From 1862c108d7e3be47a3d6fe18f406df444ae36e6e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Sun, 29 Dec 2019 22:10:35 -0700 Subject: [PATCH] remove user_check arguments in edl and add tables to hold SSL / CTX --- SGX_Linux/README.md | 2 + SGX_Linux/trusted/Wolfssl_Enclave.c | 263 +++++++++++++++----------- SGX_Linux/trusted/Wolfssl_Enclave.edl | 79 ++++---- SGX_Linux/untrusted/client-tls.c | 8 +- SGX_Linux/untrusted/server-tls.c | 8 +- 5 files changed, 202 insertions(+), 158 deletions(-) diff --git a/SGX_Linux/README.md b/SGX_Linux/README.md index d308d2c7..24abca09 100644 --- a/SGX_Linux/README.md +++ b/SGX_Linux/README.md @@ -95,6 +95,8 @@ This will connect an enclave client, in one enclave, to an enclave server, in a i) In order to successfully load a private key and certificate into the enclave, these APIs are exposed to the untrusted application. This means that the untrusted region must be "trusted" to load the correct Private Key/ Certificate to start a connection. This method of loading certificates should not be used for production code as it violates the trust assumptions for Intel's SGX. Contact if you wish to use wolfSSL in your product. +4) Default max number of WOLFSSL_CTX and WOLFSSL structures set to 2. This was introduced as a side effect of avoiding passing the pointers of the opaque structures from untrusted to trusted code. + ## Support Please contact wolfSSL at support@wolfssl.com with any questions, bug fixes, or suggested feature additions. diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.c b/SGX_Linux/trusted/Wolfssl_Enclave.c index 5da811d7..2b4bbc32 100644 --- a/SGX_Linux/trusted/Wolfssl_Enclave.c +++ b/SGX_Linux/trusted/Wolfssl_Enclave.c @@ -10,6 +10,86 @@ #warning verfication of heap hint pointers needed when overriding default malloc/free #endif + +/* Max number of WOLFSSL_CTX's */ +#ifndef MAX_WOLFSSL_CTX +#define MAX_WOLFSSL_CTX 2 +#endif +WOLFSSL_CTX* CTX_TABLE[MAX_WOLFSSL_CTX]; + +/* Max number of WOLFSSL's */ +#ifndef MAX_WOLFSSL +#define MAX_WOLFSSL 2 +#endif +WOLFSSL* SSL_TABLE[MAX_WOLFSSL]; + +/* returns ID assigned on success and -1 on failure + * @TODO mutex for threaded use cases */ +static long AddCTX(WOLFSSL_CTX* ctx) +{ + long i; + for (i = 0; i < MAX_WOLFSSL_CTX; i++) { + if (CTX_TABLE[i] == NULL) { + CTX_TABLE[i] = ctx; + return i; + } + } + return -1; +} + + +/* returns ID assigned on success and -1 on failure + * @TODO mutex for threaded use cases */ +static long AddSSL(WOLFSSL* ssl) +{ + long i; + for (i = 0; i < MAX_WOLFSSL; i++) { + if (SSL_TABLE[i] == NULL) { + SSL_TABLE[i] = ssl; + return i; + } + } + return -1; +} + + +/* returns the WOLFSSL_CTX pointer on success and NULL on failure */ +static WOLFSSL_CTX* GetCTX(long id) +{ + if (id >= MAX_WOLFSSL_CTX || id < 0) + return NULL; + return CTX_TABLE[id]; +} + + +/* returns the WOLFSSL pointer on success and NULL on failure */ +static WOLFSSL* GetSSL(long id) +{ + if (id >= MAX_WOLFSSL || id < 0) + return NULL; + return SSL_TABLE[id]; +} + + +/* Free's and removes the WOLFSSL_CTX associated with 'id' */ +static void RemoveCTX(long id) +{ + if (id >= MAX_WOLFSSL_CTX || id < 0) + return; + wolfSSL_CTX_free(CTX_TABLE[id]); + CTX_TABLE[id] = NULL; +} + + +/* Free's and removes the WOLFSSL associated with 'id' */ +static void RemoveSSL(long id) +{ + if (id >= MAX_WOLFSSL || id < 0) + return; + wolfSSL_free(SSL_TABLE[id]); + SSL_TABLE[id] = NULL; +} + #if defined(WOLFSSL_STATIC_MEMORY) /* check on heap hint when used, aborts if pointer is not in Enclave. * In the default case where wolfSSL_Malloc is used the heap hint pointer is not @@ -63,180 +143,145 @@ int enc_wolfSSL_Init(void) return wolfSSL_Init(); } -WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void) + +#define WOLFTLSv12_CLIENT 1 +#define WOLFTLSv12_SERVER 2 + +long enc_wolfTLSv1_2_client_method(void) { - return wolfTLSv1_2_client_method(); + return WOLFTLSv12_CLIENT; } -WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void) +long enc_wolfTLSv1_2_server_method(void) { - return wolfTLSv1_2_server_method(); + return WOLFTLSv12_SERVER; } -WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method) +/* returns method releated to id */ +static WOLFSSL_METHOD* GetMethod(long id) { - if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1) - abort(); - return wolfSSL_CTX_new(method); + switch (id) { + case WOLFTLSv12_CLIENT: return wolfTLSv1_2_client_method(); + case WOLFTLSv12_SERVER: return wolfTLSv1_2_server_method(); + default: + return NULL; + } } -int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, + +long enc_wolfSSL_CTX_new(long method) +{ + WOLFSSL_CTX* ctx; + long id = -1; + + ctx = wolfSSL_CTX_new(GetMethod(method)); + if (ctx != NULL) { + id = AddCTX(ctx); + } + return id; +} + +int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(long id, const unsigned char* buf, long sz, int type) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif - + WOLFSSL_CTX* ctx = GetCTX(id); return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type); } -int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx, +int enc_wolfSSL_CTX_use_certificate_buffer(long id, const unsigned char* buf, long sz, int type) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif - + WOLFSSL_CTX* ctx = GetCTX(id); return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type); } -int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf, +int enc_wolfSSL_CTX_use_PrivateKey_buffer(long id, const unsigned char* buf, long sz, int type) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif - + WOLFSSL_CTX* ctx = GetCTX(id); return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type); } -int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, +int enc_wolfSSL_CTX_load_verify_buffer(long id, const unsigned char* in, long sz, int format) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif - + WOLFSSL_CTX* ctx = GetCTX(id); return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format); } -int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif +int enc_wolfSSL_CTX_set_cipher_list(long id, const char* list) +{ + WOLFSSL_CTX* ctx = GetCTX(id); return wolfSSL_CTX_set_cipher_list(ctx, list); } -WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx) +long enc_wolfSSL_new(long id) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - return wolfSSL_new(ctx); + WOLFSSL_CTX* ctx; + WOLFSSL* ssl; + long ret = -1; + + ctx = GetCTX(id); + ssl = wolfSSL_new(ctx); + if (ssl != NULL) { + ret = AddSSL(ssl); + } + return ret; } -int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd) +int enc_wolfSSL_set_fd(long sslId, int fd) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - + WOLFSSL* ssl = GetSSL(sslId); return wolfSSL_set_fd(ssl, fd); } -int enc_wolfSSL_connect(WOLFSSL* ssl) +int enc_wolfSSL_connect(long sslId) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - + WOLFSSL* ssl = GetSSL(sslId); return wolfSSL_connect(ssl); } -int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz) +int enc_wolfSSL_write(long sslId, const void* in, int sz) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - + WOLFSSL* ssl = GetSSL(sslId); return wolfSSL_write(ssl, in, sz); } -int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret) +int enc_wolfSSL_get_error(long sslId, int ret) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - + WOLFSSL* ssl = GetSSL(sslId); return wolfSSL_get_error(ssl, ret); } -int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz) +int enc_wolfSSL_read(long sslId, void* data, int sz) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - + WOLFSSL* ssl = GetSSL(sslId); return wolfSSL_read(ssl, data, sz); } -void enc_wolfSSL_free(WOLFSSL* ssl) +void enc_wolfSSL_free(long sslId) { - if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(NULL, ssl); -#endif - - wolfSSL_free(ssl); + RemoveSSL(sslId); } -void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx) +void enc_wolfSSL_CTX_free(long id) { - if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1) - abort(); - -#if defined(WOLFSSL_STATIC_MEMORY) - checkHeapHint(ctx, NULL); -#endif - - wolfSSL_CTX_free(ctx); + RemoveCTX(id); } int enc_wolfSSL_Cleanup(void) { + long id; + + /* free up all WOLFSSL's */ + for (id = 0; id < MAX_WOLFSSL; id++) + RemoveSSL(id); + + /* free up all WOLFSSL_CTX's */ + for (id = 0; id < MAX_WOLFSSL_CTX; id++) + RemoveCTX(id); wolfSSL_Cleanup(); } diff --git a/SGX_Linux/trusted/Wolfssl_Enclave.edl b/SGX_Linux/trusted/Wolfssl_Enclave.edl index 9a51b0ff..7f539227 100644 --- a/SGX_Linux/trusted/Wolfssl_Enclave.edl +++ b/SGX_Linux/trusted/Wolfssl_Enclave.edl @@ -1,8 +1,8 @@ /* Benchmark_Enclave.edl - Top EDL file. */ enclave { - include "wolfssl/ssl.h" - include "wolfssl/wolfcrypt/settings.h" - include "wolfssl/wolfcrypt/types.h" + include "wolfssl/ssl.h" + include "wolfssl/wolfcrypt/settings.h" + include "wolfssl/wolfcrypt/types.h" include "wolfcrypt/test/test.h" include "wolfcrypt/benchmark/benchmark.h" @@ -11,44 +11,41 @@ enclave { public int wc_test([user_check]void* args); public int wc_benchmark_test([user_check]void* args); - public int enc_wolfSSL_Init(void); - public void enc_wolfSSL_Debugging_ON(void); - public void enc_wolfSSL_Debugging_OFF(void); - public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void); - public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void); - public WOLFSSL_CTX* enc_wolfSSL_CTX_new([user_check] WOLFSSL_METHOD* method); - public int enc_wolfSSL_CTX_use_PrivateKey_buffer([user_check] WOLFSSL_CTX* ctx, - [in, size=sz] const unsigned char* buf, - long sz, - int type); - public int enc_wolfSSL_CTX_load_verify_buffer([user_check] WOLFSSL_CTX* ctx, - [in, size=sz] const unsigned char* buf, - long sz, - int type); - public int enc_wolfSSL_CTX_use_certificate_chain_buffer_format([user_check] WOLFSSL_CTX* ctx, - [in, size=sz] const unsigned char* buf, - long sz, - int type); - public int enc_wolfSSL_CTX_use_certificate_buffer([user_check] WOLFSSL_CTX* ctx, - [in, size=sz] const unsigned char* buf, - long sz, - int type); - public int enc_wolfSSL_CTX_set_cipher_list([user_check] WOLFSSL_CTX* ctx, - [in, string] const char* list); - public WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx); - public int enc_wolfSSL_set_fd([user_check]WOLFSSL* ssl, int fd); - public int enc_wolfSSL_connect([user_check]WOLFSSL* ssl); - public int enc_wolfSSL_write([user_check]WOLFSSL* ssl, - [in, size=sz] const void* in, - int sz); - public int enc_wolfSSL_get_error([user_check]WOLFSSL* ssl, - int ret); - public int enc_wolfSSL_read([user_check]WOLFSSL* ssl, - [out, size=sz]void* out, - int sz); - public void enc_wolfSSL_free([user_check]WOLFSSL* ssl); - public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx); - public int enc_wolfSSL_Cleanup(void); + public int enc_wolfSSL_Init(void); + public void enc_wolfSSL_Debugging_ON(void); + public void enc_wolfSSL_Debugging_OFF(void); + public long enc_wolfTLSv1_2_client_method(void); + public long enc_wolfTLSv1_2_server_method(void); + public long enc_wolfSSL_CTX_new(long method); + public int enc_wolfSSL_CTX_use_PrivateKey_buffer(long ctxId, + [in, size=sz] const unsigned char* buf, + long sz, int type); + public int enc_wolfSSL_CTX_load_verify_buffer(long ctxId, + [in, size=sz] const unsigned char* buf, + long sz, int type); + public int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(long ctxId, + [in, size=sz] const unsigned char* buf, + long sz, int type); + public int enc_wolfSSL_CTX_use_certificate_buffer(long ctxId, + [in, size=sz] const unsigned char* buf, + long sz, + int type); + public int enc_wolfSSL_CTX_set_cipher_list(long ctxId, + [in, string] const char* list); + public long enc_wolfSSL_new(long ctxId); + public int enc_wolfSSL_set_fd(long sslId, int fd); + public int enc_wolfSSL_connect(long sslId); + public int enc_wolfSSL_write(long sslId, + [in, size=sz] const void* in, + int sz); + public int enc_wolfSSL_get_error(long sslId, + int ret); + public int enc_wolfSSL_read(long sslId, + [out, size=sz]void* out, + int sz); + public void enc_wolfSSL_free(long sslId); + public void enc_wolfSSL_CTX_free(long ctxId); + public int enc_wolfSSL_Cleanup(void); }; untrusted { diff --git a/SGX_Linux/untrusted/client-tls.c b/SGX_Linux/untrusted/client-tls.c index 55e9b8af..7fc5fe72 100644 --- a/SGX_Linux/untrusted/client-tls.c +++ b/SGX_Linux/untrusted/client-tls.c @@ -40,8 +40,8 @@ int client_connect(sgx_enclave_id_t id) int ret = 0; /* variable for error checking */ WOLFSSL_METHOD* method; - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; + long ctx; + long ssl; /* data to send to the server, data recieved from the server */ @@ -88,7 +88,7 @@ int client_connect(sgx_enclave_id_t id) } sgxStatus = enc_wolfSSL_CTX_new(id, &ctx, method); - if (sgxStatus != SGX_SUCCESS || ctx == NULL) { + if (sgxStatus != SGX_SUCCESS || ctx < 0) { printf("wolfSSL_CTX_new failure\n"); return EXIT_FAILURE; } @@ -120,7 +120,7 @@ int client_connect(sgx_enclave_id_t id) sgxStatus = enc_wolfSSL_new(id, &ssl, ctx); - if (sgxStatus != SGX_SUCCESS || ssl == NULL) { + if (sgxStatus != SGX_SUCCESS || ssl < 0) { printf("wolfSSL_new error.\n"); return EXIT_FAILURE; } diff --git a/SGX_Linux/untrusted/server-tls.c b/SGX_Linux/untrusted/server-tls.c index d0682762..963e16d8 100644 --- a/SGX_Linux/untrusted/server-tls.c +++ b/SGX_Linux/untrusted/server-tls.c @@ -57,8 +57,8 @@ int server_connect(sgx_enclave_id_t id) const char* reply = "I hear ya fa shizzle!\n"; /* declare wolfSSL objects */ - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; + long ctx; + long ssl; WOLFSSL_METHOD* method; @@ -89,7 +89,7 @@ int server_connect(sgx_enclave_id_t id) } sgxStatus = enc_wolfSSL_CTX_new(id, &ctx, method); - if (sgxStatus != SGX_SUCCESS || ctx == NULL) { + if (sgxStatus != SGX_SUCCESS || ctx < 0) { printf("wolfSSL_CTX_new failure\n"); return EXIT_FAILURE; } @@ -142,7 +142,7 @@ int server_connect(sgx_enclave_id_t id) sgxStatus = enc_wolfSSL_new(id, &ssl, ctx); - if (sgxStatus != SGX_SUCCESS || ssl == NULL) { + if (sgxStatus != SGX_SUCCESS || ssl < 0) { printf("wolfSSL_new failure\n"); return EXIT_FAILURE; }