Updates to LINUX-SGX to add server support, not compile in benchmark

and wolfcrypt tests by default.

SGX_Linux/Makefile

@@ -1,8 +1,19 @@
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= SIM
+SGX_ARCH ?= x64
+SGX_WOLFSSL_LIB ?= ./
+
+ifndef WOLFSSL_ROOT
+$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory)
+endif
+
+
+
 all:
-	$(MAKE) -f sgx_u.mk all
-	$(MAKE) -f sgx_t.mk all
+	$(MAKE) -ef sgx_u.mk all
+	$(MAKE) -ef sgx_t.mk all
 
 clean:
-	$(MAKE) -f sgx_u.mk clean
-	$(MAKE) -f sgx_t.mk clean
+	$(MAKE) -ef sgx_u.mk clean
+	$(MAKE) -ef sgx_t.mk clean
 

SGX_Linux/README.md

@@ -30,32 +30,55 @@ After creating the static library, build the example untrusted application using
 
     `WOLFSSL_ROOT=[location/to/wolfssl_root]`
 
+6. Whether benchmark tests have been enabled. *NOTE: These must be enabled during compilation of the static library as well. See the README in `<wolfssl-root>/IDE/LINUX-SGX/README.md`*
+
+    `HAVE_WOLFSSL_BENCHMARK=[0/1]`
+
+6. Whether wolfcrypt tests have been enabled. *NOTE: These must be enabled during compilation of the static library as well. See the README in `<wolfssl-root>/IDE/LINUX-SGX/README.md`*
+
+    `HAVE_WOLFSSL_TEST=[0/1]`
+
+
 With these three options, simply call, for example:
 
-```make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=~/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0```
+```make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=~/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=1```
 
 ### Expected Output
 
 ![expected make results](README-images/expected-make-output.png)
 
 ## Running
-After the application has been built, it should be tested against the default wolfssl example server. 
+After building, the user can specify one of a set of options to be run via the command line. These are:
 
-### First, start the example server.
-    From <wolfssl-root> run:
-    ./examples/server/server
+* -c: Run a TLS Client in an enclave
+  * This option runs an example TLS client in enclave to connect to a server on port 11111.
+* -s: Run a TLS Server in an enclave
+  * This option runs an example TLS server in enclave to receive clients on port 11111.
+* -t: Run wolfCrypt tests in an enclave
+  * This option runs the wolfCrypt tests. *NOTE: These must be enabled during compilation of the static library as well. See the README in `<wolfssl-root>/IDE/LINUX-SGX/README.md`*
+* -b: Run wolfCrypt benchmarks in an enclave
+  * This option runs the wolfCrypt benchmarks in an enclave. These benchmarks will be somewhat faster than standard benchmarks because the benchmarks are operating entirely within the enclave and buffers don't need to be moved across the enclave boundary between calls. *NOTE: These must be enabled during compilation of the static library as well. See the README in `<wolfssl-root>/IDE/LINUX-SGX/README.md`*
 
-### Then, start the SGX Application
-    ./App
+To test the enclave client against the enclave server:
 
-This will run three tests. The first is the wolfcrypt testsuite, which tests a variety of wolfcrypt functionality. The second is the wolfcrypt benchmark testsuite, which benchmarks some of the main wolfcrypt ciphers. Finally, a simple TLS client test is run which connects a TLS client, instantiated on the enclave, against the previously started example server running normally on the PC. The connection targets localhost:11111.
+### First, start the enclave server.
+    ./App -s
+
+### Then, start the enclave client
+    ./App -c
+
+This will connect an enclave client, in one enclave, to an enclave server, in a second enclave. These can also be replaced by the wolfssl example client/server. For example, to test a standard client against an enclave server, start the enclave server and then run <wolfssl-root>/examples/client/client.
 
 ### Expected Output
 
-![expected app results](README-images/expected-run-output-app.png)
+![expected client results](README-images/expected-run-output-client.png)
 
 ![expected server results](README-images/expected-run-output-server.png)
 
+![expected test results](README-images/expected-run-output-test.png)
+
+![expected benchmark results](README-images/expected-run-output-benchmark.png)
+
 ## Limitations
 
 1) Single Threaded

SGX_Linux/sgx_t.mk

@@ -1,13 +1,4 @@
 ######## Intel(R) SGX SDK Settings ########
-SGX_SDK ?= /opt/intel/sgxsdk
-SGX_MODE ?= SIM
-SGX_ARCH ?= x64
-SGX_WOLFSSL_LIB ?= ./
-
-ifndef WOLFSSL_ROOT
-$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory.)
-endif
-
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -51,9 +42,7 @@ Crypto_Library_Name := sgx_tcrypto
 
 Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
 Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/test/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/
 
 
 Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
@@ -61,6 +50,17 @@ Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
    								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
 								   -I$(SGX_SDK)/include/stlport
 
+ifeq ($(HAVE_WOLFSSL_TEST), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
+endif
+
+ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
+endif
+
+
 Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
 Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths)-fno-builtin -fno-builtin-printf -I.
 Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
@@ -76,6 +76,9 @@ Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib
 
 Wolfssl_Enclave_C_Objects := $(Wolfssl_Enclave_C_Files:.c=.o)
 
+
+
+
 ifeq ($(SGX_MODE), HW)
 ifneq ($(SGX_DEBUG), 1)
 ifneq ($(SGX_PRERELEASE), 1)

SGX_Linux/sgx_u.mk

@@ -1,16 +1,5 @@
 ######## Intel(R) SGX SDK Settings ########
-SGX_SDK ?= /opt/intel/sgxsdk
-SGX_MODE ?= SIM
-SGX_ARCH ?= x64
 UNTRUSTED_DIR=untrusted
-SGX_WOLFSSL_LIB ?= ./
-
-ifndef WOLFSSL_ROOT
-$(error WOLFSSL_ROOT is not set. Please set to root wolfssl directory)
-endif
-
-
-
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
 else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
@@ -51,11 +40,21 @@ endif
 
 Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
 Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/test/ \
-						 -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/
 
-App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c
+ifeq ($(HAVE_WOLFSSL_TEST), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
+endif
+
+ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
+endif
+
+
+
+App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/client-tls.c $(UNTRUSTED_DIR)/server-tls.c
 App_Include_Paths := -IInclude $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include
 
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)

SGX_Linux/trusted/Wolfssl_Enclave.c

@@ -8,12 +8,23 @@
 
 int wc_test(void* args)
 {
+#ifdef HAVE_WOLFSSL_TEST
 	return wolfcrypt_test(args);
+#else
+    /* wolfSSL test not compiled in! */
+    return -1;
+#endif /* HAVE_WOLFSSL_TEST */
 }
 
 int wc_benchmark_test(void* args)
 {
+
+#ifdef HAVE_WOLFSSL_BENCHMARK
     return benchmark_test(args);
+#else
+    /* wolfSSL benchmark not compiled in! */
+    return -1;
+#endif /* HAVE_WOLFSSL_BENCHMARK */
 }
 
 void enc_wolfSSL_Debugging_ON(void)
@@ -36,6 +47,12 @@ WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
     return wolfTLSv1_2_client_method();
 }
 
+WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
+{
+    return wolfTLSv1_2_server_method();
+}
+
+
 WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
 {
     if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
@@ -51,6 +68,14 @@ int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
     return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
 }
 
+int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
+        const unsigned char* buf, long sz, int type)
+{
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
+}
+
 int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
                                             long sz, int type)
 {
@@ -67,6 +92,12 @@ int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in
     return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
 }
 
+int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
+    if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+        abort();
+    return wolfSSL_CTX_set_cipher_list(ctx, list);
+}
+
 WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
 {
     if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)

SGX_Linux/trusted/Wolfssl_Enclave.edl

@@ -7,7 +7,6 @@ enclave {
     include "wolfcrypt/test/test.h"
     include "wolfcrypt/benchmark/benchmark.h"
 
-
     trusted {
         public int wc_test([user_check]void* args);
         public int wc_benchmark_test([user_check]void* args);
@@ -16,6 +15,7 @@ enclave {
 		public void enc_wolfSSL_Debugging_ON(void);
 		public void enc_wolfSSL_Debugging_OFF(void);
 		public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void);
+		public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void);
 		public WOLFSSL_CTX* enc_wolfSSL_CTX_new([user_check] WOLFSSL_METHOD* method);
         public int enc_wolfSSL_CTX_use_PrivateKey_buffer([user_check] WOLFSSL_CTX* ctx,
 												[in, size=sz] const unsigned char* buf,
@@ -29,6 +29,12 @@ enclave {
 												[in, size=sz] const unsigned char* buf,
 												long sz,
 												int type);
+        public int enc_wolfSSL_CTX_use_certificate_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+        public int enc_wolfSSL_CTX_set_cipher_list([user_check] WOLFSSL_CTX* ctx,
+												[in, string] const char* list);
         public WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx);
 		public int enc_wolfSSL_set_fd([user_check]WOLFSSL* ssl, int fd);
 		public int enc_wolfSSL_connect([user_check]WOLFSSL* ssl);

SGX_Linux/untrusted/App.c

@@ -23,6 +23,7 @@
 #include "stdafx.h"
 #include "App.h" /* contains include of Enclave_u.h which has wolfSSL header files */
 #include "client-tls.h"
+#include "server-tls.h"
 
 /* Use Debug SGX ? */
 #if _DEBUG
@@ -48,11 +49,23 @@ int main(int argc, char* argv[]) /* not using since just testing w/ wc_test */
     func_args args = { 0 };
 
 	/* only print off if no command line arguments were passed in */
-	if (argc == 1) {
-		printf("Setting up Enclave ... ");
+	if (argc != 2 || strlen(argv[1]) != 2) {
+		printf("Usage:\n"
+               "\t-c Run a TLS client in enclave\n"
+               "\t-s Run a TLS server in enclave\n"
+#ifdef HAVE_WOLFSSL_TEST
+               "\t-t Run wolfCrypt tests only \n"
+#endif /* HAVE_WOLFSSL_TEST */
+
+#ifdef HAVE_WOLFSSL_BENCHMARK
+               "\t-b Run wolfCrypt benchmarks in enclave\n"
+#endif /* HAVE_WOLFSSL_BENCHMARK */
+               );
+        return 0;
 	}
 
-	memset(t, 0, sizeof(sgx_launch_token_t));
+    memset(t, 0, sizeof(sgx_launch_token_t));
+    memset(&args,0,sizeof(args));
 
 	ret = sgx_create_enclave(ENCLAVE_FILENAME, DEBUG_VALUE, &t, &updated, &id, NULL);
 	if (ret != SGX_SUCCESS) {
@@ -60,22 +73,39 @@ int main(int argc, char* argv[]) /* not using since just testing w/ wc_test */
 		return 1;
 	}
 
-    printf("\nCrypt Test:\n");
-    wc_test(id, &sgxStatus, &args);
-    printf("Crypt Test: Return code %d\n", args.return_code);
-    printf("\n\n\n");
 
-    memset(&args,0,sizeof(args));
+    switch(argv[1][1]) {
+        case 'c':
+            printf("Client Test:\n");
+            client_connect(id);
+            break;
 
-    printf("\nBenchmark Test:\n");
-    wc_benchmark_test(id, &sgxStatus, &args);
-    printf("Benchmark Test: Return code %d\n", args.return_code);
-    printf("\n\n\n");
+        case 's':
+            printf("Server Test:\n");
+            server_connect(id);
+            break;
 
-    printf("\nClient Test:\n");
-    client_connect(id);
+#ifdef HAVE_WOLFSSL_TEST
+        case 't':
+            printf("Crypt Test:\n");
+            wc_test(id, &sgxStatus, &args);
+            printf("Crypt Test: Return code %d\n", args.return_code);
+            break;
+#endif /* HAVE_WOLFSSL_TEST */
 
-	return 0;
+#ifdef HAVE_WOLFSSL_BENCHMARK
+       case 'b':
+            printf("\nBenchmark Test:\n");
+            wc_benchmark_test(id, &sgxStatus, &args);
+            printf("Benchmark Test: Return code %d\n", args.return_code);
+            break;
+#endif /* HAVE_WOLFSSL_BENCHMARK */
+        default:
+            printf("Unrecognized option set!\n");
+            break;
+    }
+
+    return 0;
 }
 
 static double current_time()

SGX_Linux/untrusted/server-tls.c

@@ -0,0 +1,190 @@
+/* server-tls.c
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#include "server-tls.h"
+
+/* the usual suspects */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+/* socket includes */
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <unistd.h>
+
+/* wolfSSL */
+#include <wolfssl/ssl.h>
+#include <wolfssl/certs_test.h>
+
+#define DEFAULT_PORT 11111
+
+#define CIPHER_LIST "ECDHE-ECDSA-AES128-GCM-SHA256"
+
+
+
+int server_connect(sgx_enclave_id_t id)
+{
+    int                sgxStatus;
+    int                sockfd;
+    int                connd;
+    struct sockaddr_in servAddr;
+    struct sockaddr_in clientAddr;
+    socklen_t          size = sizeof(clientAddr);
+    char               buff[256];
+    size_t             len;
+    int                ret = 0;                        /* variable for error checking */
+
+    /* declare wolfSSL objects */
+    WOLFSSL_CTX* ctx;
+    WOLFSSL*     ssl;
+    WOLFSSL_METHOD* method;
+
+
+
+    /* Initialize wolfSSL */
+    enc_wolfSSL_Init(id, &sgxStatus);
+
+#ifdef SGX_DEBUG
+    enc_wolfSSL_Debugging_ON(id);
+#else
+    enc_wolfSSL_Debugging_OFF(id);
+#endif
+
+    /* Create a socket that uses an internet IPv4 address,
+     * Sets the socket to be stream based (TCP),
+     * 0 means choose the default protocol. */
+    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+        fprintf(stderr, "ERROR: failed to create the socket\n");
+        return -1;
+    }
+
+
+    /* Create and initialize WOLFSSL_CTX */
+    sgxStatus = enc_wolfTLSv1_2_server_method(id, &method);
+    if (sgxStatus != SGX_SUCCESS || method == NULL) {
+        printf("wolfTLSv1_2_server_method failure\n");
+        return EXIT_FAILURE;
+    }
+
+    sgxStatus = enc_wolfSSL_CTX_new(id, &ctx, method);
+    if (sgxStatus != SGX_SUCCESS || ctx == NULL) {
+        printf("wolfSSL_CTX_new failure\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Load server certificates into WOLFSSL_CTX */
+    sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(id, &ret, ctx,
+            server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("enc_wolfSSL_CTX_use_certificate_chain_buffer_format failure\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Load server key into WOLFSSL_CTX */
+    sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(id, &ret, ctx,
+            server_key_der_2048, sizeof_server_key_der_2048, SSL_FILETYPE_ASN1);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("wolfSSL_CTX_use_PrivateKey_buffer failure\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Initialize the server address struct with zeros */
+    memset(&servAddr, 0, sizeof(servAddr));
+/* Fill in the server address */
+    servAddr.sin_family      = AF_INET;             /* using IPv4      */
+    servAddr.sin_port        = htons(DEFAULT_PORT); /* on DEFAULT_PORT */
+    servAddr.sin_addr.s_addr = INADDR_ANY;          /* from anywhere   */
+
+
+
+    /* Bind the server socket to our port */
+    if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
+        fprintf(stderr, "ERROR: failed to bind\n");
+        return -1;
+    }
+
+    /* Listen for a new connection, allow 5 pending connections */
+    if (listen(sockfd, 5) == -1) {
+        fprintf(stderr, "ERROR: failed to listen\n");
+        return -1;
+    }
+
+    printf("Waiting for a connection...\n");
+
+    /* Accept client connections */
+    if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size))
+        == -1) {
+        fprintf(stderr, "ERROR: failed to accept the connection\n\n");
+        return -1;
+    }
+
+    sgxStatus = enc_wolfSSL_new(id, &ssl, ctx);
+
+    if (sgxStatus != SGX_SUCCESS || ssl == NULL) {
+        printf("wolfSSL_new failure\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Attach wolfSSL to the socket */
+    sgxStatus = enc_wolfSSL_set_fd(id, &ret, ssl, connd);
+    if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+        printf("wolfSSL_set_fd failure\n");
+        return EXIT_FAILURE;
+    }
+
+    printf("Client connected successfully\n");
+
+    /* Read the client data into our buff array */
+    memset(buff, 0, sizeof(buff));
+    sgxStatus = enc_wolfSSL_read(id, &ret, ssl, buff, sizeof(buff)-1);
+    if(sgxStatus != SGX_SUCCESS || ret == -1) {
+        printf("Server failed to read\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Print to stdout any data the client sends */
+    printf("Client: %s\n", buff);
+
+    /* Write our reply into buff */
+    memset(buff, 0, sizeof(buff));
+    memcpy(buff, "I hear ya fa shizzle!\n", sizeof(buff));
+    len = strnlen(buff, sizeof(buff));
+
+    /* Reply back to the client */
+    sgxStatus = enc_wolfSSL_write(id, &ret, ssl, buff, len);
+    if (sgxStatus != SGX_SUCCESS || ret != len) {
+        printf("Server write failed.\n");
+        return EXIT_FAILURE;
+    }
+
+    /* Cleanup after this connection */
+    enc_wolfSSL_free(id, ssl);      /* Free the wolfSSL object              */
+    close(connd);           /* Close the connection to the client   */
+
+    /* Cleanup and return */
+    sgxStatus = enc_wolfSSL_CTX_free(id, ctx);  /* Free the wolfSSL context object          */
+    sgxStatus = enc_wolfSSL_Cleanup(id, &ret);      /* Cleanup the wolfSSL environment          */
+    close(sockfd);          /* Close the socket listening for clients   */
+    return 0;               /* Return reporting a success               */
+}

SGX_Linux/untrusted/server-tls.h

@@ -0,0 +1,30 @@
+/* server-tls.h
+*
+* Copyright (C) 2006-2016 wolfSSL Inc.
+*
+* This file is part of wolfSSL.
+*
+* wolfSSL is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfSSL is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+#ifndef SERVER_TLS_H
+#define SERVER_TLS_H
+
+#include "sgx_urts.h"	 /* for enclave_id etc.*/
+#include "Wolfssl_Enclave_u.h"   /* contains untrusted wrapper functions used to call enclave functions*/
+
+int server_connect(sgx_enclave_id_t id);
+
+#endif /* SERVER_TLS_H */