt, &derSz);
+
+ sgx_quote_t quote;
+ get_quote_from_cert(der, derSz, &quote);
+ sgx_report_body_t* body = &quote.report_body;
+
+ printf("Server's SGX identity:\n");
+ printf(" . MRENCLAVE = ");
+ for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_enclave.m[i]);
+ printf("\n");
+
+ printf(" . MRSIGNER = ");
+ for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_signer.m[i]);
+ printf("\n");
+
+ const char* http_request = "GET / HTTP/1.0\r\n\r\n";
+ len = strlen(http_request);
/* Send the message to the server */
- if (wolfSSL_write(ssl, buff, len) != len) {
+ if (wolfSSL_write(ssl, http_request, len) != (int) len) {
fprintf(stderr, "ERROR: failed to write\n");
return -1;
}
-
-
/* Read the server data into our buff array */
memset(buff, 0, sizeof(buff));
if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) {
@@ -155,7 +190,7 @@ int main(int argc, char** argv)
}
/* Print to stdout any data the server sends */
- printf("Server: %s\n", buff);
+ printf("Server:\n%s\n", buff);
diff --git a/tls/server-tls.c b/tls/server-tls.c
index ebab830..dbdcaa0 100644
--- a/tls/server-tls.c
+++ b/tls/server-tls.c
@@ -20,6 +20,7 @@
*/
/* the usual suspects */
+#include <assert.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -34,12 +35,32 @@
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
+#include "ra-attester.h"
+#ifdef SGX_RATLS_MUTUAL
+#include "ra-challenger.h"
+#endif
+
#define DEFAULT_PORT 11111
#define CERT_FILE "../certs/server-cert.pem"
#define KEY_FILE "../certs/server-key.pem"
+extern struct ra_tls_options my_ra_tls_options;
+
+#ifdef SGX_RATLS_MUTUAL
+static
+int cert_verify_callback(int preverify, WOLFSSL_X509_STORE_CTX* store) {
+
+ (void) preverify;
+ int ret = verify_sgx_cert_extensions(store->certs->buffer,
+ store->certs->length);
+
+ fprintf(stderr, "Verifying SGX certificate extensions ... %s\n",
+ ret == 0 ? "Success" : "Failure");
+ return !ret;
+}
+#endif
int main()
{
@@ -79,23 +100,34 @@ int main()
return -1;
}
+ uint8_t key[2048]; uint8_t crt[8192];
+ int key_len = sizeof(key);
+ int crt_len = sizeof(crt);
+
+ create_key_and_x509(key, &key_len, crt, &crt_len, &my_ra_tls_options);
+
/* Load server certificates into WOLFSSL_CTX */
- if (wolfSSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)
+ if (wolfSSL_CTX_use_certificate_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1)
!= SSL_SUCCESS) {
- fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
- CERT_FILE);
+ fprintf(stderr, "ERROR: failed to load server certificate.\n");
return -1;
}
/* Load server key into WOLFSSL_CTX */
- if (wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM)
+ if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, key, key_len, SSL_FILETYPE_ASN1)
!= SSL_SUCCESS) {
- fprintf(stderr, "ERROR: failed to load %s, please check the file.\n",
- KEY_FILE);
+ fprintf(stderr, "ERROR: failed to load server key.\n");
return -1;
}
-
+ int ret;
+#ifdef SGX_RATLS_MUTUAL
+ ret = wolfSSL_CTX_load_verify_buffer(ctx, crt, crt_len, SSL_FILETYPE_ASN1);
+ assert(SSL_SUCCESS == ret);
+
+ wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ cert_verify_callback);
+#endif
/* Initialize the server address struct with zeros */
memset(&servAddr, 0, sizeof(servAddr));
@@ -141,10 +173,34 @@ int main()
/* Attach wolfSSL to the socket */
wolfSSL_set_fd(ssl, connd);
- printf("Client connected successfully\n");
-
+ ret = wolfSSL_negotiate(ssl);
+ assert(ret == WOLFSSL_SUCCESS);
+ printf("Client connected successfully\n");
+#ifdef SGX_RATLS_MUTUAL
+ WOLFSSL_X509* cli_crt =
+ wolfSSL_get_peer_certificate(ssl);
+
+ int derSz;
+ const unsigned char* der =
+ wolfSSL_X509_get_der(cli_crt, &derSz);
+
+ sgx_quote_t quote;
+ get_quote_from_cert(der, derSz, &quote);
+ sgx_report_body_t* body = &quote.report_body;
+
+ printf("Client's SGX identity:\n");
+ printf(" . MRENCLAVE = ");
+ for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_enclave.m[i]);
+ printf("\n");
+
+ printf(" . MRSIGNER = ");
+ for (int i=0; i < SGX_HASH_SIZE; ++i) printf("%02x", body->mr_signer.m[i]);
+ printf("\n");
+ fflush(stdout);
+#endif
+
/* Read the client data into our buff array */
memset(buff, 0, sizeof(buff));
if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) {
@@ -169,7 +225,7 @@ int main()
len = strnlen(buff, sizeof(buff));
/* Reply back to the client */
- if (wolfSSL_write(ssl, buff, len) != len) {
+ if (wolfSSL_write(ssl, buff, len) != (int) len) {
fprintf(stderr, "ERROR: failed to write\n");
return -1;
}
diff --git a/m4/ax_vcs_checkout.m4 b/m4/ax_vcs_checkout.m4
index 4636b58ed..58c1af256 100644
--- a/m4/ax_vcs_checkout.m4
+++ b/m4/ax_vcs_checkout.m4
@@ -57,7 +57,6 @@ AC_DEFUN([AX_VCS_SYSTEM],
AS_IF([test -d ".bzr"],[ac_cv_vcs_system="bazaar"])
AS_IF([test -d ".svn"],[ac_cv_vcs_system="svn"])
AS_IF([test -d ".hg"],[ac_cv_vcs_system="mercurial"])
- AS_IF([test -e ".git"],[ac_cv_vcs_system="git"])
])
AC_DEFINE_UNQUOTED([VCS_SYSTEM],["$ac_cv_vcs_system"],[VCS system])
])
diff --git a/pre-commit.sh b/pre-commit.sh
index cbac1b5..71c7976 100755
index cbac1b5e3..71c79767d 100755
--- a/pre-commit.sh
+++ b/pre-commit.sh
@@ -3,6 +3,8 @@
......@@ -12,7 +24,7 @@ index cbac1b5..71c7976 100755
echo "\n\nSaving current config\n\n"
cp config.status tmp.status
diff --git a/src/internal.c b/src/internal.c
index a6989c4..9036910 100644
index a6989c419..9036910ba 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9777,11 +9777,14 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
......@@ -52,7 +64,7 @@ index a6989c4..9036910 100644
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) {
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index e234253..5cdeae5 100644
index e23425311..5cdeae542 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -19,6 +19,7 @@
......@@ -443,7 +455,7 @@ index e234253..5cdeae5 100644
der->total = der->versionSz + der->serialSz + der->sigAlgoSz +
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 9c77120..3c922dd 100644
index 9c77120a1..3c922dd88 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1272,7 +1272,7 @@ enum Misc {
......@@ -456,7 +468,7 @@ index 9c77120..3c922dd 100644
#ifndef SESSION_TICKET_LEN
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index b730846..870ffdb 100644
index b73084634..870ffdb44 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -164,6 +164,32 @@ typedef struct Cert {
......@@ -504,7 +516,7 @@ index b730846..870ffdb 100644
} /* extern "C" */
#endif
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 6254b72..9a20413 100644
index 6254b727d..9a204138c 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -1228,7 +1228,9 @@ extern void uITRON4_free(void *p) ;
......
......@@ -4,9 +4,9 @@
SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= HW
SGX_ARCH ?= x64
PROJECT_ROOT ?= $(shell readlink -f .)
WOLFSSL_ROOT := $(shell readlink -f deps/wolfssl)
WOLFSSL_ROOT := $(shell readlink -f $(TOPDIR)/wolfssl)
THISDIR := $(shell pwd)
SGX_COMMON_CFLAGS := -m64
SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
......@@ -38,17 +38,20 @@ Library_Name := sgx_ra_tls_wolfssl
# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192
Wolfssl_C_Files := $(PROJECT_ROOT)/wolfssl-ra-attester.c \
$(PROJECT_ROOT)/wolfssl-ra-challenger.c \
$(PROJECT_ROOT)/sgxsdk-ra-attester_t.c \
$(PROJECT_ROOT)/ra-challenger.c \
$(PROJECT_ROOT)/wolfssl-ra.c \
$(PROJECT_ROOT)/ra_tls_t.c \
$(PROJECT_ROOT)/ra_tls_options.c
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-I$(WOLFSSL_ROOT)/wolfcrypt/ \
-I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc \
Wolfssl_C_Files := \
wolfssl-ra-attester.c \
wolfssl-ra-challenger.c \
sgxsdk-ra-attester_t.c \
ra-challenger.c \
wolfssl-ra.c \
ra_tls_t.c \
ra_tls_options.c
Wolfssl_Include_Paths := \
-I$(WOLFSSL_ROOT) \
-I$(WOLFSSL_ROOT)/wolfcrypt \
-I$(SGX_SDK)/include \
-I$(SGX_SDK)/include/tlibc \
-I$(SGX_SDK)/include/stlport \
-I/usr/include/linux
......@@ -59,7 +62,7 @@ Wolfssl_C_Flags := $(Compiler_Warnings) $(Flags_Just_For_C) $(Common_C_Cpp_Flags
Wolfssl_C_Objects := $(Wolfssl_C_Files:.c=.o)
override CFLAGS += $(Wolfssl_C_Flags)
CFLAGS += $(Wolfssl_C_Flags)
.PHONY: all run clean mrproper
......@@ -74,9 +77,12 @@ libsgx_ra_tls_wolfssl.a: ra_tls_t.o ra_tls_u.o $(Wolfssl_C_Objects)
ar rcs $@ $(Wolfssl_C_Objects)
@echo "LINK => $@"
ra_tls_options.c: ra_tls_options.c.sh
bash $^ > $@
clean:
@rm -f $(Wolfssl_C_Objects)
@rm -f ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
@rm -f ra_tls_options.c ra_tls_t.* ra_tls_u.* libsgx_ra_tls_wolfssl.a
mrproper: clean
@rm -f ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
@rm -f ra_tls_options.c ra_tls_t.c ra_tls_t.h ra_tls_u.h ra_tls_u.c libsgx_ra_tls_wolfssl.a
struct buffer_and_size {
char* data;
size_t len;
};
void http_get
(
CURL* curl,
const char* url,
struct buffer_and_size* header,
struct buffer_and_size* body,
struct curl_slist* request_headers,
char* request_body
);
#define _GNU_SOURCE // for memmem()
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#if defined(USE_OPENSSL)
#include <openssl/evp.h> // for base64 encode/decode
#elif defined(USE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/coding.h>
#elif defined(USE_MBEDTLS)
#include <mbedtls/base64.h>
#else
#error Must use one of OpenSSL/wolfSSL/mbedtls
#endif
#include <stdint.h>
#include <sgx_report.h>
#include "ra.h"
#include "ra-attester.h"
#include "ias-ra.h"
#include "curl_helper.h"
static
size_t accumulate_function(void *ptr, size_t size, size_t nmemb, void *userdata) {
struct buffer_and_size* s = (struct buffer_and_size*) userdata;
s->data = (char*) realloc(s->data, s->len + size * nmemb);
assert(s->data != NULL);
memcpy(s->data + s->len, ptr, size * nmemb);
s->len += size * nmemb;
return size * nmemb;
}
void http_get
(
CURL* curl,
const char* url,
struct buffer_and_size* header,
struct buffer_and_size* body,
struct curl_slist* request_headers,
char* request_body
)
{
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, accumulate_function);
curl_easy_setopt(curl, CURLOPT_HEADERDATA, header);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, accumulate_function);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, body);
if (request_headers) {
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, request_headers);
}
if (request_body) {
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request_body);
}
CURLcode res = curl_easy_perform(curl);
assert(res == CURLE_OK);
}
static const char pem_marker_begin[] = "-----BEGIN CERTIFICATE-----";
static const char pem_marker_end[] = "-----END CERTIFICATE-----";
static
void extract_certificates_from_response_header
(
CURL* curl,
const char* header,
size_t header_len,
attestation_verification_report_t* attn_report
)
{
// Locate x-iasreport-signature HTTP header field in the response.
const char response_header_name[] = "X-IASReport-Signing-Certificate: ";
char *field_begin = memmem(header,
header_len,
response_header_name,
strlen(response_header_name));
assert(field_begin != NULL);
field_begin += strlen(response_header_name);
const char http_line_break[] = "\r\n";
char *field_end = memmem(field_begin,
header_len - (field_begin - header),
http_line_break,
strlen(http_line_break));
size_t field_len = field_end - field_begin;
// Remove urlencoding from x-iasreport-signing-certificate field.
int unescaped_len = 0;
char* unescaped = curl_easy_unescape(curl,
field_begin,
field_len,
&unescaped_len);
char* cert_begin = memmem(unescaped,
unescaped_len,
pem_marker_begin,
strlen(pem_marker_begin));
assert(cert_begin != NULL);
char* cert_end = memmem(unescaped, unescaped_len,
pem_marker_end, strlen(pem_marker_end));
assert(cert_end != NULL);
uint32_t cert_len = cert_end - cert_begin + strlen(pem_marker_end);
assert(cert_len <= sizeof(attn_report->ias_sign_cert));
memcpy(attn_report->ias_sign_cert, cert_begin, cert_len);
attn_report->ias_sign_cert_len = cert_len;
cert_begin = memmem(cert_end,
unescaped_len - (cert_end - unescaped),
pem_marker_begin,
strlen(pem_marker_begin));
assert(cert_begin != NULL);
cert_end = memmem(cert_begin,
unescaped_len - (cert_begin - unescaped),
pem_marker_end,
strlen(pem_marker_end));
assert(cert_end != NULL);
cert_len = cert_end - cert_begin + strlen(pem_marker_end);
assert(cert_len <= sizeof(attn_report->ias_sign_ca_cert));
memcpy((char*) attn_report->ias_sign_ca_cert, cert_begin, cert_len);
attn_report->ias_sign_ca_cert_len = cert_len;
curl_free(unescaped);
unescaped = NULL;
}
/* The header has the certificates and report signature. */
void parse_response_header
(
const char* header,
size_t header_len,
unsigned char* signature,
const size_t signature_max_size,
uint32_t* signature_size
)
{
const char sig_tag[] = "X-IASReport-Signature: ";
char* sig_begin = memmem((const char*) header,
header_len,
sig_tag,
strlen(sig_tag));
assert(sig_begin != NULL);
sig_begin += strlen(sig_tag);
char* sig_end = memmem(sig_begin,
header_len - (sig_begin - header),
"\r\n",
strlen("\r\n"));
assert(sig_end);
assert((size_t) (sig_end - sig_begin) <= signature_max_size);
memcpy(signature, sig_begin, sig_end - sig_begin);
*signature_size = sig_end - sig_begin;
}
/**
* @return Length of base64 encoded data including terminating NUL-byte.
*/
static void base64_encode
(
uint8_t *in,
uint32_t in_len,
uint8_t* out,
uint32_t* out_len /* in/out */
)
{
// + 1 to account for the terminating \0.
assert(*out_len >= (in_len + 3 - 1) / 3 * 4 + 1);
bzero(out, *out_len);
#if defined(USE_OPENSSL)
int ret = EVP_EncodeBlock(out, in, in_len);
// + 1 since EVP_EncodeBlock() returns length excluding the terminating \0.
assert((size_t) ret + 1 <= *out_len);
*out_len = ret + 1;
#elif defined(USE_WOLFSSL)
int ret = Base64_Encode_NoNl(in, in_len, out, out_len);
assert(ret == 0);
// No need append terminating \0 since we memset() the whole
// buffer in the beginning.
*out_len += 1;
#elif defined(USE_MBEDTLS)
size_t olen;
int ret = mbedtls_base64_encode(out, *out_len, &olen, in, in_len);
assert(ret == 0);
assert(olen <= UINT32_MAX);
*out_len = (uint32_t) olen;
#endif
}
/** Turns a binary quote into an attestation verification report.
Communicates with Intel Attestation Service via its HTTP REST interface.
*/
void obtain_attestation_verification_report
(
const sgx_quote_t* quote,
const uint32_t quote_size,
const struct ra_tls_options* opts,
attestation_verification_report_t* attn_report
)
{
int ret;
char url[512];
ret = snprintf(url, sizeof(url), "https://%s/attestation/v3/report",
opts->ias_server);
assert(ret < (int) sizeof(url));
char buf[128];
int rc = snprintf(buf, sizeof(buf), "Ocp-Apim-Subscription-Key: %.32s",
opts->subscription_key);
assert(rc < (int) sizeof(buf));
struct curl_slist *request_headers =
curl_slist_append(NULL, "Content-Type: application/json");
request_headers = curl_slist_append(request_headers, buf);
const char json_template[] = "{\"isvEnclaveQuote\":\"%s\"}";
unsigned char quote_base64[quote_size * 2];
uint32_t quote_base64_len = sizeof(quote_base64);
char json[quote_size * 2];
base64_encode((uint8_t*) quote, quote_size,
quote_base64, &quote_base64_len);
snprintf(json, sizeof(json), json_template, quote_base64);
CURL *curl = curl_easy_init();
assert(curl != NULL);
struct buffer_and_size header = {(char*) malloc(1), 0};
struct buffer_and_size body = {(char*) malloc(1), 0};
http_get(curl, url, &header, &body, request_headers, json);
parse_response_header(header.data, header.len,
attn_report->ias_report_signature,
sizeof(attn_report->ias_report_signature),
&attn_report->ias_report_signature_len);
assert(sizeof(attn_report->ias_report) >= body.len);
memcpy(attn_report->ias_report, body.data, body.len);
attn_report->ias_report_len = body.len;
extract_certificates_from_response_header(curl,
header.data, header.len,
attn_report);
curl_easy_cleanup(curl);
free(header.data);
free(body.data);
curl_slist_free_all(request_headers);
}
#ifdef __cplusplus
extern "C" {
#endif
void obtain_attestation_verification_report(
const sgx_quote_t* quote,
const uint32_t quote_size,
const struct ra_tls_options* opts,
attestation_verification_report_t* attn_report
);
#ifdef __cplusplus
}
#endif
unsigned char ias_sign_ca_cert_der[] = {
0x30, 0x82, 0x05, 0x4b, 0x30, 0x82, 0x03, 0xb3, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x09, 0x00, 0xd1, 0x07, 0x76, 0x5d, 0x32, 0xa3, 0xb0, 0x94,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x30, 0x7e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06,
0x03, 0x55, 0x04, 0x07, 0x0c, 0x0b, 0x53, 0x61, 0x6e, 0x74, 0x61, 0x20,
0x43, 0x6c, 0x61, 0x72, 0x61, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55,
0x04, 0x0a, 0x0c, 0x11, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x43, 0x6f,
0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x30, 0x30,
0x2e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x27, 0x49, 0x6e, 0x74, 0x65,
0x6c, 0x20, 0x53, 0x47, 0x58, 0x20, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x43, 0x41, 0x30,
0x20, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x31, 0x34, 0x31, 0x35, 0x33,
0x37, 0x33, 0x31, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x34, 0x39, 0x31, 0x32,
0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x7e, 0x31,
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43,
0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0b,
0x53, 0x61, 0x6e, 0x74, 0x61, 0x20, 0x43, 0x6c, 0x61, 0x72, 0x61, 0x31,
0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x49, 0x6e,
0x74, 0x65, 0x6c, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55, 0x04, 0x03,
0x0c, 0x27, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x53, 0x47, 0x58, 0x20,
0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69,
0x6e, 0x67, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0xa2, 0x30, 0x0d, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
0x03, 0x82, 0x01, 0x8f, 0x00, 0x30, 0x82, 0x01, 0x8a, 0x02, 0x82, 0x01,
0x81, 0x00, 0x9f, 0x3c, 0x64, 0x7e, 0xb5, 0x77, 0x3c, 0xbb, 0x51, 0x2d,
0x27, 0x32, 0xc0, 0xd7, 0x41, 0x5e, 0xbb, 0x55, 0xa0, 0xfa, 0x9e, 0xde,
0x2e, 0x64, 0x91, 0x99, 0xe6, 0x82, 0x1d, 0xb9, 0x10, 0xd5, 0x31, 0x77,
0x37, 0x09, 0x77, 0x46, 0x6a, 0x6a, 0x5e, 0x47, 0x86, 0xcc, 0xd2, 0xdd,
0xeb, 0xd4, 0x14, 0x9d, 0x6a, 0x2f, 0x63, 0x25, 0x52, 0x9d, 0xd1, 0x0c,
0xc9, 0x87, 0x37, 0xb0, 0x77, 0x9c, 0x1a, 0x07, 0xe2, 0x9c, 0x47, 0xa1,
0xae, 0x00, 0x49, 0x48, 0x47, 0x6c, 0x48, 0x9f, 0x45, 0xa5, 0xa1, 0x5d,
0x7a, 0xc8, 0xec, 0xc6, 0xac, 0xc6, 0x45, 0xad, 0xb4, 0x3d, 0x87, 0x67,
0x9d, 0xf5, 0x9c, 0x09, 0x3b, 0xc5, 0xa2, 0xe9, 0x69, 0x6c, 0x54, 0x78,
0x54, 0x1b, 0x97, 0x9e, 0x75, 0x4b, 0x57, 0x39, 0x14, 0xbe, 0x55, 0xd3,
0x2f, 0xf4, 0xc0, 0x9d, 0xdf, 0x27, 0x21, 0x99, 0x34, 0xcd, 0x99, 0x05,
0x27, 0xb3, 0xf9, 0x2e, 0xd7, 0x8f, 0xbf, 0x29, 0x24, 0x6a, 0xbe, 0xcb,
0x71, 0x24, 0x0e, 0xf3, 0x9c, 0x2d, 0x71, 0x07, 0xb4, 0x47, 0x54, 0x5a,
0x7f, 0xfb, 0x10, 0xeb, 0x06, 0x0a, 0x68, 0xa9, 0x85, 0x80, 0x21, 0x9e,
0x36, 0x91, 0x09, 0x52, 0x68, 0x38, 0x92, 0xd6, 0xa5, 0xe2, 0xa8, 0x08,
0x03, 0x19, 0x3e, 0x40, 0x75, 0x31, 0x40, 0x4e, 0x36, 0xb3, 0x15, 0x62,
0x37, 0x99, 0xaa, 0x82, 0x50, 0x74, 0x40, 0x97, 0x54, 0xa2, 0xdf, 0xe8,
0xf5, 0xaf, 0xd5, 0xfe, 0x63, 0x1e, 0x1f, 0xc2, 0xaf, 0x38, 0x08, 0x90,
0x6f, 0x28, 0xa7, 0x90, 0xd9, 0xdd, 0x9f, 0xe0, 0x60, 0x93, 0x9b, 0x12,
0x57, 0x90, 0xc5, 0x80, 0x5d, 0x03, 0x7d, 0xf5, 0x6a, 0x99, 0x53, 0x1b,
0x96, 0xde, 0x69, 0xde, 0x33, 0xed, 0x22, 0x6c, 0xc1, 0x20, 0x7d, 0x10,
0x42, 0xb5, 0xc9, 0xab, 0x7f, 0x40, 0x4f, 0xc7, 0x11, 0xc0, 0xfe, 0x47,
0x69, 0xfb, 0x95, 0x78, 0xb1, 0xdc, 0x0e, 0xc4, 0x69, 0xea, 0x1a, 0x25,
0xe0, 0xff, 0x99, 0x14, 0x88, 0x6e, 0xf2, 0x69, 0x9b, 0x23, 0x5b, 0xb4,
0x84, 0x7d, 0xd6, 0xff, 0x40, 0xb6, 0x06, 0xe6, 0x17, 0x07, 0x93, 0xc2,
0xfb, 0x98, 0xb3, 0x14, 0x58, 0x7f, 0x9c, 0xfd, 0x25, 0x73, 0x62, 0xdf,
0xea, 0xb1, 0x0b, 0x3b, 0xd2, 0xd9, 0x76, 0x73, 0xa1, 0xa4, 0xbd, 0x44,
0xc4, 0x53, 0xaa, 0xf4, 0x7f, 0xc1, 0xf2, 0xd3, 0xd0, 0xf3, 0x84, 0xf7,
0x4a, 0x06, 0xf8, 0x9c, 0x08, 0x9f, 0x0d, 0xa6, 0xcd, 0xb7, 0xfc, 0xee,
0xe8, 0xc9, 0x82, 0x1a, 0x8e, 0x54, 0xf2, 0x5c, 0x04, 0x16, 0xd1, 0x8c,
0x46, 0x83, 0x9a, 0x5f, 0x80, 0x12, 0xfb, 0xdd, 0x3d, 0xc7, 0x4d, 0x25,
0x62, 0x79, 0xad, 0xc2, 0xc0, 0xd5, 0x5a, 0xff, 0x6f, 0x06, 0x22, 0x42,
0x5d, 0x1b, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xc9, 0x30, 0x81,
0xc6, 0x30, 0x60, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x59, 0x30, 0x57,
0x30, 0x55, 0xa0, 0x53, 0xa0, 0x51, 0x86, 0x4f, 0x68, 0x74, 0x74, 0x70,
0x3a, 0x2f, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x73, 0x65,
0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x6c,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74,
0x2f, 0x43, 0x52, 0x4c, 0x2f, 0x53, 0x47, 0x58, 0x2f, 0x41, 0x74, 0x74,
0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x70, 0x6f,
0x72, 0x74, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x43, 0x41, 0x2e,
0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
0x04, 0x14, 0x78, 0x43, 0x7b, 0x76, 0xa6, 0x7e, 0xbc, 0xd0, 0xaf, 0x7e,
0x42, 0x37, 0xeb, 0x35, 0x7c, 0x3b, 0x87, 0x01, 0x51, 0x3c, 0x30, 0x1f,
0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x78,
0x43, 0x7b, 0x76, 0xa6, 0x7e, 0xbc, 0xd0, 0xaf, 0x7e, 0x42, 0x37, 0xeb,
0x35, 0x7c, 0x3b, 0x87, 0x01, 0x51, 0x3c, 0x30, 0x0e, 0x06, 0x03, 0x55,
0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30,
0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30,
0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
0x01, 0x81, 0x00, 0x78, 0x5f, 0x2d, 0x60, 0xc5, 0xc8, 0x0a, 0xf4, 0x2a,
0x79, 0x76, 0x10, 0x21, 0x39, 0x15, 0xda, 0x82, 0xc9, 0xb2, 0x9e, 0x89,
0xe0, 0x90, 0x2a, 0x25, 0xa6, 0xc7, 0x5b, 0x16, 0x09, 0x1c, 0x68, 0xab,
0x20, 0x4a, 0xae, 0x71, 0x18, 0x89, 0x49, 0x2c, 0x7e, 0x1e, 0x32, 0x09,
0x11, 0x45, 0x5a, 0x8f, 0xc1, 0x34, 0x42, 0x31, 0x2e, 0x77, 0xa6, 0x39,
0x94, 0xd9, 0x97, 0x95, 0xc8, 0xea, 0x45, 0x76, 0x82, 0x3c, 0xea, 0x8a,
0xd1, 0xe1, 0x91, 0xcf, 0xa8, 0x62, 0xfa, 0xb8, 0xa9, 0x32, 0xd3, 0xd9,
0xb0, 0x53, 0x5a, 0x07, 0x02, 0xd0, 0x55, 0x5f, 0x74, 0xe5, 0x20, 0xe3,
0x03, 0x30, 0xf3, 0x34, 0x80, 0xe7, 0xad, 0xc9, 0xd7, 0xc8, 0x1e, 0x20,
0x70, 0x31, 0x42, 0xbf, 0x00, 0xc5, 0x28, 0xa8, 0x0b, 0x46, 0x33, 0x81,
0xfd, 0x60, 0x2a, 0x82, 0xc7, 0x03, 0x52, 0x81, 0xaa, 0xe5, 0x95, 0x62,
0xcc, 0xb5, 0x33, 0x4e, 0xa8, 0x90, 0x3e, 0x65, 0x0b, 0x01, 0x06, 0x81,
0xf5, 0xce, 0x8e, 0xb6, 0x2e, 0xac, 0x9c, 0x41, 0x49, 0x88, 0x24, 0x3a,
0xec, 0x92, 0xf2, 0x5b, 0xf1, 0x3c, 0xdf, 0xf7, 0xeb, 0xcc, 0x29, 0x8e,
0xe5, 0x1b, 0xba, 0x5a, 0x35, 0x38, 0xb6, 0x6b, 0x26, 0xcb, 0xc4, 0x5a,
0x51, 0xde, 0x00, 0x3c, 0xad, 0x30, 0x65, 0x31, 0xad, 0x7c, 0xf5, 0xd4,
0xef, 0x0f, 0x88, 0x05, 0xd1, 0xb9, 0x13, 0x3d, 0x24, 0x13, 0x5a, 0xb3,
0xc4, 0x64, 0x1a, 0x2f, 0x88, 0x08, 0x34, 0x9d, 0x73, 0x33, 0x29, 0x5e,
0x0e, 0x76, 0xee, 0x4b, 0xc5, 0x22, 0x72, 0x32, 0x62, 0x8e, 0xfa, 0x80,
0xd7, 0x9d, 0x92, 0xab, 0x4e, 0x3d, 0x11, 0x20, 0xf3, 0xfb, 0x5a, 0xd1,
0x19, 0xcd, 0x8d, 0x54, 0x4a, 0xa1, 0xd4, 0xa6, 0x86, 0x5e, 0x6b, 0x57,
0xbe, 0xac, 0x57, 0x71, 0x30, 0x7e, 0x2e, 0x3c, 0xb9, 0x07, 0x0d, 0xa4,
0x7b, 0x4b, 0xfc, 0x88, 0x69, 0xe0, 0x14, 0x13, 0xea, 0x09, 0x35, 0x41,
0xde, 0x8a, 0x79, 0x28, 0x11, 0xb7, 0x46, 0x36, 0xc5, 0xe9, 0x14, 0x52,
0xcf, 0x0c, 0xee, 0x59, 0xf2, 0xfb, 0x40, 0x4a, 0xcd, 0x0b, 0xc5, 0x84,
0xcb, 0x9c, 0x83, 0x54, 0x04, 0x73, 0x4c, 0x0e, 0x7e, 0xc6, 0x60, 0x5c,
0xdf, 0xcf, 0x2f, 0xf4, 0x39, 0xb6, 0xd4, 0x71, 0x9f, 0x70, 0x2f, 0x0e,
0x0c, 0x3f, 0xa0, 0x4f, 0xdb, 0x12, 0xa6, 0xcb, 0x2a, 0xd1, 0xab, 0x1c,
0x9a, 0xf1, 0xf8, 0xf4, 0xc3, 0xa0, 0x8e, 0xdd, 0x72, 0xa3, 0x2b, 0x0b,
0xb5, 0xd0, 0xad, 0x25, 0x6f, 0xfd, 0x15, 0x9a, 0x68, 0x3b, 0x2a, 0x5a,
0x1f, 0x1d, 0x11, 0xfa, 0x62, 0x53, 0x2f, 0x03, 0xd7, 0x54, 0xca, 0xef,
0x0d, 0xa5, 0x73, 0x5a, 0x1e, 0x5a, 0x88, 0x4c, 0x7e, 0x89, 0xd9, 0x12,
0x18, 0xc9, 0xd7
};
unsigned int ias_sign_ca_cert_der_len = 1359;
......@@ -5,7 +5,7 @@
#include <ra.h>
#include <ra-attester.h>
// #include <ias-ra.h>
#include <ias-ra.h>
/* Untrusted code to do remote attestation with the SGX SDK. */
......@@ -35,7 +35,7 @@ void ocall_remote_attestation
assert(SGX_SUCCESS == status);
// verify against IAS
// obtain_attestation_verification_report(quote, quote_size, opts, attn_report);
obtain_attestation_verification_report(quote, quote_size, opts, attn_report);
}
void ocall_sgx_init_quote
......
......@@ -188,8 +188,8 @@ wolfssl_create_key_and_x509
do_remote_attestation(&report_data, opts, &attestation_report);
// generate_x509(&genKey, der_cert, der_cert_len,
// &attestation_report);
generate_x509(&genKey, der_cert, der_cert_len,
&attestation_report);
}
#ifdef RATLS_ECDSA
......@@ -663,8 +663,7 @@ void create_key_and_x509
int* der_key_len, /* in/out */
uint8_t* der_cert, /* out */
int* der_cert_len, /* in/out */
const struct ra_tls_options* opts, /* in */
void* targetinfo, void* data, void* report
const struct ra_tls_options* opts /* in */
)
{
wolfssl_create_key_and_x509(der_key, der_key_len,
......@@ -672,57 +671,6 @@ void create_key_and_x509
opts);
}
static void create_key_111
(
uint8_t* der_key, /* out */
int* der_key_len, /* in/out */
uint8_t* der_cert, /* out */
int* der_cert_len, /* in/out */
const struct ra_tls_options* opts, /* in */
void* targetinfo, void* data, void* report
)
{
wolfssl_create_key_and_x509(der_key, der_key_len,
der_cert, der_cert_len,
opts);
}
static void
wolfssl_create_key
(
uint8_t* der_key,
int* der_key_len,
uint8_t* der_cert,
int* der_cert_len,
const struct ra_tls_options* opts,
void* targetinfo, void* data, void* report
)
{
/* Generate key. */
RsaKey genKey;
RNG rng;
int ret;
wc_InitRng(&rng);
wc_InitRsaKey(&genKey, 0);
ret = wc_MakeRsaKey(&genKey, 3072, 65537, &rng);
assert(ret == 0);
uint8_t der[4096];
int derSz = wc_RsaKeyToDer(&genKey, der, sizeof(der));
assert(derSz >= 0);
assert(derSz <= (int) *der_key_len);
*der_key_len = derSz;
memcpy(der_key, der, derSz);
/* Generate certificate */
sgx_report_data_t report_data = {0, };
sha256_rsa_pubkey(report_data.d, &genKey);
attestation_verification_report_t attestation_report;
do_remote_attestation(&report_data, opts, &attestation_report);
}
void create_key_and_x509_pem
(
uint8_t* pem_key, /* out */
......
......@@ -3,9 +3,10 @@ SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= HW
SGX_DEBUG ?= 1
SGX_ARCH ?= x64
SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
WOLFSSL_ROOT ?= ./deps/wolfssl
SGX_RA_TLS_LIB ?= $(shell readlink -f .)
WOLFSSL_ROOT ?= $(TOPDIR)/wolfssl
SGX_RA_TLS_ROOT=$(shell readlink -f $(TOPDIR)/sgx-ra-tls)
SGX_WOLFSSL_LIB ?= $(TOPDIR)/build/lib
SGX_RA_TLS_LIB ?= $(shell readlink -f $(TOPDIR)/build/lib)
ifeq ($(shell getconf LONG_BIT), 32)
SGX_ARCH := x86
......@@ -47,35 +48,32 @@ endif
Crypto_Library_Name := sgx_tcrypto
SGX_RA_TLS_ROOT=$(shell readlink -f .)
Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-I$(WOLFSSL_ROOT)/wolfcrypt/
Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT) \
-I$(WOLFSSL_ROOT)/wolfcrypt
Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
-I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
Wolfssl_Enclave_C_Files := Wolfssl_Enclave.c
Wolfssl_Enclave_Include_Paths := -I. $(Wolfssl_Include_Paths) \
-I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc \
-I$(SGX_SDK)/include/stlport \
-I$(SGX_RA_TLS_ROOT)
ifeq ($(HAVE_WOLFSSL_TEST), 1)
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
endif
ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark
Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
endif
Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths) -fno-builtin -fno-builtin-printf -I.
Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib \
-nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
-L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
......@@ -83,13 +81,10 @@ Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
-Wl,--defsym,__ImageBase=0 \
-Wl,--version-script=trusted/Wolfssl_Enclave.lds
-Wl,--version-script=Wolfssl_Enclave.lds
Wolfssl_Enclave_C_Objects := $(Wolfssl_Enclave_C_Files:.c=.o)
ifeq ($(SGX_MODE), HW)
ifneq ($(SGX_DEBUG), 1)
ifneq ($(SGX_PRERELEASE), 1)
......@@ -98,7 +93,6 @@ endif
endif
endif
.PHONY: all run
ifeq ($(Build_Mode), HW_RELEASE)
......@@ -119,29 +113,29 @@ ifneq ($(Build_Mode), HW_RELEASE)
@echo "RUN => app [$(SGX_MODE)|$(SGX_ARCH), OK]"
endif
######## Wolfssl_Enclave Objects ########
trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
Wolfssl_Enclave_t.c: $(SGX_EDGER8R) Wolfssl_Enclave.edl
@$(SGX_EDGER8R) --trusted Wolfssl_Enclave.edl --search-path $(SGX_SDK)/include --search-path $(SGX_RA_TLS_ROOT)
@echo "GEN => $@"
trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
Wolfssl_Enclave_t.o: Wolfssl_Enclave_t.c
@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
@echo "CC <= $<"
trusted/%.o: trusted/%.c
%.o: %.c
@echo $(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
@echo "CC <= $<"
Wolfssl_Enclave.so: trusted/Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
Wolfssl_Enclave.so: Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
@echo $(Wolfssl_Enclave_Link_Flags)@
@$(CXX) $^ -o $@ $(Wolfssl_Enclave_Link_Flags)
@echo "LINK => $@"
Wolfssl_Enclave.signed.so: Wolfssl_Enclave.so
@$(SGX_ENCLAVE_SIGNER) sign -key trusted/Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config trusted/Wolfssl_Enclave.config.xml
@$(SGX_ENCLAVE_SIGNER) sign -key Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config Wolfssl_Enclave.config.xml
@echo "SIGN => $@"
clean:
@rm -f Wolfssl_Enclave.* trusted/Wolfssl_Enclave_t.* $(Wolfssl_Enclave_C_Objects)
@rm -f *.so Wolfssl_Enclave_t.* $(Wolfssl_Enclave_C_Objects)
#include <assert.h>
#include <stdarg.h>
#include <stdio.h> /* vsnprintf */
#include "Wolfssl_Enclave_t.h"
#include "sgx_trts.h"
int wc_test(void* args)
{
#ifdef HAVE_WOLFSSL_TEST
return wolfcrypt_test(args);
#else
/* wolfSSL test not compiled in! */
return -1;
#endif /* HAVE_WOLFSSL_TEST */
}
int wc_benchmark_test(void* args)
{
#ifdef HAVE_WOLFSSL_BENCHMARK
return benchmark_test(args);
#else
/* wolfSSL benchmark not compiled in! */
return -1;
#endif /* HAVE_WOLFSSL_BENCHMARK */
}
void enc_wolfSSL_Debugging_ON(void)
{
wolfSSL_Debugging_ON();
}
void enc_wolfSSL_Debugging_OFF(void)
{
wolfSSL_Debugging_OFF();
}
int enc_wolfSSL_Init(void)
{
return wolfSSL_Init();
}
WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
{
return wolfTLSv1_2_client_method();
}
WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
{
return wolfTLSv1_2_server_method();
}
WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
{
if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_new(method);
}
int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
const unsigned char* buf, long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
const unsigned char* buf, long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
long sz, int format)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
}
int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_set_cipher_list(ctx, list);
}
WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_new(ctx);
}
int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_set_fd(ssl, fd);
}
int enc_wolfSSL_connect(WOLFSSL* ssl)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_connect(ssl);
}
int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_write(ssl, in, sz);
}
int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_get_error(ssl, ret);
}
int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_read(ssl, data, sz);
}
void enc_wolfSSL_free(WOLFSSL* ssl)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
wolfSSL_free(ssl);
}
void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
wolfSSL_CTX_free(ctx);
}
int enc_wolfSSL_Cleanup(void)
{
wolfSSL_Cleanup();
}
void printf(const char *fmt, ...)
{
char buf[BUFSIZ] = {'\0'};
va_list ap;
va_start(ap, fmt);
vsnprintf(buf, BUFSIZ, fmt, ap);
va_end(ap);
ocall_print_string(buf);
}
int sprintf(char* buf, const char *fmt, ...)
{
va_list ap;
int ret;
va_start(ap, fmt);
ret = vsnprintf(buf, BUFSIZ, fmt, ap);
va_end(ap);
return ret;
}
double current_time(void)
{
double curr;
ocall_current_time(&curr);
return curr;
}
int LowResTimer(void) /* low_res timer */
{
int time;
ocall_low_res_time(&time);
return time;
}
size_t recv(int sockfd, void *buf, size_t len, int flags)
{
size_t ret;
int sgxStatus;
sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
return ret;
}
size_t send(int sockfd, const void *buf, size_t len, int flags)
{
size_t ret;
int sgxStatus;
sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
return ret;
}
extern struct ra_tls_options my_ra_tls_options;
void enc_create_key_and_x509(WOLFSSL_CTX* ctx) {
uint8_t der_key[2048];
uint8_t der_cert[8 * 1024];
uint32_t der_key_len = sizeof(der_key);
uint32_t der_cert_len = sizeof(der_cert);
create_key_and_x509(&der_key, &der_key_len,
&der_cert, &der_cert_len,
&my_ra_tls_options);
int ret;
ret = wolfSSL_CTX_use_certificate_buffer(ctx, der_cert, der_cert_len,
SSL_FILETYPE_ASN1);
assert(ret == SSL_SUCCESS);
wolfSSL_CTX_use_PrivateKey_buffer(ctx, der_key, der_key_len,
SSL_FILETYPE_ASN1);
assert(ret == SSL_SUCCESS);
}
......@@ -49,9 +49,7 @@ enclave {
public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
public int enc_wolfSSL_Cleanup(void);
public int enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx, [user_check]void* targetinfo,
[user_check]void* report);
public void enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx);
};
untrusted {
......
BINDIR := $(PREFIX)/usr/lib
all: stub_enclave
stub_enclave: ra_tls_options.c deps/local/lib/libwolfssl.sgx.static.lib.a deps/local/lib/libcurl-wolfssl.a libsgx_ra_tls_wolfssl.a
$(MAKE) -ef sgx_u.mk all
$(MAKE) -ef sgx_t.mk all
ra_tls_options.c: ra_tls_options.c.sh
bash $^ > $@
deps/local/lib/libcrypto.a: deps/openssl/config
cd deps/openssl && $(MAKE) && $(MAKE) -j1 install
deps/wolfssl/configure:
mkdir -p deps && cd deps && git clone https://github.com/wolfSSL/wolfssl
cd deps/wolfssl && git checkout 57e5648a5dd734d1c219d385705498ad12941dd0
cd deps/wolfssl && patch -p1 < ../../wolfssl.patch
cd deps/wolfssl && ./autogen.sh
# Add --enable-debug to ./configure for debug build
# WOLFSSL_ALWAYS_VERIFY_CB ... Always call certificate verification callback, even if verification succeeds
# KEEP_OUR_CERT ... Keep the certificate around after the handshake
# --enable-tlsv10 ... required by libcurl
# 2019-03-19 removed --enable-intelasm configure flag. The Celeron NUC I am developing this, does not support AVX.
WOLFSSL_CFLAGS+=-DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_ALWAYS_VERIFY_CB -DKEEP_PEER_CERT
WOLFSSL_CONFIGURE_FLAGS+=--prefix=$(shell readlink -f deps/local) --enable-writedup --enable-static --enable-keygen --enable-certgen --enable-certext --with-pic --disable-examples --disable-crypttests --enable-aesni --enable-tlsv10
ifdef DEBUG
WOLFSS_CFLAGS+=--enable-debug
endif
deps/local/lib/libwolfssl.a: CFLAGS+= $(WOLFSSL_CFLAGS)
deps/local/lib/libwolfssl.a: deps/wolfssl/configure
# Later versions of gcc report errors on this version of wolfSSL.
# TODO: Upgrade to more recent version of wolfSSL.
cd deps/wolfssl && CC=gcc CFLAGS="$(CFLAGS)" ./configure $(WOLFSSL_CONFIGURE_FLAGS)
cd deps/wolfssl && $(MAKE) install
# Ideally, deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a and
# deps/local/lib/libwolfssl.a could be built in parallel. Does not
# work however. Hence, the dependency forces a serial build.
#
# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a: deps/local/lib/libwolfssl.a
cd deps/wolfssl/IDE/LINUX-SGX && make -f sgx_t_static.mk CFLAGS="-DUSER_TIME -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_KEY_GEN -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192"
deps/local/lib/libwolfssl.sgx.static.lib.a: deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib/libwolfssl.a
mkdir -p deps/local/lib && cp deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib
deps/curl/configure:
cd deps && git clone https://github.com/curl/curl.git
cd deps/curl && git checkout curl-7_47_0
cd deps/curl && ./buildconf
CURL_CONFFLAGS=--prefix=$(shell readlink -f deps/local) --without-libidn --without-librtmp --without-libssh2 --without-libmetalink --without-libpsl --disable-ldap --disable-ldaps --disable-shared
ifdef DEBUG
CURL_CONFFLAGS+=--enable-debug
endif
deps/local/lib/libcurl-wolfssl.a: deps/curl/configure deps/local/lib/libwolfssl.a
cp -a deps/curl deps/curl-wolfssl
cd deps/curl-wolfssl && CFLAGS="-fPIC" ./configure $(CURL_CONFFLAGS) --without-ssl --with-cyassl=$(shell readlink -f deps/local)
cd deps/curl-wolfssl && $(MAKE)
cp deps/curl-wolfssl/lib/.libs/libcurl.a deps/local/lib/libcurl-wolfssl.a
libsgx_ra_tls_wolfssl.a:
make -f ratls-wolfssl.mk
rm -f wolfssl-ra-challenger.o wolfssl-ra.o ra-challenger.o ias_sign_ca_cert.o
install:
install -D -m0755 liberpal-sgxsdk.so $(BINDIR)/liberpal-sgxsdk.so
uninstall:
rm -f $(BINDIR)/liberpal-sgxsdk.so
clean:
rm -f ra_tls_options.c ra_tls_u.o
rm -rf deps/curl-wolfssl deps/local
$(MAKE) -ef sgx_u.mk clean
$(MAKE) -ef sgx_t.mk clean
$(MAKE) -ef ratls-wolfssl.mk clean
.PHONY: stub_enclave clean install uninstall
#include <assert.h>
#include <stdarg.h>
#include <stdio.h> /* vsnprintf */
#include "Wolfssl_Enclave_t.h"
#include "sgx_trts.h"
#include <wolfssl/wolfcrypt/rsa.h>
int wc_test(void* args)
{
#ifdef HAVE_WOLFSSL_TEST
return wolfcrypt_test(args);
#else
/* wolfSSL test not compiled in! */
return -1;
#endif /* HAVE_WOLFSSL_TEST */
}
int wc_benchmark_test(void* args)
{
#ifdef HAVE_WOLFSSL_BENCHMARK
return benchmark_test(args);
#else
/* wolfSSL benchmark not compiled in! */
return -1;
#endif /* HAVE_WOLFSSL_BENCHMARK */
}
void enc_wolfSSL_Debugging_ON(void)
{
wolfSSL_Debugging_ON();
}
void enc_wolfSSL_Debugging_OFF(void)
{
wolfSSL_Debugging_OFF();
}
int enc_wolfSSL_Init(void)
{
return wolfSSL_Init();
}
WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
{
return wolfTLSv1_2_client_method();
}
WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
{
return wolfTLSv1_2_server_method();
}
WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
{
if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_new(method);
}
int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
const unsigned char* buf, long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
const unsigned char* buf, long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
long sz, int type)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
}
int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
long sz, int format)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
}
int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_CTX_set_cipher_list(ctx, list);
}
WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
return wolfSSL_new(ctx);
}
int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_set_fd(ssl, fd);
}
int enc_wolfSSL_connect(WOLFSSL* ssl)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_connect(ssl);
}
int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_write(ssl, in, sz);
}
int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_get_error(ssl, ret);
}
int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
return wolfSSL_read(ssl, data, sz);
}
void enc_wolfSSL_free(WOLFSSL* ssl)
{
if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
abort();
wolfSSL_free(ssl);
}
void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
{
if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
abort();
wolfSSL_CTX_free(ctx);
}
int enc_wolfSSL_Cleanup(void)
{
wolfSSL_Cleanup();
}
void printf(const char *fmt, ...)
{
char buf[BUFSIZ] = {'\0'};
va_list ap;
va_start(ap, fmt);
vsnprintf(buf, BUFSIZ, fmt, ap);
va_end(ap);
ocall_print_string(buf);
}
int sprintf(char* buf, const char *fmt, ...)
{
va_list ap;
int ret;
va_start(ap, fmt);
ret = vsnprintf(buf, BUFSIZ, fmt, ap);
va_end(ap);
return ret;
}
double current_time(void)
{
double curr;
ocall_current_time(&curr);
return curr;
}
int LowResTimer(void) /* low_res timer */
{
int time;
ocall_low_res_time(&time);
return time;
}
size_t recv(int sockfd, void *buf, size_t len, int flags)
{
size_t ret;
int sgxStatus;
sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
return ret;
}
size_t send(int sockfd, const void *buf, size_t len, int flags)
{
size_t ret;
int sgxStatus;
sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
return ret;
}
extern struct ra_tls_options my_ra_tls_options;
int wolfssl_create_key
(
uint8_t* der_key,
int* der_key_len,
uint8_t* der_cert,
int* der_cert_len,
const struct ra_tls_options* opts,
void* targetinfo, void* report
)
{
if (targetinfo == NULL || report == NULL) {
printf("input parameters in invalid!\n");
return -1;
}
/* Generate key. */
RsaKey genKey;
RNG rng;
int ret;
wc_InitRng(&rng);
wc_InitRsaKey(&genKey, 0);
ret = wc_MakeRsaKey(&genKey, 3072, 65537, &rng);
assert(ret == 0);
uint8_t der[4096];
int derSz = wc_RsaKeyToDer(&genKey, der, sizeof(der));
assert(derSz >= 0);
assert(derSz <= (int) *der_key_len);
*der_key_len = derSz;
memcpy(der_key, der, derSz);
/* Generate certificate */
sgx_report_data_t report_data = {0, };
sha256_rsa_pubkey(report_data.d, &genKey);
sgx_target_info_t target_info = {0, };
memcpy(&target_info, targetinfo, sizeof(sgx_target_info_t));
sgx_report_t report_tmp = {0, };
sgx_status_t status = sgx_create_report(&target_info, &report_data, &report_tmp);
memcpy(report, &report_tmp, sizeof(sgx_report_t));
return status;
}
int create_key
(
uint8_t* der_key, /* out */
int* der_key_len, /* in/out */
uint8_t* der_cert, /* out */
int* der_cert_len, /* in/out */
const struct ra_tls_options* opts, /* in */
void* targetinfo, void* report
)
{
return wolfssl_create_key(der_key, der_key_len, der_cert, der_cert_len, opts, targetinfo, report);
}
#ifdef WOLFSSL_SGX
time_t XTIME(time_t* tloc) {
time_t x = 1512498557; /* Dec 5, 2017, 10:29 PDT */
if (tloc) *tloc = x;
return x;
}
time_t mktime(struct tm* tm) {
(void) tm;
assert(0);
return (time_t) 0;
}
#endif
int enc_create_key_and_x509(WOLFSSL_CTX* ctx, void* targetinfo, void* report) {
uint8_t der_key[2048];
uint8_t der_cert[8 * 1024];
uint32_t der_key_len = sizeof(der_key);
uint32_t der_cert_len = sizeof(der_cert);
if( targetinfo == NULL || report == NULL)
{
printf("input parameters is valid!\n");
return -1;
}
return create_key(&der_key, &der_key_len,
&der_cert, &der_cert_len,
&my_ra_tls_options, targetinfo, report);
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册