Merge pull request #64 from NickolasLapp/master

Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt

.gitignore

@@ -22,6 +22,8 @@
 *.x86_64
 *.hex
 
+# IDE Temp Files
+**/*.swp
 
 # Android files
 android/wolfssljni-ndk-sample/bin

SGX_Linux/Makefile

@@ -0,0 +1,8 @@
+all:
+	$(MAKE) -f sgx_u.mk all
+	$(MAKE) -f sgx_t.mk all
+
+clean:
+	$(MAKE) -f sgx_u.mk clean
+	$(MAKE) -f sgx_t.mk clean
+

SGX_Linux/README.md

@@ -0,0 +1,72 @@
+# wolfSSL Linux Enclave Example
+
+This repository contains an example application, written in C, which demonstrates how to link with the wolfSSL lightweight SSL/TLS library with a simple Enclave using Linux. The example has been tested with Ubuntu 16.04.
+
+
+## Prerequisites
+
+First create the trusted static wolfssl library from `<wolfssl-root>/IDE/LINUX-SGX`. Steps for creating the static library can be found in `<wolfssl-root>/IDE/LINUX-SGX/README.md`
+
+## Build
+
+After creating the static library, build the example untrusted application using make. For make the user should specify:
+1. Specify SGX Mode. This can be either SIM or HW
+
+	`SGX_MODE=[SIM,HW]`
+
+2. Whether SGX should be built as Prerelease or regular release
+
+    `SGX_PRERELEASE=[1,0]`
+
+3. Specify if SGX Debug should be set. (This also controls whether wolfssl debug prints, if it was enabled at compile-time for the static library).
+
+    `SGX_DEBUG=[1,0]`
+
+4. The location of the prebuilt static library (this will probably point to `<wolfssl-root>/IDE/LINUX-SGX`)
+
+    `SGX_WOLFSSL_LIB=[location/to/libwolfssl.sgx.static.a]`
+
+5. The location of wolfssl root directory for the header files.
+
+    `WOLFSSL_ROOT=[location/to/wolfssl_root]`
+
+With these three options, simply call, for example:
+
+```make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=~/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0```
+
+### Expected Output
+
+![expected make results](README-images/expected-make-output.png)
+
+## Running
+After the application has been built, it should be tested against the default wolfssl example server. 
+
+### First, start the example server.
+    From <wolfssl-root> run:
+    ./examples/server/server
+
+### Then, start the SGX Application
+    ./App
+
+This will run three tests. The first is the wolfcrypt testsuite, which tests a variety of wolfcrypt functionality. The second is the wolfcrypt benchmark testsuite, which benchmarks some of the main wolfcrypt ciphers. Finally, a simple TLS client test is run which connects a TLS client, instantiated on the enclave, against the previously started example server running normally on the PC. The connection targets localhost:11111.
+
+### Expected Output
+
+![expected app results](README-images/expected-run-output-app.png)
+
+![expected server results](README-images/expected-run-output-server.png)
+
+## Limitations
+
+1) Single Threaded
+
+2) No Filesystem
+
+3) Untrusted Code Must Load Private Key/Certificate Chain
+
+    i) In order to successfully load a private key and certificate into the enclave, these APIs are exposed to the untrusted application. This means that the untrusted region must be "trusted" to load the correct Private Key/ Certificate to start a connection. This method of loading certificates should not be used for production code as it violates the trust assumptions for Intel's SGX. Contact <support@wolfssl.com> if you wish to use wolfSSL in your product.
+
+## Support
+
+Please contact wolfSSL at support@wolfssl.com with any questions, bug fixes, or suggested feature additions.
+

SGX_Linux/sgx_t.mk

@@ -0,0 +1,133 @@
+######## Intel(R) SGX SDK Settings ########
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= SIM
+SGX_ARCH ?= x64
+SGX_WOLFSSL_LIB ?= ./
+
+ifndef WOLFSSL_ROOT
+$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory.)
+endif
+
+ifeq ($(shell getconf LONG_BIT), 32)
+	SGX_ARCH := x86
+else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
+	SGX_ARCH := x86
+endif
+
+ifeq ($(SGX_ARCH), x86)
+	SGX_COMMON_CFLAGS := -m32
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+else
+	SGX_COMMON_CFLAGS := -m64
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+ifeq ($(SGX_PRERELEASE), 1)
+$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
+endif
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+        SGX_COMMON_CFLAGS += -O0 -g -DSGX_DEBUG
+else
+        SGX_COMMON_CFLAGS += -O2
+endif
+
+ifneq ($(SGX_MODE), HW)
+	Trts_Library_Name := sgx_trts_sim
+	Service_Library_Name := sgx_tservice_sim
+else
+	Trts_Library_Name := sgx_trts
+	Service_Library_Name := sgx_tservice
+endif
+
+Crypto_Library_Name := sgx_tcrypto
+
+
+Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/test/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/ \
+
+
+Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
+Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
+   								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
+								   -I$(SGX_SDK)/include/stlport
+
+Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
+Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths)-fno-builtin -fno-builtin-printf -I.
+Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
+
+Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+	-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
+	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
+	-Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
+	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
+	-Wl,--defsym,__ImageBase=0 \
+	-Wl,--version-script=trusted/Wolfssl_Enclave.lds
+
+Wolfssl_Enclave_C_Objects := $(Wolfssl_Enclave_C_Files:.c=.o)
+
+ifeq ($(SGX_MODE), HW)
+ifneq ($(SGX_DEBUG), 1)
+ifneq ($(SGX_PRERELEASE), 1)
+Build_Mode = HW_RELEASE
+endif
+endif
+endif
+
+
+.PHONY: all run
+
+ifeq ($(Build_Mode), HW_RELEASE)
+all: Wolfssl_Enclave.so
+	@echo "Build enclave Wolfssl_Enclave.so [$(Build_Mode)|$(SGX_ARCH)] success!"
+	@echo
+	@echo "*********************************************************************************************************************************************************"
+	@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
+	@echo "*********************************************************************************************************************************************************"
+	@echo
+else
+all: Wolfssl_Enclave.signed.so
+endif
+
+run: all
+ifneq ($(Build_Mode), HW_RELEASE)
+	@$(CURDIR)/app
+	@echo "RUN  =>  app [$(SGX_MODE)|$(SGX_ARCH), OK]"
+endif
+
+
+######## Wolfssl_Enclave Objects ########
+
+trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
+	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+	@echo "GEN  =>  $@"
+
+trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
+	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@echo "CC   <=  $<"
+
+trusted/%.o: trusted/%.c
+	@echo $(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@echo "CC  <=  $<"
+
+Wolfssl_Enclave.so: trusted/Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
+	@echo $(Wolfssl_Enclave_Link_Flags)@
+	@$(CXX) $^ -o $@ $(Wolfssl_Enclave_Link_Flags)
+	@echo "LINK =>  $@"
+
+Wolfssl_Enclave.signed.so: Wolfssl_Enclave.so
+	@$(SGX_ENCLAVE_SIGNER) sign -key trusted/Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config trusted/Wolfssl_Enclave.config.xml
+	@echo "SIGN =>  $@"
+clean:
+	@rm -f Wolfssl_Enclave.* trusted/Wolfssl_Enclave_t.*  $(Wolfssl_Enclave_C_Objects)

SGX_Linux/sgx_u.mk

@@ -0,0 +1,141 @@
+######## Intel(R) SGX SDK Settings ########
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= SIM
+SGX_ARCH ?= x64
+UNTRUSTED_DIR=untrusted
+SGX_WOLFSSL_LIB ?= ./
+
+ifndef WOLFSSL_ROOT
+$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory)
+endif
+
+
+
+ifeq ($(shell getconf LONG_BIT), 32)
+	SGX_ARCH := x86
+else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
+	SGX_ARCH := x86
+endif
+
+ifeq ($(SGX_ARCH), x86)
+	SGX_COMMON_CFLAGS := -m32
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+else
+	SGX_COMMON_CFLAGS := -m64
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+ifeq ($(SGX_PRERELEASE), 1)
+$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
+endif
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+        SGX_COMMON_CFLAGS += -O0 -g -DSGX_DEBUG
+else
+        SGX_COMMON_CFLAGS += -O2
+endif
+
+######## App Settings ########
+
+ifneq ($(SGX_MODE), HW)
+	Urts_Library_Name := sgx_urts_sim
+else
+	Urts_Library_Name := sgx_urts
+endif
+
+Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/test/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/ \
+
+App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c
+App_Include_Paths := -IInclude $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include
+
+App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)
+
+# Three configuration modes - Debug, prerelease, release
+#   Debug - Macro DEBUG enabled.
+#   Prerelease - Macro NDEBUG and EDEBUG enabled.
+#   Release - Macro NDEBUG enabled.
+ifeq ($(SGX_DEBUG), 1)
+        App_C_Flags += -DDEBUG -UNDEBUG -UEDEBUG
+else ifeq ($(SGX_PRERELEASE), 1)
+        App_C_Flags += -DNDEBUG -DEDEBUG -UDEBUG
+else
+        App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
+endif
+
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -lpthread
+
+ifneq ($(SGX_MODE), HW)
+	App_Link_Flags += -lsgx_uae_service_sim
+else
+	App_Link_Flags += -lsgx_uae_service
+endif
+
+App_C_Objects := $(App_C_Files:.c=.o)
+
+
+
+ifeq ($(SGX_MODE), HW)
+ifneq ($(SGX_DEBUG), 1)
+ifneq ($(SGX_PRERELEASE), 1)
+Build_Mode = HW_RELEASE
+endif
+endif
+endif
+
+
+.PHONY: all run
+
+ifeq ($(Build_Mode), HW_RELEASE)
+all: App
+	@echo "Build App [$(Build_Mode)|$(SGX_ARCH)] success!"
+	@echo
+	@echo "*********************************************************************************************************************************************************"
+	@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
+	@echo "*********************************************************************************************************************************************************"
+	@echo
+
+else
+all: App
+endif
+
+run: all
+ifneq ($(Build_Mode), HW_RELEASE)
+	@$(CURDIR)/App
+	@echo "RUN  =>  App [$(SGX_MODE)|$(SGX_ARCH), OK]"
+endif
+
+######## App Objects ########
+
+$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
+	@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
+	@echo "GEN  =>  $@"
+
+$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
+	@echo $(CC) $(App_C_Flags) -c $< -o $@
+	@$(CC) $(App_C_Flags) -c $< -o $@
+	@echo "CC   <=  $<"
+
+$(UNTRUSTED_DIR)/%.o: $(UNTRUSTED_DIR)/%.c
+	@echo $(CC) $(App_C_Flags) -c $< -o $@
+	@$(CC) $(App_C_Flags) -c $< -o $@
+	@echo "CC  <=  $<"
+
+App: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o $(App_C_Objects)
+	@$(CC) $^ -o $@ $(App_Link_Flags)
+	@echo "LINK =>  $@"
+
+
+.PHONY: clean
+
+clean:
+	@rm -f App $(App_C_Objects) $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.* 

SGX_Linux/trusted/Wolfssl_Enclave.c

@@ -0,0 +1,179 @@
+#include <stdarg.h>
+#include <stdio.h>      /* vsnprintf */
+
+#include "Wolfssl_Enclave_t.h"
+
+#include "sgx_trts.h"
+
+
+int wc_test(void* args)
+{
+	return wolfcrypt_test(args);
+}
+
+int wc_benchmark_test(void* args)
+{
+    return benchmark_test(args);
+}
+
+void enc_wolfSSL_Debugging_ON(void)
+{
+    wolfSSL_Debugging_ON();
+}
+
+void enc_wolfSSL_Debugging_OFF(void)
+{
+    wolfSSL_Debugging_OFF();
+}
+
+int enc_wolfSSL_Init(void)
+{
+    return wolfSSL_Init();
+}
+
+WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
+{
+    return wolfTLSv1_2_client_method();
+}
+
+WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
+{
+    if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_new(method);
+}
+
+int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
+        const unsigned char* buf, long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
+                                            long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+                                       long sz, int format)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
+}
+
+WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_new(ctx);
+}
+
+int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_set_fd(ssl, fd);
+}
+
+int enc_wolfSSL_connect(WOLFSSL* ssl)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_connect(ssl);
+}
+
+int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_write(ssl, in, sz);
+}
+
+int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_get_error(ssl, ret);
+}
+
+int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_read(ssl, data, sz);
+}
+
+void enc_wolfSSL_free(WOLFSSL* ssl)
+{
+    if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+        abort();
+    wolfSSL_free(ssl);
+}
+
+void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    wolfSSL_CTX_free(ctx);
+}
+
+int enc_wolfSSL_Cleanup(void)
+{
+    wolfSSL_Cleanup();
+}
+
+void printf(const char *fmt, ...)
+{
+    char buf[BUFSIZ] = {'\0'};
+    va_list ap;
+    va_start(ap, fmt);
+    vsnprintf(buf, BUFSIZ, fmt, ap);
+    va_end(ap);
+    ocall_print_string(buf);
+}
+
+int sprintf(char* buf, const char *fmt, ...)
+{
+    va_list ap;
+    int ret;
+    va_start(ap, fmt);
+    ret = vsnprintf(buf, BUFSIZ, fmt, ap);
+    va_end(ap);
+    return ret;
+}
+
+double current_time(void)
+{
+    double curr;
+    ocall_current_time(&curr);
+    return curr;
+}
+
+int LowResTimer(void) /* low_res timer */
+{
+    int time;
+    ocall_low_res_time(&time);
+    return time;
+}
+
+size_t recv(int sockfd, void *buf, size_t len, int flags)
+{
+    size_t ret;
+    int sgxStatus;
+    sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
+    return ret;
+}
+
+size_t send(int sockfd, const void *buf, size_t len, int flags)
+{
+    size_t ret;
+    int sgxStatus;
+    sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
+    return ret;
+}

SGX_Linux/trusted/Wolfssl_Enclave.config.xml

@@ -0,0 +1,9 @@
+<EnclaveConfiguration>
+  <ProdID>0</ProdID>
+  <ISVSVN>0</ISVSVN>
+  <StackMaxSize>0x400000</StackMaxSize>
+  <HeapMaxSize>0x1000000</HeapMaxSize>
+  <TCSNum>10</TCSNum>
+  <TCSPolicy>1</TCSPolicy>
+  <DisableDebug>0</DisableDebug>
+</EnclaveConfiguration>

SGX_Linux/trusted/Wolfssl_Enclave.edl

@@ -0,0 +1,56 @@
+/* Benchmark_Enclave.edl - Top EDL file. */
+enclave {
+	include "wolfssl/ssl.h"
+	include "wolfssl/wolfcrypt/settings.h"
+	include "wolfssl/wolfcrypt/types.h"
+
+    include "wolfcrypt/test/test.h"
+    include "wolfcrypt/benchmark/benchmark.h"
+
+
+    trusted {
+        public int wc_test([user_check]void* args);
+        public int wc_benchmark_test([user_check]void* args);
+
+		public int enc_wolfSSL_Init(void);
+		public void enc_wolfSSL_Debugging_ON(void);
+		public void enc_wolfSSL_Debugging_OFF(void);
+		public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void);
+		public WOLFSSL_CTX* enc_wolfSSL_CTX_new([user_check] WOLFSSL_METHOD* method);
+        public int enc_wolfSSL_CTX_use_PrivateKey_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+        public int enc_wolfSSL_CTX_load_verify_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+        public int enc_wolfSSL_CTX_use_certificate_chain_buffer_format([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+        public WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx);
+		public int enc_wolfSSL_set_fd([user_check]WOLFSSL* ssl, int fd);
+		public int enc_wolfSSL_connect([user_check]WOLFSSL* ssl);
+		public int enc_wolfSSL_write([user_check]WOLFSSL* ssl,
+									 [in, size=sz] const void* in,
+									 int sz);
+		public int enc_wolfSSL_get_error([user_check]WOLFSSL* ssl,
+										 int ret);
+		public int enc_wolfSSL_read([user_check]WOLFSSL* ssl,
+									[out, size=sz]void* out,
+									int sz);
+		public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
+		public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
+		public int enc_wolfSSL_Cleanup(void);
+    };
+
+    untrusted {
+        /* define OCALLs here. */
+        void ocall_print_string([in, string] const char* str);
+        void ocall_current_time([out] double* time);
+        void ocall_low_res_time([out] int* time);
+        size_t ocall_recv(int sockfd, [out, size=len] void *buf, size_t len, int flags) propagate_errno;
+        size_t ocall_send(int sockfd, [in, size=len] const void *buf, size_t len, int flags) propagate_errno;
+    };
+};

SGX_Linux/trusted/Wolfssl_Enclave.h

@@ -0,0 +1,16 @@
+#ifndef _BENCHMARK_ENCLAVE_H_
+#define _BENCHMARK_ENCLAVE_H_
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+void printf(const char *fmt, ...);
+int sprintf(char* buf, const char *fmt, ...);
+double current_time(void);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_BENCHMARK_ENCLAVE_H_ */

SGX_Linux/trusted/Wolfssl_Enclave.lds

@@ -0,0 +1,9 @@
+Benchmark_Enclave.so
+{
+    global:
+        g_global_data_sim;
+        g_global_data;
+        Benchmark_Enclave_entry;
+    local:
+        *;
+};

SGX_Linux/trusted/Wolfssl_Enclave_private.pem

@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAroOogvsj/fZDZY8XFdkl6dJmky0lRvnWMmpeH41Bla6U1qLZ
+AmZuyIF+mQC/cgojIsrBMzBxb1kKqzATF4+XwPwgKz7fmiddmHyYz2WDJfAjIveJ
+ZjdMjM4+EytGlkkJ52T8V8ds0/L2qKexJ+NBLxkeQLfV8n1mIk7zX7jguwbCG1Pr
+nEMdJ3Sew20vnje+RsngAzdPChoJpVsWi/K7cettX/tbnre1DL02GXc5qJoQYk7b
+3zkmhz31TgFrd9VVtmUGyFXAysuSAb3EN+5VnHGr0xKkeg8utErea2FNtNIgua8H
+ONfm9Eiyaav1SVKzPHlyqLtcdxH3I8Wg7yqMsaprZ1n5A1v/levxnL8+It02KseD
+5HqV4rf/cImSlCt3lpRg8U5E1pyFQ2IVEC/XTDMiI3c+AR+w2jSRB3Bwn9zJtFlW
+KHG3m1xGI4ck+Lci1JvWWLXQagQSPtZTsubxTQNx1gsgZhgv1JHVZMdbVlAbbRMC
+1nSuJNl7KPAS/VfzAgEDAoIBgHRXxaynbVP5gkO0ug6Qw/E27wzIw4SmjsxG6Wpe
+K7kfDeRskKxESdsA/xCrKkwGwhcx1iIgS5+Qscd1Yg+1D9X9asd/P7waPmWoZd+Z
+AhlKwhdPsO7PiF3e1AzHhGQwsUTt/Y/aSI1MpHBvy2/s1h9mFCslOUxTmWw0oj/Q
+ldIEgWeNR72CE2+jFIJIyml6ftnb6qzPiga8Bm48ubKh0kvySOqnkmnPzgh+JBD6
+JnBmtZbfPT97bwTT+N6rnPqOOApvfHPf15kWI8yDbprG1l4OCUaIUH1AszxLd826
+5IPM+8gINLRDP1MA6azECPjTyHXhtnSIBZCyWSVkc05vYmNXYUNiXWMajcxW9M02
+wKzFELO8NCEAkaTPxwo4SCyIjUxiK1LbQ9h8PSy4c1+gGP4LAMR8xqP4QKg6zdu9
+osUGG/xRe/uufgTBFkcjqBHtK5L5VI0jeNIUAgW/6iNbYXjBMJ0GfauLs+g1VsOm
+WfdgXzsb9DYdMa0OXXHypmV4GwKBwQDUwQj8RKJ6c8cT4vcWCoJvJF00+RFL+P3i
+Gx2DLERxRrDa8AVGfqaCjsR+3vLgG8V/py+z+dxZYSqeB80Qeo6PDITcRKoeAYh9
+xlT3LJOS+k1cJcEmlbbO2IjLkTmzSwa80fWexKu8/Xv6vv15gpqYl1ngYoqJM3pd
+vzmTIOi7MKSZ0WmEQavrZj8zK4endE3v0eAEeQ55j1GImbypSf7Idh7wOXtjZ7WD
+Dg6yWDrri+AP/L3gClMj8wsAxMV4ZR8CgcEA0fzDHkFa6raVOxWnObmRoDhAtE0a
+cjUj976NM5yyfdf2MrKy4/RhdTiPZ6b08/lBC/+xRfV3xKVGzacm6QjqjZrUpgHC
+0LKiZaMtccCJjLtPwQd0jGQEnKfMFaPsnhOc5y8qVkCzVOSthY5qhz0XNotHHFmJ
+gffVgB0iqrMTvSL7IA2yqqpOqNRlhaYhNl8TiFP3gIeMtVa9rZy31JPgT2uJ+kfo
+gV7sdTPEjPWZd7OshGxWpT6QfVDj/T9T7L6tAoHBAI3WBf2DFvxNL2KXT2QHAZ9t
+k3imC4f7U+wSE6zILaDZyzygA4RUbwG0gv8/TJVn2P/Eynf76DuWHGlaiLWnCbSz
+Az2DHBQBBaku409zDQym3j1ugMRjzzSQWzJg0SIyBH3hTmnYcn3+Uqcp/lEBvGW6
+O+rsXFt3pukqJmIV8HzLGGaLm62BHUeZf3dyWm+i3p/hQAL7Xvu04QW70xuGqdr5
+afV7p5eaeQIJXyGQJ0eylV/90+qxjMKiB1XYg6WYvwKBwQCL/ddpgOdHJGN8uRom
+e7Zq0Csi3hGheMKlKbN3vcxT5U7MdyHtTZZOJbTvxKNNUNYH/8uD+PqDGNneb29G
+BfGzvI3EASyLIcGZF3OhKwZd0jUrWk2y7Vhob91jwp2+t73vdMbkKyI4mHOuXvGv
+fg95si9oO7EBT+Oqvhccd2J+F1IVXncccYnF4u5ZGWt5lLewN/pVr7MjjykeaHqN
+t+rfnQam2psA6fL4zS2zTmZPzR2tnY8Y1GBTi0Ko1OKd1HMCgcAb5cB/7/AQlhP9
+yQa04PLH9ygQkKKptZp7dy5WcWRx0K/hAHRoi2aw1wZqfm7VBNu2SLcs90kCCCxp
+6C5sfJi6b8NpNbIPC+sc9wsFr7pGo9SFzQ78UlcWYK2Gu2FxlMjonhka5hvo4zvg
+WxlpXKEkaFt3gLd92m/dMqBrHfafH7VwOJY2zT3WIpjwuk0ZzmRg5p0pG/svVQEH
+NZmwRwlopysbR69B/n1nefJ84UO50fLh5s5Zr3gBRwbWNZyzhXk=
+-----END RSA PRIVATE KEY-----

SGX_Linux/untrusted/App.c

@@ -0,0 +1,120 @@
+/* App.c
+*
+* Copyright (C) 2006-2016 wolfSSL Inc.
+*
+* This file is part of wolfSSL.
+*
+* wolfSSL is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfSSL is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+
+#include "stdafx.h"
+#include "App.h" /* contains include of Enclave_u.h which has wolfSSL header files */
+#include "client-tls.h"
+
+/* Use Debug SGX ? */
+#if _DEBUG
+	#define DEBUG_VALUE SGX_DEBUG_FLAG
+#else
+	#define DEBUG_VALUE 1
+#endif
+
+typedef struct func_args {
+    int    argc;
+    char** argv;
+    int    return_code;
+} func_args;
+
+int main(int argc, char* argv[]) /* not using since just testing w/ wc_test */
+{
+	sgx_enclave_id_t id;
+	sgx_launch_token_t t;
+
+	int ret = 0;
+	int sgxStatus = 0;
+	int updated = 0;
+    func_args args = { 0 };
+
+	/* only print off if no command line arguments were passed in */
+	if (argc == 1) {
+		printf("Setting up Enclave ... ");
+	}
+
+	memset(t, 0, sizeof(sgx_launch_token_t));
+
+	ret = sgx_create_enclave(ENCLAVE_FILENAME, DEBUG_VALUE, &t, &updated, &id, NULL);
+	if (ret != SGX_SUCCESS) {
+		printf("Failed to create Enclave : error %d - %#x.\n", ret, ret);
+		return 1;
+	}
+
+    printf("\nCrypt Test:\n");
+    wc_test(id, &sgxStatus, &args);
+    printf("Crypt Test: Return code %d\n", args.return_code);
+    printf("\n\n\n");
+
+    memset(&args,0,sizeof(args));
+
+    printf("\nBenchmark Test:\n");
+    wc_benchmark_test(id, &sgxStatus, &args);
+    printf("Benchmark Test: Return code %d\n", args.return_code);
+    printf("\n\n\n");
+
+    printf("\nClient Test:\n");
+    client_connect(id);
+
+	return 0;
+}
+
+static double current_time()
+{
+	struct timeval tv;
+	gettimeofday(&tv,NULL);
+
+	return (double)(1000000 * tv.tv_sec + tv.tv_usec)/1000000.0;
+}
+
+void ocall_print_string(const char *str)
+{
+    /* Proxy/Bridge will check the length and null-terminate 
+     * the input string to prevent buffer overflow. 
+     */ printf("%s", str);
+}
+
+void ocall_current_time(double* time)
+{
+    if(!time) return;
+    *time = current_time();
+    return;
+}
+
+void ocall_low_res_time(int* time)
+{
+    struct timeval tv;
+    if(!time) return;
+    *time = tv.tv_sec;
+    return;
+}
+
+size_t ocall_recv(int sockfd, void *buf, size_t len, int flags)
+{
+    return recv(sockfd, buf, len, flags);
+}
+
+size_t ocall_send(int sockfd, const void *buf, size_t len, int flags)
+{
+    return send(sockfd, buf, len, flags);
+}
+

SGX_Linux/untrusted/App.h

@@ -0,0 +1,40 @@
+/* App.h
+*
+* Copyright (C) 2006-2016 wolfSSL Inc.
+*
+* This file is part of wolfSSL.
+*
+* wolfSSL is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfSSL is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+#ifndef BENCHMARKS_H
+#define BENCHMARKS_H
+
+#include "sgx_urts.h"	 /* Manages Enclave */
+#include <sys/types.h> /* for send/recv */
+#include <sys/socket.h> /* for send/recv */
+
+#include "Wolfssl_Enclave_u.h"   /* contains untrusted wrapper functions used to call enclave functions*/
+
+#define BENCH_RSA
+#define ENCLAVE_FILENAME "Wolfssl_Enclave.signed.so"
+
+enum BenchmarkBounds {
+	/* these numbers are lower then default wolfSSL one to collect benchmark values faster for GUI */
+	numBlocks = 10, /* how many megs to test */
+	ntimes = 30 /* how many itteration to run RSA decrypt/encrypt */
+};
+
+#endif

SGX_Linux/untrusted/client-tls.c

@@ -0,0 +1,166 @@
+/* client-tls.c
+ *
+ * Copyright (C) 2006-2016 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+#include "client-tls.h"
+
+#include    <stdio.h>
+#include    <stdlib.h>
+#include    <string.h>
+#include    <errno.h>
+#include    <arpa/inet.h>
+#include    <wolfssl/ssl.h>          /* wolfSSL secure read/write methods */
+#include    <wolfssl/certs_test.h>
+
+#define MAXDATASIZE  4096           /* maximum acceptable amount of data */
+#define SERV_PORT    11111          /* define default port number */
+
+int client_connect(sgx_enclave_id_t id)
+{
+    int     sgxStatus;
+
+    int     sockfd;                         /* socket file descriptor */
+    struct  sockaddr_in servAddr;           /* struct for server address */
+    int     ret = 0;                        /* variable for error checking */
+
+    WOLFSSL_METHOD* method;
+    WOLFSSL_CTX*    ctx;
+    WOLFSSL*        ssl;
+
+
+    /* data to send to the server, data recieved from the server */
+    char    sendBuff[] = "Hello WolfSSL!";
+    char rcvBuff[MAXDATASIZE] = {0};
+
+    /* internet address family, stream based tcp, default protocol */
+    sockfd = socket(AF_INET, SOCK_STREAM, 0);
+
+    if (sockfd < 0) {
+        printf("Failed to create socket. errno: %i\n", errno);
+        return EXIT_FAILURE;
+    }
+
+    memset(&servAddr, 0, sizeof(servAddr)); /* clears memory block for use */
+    servAddr.sin_family = AF_INET;          /* sets addressfamily to internet*/
+    servAddr.sin_port = htons(SERV_PORT);   /* sets port to defined port */
+
+    /* looks for the server at the entered address (ip in the command line) */
+    if (inet_pton(AF_INET, "127.0.0.1", &servAddr.sin_addr) < 1) {
+        /* checks validity of address */
+        ret = errno;
+        printf("Invalid Address. errno: %i\n", ret);
+        return EXIT_FAILURE;
+    }
+
+    if (connect(sockfd, (struct sockaddr *) &servAddr, sizeof(servAddr)) < 0) {
+        ret = errno;
+        printf("Connect error. Error: %i\n", ret);
+        return EXIT_FAILURE;
+    }
+#ifdef SGX_DEBUG
+    enc_wolfSSL_Debugging_ON(id);
+#else
+    enc_wolfSSL_Debugging_OFF(id);
+#endif
+
+    enc_wolfSSL_Init(id, &sgxStatus);
+
+    sgxStatus = enc_wolfTLSv1_2_client_method(id, &method);
+    if (sgxStatus != SGX_SUCCESS || method == NULL) {
+        printf("wolfTLSv1_2_client_method failure\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_CTX_new(id, &ctx, method);
+    if (sgxStatus != SGX_SUCCESS || ctx == NULL) {
+        printf("wolfSSL_CTX_new failure\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_CTX_use_certificate_chain_buffer_format(id, &ret, ctx,
+            client_cert_der_2048, sizeof_client_cert_der_2048, SSL_FILETYPE_ASN1);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("enc_wolfSSL_CTX_use_certificate_chain_buffer_format failure\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(id, &ret, ctx,
+            client_key_der_2048, sizeof_client_key_der_2048, SSL_FILETYPE_ASN1);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("wolfSSL_CTX_use_PrivateKey_buffer failure\n");
+        return EXIT_FAILURE;
+    }
+
+
+    sgxStatus = enc_wolfSSL_CTX_load_verify_buffer(id, &ret,
+            ctx, ca_cert_der_2048, sizeof_ca_cert_der_2048, SSL_FILETYPE_ASN1);
+
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS)
+    {
+        printf("Error loading cert\n");
+        return EXIT_FAILURE;
+    }
+
+
+    sgxStatus = enc_wolfSSL_new(id, &ssl, ctx);
+
+    if (sgxStatus != SGX_SUCCESS || ssl == NULL) {
+        printf("wolfSSL_new error.\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_set_fd(id, &ret, ssl, sockfd);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("wolfSSL_set_fd failure\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_connect(id, &ret, ssl);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("Failed to connect to server\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_write(id, &ret, ssl, sendBuff, strlen(sendBuff));
+
+    if (sgxStatus != SGX_SUCCESS || ret != strlen(sendBuff)) {
+        /* the message is not able to send, or error trying */
+        sgxStatus = enc_wolfSSL_get_error(id, &ret, ssl, 0);
+        printf("Write error: Error: %i\n", ret);
+        return EXIT_FAILURE;
+    }
+
+
+    sgxStatus = enc_wolfSSL_read(id, &ret, ssl, rcvBuff, MAXDATASIZE);
+
+    if (sgxStatus != SGX_SUCCESS || ret < 0) {
+        /* the server failed to send data, or error trying */
+        sgxStatus = enc_wolfSSL_get_error(id, &ret, ssl, 0);
+        printf("Read error. Error: %i\n", ret);
+        return EXIT_FAILURE;
+    }
+    printf("Recieved: \t%s\n", rcvBuff);
+
+    /* frees all data before client termination */
+    enc_wolfSSL_free(id, ssl);
+    enc_wolfSSL_CTX_free(id, ctx);
+    enc_wolfSSL_Cleanup(id, &ret);
+
+    return ret;
+}

SGX_Linux/untrusted/client-tls.h

@@ -0,0 +1,30 @@
+/* client-tls.h
+*
+* Copyright (C) 2006-2016 wolfSSL Inc.
+*
+* This file is part of wolfSSL.
+*
+* wolfSSL is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfSSL is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+#ifndef CLIENT_TLS_H
+#define CLIENT_TLS_H
+
+#include "sgx_urts.h"	 /* for enclave_id etc.*/
+#include "Wolfssl_Enclave_u.h"   /* contains untrusted wrapper functions used to call enclave functions*/
+
+int client_connect(sgx_enclave_id_t id);
+
+#endif /* CLIENT_TLS_H */

SGX_Linux/untrusted/stdafx.h

@@ -0,0 +1,13 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/time.h>
+
+// TODO: reference additional headers your program requires here