packages/intel-sgx-ssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!16 openEuler 22.03 LTS版本intel-sgx-ssl软件升级至2.15.1_1.1.1l

Browse Source 
Merge pull request !16 from hzero1996/openEuler-22.03-LTS-Next
This commit is contained in:
openeuler-ci-bot 2021-12-22 08:44:14 +00:00 committed by Gitee
commit 5aefeefe41
6 changed files with 336 additions and 677 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

492
0002-add-ocall-file-operation-and-getenv.patch → 0001-Solution_to_issue_ssl_library_is_not_supported.patch
View File

@ -1,43 +1,103 @@
From 05d61201781597f53cb7dfcd9508ac0141315131 Mon Sep 17 00:00:00 2001
From 94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Tue, 26 Jan 2021 11:24:43 +0800
Subject: [PATCH] add ocall file operation and getenv
Date: Thu, 25 Feb 2021 16:41:56 +0800
Subject: [PATCH] support ssl library
Update Makefile
update copyright year
Reference: https://github.com/intel/intel-sgx-ssl/commit/94d10d73ac952fc8b4f5b6581b858d6fe7f7a352
Conflict: NA
---
.../Linux/build_openssl.sh | 2 +-
.../Linux/package/include/sgx_tsgxssl.edl | 12 +
.../Linux/package/include/tsgxsslio.h | 8 +-
.../Linux/sgx/libsgx_tsgxssl/tstdio.cpp | 339 +++++++++++++++---
.../Linux/sgx/libsgx_tsgxssl/tstdlib.cpp | 48 +--
.../Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 +++++
.../Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 ++++
.../sgx/test_app/enclave/tests/stdio_func.c | 4 +-
.../openssl_source/bypass_to_sgxssl.h | 10 +-
9 files changed, 483 insertions(+), 97 deletions(-)
create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp
create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp
Linux/Makefile | 1 +
Linux/build_openssl.sh | 9 +-
Linux/package/include/sgx_tsgxssl.edl | 14 ++
Linux/package/include/tsgxsslio.h | 13 +-
Linux/sgx/buildenv.mk | 2 +
Linux/sgx/libsgx_tsgxssl/Makefile | 2 +-
Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 +
Linux/sgx/libsgx_tsgxssl/tstdio.cpp | 229 ++++++++++++++++++
Linux/sgx/libsgx_tsgxssl/tstdlib.cpp | 48 ++--
Linux/sgx/libsgx_tsgxssl/tunistd.cpp | 59 ++---
Linux/sgx/libsgx_usgxssl/Makefile | 2 +-
Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 ++++++++
Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 +++++
Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 ++++
Linux/sgx/test_app/enclave/tests/stdio_func.c | 4 +-
openssl_source/bypass_to_sgxssl.h | 11 +-
16 files changed, 516 insertions(+), 82 deletions(-)
create mode 100644 Linux/sgx/libsgx_usgxssl/ustdio.cpp
create mode 100644 Linux/sgx/libsgx_usgxssl/ustdlib.cpp
create mode 100644 Linux/sgx/libsgx_usgxssl/uunistd.cpp
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
index 4c5b999..157965d 100755
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
@@ -133,7 +133,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
diff --git a/Linux/Makefile b/Linux/Makefile
index 9524f45..304ce24 100644
--- a/Linux/Makefile
+++ b/Linux/Makefile
@@ -55,6 +55,7 @@ sgxssl_no_mitigation:
clean:
$(MAKE) -C sgx/ clean
rm -rf $(PACKAGE_LIB)/$(OPENSSL_LIB) $(PACKAGE_INC)/openssl/
+ rm -rf $(PACKAGE_LIB)/$(OPENSSL_SSL_LIB)
rm -rf $(PACKAGE_LIB)/cve_2020_0551_load
rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf
diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh
index 7d77b79..9dc4082 100755
--- a/Linux/build_openssl.sh
+++ b/Linux/build_openssl.sh
@@ -59,6 +59,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1
# Remove AESBS to support only AESNI and VPAES
sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
+sed -i 's/-Wa,--noexecstack/-Wa,--noexecstack -fstack-protector-strong/' $OPENSSL_VERSION/Configure
##Space optimization flags.
SPACE_OPT=
@@ -69,8 +70,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt
fi
OUTPUT_LIB=libsgx_tsgxssl_crypto.a
+OUTPUT_SSLLIB=libsgx_tsgxssl_ssl.a
if [[ "$*" == *"debug"* ]] ; then
OUTPUT_LIB=libsgx_tsgxssl_cryptod.a
+ OUTPUT_SSLLIB=libsgx_tsgxssl_ssld.a
ADDITIONAL_CONF="-g "
fi
@@ -136,8 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1
-
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h --prefix=$OPENSSL_INSTALL_DIR || exit 1
sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c
make build_all_generated || exit 1
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
index 3ad91d8..74dbdde 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
@@ -39,6 +39,18 @@ enclave {
@@ -159,8 +161,9 @@ then
cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s
fi
-make libcrypto.a || exit 1
+make libcrypto.a libssl.a || exit 1
cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
+cp libssl.a $SGXSSL_ROOT/package/lib64/$OUTPUT_SSLLIB || exit 1
objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1
cp include/crypto/* $SGXSSL_ROOT/package/include/crypto/ || exit 1
diff --git a/Linux/package/include/sgx_tsgxssl.edl b/Linux/package/include/sgx_tsgxssl.edl
index cbc4888..e385250 100644
--- a/Linux/package/include/sgx_tsgxssl.edl
+++ b/Linux/package/include/sgx_tsgxssl.edl
@@ -37,6 +37,20 @@ enclave {
untrusted {
void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len);
int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len);
int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len);
+ int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len);
+ int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len);
+ int ocall_cc_getenv([in, size = name_len] const char *name, size_t name_len, [out, size = buf_len] void *buf, int buf_len, [out] int *need_len);
+ uint64_t ocall_cc_fopen([in, size = filename_len] const char *filename, size_t filename_len, [in, size = mode_len] const char *mode, size_t mode_len);
+ int ocall_cc_fclose(uint64_t fp);
@ -53,126 +113,91 @@ index 3ad91d8..74dbdde 100644
};
trusted {
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h
index a200a17..8f9e35b 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h
@@ -32,6 +32,12 @@
diff --git a/Linux/package/include/tsgxsslio.h b/Linux/package/include/tsgxsslio.h
index a200a17..fe56f61 100644
--- a/Linux/package/include/tsgxsslio.h
+++ b/Linux/package/include/tsgxsslio.h
@@ -32,6 +32,18 @@
#ifndef _TSGXSSL_IO_H_
#define _TSGXSSL_IO_H_
-typedef void FILE;
+#include <stdio.h>
+#ifndef __FILE_defined
+#define __FILE_defined 1
+
+struct _IO_FILE;
+/* The opaque type of streams. This is the definition used elsewhere. */
+typedef struct _IO_FILE FILE;
+#endif
+
+#undef stdout
+#define stdout ((void*)1)
+#undef stderr
+#define stderr ((void*)2)
+typedef struct _IO_FILE FILE;
#endif // _TSGXSSL_IO_H_
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
index ebb8abb..1e6d8bc 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
@@ -1,55 +1,284 @@
-/*
- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Intel Corporation nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include <stdio.h>
-#include "tcommon.h"
-#include "sgx_tsgxssl_t.h"
-#include "tSgxSSL_api.h"
-
-extern PRINT_TO_STDOUT_STDERR_CB s_print_cb;
-
-extern "C" {
-
-int sgx_print(const char *format, ...)
-{
- if (s_print_cb != NULL) {
- va_list vl;
- va_start(vl, format);
- int res = s_print_cb(STREAM_STDOUT, format, vl);
- va_end(vl);
-
- return res;
- }
-
- return 0;
-}
-
-}
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk
index cd8818e..7cd794c 100644
--- a/Linux/sgx/buildenv.mk
+++ b/Linux/sgx/buildenv.mk
@@ -73,11 +73,13 @@ endif
ifeq ($(DEBUG), 1)
OBJDIR := debug
OPENSSL_LIB := libsgx_tsgxssl_cryptod.a
+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssld.a
TRUSTED_LIB := libsgx_tsgxssld.a
UNTRUSTED_LIB := libsgx_usgxssld.a
else
OBJDIR := release
OPENSSL_LIB := libsgx_tsgxssl_crypto.a
+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssl.a
TRUSTED_LIB := libsgx_tsgxssl.a
UNTRUSTED_LIB := libsgx_usgxssl.a
endif
diff --git a/Linux/sgx/libsgx_tsgxssl/Makefile b/Linux/sgx/libsgx_tsgxssl/Makefile
index 40d8f3b..3eb4a7e 100644
--- a/Linux/sgx/libsgx_tsgxssl/Makefile
+++ b/Linux/sgx/libsgx_tsgxssl/Makefile
@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o))
Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC)
-Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths)
+Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths)
Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS) $(NO_THREADS_CFLAG)
Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS)
$(shell mkdir -p $(OBJDIR))
diff --git a/Linux/sgx/libsgx_tsgxssl/tcommon.h b/Linux/sgx/libsgx_tsgxssl/tcommon.h
index f8d9379..dd1ca8d 100644
--- a/Linux/sgx/libsgx_tsgxssl/tcommon.h
+++ b/Linux/sgx/libsgx_tsgxssl/tcommon.h
@@ -40,6 +40,7 @@
#include "tdefines.h"
#include "tSgxSSL_api.h"
+#define CC_SSL_SUCCESS 0
//#define DO_SGX_LOG
#define DO_SGX_WARN
diff --git a/Linux/sgx/libsgx_tsgxssl/tstdio.cpp b/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
index 800a9a7..1e6d8bc 100644
--- a/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
+++ b/Linux/sgx/libsgx_tsgxssl/tstdio.cpp
@@ -30,14 +30,243 @@
*/
#include <stdio.h>
+#include <string.h>
+#include "tcommon.h"
+#include "sgx_tsgxssl_t.h"
+#include "tSgxSSL_api.h"
#include "tcommon.h"
#include "sgx_tsgxssl_t.h"
#include "tSgxSSL_api.h"
+#include "tsgxsslio.h"
+
+extern PRINT_TO_STDOUT_STDERR_CB s_print_cb;
+
+extern "C" {
+
extern PRINT_TO_STDOUT_STDERR_CB s_print_cb;
extern "C" {
+int print_with_cb(void* fp, const char* fmt, __va_list vl)
+{
+ int res = -1;
@ -400,25 +425,13 @@ index ebb8abb..1e6d8bc 100644
+ return ret;
+}
+
+int sgx_print(const char *format, ...)
+{
+ if (s_print_cb != NULL) {
+ va_list vl;
+ va_start(vl, format);
+ int res = s_print_cb(STREAM_STDOUT, format, vl);
+ va_end(vl);
+
+ return res;
+ }
+
+ return 0;
+}
+
+}
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
index c6a8066..9a66c72 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
int sgx_print(const char *format, ...)
{
if (s_print_cb != NULL) {
diff --git a/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp b/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
index 81851a7..fb794db 100644
--- a/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
+++ b/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp
@@ -57,39 +57,25 @@ SGX_ACCESS_VERSION(tssl, 1);
extern "C" {
@ -462,11 +475,11 @@ index c6a8066..9a66c72 100644
+ int ret = 0;
+ int res;
+ int buf_len = 0;
+
+
+ if (t_env_buf == NULL || MAX_ENV_BUF_LEN <= 0) {
+ return NULL;
+ }
+
+
+ memset(t_env_buf, 0, MAX_ENV_BUF_LEN);
+ res = ocall_cc_getenv(&ret, name, strlen(name), t_env_buf, MAX_ENV_BUF_LEN, &buf_len);
+ if (res != CC_SSL_SUCCESS || ret <= 0 || ret != buf_len) {
@ -475,12 +488,100 @@ index c6a8066..9a66c72 100644
+ return t_env_buf;
}
int sgxssl_atexit(void (*function)(void))
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp
}
diff --git a/Linux/sgx/libsgx_tsgxssl/tunistd.cpp b/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
index 7bdfa07..d7aba27 100644
--- a/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
+++ b/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
@@ -56,47 +56,34 @@ int sgxssl_pipe (int pipefd[2])
size_t sgxssl_write (int fd, const void *buf, size_t n)
{
- FSTART;
-
- if (fd == FAKE_PIPE_WRITE_FD) {
- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
-
- FEND;
- // On error, -1 is returned, and errno is set appropriately
- return -1;
- }
-
- // In addition, the function is used by bss_sock.c as writesocket function.
- // It is unreachable under the assumption that TLS support is not required.
- // Otherwise should be implemented as OCALL.
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
+ int ret = 0;
+ int res;
+ if (fd == FAKE_PIPE_WRITE_FD) {
+ return -1;
+ }
+
+ res = ocall_cc_write(&ret, fd, buf, n);
+ if (res != CC_SSL_SUCCESS) {
+ return -1;
+ }
+ return ret;
}
size_t sgxssl_read(int fd, void *buf, size_t count)
{
- FSTART;
-
- if (fd == FAKE_PIPE_READ_FD) {
- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
-
- FEND;
- // On error, -1 is returned, and errno is set appropriately
- return -1;
- }
-
- // In addition, the function is used by bss_sock.c as readsocket function.
- // It is unreachable under the assumption that TLS support is not required.
- // Otherwise should be implemented as OCALL.
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
+ int ret = 0;
+ int res;
+
+ if (fd == FAKE_PIPE_READ_FD) {
+ return -1;
+ }
+
+ res = ocall_cc_read(&ret, fd, buf, count);
+ if (res != CC_SSL_SUCCESS) {
+ return -1;
+ }
+ return ret;
}
// TODO
diff --git a/Linux/sgx/libsgx_usgxssl/Makefile b/Linux/sgx/libsgx_usgxssl/Makefile
index 5d7e756..ee1f29f 100644
--- a/Linux/sgx/libsgx_usgxssl/Makefile
+++ b/Linux/sgx/libsgx_usgxssl/Makefile
@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl
Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC)
-Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths)
+Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector-strong -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths)
Sgx_ussl_Cpp_Flags := $(Sgx_ussl_C_Flags) -std=c++11
Sgx_ussl_Cpp_Files := $(wildcard *.cpp)
diff --git a/Linux/sgx/libsgx_usgxssl/ustdio.cpp b/Linux/sgx/libsgx_usgxssl/ustdio.cpp
new file mode 100644
index 0000000..c4b15f7
--- /dev/null
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp
+++ b/Linux/sgx/libsgx_usgxssl/ustdio.cpp
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
@ -578,11 +679,11 @@ index 0000000..c4b15f7
+ return fputs(str, (FILE *)fp);
+}
+}
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp
diff --git a/Linux/sgx/libsgx_usgxssl/ustdlib.cpp b/Linux/sgx/libsgx_usgxssl/ustdlib.cpp
new file mode 100644
index 0000000..7467e1d
--- /dev/null
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp
+++ b/Linux/sgx/libsgx_usgxssl/ustdlib.cpp
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
@ -645,10 +746,62 @@ index 0000000..7467e1d
+}
+
+}
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c
diff --git a/Linux/sgx/libsgx_usgxssl/uunistd.cpp b/Linux/sgx/libsgx_usgxssl/uunistd.cpp
new file mode 100644
index 0000000..c2456ba
--- /dev/null
+++ b/Linux/sgx/libsgx_usgxssl/uunistd.cpp
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <unistd.h>
+
+extern "C" {
+
+int ocall_cc_read(int fd, void *buf, size_t buf_len)
+{
+ return read(fd, buf, buf_len);
+}
+
+int ocall_cc_write(int fd, const void *buf, size_t buf_len)
+{
+ return write(fd, buf, buf_len);
+}
+
+}
diff --git a/Linux/sgx/test_app/enclave/tests/stdio_func.c b/Linux/sgx/test_app/enclave/tests/stdio_func.c
index 286340e..13de4dd 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c
--- a/Linux/sgx/test_app/enclave/tests/stdio_func.c
+++ b/Linux/sgx/test_app/enclave/tests/stdio_func.c
@@ -42,7 +42,7 @@ static int print_fp(const char *str, size_t len, void *fp)
printf("%s", str);
return 1;
@ -664,16 +817,17 @@ index 286340e..13de4dd 100644
}
-
+*/
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h b/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h
index 1c4d025..e938ff1 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h
@@ -181,23 +181,19 @@
diff --git a/openssl_source/bypass_to_sgxssl.h b/openssl_source/bypass_to_sgxssl.h
index 6ff3fc2..9676726 100644
--- a/openssl_source/bypass_to_sgxssl.h
+++ b/openssl_source/bypass_to_sgxssl.h
@@ -181,23 +181,20 @@
#define mlock sgxssl_mlock
#define madvise sgxssl_madvise
-/*
-#define fopen64 sgxssl_fopen64
+
#define fopen sgxssl_fopen
-#define wfopen sgxssl_wfopen
#define fclose sgxssl_fclose

435
0001-add-ocall-read-write.patch
View File

@ -1,435 +0,0 @@
From 7b20f1fee1c7a437274870c0015435d7f5adcb03 Mon Sep 17 00:00:00 2001
From: yanlu <yanlu14@huawei.com>
Date: Mon, 18 Jan 2021 19:24:32 +0800
Subject: [PATCH] add ocall read write
---
intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile | 1 +
.../Linux/build_openssl.sh | 5 +-
.../Linux/package/include/sgx_tsgxssl.edl | 2 +
.../Linux/sgx/buildenv.mk | 2 +
.../Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 +
.../Linux/sgx/libsgx_tsgxssl/tunistd.cpp | 271 +++++++++---------
.../Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 +++
7 files changed, 185 insertions(+), 143 deletions(-)
create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile
index b79649e..6b91d1c 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile
@@ -51,6 +51,7 @@ sgxssl_no_mitigation:
clean:
$(MAKE) -C sgx/ clean
rm -rf $(PACKAGE_LIB)/$(OPENSSL_LIB) $(PACKAGE_INC)/openssl/
+ rm -rf $(PACKAGE_LIB)/$(OPENSSL_SSL_LIB)
rm -rf $(PACKAGE_LIB)/cve_2020_0551_load
rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
index a70ddf1..4c5b999 100755
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
@@ -68,8 +68,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt
fi
OUTPUT_LIB=libsgx_tsgxssl_crypto.a
+OUTPUT_SSLLIB=libsgx_tsgxssl_ssl.a
if [[ $# -gt 0 ]] && [[ $1 == "debug" || $2 == "debug" || $3 == "debug" || $4 == "debug" ]] ; then
OUTPUT_LIB=libsgx_tsgxssl_cryptod.a
+ OUTPUT_SSLLIB=libsgx_tsgxssl_ssld.a
ADDITIONAL_CONF="-g "
fi
@@ -153,8 +155,9 @@ then
cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s
fi
-make libcrypto.a || exit 1
+make libcrypto.a libssl.a || exit 1
cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
+cp libssl.a $SGXSSL_ROOT/package/lib64/$OUTPUT_SSLLIB || exit 1
objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1
cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1
exit 0
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
index cbc4888..3ad91d8 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl
@@ -37,6 +37,8 @@ enclave {
untrusted {
void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len);
+ int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len);
+ int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len);
};
trusted {
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk
index cd8818e..7cd794c 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk
@@ -73,11 +73,13 @@ endif
ifeq ($(DEBUG), 1)
OBJDIR := debug
OPENSSL_LIB := libsgx_tsgxssl_cryptod.a
+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssld.a
TRUSTED_LIB := libsgx_tsgxssld.a
UNTRUSTED_LIB := libsgx_usgxssld.a
else
OBJDIR := release
OPENSSL_LIB := libsgx_tsgxssl_crypto.a
+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssl.a
TRUSTED_LIB := libsgx_tsgxssl.a
UNTRUSTED_LIB := libsgx_usgxssl.a
endif
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h
index 4d64d23..7dbbfd1 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h
@@ -40,6 +40,7 @@
#include "tdefines.h"
#include "tSgxSSL_api.h"
+#define CC_SSL_SUCCESS 0
//#define DO_SGX_LOG
#define DO_SGX_WARN
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
index b6cdd39..d7aba27 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp
@@ -1,143 +1,130 @@
-/*
- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of Intel Corporation nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#include "sgx_tsgxssl_t.h"
-#include "tcommon.h"
-
-#define FAKE_PIPE_READ_FD 0xFAFAFAFALL
-#define FAKE_PIPE_WRITE_FD 0xFBFBFBFBLL
-
-#define ENCLAVE_PAGE_SIZE 0x1000 // 4096 B
-
-extern "C" {
-
-int sgxssl_pipe (int pipefd[2])
-{
- FSTART;
-
- // The function is used only by the engines/e_dasync.c (dummy async engine).
- // Adding fake implementation only to be able to distinguish pipe read/write from socket read/write
- pipefd[0] = FAKE_PIPE_READ_FD;
- pipefd[1] = FAKE_PIPE_WRITE_FD;
-
- FEND;
-
- // On error, -1 is returned, and errno is set appropriately
- return 0;
-}
-
-size_t sgxssl_write (int fd, const void *buf, size_t n)
-{
- FSTART;
-
- if (fd == FAKE_PIPE_WRITE_FD) {
- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
-
- FEND;
- // On error, -1 is returned, and errno is set appropriately
- return -1;
- }
-
- // In addition, the function is used by bss_sock.c as writesocket function.
- // It is unreachable under the assumption that TLS support is not required.
- // Otherwise should be implemented as OCALL.
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
-
-}
-
-size_t sgxssl_read(int fd, void *buf, size_t count)
-{
- FSTART;
-
- if (fd == FAKE_PIPE_READ_FD) {
- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
-
- FEND;
- // On error, -1 is returned, and errno is set appropriately
- return -1;
- }
-
- // In addition, the function is used by bss_sock.c as readsocket function.
- // It is unreachable under the assumption that TLS support is not required.
- // Otherwise should be implemented as OCALL.
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
-}
-
-// TODO
-int sgxssl_close(int fd)
-{
- FSTART;
-
- if (fd == FAKE_PIPE_READ_FD ||
- fd == FAKE_PIPE_WRITE_FD) {
- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
-
- FEND;
- // On error, -1 is returned, and errno is set appropriately
- return -1;
- }
-
- // In addition, the function is used by b_sock2.c as closesocket function.
- // It is unreachable under the assumption that TLS support is not required.
- // Otherwise should be implemented as OCALL.
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
-}
-
-long sgxssl_sysconf(int name)
-{
- FSTART;
-
- // Used by mem_sec.c
- if (name == _SC_PAGESIZE) {
- return ENCLAVE_PAGE_SIZE;
- }
-
- SGX_UNREACHABLE_CODE(SET_ERRNO);
- FEND;
-
- return -1;
-}
-
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "sgx_tsgxssl_t.h"
+#include "tcommon.h"
+
+#define FAKE_PIPE_READ_FD 0xFAFAFAFALL
+#define FAKE_PIPE_WRITE_FD 0xFBFBFBFBLL
+
+#define ENCLAVE_PAGE_SIZE 0x1000 // 4096 B
+
+extern "C" {
+
+int sgxssl_pipe (int pipefd[2])
+{
+ FSTART;
+
+ // The function is used only by the engines/e_dasync.c (dummy async engine).
+ // Adding fake implementation only to be able to distinguish pipe read/write from socket read/write
+ pipefd[0] = FAKE_PIPE_READ_FD;
+ pipefd[1] = FAKE_PIPE_WRITE_FD;
+
+ FEND;
+
+ // On error, -1 is returned, and errno is set appropriately
+ return 0;
+}
+
+size_t sgxssl_write (int fd, const void *buf, size_t n)
+{
+ int ret = 0;
+ int res;
+
+ if (fd == FAKE_PIPE_WRITE_FD) {
+ return -1;
+ }
+
+ res = ocall_cc_write(&ret, fd, buf, n);
+ if (res != CC_SSL_SUCCESS) {
+ return -1;
+ }
+ return ret;
+}
+
+size_t sgxssl_read(int fd, void *buf, size_t count)
+{
+ int ret = 0;
+ int res;
+
+ if (fd == FAKE_PIPE_READ_FD) {
+ return -1;
+ }
+
+ res = ocall_cc_read(&ret, fd, buf, count);
+ if (res != CC_SSL_SUCCESS) {
+ return -1;
+ }
+ return ret;
+}
+
+// TODO
+int sgxssl_close(int fd)
+{
+ FSTART;
+
+ if (fd == FAKE_PIPE_READ_FD ||
+ fd == FAKE_PIPE_WRITE_FD) {
+ // With pipes the function is used only by the engines/e_dasync.c (dummy async engine).
+ SGX_UNSUPPORTED_FUNCTION(SET_ERRNO);
+
+ FEND;
+ // On error, -1 is returned, and errno is set appropriately
+ return -1;
+ }
+
+ // In addition, the function is used by b_sock2.c as closesocket function.
+ // It is unreachable under the assumption that TLS support is not required.
+ // Otherwise should be implemented as OCALL.
+ SGX_UNREACHABLE_CODE(SET_ERRNO);
+ FEND;
+
+ return -1;
+}
+
+long sgxssl_sysconf(int name)
+{
+ FSTART;
+
+ // Used by mem_sec.c
+ if (name == _SC_PAGESIZE) {
+ return ENCLAVE_PAGE_SIZE;
+ }
+
+ SGX_UNREACHABLE_CODE(SET_ERRNO);
+ FEND;
+
+ return -1;
+}
+
//Process ID is used as RNG entropy, SGXSSL use sgx_get_rand() hence this function is redundant.
//
int sgxssl_getpid() {
@@ -198,5 +185,5 @@ void *sgxssl_opendir(const char *name)
return NULL;
}
-
-} // extern "C"
+
+} // extern "C"
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp
new file mode 100644
index 0000000..c2456ba
--- /dev/null
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <unistd.h>
+
+extern "C" {
+
+int ocall_cc_read(int fd, void *buf, size_t buf_len)
+{
+ return read(fd, buf, buf_len);
+}
+
+int ocall_cc_write(int fd, const void *buf, size_t buf_len)
+{
+ return write(fd, buf, buf_len);
+}
+
+}
--
2.27.0

47
0003-modify-for-sp.patch
View File

@ -1,47 +0,0 @@
From eddebe3a99d42f0f6b904d32574e30b2ba780847 Mon Sep 17 00:00:00 2001
From: zgzxx <zhangguangzhi3@huawei.com>
Date: Sat, 20 Mar 2021 15:45:35 +0800
Subject: [PATCH] modify for sp
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile
index 2bf97c8..1501201 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile
@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o))
Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC)
-Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths)
+Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths)
Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS)
Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS)
$(shell mkdir -p $(OBJDIR))
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile
index 5d7e756..ee1f29f 100644
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile
@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl
Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC)
-Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths)
+Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector-strong -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths)
Sgx_ussl_Cpp_Flags := $(Sgx_ussl_C_Flags) -std=c++11
Sgx_ussl_Cpp_Files := $(wildcard *.cpp)
diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
index 157965d..472988a 100755
--- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh
@@ -58,6 +58,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1
# Remove AESBS to support only AESNI and VPAES
sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
+sed -i 's/-Wa,--noexecstack/-Wa,--noexecstack -fstack-protector-strong/' $OPENSSL_VERSION/Configure
##Space optimization flags.
SPACE_OPT=
--
2.27.0

BIN
lin_2.10_1.1.1g.zip → intel-sgx-ssl-lin_2.15.1_1.1.1l.zip
View File

Binary file not shown.

39
intel-sgx-ssl.spec
View File

@ -1,22 +1,20 @@
%define openssl_version 1.1.1g
%define openssl_version 1.1.1l
Name: intel-sgx-ssl
Version: 2.10
Release: 6
Version: 2.15.1
Release: 1
Summary: Intel® Software Guard Extensions SSL
ExclusiveArch: x86_64
License: OpenSSL and BSD-3-Clause
URL: https://github.com/intel/intel-sgx-ssl
Source0: https://github.com/intel/intel-sgx-ssl/archive/lin_%{version}_%{openssl_version}.zip
Source0: https://github.com/intel/intel-sgx-ssl/archive/intel-sgx-ssl-lin_%{version}_%{openssl_version}.zip
Source1: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz
Patch0: 0001-add-ocall-read-write.patch
Patch1: 0002-add-ocall-file-operation-and-getenv.patch
Patch2: 0003-modify-for-sp.patch
Patch0: 0001-Solution_to_issue_ssl_library_is_not_supported.patch
BuildRequires: gcc
BuildRequires: libsgx-launch libsgx-urts sgxsdk
BuildRequires: gcc gcc-c++
BuildRequires: libsgx-launch libsgx-urts sgxsdk perl
Requires: glibc
Requires: glibc sgxsdk >= %{version}-%{release}
%description
The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic
@ -24,7 +22,7 @@ library is intended to provide cryptographic services for
Intel® Software Guard Extensions (SGX) enclave applications.
The Intel® SGX SSL cryptographic library is based on the underlying
OpenSSL* Open Source project, providing a full-strength general purpose
cryptography library. Supported OpenSSL version is 1.1.1g.
cryptography library. Supported OpenSSL version is 1.1.1l.
%package devel
@ -40,10 +38,9 @@ Requires: %{name} = %{version}-%{release}
%prep
%setup -q -n intel-sgx-ssl-lin_2.10_1.1.1g
%patch0 -p2
%patch1 -p2
%patch2 -p2
%setup -q -n intel-sgx-ssl-lin_%{version}_%{openssl_version}
%patch0 -p1
%build
cp %{SOURCE1} openssl_source/
cd Linux
@ -64,15 +61,5 @@ cp License.txt $RPM_BUILD_ROOT/opt/intel/sgxssl/docs/
/opt/intel/sgxssl/include/*
%changelog
* Sat Mar 20 2021 zhangguangzhi <zhangguangzhi3@huawei.com> - 2.10-6
- modify for sp
* Mon Feb 22 2021 chenmaodong <chenmaodong@huawei.com> - 2.10-5
- add ocall file operation and getenv
* Tue Jan 26 2021 yanlu <yanlu14@huawei.com> - 2.10-4
- add ocall file operation and getenv
* Mon Jan 18 2021 yanlu <yanlu14@huawei.com> - 2.10-3
- add ocall read and write
* Mon Jan 18 2021 chenmaodong <chenmaodong@huawei.com> - 2.10-2
- init
* Tue Dec 29 2020 chenmaodong <chenmaodong@huawei.com> - 2.10-1
* Thu Dec 9 2021 wangcheng<wangcheng156@huawei.com> - 2.15.1-1
- init

BIN
openssl-1.1.1g.tar.gz → openssl-1.1.1l.tar.gz
View File

Binary file not shown.