diff --git a/0002-add-ocall-file-operation-and-getenv.patch b/0001-Solution_to_issue_ssl_library_is_not_supported.patch similarity index 59% rename from 0002-add-ocall-file-operation-and-getenv.patch rename to 0001-Solution_to_issue_ssl_library_is_not_supported.patch index 931d779c2c7c2f4a288e7256c5b170a49fddc2de..cbab2f0c8e086893170f54011b45da0e0e4ea9e4 100644 --- a/0002-add-ocall-file-operation-and-getenv.patch +++ b/0001-Solution_to_issue_ssl_library_is_not_supported.patch @@ -1,43 +1,103 @@ -From 05d61201781597f53cb7dfcd9508ac0141315131 Mon Sep 17 00:00:00 2001 +From 94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 Mon Sep 17 00:00:00 2001 From: yanlu -Date: Tue, 26 Jan 2021 11:24:43 +0800 -Subject: [PATCH] add ocall file operation and getenv +Date: Thu, 25 Feb 2021 16:41:56 +0800 +Subject: [PATCH] support ssl library + +Update Makefile + +update copyright year + +Reference: https://github.com/intel/intel-sgx-ssl/commit/94d10d73ac952fc8b4f5b6581b858d6fe7f7a352 +Conflict: NA --- - .../Linux/build_openssl.sh | 2 +- - .../Linux/package/include/sgx_tsgxssl.edl | 12 + - .../Linux/package/include/tsgxsslio.h | 8 +- - .../Linux/sgx/libsgx_tsgxssl/tstdio.cpp | 339 +++++++++++++++--- - .../Linux/sgx/libsgx_tsgxssl/tstdlib.cpp | 48 +-- - .../Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 +++++ - .../Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 ++++ - .../sgx/test_app/enclave/tests/stdio_func.c | 4 +- - .../openssl_source/bypass_to_sgxssl.h | 10 +- - 9 files changed, 483 insertions(+), 97 deletions(-) - create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp - create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp + Linux/Makefile | 1 + + Linux/build_openssl.sh | 9 +- + Linux/package/include/sgx_tsgxssl.edl | 14 ++ + Linux/package/include/tsgxsslio.h | 13 +- + Linux/sgx/buildenv.mk | 2 + + Linux/sgx/libsgx_tsgxssl/Makefile | 2 +- + Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 + + Linux/sgx/libsgx_tsgxssl/tstdio.cpp | 229 ++++++++++++++++++ + Linux/sgx/libsgx_tsgxssl/tstdlib.cpp | 48 ++-- + Linux/sgx/libsgx_tsgxssl/tunistd.cpp | 59 ++--- + Linux/sgx/libsgx_usgxssl/Makefile | 2 +- + Linux/sgx/libsgx_usgxssl/ustdio.cpp | 96 ++++++++ + Linux/sgx/libsgx_usgxssl/ustdlib.cpp | 61 +++++ + Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 ++++ + Linux/sgx/test_app/enclave/tests/stdio_func.c | 4 +- + openssl_source/bypass_to_sgxssl.h | 11 +- + 16 files changed, 516 insertions(+), 82 deletions(-) + create mode 100644 Linux/sgx/libsgx_usgxssl/ustdio.cpp + create mode 100644 Linux/sgx/libsgx_usgxssl/ustdlib.cpp + create mode 100644 Linux/sgx/libsgx_usgxssl/uunistd.cpp -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -index 4c5b999..157965d 100755 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -@@ -133,7 +133,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 +diff --git a/Linux/Makefile b/Linux/Makefile +index 9524f45..304ce24 100644 +--- a/Linux/Makefile ++++ b/Linux/Makefile +@@ -55,6 +55,7 @@ sgxssl_no_mitigation: + clean: + $(MAKE) -C sgx/ clean + rm -rf $(PACKAGE_LIB)/$(OPENSSL_LIB) $(PACKAGE_INC)/openssl/ ++ rm -rf $(PACKAGE_LIB)/$(OPENSSL_SSL_LIB) + rm -rf $(PACKAGE_LIB)/cve_2020_0551_load + rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf + +diff --git a/Linux/build_openssl.sh b/Linux/build_openssl.sh +index 7d77b79..9dc4082 100755 +--- a/Linux/build_openssl.sh ++++ b/Linux/build_openssl.sh +@@ -59,6 +59,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1 + + # Remove AESBS to support only AESNI and VPAES + sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure ++sed -i 's/-Wa,--noexecstack/-Wa,--noexecstack -fstack-protector-strong/' $OPENSSL_VERSION/Configure + + ##Space optimization flags. + SPACE_OPT= +@@ -69,8 +70,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt + fi + + OUTPUT_LIB=libsgx_tsgxssl_crypto.a ++OUTPUT_SSLLIB=libsgx_tsgxssl_ssl.a + if [[ "$*" == *"debug"* ]] ; then + OUTPUT_LIB=libsgx_tsgxssl_cryptod.a ++ OUTPUT_SSLLIB=libsgx_tsgxssl_ssld.a + ADDITIONAL_CONF="-g " + fi + +@@ -136,8 +139,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1 cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1 cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1 --perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1 +-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h --prefix=$OPENSSL_INSTALL_DIR || exit 1 +- +perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-hw no-dso no-shared no-ssl3 no-md2 no-md4 no-ui no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h -include$SGXSSL_ROOT/../Linux/package/include/tsgxsslio.h --prefix=$OPENSSL_INSTALL_DIR || exit 1 - + sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c make build_all_generated || exit 1 -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -index 3ad91d8..74dbdde 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -@@ -39,6 +39,18 @@ enclave { +@@ -159,8 +161,9 @@ then + cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s + fi + +-make libcrypto.a || exit 1 ++make libcrypto.a libssl.a || exit 1 + cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1 ++cp libssl.a $SGXSSL_ROOT/package/lib64/$OUTPUT_SSLLIB || exit 1 + objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1 + cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1 + cp include/crypto/* $SGXSSL_ROOT/package/include/crypto/ || exit 1 +diff --git a/Linux/package/include/sgx_tsgxssl.edl b/Linux/package/include/sgx_tsgxssl.edl +index cbc4888..e385250 100644 +--- a/Linux/package/include/sgx_tsgxssl.edl ++++ b/Linux/package/include/sgx_tsgxssl.edl +@@ -37,6 +37,20 @@ enclave { + + untrusted { void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len); - int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len); - int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len); ++ int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len); ++ int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len); + int ocall_cc_getenv([in, size = name_len] const char *name, size_t name_len, [out, size = buf_len] void *buf, int buf_len, [out] int *need_len); + uint64_t ocall_cc_fopen([in, size = filename_len] const char *filename, size_t filename_len, [in, size = mode_len] const char *mode, size_t mode_len); + int ocall_cc_fclose(uint64_t fp); @@ -53,126 +113,91 @@ index 3ad91d8..74dbdde 100644 }; trusted { -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h -index a200a17..8f9e35b 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/tsgxsslio.h -@@ -32,6 +32,12 @@ +diff --git a/Linux/package/include/tsgxsslio.h b/Linux/package/include/tsgxsslio.h +index a200a17..fe56f61 100644 +--- a/Linux/package/include/tsgxsslio.h ++++ b/Linux/package/include/tsgxsslio.h +@@ -32,6 +32,18 @@ #ifndef _TSGXSSL_IO_H_ #define _TSGXSSL_IO_H_ -typedef void FILE; +#include ++#ifndef __FILE_defined ++#define __FILE_defined 1 ++ ++struct _IO_FILE; ++/* The opaque type of streams. This is the definition used elsewhere. */ ++typedef struct _IO_FILE FILE; ++#endif + +#undef stdout +#define stdout ((void*)1) +#undef stderr +#define stderr ((void*)2) -+typedef struct _IO_FILE FILE; #endif // _TSGXSSL_IO_H_ -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp -index ebb8abb..1e6d8bc 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdio.cpp -@@ -1,55 +1,284 @@ --/* -- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * * Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * * Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * * Neither the name of Intel Corporation nor the names of its -- * contributors may be used to endorse or promote products derived -- * from this software without specific prior written permission. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- */ -- --#include --#include "tcommon.h" --#include "sgx_tsgxssl_t.h" --#include "tSgxSSL_api.h" -- --extern PRINT_TO_STDOUT_STDERR_CB s_print_cb; -- --extern "C" { -- --int sgx_print(const char *format, ...) --{ -- if (s_print_cb != NULL) { -- va_list vl; -- va_start(vl, format); -- int res = s_print_cb(STREAM_STDOUT, format, vl); -- va_end(vl); -- -- return res; -- } -- -- return 0; --} -- --} -+/* -+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Intel Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include +diff --git a/Linux/sgx/buildenv.mk b/Linux/sgx/buildenv.mk +index cd8818e..7cd794c 100644 +--- a/Linux/sgx/buildenv.mk ++++ b/Linux/sgx/buildenv.mk +@@ -73,11 +73,13 @@ endif + ifeq ($(DEBUG), 1) + OBJDIR := debug + OPENSSL_LIB := libsgx_tsgxssl_cryptod.a ++ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssld.a + TRUSTED_LIB := libsgx_tsgxssld.a + UNTRUSTED_LIB := libsgx_usgxssld.a + else + OBJDIR := release + OPENSSL_LIB := libsgx_tsgxssl_crypto.a ++ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssl.a + TRUSTED_LIB := libsgx_tsgxssl.a + UNTRUSTED_LIB := libsgx_usgxssl.a + endif +diff --git a/Linux/sgx/libsgx_tsgxssl/Makefile b/Linux/sgx/libsgx_tsgxssl/Makefile +index 40d8f3b..3eb4a7e 100644 +--- a/Linux/sgx/libsgx_tsgxssl/Makefile ++++ b/Linux/sgx/libsgx_tsgxssl/Makefile +@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o)) + + Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC) + +-Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths) ++Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths) + Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS) $(NO_THREADS_CFLAG) + Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS) + $(shell mkdir -p $(OBJDIR)) +diff --git a/Linux/sgx/libsgx_tsgxssl/tcommon.h b/Linux/sgx/libsgx_tsgxssl/tcommon.h +index f8d9379..dd1ca8d 100644 +--- a/Linux/sgx/libsgx_tsgxssl/tcommon.h ++++ b/Linux/sgx/libsgx_tsgxssl/tcommon.h +@@ -40,6 +40,7 @@ + #include "tdefines.h" + #include "tSgxSSL_api.h" + ++#define CC_SSL_SUCCESS 0 + + //#define DO_SGX_LOG + #define DO_SGX_WARN +diff --git a/Linux/sgx/libsgx_tsgxssl/tstdio.cpp b/Linux/sgx/libsgx_tsgxssl/tstdio.cpp +index 800a9a7..1e6d8bc 100644 +--- a/Linux/sgx/libsgx_tsgxssl/tstdio.cpp ++++ b/Linux/sgx/libsgx_tsgxssl/tstdio.cpp +@@ -30,14 +30,243 @@ + */ + + #include +#include -+#include "tcommon.h" -+#include "sgx_tsgxssl_t.h" -+#include "tSgxSSL_api.h" + #include "tcommon.h" + #include "sgx_tsgxssl_t.h" + #include "tSgxSSL_api.h" +#include "tsgxsslio.h" -+ -+extern PRINT_TO_STDOUT_STDERR_CB s_print_cb; -+ -+extern "C" { -+ + + extern PRINT_TO_STDOUT_STDERR_CB s_print_cb; + + extern "C" { + +int print_with_cb(void* fp, const char* fmt, __va_list vl) +{ + int res = -1; @@ -400,25 +425,13 @@ index ebb8abb..1e6d8bc 100644 + return ret; +} + -+int sgx_print(const char *format, ...) -+{ -+ if (s_print_cb != NULL) { -+ va_list vl; -+ va_start(vl, format); -+ int res = s_print_cb(STREAM_STDOUT, format, vl); -+ va_end(vl); -+ -+ return res; -+ } -+ -+ return 0; -+} -+ -+} -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp -index c6a8066..9a66c72 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp + int sgx_print(const char *format, ...) + { + if (s_print_cb != NULL) { +diff --git a/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp b/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp +index 81851a7..fb794db 100644 +--- a/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp ++++ b/Linux/sgx/libsgx_tsgxssl/tstdlib.cpp @@ -57,39 +57,25 @@ SGX_ACCESS_VERSION(tssl, 1); extern "C" { @@ -462,11 +475,11 @@ index c6a8066..9a66c72 100644 + int ret = 0; + int res; + int buf_len = 0; -+ ++ + if (t_env_buf == NULL || MAX_ENV_BUF_LEN <= 0) { + return NULL; + } -+ ++ + memset(t_env_buf, 0, MAX_ENV_BUF_LEN); + res = ocall_cc_getenv(&ret, name, strlen(name), t_env_buf, MAX_ENV_BUF_LEN, &buf_len); + if (res != CC_SSL_SUCCESS || ret <= 0 || ret != buf_len) { @@ -475,12 +488,100 @@ index c6a8066..9a66c72 100644 + return t_env_buf; } - int sgxssl_atexit(void (*function)(void)) -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp + } +diff --git a/Linux/sgx/libsgx_tsgxssl/tunistd.cpp b/Linux/sgx/libsgx_tsgxssl/tunistd.cpp +index 7bdfa07..d7aba27 100644 +--- a/Linux/sgx/libsgx_tsgxssl/tunistd.cpp ++++ b/Linux/sgx/libsgx_tsgxssl/tunistd.cpp +@@ -56,47 +56,34 @@ int sgxssl_pipe (int pipefd[2]) + + size_t sgxssl_write (int fd, const void *buf, size_t n) + { +- FSTART; +- +- if (fd == FAKE_PIPE_WRITE_FD) { +- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). +- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); +- +- FEND; +- // On error, -1 is returned, and errno is set appropriately +- return -1; +- } +- +- // In addition, the function is used by bss_sock.c as writesocket function. +- // It is unreachable under the assumption that TLS support is not required. +- // Otherwise should be implemented as OCALL. +- SGX_UNREACHABLE_CODE(SET_ERRNO); +- FEND; +- +- return -1; ++ int ret = 0; ++ int res; + ++ if (fd == FAKE_PIPE_WRITE_FD) { ++ return -1; ++ } ++ ++ res = ocall_cc_write(&ret, fd, buf, n); ++ if (res != CC_SSL_SUCCESS) { ++ return -1; ++ } ++ return ret; + } + + size_t sgxssl_read(int fd, void *buf, size_t count) + { +- FSTART; +- +- if (fd == FAKE_PIPE_READ_FD) { +- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). +- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); +- +- FEND; +- // On error, -1 is returned, and errno is set appropriately +- return -1; +- } +- +- // In addition, the function is used by bss_sock.c as readsocket function. +- // It is unreachable under the assumption that TLS support is not required. +- // Otherwise should be implemented as OCALL. +- SGX_UNREACHABLE_CODE(SET_ERRNO); +- FEND; +- +- return -1; ++ int ret = 0; ++ int res; ++ ++ if (fd == FAKE_PIPE_READ_FD) { ++ return -1; ++ } ++ ++ res = ocall_cc_read(&ret, fd, buf, count); ++ if (res != CC_SSL_SUCCESS) { ++ return -1; ++ } ++ return ret; + } + + // TODO +diff --git a/Linux/sgx/libsgx_usgxssl/Makefile b/Linux/sgx/libsgx_usgxssl/Makefile +index 5d7e756..ee1f29f 100644 +--- a/Linux/sgx/libsgx_usgxssl/Makefile ++++ b/Linux/sgx/libsgx_usgxssl/Makefile +@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl + + Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC) + +-Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths) ++Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector-strong -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths) + Sgx_ussl_Cpp_Flags := $(Sgx_ussl_C_Flags) -std=c++11 + + Sgx_ussl_Cpp_Files := $(wildcard *.cpp) +diff --git a/Linux/sgx/libsgx_usgxssl/ustdio.cpp b/Linux/sgx/libsgx_usgxssl/ustdio.cpp new file mode 100644 index 0000000..c4b15f7 --- /dev/null -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdio.cpp ++++ b/Linux/sgx/libsgx_usgxssl/ustdio.cpp @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. @@ -578,11 +679,11 @@ index 0000000..c4b15f7 + return fputs(str, (FILE *)fp); +} +} -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp +diff --git a/Linux/sgx/libsgx_usgxssl/ustdlib.cpp b/Linux/sgx/libsgx_usgxssl/ustdlib.cpp new file mode 100644 index 0000000..7467e1d --- /dev/null -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/ustdlib.cpp ++++ b/Linux/sgx/libsgx_usgxssl/ustdlib.cpp @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. @@ -645,10 +746,62 @@ index 0000000..7467e1d +} + +} -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c +diff --git a/Linux/sgx/libsgx_usgxssl/uunistd.cpp b/Linux/sgx/libsgx_usgxssl/uunistd.cpp +new file mode 100644 +index 0000000..c2456ba +--- /dev/null ++++ b/Linux/sgx/libsgx_usgxssl/uunistd.cpp +@@ -0,0 +1,46 @@ ++/* ++ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * * Neither the name of Intel Corporation nor the names of its ++ * contributors may be used to endorse or promote products derived ++ * from this software without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++ ++extern "C" { ++ ++int ocall_cc_read(int fd, void *buf, size_t buf_len) ++{ ++ return read(fd, buf, buf_len); ++} ++ ++int ocall_cc_write(int fd, const void *buf, size_t buf_len) ++{ ++ return write(fd, buf, buf_len); ++} ++ ++} +diff --git a/Linux/sgx/test_app/enclave/tests/stdio_func.c b/Linux/sgx/test_app/enclave/tests/stdio_func.c index 286340e..13de4dd 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/test_app/enclave/tests/stdio_func.c +--- a/Linux/sgx/test_app/enclave/tests/stdio_func.c ++++ b/Linux/sgx/test_app/enclave/tests/stdio_func.c @@ -42,7 +42,7 @@ static int print_fp(const char *str, size_t len, void *fp) printf("%s", str); return 1; @@ -664,16 +817,17 @@ index 286340e..13de4dd 100644 } - +*/ -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h b/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h -index 1c4d025..e938ff1 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/openssl_source/bypass_to_sgxssl.h -@@ -181,23 +181,19 @@ +diff --git a/openssl_source/bypass_to_sgxssl.h b/openssl_source/bypass_to_sgxssl.h +index 6ff3fc2..9676726 100644 +--- a/openssl_source/bypass_to_sgxssl.h ++++ b/openssl_source/bypass_to_sgxssl.h +@@ -181,23 +181,20 @@ #define mlock sgxssl_mlock #define madvise sgxssl_madvise -/* -#define fopen64 sgxssl_fopen64 ++ #define fopen sgxssl_fopen -#define wfopen sgxssl_wfopen #define fclose sgxssl_fclose diff --git a/0001-add-ocall-read-write.patch b/0001-add-ocall-read-write.patch deleted file mode 100644 index deb0c4009150f1a80d51f58b5ef53e6145a97fb0..0000000000000000000000000000000000000000 --- a/0001-add-ocall-read-write.patch +++ /dev/null @@ -1,435 +0,0 @@ -From 7b20f1fee1c7a437274870c0015435d7f5adcb03 Mon Sep 17 00:00:00 2001 -From: yanlu -Date: Mon, 18 Jan 2021 19:24:32 +0800 -Subject: [PATCH] add ocall read write - ---- - intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile | 1 + - .../Linux/build_openssl.sh | 5 +- - .../Linux/package/include/sgx_tsgxssl.edl | 2 + - .../Linux/sgx/buildenv.mk | 2 + - .../Linux/sgx/libsgx_tsgxssl/tcommon.h | 1 + - .../Linux/sgx/libsgx_tsgxssl/tunistd.cpp | 271 +++++++++--------- - .../Linux/sgx/libsgx_usgxssl/uunistd.cpp | 46 +++ - 7 files changed, 185 insertions(+), 143 deletions(-) - create mode 100644 intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp - -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile -index b79649e..6b91d1c 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/Makefile -@@ -51,6 +51,7 @@ sgxssl_no_mitigation: - clean: - $(MAKE) -C sgx/ clean - rm -rf $(PACKAGE_LIB)/$(OPENSSL_LIB) $(PACKAGE_INC)/openssl/ -+ rm -rf $(PACKAGE_LIB)/$(OPENSSL_SSL_LIB) - rm -rf $(PACKAGE_LIB)/cve_2020_0551_load - rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf - -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -index a70ddf1..4c5b999 100755 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -@@ -68,8 +68,10 @@ sed -i '/OPENSSL_die("assertion failed/d' $OPENSSL_VERSION/include/openssl/crypt - fi - - OUTPUT_LIB=libsgx_tsgxssl_crypto.a -+OUTPUT_SSLLIB=libsgx_tsgxssl_ssl.a - if [[ $# -gt 0 ]] && [[ $1 == "debug" || $2 == "debug" || $3 == "debug" || $4 == "debug" ]] ; then - OUTPUT_LIB=libsgx_tsgxssl_cryptod.a -+ OUTPUT_SSLLIB=libsgx_tsgxssl_ssld.a - ADDITIONAL_CONF="-g " - fi - -@@ -153,8 +155,9 @@ then - cp $SGXSSL_ROOT/../openssl_source/Linux/x86_64cpuid.s ./crypto/x86_64cpuid.s - fi - --make libcrypto.a || exit 1 -+make libcrypto.a libssl.a || exit 1 - cp libcrypto.a $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1 -+cp libssl.a $SGXSSL_ROOT/package/lib64/$OUTPUT_SSLLIB || exit 1 - objcopy --rename-section .init=Q6A8dc14f40efc4288a03b32cba4e $SGXSSL_ROOT/package/lib64/$OUTPUT_LIB || exit 1 - cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1 - exit 0 -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -index cbc4888..3ad91d8 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/package/include/sgx_tsgxssl.edl -@@ -37,6 +37,8 @@ enclave { - - untrusted { - void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len); -+ int ocall_cc_read(int fd, [out, size = buf_len] void *buf, size_t buf_len); -+ int ocall_cc_write(int fd, [in, size = buf_len] const void *buf, size_t buf_len); - }; - - trusted { -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk -index cd8818e..7cd794c 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/buildenv.mk -@@ -73,11 +73,13 @@ endif - ifeq ($(DEBUG), 1) - OBJDIR := debug - OPENSSL_LIB := libsgx_tsgxssl_cryptod.a -+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssld.a - TRUSTED_LIB := libsgx_tsgxssld.a - UNTRUSTED_LIB := libsgx_usgxssld.a - else - OBJDIR := release - OPENSSL_LIB := libsgx_tsgxssl_crypto.a -+ OPENSSL_SSL_LIB := libsgx_tsgxssl_ssl.a - TRUSTED_LIB := libsgx_tsgxssl.a - UNTRUSTED_LIB := libsgx_usgxssl.a - endif -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h -index 4d64d23..7dbbfd1 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tcommon.h -@@ -40,6 +40,7 @@ - #include "tdefines.h" - #include "tSgxSSL_api.h" - -+#define CC_SSL_SUCCESS 0 - - //#define DO_SGX_LOG - #define DO_SGX_WARN -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp -index b6cdd39..d7aba27 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/tunistd.cpp -@@ -1,143 +1,130 @@ --/* -- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * * Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * * Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * * Neither the name of Intel Corporation nor the names of its -- * contributors may be used to endorse or promote products derived -- * from this software without specific prior written permission. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- */ -- --#include "sgx_tsgxssl_t.h" --#include "tcommon.h" -- --#define FAKE_PIPE_READ_FD 0xFAFAFAFALL --#define FAKE_PIPE_WRITE_FD 0xFBFBFBFBLL -- --#define ENCLAVE_PAGE_SIZE 0x1000 // 4096 B -- --extern "C" { -- --int sgxssl_pipe (int pipefd[2]) --{ -- FSTART; -- -- // The function is used only by the engines/e_dasync.c (dummy async engine). -- // Adding fake implementation only to be able to distinguish pipe read/write from socket read/write -- pipefd[0] = FAKE_PIPE_READ_FD; -- pipefd[1] = FAKE_PIPE_WRITE_FD; -- -- FEND; -- -- // On error, -1 is returned, and errno is set appropriately -- return 0; --} -- --size_t sgxssl_write (int fd, const void *buf, size_t n) --{ -- FSTART; -- -- if (fd == FAKE_PIPE_WRITE_FD) { -- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). -- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); -- -- FEND; -- // On error, -1 is returned, and errno is set appropriately -- return -1; -- } -- -- // In addition, the function is used by bss_sock.c as writesocket function. -- // It is unreachable under the assumption that TLS support is not required. -- // Otherwise should be implemented as OCALL. -- SGX_UNREACHABLE_CODE(SET_ERRNO); -- FEND; -- -- return -1; -- --} -- --size_t sgxssl_read(int fd, void *buf, size_t count) --{ -- FSTART; -- -- if (fd == FAKE_PIPE_READ_FD) { -- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). -- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); -- -- FEND; -- // On error, -1 is returned, and errno is set appropriately -- return -1; -- } -- -- // In addition, the function is used by bss_sock.c as readsocket function. -- // It is unreachable under the assumption that TLS support is not required. -- // Otherwise should be implemented as OCALL. -- SGX_UNREACHABLE_CODE(SET_ERRNO); -- FEND; -- -- return -1; --} -- --// TODO --int sgxssl_close(int fd) --{ -- FSTART; -- -- if (fd == FAKE_PIPE_READ_FD || -- fd == FAKE_PIPE_WRITE_FD) { -- // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). -- SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); -- -- FEND; -- // On error, -1 is returned, and errno is set appropriately -- return -1; -- } -- -- // In addition, the function is used by b_sock2.c as closesocket function. -- // It is unreachable under the assumption that TLS support is not required. -- // Otherwise should be implemented as OCALL. -- SGX_UNREACHABLE_CODE(SET_ERRNO); -- FEND; -- -- return -1; --} -- --long sgxssl_sysconf(int name) --{ -- FSTART; -- -- // Used by mem_sec.c -- if (name == _SC_PAGESIZE) { -- return ENCLAVE_PAGE_SIZE; -- } -- -- SGX_UNREACHABLE_CODE(SET_ERRNO); -- FEND; -- -- return -1; --} -- -+/* -+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Intel Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include "sgx_tsgxssl_t.h" -+#include "tcommon.h" -+ -+#define FAKE_PIPE_READ_FD 0xFAFAFAFALL -+#define FAKE_PIPE_WRITE_FD 0xFBFBFBFBLL -+ -+#define ENCLAVE_PAGE_SIZE 0x1000 // 4096 B -+ -+extern "C" { -+ -+int sgxssl_pipe (int pipefd[2]) -+{ -+ FSTART; -+ -+ // The function is used only by the engines/e_dasync.c (dummy async engine). -+ // Adding fake implementation only to be able to distinguish pipe read/write from socket read/write -+ pipefd[0] = FAKE_PIPE_READ_FD; -+ pipefd[1] = FAKE_PIPE_WRITE_FD; -+ -+ FEND; -+ -+ // On error, -1 is returned, and errno is set appropriately -+ return 0; -+} -+ -+size_t sgxssl_write (int fd, const void *buf, size_t n) -+{ -+ int ret = 0; -+ int res; -+ -+ if (fd == FAKE_PIPE_WRITE_FD) { -+ return -1; -+ } -+ -+ res = ocall_cc_write(&ret, fd, buf, n); -+ if (res != CC_SSL_SUCCESS) { -+ return -1; -+ } -+ return ret; -+} -+ -+size_t sgxssl_read(int fd, void *buf, size_t count) -+{ -+ int ret = 0; -+ int res; -+ -+ if (fd == FAKE_PIPE_READ_FD) { -+ return -1; -+ } -+ -+ res = ocall_cc_read(&ret, fd, buf, count); -+ if (res != CC_SSL_SUCCESS) { -+ return -1; -+ } -+ return ret; -+} -+ -+// TODO -+int sgxssl_close(int fd) -+{ -+ FSTART; -+ -+ if (fd == FAKE_PIPE_READ_FD || -+ fd == FAKE_PIPE_WRITE_FD) { -+ // With pipes the function is used only by the engines/e_dasync.c (dummy async engine). -+ SGX_UNSUPPORTED_FUNCTION(SET_ERRNO); -+ -+ FEND; -+ // On error, -1 is returned, and errno is set appropriately -+ return -1; -+ } -+ -+ // In addition, the function is used by b_sock2.c as closesocket function. -+ // It is unreachable under the assumption that TLS support is not required. -+ // Otherwise should be implemented as OCALL. -+ SGX_UNREACHABLE_CODE(SET_ERRNO); -+ FEND; -+ -+ return -1; -+} -+ -+long sgxssl_sysconf(int name) -+{ -+ FSTART; -+ -+ // Used by mem_sec.c -+ if (name == _SC_PAGESIZE) { -+ return ENCLAVE_PAGE_SIZE; -+ } -+ -+ SGX_UNREACHABLE_CODE(SET_ERRNO); -+ FEND; -+ -+ return -1; -+} -+ - //Process ID is used as RNG entropy, SGXSSL use sgx_get_rand() hence this function is redundant. - // - int sgxssl_getpid() { -@@ -198,5 +185,5 @@ void *sgxssl_opendir(const char *name) - return NULL; - } - -- --} // extern "C" -+ -+} // extern "C" -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp -new file mode 100644 -index 0000000..c2456ba ---- /dev/null -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/uunistd.cpp -@@ -0,0 +1,46 @@ -+/* -+ * Copyright (C) 2011-2017 Intel Corporation. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Intel Corporation nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+ -+extern "C" { -+ -+int ocall_cc_read(int fd, void *buf, size_t buf_len) -+{ -+ return read(fd, buf, buf_len); -+} -+ -+int ocall_cc_write(int fd, const void *buf, size_t buf_len) -+{ -+ return write(fd, buf, buf_len); -+} -+ -+} --- -2.27.0 - diff --git a/0003-modify-for-sp.patch b/0003-modify-for-sp.patch deleted file mode 100644 index 21a2f46218b25d6439e8a1db56e7f3f550bd1288..0000000000000000000000000000000000000000 --- a/0003-modify-for-sp.patch +++ /dev/null @@ -1,47 +0,0 @@ -From eddebe3a99d42f0f6b904d32574e30b2ba780847 Mon Sep 17 00:00:00 2001 -From: zgzxx -Date: Sat, 20 Mar 2021 15:45:35 +0800 -Subject: [PATCH] modify for sp - - -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile -index 2bf97c8..1501201 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_tsgxssl/Makefile -@@ -90,7 +90,7 @@ Sgx_tssl_S_Objects := $(addprefix $(OBJDIR)/, $(Sgx_tssl_S_Files:.S=.o)) - - Sgx_tssl_Include_Paths := -I. -I$(PACKAGE_INC) -I$(SGX_SDK_INC) -I$(SGX_SDK_INC)/tlibc -I$(LIBCXX_INC) - --Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths) -+Common_C_Cpp_Flags := -DOS_ID=$(OS_ID) $(SGX_COMMON_CFLAGS) -nostdinc -fdata-sections -ffunction-sections -Os -Wl,--gc-sections -fvisibility=hidden -fpie -fpic -fstack-protector-strong -fno-builtin-printf -Wformat -Wformat-security $(Sgx_tssl_Include_Paths) - Sgx_tssl_C_Flags := $(Common_C_Cpp_Flags) -Wno-implicit-function-declaration -std=c11 $(MITIGATION_CFLAGS) - Sgx_tssl_Cpp_Flags := $(Common_C_Cpp_Flags) -std=c++11 -nostdinc++ $(MITIGATION_CFLAGS) - $(shell mkdir -p $(OBJDIR)) -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile -index 5d7e756..ee1f29f 100644 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/sgx/libsgx_usgxssl/Makefile -@@ -72,7 +72,7 @@ SGX_EDL_FILE := $(PACKAGE_INCLUDE)/sgx_tsgxssl.edl - - Sgx_ussl_Include_Paths := -I. -I$(SGX_SDK_INC) - --Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths) -+Sgx_ussl_C_Flags := $(SGX_COMMON_CFLAGS) -fpie -fpic -fstack-protector-strong -Wformat -Wformat-security -Wno-attributes $(Sgx_ussl_Include_Paths) - Sgx_ussl_Cpp_Flags := $(Sgx_ussl_C_Flags) -std=c++11 - - Sgx_ussl_Cpp_Files := $(wildcard *.cpp) -diff --git a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -index 157965d..472988a 100755 ---- a/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -+++ b/intel-sgx-ssl-lin_2.10_1.1.1g/Linux/build_openssl.sh -@@ -58,6 +58,7 @@ tar xvf $OPENSSL_VERSION.tar.gz || exit 1 - - # Remove AESBS to support only AESNI and VPAES - sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure -+sed -i 's/-Wa,--noexecstack/-Wa,--noexecstack -fstack-protector-strong/' $OPENSSL_VERSION/Configure - - ##Space optimization flags. - SPACE_OPT= --- -2.27.0 - diff --git a/lin_2.10_1.1.1g.zip b/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip similarity index 70% rename from lin_2.10_1.1.1g.zip rename to intel-sgx-ssl-lin_2.15.1_1.1.1l.zip index ccc3476c526e32349774857b046b710a21f32cb3..6f8a1fffc4c6937fa04ca228f8f0310756b6ca16 100644 Binary files a/lin_2.10_1.1.1g.zip and b/intel-sgx-ssl-lin_2.15.1_1.1.1l.zip differ diff --git a/intel-sgx-ssl.spec b/intel-sgx-ssl.spec index afe28237b8ed137795ce92f20e5611c9d823cd5c..aae42527d5f6e18f447c4092d9678897f00dc6f5 100644 --- a/intel-sgx-ssl.spec +++ b/intel-sgx-ssl.spec @@ -1,22 +1,21 @@ -%define openssl_version 1.1.1g +%define openssl_version 1.1.1l Name: intel-sgx-ssl -Version: 2.10 -Release: 6 +Version: 2.15.1 +Release: 1 Summary: Intel® Software Guard Extensions SSL ExclusiveArch: x86_64 License: OpenSSL and BSD-3-Clause URL: https://github.com/intel/intel-sgx-ssl -Source0: https://github.com/intel/intel-sgx-ssl/archive/lin_%{version}_%{openssl_version}.zip +Source0: https://github.com/intel/intel-sgx-ssl/archive/intel-sgx-ssl-lin_%{version}_%{openssl_version}.zip Source1: https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz -Patch0: 0001-add-ocall-read-write.patch -Patch1: 0002-add-ocall-file-operation-and-getenv.patch -Patch2: 0003-modify-for-sp.patch +Patch0: 0001-Solution_to_issue_ssl_library_is_not_supported.patch +Patch1: sgxssl_fgets-adapt-glibc-2.35.patch -BuildRequires: gcc -BuildRequires: libsgx-launch libsgx-urts sgxsdk +BuildRequires: gcc gcc-c++ +BuildRequires: libsgx-launch libsgx-urts sgxsdk perl -Requires: glibc +Requires: glibc sgxsdk >= %{version}-%{release} %description The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic @@ -24,7 +23,7 @@ library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications. The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose -cryptography library. Supported OpenSSL version is 1.1.1g. +cryptography library. Supported OpenSSL version is 1.1.1l. %package devel @@ -40,10 +39,10 @@ Requires: %{name} = %{version}-%{release} %prep -%setup -q -n intel-sgx-ssl-lin_2.10_1.1.1g -%patch0 -p2 -%patch1 -p2 -%patch2 -p2 +%setup -q -n intel-sgx-ssl-lin_%{version}_%{openssl_version} +%patch0 -p1 +%patch1 -p1 + %build cp %{SOURCE1} openssl_source/ cd Linux @@ -64,15 +63,5 @@ cp License.txt $RPM_BUILD_ROOT/opt/intel/sgxssl/docs/ /opt/intel/sgxssl/include/* %changelog -* Sat Mar 20 2021 zhangguangzhi - 2.10-6 -- modify for sp -* Mon Feb 22 2021 chenmaodong - 2.10-5 -- add ocall file operation and getenv -* Tue Jan 26 2021 yanlu - 2.10-4 -- add ocall file operation and getenv -* Mon Jan 18 2021 yanlu - 2.10-3 -- add ocall read and write -* Mon Jan 18 2021 chenmaodong - 2.10-2 -- init -* Tue Dec 29 2020 chenmaodong - 2.10-1 +* Mon Jun 27 2022 wangyu - 2.15.1-1 - init diff --git a/openssl-1.1.1g.tar.gz b/openssl-1.1.1l.tar.gz similarity index 54% rename from openssl-1.1.1g.tar.gz rename to openssl-1.1.1l.tar.gz index e768f9e97cff5345aff2e9ae036345a2d65c238a..c8e2e0bd9e54123d19418d12cc7cd896f2449481 100644 Binary files a/openssl-1.1.1g.tar.gz and b/openssl-1.1.1l.tar.gz differ diff --git a/sgxssl_fgets-adapt-glibc-2.35.patch b/sgxssl_fgets-adapt-glibc-2.35.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc8a02b2734672df0263734b44516ff9c97b3e8a --- /dev/null +++ b/sgxssl_fgets-adapt-glibc-2.35.patch @@ -0,0 +1,41 @@ +From 554f95d343c231cdf97d96c876c3e8f6079ccc31 Mon Sep 17 00:00:00 2001 +From: houmingyong +Date: Mon, 27 Jun 2022 11:28:20 +0800 +Subject: [PATCH] sgxssl_fgets adapt glibc-2.35 + +--- + openssl_source/bypass_to_sgxssl.h | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/openssl_source/bypass_to_sgxssl.h b/openssl_source/bypass_to_sgxssl.h +index 9676726..c833bd2 100644 +--- a/openssl_source/bypass_to_sgxssl.h ++++ b/openssl_source/bypass_to_sgxssl.h +@@ -175,6 +175,8 @@ + + #else //_WIN32 + ++#include ++ + #define mmap sgxssl_mmap + #define munmap sgxssl_munmap + #define mprotect sgxssl_mprotect +@@ -194,7 +196,14 @@ + #define __fprintf_chk sgxssl_fprintf + #define __vfprintf_chk sgxssl_vfprintf + #define __fread_alias sgxssl_fread +-#define __fgets_alias sgxssl_fgets ++ ++# if defined(__GLIBC__) && defined(__GLIBC_PREREQ) ++# if __GLIBC_PREREQ(2, 35) ++# define __fgets_chk sgxssl_fgets ++# else ++# define __fgets_alias sgxssl_fgets ++# endif ++#endif + + #if defined(SGXSDK_INT_VERSION) && (SGXSDK_INT_VERSION > 18) + #define _longjmp longjmp +-- +2.23.0 +