diff --git a/.gitmodules b/.gitmodules index 784172de..05140718 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,11 +1,11 @@ [submodule "QuoteVerification/QVL"] path = QuoteVerification/QVL url = https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary.git - branch = DCAP/1.20 + branch = DCAP/1.21 [submodule "QuoteVerification/QuoteVerificationService"] path = QuoteVerification/QuoteVerificationService url = https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationService.git - branch = stable + branch = DCAP/1.21 [submodule "external/wasm-micro-runtime"] path = external/wasm-micro-runtime url = https://github.com/bytecodealliance/wasm-micro-runtime.git diff --git a/QuoteGeneration/README.md b/QuoteGeneration/README.md index 27b7febb..d53dd8bd 100644 --- a/QuoteGeneration/README.md +++ b/QuoteGeneration/README.md @@ -39,7 +39,7 @@ For Windows* OS **NOTE**:`sgx_dcap_dev.inf` is for Windows* Server 2016 LTSC and `sgx_dcap.inf` is for Windows* Server 2019 LTSC. ## How to install - Refer to the *"Installation Instructions"* section in the [Intel(R) Software Guard Extensions: Data Center Attestation Primitives Installation Guide For Windows* OS](https://download.01.org/intel-sgx/sgx-dcap/1.20/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf) to install the right packages on your platform. + Refer to the *"Installation Instructions"* section in the [Intel(R) Software Guard Extensions: Data Center Attestation Primitives Installation Guide For Windows* OS](https://download.01.org/intel-sgx/sgx-dcap/1.21/windows/docs/Intel_SGX_DCAP_Windows_SW_Installation_Guide.pdf) to install the right packages on your platform. For Linux* OS diff --git a/QuoteGeneration/buildenv.mk b/QuoteGeneration/buildenv.mk index b48d6bfe..4fd3fe0e 100644 --- a/QuoteGeneration/buildenv.mk +++ b/QuoteGeneration/buildenv.mk @@ -68,10 +68,12 @@ SGX_DEBUG ?= 0 ifndef SERVTD_ATTEST ifneq ($(origin SGX_SDK),file) - include $(SGX_SDK)/buildenv.mk - else -$(info You may need to set environment variables if the SGX SDK is installed.) -$(info Use a command like 'source /opt/intel/sgxsdk/environment') + include $(SGX_SDK)/buildenv.mk + else + ifneq ($(SDK_NOT_REQUIRED), 1) + $(info You may need to set environment variables if the SGX SDK is installed.) + $(info Use a command like 'source /opt/intel/sgxsdk/environment') + endif endif endif diff --git a/QuoteGeneration/common/inc/internal/se_version.h b/QuoteGeneration/common/inc/internal/se_version.h index 0a1a0c22..f1db0830 100644 --- a/QuoteGeneration/common/inc/internal/se_version.h +++ b/QuoteGeneration/common/inc/internal/se_version.h @@ -28,21 +28,21 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ -#define STRFILEVER "1.20.100.2" -#define COPYRIGHT "Copyright (C) 2023 Intel Corporation" -#define FILEVER 1,20,100,2 -#define PRODUCTVER 1,20,100,2 -#define STRPRODUCTVER "1.20.100.2" +#define STRFILEVER "1.21.100.3" +#define COPYRIGHT "Copyright (C) 2024 Intel Corporation" +#define FILEVER 1,21,100,3 +#define PRODUCTVER 1,21,100,3 +#define STRPRODUCTVER "1.21.100.3" #define COMPANYNAME "Intel Corporation" #define PRODUCTNAME "IntelĀ® Software Guard Extensions" -#define DEFAULT_QPL_VERSION "1.13.107.2" -#define QUOTE_VERIFIER_VERSION "1.13.100.2" -#define QUOTE_LOADER_VERSION "1.11.107.2" -#define TDQE_WRAPPER_VERSION "1.14.107.2" -#define PCE_WRAPPER_VERSION "1.14.107.2" +#define DEFAULT_QPL_VERSION "1.13.108.3" +#define QUOTE_VERIFIER_VERSION "1.13.101.3" +#define QUOTE_LOADER_VERSION "1.11.108.3" +#define TDQE_WRAPPER_VERSION "1.14.108.3" +#define PCE_WRAPPER_VERSION "1.14.108.3" #define QE3_VERSION "1.19.100.1" -#define QVE_VERSION "1.20.100.1" +#define QVE_VERSION "1.21.100.1" #define IDE_VERSION "1.19.100.1" #define TDQE_VERSION "1.19.100.1" diff --git a/QuoteGeneration/download_prebuilt.bat b/QuoteGeneration/download_prebuilt.bat index 779ac8f5..62ab3420 100644 --- a/QuoteGeneration/download_prebuilt.bat +++ b/QuoteGeneration/download_prebuilt.bat @@ -29,9 +29,9 @@ @echo off -set ae_file_name=prebuilt_windows_dcap_1.20.zip -set checksum_file=SHA256SUM_prebuilt_windows_dcap_1.20.cfg -set server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.20/windows/ +set ae_file_name=prebuilt_windows_dcap_1.21.zip +set checksum_file=SHA256SUM_prebuilt_windows_dcap_1.21.cfg +set server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.21/windows/ set server_ae_url=%server_url_path%/%ae_file_name% set server_checksum_url=%server_url_path%/%checksum_file% diff --git a/QuoteGeneration/download_prebuilt.sh b/QuoteGeneration/download_prebuilt.sh index 2724c69b..f2e5a12f 100755 --- a/QuoteGeneration/download_prebuilt.sh +++ b/QuoteGeneration/download_prebuilt.sh @@ -32,9 +32,9 @@ top_dir=`dirname $0` out_dir=$top_dir -ae_file_name=prebuilt_dcap_1.20.tar.gz -checksum_file=SHA256SUM_prebuilt_dcap_1.20.cfg -server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.20/linux/ +ae_file_name=prebuilt_dcap_1.21.tar.gz +checksum_file=SHA256SUM_prebuilt_dcap_1.21.cfg +server_url_path=https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/ server_ae_url=$server_url_path/$ae_file_name server_checksum_url=$server_url_path/$checksum_file diff --git a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/BOMs/sgx-dcap-pccs.txt b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/BOMs/sgx-dcap-pccs.txt index c2bd1bce..f738996b 100644 --- a/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/BOMs/sgx-dcap-pccs.txt +++ b/QuoteGeneration/installer/linux/common/sgx-dcap-pccs/BOMs/sgx-dcap-pccs.txt @@ -43,11 +43,13 @@ DeliveryName InstallName FileCheckSum FileFeature FileOwner /pccs/middleware/auth.js /middleware/auth.js 0 main STP /pccs/middleware/error.js /middleware/error.js 0 main STP /pccs/middleware/addRequestId.js /middleware/addRequestId.js 0 main STP +/pccs/middleware/filterDuplicatedParams.js /middleware/filterDuplicatedParams.js 0 main STP /pccs/migrations/00_db_initialize.up.sql /migrations/00_db_initialize.up.sql 0 main STP /pccs/migrations/01_db_version_1.js /migrations/01_db_version_1.js 0 main STP /pccs/migrations/02_db_version_2.js /migrations/02_db_version_2.js 0 main STP /pccs/migrations/03_db_version_3.js /migrations/03_db_version_3.js 0 main STP /pccs/migrations/04_db_version_4.js /migrations/04_db_version_4.js 0 main STP +/pccs/migrations/05_db_version_5.js /migrations/05_db_version_5.js 0 main STP /pccs/pcs_client/pcs_client.js /pcs_client/pcs_client.js 0 main STP /pccs/routes/index.js /routes/index.js 0 main STP /pccs/services/identityService.js /services/identityService.js 0 main STP diff --git a/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile b/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile index 1c2e32b5..8f47ecd2 100644 --- a/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile +++ b/QuoteGeneration/installer/linux/common/tdx-qgs/Makefile @@ -34,6 +34,7 @@ include installConfig PACKAGE_ROOT_FOLDER=pkgroot PACKAGES=$(notdir $(wildcard $(PACKAGE_ROOT_FOLDER)/*)) +VAR_OPT_PATH=/var/opt/qgsd QGSD_CONF_NAME=$(if $(wildcard /run/systemd/system/.*),qgsd.service,$(if $(wildcard /etc/init/.*),qgsd.conf,)) QGSD_CONF_DEL=$(if $(wildcard /run/systemd/system/.*),qgsd.conf,$(if $(wildcard /etc/init/.*),qgsd.service,)) QGSD_CONF_PATH=$(if $(wildcard /run/systemd/system/.*),$(if $(wildcard /lib/systemd/system/.*),/lib/systemd/system,/usr/lib/systemd/system),$(if $(wildcard /etc/init/.*),/etc/init/)) @@ -52,6 +53,7 @@ endif default: install: $(PACKAGES) + install -d $(shell readlink -m $(DESTDIR)/$(VAR_OPT_PATH)) install -d $(shell readlink -m $(DESTDIR)/$(QGSD_CONF_PATH)) sed -e "s:@qgs_folder@:$(TDX_QGS_PACKAGE_PATH)/$(TDX_QGS_PACKAGE_NAME):" \ $(DESTDIR)/$(TDX_QGS_PACKAGE_PATH)/$(TDX_QGS_PACKAGE_NAME)/$(QGSD_CONF_NAME) \ diff --git a/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.0/debian/control b/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.0/debian/control index 24dd1bb1..a1290eca 100644 --- a/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.0/debian/control +++ b/QuoteGeneration/installer/linux/deb/libsgx-dcap-ql/libsgx-dcap-ql-1.0/debian/control @@ -9,11 +9,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: libsgx-dcap-ql Architecture: amd64 Depends: libsgx-qe3-logic(>= @dep_version@), libsgx-pce-logic(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends} -Recommends: libsgx-dcap-quote-verify(>= @dep_version@), libsgx-quote-ex(>= 2.23) +Recommends: libsgx-dcap-quote-verify(>= @dep_version@), libsgx-quote-ex(>= 2.24) Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives Package: libsgx-dcap-ql-dev Section: devel Architecture: amd64 -Depends: libsgx-dcap-ql (= @dep_version@), libsgx-headers (>= 2.23) +Depends: libsgx-dcap-ql (= @dep_version@), libsgx-headers (>= 2.24) Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers diff --git a/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify-1.0/debian/control b/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify-1.0/debian/control index 09dd214c..1dca3f7d 100644 --- a/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify-1.0/debian/control +++ b/QuoteGeneration/installer/linux/deb/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify-1.0/debian/control @@ -9,11 +9,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: libsgx-dcap-quote-verify Architecture: amd64 Depends: ${shlibs:Depends}, ${misc:Depends} -Recommends: libsgx-ae-qve (>= @dep_version@), libsgx-urts (>= 2.23) +Recommends: libsgx-ae-qve (>= @dep_version@), libsgx-urts (>= 2.24) Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives Package: libsgx-dcap-quote-verify-dev Section: devel Architecture: amd64 -Depends: libsgx-dcap-quote-verify (= @dep_version@), libsgx-headers (>= 2.23) +Depends: libsgx-dcap-quote-verify (= @dep_version@), libsgx-headers (>= 2.24) Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives For Developers diff --git a/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control b/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control index 13c09780..1dca555c 100644 --- a/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control +++ b/QuoteGeneration/installer/linux/deb/libsgx-pce-logic/libsgx-pce-logic-1.0/debian/control @@ -8,5 +8,5 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: libsgx-pce-logic Architecture: amd64 -Depends: libsgx-urts (>= 2.23), libsgx-ae-pce(>= 2.23), ${shlibs:Depends}, ${misc:Depends} +Depends: libsgx-urts (>= 2.24), libsgx-ae-pce(>= 2.24), ${shlibs:Depends}, ${misc:Depends} Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives diff --git a/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/libsgx-qe3-logic-1.0/debian/control b/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/libsgx-qe3-logic-1.0/debian/control index 8fa80ec0..abe5b02b 100644 --- a/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/libsgx-qe3-logic-1.0/debian/control +++ b/QuoteGeneration/installer/linux/deb/libsgx-qe3-logic/libsgx-qe3-logic-1.0/debian/control @@ -8,5 +8,5 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: libsgx-qe3-logic Architecture: amd64 -Depends: libsgx-urts (>= 2.23), libsgx-ae-qe3(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: libsgx-urts (>= 2.24), libsgx-ae-qe3(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends} Description: Intel(R) Software Guard Extensions Data Center Attestation Primitives diff --git a/QuoteGeneration/installer/linux/deb/libsgx-tdx-logic/libsgx-tdx-logic-1.0/debian/control b/QuoteGeneration/installer/linux/deb/libsgx-tdx-logic/libsgx-tdx-logic-1.0/debian/control index fa95815c..53679ae0 100644 --- a/QuoteGeneration/installer/linux/deb/libsgx-tdx-logic/libsgx-tdx-logic-1.0/debian/control +++ b/QuoteGeneration/installer/linux/deb/libsgx-tdx-logic/libsgx-tdx-logic-1.0/debian/control @@ -8,11 +8,11 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: libsgx-tdx-logic Architecture: amd64 -Depends: libsgx-urts (>= 2.23), libsgx-pce-logic(>= @dep_version@), libsgx-ae-tdqe(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: libsgx-urts (>= 2.24), libsgx-pce-logic(>= @dep_version@), libsgx-ae-tdqe(>= @dep_version@), libsgx-ae-id-enclave(>= @dep_version@), ${shlibs:Depends}, ${misc:Depends} Description: Intel(R) Trust Domain Extensions QE logic library Package: libsgx-tdx-logic-dev Section: devel Architecture: amd64 -Depends: libsgx-tdx-logic (= @dep_version@), libsgx-headers (>= 2.23) +Depends: libsgx-tdx-logic (= @dep_version@), libsgx-headers (>= 2.24) Description: Intel(R) Trust Domain Extensions QE logic library For Developers diff --git a/QuoteGeneration/installer/linux/rpm/libsgx-dcap-ql/libsgx-dcap-ql.spec b/QuoteGeneration/installer/linux/rpm/libsgx-dcap-ql/libsgx-dcap-ql.spec index d7b80ed5..2fab2a59 100644 --- a/QuoteGeneration/installer/linux/rpm/libsgx-dcap-ql/libsgx-dcap-ql.spec +++ b/QuoteGeneration/installer/linux/rpm/libsgx-dcap-ql/libsgx-dcap-ql.spec @@ -37,7 +37,7 @@ Release: 1%{?dist} Summary: Intel(R) Software Guard Extensions Data Center Attestation Primitives Group: Development/Libraries Requires: libsgx-qe3-logic >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release} -Recommends: libsgx-dcap-quote-verify >= %{version}-%{release} libsgx-quote-ex >= 2.23 +Recommends: libsgx-dcap-quote-verify >= %{version}-%{release} libsgx-quote-ex >= 2.24 License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives @@ -49,7 +49,7 @@ Intel(R) Software Guard Extensions Data Center Attestation Primitives %package devel Summary: Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.23 +Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.24 %description devel Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers diff --git a/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify.spec b/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify.spec index 1a0d44b2..725f17ed 100644 --- a/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify.spec +++ b/QuoteGeneration/installer/linux/rpm/libsgx-dcap-quote-verify/libsgx-dcap-quote-verify.spec @@ -36,7 +36,7 @@ Version: @version@ Release: 1%{?dist} Summary: Intel(R) Software Guard Extensions Data Center Attestation Primitives Group: Development/Libraries -Recommends: libsgx-ae-qve >= %{version}-%{release} libsgx-urts >= 2.23 +Recommends: libsgx-ae-qve >= %{version}-%{release} libsgx-urts >= 2.24 License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives @@ -48,7 +48,7 @@ Intel(R) Software Guard Extensions Data Center Attestation Primitives %package devel Summary: Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.23 +Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.24 %description devel Intel(R) Software Guard Extensions Data Center Attestation Primitives for Developers diff --git a/QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/libsgx-pce-logic.spec b/QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/libsgx-pce-logic.spec index b6757a13..47c5a3fd 100644 --- a/QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/libsgx-pce-logic.spec +++ b/QuoteGeneration/installer/linux/rpm/libsgx-pce-logic/libsgx-pce-logic.spec @@ -36,7 +36,7 @@ Version: @version@ Release: 1%{?dist} Summary: Intel(R) Software Guard Extensions PCE logic Group: Development/Libraries -Requires: libsgx-urts >= 2.23 libsgx-ae-pce >= 2.23 +Requires: libsgx-urts >= 2.24 libsgx-ae-pce >= 2.24 License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives diff --git a/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/libsgx-qe3-logic.spec b/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/libsgx-qe3-logic.spec index 9b0b11e2..ec3bf804 100644 --- a/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/libsgx-qe3-logic.spec +++ b/QuoteGeneration/installer/linux/rpm/libsgx-qe3-logic/libsgx-qe3-logic.spec @@ -36,7 +36,7 @@ Version: @version@ Release: 1%{?dist} Summary: Intel(R) Software Guard Extensions QE3 logic Group: Development/Libraries -Requires: libsgx-urts >= 2.23 libsgx-ae-qe3 >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release} +Requires: libsgx-urts >= 2.24 libsgx-ae-qe3 >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release} License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives diff --git a/QuoteGeneration/installer/linux/rpm/libsgx-tdx-logic/libsgx-tdx-logic.spec b/QuoteGeneration/installer/linux/rpm/libsgx-tdx-logic/libsgx-tdx-logic.spec index 71655200..03a73f59 100644 --- a/QuoteGeneration/installer/linux/rpm/libsgx-tdx-logic/libsgx-tdx-logic.spec +++ b/QuoteGeneration/installer/linux/rpm/libsgx-tdx-logic/libsgx-tdx-logic.spec @@ -36,7 +36,7 @@ Version: @version@ Release: 1%{?dist} Summary: Intel(R) Trust Domain Extensions QE logic library Group: Development/Libraries -Requires: libsgx-urts >= 2.23 libsgx-ae-tdqe >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release} +Requires: libsgx-urts >= 2.24 libsgx-ae-tdqe >= %{version}-%{release} libsgx-ae-id-enclave >= %{version}-%{release} libsgx-pce-logic >= %{version}-%{release} License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives @@ -49,7 +49,7 @@ Intel(R) Trust Domain Extensions QE logic library %package devel Summary: Intel(R) Trust Domain Extensions QE logic library For Developers Group: Development/Libraries -Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.23 +Requires: %{name} = %{version}-%{release} libsgx-headers >= 2.24 %description devel Intel(R) Trust Domain Extensions QE logic library For Developers %prep diff --git a/QuoteGeneration/installer/win/DCAP_Components/DCAP_Components.nuspec b/QuoteGeneration/installer/win/DCAP_Components/DCAP_Components.nuspec index 2164cc09..723a090d 100644 --- a/QuoteGeneration/installer/win/DCAP_Components/DCAP_Components.nuspec +++ b/QuoteGeneration/installer/win/DCAP_Components/DCAP_Components.nuspec @@ -2,15 +2,15 @@ DCAP_Components - 1.20.100.2 + 1.21.100.3 DCAP Components Intel(R) SGX Intel false DCAP Components - Copyright (C) 2022 Intel Corporation + Copyright (C) 2024 Intel Corporation - + diff --git a/QuoteGeneration/pccs/README.md b/QuoteGeneration/pccs/README.md index a53ce989..112c23c6 100644 --- a/QuoteGeneration/pccs/README.md +++ b/QuoteGeneration/pccs/README.md @@ -6,7 +6,7 @@ This is a lightweight Provisioning Certificate Caching Service implemented in no - **Prerequisites** - Install node.js (Version 18.17 or later) + Install node.js (Supported versions are 18.17.0 to 18.19.1, 20.0.0 to 20.11.1, or 21.0.0 to 21.5.0.) - For Debian and Ubuntu based distributions, please refer to https://github.com/nodesource/distributions - To download and install, goto https://nodejs.org/en/download/ diff --git a/QuoteGeneration/pccs/config/default.json b/QuoteGeneration/pccs/config/default.json index a5e80d1e..13e00e26 100644 --- a/QuoteGeneration/pccs/config/default.json +++ b/QuoteGeneration/pccs/config/default.json @@ -49,6 +49,10 @@ "freezeTableName": true }, "logging" : false + }, + "ssl":{ + "required": false, + "ca":"/if_required/path/to/your_ssl_ca" } } } diff --git a/QuoteGeneration/pccs/constants/index.js b/QuoteGeneration/pccs/constants/index.js index dce2e346..61eb6c0e 100644 --- a/QuoteGeneration/pccs/constants/index.js +++ b/QuoteGeneration/pccs/constants/index.js @@ -38,8 +38,6 @@ function define(name, value) { }); } -define('DB_VERSION', 2); - define('PLATF_REG_NEW', 0); define('PLATF_REG_NOT_AVAILABLE', 1); define('PLATF_REG_DELETED', 9); @@ -77,4 +75,9 @@ define('SGX_TCB_INFO_ISSUER_CHAIN', 'SGX-TCB-Info-Issuer-Chain'); define('SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN', 'SGX-Enclave-Identity-Issuer-Chain'); define('SGX_PCK_CRL_ISSUER_CHAIN', 'SGX-PCK-CRL-Issuer-Chain'); +//Update type +define('UPDATE_TYPE_STANDARD', 'STANDARD'); +define('UPDATE_TYPE_EARLY', 'EARLY'); +define('UPDATE_TYPE_ALL', 'ALL'); + export default Constants; diff --git a/QuoteGeneration/pccs/container/Dockerfile b/QuoteGeneration/pccs/container/Dockerfile index 3a70c445..278a36bb 100644 --- a/QuoteGeneration/pccs/container/Dockerfile +++ b/QuoteGeneration/pccs/container/Dockerfile @@ -1,9 +1,14 @@ +# Copyright (c) 2024 Intel Corporation + +# Declare nodejs version you want to use +ARG NODE_VERSION=20.11.1 + # Use multi-stage builds to reduce final image size -FROM ubuntu:23.04 AS builder +FROM docker.io/library/debian AS builder # Define arguments used across multiple stages -ARG DCAP_VERSION=DCAP_1.20 -ARG NODE_MAJOR=20 +ARG DCAP_VERSION=DCAP_1.21 +ARG NODE_VERSION # update and install packages, nodejs RUN DEBIAN_FRONTEND=noninteractive \ @@ -16,15 +21,25 @@ RUN DEBIAN_FRONTEND=noninteractive \ gnupg \ git \ zip \ - && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg \ - && echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \ - && apt-get update -yq \ - && apt-get install -yq --no-install-recommends nodejs \ + python3 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* +# Install nvm (Node Version Manager) +RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash + +# Set NVM_DIR so we can use it in subsequent commands +ENV NVM_DIR /root/.nvm + +# Install specific version of Node using nvm +# Source nvm in each RUN command to ensure it's available +RUN . "$NVM_DIR/nvm.sh" && nvm install $NODE_VERSION && nvm use $NODE_VERSION + +# Set PATH to include the node and npm binaries +ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH + # Clone the specific branch or tag -RUN git clone --recurse-submodules https://github.com/intel/SGXDataCenterAttestationPrimitives.git # -b ${DCAP_VERSION} --depth 1 +RUN git clone --recurse-submodules https://github.com/intel/SGXDataCenterAttestationPrimitives.git -b ${DCAP_VERSION} --depth 1 # Build libPCKCertSelection library WORKDIR /SGXDataCenterAttestationPrimitives/tools/PCKCertSelection/ @@ -41,14 +56,16 @@ RUN npm config set proxy $http_proxy \ && npm install # Start final image build -FROM ubuntu:23.04 +FROM docker.io/library/debian:12-slim + +ARG NODE_VERSION # Create user and group before copying files ARG USER=pccs RUN useradd -M -U -r ${USER} -s /bin/false # Copy only necessary files from builder stage -COPY --from=builder /usr/bin/node /usr/bin/node +COPY --from=builder /root/.nvm/versions/node/v$NODE_VERSION/bin/node /usr/bin/node COPY --from=builder --chown=${USER}:${USER} /SGXDataCenterAttestationPrimitives/QuoteGeneration/pccs/ /opt/intel/pccs/ # Set the working directory and switch user diff --git a/QuoteGeneration/pccs/controllers/identityController.js b/QuoteGeneration/pccs/controllers/identityController.js index 1a1eff4a..4643b071 100644 --- a/QuoteGeneration/pccs/controllers/identityController.js +++ b/QuoteGeneration/pccs/controllers/identityController.js @@ -36,11 +36,18 @@ import * as appUtil from '../utils/apputil.js'; async function getEnclaveIdentity(req, res, next, enclave_id) { try { + const update_type = req.query.update? req.query.update.toUpperCase():Constants.UPDATE_TYPE_STANDARD; + + if (update_type !== Constants.UPDATE_TYPE_STANDARD && update_type !== Constants.UPDATE_TYPE_EARLY) { + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } + // call service let version = appUtil.get_api_version_from_url(req.originalUrl); let enclaveIdentityJson = await identityService.getEnclaveIdentity( enclave_id, - version + version, + update_type ); // send response diff --git a/QuoteGeneration/pccs/controllers/platformsController.js b/QuoteGeneration/pccs/controllers/platformsController.js index fcb20592..ca6d176c 100644 --- a/QuoteGeneration/pccs/controllers/platformsController.js +++ b/QuoteGeneration/pccs/controllers/platformsController.js @@ -36,8 +36,20 @@ import Constants from '../constants/index.js'; export async function postPlatforms(req, res, next) { try { + // validate request parameters + let update = req.query.update; + if (update) { + update = update.toUpperCase(); + if (![Constants.UPDATE_TYPE_STANDARD, Constants.UPDATE_TYPE_EARLY, Constants.UPDATE_TYPE_ALL].includes(update)) { + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } + } + else { + update = Constants.UPDATE_TYPE_STANDARD; + } + // call registration service - await platformsRegService.registerPlatforms(req.body); + await platformsRegService.registerPlatforms(req.body, update); // send response res diff --git a/QuoteGeneration/pccs/controllers/refreshController.js b/QuoteGeneration/pccs/controllers/refreshController.js index 018212b7..51092077 100644 --- a/QuoteGeneration/pccs/controllers/refreshController.js +++ b/QuoteGeneration/pccs/controllers/refreshController.js @@ -31,12 +31,16 @@ import { refreshService } from '../services/index.js'; import PccsStatus from '../constants/pccs_status_code.js'; +import PccsError from '../utils/PccsError.js'; export async function refreshCache(req, res, next) { try { const type = req.query.type; const fmspc = req.query.fmspc; + if (type && type !== "certs") { + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } // call service await refreshService.refreshCache(type, fmspc); diff --git a/QuoteGeneration/pccs/controllers/tcbinfoController.js b/QuoteGeneration/pccs/controllers/tcbinfoController.js index 96460f41..00f26613 100644 --- a/QuoteGeneration/pccs/controllers/tcbinfoController.js +++ b/QuoteGeneration/pccs/controllers/tcbinfoController.js @@ -49,8 +49,14 @@ async function getTcbInfo(req, res, next, type) { // normalize request parameters fmspc = fmspc.toUpperCase(); + const update_type = req.query.update? req.query.update.toUpperCase():Constants.UPDATE_TYPE_STANDARD; + + if (update_type !== Constants.UPDATE_TYPE_STANDARD && update_type !== Constants.UPDATE_TYPE_EARLY) { + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } + // call service - let tcbinfoJson = await tcbinfoService.getTcbInfo(type, fmspc, version); + let tcbinfoJson = await tcbinfoService.getTcbInfo(type, fmspc, version, update_type); let issuerChainName = appUtil.getTcbInfoIssuerChainName(version); // send response diff --git a/QuoteGeneration/pccs/dao/appraisalPolicyDao.js b/QuoteGeneration/pccs/dao/appraisalPolicyDao.js index 1c159ecd..5af2e5ad 100644 --- a/QuoteGeneration/pccs/dao/appraisalPolicyDao.js +++ b/QuoteGeneration/pccs/dao/appraisalPolicyDao.js @@ -55,7 +55,7 @@ export async function upsertAppraisalPolicy(apJson) { await AppraisalPolicy.update( { is_default: false }, { - where: { type: apJson.type, fmspc: apJson.fmspc, is_default: true }, + where: { fmspc: apJson.fmspc, is_default: true }, } ); } diff --git a/QuoteGeneration/pccs/dao/enclaveIdentityDao.js b/QuoteGeneration/pccs/dao/enclaveIdentityDao.js index 23a08857..554a3181 100644 --- a/QuoteGeneration/pccs/dao/enclaveIdentityDao.js +++ b/QuoteGeneration/pccs/dao/enclaveIdentityDao.js @@ -34,10 +34,11 @@ import PccsError from '../utils/PccsError.js'; import PccsStatus from '../constants/pccs_status_code.js'; import { EnclaveIdentities, sequelize } from './models/index.js'; -export async function upsertEnclaveIdentity(id, identity, version) { +export async function upsertEnclaveIdentity(id, identity, version, update_type) { return await EnclaveIdentities.upsert({ id: id, version: version, + update_type: update_type, identity: identity, root_cert_id: Constants.PROCESSOR_ROOT_CERT_ID, signing_cert_id: Constants.PROCESSOR_SIGNING_CERT_ID, @@ -45,16 +46,17 @@ export async function upsertEnclaveIdentity(id, identity, version) { } //Query EnclaveIdentity -export async function getEnclaveIdentity(id, version) { +export async function getEnclaveIdentity(id, version, update_type) { const sql = 'select a.*,' + ' (select cert from pcs_certificates where id=a.root_cert_id) as root_cert,' + ' (select cert from pcs_certificates where id=a.signing_cert_id) as signing_cert' + ' from enclave_identities a ' + - ' where a.id=$id and a.version=$version'; + ' where a.id=$id and a.version=$version ' + + ' and a.update_type=$update_type'; const enclave_identity = await sequelize.query(sql, { type: sequelize.QueryTypes.SELECT, - bind: { id: id, version: version }, + bind: { id: id, version: version, update_type: update_type }, }); if (enclave_identity.length == 0) return null; else if (enclave_identity.length == 1) { diff --git a/QuoteGeneration/pccs/dao/fmspcTcbDao.js b/QuoteGeneration/pccs/dao/fmspcTcbDao.js index a4da6f7e..0f307e55 100644 --- a/QuoteGeneration/pccs/dao/fmspcTcbDao.js +++ b/QuoteGeneration/pccs/dao/fmspcTcbDao.js @@ -41,6 +41,7 @@ export async function upsertFmspcTcb(tcbinfoJson) { type: tcbinfoJson.type, fmspc: tcbinfoJson.fmspc, version: tcbinfoJson.version, + update_type: tcbinfoJson.update_type, tcbinfo: tcbinfoJson.tcbinfo, root_cert_id: Constants.PROCESSOR_ROOT_CERT_ID, signing_cert_id: Constants.PROCESSOR_SIGNING_CERT_ID, @@ -48,8 +49,8 @@ export async function upsertFmspcTcb(tcbinfoJson) { } //Query TCBInfo by fmspc -export async function getTcbInfo(type, fmspc, version) { - if (typeof type == 'undefined' || typeof version == 'undefined') { +export async function getTcbInfo(type, fmspc, version, update_type) { + if (typeof type == 'undefined' || typeof version == 'undefined' || typeof update_type == 'undefined') { throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); } @@ -60,13 +61,15 @@ export async function getTcbInfo(type, fmspc, version) { ' from fmspc_tcbs a ' + ' where a.type=$type' + ' and a.fmspc=$fmspc' + - ' and a.version=$version'; + ' and a.version=$version' + + ' and a.update_type=$update_type'; const tcbinfo = await sequelize.query(sql, { type: sequelize.QueryTypes.SELECT, bind: { type: type, fmspc: fmspc, version: version, + update_type: update_type }, }); if (tcbinfo.length == 0) return null; diff --git a/QuoteGeneration/pccs/dao/models/enclave_identities.js b/QuoteGeneration/pccs/dao/models/enclave_identities.js index 5dfb9d5d..467dec46 100644 --- a/QuoteGeneration/pccs/dao/models/enclave_identities.js +++ b/QuoteGeneration/pccs/dao/models/enclave_identities.js @@ -36,6 +36,7 @@ export default class EnclaveIdentities extends Sequelize.Model { { id: { type: Sequelize.DataTypes.INTEGER, primaryKey: true }, version: { type: Sequelize.DataTypes.INTEGER, primaryKey: true }, + update_type: { type: Sequelize.DataTypes.STRING, primaryKey: true }, identity: { type: Sequelize.DataTypes.BLOB }, root_cert_id: { type: Sequelize.DataTypes.INTEGER }, signing_cert_id: { type: Sequelize.DataTypes.INTEGER }, diff --git a/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js b/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js index 076eadbf..f51aa8c2 100644 --- a/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js +++ b/QuoteGeneration/pccs/dao/models/fmspc_tcbs.js @@ -37,6 +37,7 @@ export default class FmspcTcbs extends Sequelize.Model { fmspc: { type: Sequelize.DataTypes.STRING, primaryKey: true }, type: { type: Sequelize.DataTypes.INTEGER, primaryKey: true }, version: { type: Sequelize.DataTypes.INTEGER, primaryKey: true }, + update_type: { type: Sequelize.DataTypes.STRING, primaryKey: true }, tcbinfo: { type: Sequelize.DataTypes.BLOB }, root_cert_id: { type: Sequelize.DataTypes.INTEGER }, signing_cert_id: { type: Sequelize.DataTypes.INTEGER }, diff --git a/QuoteGeneration/pccs/dao/models/index.js b/QuoteGeneration/pccs/dao/models/index.js index 9375b6dc..cba42d67 100644 --- a/QuoteGeneration/pccs/dao/models/index.js +++ b/QuoteGeneration/pccs/dao/models/index.js @@ -28,7 +28,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ - +import * as fs from 'fs'; import Config from 'config'; import Sequelize from 'sequelize'; import logger from '../../utils/Logger.js'; @@ -50,59 +50,85 @@ import mysqlPromise from 'mysql2/promise.js'; const pccs_namespace = clshooked.createNamespace('pccs-namespace'); Sequelize.useCLS(pccs_namespace); -// initialize sequelize instance -let db_conf = Config.get(Config.get('DB_CONFIG')); -let db_opt = JSON.parse(JSON.stringify(db_conf.options)); -if (db_opt.logging == true) { - // Enable sequelize logging through logger.info - db_opt.logging = (msg) => logger.info(msg); +// get config options for ssl +function getSSLConfig(sslConfig) { + if (sslConfig && sslConfig.required && fs.existsSync(sslConfig.ca)) { + return { ssl: { ca: fs.readFileSync(sslConfig.ca) } }; + } + return null; +} + +function initModels(sequelize) { + FmspcTcbs.init(sequelize); + PckCert.init(sequelize); + PckCertchain.init(sequelize); + PckCrl.init(sequelize); + PcsCertificates.init(sequelize); + PcsVersion.init(sequelize); + PlatformTcbs.init(sequelize); + PlatformsRegistered.init(sequelize); + Platforms.init(sequelize); + EnclaveIdentities.init(sequelize); + CrlCache.init(sequelize); + AppraisalPolicy.init(sequelize); } -const sequelize = new Sequelize( - db_conf.database, - db_conf.username, - db_conf.password, - db_opt -); -try { - // Test connection - await sequelize.authenticate(); -} catch (err) { - if (Config.get('DB_CONFIG') == 'mysql') { - logger.error('Failed to connect DB. Try to create it ...'); - try { - // For MySQL, maybe the database doesn't exist. Try to create it - const connection = await mysqlPromise.createConnection({ - host: db_opt.host, - port: db_opt.port, - user: db_conf.username, - password: db_conf.password, - }); - await connection.query( - `CREATE DATABASE IF NOT EXISTS \`${db_conf.database}\` CHARACTER SET utf8 COLLATE utf8_general_ci;` - ); - } catch (err2) { - logger.error(err2); +async function initializeDatabase() { + let dbConfig = Config.get(Config.get('DB_CONFIG')); + let dbOptions = { ...dbConfig.options }; + if (dbOptions.logging === true) { + dbOptions.logging = (msg) => logger.info(msg); + } + + const sslOptions = getSSLConfig(dbConfig.ssl); + if (sslOptions) { + dbOptions.dialectOptions = sslOptions; + } + + const sequelize = new Sequelize( + dbConfig.database, + dbConfig.username, + dbConfig.password, + dbOptions + ); + + try { + await sequelize.authenticate(); + } catch (err) { + if (Config.get('DB_CONFIG') === 'mysql') { + // Handle MySQL specific error + await handleMySQLError(dbConfig, dbOptions, err); + } else { + logger.error(err); process.exit(1); } - } else { - logger.error(err); + } + + return sequelize; +} + +async function handleMySQLError(dbConfig, dbOptions, err) { + logger.error('Failed to connect DB. Try to create it ...'); + try { + const connOptions = { + host: dbOptions.host, + port: dbOptions.port, + user: dbConfig.username, + password: dbConfig.password, + ...getSSLConfig(dbConfig.ssl) + }; + const connection = await mysqlPromise.createConnection(connOptions); + await connection.query( + `CREATE DATABASE IF NOT EXISTS \`${dbConfig.database}\` CHARACTER SET utf8 COLLATE utf8_general_ci;` + ); + } catch (err2) { + logger.error(err2); process.exit(1); } } -FmspcTcbs.init(sequelize); -PckCert.init(sequelize); -PckCertchain.init(sequelize); -PckCrl.init(sequelize); -PcsCertificates.init(sequelize); -PcsVersion.init(sequelize); -PlatformTcbs.init(sequelize); -PlatformsRegistered.init(sequelize); -Platforms.init(sequelize); -EnclaveIdentities.init(sequelize); -CrlCache.init(sequelize); -AppraisalPolicy.init(sequelize); +const sequelize = await initializeDatabase(); +initModels(sequelize); // Initialize all models export { Sequelize, diff --git a/QuoteGeneration/pccs/middleware/error.js b/QuoteGeneration/pccs/middleware/error.js index 59bb2f9c..47ac9c34 100644 --- a/QuoteGeneration/pccs/middleware/error.js +++ b/QuoteGeneration/pccs/middleware/error.js @@ -35,6 +35,12 @@ import logger from '../utils/Logger.js'; export function errorHandling(err, req, res, next) { if (err instanceof PccsError) res.status(err.status).send(err.message); + else if (err instanceof SyntaxError) { + logger.error(err.stack); + res + .status(PccsStatus.PCCS_STATUS_INVALID_REQ[0]) + .send(PccsStatus.PCCS_STATUS_INVALID_REQ[1]); + } else { logger.error(err.stack); res diff --git a/QuoteGeneration/pccs/middleware/filterDuplicatedParams.js b/QuoteGeneration/pccs/middleware/filterDuplicatedParams.js new file mode 100644 index 00000000..83200d64 --- /dev/null +++ b/QuoteGeneration/pccs/middleware/filterDuplicatedParams.js @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +export default function filterDuplicatedParams(req, res, next) { + const filteredQuery = {}; + + Object.keys(req.query).forEach((key) => { + const value = req.query[key]; + // If the value is an array, take the first element; otherwise, take the value as it is + filteredQuery[key] = Array.isArray(value) ? value[0] : value; + }); + + // Replace the original req.query with the filtered query parameters + req.query = filteredQuery; + + next(); // Proceed to the next middleware or request handler +} diff --git a/QuoteGeneration/pccs/migrations/05_db_version_5.js b/QuoteGeneration/pccs/migrations/05_db_version_5.js new file mode 100644 index 00000000..e90b371a --- /dev/null +++ b/QuoteGeneration/pccs/migrations/05_db_version_5.js @@ -0,0 +1,87 @@ +/* + * Copyright (C) 2011-2021 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +import logger from '../utils/Logger.js'; + +async function up(sequelize) { + await sequelize.transaction(async (t) => { + logger.info('DB Migration (Ver.4 -> 5) -- Start'); + + // update pcs_version table + logger.debug('DB Migration -- Update pcs_version table'); + let sql = 'UPDATE pcs_version SET db_version=5,api_version=4'; + await sequelize.query(sql); + + // update fmspc_tcbs table + // this is done by 1.Create new table 2.Copy data 3.Drop old table 4.Rename new into old + logger.debug('DB Migration -- update fmspc_tcbs'); + sql = + 'CREATE TABLE IF NOT EXISTS fmspc_tcbs_temp (fmspc VARCHAR(255) NOT NULL, type INTEGER NOT NULL, version INTEGER NOT NULL, ' + + ' update_type VARCHAR(255) NOT NULL, tcbinfo BLOB, root_cert_id INTEGER, signing_cert_id INTEGER, ' + + ' created_time DATETIME NOT NULL, updated_time DATETIME NOT NULL, PRIMARY KEY(fmspc, type, version, update_type));'; + await sequelize.query(sql); + + sql = + "INSERT INTO fmspc_tcbs_temp (fmspc, type, version, update_type, tcbinfo, root_cert_id, signing_cert_id, created_time, updated_time) " + + " SELECT fmspc, type, version, 'STANDARD' as update_type, tcbinfo, root_cert_id, signing_cert_id, created_time, updated_time " + + " FROM fmspc_tcbs "; + await sequelize.query(sql); + + sql = 'DROP TABLE fmspc_tcbs'; + await sequelize.query(sql); + + sql = 'ALTER TABLE fmspc_tcbs_temp RENAME TO fmspc_tcbs'; + await sequelize.query(sql); + + // update enclave_identities table + // this is done by 1.Create new table 2.Copy data 3.Drop old table 4.Rename new into old + logger.debug('DB Migration -- update enclave_identities'); + sql = + 'CREATE TABLE IF NOT EXISTS enclave_identities_temp (id INTEGER NOT NULL, version INTEGER NOT NULL, update_type VARCHAR(255) NOT NULL, ' + + ' identity BLOB, root_cert_id INTEGER, signing_cert_id INTEGER, created_time DATETIME NOT NULL, updated_time DATETIME NOT NULL, PRIMARY KEY(id, version, update_type));'; + await sequelize.query(sql); + + sql = + "INSERT INTO enclave_identities_temp (id, version, update_type, identity, root_cert_id, signing_cert_id, created_time, updated_time) " + + " SELECT id, version, 'STANDARD' as update_type, identity, root_cert_id, signing_cert_id, created_time, updated_time " + + " FROM enclave_identities "; + await sequelize.query(sql); + + sql = 'DROP TABLE enclave_identities'; + await sequelize.query(sql); + + sql = 'ALTER TABLE enclave_identities_temp RENAME TO enclave_identities'; + await sequelize.query(sql); + + logger.info('DB Migration -- Done.'); + }); +} + +export default { up }; diff --git a/QuoteGeneration/pccs/package-lock.json b/QuoteGeneration/pccs/package-lock.json index ec51f1bc..e118905e 100644 --- a/QuoteGeneration/pccs/package-lock.json +++ b/QuoteGeneration/pccs/package-lock.json @@ -1,12 +1,12 @@ { "name": "PCCS", - "version": "1.19.0", + "version": "1.21.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "PCCS", - "version": "1.19.0", + "version": "1.21.0", "dependencies": { "@fidm/x509": "^1.2.1", "ajv": "^8.12.0", @@ -15,21 +15,21 @@ "caw": "^2.0.1", "cls-hooked": "^4.2.2", "config": "^3.3.9", - "express": "^4.18.2", + "express": "^4.19.2", "ffi-napi": "^4.0.3", "got": "^11.8.6", "morgan": "^1.10.0", - "mysql2": "^3.5.1", + "mysql2": "^3.9.4", "node-schedule": "^2.1.1", "ref-array-di": "^1.2.2", "ref-napi": "^3.0.3", - "sequelize": "^6.32.1", - "sqlite3": "^5.1.6", + "sequelize": "^6.37.3", + "sqlite3": "^5.1.7", "umzug": "^3.3.0", "winston": "^3.10.0" }, "engines": { - "node": ">= 18.17.0" + "node": ">= 18.17.0 <= 18.19.1 || >= 20.0.0 <= 20.11.1 || >= 21.0.0 <= 21.5.0" } }, "node_modules/@colors/colors": { @@ -76,50 +76,6 @@ "integrity": "sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==", "optional": true }, - "node_modules/@mapbox/node-pre-gyp": { - "version": "1.0.11", - "resolved": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.11.tgz", - "integrity": "sha512-Yhlar6v9WQgUp/He7BdgzOz8lqMQ8sU+jkCq7Wx8Myc5YFJLbEe7lgui/V7G1qB1DJykHSGwreceSaD60Y0PUQ==", - "dependencies": { - "detect-libc": "^2.0.0", - "https-proxy-agent": "^5.0.0", - "make-dir": "^3.1.0", - "node-fetch": "^2.6.7", - "nopt": "^5.0.0", - "npmlog": "^5.0.1", - "rimraf": "^3.0.2", - "semver": "^7.3.5", - "tar": "^6.1.11" - }, - "bin": { - "node-pre-gyp": "bin/node-pre-gyp" - } - }, - "node_modules/@mapbox/node-pre-gyp/node_modules/lru-cache": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", - "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "dependencies": { - "yallist": "^4.0.0" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/@mapbox/node-pre-gyp/node_modules/semver": { - "version": "7.5.4", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", - "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==", - "dependencies": { - "lru-cache": "^6.0.0" - }, - "bin": { - "semver": "bin/semver.js" - }, - "engines": { - "node": ">=10" - } - }, "node_modules/@npmcli/fs": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-1.1.1.tgz", @@ -238,9 +194,9 @@ } }, "node_modules/@types/http-cache-semantics": { - "version": "4.0.2", - "resolved": "https://registry.npmjs.org/@types/http-cache-semantics/-/http-cache-semantics-4.0.2.tgz", - "integrity": "sha512-FD+nQWA2zJjh4L9+pFXqWOi0Hs1ryBCfI+985NjluQ1p8EYtoLvjLOKidXBtZ4/IcxDX4o8/E8qDS3540tNliw==" + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/@types/http-cache-semantics/-/http-cache-semantics-4.0.4.tgz", + "integrity": "sha512-1m0bIFVc7eJWyve9S0RnuRgcQqF/Xd5QsUZAZeQFr1Q3/p9JWoQQEqmVy+DPTNpGXwhgIetAoYF8JSc33q29QA==" }, "node_modules/@types/keyv": { "version": "3.1.4", @@ -261,9 +217,9 @@ "integrity": "sha512-jxiZQFpb+NlH5kjW49vXxvxTjeeqlbsnTAdBTKpzEdPs9itay7MscYXz3Fo9VYFEsfQ6LJFitHad3faerLAjCw==" }, "node_modules/@types/responselike": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.1.tgz", - "integrity": "sha512-TiGnitEDxj2X0j+98Eqk5lv/Cij8oHd32bU4D/Yw6AOq7vvTk0gSD2GPj0G/HkvhMoVsdlhYF4yqqlyPBTM6Sg==", + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.3.tgz", + "integrity": "sha512-H/+L+UkTV33uf49PH5pCAUBVPNj2nDBXTN+qS1dOwyyg24l3CcicicCA7ca+HMvJBZcFgl5r8e+RR6elsb4Lyw==", "dependencies": { "@types/node": "*" } @@ -281,7 +237,8 @@ "node_modules/abbrev": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz", - "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==" + "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==", + "optional": true }, "node_modules/accepts": { "version": "1.3.8", @@ -299,6 +256,7 @@ "version": "6.0.2", "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz", "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==", + "optional": true, "dependencies": { "debug": "4" }, @@ -310,6 +268,7 @@ "version": "4.3.4", "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "optional": true, "dependencies": { "ms": "2.1.2" }, @@ -325,7 +284,8 @@ "node_modules/agent-base/node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "optional": true }, "node_modules/agentkeepalive": { "version": "4.5.0", @@ -387,6 +347,7 @@ "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "optional": true, "engines": { "node": ">=8" } @@ -394,19 +355,8 @@ "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", - "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==" - }, - "node_modules/are-we-there-yet": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-2.0.0.tgz", - "integrity": "sha512-Ci/qENmwHnsYo9xKIcUJN5LeDKdJ6R1Z1j9V/J5wyq8nh/mYPEpIKJbBZXtZjG04HiK7zV/p6Vs9952MrMeUIw==", - "dependencies": { - "delegates": "^1.0.0", - "readable-stream": "^3.6.0" - }, - "engines": { - "node": ">=10" - } + "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", + "optional": true }, "node_modules/argparse": { "version": "1.0.10", @@ -454,6 +404,25 @@ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, + "node_modules/base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, "node_modules/basic-auth": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/basic-auth/-/basic-auth-2.0.1.tgz", @@ -470,6 +439,24 @@ "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, + "node_modules/bindings": { + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz", + "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==", + "dependencies": { + "file-uri-to-path": "1.0.0" + } + }, + "node_modules/bl": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz", + "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==", + "dependencies": { + "buffer": "^5.5.0", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" + } + }, "node_modules/body-parser": { "version": "1.20.2", "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz", @@ -497,11 +484,35 @@ "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "optional": true, "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, + "node_modules/buffer": { + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz", + "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "base64-js": "^1.3.1", + "ieee754": "^1.1.13" + } + }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", @@ -678,6 +689,7 @@ "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", + "optional": true, "bin": { "color-support": "bin.js" } @@ -702,7 +714,8 @@ "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "optional": true }, "node_modules/config": { "version": "3.3.9", @@ -727,7 +740,8 @@ "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", - "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==" + "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", + "optional": true }, "node_modules/content-disposition": { "version": "0.5.4", @@ -749,9 +763,9 @@ } }, "node_modules/cookie": { - "version": "0.5.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz", - "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==", + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", + "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", "engines": { "node": ">= 0.6" } @@ -814,6 +828,14 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/deep-extend": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", + "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==", + "engines": { + "node": ">=4.0.0" + } + }, "node_modules/defer-to-connect": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/defer-to-connect/-/defer-to-connect-2.0.1.tgz", @@ -825,7 +847,8 @@ "node_modules/delegates": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz", - "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==" + "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==", + "optional": true }, "node_modules/denque": { "version": "2.1.0", @@ -853,9 +876,9 @@ } }, "node_modules/detect-libc": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.2.tgz", - "integrity": "sha512-UX6sGumvvqSaXgdKGUsgZWqcUyIXZ/vZTrlRT/iobiKhGL0zL4d3osHj3uqllWJK+i+sixDS/3COVEOFbupFyw==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.3.tgz", + "integrity": "sha512-bwy0MGW55bG41VqxxypOsdSdGqLwXPI/focwgTYCFMbdUiBAxLg9CFzG08sz2aqzknwiX7Hkl0bQENjg8iLByw==", "engines": { "node": ">=8" } @@ -892,7 +915,8 @@ "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "optional": true }, "node_modules/enabled": { "version": "2.0.0", @@ -952,13 +976,14 @@ "optional": true }, "node_modules/es5-ext": { - "version": "0.10.62", - "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.62.tgz", - "integrity": "sha512-BHLqn0klhEpnOKSrzn/Xsz2UIW8j+cGmo9JLzr8BiUapV8hPL9+FliFqjwr9ngW7jWdnxv6eO+/LqyhJVqgrjA==", + "version": "0.10.64", + "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz", + "integrity": "sha512-p2snDhiLaXe6dahss1LddxqEm+SkuDvV8dnIQG0MWjyHpcMNfXKPE+/Cc0y+PhxJX3A4xGNeFCj5oc0BUh6deg==", "hasInstallScript": true, "dependencies": { "es6-iterator": "^2.0.3", "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", "next-tick": "^1.1.0" }, "engines": { @@ -989,6 +1014,25 @@ "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==" }, + "node_modules/esniff": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/esniff/-/esniff-2.0.1.tgz", + "integrity": "sha512-kTUIGKQ/mDPFoJ0oVfcmyJn4iBDRptjNVIzwIFR7tqWXdVI9xfA2RMwY/gbSpJG3lkdWNEjLap/NqVHZiJsdfg==", + "dependencies": { + "d": "^1.0.1", + "es5-ext": "^0.10.62", + "event-emitter": "^0.3.5", + "type": "^2.7.2" + }, + "engines": { + "node": ">=0.10" + } + }, + "node_modules/esniff/node_modules/type": { + "version": "2.7.2", + "resolved": "https://registry.npmjs.org/type/-/type-2.7.2.tgz", + "integrity": "sha512-dzlvlNlt6AXU7EBSfpAscydQ7gXB+pPGsPnfJnZpiNJBDj7IaJzQlBZYGdEi4R9HmPdBv2XmWJ6YUtoTa7lmCw==" + }, "node_modules/etag": { "version": "1.8.1", "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", @@ -997,17 +1041,34 @@ "node": ">= 0.6" } }, + "node_modules/event-emitter": { + "version": "0.3.5", + "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz", + "integrity": "sha512-D9rRn9y7kLPnJ+hMq7S/nhvoKwwvVJahBi2BPmx3bvbsEdK3W9ii8cBSGjP+72/LnM4n6fo3+dkCX5FeTQruXA==", + "dependencies": { + "d": "1", + "es5-ext": "~0.10.14" + } + }, + "node_modules/expand-template": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz", + "integrity": "sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==", + "engines": { + "node": ">=6" + } + }, "node_modules/express": { - "version": "4.18.2", - "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz", - "integrity": "sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ==", + "version": "4.19.2", + "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz", + "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.1", + "body-parser": "1.20.2", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.5.0", + "cookie": "0.6.0", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", @@ -1038,43 +1099,6 @@ "node": ">= 0.10.0" } }, - "node_modules/express/node_modules/body-parser": { - "version": "1.20.1", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz", - "integrity": "sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw==", - "dependencies": { - "bytes": "3.1.2", - "content-type": "~1.0.4", - "debug": "2.6.9", - "depd": "2.0.0", - "destroy": "1.2.0", - "http-errors": "2.0.0", - "iconv-lite": "0.4.24", - "on-finished": "2.4.1", - "qs": "6.11.0", - "raw-body": "2.5.1", - "type-is": "~1.6.18", - "unpipe": "1.0.0" - }, - "engines": { - "node": ">= 0.8", - "npm": "1.2.8000 || >= 1.4.16" - } - }, - "node_modules/express/node_modules/raw-body": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz", - "integrity": "sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig==", - "dependencies": { - "bytes": "3.1.2", - "http-errors": "2.0.0", - "iconv-lite": "0.4.24", - "unpipe": "1.0.0" - }, - "engines": { - "node": ">= 0.8" - } - }, "node_modules/ext": { "version": "1.7.0", "resolved": "https://registry.npmjs.org/ext/-/ext-1.7.0.tgz", @@ -1136,6 +1160,11 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" }, + "node_modules/file-uri-to-path": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", + "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==" + }, "node_modules/finalhandler": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz", @@ -1174,6 +1203,11 @@ "node": ">= 0.6" } }, + "node_modules/fs-constants": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz", + "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==" + }, "node_modules/fs-minipass": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz", @@ -1195,25 +1229,6 @@ "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==" }, - "node_modules/gauge": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/gauge/-/gauge-3.0.2.tgz", - "integrity": "sha512-+5J6MS/5XksCuXq++uFRsnUd7Ovu1XenbeuIuNRJxYWjgQbPuFhT14lAvsWfqfAmnwluf1OwMjz39HjfLPci0Q==", - "dependencies": { - "aproba": "^1.0.3 || ^2.0.0", - "color-support": "^1.1.2", - "console-control-strings": "^1.0.0", - "has-unicode": "^2.0.1", - "object-assign": "^4.1.1", - "signal-exit": "^3.0.0", - "string-width": "^4.2.3", - "strip-ansi": "^6.0.1", - "wide-align": "^1.1.2" - }, - "engines": { - "node": ">=10" - } - }, "node_modules/generate-function": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz", @@ -1274,10 +1289,16 @@ "get-symbol-from-current-process-h": "^1.0.1" } }, + "node_modules/github-from-package": { + "version": "0.0.0", + "resolved": "https://registry.npmjs.org/github-from-package/-/github-from-package-0.0.0.tgz", + "integrity": "sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw==" + }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "optional": true, "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", @@ -1375,7 +1396,8 @@ "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", - "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==" + "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", + "optional": true }, "node_modules/http-cache-semantics": { "version": "4.1.1", @@ -1450,6 +1472,7 @@ "version": "5.0.1", "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz", "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==", + "optional": true, "dependencies": { "agent-base": "6", "debug": "4" @@ -1462,6 +1485,7 @@ "version": "4.3.4", "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "optional": true, "dependencies": { "ms": "2.1.2" }, @@ -1477,7 +1501,8 @@ "node_modules/https-proxy-agent/node_modules/ms": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "optional": true }, "node_modules/humanize-ms": { "version": "1.2.1", @@ -1499,6 +1524,25 @@ "node": ">=0.10.0" } }, + "node_modules/ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, "node_modules/imurmurhash": { "version": "0.1.4", "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", @@ -1551,9 +1595,9 @@ "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==" }, "node_modules/ip": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.0.tgz", - "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz", + "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==", "optional": true }, "node_modules/ipaddr.js": { @@ -1573,6 +1617,7 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "optional": true, "engines": { "node": ">=8" } @@ -1647,9 +1692,9 @@ } }, "node_modules/keyv": { - "version": "4.5.3", - "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.3.tgz", - "integrity": "sha512-QCiSav9WaX1PgETJ+SpNnx2PRRapJ/oRSXM4VO5OGYGSjrxbKPVFVhB3l2OCbLCk329N8qyAtsJjSjvVBWzEug==", + "version": "4.5.4", + "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz", + "integrity": "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==", "dependencies": { "json-buffer": "3.0.1" } @@ -1716,28 +1761,6 @@ "node": ">=12" } }, - "node_modules/make-dir": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-3.1.0.tgz", - "integrity": "sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==", - "dependencies": { - "semver": "^6.0.0" - }, - "engines": { - "node": ">=8" - }, - "funding": { - "url": "https://github.com/sponsors/sindresorhus" - } - }, - "node_modules/make-dir/node_modules/semver": { - "version": "6.3.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", - "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", - "bin": { - "semver": "bin/semver.js" - } - }, "node_modules/make-fetch-happen": { "version": "9.1.0", "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-9.1.0.tgz", @@ -1840,6 +1863,7 @@ "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "optional": true, "dependencies": { "brace-expansion": "^1.1.7" }, @@ -1847,6 +1871,14 @@ "node": "*" } }, + "node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/minipass": { "version": "3.3.6", "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", @@ -1946,6 +1978,11 @@ "node": ">=10" } }, + "node_modules/mkdirp-classic": { + "version": "0.5.3", + "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz", + "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==" + }, "node_modules/moment": { "version": "2.29.4", "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.4.tgz", @@ -1997,9 +2034,9 @@ "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" }, "node_modules/mysql2": { - "version": "3.6.1", - "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.6.1.tgz", - "integrity": "sha512-O7FXjLtNkjcMBpLURwkXIhyVbX9i4lq4nNRCykPNOXfceq94kJ0miagmTEGCZieuO8JtwtXaZ41U6KT4eF9y3g==", + "version": "3.9.4", + "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz", + "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==", "dependencies": { "denque": "^2.1.0", "generate-function": "^2.3.1", @@ -2044,6 +2081,11 @@ "node": ">=12" } }, + "node_modules/napi-build-utils": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/napi-build-utils/-/napi-build-utils-1.0.2.tgz", + "integrity": "sha512-ONmRUqK7zj7DWX0D9ADe03wbwOBZxNAfF20PlGfCWQcD3+/MakShIHrMqx9YwPTfxDdF1zLeL+RGZiR9kGMLdg==" + }, "node_modules/negotiator": { "version": "0.6.3", "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz", @@ -2057,30 +2099,47 @@ "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.1.0.tgz", "integrity": "sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==" }, - "node_modules/node-addon-api": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-3.2.1.tgz", - "integrity": "sha512-mmcei9JghVNDYydghQmeDX8KoAm0FAiYyIcUt/N4nhyAipB17pllZQDOJD2fotxABnt4Mdz+dKTO7eftLg4d0A==" + "node_modules/node-abi": { + "version": "3.57.0", + "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-3.57.0.tgz", + "integrity": "sha512-Dp+A9JWxRaKuHP35H77I4kCKesDy5HUDEmScia2FyncMTOXASMyg251F5PhFoDA5uqBrDDffiLpbqnrZmNXW+g==", + "dependencies": { + "semver": "^7.3.5" + }, + "engines": { + "node": ">=10" + } }, - "node_modules/node-fetch": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", - "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", + "node_modules/node-abi/node_modules/lru-cache": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", + "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", "dependencies": { - "whatwg-url": "^5.0.0" + "yallist": "^4.0.0" }, "engines": { - "node": "4.x || >=6.0.0" + "node": ">=10" + } + }, + "node_modules/node-abi/node_modules/semver": { + "version": "7.6.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz", + "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==", + "dependencies": { + "lru-cache": "^6.0.0" }, - "peerDependencies": { - "encoding": "^0.1.0" + "bin": { + "semver": "bin/semver.js" }, - "peerDependenciesMeta": { - "encoding": { - "optional": true - } + "engines": { + "node": ">=10" } }, + "node_modules/node-addon-api": { + "version": "3.2.1", + "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-3.2.1.tgz", + "integrity": "sha512-mmcei9JghVNDYydghQmeDX8KoAm0FAiYyIcUt/N4nhyAipB17pllZQDOJD2fotxABnt4Mdz+dKTO7eftLg4d0A==" + }, "node_modules/node-gyp": { "version": "8.4.1", "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-8.4.1.tgz", @@ -2206,6 +2265,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz", "integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==", + "optional": true, "dependencies": { "abbrev": "1" }, @@ -2239,25 +2299,6 @@ "node": ">=4" } }, - "node_modules/npmlog": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-5.0.1.tgz", - "integrity": "sha512-AqZtDUWOMKs1G/8lwylVjrdYgqA4d9nu8hc+0gzRxlDb1I10+FHBGMXs6aiQHFdCUUlqH99MUMuLfzWDNDtfxw==", - "dependencies": { - "are-we-there-yet": "^2.0.0", - "console-control-strings": "^1.1.0", - "gauge": "^3.0.0", - "set-blocking": "^2.0.0" - } - }, - "node_modules/object-assign": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", - "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/object-inspect": { "version": "1.12.3", "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.12.3.tgz", @@ -2336,6 +2377,7 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", + "optional": true, "engines": { "node": ">=0.10.0" } @@ -2366,6 +2408,31 @@ "node": ">=12.0.0" } }, + "node_modules/prebuild-install": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.2.tgz", + "integrity": "sha512-UnNke3IQb6sgarcZIDU3gbMeTp/9SSU1DAIkil7PrqG1vZlBtY5msYccSKSHDqa3hNg436IXK+SNImReuA1wEQ==", + "dependencies": { + "detect-libc": "^2.0.0", + "expand-template": "^2.0.3", + "github-from-package": "0.0.0", + "minimist": "^1.2.3", + "mkdirp-classic": "^0.5.3", + "napi-build-utils": "^1.0.1", + "node-abi": "^3.3.0", + "pump": "^3.0.0", + "rc": "^1.2.7", + "simple-get": "^4.0.0", + "tar-fs": "^2.0.0", + "tunnel-agent": "^0.6.0" + }, + "bin": { + "prebuild-install": "bin.js" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/promise-inflight": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/promise-inflight/-/promise-inflight-1.0.1.tgz", @@ -2466,6 +2533,20 @@ "node": ">= 0.8" } }, + "node_modules/rc": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz", + "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==", + "dependencies": { + "deep-extend": "^0.6.0", + "ini": "~1.3.0", + "minimist": "^1.2.0", + "strip-json-comments": "~2.0.1" + }, + "bin": { + "rc": "cli.js" + } + }, "node_modules/readable-stream": { "version": "3.6.2", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", @@ -2600,6 +2681,7 @@ "version": "3.0.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "optional": true, "dependencies": { "glob": "^7.1.3" }, @@ -2684,9 +2766,9 @@ "integrity": "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q==" }, "node_modules/sequelize": { - "version": "6.33.0", - "resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.33.0.tgz", - "integrity": "sha512-GkeCbqgaIcpyZ1EyXrDNIwktbfMldHAGOVXHGM4x8bxGSRAOql5htDWofPvwpfL/FoZ59CaFmfO3Mosv1lDbQw==", + "version": "6.37.3", + "resolved": "https://registry.npmjs.org/sequelize/-/sequelize-6.37.3.tgz", + "integrity": "sha512-V2FTqYpdZjPy3VQrZvjTPnOoLm0KudCRXfGWp48QwhyPPp2yW8z0p0sCYZd/em847Tl2dVxJJ1DR+hF+O77T7A==", "funding": [ { "type": "opencollective", @@ -2815,7 +2897,8 @@ "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", - "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==" + "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", + "optional": true }, "node_modules/setprototypeof": { "version": "1.2.0", @@ -2843,7 +2926,51 @@ "node_modules/signal-exit": { "version": "3.0.7", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", - "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==" + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "optional": true + }, + "node_modules/simple-concat": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.1.tgz", + "integrity": "sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/simple-get": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/simple-get/-/simple-get-4.0.1.tgz", + "integrity": "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "decompress-response": "^6.0.0", + "once": "^1.3.1", + "simple-concat": "^1.0.0" + } }, "node_modules/simple-swizzle": { "version": "0.2.2", @@ -2925,13 +3052,14 @@ "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==" }, "node_modules/sqlite3": { - "version": "5.1.6", - "resolved": "https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.6.tgz", - "integrity": "sha512-olYkWoKFVNSSSQNvxVUfjiVbz3YtBwTJj+mfV5zpHmqW3sELx2Cf4QCdirMelhM5Zh+KDVaKgQHqCxrqiWHybw==", + "version": "5.1.7", + "resolved": "https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.7.tgz", + "integrity": "sha512-GGIyOiFaG+TUra3JIfkI/zGP8yZYLPQ0pl1bH+ODjiX57sPhrLU5sQJn1y9bDKZUFYkX1crlrPfSYt0BKKdkog==", "hasInstallScript": true, "dependencies": { - "@mapbox/node-pre-gyp": "^1.0.0", - "node-addon-api": "^4.2.0", + "bindings": "^1.5.0", + "node-addon-api": "^7.0.0", + "prebuild-install": "^7.1.1", "tar": "^6.1.11" }, "optionalDependencies": { @@ -2947,9 +3075,12 @@ } }, "node_modules/sqlite3/node_modules/node-addon-api": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-4.3.0.tgz", - "integrity": "sha512-73sE9+3UaLYYFmDsFZnqCInzPyh3MqIwZO9cw58yIqAZhONrrabrYyYe3TuIqtIiOuTXVhsGau8hcrhhwSsDIQ==" + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.0.tgz", + "integrity": "sha512-mNcltoe1R8o7STTegSOHdnJNN7s5EUvhoS7ShnTHDyOSd+8H+UdWODq6qSv67PjC8Zc5JRT8+oLAMCr0SIXw7g==", + "engines": { + "node": "^16 || ^18 || >= 20" + } }, "node_modules/sqlstring": { "version": "2.3.3", @@ -3012,6 +3143,7 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -3025,6 +3157,7 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, @@ -3032,10 +3165,18 @@ "node": ">=8" } }, + "node_modules/strip-json-comments": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz", + "integrity": "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ==", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/tar": { - "version": "6.2.0", - "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.0.tgz", - "integrity": "sha512-/Wo7DcT0u5HUV486xg675HtjNd3BXZ6xDbzsCUZPt5iw8bTQ63bP0Raut3mvro9u+CUyq7YQd8Cx55fsZXxqLQ==", + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz", + "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==", "dependencies": { "chownr": "^2.0.0", "fs-minipass": "^2.0.0", @@ -3048,6 +3189,37 @@ "node": ">=10" } }, + "node_modules/tar-fs": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz", + "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==", + "dependencies": { + "chownr": "^1.1.1", + "mkdirp-classic": "^0.5.2", + "pump": "^3.0.0", + "tar-stream": "^2.1.4" + } + }, + "node_modules/tar-fs/node_modules/chownr": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz", + "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==" + }, + "node_modules/tar-stream": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz", + "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==", + "dependencies": { + "bl": "^4.0.3", + "end-of-stream": "^1.4.1", + "fs-constants": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.1.1" + }, + "engines": { + "node": ">=6" + } + }, "node_modules/tar/node_modules/minipass": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz", @@ -3074,11 +3246,6 @@ "resolved": "https://registry.npmjs.org/toposort-class/-/toposort-class-1.0.1.tgz", "integrity": "sha512-OsLcGGbYF3rMjPUf8oKktyvCiUxSbqMMS39m33MAjLTC1DVIH6x3WSt63/M77ihI09+Sdfk1AXvfhCEeUmC7mg==" }, - "node_modules/tr46": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" - }, "node_modules/triple-beam": { "version": "1.4.1", "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.4.1.tgz", @@ -3262,20 +3429,6 @@ "node": ">= 0.8" } }, - "node_modules/webidl-conversions": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" - }, - "node_modules/whatwg-url": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", - "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "dependencies": { - "tr46": "~0.0.3", - "webidl-conversions": "^3.0.0" - } - }, "node_modules/which": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", @@ -3295,6 +3448,7 @@ "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", + "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } diff --git a/QuoteGeneration/pccs/package.json b/QuoteGeneration/pccs/package.json index 10ebb572..5fee15b2 100644 --- a/QuoteGeneration/pccs/package.json +++ b/QuoteGeneration/pccs/package.json @@ -11,21 +11,21 @@ "caw": "^2.0.1", "cls-hooked": "^4.2.2", "config": "^3.3.9", - "express": "^4.18.2", + "express": "^4.19.2", "ffi-napi": "^4.0.3", "got": "^11.8.6", "morgan": "^1.10.0", - "mysql2": "^3.5.1", + "mysql2": "^3.9.4", "node-schedule": "^2.1.1", "ref-array-di": "^1.2.2", "ref-napi": "^3.0.3", - "sequelize": "^6.32.1", - "sqlite3": "^5.1.6", + "sequelize": "^6.37.3", + "sqlite3": "^5.1.7", "umzug": "^3.3.0", "winston": "^3.10.0" }, "engines": { - "node": ">= 18.17.0" + "node": ">= 18.17.0 <= 18.19.1 || >= 20.0.0 <= 20.11.1 || >= 21.0.0 <= 21.5.0" }, "scripts": { "start": "node pccs_server.js", diff --git a/QuoteGeneration/pccs/pccs_server.js b/QuoteGeneration/pccs/pccs_server.js index f132dcc1..3b1aa794 100644 --- a/QuoteGeneration/pccs/pccs_server.js +++ b/QuoteGeneration/pccs/pccs_server.js @@ -42,6 +42,7 @@ import * as https from 'https'; import * as auth from './middleware/auth.js'; import * as error from './middleware/error.js'; import addRequestId from './middleware/addRequestId.js'; +import filterDuplicatedParams from './middleware/filterDuplicatedParams.js'; import * as refreshService from './services/refreshService.js'; import * as appUtil from './utils/apputil.js'; import { cachingModeManager } from './services/caching_modes/cachingModeManager.js'; @@ -87,6 +88,7 @@ async function initializeApp() { function configureMiddlewareAndRoutes() { app.use(morgan('combined', { stream: logger.stream })); app.use(addRequestId); + app.use(filterDuplicatedParams); app.use(body_parser.urlencoded({ extended: true })); app.use(body_parser.json({ limit: '200000kb' })); diff --git a/QuoteGeneration/pccs/pcs_client/pcs_client.js b/QuoteGeneration/pccs/pcs_client/pcs_client.js index 3bea2fa7..cf675a89 100644 --- a/QuoteGeneration/pccs/pcs_client/pcs_client.js +++ b/QuoteGeneration/pccs/pcs_client/pcs_client.js @@ -162,14 +162,20 @@ export async function getPckCrl(ca) { return do_request(Config.get('uri') + 'pckcrl', options); } -export async function getTcb(type, fmspc, version) { +export async function getTcb(type, fmspc, version, update_type) { if (type != Constants.PROD_TYPE_SGX && type != Constants.PROD_TYPE_TDX) { throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); } + if (update_type != Constants.UPDATE_TYPE_STANDARD && update_type != Constants.UPDATE_TYPE_EARLY) { + throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); + } + let update = update_type === Constants.UPDATE_TYPE_EARLY ? 'early' : 'standard'; + const options = { searchParams: { fmspc: fmspc, + update: update }, method: 'GET', }; @@ -187,7 +193,7 @@ export async function getTcb(type, fmspc, version) { return do_request(uri, options); } -export async function getEnclaveIdentity(enclave_id, version) { +export async function getEnclaveIdentity(enclave_id, version, update_type) { if ( enclave_id != Constants.QE_IDENTITY_ID && enclave_id != Constants.QVE_IDENTITY_ID && @@ -195,9 +201,15 @@ export async function getEnclaveIdentity(enclave_id, version) { ) { throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); } + if (update_type != Constants.UPDATE_TYPE_STANDARD && update_type != Constants.UPDATE_TYPE_EARLY) { + throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); + } + let update = update_type === Constants.UPDATE_TYPE_EARLY ? 'early' : 'standard'; const options = { - searchParams: {}, + searchParams: { + update: update + }, method: 'GET', }; diff --git a/QuoteGeneration/pccs/services/caching_modes/cachingMode.js b/QuoteGeneration/pccs/services/caching_modes/cachingMode.js index e2a27eb8..7fd6a5cd 100644 --- a/QuoteGeneration/pccs/services/caching_modes/cachingMode.js +++ b/QuoteGeneration/pccs/services/caching_modes/cachingMode.js @@ -72,7 +72,7 @@ class CachingMode { throw new PccsError(PccsStatus.PCCS_STATUS_PLATFORM_UNKNOWN); } - async getEnclaveIdentityFromPCS(enclave_id, version) { + async getEnclaveIdentityFromPCS(enclave_id, version, update_type) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } @@ -84,7 +84,7 @@ class CachingMode { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } - async getTcbInfoFromPCS(type, fmspc, version) { + async getTcbInfoFromPCS(type, fmspc, version, update_type) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } @@ -92,7 +92,7 @@ class CachingMode { return false; } - async registerPlatforms(regDataJson) {} + async registerPlatforms(isCached, regDataJson, update) {} async processNotAvailableTcbs( qeid, @@ -133,8 +133,8 @@ export class LazyCachingMode extends CachingMode { ); } - async getEnclaveIdentityFromPCS(enclave_id, version) { - return await CommonCacheLogic.getEnclaveIdentityFromPCS(enclave_id, version); + async getEnclaveIdentityFromPCS(enclave_id, version, update_type) { + return await CommonCacheLogic.getEnclaveIdentityFromPCS(enclave_id, version, update_type); } async getPckCrlFromPCS(ca) { @@ -149,15 +149,15 @@ export class LazyCachingMode extends CachingMode { return await CommonCacheLogic.getCrlFromPCS(uri); } - async getTcbInfoFromPCS(type, fmspc, version) { - return await CommonCacheLogic.getTcbInfoFromPCS(type, fmspc, version); + async getTcbInfoFromPCS(type, fmspc, version, update_type) { + return await CommonCacheLogic.getTcbInfoFromPCS(type, fmspc, version, update_type); } isRefreshable() { return true; } - async registerPlatforms(isCached, regDataJson) { + async registerPlatforms(isCached, regDataJson, update) { if (!isCached) { // Get PCK certs from Intel PCS if not cached await CommonCacheLogic.getPckCertFromPCS( @@ -170,7 +170,7 @@ export class LazyCachingMode extends CachingMode { ); } // Get other collaterals if not cached - await checkQuoteVerificationCollateral(); + await checkQuoteVerificationCollateral(update); } async processNotAvailableTcbs( @@ -193,7 +193,7 @@ export class ReqCachingMode extends CachingMode { return true; } - async registerPlatforms(isCached, regDataJson) { + async registerPlatforms(isCached, regDataJson, update) { if (!isCached) { // For REQ mode, add registration entry first, and delete it after the collaterals are retrieved await platformsRegDao.registerPlatform( @@ -218,7 +218,7 @@ export class ReqCachingMode extends CachingMode { ); } // Get other collaterals if not cached - await checkQuoteVerificationCollateral(); + await checkQuoteVerificationCollateral(update); } async processNotAvailableTcbs( @@ -251,7 +251,7 @@ export class ReqCachingMode extends CachingMode { ////////////////////////////////////////////////////////////////////// export class OfflineCachingMode extends CachingMode { - async registerPlatforms(isCached, regDataJson) { + async registerPlatforms(isCached, regDataJson, update) { if (!isCached) { // add to registration table await platformsRegDao.registerPlatform( diff --git a/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js b/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js index e0443ce0..04c627c7 100644 --- a/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js +++ b/QuoteGeneration/pccs/services/caching_modes/cachingModeManager.js @@ -61,8 +61,8 @@ class CachingModeManager { ); } - async getEnclaveIdentityFromPCS(enclave_id, version) { - return this._mode.getEnclaveIdentityFromPCS(enclave_id, version); + async getEnclaveIdentityFromPCS(enclave_id, version, update_type) { + return this._mode.getEnclaveIdentityFromPCS(enclave_id, version, update_type); } async getPckCrlFromPCS(ca) { @@ -73,16 +73,16 @@ class CachingModeManager { return this._mode.getRootCACrlFromPCS(rootca); } - async getTcbInfoFromPCS(type, fmspc, version) { - return this._mode.getTcbInfoFromPCS(type, fmspc, version); + async getTcbInfoFromPCS(type, fmspc, version, update_type) { + return this._mode.getTcbInfoFromPCS(type, fmspc, version, update_type); } isRefreshable() { return this._mode.isRefreshable(); } - async registerPlatforms(isCached, regDataJson) { - return this._mode.registerPlatforms(isCached, regDataJson); + async registerPlatforms(isCached, regDataJson, update) { + return this._mode.registerPlatforms(isCached, regDataJson, update); } async processNotAvailableTcbs( diff --git a/QuoteGeneration/pccs/services/identityService.js b/QuoteGeneration/pccs/services/identityService.js index 755ba43b..a22ca03b 100644 --- a/QuoteGeneration/pccs/services/identityService.js +++ b/QuoteGeneration/pccs/services/identityService.js @@ -32,15 +32,16 @@ import Constants from '../constants/index.js'; import * as enclaveIdentityDao from '../dao/enclaveIdentityDao.js'; import { cachingModeManager } from './caching_modes/cachingModeManager.js'; -export async function getEnclaveIdentity(enclave_id, version) { +export async function getEnclaveIdentity(enclave_id, version, update_type) { // query enclave identity from local database first const enclaveIdentity = await enclaveIdentityDao.getEnclaveIdentity( enclave_id, - version + version, + update_type ); let result = {}; if (enclaveIdentity == null) { - result = await cachingModeManager.getEnclaveIdentityFromPCS(enclave_id, version); + result = await cachingModeManager.getEnclaveIdentityFromPCS(enclave_id, version, update_type); } else { result[Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN] = enclaveIdentity.signing_cert + enclaveIdentity.root_cert; diff --git a/QuoteGeneration/pccs/services/logic/commonCacheLogic.js b/QuoteGeneration/pccs/services/logic/commonCacheLogic.js index 76aedf6d..6cb6e629 100644 --- a/QuoteGeneration/pccs/services/logic/commonCacheLogic.js +++ b/QuoteGeneration/pccs/services/logic/commonCacheLogic.js @@ -48,6 +48,93 @@ import * as appUtil from '../../utils/apputil.js'; import { sequelize } from '../../dao/models/index.js'; import { cachingModeManager } from '../caching_modes/cachingModeManager.js'; +async function getPckServerResponse(platform_manifest, enc_ppid, pceid) { + if (platform_manifest) { + return pcsClient.getCertsWithManifest(platform_manifest, pceid); + } else if (enc_ppid && enc_ppid.match(/^0+$/)) { + throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); + } else { + return pcsClient.getCerts(enc_ppid, pceid); + } +} + +function filterPckCerts(pckcerts) { + const pckcerts_not_available = pckcerts.filter(pckCert => pckCert.cert === 'Not available'); + const pckcerts_valid = pckcerts.filter(pckCert => pckCert.cert !== 'Not available'); + return { pckcerts_valid, pckcerts_not_available }; +} + +function getFmspcAndCaType(pck_server_res) { + let fmspc = pcsClient.getHeaderValue(pck_server_res.headers, Constants.SGX_FMSPC); + let ca_type = pcsClient.getHeaderValue(pck_server_res.headers, Constants.SGX_PCK_CERTIFICATE_CA_TYPE); + if (!fmspc || !ca_type) { + throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); + } + fmspc = fmspc.toUpperCase(); + ca_type = ca_type.toUpperCase() + return { fmspc, ca_type }; +} + +async function getTcbInfo(type, fmspc, version, update_type) { + const pckServerRes = await pcsClient.getTcb(type, fmspc, version, update_type); + if (pckServerRes.statusCode == Constants.HTTP_SUCCESS) { + return { + tcbinfo: pckServerRes.rawBody, + tcbinfo_str: pckServerRes.body, + tcbinfo_issuer_chain: pcsClient.getHeaderValue( + pckServerRes.headers, + appUtil.getTcbInfoIssuerChainName(version) + ) + }; + } + else { + return null; + } +} + +function parsePckServerResponseBody(body) { + if (typeof body === 'object') { + return body; + } else if (typeof body === 'string') { + return JSON.parse(body); + } else { + throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); + } +} + +async function fetchTcbInfo(fmspc) { + const tcbInfos = {}; + // Fetch SGX TCB info + tcbInfos.sgx_early = await getTcbInfo(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_EARLY); + tcbInfos.sgx_standard = await getTcbInfo(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_STANDARD); + + if (!tcbInfos.sgx_standard) { + throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); + } + + // Fetch TDX TCB info if applicable + if (global.PCS_VERSION >= 4) { + tcbInfos.tdx_early = await getTcbInfo(Constants.PROD_TYPE_TDX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_EARLY); + tcbInfos.tdx_standard = await getTcbInfo(Constants.PROD_TYPE_TDX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_STANDARD); + } + + return tcbInfos; +} + +async function upsertTcbInfos(tcbInfos, fmspc, {transaction}) { + for (const [key, tcbInfo] of Object.entries(tcbInfos)) { + if (tcbInfo) { + await fmspcTcbDao.upsertFmspcTcb({ + type: key.includes('sgx') ? Constants.PROD_TYPE_SGX : Constants.PROD_TYPE_TDX, + fmspc: tcbInfo.fmspc || fmspc, + version: global.PCS_VERSION, + tcbinfo: tcbInfo.tcbinfo, + update_type: key.includes('early') ? Constants.UPDATE_TYPE_EARLY : Constants.UPDATE_TYPE_STANDARD + }, {transaction}); + } + } +} + // Try to get PCK certs from Intel PCS for the platform with {pce_id, platform_manifest}, // and if platform manifest is not provided, then use {pce_id, enc_ppid} instead. // Refresh the cache DB after a successful PCK certs retrieval. @@ -66,23 +153,7 @@ export async function getPckCertFromPCS( throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - let pck_server_res; - if (platform_manifest) { - // if platform manifest is provided, will call Intel PCS API with platform manifest - pck_server_res = await pcsClient.getCertsWithManifest( - platform_manifest, - pceid - ); - } else { - // if enc_ppid is all zero, return NO_CACHE_DATA - if (enc_ppid.match(/^0+$/)) { - throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); - } - - // Call Intel PCS API with encrypted PPID - pck_server_res = await pcsClient.getCerts(enc_ppid, pceid); - } - + let pck_server_res = await getPckServerResponse(platform_manifest, enc_ppid, pceid); // check HTTP status if (pck_server_res.statusCode != Constants.HTTP_SUCCESS) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); @@ -95,19 +166,10 @@ export async function getPckCertFromPCS( ); // Parse the response body - let pckcerts = null; - if (typeof pck_server_res.body === 'object') { - pckcerts = pck_server_res.body; - } else if (typeof pck_server_res.body === 'string') { - pckcerts = JSON.parse(pck_server_res.body); - } else { - throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); - } + let pckcerts = parsePckServerResponseBody(pck_server_res.body); // The latest PCS service may return 'Not available' in the certs array, need to filter them out - let pckcerts_not_available = pckcerts.filter((pckcert) => { - return pckcert.cert == 'Not available'; - }); + const { pckcerts_valid, pckcerts_not_available } = filterPckCerts(pckcerts); await cachingModeManager.processNotAvailableTcbs( qeid, pceid, @@ -116,130 +178,64 @@ export async function getPckCertFromPCS( pckcerts_not_available ); - // Certificates that are valid - let pckcerts_valid = pckcerts.filter((pckcert) => { - return pckcert.cert != 'Not available'; - }); if (pckcerts_valid.length == 0) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } // Make PEM certificates array let pem_certs = pckcerts_valid.map((o) => decodeURIComponent(o.cert)); + const { fmspc, ca_type } = getFmspcAndCaType(pck_server_res); - // Get fmspc and ca type from response header - const fmspc = pcsClient - .getHeaderValue(pck_server_res.headers, Constants.SGX_FMSPC) - .toUpperCase(); - const ca_type = pcsClient - .getHeaderValue( - pck_server_res.headers, - Constants.SGX_PCK_CERTIFICATE_CA_TYPE - ) - .toUpperCase(); - - if (fmspc == null || ca_type == null) { - throw new PccsError(PccsStatus.PCCS_STATUS_INTERNAL_ERROR); - } - - // get SGX tcbinfo for this fmspc - pck_server_res = await pcsClient.getTcb(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION); - if (pck_server_res.statusCode != Constants.HTTP_SUCCESS) { - throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); - } - const tcbinfo = pck_server_res.rawBody; - const tcbinfo_str = pck_server_res.body; - const tcbinfo_issuer_chain = pcsClient.getHeaderValue( - pck_server_res.headers, - appUtil.getTcbInfoIssuerChainName(global.PCS_VERSION) - ); - - // also get TDX tcbinfo for this fmspc if it exists - let tcbinfo_tdx = null; - if (global.PCS_VERSION >= 4) { - pck_server_res = await pcsClient.getTcb(Constants.PROD_TYPE_TDX, fmspc, global.PCS_VERSION); - if (pck_server_res.statusCode == Constants.HTTP_SUCCESS) { - tcbinfo_tdx = pck_server_res.rawBody; - } - } + // get tcbInfos for this fmspc + const tcb_infos = await fetchTcbInfo(fmspc); + let tcb_info_str = tcb_infos.sgx_early ? tcb_infos.sgx_early.tcbinfo_str : tcb_infos.sgx_standard.tcbinfo_str; // Before we flush the caching database, get current raw TCBs that are already cached // We need to re-run PCK cert selection tool for existing raw TCB levels due to certs change - let cached_platform_tcbs = await platformTcbsDao.getPlatformTcbsById( - qeid, - pceid - ); + let cached_platform_tcbs = await platformTcbsDao.getPlatformTcbsById(qeid, pceid); + // Database operations await sequelize.transaction(async (t) => { - // Update the platform entry in the cache - await platformsDao.upsertPlatform( - qeid, - pceid, - platform_manifest, - enc_ppid, - fmspc, - ca_type - ); + await platformsDao.upsertPlatform(qeid, pceid, platform_manifest, enc_ppid, fmspc, ca_type, {transaction: t}); - // flush pck_cert - await pckcertDao.deleteCerts(qeid, pceid); - for (const pckcert of pckcerts_valid) { - await pckcertDao.upsertPckCert( - qeid, - pceid, - pckcert.tcbm, - decodeURIComponent(pckcert.cert) - ); - } + await pckcertDao.deleteCerts(qeid, pceid, {transaction: t}); + await Promise.all(pckcerts_valid.map(pckcert => + pckcertDao.upsertPckCert(qeid, pceid, pckcert.tcbm, decodeURIComponent(pckcert.cert), {transaction: t}) + )); - // delete old TCB mappings - await platformTcbsDao.deletePlatformTcbsById(qeid, pceid); + await platformTcbsDao.deletePlatformTcbsById(qeid, pceid, {transaction: t}); - // Update or insert fmspc_tcbs - await fmspcTcbDao.upsertFmspcTcb({ - type: Constants.PROD_TYPE_SGX, - fmspc: fmspc, - version: global.PCS_VERSION, - tcbinfo: tcbinfo, - }); - if (tcbinfo_tdx) { - await fmspcTcbDao.upsertFmspcTcb({ - type: Constants.PROD_TYPE_TDX, - fmspc: fmspc, - version: global.PCS_VERSION, - tcbinfo: tcbinfo_tdx, - }); - } - // Update or insert PCK Certchain - await pckCertchainDao.upsertPckCertchain(ca_type); - // Update or insert PCS certificates - await pcsCertificatesDao.upsertPckCertificateIssuerChain( - ca_type, - pck_certchain - ); - await pcsCertificatesDao.upsertTcbInfoIssuerChain(tcbinfo_issuer_chain); + // Upsert TCB infos + await upsertTcbInfos(tcb_infos, fmspc, {transaction: t}); - // For all cached TCB levels, re-run PCK cert selection tool + await pckCertchainDao.upsertPckCertchain(ca_type, {transaction: t}); + await pcsCertificatesDao.upsertPckCertificateIssuerChain(ca_type, pck_certchain, {transaction: t}); + await pcsCertificatesDao.upsertTcbInfoIssuerChain(tcb_infos.sgx_standard.tcbinfo_issuer_chain, {transaction: t}); + + // Re-run PCK cert selection tool for all cached TCB levels for (const platform_tcb of cached_platform_tcbs) { let cert_index = pckLibWrapper.pck_cert_select( platform_tcb.cpu_svn, platform_tcb.pce_svn, platform_tcb.pce_id, - tcbinfo_str, + tcb_info_str, pem_certs, pem_certs.length ); + if (cert_index == -1) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } + await platformTcbsDao.upsertPlatformTcbs( platform_tcb.qe_id, platform_tcb.pce_id, platform_tcb.cpu_svn, platform_tcb.pce_svn, - pckcerts_valid[cert_index].tcbm + pckcerts_valid[cert_index].tcbm, + { transaction: t } ); - } + } }); if (!cpusvn || !pcesvn) return {}; // end here if raw TCB not provided @@ -248,7 +244,7 @@ export async function getPckCertFromPCS( cpusvn, pcesvn, pceid, - tcbinfo_str, + tcb_info_str, pem_certs, pem_certs.length ); @@ -308,8 +304,8 @@ export async function getPckCrlFromPCS(ca) { return result; } -export async function getTcbInfoFromPCS(type, fmspc, version) { - const pck_server_res = await pcsClient.getTcb(type, fmspc, version); +export async function getTcbInfoFromPCS(type, fmspc, version, update_type) { + const pck_server_res = await pcsClient.getTcb(type, fmspc, version, update_type); if (pck_server_res.statusCode != Constants.HTTP_SUCCESS) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); @@ -329,6 +325,7 @@ export async function getTcbInfoFromPCS(type, fmspc, version) { type: type, fmspc: fmspc, version: version, + update_type: update_type, tcbinfo: result['tcbinfo'], }); // update or insert certificate chain @@ -338,8 +335,8 @@ export async function getTcbInfoFromPCS(type, fmspc, version) { return result; } -export async function getEnclaveIdentityFromPCS(enclave_id, version) { - const pck_server_res = await pcsClient.getEnclaveIdentity(enclave_id, version); +export async function getEnclaveIdentityFromPCS(enclave_id, version, update_type) { + const pck_server_res = await pcsClient.getEnclaveIdentity(enclave_id, version, update_type); if (pck_server_res.statusCode != Constants.HTTP_SUCCESS) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); @@ -358,7 +355,8 @@ export async function getEnclaveIdentityFromPCS(enclave_id, version) { await enclaveIdentityDao.upsertEnclaveIdentity( enclave_id, pck_server_res.rawBody, - version + version, + update_type ); // update or insert certificate chain await pcsCertificatesDao.upsertEnclaveIdentityIssuerChain( @@ -378,7 +376,8 @@ export async function getRootCACrlFromPCS(rootca) { // Root Cert not cached const pck_server_res = await pcsClient.getEnclaveIdentity( Constants.QE_IDENTITY_ID, - global.PCS_VERSION + global.PCS_VERSION, + Constants.UPDATE_TYPE_STANDARD ); if (pck_server_res.statusCode == Constants.HTTP_SUCCESS) { // update certificates diff --git a/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js b/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js index 80e1bee5..a83dbc22 100644 --- a/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js +++ b/QuoteGeneration/pccs/services/logic/qvCollateralLogic.js @@ -34,72 +34,56 @@ import * as enclaveIdentityDao from '../../dao/enclaveIdentityDao.js'; import * as pckcrlDao from '../../dao/pckcrlDao.js'; import * as CommonCacheLogic from './commonCacheLogic.js'; -export async function checkQuoteVerificationCollateral() { - // pck crl - let pckcrl = await pckcrlDao.getPckCrl(Constants.CA_PROCESSOR); - if (pckcrl == null) { - await CommonCacheLogic.getPckCrlFromPCS(Constants.CA_PROCESSOR); - } - pckcrl = await pckcrlDao.getPckCrl(Constants.CA_PLATFORM); - if (pckcrl == null) { - await CommonCacheLogic.getPckCrlFromPCS(Constants.CA_PLATFORM); +async function fetchWithFallback(daoMethod, pcsMethod, ...args) { + let result = await daoMethod(...args); + if (result == null) { + await pcsMethod(...args); } +} - // QE identity - const qeid = await enclaveIdentityDao.getEnclaveIdentity( - Constants.QE_IDENTITY_ID, - global.PCS_VERSION - ); - if (qeid == null) { - await CommonCacheLogic.getEnclaveIdentityFromPCS( - Constants.QE_IDENTITY_ID, - global.PCS_VERSION - ); - } - // QVE identity - const qveid = await enclaveIdentityDao.getEnclaveIdentity( - Constants.QVE_IDENTITY_ID, - global.PCS_VERSION - ); - if (qveid == null) { - await CommonCacheLogic.getEnclaveIdentityFromPCS( - Constants.QVE_IDENTITY_ID, - global.PCS_VERSION - ); +export async function checkQuoteVerificationCollateral(update) { + await fetchWithFallback(pckcrlDao.getPckCrl, CommonCacheLogic.getPckCrlFromPCS, Constants.CA_PROCESSOR); + await fetchWithFallback(pckcrlDao.getPckCrl, CommonCacheLogic.getPckCrlFromPCS, Constants.CA_PLATFORM); + + const pcsVersion = global.PCS_VERSION; + const identityTypes = [Constants.QE_IDENTITY_ID, Constants.QVE_IDENTITY_ID]; + let updateTypes = []; + + if (update === Constants.UPDATE_TYPE_STANDARD) { + updateTypes = [Constants.UPDATE_TYPE_STANDARD]; + } else if (update === Constants.UPDATE_TYPE_EARLY) { + updateTypes = [Constants.UPDATE_TYPE_EARLY]; + } else if (update === Constants.UPDATE_TYPE_ALL) { + updateTypes = [Constants.UPDATE_TYPE_EARLY, Constants.UPDATE_TYPE_STANDARD]; + } else { + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } + // Fetching for both versions 3 and 4 if PCS_VERSION is 4 + const versionsToFetch = pcsVersion === 4 ? [3, 4] : [pcsVersion]; - if (global.PCS_VERSION == 4) { - // QE identity v3 - const qeid = await enclaveIdentityDao.getEnclaveIdentity( - Constants.QE_IDENTITY_ID, - 3 - ); - if (qeid == null) { - await CommonCacheLogic.getEnclaveIdentityFromPCS( - Constants.QE_IDENTITY_ID, - 3 - ); - } - // QVE identity v3 - const qveid = await enclaveIdentityDao.getEnclaveIdentity( - Constants.QVE_IDENTITY_ID, - 3 - ); - if (qveid == null) { - await CommonCacheLogic.getEnclaveIdentityFromPCS( - Constants.QVE_IDENTITY_ID, - 3 - ); + for (const id of identityTypes) { + for (const version of versionsToFetch) { + for (const updateType of updateTypes) { + await fetchWithFallback( + enclaveIdentityDao.getEnclaveIdentity, + CommonCacheLogic.getEnclaveIdentityFromPCS, + id, + version, + updateType + ); + } } - // TD QE identity v4 - const tdqeid = await enclaveIdentityDao.getEnclaveIdentity( - Constants.TDQE_IDENTITY_ID, - 4 - ); - if (tdqeid == null) { - await CommonCacheLogic.getEnclaveIdentityFromPCS( - Constants.TDQE_IDENTITY_ID, - 4 + } + + // Additional identity type to fetch if PCS_VERSION is 4 + if (pcsVersion === 4) { + for (const updateType of updateTypes) { + await fetchWithFallback( + enclaveIdentityDao.getEnclaveIdentity, + CommonCacheLogic.getEnclaveIdentityFromPCS, + Constants.TDQE_IDENTITY_ID, + 4, + updateType ); } } diff --git a/QuoteGeneration/pccs/services/pccs_schemas.js b/QuoteGeneration/pccs/services/pccs_schemas.js index d2466240..9cf9c171 100644 --- a/QuoteGeneration/pccs/services/pccs_schemas.js +++ b/QuoteGeneration/pccs/services/pccs_schemas.js @@ -385,15 +385,15 @@ export const PLATFORM_COLLATERAL_SCHEMA_V3 = { } } }, - "signature": { - "type": "string" - } }, - "required": ["tcbInfo", "signature"] - } + "signature": { + "type": "string" + }, + }, + "required": ["tcbInfo","signature"] } }, - "required": ["fmspc", "tcbinfo"] + "required": ["fmspc"] } }, "pckcacrl": { diff --git a/QuoteGeneration/pccs/services/pckcertService.js b/QuoteGeneration/pccs/services/pckcertService.js index 30c6e69f..e8747cd9 100644 --- a/QuoteGeneration/pccs/services/pckcertService.js +++ b/QuoteGeneration/pccs/services/pckcertService.js @@ -60,7 +60,10 @@ export async function pckCertSelection( } // Always use SGX tcb info for PCK cert selection - let tcbinfo = await fmspcTcbDao.getTcbInfo(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION); + let tcbinfo = await fmspcTcbDao.getTcbInfo(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_EARLY); + if (tcbinfo == null) { + tcbinfo = await fmspcTcbDao.getTcbInfo(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_STANDARD); + } if (tcbinfo == null || tcbinfo.tcbinfo == null) throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); diff --git a/QuoteGeneration/pccs/services/platformCollateralService.js b/QuoteGeneration/pccs/services/platformCollateralService.js index ed523e0c..84c6474d 100644 --- a/QuoteGeneration/pccs/services/platformCollateralService.js +++ b/QuoteGeneration/pccs/services/platformCollateralService.js @@ -65,291 +65,262 @@ function verify_cert(root1, root2) { return true; } -export async function addPlatformCollateral(collateralJson, version) { - return await sequelize.transaction(async (t) => { - //check parameters - let validate; - let valid; - if (version < 4) { - validate = ajv.compile(PLATFORM_COLLATERAL_SCHEMA_V3); - } - else { - validate = ajv.compile(PLATFORM_COLLATERAL_SCHEMA_V4); - } - valid = validate(collateralJson); - if (!valid) { - for (const err of validate.errors) { - logger.error(err.schemaPath); - logger.error(err.message); - } +async function upsertIdentity(identityType, identity, version, updateType) { + if (identity) { + await enclaveIdentityDao.upsertEnclaveIdentity( + identityType, + identity, + version, + updateType + ); + } +} + +async function validateCollateral(collateralJson, version) { + const schema = version < 4 ? PLATFORM_COLLATERAL_SCHEMA_V3 : PLATFORM_COLLATERAL_SCHEMA_V4; + const validate = ajv.compile(schema); + const valid = validate(collateralJson); + + if (!valid) { + validate.errors.forEach(err => { + logger.error(err.schemaPath); + logger.error(err.message); + }); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } +} + +async function processPckCerts(collateralJson, version) { + const { platforms, collaterals } = collateralJson; + + for (const platformCerts of collaterals.pck_certs) { + const { qe_id: rawQeId, pce_id: rawPceId, certs } = platformCerts; + const qeId = toUpper(rawQeId); + const pceId = toUpper(rawPceId); + + if (!certs || certs.length === 0) { throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - // process the collaterals - let platforms = collateralJson.platforms; - let collaterals = collateralJson.collaterals; - let tcbinfos = collaterals.tcbinfos; - - // For every platform we have a set of PCK certs - for (const platform_certs of collaterals.pck_certs) { - // Flush and add certs for this platform - await pckcertDao.deleteCerts(platform_certs.qe_id, platform_certs.pce_id); - for (const cert of platform_certs.certs) { - await pckcertDao.upsertPckCert( - toUpper(platform_certs.qe_id), - toUpper(platform_certs.pce_id), - toUpper(cert.tcbm), - decodeURIComponent(cert.cert) - ); - } + // Flush and add certs for this platform + await pckcertDao.deleteCerts(qeId, pceId); - // We will update platforms both in cache and in the request list - // make a full list based on the cache data and the input data - let cached_platform_tcbs = await platformTcbsDao.getPlatformTcbsById( - platform_certs.qe_id, - platform_certs.pce_id - ); - let new_platforms = platforms.filter( - (o) => - o.pce_id == platform_certs.pce_id && o.qe_id == platform_certs.qe_id - ); - let new_raw_tcbs = new_platforms.filter( - (o) => Boolean(o.cpu_svn) && Boolean(o.pce_svn) - ); - let platforms_all = []; - for (const cached_platform of cached_platform_tcbs) { - platforms_all.push({ - qe_id: cached_platform.qe_id, - pce_id: cached_platform.pce_id, - cpu_svn: cached_platform.cpu_svn, - pce_svn: cached_platform.pce_svn, - }); - } - for (const raw_tcb of new_raw_tcbs) { - platforms_all.push({ - qe_id: raw_tcb.qe_id, - pce_id: raw_tcb.pce_id, - cpu_svn: raw_tcb.cpu_svn, - pce_svn: raw_tcb.pce_svn, - }); - } - // Remove duplicates - let platforms_cleaned = platforms_all.filter( - (element, index, self) => - index === - self.findIndex( - (t) => - t.qe_id === element.qe_id && - t.pce_id === element.pce_id && - t.cpu_svn === element.cpu_svn && - t.pce_svn === element.pce_svn - ) - ); + // unescape certificates + const decodedCerts = certs.map(cert => ({ + tcbm: toUpper(cert.tcbm), + cert: decodeURIComponent(cert.cert) + })); - let mycerts = platform_certs.certs; - if (mycerts == null || mycerts.length == 0) { - throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); - } - // parse arbitary cert to get fmspc value - const x509 = new X509(); - if (!x509.parseCert(decodeURIComponent(mycerts[0].cert))) { - logger.error('Invalid certificate format.'); - throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); - } + for (const { tcbm, cert } of decodedCerts) { + await pckcertDao.upsertPckCert(qeId, pceId, tcbm, cert); + } - let fmspc = x509.fmspc; - let ca = x509.ca; - if (fmspc == null || ca == null) { - logger.error('Invalid certificate format.'); - throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); - } - // get tcbinfo for the fmspc - let tcbinfo = tcbinfos.find((o) => o.fmspc === fmspc); - if (tcbinfo == null) { - logger.error("Can't find TCB info."); - throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); - } + // We will update platforms both in cache and in the request list + // make a full list based on the cache data and the input data + const cachedPlatformTcbs = await platformTcbsDao.getPlatformTcbsById(qeId, pceId); + const newPlatforms = platforms.filter(o => o.pce_id === rawPceId && o.qe_id === rawQeId); + const newRawTcbs = newPlatforms.filter(o => Boolean(o.cpu_svn) && Boolean(o.pce_svn)); - let tcbinfo_str; - if (version < 4) tcbinfo_str = JSON.stringify(tcbinfo.tcbinfo); - else tcbinfo_str = JSON.stringify(tcbinfo.sgx_tcbinfo); - - let pem_certs = mycerts.map((o) => decodeURIComponent(o.cert)); - for (let platform of platforms_cleaned) { - // get the best cert with PCKCertSelectionTool - let cert_index = pckLibWrapper.pck_cert_select( - platform.cpu_svn, - platform.pce_svn, - platform.pce_id, - tcbinfo_str, - pem_certs, - pem_certs.length - ); - if (cert_index == -1) { - logger.error('Failed to select the best certificate for ' + platform); - throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); - } - - // update platform_tcbs table - await platformTcbsDao.upsertPlatformTcbs( - toUpper(platform.qe_id), - toUpper(platform.pce_id), - toUpper(platform.cpu_svn), - toUpper(platform.pce_svn), - mycerts[cert_index].tcbm - ); - } + // put all together + const platformsCleaned = [...new Set([...cachedPlatformTcbs, ...newRawTcbs])]; - // update platforms table for new platforms only - for (const platform of new_platforms) { - // update platforms/pck_cert table - await platformsDao.upsertPlatform( - toUpper(platform.qe_id), - toUpper(platform.pce_id), - toUpper(platform.platform_manifest), - toUpper(platform.enc_ppid), - toUpper(fmspc), - toUpper(ca) - ); - } + // parse arbitary cert to get fmspc value + const x509 = new X509(); + if (!x509.parseCert(decodedCerts[0].cert)) { + logger.error('Invalid certificate format.'); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - // loop through tcbinfos - for (const tcbinfo of tcbinfos) { - tcbinfo.fmspc = toUpper(tcbinfo.fmspc); - tcbinfo.version = version; - if (version < 4 && tcbinfo.tcbinfo) { - tcbinfo.type = Constants.PROD_TYPE_SGX; - tcbinfo.tcbinfo = Buffer.from(JSON.stringify(tcbinfo.tcbinfo)); - await fmspcTcbDao.upsertFmspcTcb(tcbinfo); - } - if (version >= 4) { - if (tcbinfo.sgx_tcbinfo) { - tcbinfo.type = Constants.PROD_TYPE_SGX; - tcbinfo.tcbinfo = Buffer.from(JSON.stringify(tcbinfo.sgx_tcbinfo)); - await fmspcTcbDao.upsertFmspcTcb(tcbinfo); - } - if (tcbinfo.tdx_tcbinfo) { - tcbinfo.type = Constants.PROD_TYPE_TDX; - tcbinfo.tcbinfo = Buffer.from(JSON.stringify(tcbinfo.tdx_tcbinfo)); - await fmspcTcbDao.upsertFmspcTcb(tcbinfo); - } - } + const { fmspc, ca } = x509; + if (!fmspc || !ca) { + logger.error('Invalid certificate format.'); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - // Update or insert PCK CRL - if (collaterals.pckcacrl) { - if (collaterals.pckcacrl.processorCrl) - await pckcrlDao.upsertPckCrl( - Constants.CA_PROCESSOR, - Buffer.from(collaterals.pckcacrl.processorCrl, 'hex') - ); - if (collaterals.pckcacrl.platformCrl) - await pckcrlDao.upsertPckCrl( - Constants.CA_PLATFORM, - Buffer.from(collaterals.pckcacrl.platformCrl, 'hex') - ); + // get tcbinfo for the fmspc + const tcbinfo = collaterals.tcbinfos.find((o) => o.fmspc === fmspc); + if (!tcbinfo) { + logger.error("Can't find TCB info."); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - // Update or insert QE Identity - if (collaterals.qeidentity) { - await enclaveIdentityDao.upsertEnclaveIdentity( - Constants.QE_IDENTITY_ID, - collaterals.qeidentity, - version - ); + let tcbinfoStr; + if (version < 4) { + tcbinfoStr = tcbinfo.tcbinfo_early ? JSON.stringify(tcbinfo.tcbinfo_early) : + tcbinfo.tcbinfo ? JSON.stringify(tcbinfo.tcbinfo) : + null; + } else { + tcbinfoStr = tcbinfo.sgx_tcbinfo_early ? JSON.stringify(tcbinfo.sgx_tcbinfo_early) : + (tcbinfo.sgx_tcbinfo ? JSON.stringify(tcbinfo.sgx_tcbinfo) : + null); + } + if (tcbinfoStr === null) { + logger.error("Can't find TCB info."); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); } - // Update or insert TDQE Identity - if (collaterals.tdqeidentity) { - await enclaveIdentityDao.upsertEnclaveIdentity( - Constants.TDQE_IDENTITY_ID, - collaterals.tdqeidentity, - version + for (let platform of platformsCleaned) { + // get the best cert with PCKCertSelectionTool + const cert_index = pckLibWrapper.pck_cert_select( + platform.cpu_svn, + platform.pce_svn, + platform.pce_id, + tcbinfoStr, + decodedCerts.map(c => c.cert), + decodedCerts.length + ); + if (cert_index === -1) { + logger.error('Failed to select the best certificate for ' + platform); + throw new PccsError(PccsStatus.PCCS_STATUS_INVALID_REQ); + } + + // update platform_tcbs table + await platformTcbsDao.upsertPlatformTcbs( + qeId, + pceId, + toUpper(platform.cpu_svn), + toUpper(platform.pce_svn), + decodedCerts[cert_index].tcbm ); } - // Update or insert QvE Identity - if (collaterals.qveidentity) { - await enclaveIdentityDao.upsertEnclaveIdentity( - Constants.QVE_IDENTITY_ID, - collaterals.qveidentity, - version + + // update platforms table for new platforms only + for (const platform of newPlatforms) { + await platformsDao.upsertPlatform( + qeId, + pceId, + toUpper(platform.platform_manifest), + toUpper(platform.enc_ppid), + toUpper(fmspc), + toUpper(ca) ); } + } +} - // Update or insert PCK Certchain - await pckCertchainDao.upsertPckCertchain(Constants.CA_PROCESSOR); - await pckCertchainDao.upsertPckCertchain(Constants.CA_PLATFORM); +async function processTcbInfo(tcbinfo, version) { + const newTcbInfo = { fmspc: toUpper(tcbinfo.fmspc), version }; - // Update or insert PCS certificates - let rootCert = new Array(); - if ( - Boolean( - collaterals.certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN] - ) - ) { - if ( - Boolean( - collaterals.certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN][ - Constants.CA_PROCESSOR - ] - ) - ) { - rootCert[0] = await pcsCertificatesDao.upsertPckCertificateIssuerChain( - Constants.CA_PROCESSOR, - collaterals.certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN][ - Constants.CA_PROCESSOR - ] - ); - } - if ( - Boolean( - collaterals.certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN][ - Constants.CA_PLATFORM - ] - ) - ) { - rootCert[1] = await pcsCertificatesDao.upsertPckCertificateIssuerChain( - Constants.CA_PLATFORM, - collaterals.certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN][ - Constants.CA_PLATFORM - ] - ); - } + const tcbTypes = version < 4 + ? ['tcbinfo', 'tcbinfo_early'] + : ['sgx_tcbinfo', 'tdx_tcbinfo', 'sgx_tcbinfo_early', 'tdx_tcbinfo_early']; + + for (const type of tcbTypes) { + if (tcbinfo[type]) { + newTcbInfo.type = type.startsWith('tdx') ? Constants.PROD_TYPE_TDX : Constants.PROD_TYPE_SGX; + newTcbInfo.tcbinfo = Buffer.from(JSON.stringify(tcbinfo[type])); + newTcbInfo.update_type = type.includes('early') ? Constants.UPDATE_TYPE_EARLY : Constants.UPDATE_TYPE_STANDARD; + await fmspcTcbDao.upsertFmspcTcb(newTcbInfo); } - if ( - Boolean( - collaterals.certificates[appUtil.getTcbInfoIssuerChainName(version)] - ) - ) { - rootCert[2] = await pcsCertificatesDao.upsertTcbInfoIssuerChain( - collaterals.certificates[appUtil.getTcbInfoIssuerChainName(version)] + } +} + +async function processPckCacrl(pckcacrl) { + if (pckcacrl) { + if (pckcacrl.processorCrl) { + await pckcrlDao.upsertPckCrl(Constants.CA_PROCESSOR, Buffer.from(pckcacrl.processorCrl, 'hex')); + } + if (pckcacrl.platformCrl) { + await pckcrlDao.upsertPckCrl(Constants.CA_PLATFORM, Buffer.from(pckcacrl.platformCrl, 'hex')); + } + } +} + +async function processCertificates(certificates, version) { + const rootCert = []; + + // Process SGX_PCK_CERTIFICATE_ISSUER_CHAIN for both CA_PROCESSOR and CA_PLATFORM + const pckCertChainTypes = [Constants.CA_PROCESSOR, Constants.CA_PLATFORM]; + for (const type of pckCertChainTypes) { + if (certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN]?.[type]) { + rootCert.push( + await pcsCertificatesDao.upsertPckCertificateIssuerChain( + type, + certificates[Constants.SGX_PCK_CERTIFICATE_ISSUER_CHAIN][type] + ) ); } - if ( - Boolean( - collaterals.certificates[Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN] + } + + // Process TCB Info Issuer Chain + if (certificates[appUtil.getTcbInfoIssuerChainName(version)]) { + rootCert.push( + await pcsCertificatesDao.upsertTcbInfoIssuerChain( + certificates[appUtil.getTcbInfoIssuerChainName(version)] ) - ) { - rootCert[3] = await pcsCertificatesDao.upsertEnclaveIdentityIssuerChain( - collaterals.certificates[Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN] - ); + ); + } + + // Process Enclave Identity Issuer Chain + if (certificates[Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN]) { + rootCert.push( + await pcsCertificatesDao.upsertEnclaveIdentityIssuerChain( + certificates[Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN] + ) + ); + } + + return rootCert; +} + +function verifyCertChain(rootCert) { + for (let i = 0; i < rootCert.length - 1; i++) { + if (!verify_cert(rootCert[i], rootCert[i + 1])) { + return false; } - if ( - !verify_cert(rootCert[0], rootCert[1]) || - !verify_cert(rootCert[1], rootCert[2]) || - !verify_cert(rootCert[2], rootCert[3]) - ) { - throw new PccsError(PccsStatus.PCCS_STATUS_INTEGRITY_ERROR); + } + return true; +} + +async function processRootCacrl(rootcacrl, rootcacrlCdp) { + if (rootcacrl) { + await pcsCertificatesDao.upsertRootCACrl(Buffer.from(rootcacrl, 'hex')); + if (rootcacrlCdp) { + await crlCacheDao.upsertCrl(rootcacrlCdp, Buffer.from(rootcacrl, 'hex')); } + } +} - // Update or insert rootcacrl in DER format - if (collaterals.rootcacrl) { - await pcsCertificatesDao.upsertRootCACrl( - Buffer.from(collaterals.rootcacrl, 'hex') - ); - if (collaterals.rootcacrl_cdp) { - await crlCacheDao.upsertCrl(collaterals.rootcacrl_cdp, Buffer.from(collaterals.rootcacrl, 'hex')); - } +export async function addPlatformCollateral(collateralJson, version) { + return await sequelize.transaction(async (t) => { + await validateCollateral(collateralJson, version); + + const { collaterals } = collateralJson; + const { tcbinfos } = collaterals; + + // process the PCK certificates + await processPckCerts(collateralJson, version); + + // process the TCB infos + for (const tcbinfo of tcbinfos) { + await processTcbInfo(tcbinfo, version); } + + // process the PCK CRLs + await processPckCacrl(collaterals.pckcacrl); + + // process the QE Identity + await upsertIdentity(Constants.QE_IDENTITY_ID, collaterals.qeidentity, version, Constants.UPDATE_TYPE_STANDARD); + await upsertIdentity(Constants.QE_IDENTITY_ID, collaterals.qeidentity_early, version, Constants.UPDATE_TYPE_EARLY); + + // process the TDQE Identity + await upsertIdentity(Constants.TDQE_IDENTITY_ID, collaterals.tdqeidentity, version, Constants.UPDATE_TYPE_STANDARD); + await upsertIdentity(Constants.TDQE_IDENTITY_ID, collaterals.tdqeidentity_early, version, Constants.UPDATE_TYPE_EARLY); + + // process the QvE Identity + await upsertIdentity(Constants.QVE_IDENTITY_ID, collaterals.qveidentity, version, Constants.UPDATE_TYPE_STANDARD); + await upsertIdentity(Constants.QVE_IDENTITY_ID, collaterals.qveidentity_early, version, Constants.UPDATE_TYPE_EARLY); + + // process the PCK Certchain + await pckCertchainDao.upsertPckCertchain(Constants.CA_PROCESSOR); + await pckCertchainDao.upsertPckCertchain(Constants.CA_PLATFORM); + + // process the intermediate or signing certificates + const rootCert = await processCertificates(collaterals.certificates, version); + if (!verifyCertChain(rootCert)) { + throw new PccsError(PccsStatus.PCCS_STATUS_INTEGRITY_ERROR); + } + + // process the rootcacrl + await processRootCacrl(collaterals.rootcacrl, collaterals.rootcacrl_cdp); }); } diff --git a/QuoteGeneration/pccs/services/platformsRegService.js b/QuoteGeneration/pccs/services/platformsRegService.js index 656a16ef..92321f47 100644 --- a/QuoteGeneration/pccs/services/platformsRegService.js +++ b/QuoteGeneration/pccs/services/platformsRegService.js @@ -91,7 +91,7 @@ function normalizeRegData(regDataJson) { } } -export async function registerPlatforms(regDataJson) { +export async function registerPlatforms(regDataJson, update) { //check parameters let valid = ajv.validate(PLATFORM_REG_SCHEMA, regDataJson); if (!valid) { @@ -104,7 +104,7 @@ export async function registerPlatforms(regDataJson) { // Get cache status let isCached = await checkPCKCertCacheStatus(regDataJson); - await cachingModeManager.registerPlatforms(isCached, regDataJson); + await cachingModeManager.registerPlatforms(isCached, regDataJson, update); } export async function getRegisteredPlatforms() { diff --git a/QuoteGeneration/pccs/services/refreshService.js b/QuoteGeneration/pccs/services/refreshService.js index e1f75546..3cec577a 100644 --- a/QuoteGeneration/pccs/services/refreshService.js +++ b/QuoteGeneration/pccs/services/refreshService.js @@ -67,28 +67,33 @@ async function refresh_enclave_identities() { } let issuer_chain_updated = false; // Update issuer chain only once for (const enclave_id of enclave_id_list) { - const pck_server_res = await pcsClient.getEnclaveIdentity( - enclave_id[0], - enclave_id[1] - ); - if (pck_server_res.statusCode == Constants.HTTP_SUCCESS) { - // Then refresh cache DB - await enclaveIdentityDao.upsertEnclaveIdentity( + for (const update_type of [Constants.UPDATE_TYPE_STANDARD, Constants.UPDATE_TYPE_EARLY]) { + const pck_server_res = await pcsClient.getEnclaveIdentity( enclave_id[0], - pck_server_res.rawBody, - enclave_id[1] + enclave_id[1], + update_type ); - if (!issuer_chain_updated) { - await pcsCertificatesDao.upsertEnclaveIdentityIssuerChain( - pcsClient.getHeaderValue( - pck_server_res.headers, - Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN - ) + if (pck_server_res.statusCode == Constants.HTTP_SUCCESS) { + // Then refresh cache DB + await enclaveIdentityDao.upsertEnclaveIdentity( + enclave_id[0], + pck_server_res.rawBody, + enclave_id[1], + update_type ); - issuer_chain_updated = true; - } - } else { - throw new PccsError(PccsStatus.PCCS_STATUS_SERVICE_UNAVAILABLE); + if (!issuer_chain_updated) { + await pcsCertificatesDao.upsertEnclaveIdentityIssuerChain( + pcsClient.getHeaderValue( + pck_server_res.headers, + Constants.SGX_ENCLAVE_IDENTITY_ISSUER_CHAIN + ) + ); + issuer_chain_updated = true; + } + } else { + // Let it continue even though the collateral doesn't exist + logger.debug("Couldn't get enclave identity for (id:%d,version:%d,type:%s)", enclave_id[0], enclave_id[1], update_type); + } } } } @@ -170,7 +175,7 @@ async function refresh_all_pckcerts(fmspc_array) { } // get tcbinfo for this fmspc - pck_server_res = await pcsClient.getTcb(Constants.PROD_TYPE_SGX, fmspc); + pck_server_res = await pcsClient.getTcb(Constants.PROD_TYPE_SGX, fmspc, global.PCS_VERSION, Constants.UPDATE_TYPE_EARLY); if (pck_server_res.statusCode != Constants.HTTP_SUCCESS) { throw new PccsError(PccsStatus.PCCS_STATUS_NO_CACHE_DATA); } @@ -285,14 +290,15 @@ async function refresh_cached_crls() { } // Refresh the TCB info for the specified fmspc value -async function refresh_one_tcb(fmspc, type, version) { - const pck_server_res = await pcsClient.getTcb(type, fmspc, version); +async function refresh_one_tcb(fmspc, type, version, update_type) { + const pck_server_res = await pcsClient.getTcb(type, fmspc, version, update_type); if (pck_server_res.statusCode == Constants.HTTP_SUCCESS) { // Then refresh cache DB await fmspcTcbDao.upsertFmspcTcb({ type: type, fmspc: fmspc, version: version, + update_type: update_type, tcbinfo: pck_server_res.rawBody, }); // update or insert certificate chain @@ -303,6 +309,7 @@ async function refresh_one_tcb(fmspc, type, version) { ) ); } else { + logger.error("Failed to get tcbinfo for fmspc:" + fmspc) throw new PccsError(PccsStatus.PCCS_STATUS_SERVICE_UNAVAILABLE); } } @@ -315,7 +322,7 @@ async function refresh_all_tcbs() { const tcbs = await fmspcTcbDao.getAllTcbs(); for (let tcb of tcbs) { // refresh each tcb - await refresh_one_tcb(tcb.fmspc, tcb.type, tcb.version); + await refresh_one_tcb(tcb.fmspc, tcb.type, tcb.version, tcb.update_type); } } diff --git a/QuoteGeneration/pccs/services/tcbinfoService.js b/QuoteGeneration/pccs/services/tcbinfoService.js index 95724573..af1652a8 100644 --- a/QuoteGeneration/pccs/services/tcbinfoService.js +++ b/QuoteGeneration/pccs/services/tcbinfoService.js @@ -33,12 +33,12 @@ import * as appUtil from '../utils/apputil.js'; import { cachingModeManager } from './caching_modes/cachingModeManager.js'; -export async function getTcbInfo(type, fmspc, version) { +export async function getTcbInfo(type, fmspc, version, update_type) { // query tcbinfo from local database first - const tcbinfo = await fmspcTcbDao.getTcbInfo(type, fmspc, version); + const tcbinfo = await fmspcTcbDao.getTcbInfo(type, fmspc, version, update_type); let result = {}; if (tcbinfo == null) { - result = await cachingModeManager.getTcbInfoFromPCS(type, fmspc, version); + result = await cachingModeManager.getTcbInfoFromPCS(type, fmspc, version, update_type); } else { result[appUtil.getTcbInfoIssuerChainName(version)] = tcbinfo.signing_cert + tcbinfo.root_cert; diff --git a/QuoteGeneration/psw/ae/data/prebuilt/README.md b/QuoteGeneration/psw/ae/data/prebuilt/README.md index e7db6eec..f23a3e82 100644 --- a/QuoteGeneration/psw/ae/data/prebuilt/README.md +++ b/QuoteGeneration/psw/ae/data/prebuilt/README.md @@ -5,7 +5,7 @@ The PCE is part of Intel(R) Software Guard Extensions for Linux\* OS which is pu The QE3 is part of [Intel(R) Software Guard Extensions Data Center Attestation Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) Github repository. The libsgx_qe3.signed.so in prebuilt package is built by [qe3](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/quote_wrapper/quote/enclave) with branch [sgx_2.22_reproducible](https://github.com/intel/linux-sgx/tree/sgx_2.22_reproducible) and signed by Intel. # QVE source code -The QVE is part of [Intel(R) Software Guard Extensions Data Center Attestation Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) Github repository. The libsgx_qve.signed.so in prebuilt package is built by [qve](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteVerification/QvE/Enclave) with branch [sgx_2.23_reproducible](https://github.com/intel/linux-sgx/tree/sgx_2.23_reproducible)and signed by Intel. +The QVE is part of [Intel(R) Software Guard Extensions Data Center Attestation Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) Github repository. The libsgx_qve.signed.so in prebuilt package is built by [qve](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteVerification/QvE/Enclave) with branch [sgx_2.24_reproducible](https://github.com/intel/linux-sgx/tree/sgx_2.24_reproducible)and signed by Intel. # IDE source code The IDE is part of [Intel(R) Software Guard Extensions Data Center Attestation Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) Github repository. The libsgx_id_enclave.signed.so in prebuilt package is built by [id_enclave](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/quote_wrapper/quote/id_enclave) with branch [sgx_2.22_reproducible](https://github.com/intel/linux-sgx/tree/sgx_2.22_reproducible) and signed by Intel. diff --git a/QuoteGeneration/qcnl/certification_provider.cpp b/QuoteGeneration/qcnl/certification_provider.cpp index b5ceba7b..a08ea7e7 100644 --- a/QuoteGeneration/qcnl/certification_provider.cpp +++ b/QuoteGeneration/qcnl/certification_provider.cpp @@ -173,9 +173,15 @@ sgx_qcnl_error_t CacheProvider::get_certification(const string &query_string, } sgx_qcnl_error_t CacheProvider::set_certification(sgx_qpl_cache_type_t cache_type, - uint32_t default_expiry_seconds, const string &query_string, PccsResponseObject *pccs_resp_obj) { + uint32_t default_expiry_seconds; + if (cache_type == SGX_QPL_CACHE_CERTIFICATE) { + default_expiry_seconds = (uint32_t)(QcnlConfig::Instance()->getCacheExpireHour() * 3600); + } else { + default_expiry_seconds = (uint32_t)(QcnlConfig::Instance()->getVerifyCollateralExpireHour() * 3600); + } + // Cache-Control:max-age has higher priority over config file uint32_t cache_max_age = pccs_resp_obj->get_cache_max_age(); uint32_t expiry_seconds = (cache_max_age > 0) ? cache_max_age : default_expiry_seconds; diff --git a/QuoteGeneration/qcnl/certification_service.cpp b/QuoteGeneration/qcnl/certification_service.cpp index 0a590eb3..5568b0dd 100644 --- a/QuoteGeneration/qcnl/certification_service.cpp +++ b/QuoteGeneration/qcnl/certification_service.cpp @@ -117,7 +117,6 @@ sgx_qcnl_error_t CertificationService::fetch_data(RequestType type, const Reques sgx_qcnl_error_t handler_ret = handlerData->handler(&pccs_resp_obj, handlerData->args); if (handler_ret == SGX_QCNL_SUCCESS) { ret = cacheProvider.set_certification(get_cache_type_of_request(type), - (uint32_t)(QcnlConfig::Instance()->getVerifyCollateralExpireHour() * 3600), query_str, &pccs_resp_obj); // User query_str for caching key } } @@ -289,6 +288,7 @@ sgx_qcnl_error_t CertificationService::build_tcbinfo_options(Request &request, if (!concat_string_with_hex_buf(request.params, reinterpret_cast(fmspc), fmspc_size)) { return SGX_QCNL_UNEXPECTED_ERROR; } + request.params.append("&update=").append(QcnlConfig::Instance()->getTcbUpdateType()); if (!custom_param_.empty()) { request.params.append("&").append(get_custom_param_string()); } @@ -308,8 +308,9 @@ sgx_qcnl_error_t CertificationService::build_qeidentity_options(Request &request } request.params.append("qe/identity"); + request.params.append("?update=").append(QcnlConfig::Instance()->getTcbUpdateType()); if (!custom_param_.empty()) { - request.params.append("?").append(get_custom_param_string()); + request.params.append("&").append(get_custom_param_string()); } return SGX_QCNL_SUCCESS; @@ -319,8 +320,9 @@ sgx_qcnl_error_t CertificationService::build_qveidentity_options(Request &reques request.endpoint = QcnlConfig::Instance()->getCollateralServiceUrl(); request.params.append("qve/identity"); + request.params.append("?update=").append(QcnlConfig::Instance()->getTcbUpdateType()); if (!custom_param_.empty()) { - request.params.append("?").append(get_custom_param_string()); + request.params.append("&").append(get_custom_param_string()); } return SGX_QCNL_SUCCESS; diff --git a/QuoteGeneration/qcnl/inc/certification_provider.h b/QuoteGeneration/qcnl/inc/certification_provider.h index efbc86d1..9c0b3c62 100644 --- a/QuoteGeneration/qcnl/inc/certification_provider.h +++ b/QuoteGeneration/qcnl/inc/certification_provider.h @@ -89,7 +89,6 @@ class CacheProvider { sgx_qcnl_error_t get_certification(const string &query_string, PccsResponseObject *pccs_resp_obj); sgx_qcnl_error_t set_certification(sgx_qpl_cache_type_t cache_type, - uint32_t default_expiry_seconds, const string &query_string, PccsResponseObject *pccs_resp_obj); sgx_qcnl_error_t get_local_certification(const sgx_ql_pck_cert_id_t *p_pck_cert_id, diff --git a/QuoteGeneration/qcnl/inc/qcnl_config.h b/QuoteGeneration/qcnl/inc/qcnl_config.h index 3015a8e7..ff3c744d 100644 --- a/QuoteGeneration/qcnl/inc/qcnl_config.h +++ b/QuoteGeneration/qcnl/inc/qcnl_config.h @@ -79,6 +79,8 @@ class QcnlConfig { Document custom_request_options_; // Local cache only mode bool local_cache_only_; + // TCB update type, "early" or "standard" + string tcb_update_type_; QcnlConfig() : server_url_("https://localhost:8081/sgx/certification/v4/"), use_secure_cert_(true), @@ -89,7 +91,8 @@ class QcnlConfig { local_pck_url_(""), pck_cache_expire_hours_(0), verify_collateral_expire_hours_(0), - local_cache_only_(false) {} + local_cache_only_(false), + tcb_update_type_("standard") {} virtual ~QcnlConfig(){}; public: @@ -145,6 +148,10 @@ class QcnlConfig { return local_cache_only_; } + string getTcbUpdateType() { + return tcb_update_type_; + } + sgx_qcnl_error_t load_config_json(const TCHAR *json_file); }; diff --git a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf index a7c84c9f..7df39958 100644 --- a/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf +++ b/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf @@ -12,6 +12,13 @@ // PCK Certs and verification collateral will be retrieved using pccs_url //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/" + // Type of update to TCB Info. Possible value: early, standard. Default is standard. + // early indicates an early access to updated TCB Info provided as part of a TCB recovery event + // (commonly the day of public disclosure of the items in scope) + // standard indicates standard access to updated TCB Info provided as part of a TCB recovery event + // (commonly approximately 6 weeks after public disclosure of the items in scope) + //, "tcb_update_type" : "standard" + // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used. // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version diff --git a/QuoteGeneration/qcnl/qcnl_config.cpp b/QuoteGeneration/qcnl/qcnl_config.cpp index a7e8aad3..42388a08 100644 --- a/QuoteGeneration/qcnl/qcnl_config.cpp +++ b/QuoteGeneration/qcnl/qcnl_config.cpp @@ -41,6 +41,7 @@ #include #include #include +#include using namespace std; @@ -113,6 +114,22 @@ sgx_qcnl_error_t QcnlConfig::load_config_json(const TCHAR *json_file) { } } + if (config.HasMember("tcb_update_type")) { + Value &val = config["tcb_update_type"]; + if (val.IsString()) { + string tcb_update_type = val.GetString(); + // Convert to lowercase + std::transform(tcb_update_type.begin(), tcb_update_type.end(), tcb_update_type.begin(), + [](unsigned char c){ return static_cast(std::tolower(c)); }); + if (tcb_update_type != "early" && tcb_update_type != "standard") { + qcnl_log(SGX_QL_LOG_ERROR, "[QCNL] Wrong tcb_update_type configured. \n"); + return SGX_QCNL_INVALID_CONFIG; + } + + this->tcb_update_type_ = tcb_update_type; + } + } + if (config.HasMember("pccs_api_version")) { Value &val = config["pccs_api_version"]; if (val.IsString()) { diff --git a/QuoteGeneration/qcnl/sgx_default_qcnl_wrapper.cpp b/QuoteGeneration/qcnl/sgx_default_qcnl_wrapper.cpp index 022964f5..51bda746 100644 --- a/QuoteGeneration/qcnl/sgx_default_qcnl_wrapper.cpp +++ b/QuoteGeneration/qcnl/sgx_default_qcnl_wrapper.cpp @@ -382,8 +382,9 @@ sgx_qcnl_error_t sgx_qcnl_clear_cache(uint32_t cache_type) { sgx_qcnl_error_t sgx_qcnl_global_init() { sgx_qcnl_error_t ret = SGX_QCNL_SUCCESS; QcnlConfigJson *pConfigJson = new QcnlConfigJson(); - if (pConfigJson->load_config() == SGX_QCNL_CONFIG_INVALID_JSON) - ret = SGX_QCNL_CONFIG_INVALID_JSON; + ret = pConfigJson->load_config(); + if (ret == SGX_QCNL_CONFIG_NOT_JSON) + ret = SGX_QCNL_SUCCESS; // Ignore SGX_QCNL_CONFIG_NOT_JSON for legacy config file delete pConfigJson; return ret; } diff --git a/QuoteGeneration/qcnl/win/qcnl_config_impl.cpp b/QuoteGeneration/qcnl/win/qcnl_config_impl.cpp index 5f0f75d9..1d20bf93 100644 --- a/QuoteGeneration/qcnl/win/qcnl_config_impl.cpp +++ b/QuoteGeneration/qcnl/win/qcnl_config_impl.cpp @@ -195,6 +195,6 @@ sgx_qcnl_error_t QcnlConfigJson::load_config() { return this->load_config_json(config_path); } else { - return SGX_QCNL_INVALID_CONFIG; + return SGX_QCNL_CONFIG_NOT_JSON; } } \ No newline at end of file diff --git a/QuoteGeneration/qpl-rs/src/lib.rs b/QuoteGeneration/qpl-rs/src/lib.rs index aa5e60c5..69da9693 100644 --- a/QuoteGeneration/qpl-rs/src/lib.rs +++ b/QuoteGeneration/qpl-rs/src/lib.rs @@ -604,7 +604,8 @@ mod tests { level: tee_qpl_log_level, message: *const ::std::os::raw::c_char, ) { - println!("level {level}: {:?}", message); + let msg_str = std::ffi::CStr::from_ptr(message).to_str().unwrap(); + println!("level {level}: {:?}", msg_str); } #[test] diff --git a/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h b/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h index 87df7f68..10338a8e 100644 --- a/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h +++ b/QuoteGeneration/quote_wrapper/common/inc/sgx_ql_lib_common.h @@ -41,114 +41,114 @@ #include "sgx_key.h" -#define SGX_QL_MK_ERROR(x) (0x0000E000|(x)) +#define TEE_MK_ERROR(x) (0x0000E000|(x)) /** Possible errors generated by the quote interface. */ typedef enum _quote3_error_t { - SGX_QL_SUCCESS = 0x0000, ///< Success - SGX_QL_ERROR_MIN = SGX_QL_MK_ERROR(0x0001), ///< Indicate min error to allow better translation. - SGX_QL_ERROR_UNEXPECTED = SGX_QL_MK_ERROR(0x0001), ///< Unexpected error - SGX_QL_ERROR_INVALID_PARAMETER = SGX_QL_MK_ERROR(0x0002), ///< The parameter is incorrect - SGX_QL_ERROR_OUT_OF_MEMORY = SGX_QL_MK_ERROR(0x0003), ///< Not enough memory is available to complete this operation - SGX_QL_ERROR_ECDSA_ID_MISMATCH = SGX_QL_MK_ERROR(0x0004), ///< Expected ECDSA_ID does not match the value stored in the ECDSA Blob - SGX_QL_PATHNAME_BUFFER_OVERFLOW_ERROR = SGX_QL_MK_ERROR(0x0005), ///< The ECDSA blob pathname is too large - SGX_QL_FILE_ACCESS_ERROR = SGX_QL_MK_ERROR(0x0006), ///< Error accessing ECDSA blob - SGX_QL_ERROR_STORED_KEY = SGX_QL_MK_ERROR(0x0007), ///< Cached ECDSA key is invalid - SGX_QL_ERROR_PUB_KEY_ID_MISMATCH = SGX_QL_MK_ERROR(0x0008), ///< Cached ECDSA key does not match requested key - SGX_QL_ERROR_INVALID_PCE_SIG_SCHEME = SGX_QL_MK_ERROR(0x0009), ///< PCE use the incorrect signature scheme - SGX_QL_ATT_KEY_BLOB_ERROR = SGX_QL_MK_ERROR(0x000a), ///< There is a problem with the attestation key blob. - SGX_QL_UNSUPPORTED_ATT_KEY_ID = SGX_QL_MK_ERROR(0x000b), ///< Unsupported attestation key ID. - SGX_QL_UNSUPPORTED_LOADING_POLICY = SGX_QL_MK_ERROR(0x000c), ///< Unsupported enclave loading policy. - SGX_QL_INTERFACE_UNAVAILABLE = SGX_QL_MK_ERROR(0x000d), ///< Unable to load the PCE enclave - SGX_QL_PLATFORM_LIB_UNAVAILABLE = SGX_QL_MK_ERROR(0x000e), ///< Unable to find the platform library with the dependent APIs. Not fatal. - SGX_QL_ATT_KEY_NOT_INITIALIZED = SGX_QL_MK_ERROR(0x000f), ///< The attestation key doesn't exist or has not been certified. - SGX_QL_ATT_KEY_CERT_DATA_INVALID = SGX_QL_MK_ERROR(0x0010), ///< The certification data retrieved from the platform library is invalid. - SGX_QL_NO_PLATFORM_CERT_DATA = SGX_QL_MK_ERROR(0x0011), ///< The platform library doesn't have any platfrom cert data. - SGX_QL_OUT_OF_EPC = SGX_QL_MK_ERROR(0x0012), ///< Not enough memory in the EPC to load the enclave. - SGX_QL_ERROR_REPORT = SGX_QL_MK_ERROR(0x0013), ///< There was a problem verifying an SGX REPORT. - SGX_QL_ENCLAVE_LOST = SGX_QL_MK_ERROR(0x0014), ///< Interfacing to the enclave failed due to a power transition. - SGX_QL_INVALID_REPORT = SGX_QL_MK_ERROR(0x0015), ///< Error verifying the application enclave's report. - SGX_QL_ENCLAVE_LOAD_ERROR = SGX_QL_MK_ERROR(0x0016), ///< Unable to load the enclaves. Could be due to file I/O error, loading infrastructure error, or non-SGX capable system - SGX_QL_UNABLE_TO_GENERATE_QE_REPORT = SGX_QL_MK_ERROR(0x0017), ///< The QE was unable to generate its own report targeting the application enclave either - ///< because the QE doesn't support this feature there is an enclave compatibility issue. - ///< Please call again with the p_qe_report_info to NULL. - SGX_QL_KEY_CERTIFCATION_ERROR = SGX_QL_MK_ERROR(0x0018), ///< Caused when the provider library returns an invalid TCB (too high). - SGX_QL_NETWORK_ERROR = SGX_QL_MK_ERROR(0x0019), ///< Network error when retrieving PCK certs - SGX_QL_MESSAGE_ERROR = SGX_QL_MK_ERROR(0x001a), ///< Message error when retrieving PCK certs - SGX_QL_NO_QUOTE_COLLATERAL_DATA = SGX_QL_MK_ERROR(0x001b), ///< The platform does not have the quote verification collateral data available. - SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED = SGX_QL_MK_ERROR(0x001c), - SGX_QL_QUOTE_FORMAT_UNSUPPORTED = SGX_QL_MK_ERROR(0x001d), - SGX_QL_UNABLE_TO_GENERATE_REPORT = SGX_QL_MK_ERROR(0x001e), - SGX_QL_QE_REPORT_INVALID_SIGNATURE = SGX_QL_MK_ERROR(0x001f), - SGX_QL_QE_REPORT_UNSUPPORTED_FORMAT = SGX_QL_MK_ERROR(0x0020), - SGX_QL_PCK_CERT_UNSUPPORTED_FORMAT = SGX_QL_MK_ERROR(0x0021), - SGX_QL_PCK_CERT_CHAIN_ERROR = SGX_QL_MK_ERROR(0x0022), - SGX_QL_TCBINFO_UNSUPPORTED_FORMAT = SGX_QL_MK_ERROR(0x0023), - SGX_QL_TCBINFO_MISMATCH = SGX_QL_MK_ERROR(0x0024), - SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT = SGX_QL_MK_ERROR(0x0025), - SGX_QL_QEIDENTITY_MISMATCH = SGX_QL_MK_ERROR(0x0026), - SGX_QL_TCB_OUT_OF_DATE = SGX_QL_MK_ERROR(0x0027), - SGX_QL_TCB_OUT_OF_DATE_CONFIGURATION_NEEDED = SGX_QL_MK_ERROR(0x0028), ///< TCB out of date and Configuration needed - SGX_QL_SGX_ENCLAVE_IDENTITY_OUT_OF_DATE = SGX_QL_MK_ERROR(0x0029), - SGX_QL_SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE = SGX_QL_MK_ERROR(0x002a), - SGX_QL_QE_IDENTITY_OUT_OF_DATE = SGX_QL_MK_ERROR(0x002b), - SGX_QL_SGX_TCB_INFO_EXPIRED = SGX_QL_MK_ERROR(0x002c), - SGX_QL_SGX_PCK_CERT_CHAIN_EXPIRED = SGX_QL_MK_ERROR(0x002d), - SGX_QL_SGX_CRL_EXPIRED = SGX_QL_MK_ERROR(0x002e), - SGX_QL_SGX_SIGNING_CERT_CHAIN_EXPIRED = SGX_QL_MK_ERROR(0x002f), - SGX_QL_SGX_ENCLAVE_IDENTITY_EXPIRED = SGX_QL_MK_ERROR(0x0030), - SGX_QL_PCK_REVOKED = SGX_QL_MK_ERROR(0x0031), - SGX_QL_TCB_REVOKED = SGX_QL_MK_ERROR(0x0032), - SGX_QL_TCB_CONFIGURATION_NEEDED = SGX_QL_MK_ERROR(0x0033), - SGX_QL_UNABLE_TO_GET_COLLATERAL = SGX_QL_MK_ERROR(0x0034), - SGX_QL_ERROR_INVALID_PRIVILEGE = SGX_QL_MK_ERROR(0x0035), ///< No enough privilege to perform the operation - SGX_QL_NO_QVE_IDENTITY_DATA = SGX_QL_MK_ERROR(0x0037), ///< The platform does not have the QVE identity data available. - SGX_QL_CRL_UNSUPPORTED_FORMAT = SGX_QL_MK_ERROR(0x0038), - SGX_QL_QEIDENTITY_CHAIN_ERROR = SGX_QL_MK_ERROR(0x0039), - SGX_QL_TCBINFO_CHAIN_ERROR = SGX_QL_MK_ERROR(0x003a), - SGX_QL_ERROR_QVL_QVE_MISMATCH = SGX_QL_MK_ERROR(0x003b), ///< Supplemental data size and version mismatched between QVL and QvE - ///< Please make sure to use QVL and QvE from same release package - SGX_QL_TCB_SW_HARDENING_NEEDED = SGX_QL_MK_ERROR(0x003c), ///< TCB up to date but SW Hardening needed - SGX_QL_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED = SGX_QL_MK_ERROR(0x003d), ///< TCB up to date but Configuration and SW Hardening needed - - SGX_QL_UNSUPPORTED_MODE = SGX_QL_MK_ERROR(0x003e), - - SGX_QL_NO_DEVICE = SGX_QL_MK_ERROR(0x003f), - SGX_QL_SERVICE_UNAVAILABLE = SGX_QL_MK_ERROR(0x0040), - SGX_QL_NETWORK_FAILURE = SGX_QL_MK_ERROR(0x0041), - SGX_QL_SERVICE_TIMEOUT = SGX_QL_MK_ERROR(0x0042), - SGX_QL_ERROR_BUSY = SGX_QL_MK_ERROR(0x0043), - - SGX_QL_UNKNOWN_MESSAGE_RESPONSE = SGX_QL_MK_ERROR(0x0044), /// Unexpected error from the cache service - SGX_QL_PERSISTENT_STORAGE_ERROR = SGX_QL_MK_ERROR(0x0045), /// Error storing the retrieved cached data in persistent memory - SGX_QL_ERROR_MESSAGE_PARSING_ERROR = SGX_QL_MK_ERROR(0x0046), /// Message parsing error - SGX_QL_PLATFORM_UNKNOWN = SGX_QL_MK_ERROR(0x0047), /// Platform was not found in the cache - SGX_QL_UNKNOWN_API_VERSION = SGX_QL_MK_ERROR(0x0048), /// The current PCS API version configured is unknown - SGX_QL_CERTS_UNAVAILABLE = SGX_QL_MK_ERROR(0x0049), /// Certificates are not available for this platform - - SGX_QL_QVEIDENTITY_MISMATCH = SGX_QL_MK_ERROR(0x0050), ///< QvE Identity is NOT match to Intel signed QvE identity - SGX_QL_QVE_OUT_OF_DATE = SGX_QL_MK_ERROR(0x0051), ///< QvE ISVSVN is smaller than the ISVSVN threshold, or input QvE ISVSVN is too small - SGX_QL_PSW_NOT_AVAILABLE = SGX_QL_MK_ERROR(0x0052), ///< SGX PSW library cannot be loaded, could be due to file I/O error - SGX_QL_COLLATERAL_VERSION_NOT_SUPPORTED = SGX_QL_MK_ERROR(0x0053), ///< SGX quote verification collateral version not supported by QVL/QvE - SGX_QL_TDX_MODULE_MISMATCH = SGX_QL_MK_ERROR(0x0060), ///< TDX SEAM module identity is NOT match to Intel signed TDX SEAM module - - SGX_QL_QEIDENTITY_NOT_FOUND = SGX_QL_MK_ERROR(0x0061), ///< QE identity was not found - SGX_QL_TCBINFO_NOT_FOUND = SGX_QL_MK_ERROR(0x0062), ///< TCB Info was not found - SGX_QL_INTERNAL_SERVER_ERROR = SGX_QL_MK_ERROR(0x0063), ///< Internal server error - - SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = SGX_QL_MK_ERROR(0x0064), ///< The supplemental data version is not supported - - SGX_QL_ROOT_CA_UNTRUSTED = SGX_QL_MK_ERROR(0x0065), ///< The certificate used to establish SSL session is untrusted - - SGX_QL_TCB_NOT_SUPPORTED = SGX_QL_MK_ERROR(0x0066), ///< Current TCB level cannot be found in platform/enclave TCB info - - SGX_QL_CONFIG_INVALID_JSON = SGX_QL_MK_ERROR(0x0067), ///< The QPL's config file is in JSON format but has a format error + SGX_QL_SUCCESS = 0x0000, TEE_SUCCESS = 0x0000, ///< Success + SGX_QL_ERROR_MIN = TEE_MK_ERROR(0x0001), TEE_ERROR_MIN = TEE_MK_ERROR(0x0001), ///< Indicate min error to allow better translation. + SGX_QL_ERROR_UNEXPECTED = TEE_MK_ERROR(0x0001), TEE_ERROR_UNEXPECTED = TEE_MK_ERROR(0x0001), ///< Unexpected error + SGX_QL_ERROR_INVALID_PARAMETER = TEE_MK_ERROR(0x0002), TEE_ERROR_INVALID_PARAMETER = TEE_MK_ERROR(0x0002), ///< The parameter is incorrect + SGX_QL_ERROR_OUT_OF_MEMORY = TEE_MK_ERROR(0x0003), TEE_ERROR_OUT_OF_MEMORY = TEE_MK_ERROR(0x0003), ///< Not enough memory is available to complete this operation + SGX_QL_ERROR_ECDSA_ID_MISMATCH = TEE_MK_ERROR(0x0004), TEE_ERROR_ECDSA_ID_MISMATCH = TEE_MK_ERROR(0x0004), ///< Expected ECDSA_ID does not match the value stored in the ECDSA Blob + SGX_QL_PATHNAME_BUFFER_OVERFLOW_ERROR = TEE_MK_ERROR(0x0005), TEE_PATHNAME_BUFFER_OVERFLOW_ERROR = TEE_MK_ERROR(0x0005), ///< The ECDSA blob pathname is too large + SGX_QL_FILE_ACCESS_ERROR = TEE_MK_ERROR(0x0006), TEE_FILE_ACCESS_ERROR = TEE_MK_ERROR(0x0006), ///< Error accessing ECDSA blob + SGX_QL_ERROR_STORED_KEY = TEE_MK_ERROR(0x0007), TEE_ERROR_STORED_KEY = TEE_MK_ERROR(0x0007), ///< Cached ECDSA key is invalid + SGX_QL_ERROR_PUB_KEY_ID_MISMATCH = TEE_MK_ERROR(0x0008), TEE_ERROR_PUB_KEY_ID_MISMATCH = TEE_MK_ERROR(0x0008), ///< Cached ECDSA key does not match requested key + SGX_QL_ERROR_INVALID_PCE_SIG_SCHEME = TEE_MK_ERROR(0x0009), TEE_ERROR_INVALID_PCE_SIG_SCHEME = TEE_MK_ERROR(0x0009), ///< PCE use the incorrect signature scheme + SGX_QL_ATT_KEY_BLOB_ERROR = TEE_MK_ERROR(0x000a), TEE_ATT_KEY_BLOB_ERROR = TEE_MK_ERROR(0x000a), ///< There is a problem with the attestation key blob. + SGX_QL_UNSUPPORTED_ATT_KEY_ID = TEE_MK_ERROR(0x000b), TEE_UNSUPPORTED_ATT_KEY_ID = TEE_MK_ERROR(0x000b), ///< Unsupported attestation key ID. + SGX_QL_UNSUPPORTED_LOADING_POLICY = TEE_MK_ERROR(0x000c), TEE_UNSUPPORTED_LOADING_POLICY = TEE_MK_ERROR(0x000c), ///< Unsupported enclave loading policy. + SGX_QL_INTERFACE_UNAVAILABLE = TEE_MK_ERROR(0x000d), TEE_INTERFACE_UNAVAILABLE = TEE_MK_ERROR(0x000d), ///< Unable to load the PCE enclave + SGX_QL_PLATFORM_LIB_UNAVAILABLE = TEE_MK_ERROR(0x000e), TEE_PLATFORM_LIB_UNAVAILABLE = TEE_MK_ERROR(0x000e), ///< Unable to find the platform library with the dependent APIs. Not fatal. + SGX_QL_ATT_KEY_NOT_INITIALIZED = TEE_MK_ERROR(0x000f), TEE_ATT_KEY_NOT_INITIALIZED = TEE_MK_ERROR(0x000f), ///< The attestation key doesn't exist or has not been certified. + SGX_QL_ATT_KEY_CERT_DATA_INVALID = TEE_MK_ERROR(0x0010), TEE_ATT_KEY_CERT_DATA_INVALID = TEE_MK_ERROR(0x0010), ///< The certification data retrieved from the platform library is invalid. + SGX_QL_NO_PLATFORM_CERT_DATA = TEE_MK_ERROR(0x0011), TEE_NO_PLATFORM_CERT_DATA = TEE_MK_ERROR(0x0011), ///< The platform library doesn't have any platfrom cert data. + SGX_QL_OUT_OF_EPC = TEE_MK_ERROR(0x0012), TEE_OUT_OF_EPC = TEE_MK_ERROR(0x0012), ///< Not enough memory in the EPC to load the enclave. + SGX_QL_ERROR_REPORT = TEE_MK_ERROR(0x0013), TEE_ERROR_REPORT = TEE_MK_ERROR(0x0013), ///< There was a problem verifying an SGX REPORT. + SGX_QL_ENCLAVE_LOST = TEE_MK_ERROR(0x0014), TEE_ENCLAVE_LOST = TEE_MK_ERROR(0x0014), ///< Interfacing to the enclave failed due to a power transition. + SGX_QL_INVALID_REPORT = TEE_MK_ERROR(0x0015), TEE_INVALID_REPORT = TEE_MK_ERROR(0x0015), ///< Error verifying the application enclave's report. + SGX_QL_ENCLAVE_LOAD_ERROR = TEE_MK_ERROR(0x0016), TEE_ENCLAVE_LOAD_ERROR = TEE_MK_ERROR(0x0016), ///< Unable to load the enclaves. Could be due to file I/O error, loading infrastructure error, or non-SGX capable system + SGX_QL_UNABLE_TO_GENERATE_QE_REPORT = TEE_MK_ERROR(0x0017), TEE_UNABLE_TO_GENERATE_QE_REPORT = TEE_MK_ERROR(0x0017), ///< The QE was unable to generate its own report targeting the application enclave either + ///< because the QE doesn't support this feature there is an enclave compatibility issue. + ///< Please call again with the p_qe_report_info to NULL. + SGX_QL_KEY_CERTIFCATION_ERROR = TEE_MK_ERROR(0x0018), TEE_KEY_CERTIFCATION_ERROR = TEE_MK_ERROR(0x0018), ///< Caused when the provider library returns an invalid TCB (too high). + SGX_QL_NETWORK_ERROR = TEE_MK_ERROR(0x0019), TEE_NETWORK_ERROR = TEE_MK_ERROR(0x0019), ///< Network error when retrieving PCK certs + SGX_QL_MESSAGE_ERROR = TEE_MK_ERROR(0x001a), TEE_MESSAGE_ERROR = TEE_MK_ERROR(0x001a), ///< Message error when retrieving PCK certs + SGX_QL_NO_QUOTE_COLLATERAL_DATA = TEE_MK_ERROR(0x001b), TEE_NO_QUOTE_COLLATERAL_DATA = TEE_MK_ERROR(0x001b), ///< The platform does not have the quote verification collateral data available. + SGX_QL_QUOTE_CERTIFICATION_DATA_UNSUPPORTED = TEE_MK_ERROR(0x001c), TEE_QUOTE_CERTIFICATION_DATA_UNSUPPORTED = TEE_MK_ERROR(0x001c), + SGX_QL_QUOTE_FORMAT_UNSUPPORTED = TEE_MK_ERROR(0x001d), TEE_QUOTE_FORMAT_UNSUPPORTED = TEE_MK_ERROR(0x001d), + SGX_QL_UNABLE_TO_GENERATE_REPORT = TEE_MK_ERROR(0x001e), TEE_UNABLE_TO_GENERATE_REPORT = TEE_MK_ERROR(0x001e), + SGX_QL_QE_REPORT_INVALID_SIGNATURE = TEE_MK_ERROR(0x001f), TEE_QE_REPORT_INVALID_SIGNATURE = TEE_MK_ERROR(0x001f), + SGX_QL_QE_REPORT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0020), TEE_QE_REPORT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0020), + SGX_QL_PCK_CERT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0021), TEE_PCK_CERT_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0021), + SGX_QL_PCK_CERT_CHAIN_ERROR = TEE_MK_ERROR(0x0022), TEE_PCK_CERT_CHAIN_ERROR = TEE_MK_ERROR(0x0022), + SGX_QL_TCBINFO_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0023), TEE_TCBINFO_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0023), + SGX_QL_TCBINFO_MISMATCH = TEE_MK_ERROR(0x0024), TEE_TCBINFO_MISMATCH = TEE_MK_ERROR(0x0024), + SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0025), TEE_QEIDENTITY_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0025), + SGX_QL_QEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0026), TEE_QEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0026), + SGX_QL_TCB_OUT_OF_DATE = TEE_MK_ERROR(0x0027), TEE_TCB_OUT_OF_DATE = TEE_MK_ERROR(0x0027), + SGX_QL_TCB_OUT_OF_DATE_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0028), TEE_TCB_OUT_OF_DATE_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0028), ///< TCB out of date and Configuration needed + SGX_QL_SGX_ENCLAVE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x0029), TEE_SGX_ENCLAVE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x0029), + SGX_QL_SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE = TEE_MK_ERROR(0x002a), TEE_SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE = TEE_MK_ERROR(0x002a), + SGX_QL_QE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x002b), TEE_QE_IDENTITY_OUT_OF_DATE = TEE_MK_ERROR(0x002b), + SGX_QL_SGX_TCB_INFO_EXPIRED = TEE_MK_ERROR(0x002c), TEE_SGX_TCB_INFO_EXPIRED = TEE_MK_ERROR(0x002c), + SGX_QL_SGX_PCK_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002d), TEE_SGX_PCK_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002d), + SGX_QL_SGX_CRL_EXPIRED = TEE_MK_ERROR(0x002e), TEE_SGX_CRL_EXPIRED = TEE_MK_ERROR(0x002e), + SGX_QL_SGX_SIGNING_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002f), TEE_SGX_SIGNING_CERT_CHAIN_EXPIRED = TEE_MK_ERROR(0x002f), + SGX_QL_SGX_ENCLAVE_IDENTITY_EXPIRED = TEE_MK_ERROR(0x0030), TEE_SGX_ENCLAVE_IDENTITY_EXPIRED = TEE_MK_ERROR(0x0030), + SGX_QL_PCK_REVOKED = TEE_MK_ERROR(0x0031), TEE_PCK_REVOKED = TEE_MK_ERROR(0x0031), + SGX_QL_TCB_REVOKED = TEE_MK_ERROR(0x0032), TEE_TCB_REVOKED = TEE_MK_ERROR(0x0032), + SGX_QL_TCB_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0033), TEE_TCB_CONFIGURATION_NEEDED = TEE_MK_ERROR(0x0033), + SGX_QL_UNABLE_TO_GET_COLLATERAL = TEE_MK_ERROR(0x0034), TEE_UNABLE_TO_GET_COLLATERAL = TEE_MK_ERROR(0x0034), + SGX_QL_ERROR_INVALID_PRIVILEGE = TEE_MK_ERROR(0x0035), TEE_ERROR_INVALID_PRIVILEGE = TEE_MK_ERROR(0x0035), ///< No enough privilege to perform the operation + SGX_QL_NO_QVE_IDENTITY_DATA = TEE_MK_ERROR(0x0037), TEE_NO_QVE_IDENTITY_DATA = TEE_MK_ERROR(0x0037), ///< The platform does not have the QVE identity data available. + SGX_QL_CRL_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0038), TEE_CRL_UNSUPPORTED_FORMAT = TEE_MK_ERROR(0x0038), + SGX_QL_QEIDENTITY_CHAIN_ERROR = TEE_MK_ERROR(0x0039), TEE_QEIDENTITY_CHAIN_ERROR = TEE_MK_ERROR(0x0039), + SGX_QL_TCBINFO_CHAIN_ERROR = TEE_MK_ERROR(0x003a), TEE_TCBINFO_CHAIN_ERROR = TEE_MK_ERROR(0x003a), + SGX_QL_ERROR_QVL_QVE_MISMATCH = TEE_MK_ERROR(0x003b), TEE_ERROR_QVL_QVE_MISMATCH = TEE_MK_ERROR(0x003b), ///< Supplemental data size and version mismatched between QVL and QvE + ///< Please make sure to use QVL and QvE from same release package + SGX_QL_TCB_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003c), TEE_TCB_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003c), ///< TCB up to date but SW Hardening needed + SGX_QL_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003d), TEE_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED = TEE_MK_ERROR(0x003d), ///< TCB up to date but Configuration and SW Hardening needed + + SGX_QL_UNSUPPORTED_MODE = TEE_MK_ERROR(0x003e), TEE_UNSUPPORTED_MODE = TEE_MK_ERROR(0x003e), + + SGX_QL_NO_DEVICE = TEE_MK_ERROR(0x003f), TEE_NO_DEVICE = TEE_MK_ERROR(0x003f), + SGX_QL_SERVICE_UNAVAILABLE = TEE_MK_ERROR(0x0040), TEE_SERVICE_UNAVAILABLE = TEE_MK_ERROR(0x0040), + SGX_QL_NETWORK_FAILURE = TEE_MK_ERROR(0x0041), TEE_NETWORK_FAILURE = TEE_MK_ERROR(0x0041), + SGX_QL_SERVICE_TIMEOUT = TEE_MK_ERROR(0x0042), TEE_SERVICE_TIMEOUT = TEE_MK_ERROR(0x0042), + SGX_QL_ERROR_BUSY = TEE_MK_ERROR(0x0043), TEE_ERROR_BUSY = TEE_MK_ERROR(0x0043), + + SGX_QL_UNKNOWN_MESSAGE_RESPONSE = TEE_MK_ERROR(0x0044), TEE_UNKNOWN_MESSAGE_RESPONSE = TEE_MK_ERROR(0x0044), ///< Unexpected error from the cache service + SGX_QL_PERSISTENT_STORAGE_ERROR = TEE_MK_ERROR(0x0045), TEE_PERSISTENT_STORAGE_ERROR = TEE_MK_ERROR(0x0045), ///< Error storing the retrieved cached data in persistent memory + SGX_QL_ERROR_MESSAGE_PARSING_ERROR = TEE_MK_ERROR(0x0046), TEE_ERROR_MESSAGE_PARSING_ERROR = TEE_MK_ERROR(0x0046), /// Message parsing error + SGX_QL_PLATFORM_UNKNOWN = TEE_MK_ERROR(0x0047), TEE_PLATFORM_UNKNOWN = TEE_MK_ERROR(0x0047), ///< Platform was not found in the cache + SGX_QL_UNKNOWN_API_VERSION = TEE_MK_ERROR(0x0048), TEE_UNKNOWN_API_VERSION = TEE_MK_ERROR(0x0048), ///< The current PCS API version configured is unknown + SGX_QL_CERTS_UNAVAILABLE = TEE_MK_ERROR(0x0049), TEE_CERTS_UNAVAILABLE = TEE_MK_ERROR(0x0049), ///< Certificates are not available for this platform + + SGX_QL_QVEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0050), TEE_QVEIDENTITY_MISMATCH = TEE_MK_ERROR(0x0050), ///< QvE Identity is NOT match to Intel signed QvE identity + SGX_QL_QVE_OUT_OF_DATE = TEE_MK_ERROR(0x0051), TEE_QVE_OUT_OF_DATE = TEE_MK_ERROR(0x0051), ///< QvE ISVSVN is smaller than the ISVSVN threshold, or input QvE ISVSVN is too small + SGX_QL_PSW_NOT_AVAILABLE = TEE_MK_ERROR(0x0052), TEE_PSW_NOT_AVAILABLE = TEE_MK_ERROR(0x0052), ///< SGX PSW library cannot be loaded, could be due to file I/O error + SGX_QL_COLLATERAL_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0053), TEE_COLLATERAL_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0053), ///< SGX quote verification collateral version not supported by QVL/QvE + SGX_QL_TDX_MODULE_MISMATCH = TEE_MK_ERROR(0x0060), TEE_TDX_MODULE_MISMATCH = TEE_MK_ERROR(0x0060), ///< TDX SEAM module identity is NOT match to Intel signed TDX SEAM module + + SGX_QL_QEIDENTITY_NOT_FOUND = TEE_MK_ERROR(0x0061), TEE_QEIDENTITY_NOT_FOUND = TEE_MK_ERROR(0x0061), ///< QE identity was not found + SGX_QL_TCBINFO_NOT_FOUND = TEE_MK_ERROR(0x0062), TEE_TCBINFO_NOT_FOUND = TEE_MK_ERROR(0x0062), ///< TCB Info was not found + SGX_QL_INTERNAL_SERVER_ERROR = TEE_MK_ERROR(0x0063), TEE_INTERNAL_SERVER_ERROR = TEE_MK_ERROR(0x0063), ///< Internal server error + + SGX_QL_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0064), TEE_SUPPLEMENTAL_DATA_VERSION_NOT_SUPPORTED = TEE_MK_ERROR(0x0064), ///< The supplemental data version is not supported + + SGX_QL_ROOT_CA_UNTRUSTED = TEE_MK_ERROR(0x0065), TEE_ROOT_CA_UNTRUSTED = TEE_MK_ERROR(0x0065), ///< The certificate used to establish SSL session is untrusted + + SGX_QL_TCB_NOT_SUPPORTED = TEE_MK_ERROR(0x0066), TEE_TCB_NOT_SUPPORTED = TEE_MK_ERROR(0x0066), ///< Current TCB level cannot be found in platform/enclave TCB info + + SGX_QL_CONFIG_INVALID_JSON = TEE_MK_ERROR(0x0067), TEE_CONFIG_INVALID_JSON = TEE_MK_ERROR(0x0067), ///< The QPL's config file is in JSON format but has a format error - SGX_QL_RESULT_INVALID_SIGNATURE = SGX_QL_MK_ERROR(0x0068), ///< Invalid signature during quote verification + SGX_QL_RESULT_INVALID_SIGNATURE = TEE_MK_ERROR(0x0068), TEE_RESULT_INVALID_SIGNATURE = TEE_MK_ERROR(0x0068), ///< Invalid signature during quote verification - SGX_QL_ERROR_MAX = SGX_QL_MK_ERROR(0x00FF), ///< Indicate max error to allow better translation. + SGX_QL_ERROR_MAX = TEE_MK_ERROR(0x00FF), TEE_ERROR_MAX = TEE_MK_ERROR(0x00FF), ///< Indicate max error to allow better translation. -} quote3_error_t; +} quote3_error_t, tee_error_t; #pragma pack(push, 1) diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp index 8e25f96d..b3710055 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.cpp @@ -45,7 +45,17 @@ typedef quote3_error_t (*get_collateral_func)(const uint8_t *fmspc, uint16_t fmspc_size, const char *pck_ca, tdx_ql_qv_collateral_t **pp_quote_collateral); typedef quote3_error_t (*free_collateral_func)(tdx_ql_qv_collateral_t *p_quote_collateral); -extern "C" tee_att_error_t tee_att_get_qpl_handle(const tee_att_config_t *p_context, void **pp_qpl_handle); +typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_t logger, + sgx_ql_log_level_t loglevel); + +void sgx_ql_logging_callback(sgx_ql_log_level_t level, const char *message) { + if (level == SGX_QL_LOG_ERROR) { + sgx_proc_log_report(1, message); + + } else if (level == SGX_QL_LOG_INFO) { + sgx_proc_log_report(3, message); + } +} void cleanup(tee_att_config_t *p_ctx) { QGS_LOG_INFO("About to delete ctx in cleanup\n"); @@ -57,7 +67,15 @@ boost::thread_specific_ptr ptr(cleanup); namespace intel { namespace sgx { namespace dcap { namespace qgs { - data_buffer get_resp(uint8_t *p_req, uint32_t req_size) { + // Function to check if any byte within [start, end) in a vector is non-zero + bool is_any_byte_none_zero(const uint8_t* p, size_t size) { + // Use std::any_of to check if any element in the specified range is non-zero + return std::any_of(p, p + size, + [](uint8_t value) + { return value != 0; }); + } + + data_buffer get_resp(const uint8_t *p_req, uint32_t req_size) { tee_att_error_t tee_att_ret = TEE_ATT_SUCCESS; qgs_msg_error_t qgs_msg_error_ret = QGS_MSG_SUCCESS; @@ -75,30 +93,45 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs { tee_att_config_t *p_ctx = NULL; QGS_LOG_INFO("call tee_att_create_context\n"); ret = tee_att_create_context(NULL, NULL, &p_ctx); - if (TEE_ATT_SUCCESS == ret) { - std::ostringstream oss; - oss << boost::this_thread::get_id(); - QGS_LOG_INFO("create context in thread[%s]\n", - oss.str().c_str()); - ptr.reset(p_ctx); - if (req_type != GET_PLATFORM_INFO_REQ) { - sgx_target_info_t qe_target_info; - uint8_t hash[32] = {0}; - size_t hash_size = sizeof(hash); - tee_att_ret = tee_att_init_quote(ptr.get(), &qe_target_info, false, - &hash_size, - hash); - if (TEE_ATT_SUCCESS != tee_att_ret) { - QGS_LOG_ERROR("tee_att_init_quote return 0x%x\n", tee_att_ret); - return {}; - } else { - QGS_LOG_INFO("tee_att_init_quote return success\n"); - } - } - } else { + if (TEE_ATT_SUCCESS != ret) { QGS_LOG_ERROR("Cannot create context\n"); return {}; } + std::ostringstream oss; + oss << boost::this_thread::get_id(); + QGS_LOG_INFO("create context in thread[%s]\n", oss.str().c_str()); + ptr.reset(p_ctx); + + do { + void *p_handle = NULL; + tee_att_ret = ::tee_att_get_qpl_handle(ptr.get(), &p_handle); + if (TEE_ATT_SUCCESS != tee_att_ret || NULL == p_handle) { + QGS_LOG_WARN("tee_att_get_qpl_handle return 0x%x\n", tee_att_ret); + break; + } + + sgx_ql_set_logging_callback_t ql_set_logging_callback = + (sgx_ql_set_logging_callback_t)dlsym(p_handle, "sgx_ql_set_logging_callback"); + if (dlerror() == NULL && ql_set_logging_callback) { + // Set log level to SGX_QL_LOG_ERROR + ql_set_logging_callback(sgx_ql_logging_callback, SGX_QL_LOG_ERROR); + } else { + QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n"); + } + } while(0); + + if (req_type != GET_PLATFORM_INFO_REQ) { + sgx_target_info_t qe_target_info; + uint8_t hash[32] = {0}; + size_t hash_size = sizeof(hash); + tee_att_ret = tee_att_init_quote(ptr.get(), &qe_target_info, false, &hash_size, hash); + if (TEE_ATT_SUCCESS != tee_att_ret) { + QGS_LOG_ERROR("tee_att_init_quote return 0x%x\n", tee_att_ret); + return {}; + } else { + QGS_LOG_INFO("tee_att_init_quote return success\n"); + } + } } switch (req_type) { @@ -227,14 +260,15 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs { } if (resp_error_code == QGS_MSG_SUCCESS) { qgs_msg_error_ret = qgs_msg_gen_get_collateral_resp(p_collateral->major_version, p_collateral->minor_version, - (const uint8_t *)p_collateral->pck_crl_issuer_chain, p_collateral->pck_crl_issuer_chain_size, - (const uint8_t *)p_collateral->root_ca_crl, p_collateral->root_ca_crl_size, - (const uint8_t *)p_collateral->pck_crl, p_collateral->pck_crl_size, - (const uint8_t *)p_collateral->tcb_info_issuer_chain, p_collateral->tcb_info_issuer_chain_size, - (const uint8_t *)p_collateral->tcb_info, p_collateral->tcb_info_size, - (const uint8_t *)p_collateral->qe_identity_issuer_chain, p_collateral->qe_identity_issuer_chain_size, - (const uint8_t *)p_collateral->qe_identity, p_collateral->qe_identity_size, - &p_resp, &resp_size); + (const uint8_t *)p_collateral->pck_crl_issuer_chain, p_collateral->pck_crl_issuer_chain_size, + (const uint8_t *)p_collateral->root_ca_crl, p_collateral->root_ca_crl_size, + (const uint8_t *)p_collateral->pck_crl, p_collateral->pck_crl_size, + (const uint8_t *)p_collateral->tcb_info_issuer_chain, p_collateral->tcb_info_issuer_chain_size, + (const uint8_t *)p_collateral->tcb_info, p_collateral->tcb_info_size, + (const uint8_t *)p_collateral->qe_identity_issuer_chain, p_collateral->qe_identity_issuer_chain_size, + (const uint8_t *)p_collateral->qe_identity, p_collateral->qe_identity_size, + &p_resp, &resp_size, + (qgs_msg_header_t *)p_req); free_func(p_collateral); } else { qgs_msg_error_ret = qgs_msg_gen_error_resp(resp_error_code, GET_COLLATERAL_RESP, &p_resp, &resp_size); @@ -290,6 +324,117 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs { qgs_msg_free(p_resp); return resp; } + + data_buffer get_raw_resp(const uint8_t *req, uint32_t req_size) { + tee_att_error_t tee_att_ret = TEE_ATT_SUCCESS; + data_buffer resp; + + if (ptr.get() == 0) { + tee_att_error_t ret = TEE_ATT_SUCCESS; + tee_att_config_t *p_ctx = NULL; + QGS_LOG_INFO("call tee_att_create_context\n"); + ret = tee_att_create_context(NULL, NULL, &p_ctx); + if (TEE_ATT_SUCCESS != ret) { + QGS_LOG_ERROR("Cannot create context\n"); + return {}; + } + + std::ostringstream oss; + oss << boost::this_thread::get_id(); + QGS_LOG_INFO("create context in thread[%s]\n", oss.str().c_str()); + ptr.reset(p_ctx); + + do { + void *p_handle = NULL; + tee_att_ret = ::tee_att_get_qpl_handle(ptr.get(), &p_handle); + if (TEE_ATT_SUCCESS != tee_att_ret || NULL == p_handle) { + QGS_LOG_WARN("tee_att_get_qpl_handle return 0x%x\n", tee_att_ret); + break; + } + + sgx_ql_set_logging_callback_t ql_set_logging_callback = + (sgx_ql_set_logging_callback_t)dlsym(p_handle, "sgx_ql_set_logging_callback"); + if (dlerror() == NULL && ql_set_logging_callback) { + // Set log level to SGX_QL_LOG_ERROR + ql_set_logging_callback(sgx_ql_logging_callback, SGX_QL_LOG_ERROR); + } else { + QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n"); + } + } while(0); + + sgx_target_info_t qe_target_info; + uint8_t hash[32] = {0}; + size_t hash_size = sizeof(hash); + tee_att_ret = tee_att_init_quote(ptr.get(), &qe_target_info, false, + &hash_size, + hash); + if (TEE_ATT_SUCCESS != tee_att_ret) { + QGS_LOG_ERROR("tee_att_init_quote return 0x%x\n", tee_att_ret); + //ingnore failure + } else { + QGS_LOG_INFO("tee_att_init_quote return success\n"); + } + } + + if (req_size == sizeof(sgx_report2_t)) { + sgx_report2_t * p_report = (sgx_report2_t *)req; + if (p_report->report_mac_struct.report_type.type != TEE_REPORT2_TYPE + || p_report->report_mac_struct.report_type.subtype != TEE_REPORT2_SUBTYPE + || (p_report->report_mac_struct.report_type.version != TEE_REPORT2_VERSION + && p_report->report_mac_struct.report_type.version != TEE_REPORT2_VERSION_SERVICETD) + || p_report->report_mac_struct.report_type.reserved != 0 + || is_any_byte_none_zero(p_report->report_mac_struct.reserved1, SGX_REPORT2_MAC_STRUCT_RESERVED1_BYTES) + || is_any_byte_none_zero(p_report->report_mac_struct.reserved2, SGX_REPORT2_MAC_STRUCT_RESERVED2_BYTES) + || is_any_byte_none_zero(p_report->reserved, SGX_REPORT2_RESERVED_BYTES) + ) { + QGS_LOG_ERROR("Not a legimit TD report, stop\n"); + return {}; + } + + int retry = 1; + do { + uint32_t size = 0; + if (retry == 0) { + sgx_target_info_t qe_target_info; + uint8_t hash[32] = {0}; + size_t hash_size = sizeof(hash); + QGS_LOG_INFO("call tee_att_init_quote\n"); + tee_att_ret = tee_att_init_quote(ptr.get(), &qe_target_info, true, + &hash_size, + hash); + if (TEE_ATT_SUCCESS != tee_att_ret) { + QGS_LOG_ERROR("tee_att_init_quote return 0x%x\n", tee_att_ret); + } else { + QGS_LOG_INFO("tee_att_init_quote return Success\n"); + } + } + if (TEE_ATT_SUCCESS != (tee_att_ret = tee_att_get_quote_size(ptr.get(), &size))) { + QGS_LOG_ERROR("tee_att_get_quote_size return 0x%x\n", tee_att_ret); + } else { + QGS_LOG_INFO("tee_att_get_quote_size return Success\n"); + resp.resize(size); + tee_att_ret = tee_att_get_quote(ptr.get(), + req, + req_size, + NULL, + resp.data(), + size); + if (TEE_ATT_SUCCESS != tee_att_ret) { + resp.resize(0); + QGS_LOG_ERROR("tee_att_get_quote return 0x%x\n", tee_att_ret); + } else { + QGS_LOG_INFO("tee_att_get_quote return Success\n"); + } + } + // Only retry once when the return code is TEE_ATT_ATT_KEY_NOT_INITIALIZED + } while (TEE_ATT_ATT_KEY_NOT_INITIALIZED == tee_att_ret && retry--); + + return resp; + } else { + QGS_LOG_INFO("Not a legimit raw request, stop\n"); + return {}; + } + } } } // namespace dcap } // namespace sgx diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.h b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.h index c32f7d83..ab90d3c2 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.h +++ b/QuoteGeneration/quote_wrapper/qgs/qgs_ql_logic.h @@ -38,7 +38,8 @@ namespace intel { namespace sgx { namespace dcap { namespace qgs { using data_buffer = std::vector; - data_buffer get_resp(uint8_t *p_req, uint32_t req_size); + data_buffer get_resp(const uint8_t *p_req, uint32_t req_size); + data_buffer get_raw_resp(const uint8_t *p_req, uint32_t req_size); } } } diff --git a/QuoteGeneration/quote_wrapper/qgs/qgs_server.cpp b/QuoteGeneration/quote_wrapper/qgs/qgs_server.cpp index 67ce443c..818f2a03 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgs_server.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/qgs_server.cpp @@ -32,6 +32,7 @@ #include "qgs_server.h" #include "qgs_log.h" #include "qgs_ql_logic.h" +#include "qgs_msg_lib.h" #include "se_trace.h" #include #include @@ -55,7 +56,6 @@ using namespace std; using boost::uint8_t; static const int QGS_TIMEOUT = 30; - namespace intel { namespace sgx { namespace dcap { namespace qgs { const unsigned HEADER_SIZE = 4; @@ -103,7 +103,7 @@ class QgsConnection : public boost::enable_shared_from_this { stop(); } }); - start_read_header(); + start_read(); } void stop() { @@ -140,21 +140,58 @@ class QgsConnection : public boost::enable_shared_from_this { m_timer(io_service) { } - void handle_read_header(const boost::system::error_code &ec) { + void handle_read(const boost::system::error_code &ec, std::size_t bytes_transferred) { std::ostringstream oss; oss << ec.category().name() << ':' << ec.value(); - QGS_LOG_INFO("handle read header, status [%s]\n", + QGS_LOG_INFO("handle_read: status [%s]\n", oss.str().c_str()); - if (!ec) { - QGS_LOG_INFO("Got header!\n"); + if (ec == asio::error::eof) { + oss << "Received eof and " << bytes_transferred << " bytes."; + QGS_LOG_INFO("handle_read:[%s]\n", oss.str().c_str()); + } else if (ec) { + oss << "Error: " << ec.message(); + QGS_LOG_INFO("handle_read:[%s]\n", oss.str().c_str()); + } else { + oss << "Received " << bytes_transferred << " bytes."; + QGS_LOG_INFO("handle_read:[%s]\n", oss.str().c_str()); + unsigned msg_len = decode_header(m_readbuf); - QGS_LOG_INFO("body should be [%d] bytes!\n", msg_len); - if (!msg_len) { - QGS_LOG_INFO("Failed to decode header, stop\n"); - m_timer.cancel(); - stop(); + uint32_t msg_type = QGS_MSG_TYPE_MAX; + auto ptr = reinterpret_cast(&m_readbuf[HEADER_SIZE]); + if (!msg_len + || ptr->size != msg_len + || QGS_MSG_SUCCESS != qgs_msg_get_type(&m_readbuf[HEADER_SIZE], + (uint32_t)bytes_transferred - HEADER_SIZE, &msg_type)) { + const std::size_t raw_report_size = 1024; + if (bytes_transferred == raw_report_size) { + QGS_LOG_INFO("process raw request [%zu] bytes!.\n", bytes_transferred); + m_readbuf.resize(bytes_transferred); + handle_raw_request(); + } else { + QGS_LOG_INFO("wait for [%zu] bytes!.\n", raw_report_size - bytes_transferred); + asio::async_read(m_socket, asio::buffer(m_readbuf), + asio::transfer_exactly(raw_report_size - bytes_transferred), + boost::bind(&QgsConnection::handle_read, + shared_from_this(), + asio::placeholders::error, + asio::placeholders::bytes_transferred)); + } + return; } else { - start_read_body(msg_len); + if (msg_len + HEADER_SIZE > bytes_transferred) { + QGS_LOG_INFO("wait for [%zu] bytes!.\n", msg_len + HEADER_SIZE - bytes_transferred); + asio::async_read(m_socket, asio::buffer(m_readbuf), + asio::transfer_exactly(msg_len + HEADER_SIZE - bytes_transferred), + boost::bind(&QgsConnection::handle_read, + shared_from_this(), + asio::placeholders::error, + asio::placeholders::bytes_transferred)); + } else { + QGS_LOG_INFO("process legecy request [%zu] bytes!.\n", bytes_transferred); + m_readbuf.resize(bytes_transferred); + handle_request(); + return; + } } } } @@ -193,39 +230,62 @@ class QgsConnection : public boost::enable_shared_from_this { std::copy(resp.begin(), resp.end(), writebuf.begin() + HEADER_SIZE); std::ostringstream oss1; oss1 << boost::this_thread::get_id(); - QGS_LOG_INFO("About to write response in thread [%s]\n", - oss1.str().c_str()); + QGS_LOG_INFO("About to write response in thread [%s]\n", oss1.str().c_str()); if (asio::write(m_socket, asio::buffer(writebuf), ec) != writebuf.size()) { - QGS_LOG_INFO("Failed to write all buffer in thread [%s]\n", - oss1.str().c_str()); + QGS_LOG_INFO("Failed to write all buffer in thread [%s]\n", oss1.str().c_str()); } m_timer.cancel(); stop(); }); } - void start_read_header() { - m_readbuf.resize(HEADER_SIZE); - asio::async_read(m_socket, asio::buffer(m_readbuf), - boost::bind(&QgsConnection::handle_read_header, - shared_from_this(), - asio::placeholders::error)); + void handle_raw_request() { + std::ostringstream oss; + oss << boost::this_thread::get_id(); + QGS_LOG_INFO("unpack message successfully in thread [%s]\n", + oss.str().c_str()); + asio::post(m_pool, [this, self = shared_from_this()] { + boost::system::error_code ec; + + data_buffer resp = prepare_raw_response(const_cast(m_readbuf)); + + uint32_t resp_size = (uint32_t)resp.size(); + if (!resp_size) { + QGS_LOG_INFO("resp_size is 0"); + m_timer.cancel(); + stop(); + return; + } + std::ostringstream oss1; + oss1 << boost::this_thread::get_id(); + QGS_LOG_INFO("About to write response in thread [%s]\n", oss1.str().c_str()); + if (asio::write(m_socket, asio::buffer(resp), ec) != resp.size()) { + QGS_LOG_INFO("Failed to write all buffer in thread [%s]\n", oss1.str().c_str()); + } + m_timer.cancel(); + stop(); + }); } - void start_read_body(unsigned msg_len) { - m_readbuf.resize(HEADER_SIZE + msg_len); - asio::mutable_buffers_1 buf = asio::buffer(&m_readbuf[HEADER_SIZE], - msg_len); - asio::async_read(m_socket, buf, - boost::bind(&QgsConnection::handle_read_body, + + void start_read() { + m_readbuf.resize(4096); + asio::async_read(m_socket, asio::buffer(m_readbuf), + asio::transfer_at_least(HEADER_SIZE + sizeof(qgs_msg_header_t)), + boost::bind(&QgsConnection::handle_read, shared_from_this(), - asio::placeholders::error)); + asio::placeholders::error, + asio::placeholders::bytes_transferred)); } data_buffer prepare_response(data_buffer const &req) { - return get_resp((uint8_t *)&req[HEADER_SIZE], (uint32_t)req.size() - HEADER_SIZE); + return get_resp(&req[HEADER_SIZE], (uint32_t)req.size() - HEADER_SIZE); } - }; + + data_buffer prepare_raw_response(data_buffer const &req) { + return get_raw_resp(req.data(), (uint32_t)req.size()); + } +}; struct QgsServer::QgsServerImpl diff --git a/QuoteGeneration/quote_wrapper/qgs/qgsd.service b/QuoteGeneration/quote_wrapper/qgs/qgsd.service index 47364197..ecd33043 100644 --- a/QuoteGeneration/quote_wrapper/qgs/qgsd.service +++ b/QuoteGeneration/quote_wrapper/qgs/qgsd.service @@ -1,5 +1,5 @@ [Unit] -Description=Intel(R) TD Quoting Generation Service +Description=Intel(R) TD Quoting Generation Service After=syslog.target network.target auditd.service After=remount-dev-exec.service Wants=remount-dev-exec.service @@ -11,6 +11,8 @@ Environment=NAME=qgsd Environment=LD_LIBRARY_PATH=@qgs_folder@ WorkingDirectory=@qgs_folder@ PermissionsStartOnly=true +ExecStartPre=/bin/chown -R qgsd:qgsd /var/opt/qgsd/ +ExecStartPre=/bin/chmod 0750 /var/opt/qgsd/ ExecStart=@qgs_folder@/qgs ExecStartPre=@qgs_folder@/linksgx.sh InaccessibleDirectories=/home diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp index a9652c56..00dd9a22 100644 --- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp +++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp @@ -144,7 +144,7 @@ int main(int argc, const char* argv[]) exit(1); } char value[256] = {}; - strncpy(value, line.substr(delimiterPos + 1).c_str(), sizeof(value)); + strncpy(value, line.substr(delimiterPos + 1).c_str(), sizeof(value) - 1); value[255] = '\0'; if (!port && name.compare("port") == 0) { errno = 0; diff --git a/QuoteGeneration/quote_wrapper/qgs/test_client.c b/QuoteGeneration/quote_wrapper/qgs/test_client.c index d869eae7..9d8cb828 100644 --- a/QuoteGeneration/quote_wrapper/qgs/test_client.c +++ b/QuoteGeneration/quote_wrapper/qgs/test_client.c @@ -65,6 +65,52 @@ static void print_hex_dump(const char *title, const char *prefix_str, fprintf(stdout, "\n"); } +int test_raw_request(void) +{ + + int s = socket(AF_VSOCK, SOCK_STREAM, 0); + if (-1 == s) + { + fprintf(stderr, "\nsocket return 0x%x\n", s); + return 1; + } + struct sockaddr_vm vm_addr; + memset(&vm_addr, 0, sizeof(vm_addr)); + vm_addr.svm_family = AF_VSOCK; + vm_addr.svm_reserved1 = 0; + vm_addr.svm_port = 4050; + vm_addr.svm_cid = VMADDR_CID_HOST; + if (connect(s, (struct sockaddr *)&vm_addr, sizeof(vm_addr))) + { + fprintf(stderr, "\nconnect error\n"); + return 1; + } + + uint8_t report[1024] = {0}; + report[0] = 0x81; + ssize_t ret; + // Write to socket + ret = send(s, &report, sizeof(report), 0); + if (ret != sizeof(report)) + { + perror(NULL); + fprintf(stderr, "\nraw request send error %ld\n", ret); + return 1; + } + + uint8_t buf[8 * 1024] = {0}; + // Read the response + ret = recv(s, buf, 8 * 1024, 0); + // No data excepted + if (ret != 0) { + perror(NULL); + fprintf(stderr, "\nraw request recv error %ld\n", ret); + return 1; + } + return 0; +} + + int main(int argc, char *argv[]) { (void)argc; @@ -72,6 +118,11 @@ int main(int argc, char *argv[]) int s = -1; int ret = 0; + ret = test_raw_request(); + if (0 == ret) { + fprintf(stderr, "\nraw request success\n"); + } + uint8_t buf[4 * 1024] = {0}; uint32_t msg_size = 0; uint32_t in_msg_size = 0; @@ -105,7 +156,7 @@ int main(int argc, char *argv[]) s = socket(AF_VSOCK, SOCK_STREAM, 0); if (-1 == s) { - fprintf(stderr, "\nsocket return 0x%x\n", qgs_msg_ret); + fprintf(stderr, "\nsocket return 0x%x\n", s); ret = 1; goto ret_point; } @@ -130,6 +181,7 @@ int main(int argc, char *argv[]) // Read the response size header if (HEADER_SIZE != recv(s, buf, HEADER_SIZE, 0)) { + perror(NULL); fprintf(stderr, "\nrecv error\n"); ret = 1; goto ret_point; @@ -165,8 +217,13 @@ int main(int argc, char *argv[]) goto ret_point; } - // We've called qgs_msg_inflate_get_quote_resp, the message type should be GET_QUOTE_RESP + // We've called qgs_msg_inflate_get_platform_info_resp, the message type should be GET_PLATFORM_INFO_RESP p_header = (qgs_msg_header_t *)(buf + HEADER_SIZE); + if (p_header->type != GET_PLATFORM_INFO_RESP) { + fprintf(stderr, "\ntype in resp msg is 0x%d", p_header->type); + ret = 1; + goto ret_point; + } if (p_header->error_code != 0) { fprintf(stderr, "\nerror code in resp msg is 0x%x", p_header->error_code); ret = 1; @@ -183,4 +240,4 @@ int main(int argc, char *argv[]) } return ret; -} \ No newline at end of file +} diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h b/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h index d063cca2..c235806c 100644 --- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h +++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h @@ -168,7 +168,8 @@ qgs_msg_error_t qgs_msg_gen_get_collateral_resp( const uint8_t *p_tcb_info, uint32_t tcb_info_size, const uint8_t *p_qe_identity_issuer_chain, uint32_t qe_identity_issuer_chain_size, const uint8_t *p_qe_identity, uint32_t qe_identity_size, - uint8_t **pp_resp, uint32_t *p_resp_size); + uint8_t **pp_resp, uint32_t *p_resp_size, + const qgs_msg_header_t *p_req_header); qgs_msg_error_t qgs_msg_inflate_get_quote_resp( const uint8_t *p_serialized_resp, uint32_t size, diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile index 02c6d1c5..74cc4a47 100644 --- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile +++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/linux/Makefile @@ -31,8 +31,15 @@ ######## SGX SDK Settings ######## TOP_DIR = ../../.. -include $(TOP_DIR)/buildenv.mk - +SDK_NOT_REQUIRED = 1 +ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),) + CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ + -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \ + -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \ + -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection +else + include $(TOP_DIR)/buildenv.mk +endif ######## LIBQGS_MSG ######## SRC := $(wildcard ../*.cpp) diff --git a/QuoteGeneration/quote_wrapper/qgs_msg_lib/qgs_msg_lib.cpp b/QuoteGeneration/quote_wrapper/qgs_msg_lib/qgs_msg_lib.cpp index 2a5f0004..254f673f 100644 --- a/QuoteGeneration/quote_wrapper/qgs_msg_lib/qgs_msg_lib.cpp +++ b/QuoteGeneration/quote_wrapper/qgs_msg_lib/qgs_msg_lib.cpp @@ -35,7 +35,7 @@ #include const uint32_t QGS_MSG_LIB_MAJOR_VER = 1; -const uint32_t QGS_MSG_LIB_MINOR_VER = 0; +const uint32_t QGS_MSG_LIB_MINOR_VER = 1; void qgs_msg_free(void *p_buf) { free(p_buf); @@ -459,7 +459,8 @@ qgs_msg_error_t qgs_msg_gen_get_collateral_resp( const uint8_t *p_tcb_info, uint32_t tcb_info_size, const uint8_t *p_qe_identity_issuer_chain, uint32_t qe_identity_issuer_chain_size, const uint8_t *p_qe_identity, uint32_t qe_identity_size, - uint8_t **pp_resp, uint32_t *p_resp_size) { + uint8_t **pp_resp, uint32_t *p_resp_size, + const qgs_msg_header_t *p_req_header) { qgs_msg_error_t ret = QGS_MSG_SUCCESS; qgs_msg_get_collateral_resp_t *p_resp = NULL; uint8_t *p_ptr = NULL; @@ -483,7 +484,15 @@ qgs_msg_error_t qgs_msg_gen_get_collateral_resp( goto ret_point; } - temp = sizeof(major_version) + sizeof(minor_version) + sizeof(*p_resp); + if (p_req_header->major_version != QGS_MSG_LIB_MAJOR_VER) { + ret = QGS_MSG_ERROR_INVALID_VERSION; + goto ret_point; + } + if (p_req_header->minor_version == 0) { + temp = sizeof(major_version) + sizeof(minor_version) + sizeof(*p_resp); + } else { + temp = sizeof(*p_resp); + } temp += pck_crl_issuer_chain_size; temp += root_ca_crl_size; temp += pck_crl_size; @@ -708,7 +717,11 @@ qgs_msg_error_t qgs_msg_inflate_get_collateral_resp( goto ret_point; } - temp = sizeof(p_resp->major_version) + sizeof(p_resp->minor_version) + sizeof(*p_resp); + if (p_resp->header.minor_version == 0) { + temp = sizeof(*p_resp) + sizeof(p_resp->major_version) + sizeof(p_resp->minor_version); + } else { + temp = sizeof(*p_resp); + } temp += p_resp->pck_crl_issuer_chain_size; temp += p_resp->root_ca_crl_size; temp += p_resp->pck_crl_size; diff --git a/QuoteGeneration/quote_wrapper/quote/id_enclave/win/id_enclave.vcxproj b/QuoteGeneration/quote_wrapper/quote/id_enclave/win/id_enclave.vcxproj index 6446a049..9b5bc02a 100644 --- a/QuoteGeneration/quote_wrapper/quote/id_enclave/win/id_enclave.vcxproj +++ b/QuoteGeneration/quote_wrapper/quote/id_enclave/win/id_enclave.vcxproj @@ -1,4 +1,4 @@ - +ļ»æ @@ -133,6 +133,7 @@ true false false + Guard Windows @@ -172,6 +173,7 @@ false false /Qspectre-load-cf + Guard Windows @@ -211,6 +213,7 @@ false false /Qspectre-load + Guard Windows @@ -288,6 +291,7 @@ Default true false + Guard Windows diff --git a/QuoteGeneration/quote_wrapper/servtd_attest/inc/servtd_com.h b/QuoteGeneration/quote_wrapper/servtd_attest/inc/servtd_com.h index a2e1b27a..18b2d1e5 100644 --- a/QuoteGeneration/quote_wrapper/servtd_attest/inc/servtd_com.h +++ b/QuoteGeneration/quote_wrapper/servtd_attest/inc/servtd_com.h @@ -48,8 +48,8 @@ #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff #define GET_QUOTE_ERROR 0x8000000000000000 #define GET_QUOTE_SERVICE_UNAVAILABLE 0x8000000000000001 -#define SVN_COMPONENT_LEN 16 -#define TD_REPORT10_ONLY_LEN 584 +#define MISCSELECTMASK_LEN 4 +#define ATTRIBUTESELECTMASK_LEN 16 struct servtd_tdx_quote_hdr { /* Quote version, filled by TD */ @@ -65,19 +65,23 @@ struct servtd_tdx_quote_hdr { }; struct servtd_tdx_quote_suppl_data { - sgx_report2_body_t quote_body; /* 0 584 */ - uint32_t tcb_version; /* 584 4 */ - uint8_t fmspc[FMSPC_SIZE]; /* 588 6 */ - uint8_t tdx_tcb_components[SVN_COMPONENT_LEN]; /* 594 16 */ - uint32_t pce_svn; /* 610 4 */ - uint8_t sgx_tcb_components[SVN_COMPONENT_LEN]; /* 614 16 */ - sgx_misc_select_t misc_select; /* 630 4 */ - sgx_attributes_t attributes; /* 634 16 */ - sgx_measurement_t mr_enclave; /* 650 32 */ - sgx_measurement_t mr_signer; /* 682 32 */ - sgx_prod_id_t isv_prod_id; /* 714 2 */ - sgx_isv_svn_t isv_svn; /* 716 2 */ + sgx_report2_body_t quote_body; /* 0 584 */ + uint8_t fmspc[FMSPC_SIZE]; /* 584 6 */ + uint8_t tdx_tcb_components[TEE_TCB_SVN_SIZE]; /* 590 16 */ + uint16_t pce_svn; /* 606 2 */ + uint8_t sgx_tcb_components[TEE_TCB_SVN_SIZE]; /* 608 16 */ + uint8_t tdx_module_major_ver; /* 624 1 */ + uint8_t tdx_module_svn; /* 625 1 */ + sgx_misc_select_t misc_select; /* 626 4 */ + uint8_t misc_select_mask[MISCSELECTMASK_LEN]; /* 630 4 */ + sgx_attributes_t attributes; /* 634 16 */ + uint8_t attributes_mask[ATTRIBUTESELECTMASK_LEN]; /* 650 16 */ + sgx_measurement_t mr_enclave; /* 666 32 */ + sgx_measurement_t mr_signer; /* 698 32 */ + sgx_prod_id_t isv_prod_id; /* 730 2 */ + sgx_isv_svn_t isv_svn; /* 732 2 */ }; + static const unsigned SERVTD_HEADER_SIZE = 4; static const uint32_t SERVTD_REQ_BUF_SIZE = 16 * 4 * 1024; // 16 pages diff --git a/QuoteGeneration/quote_wrapper/td-ql-logic-rs/Cargo.toml b/QuoteGeneration/quote_wrapper/td-ql-logic-rs/Cargo.toml index 35ece40f..feec7db3 100644 --- a/QuoteGeneration/quote_wrapper/td-ql-logic-rs/Cargo.toml +++ b/QuoteGeneration/quote_wrapper/td-ql-logic-rs/Cargo.toml @@ -7,3 +7,6 @@ edition = "2021" [dependencies] "td-ql-logic-sys" = { version = "0.1.0", path = "../td-ql-logic-sys" } +"qpl-rs" = { version = "0.1.0", path = "../../qpl-rs" } +"libc" = { version = "0.2" } + diff --git a/QuoteGeneration/quote_wrapper/td-ql-logic-rs/src/lib.rs b/QuoteGeneration/quote_wrapper/td-ql-logic-rs/src/lib.rs index 19bdbcbe..4c52b03d 100644 --- a/QuoteGeneration/quote_wrapper/td-ql-logic-rs/src/lib.rs +++ b/QuoteGeneration/quote_wrapper/td-ql-logic-rs/src/lib.rs @@ -43,6 +43,14 @@ pub use td_ql_logic_sys::tee_att_config_t; pub use td_ql_logic_sys::tee_att_error_t; pub use td_ql_logic_sys::tee_platform_info_t; +pub use qpl_rs::tee_qpl_log_level; +pub use qpl_rs::tee_qpl_logging_callback; + +type sgx_ql_set_logging_callback_t = unsafe extern "C" fn( + logger: qpl_rs::tee_qpl_logging_callback, + loglevel: qpl_rs::tee_qpl_log_level, +) -> qpl_rs::quote3_error_t; + /// Creates a TEE attestation context. /// /// # Arguments @@ -249,9 +257,55 @@ pub fn tee_att_set_path( } } +/// # Parameters +/// +/// * `context`: A mutable pointer to a `tee_att_config_t` object. +/// * `cb` - The logging callback to set. +/// * `loglevel` - The log level to set for the callback. +/// +/// # Panics +/// +/// This function does not have any scenarios in which it could panic. +/// +pub fn tee_att_set_logging_callback( + context: *mut tee_att_config_t, + cb: qpl_rs::tee_qpl_logging_callback, + loglevel: qpl_rs::tee_qpl_log_level, +) -> tee_att_error_t { + let mut qpl_handle: *mut std::ffi::c_void = std::ptr::null_mut(); + unsafe { + let result = td_ql_logic_sys::tee_att_get_qpl_handle(context, &mut qpl_handle); + match result { + tee_att_error_t::TEE_ATT_SUCCESS => { + let name = std::ffi::CString::new("sgx_ql_set_logging_callback").unwrap(); + let func = libc::dlsym(qpl_handle, name.as_ptr() as *const i8); + if func.is_null() { + tee_att_error_t::TEE_ATT_PLATFORM_LIB_UNAVAILABLE + } else { + let set_callback_handle: sgx_ql_set_logging_callback_t = + std::mem::transmute(func); + let ret = set_callback_handle(cb, loglevel); + match ret { + qpl_rs::quote3_error_t::SGX_QL_SUCCESS => tee_att_error_t::TEE_ATT_SUCCESS, + _ => tee_att_error_t::TEE_ATT_PLATFORM_LIB_UNAVAILABLE, + } + } + } + _ => result, + } + } +} + #[cfg(test)] mod tests { use super::*; + unsafe extern "C" fn my_logging_callback( + level: tee_qpl_log_level, + message: *const ::std::os::raw::c_char, + ) { + let msg_str = std::ffi::CStr::from_ptr(message).to_str().unwrap(); + println!("level {level}: {:?}", msg_str); + } #[test] fn it_works() { @@ -276,6 +330,12 @@ mod tests { tee_att_error_t::TEE_ATT_SUCCESS => println!("tee_att_set_path Success"), _ => println!("tee_att_set_path failed"), } + let cb: tee_qpl_logging_callback = Some(my_logging_callback); + let result = tee_att_set_logging_callback(context, cb, 1); + match result { + tee_att_error_t::TEE_ATT_SUCCESS => println!("tee_att_set_logging_callback Success"), + _ => println!("tee_att_set_logging_callback failed"), + }; let result = tee_att_init_quote(context, false); let (_pub_key, _qe_target_info) = match result { Ok((p, t)) => { diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile index fd239c27..0d073ef1 100644 --- a/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile +++ b/QuoteGeneration/quote_wrapper/tdx_attest/linux/Makefile @@ -31,7 +31,26 @@ ######## Basic Settings ######## TOP_DIR = ../../.. -include $(TOP_DIR)/buildenv.mk +SDK_NOT_REQUIRED = 1 +ifeq ($(wildcard $(TOP_DIR)/buildenv.mk),) + CFLAGS ?= -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -fstack-protector -O2 \ + -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self \ + -Wpointer-arith -Wreturn-type -Waddress -Wsequence-point -Wformat-security -Wmissing-include-dirs \ + -Wfloat-equal -Wundef -Wshadow -Wcast-align -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection + CXXFLAGS ?= -Wnon-virtual-dtor -std=c++14 -fstack-protector -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG \ + -ffunction-sections -fdata-sections -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type -Waddress \ + -Wsequence-point -Wformat-security -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow -Wcast-align \ + -Wconversion -Wredundant-decls -DITT_ARCH_IA64 -fcf-protection + COMMON_LDFLAGS ?= -Wl,-z,relro,-z,now,-z,noexecstack + BUILD_DIR ?= ../out + SGX_MAJOR_VER ?= 1 + CP ?= cp + MKDIR ?= mkdir +else + include $(TOP_DIR)/buildenv.mk +endif + + ######## Tdx_Attest Settings ######## QGS_MSG_LFLAGS = -L../../qgs_msg_lib/linux -lqgs_msg @@ -40,6 +59,10 @@ Tdx_Attest_C_Files := ../tdx_attest.c Tdx_Attest_Include_Paths := -I./ -I../../qgs_msg_lib/inc +ifeq ($(V3_DRIVER), 1) + CFLAGS += -DV3_DRIVER +endif + Tdx_Attest_C_Flags := $(CFLAGS) -g -MMD -fPIC -Wno-attributes $(Tdx_Attest_Include_Paths) LDUFLAGS := $(COMMON_LDFLAGS) @@ -56,10 +79,11 @@ Tdx_Attest_Name := libtdx_attest.so all: install_lib install_lib: $(Tdx_Attest_Name) | $(BUILD_DIR) - @$(CP) $(Tdx_Attest_Name) $| + $(CP) $(Tdx_Attest_Name) $| ######## Tdx_Attest Objects ######## $(Tdx_Attest_Name): $(Tdx_Attest_C_Objects) + make -C ../../qgs_msg_lib/linux CXXFLAGS="$(CXXFLAGS)" $(CC) $^ -shared -shared -Wl,-soname=$@.$(SGX_MAJOR_VER) $(QGS_MSG_LFLAGS) $(LDUFLAGS) -o $@ @echo "LINK => $@" @@ -70,9 +94,11 @@ test_app: $(Tdx_Attest_Name) ../test_tdx_attest.c ../tdx_attest.h $(CC) -I. -L./linux ../test_tdx_attest.c -L. -ltdx_attest -g -o $@ $(BUILD_DIR): - @$(MKDIR) $@ + $(MKDIR) $@ .PHONY: clean clean: - @rm -rf $(Tdx_Attest_Name) $(Tdx_Attest_C_Objects) $(Tdx_Attest_C_Depends) ./qgs test_app + make -C ../../qgs_msg_lib/linux clean + @rm -rf $(Tdx_Attest_Name) $(Tdx_Attest_C_Objects) $(Tdx_Attest_C_Depends) \ + $(BUILD_DIR)/$(Tdx_Attest_Name) ./qgs test_app diff --git a/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c b/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c index 3af870c1..23073091 100644 --- a/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c +++ b/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c @@ -30,35 +30,52 @@ */ #ifndef SERVTD_ATTEST + +#define _GNU_SOURCE #include #include -#include "tdx_attest.h" #include "qgs_msg_lib.h" +#include "tdx_attest.h" -#include +#include +#include +#include +#include +#include // For strtoul +#include +#include +#include #include -#include #include -#include -#include +#include +#include #include -#include -// For strtoul -#include -#include +#include #include -#include +#include #define TDX_ATTEST_DEV_PATH "/dev/tdx_guest" #define CFG_FILE_PATH "/etc/tdx-attest.conf" +#define DCAP_TDX_QUOTE_CONFIGFS_PATH_ENV "DCAP_TDX_QUOTE_CONFIGFS_PATH" +#define QUOTE_CONFIGFS_PATH "/sys/kernel/config/tsm/report" +#define DEFAULT_DCAP_TDX_QUOTE_CONFIGFS_PATH QUOTE_CONFIGFS_PATH"/com.intel.dcap" + // TODO: Should include kernel header, but the header file are included by // different package in differnt distro, and installed in different locations. // So add these defines here. Need to remove them later when kernel header // became stable. -#define TDX_CMD_GET_REPORT0 _IOWR('T', 1, struct tdx_report_req) -#define TDX_CMD_VERIFY_REPORT _IOR('T', 2, struct tdx_verify_report_req) -#define TDX_CMD_EXTEND_RTMR _IOR('T', 3, struct tdx_extend_rtmr_req) -#define TDX_CMD_GET_QUOTE _IOR('T', 4, struct tdx_quote_req) + +#define TDX_CMD_GET_REPORT0 _IOWR('T', 1, struct tdx_report_req) +#ifdef V3_DRIVER +#define TDX_CMD_VERIFY_REPORT _IOWR('T', 2, struct tdx_verify_report_req) +#define TDX_CMD_EXTEND_RTMR _IOW('T', 3, struct tdx_extend_rtmr_req) +#define TDX_CMD_GET_QUOTE _IOWR('T', 4, struct tdx_quote_req) +#else +#define TDX_CMD_VERIFY_REPORT _IOR('T', 2, struct tdx_verify_report_req) +#define TDX_CMD_EXTEND_RTMR _IOR('T', 3, struct tdx_extend_rtmr_req) +#define TDX_CMD_GET_QUOTE _IOR('T', 4, struct tdx_quote_req) +#endif + /* TD Quote status codes */ #define GET_QUOTE_SUCCESS 0 @@ -108,6 +125,9 @@ struct tdx_quote_req { static const unsigned HEADER_SIZE = 4; static const size_t REQ_BUF_SIZE = 4 * 4 * 1024; // 4 pages +static const size_t QUOTE_BUF_SIZE = 8 * 1024; //8K +static const size_t QUOTE_MIN_SIZE = 1020; + static const tdx_uuid_t g_intel_tdqe_uuid = {TDX_SGX_ECDSA_ATTESTATION_ID}; static unsigned int get_vsock_port(void) @@ -157,9 +177,9 @@ static unsigned int get_vsock_port(void) // range is ok, so we can convert to int port = (unsigned int)long_num & 0xFFFFFFFF; - #ifdef DEBUG +#ifdef DEBUG fprintf(stdout, "\nGet the vsock port number [%u]\n", port); - #endif +#endif break; } } @@ -198,6 +218,179 @@ static tdx_attest_error_t get_tdx_report( return TDX_ATTEST_SUCCESS; } +#define MAX_PATH 260 + +static int b_mkdir = 1; +pthread_mutex_t mkdir_mutex; + +void __attribute__((constructor)) init_mutex(void) { pthread_mutex_init(&mkdir_mutex, NULL); } +void __attribute__((destructor)) destroy_mutex(void) { pthread_mutex_destroy(&mkdir_mutex); } + +static tdx_attest_error_t prepare_configfs(char **p_configfs_path) { + int ret = TDX_ATTEST_ERROR_NOT_SUPPORTED; + char *configfs_path = NULL; + do { + // Retrive DCAP TDX quote configFS path from environment + configfs_path = secure_getenv(DCAP_TDX_QUOTE_CONFIGFS_PATH_ENV); + if (configfs_path == NULL) { + syslog(LOG_INFO, "libtdx_attest: env '%s' is not provided - try default path.", + DCAP_TDX_QUOTE_CONFIGFS_PATH_ENV); + break; + } + if (strnlen(configfs_path, MAX_PATH) >= MAX_PATH - 20) { + syslog(LOG_ERR, "libtdx_attest: env '%s' is too long.", DCAP_TDX_QUOTE_CONFIGFS_PATH_ENV); + return ret; + } + + // Check whether the configFS directory exists + DIR *dir = opendir(configfs_path); + if (dir == NULL) { + syslog(LOG_ERR, "libtdx_attest: env '%s' is not valid directory.", + DCAP_TDX_QUOTE_CONFIGFS_PATH_ENV); + return ret; + } + closedir(dir); + ret = TDX_ATTEST_SUCCESS; + } while (0); + + while (ret != TDX_ATTEST_SUCCESS) { + // Default DCAP TDX quote configFS path + ret = TDX_ATTEST_ERROR_NOT_SUPPORTED; + configfs_path = DEFAULT_DCAP_TDX_QUOTE_CONFIGFS_PATH; + pthread_mutex_lock(&mkdir_mutex); + DIR *dir = opendir(configfs_path); + if (dir != NULL) { + pthread_mutex_unlock(&mkdir_mutex); + ret = TDX_ATTEST_SUCCESS; + closedir(dir); + break; + } + if (errno != ENOENT) { + pthread_mutex_unlock(&mkdir_mutex); + syslog(LOG_INFO, "libtdx_attest: default DCAP configFS not supported - fallback to vsock mode."); + break; + } + + // Create default DCAP TDX quote configFS path only once + if (!b_mkdir) { + pthread_mutex_unlock(&mkdir_mutex); + syslog(LOG_INFO, "libtdx_attest: default DCAP configFS not supported - fallback to vsock mode."); + break; + } + b_mkdir = 0; + + dir = opendir(QUOTE_CONFIGFS_PATH); + if (dir == NULL) { + pthread_mutex_unlock(&mkdir_mutex); + syslog(LOG_INFO, "libtdx_attest: configFS not supported - fallback to vsock mode."); + break; + } + closedir(dir); + + if (mkdir(configfs_path, S_IRWXU | S_IRWXG)) { + pthread_mutex_unlock(&mkdir_mutex); + if (errno == EEXIST && (dir = opendir(configfs_path)) != NULL) { + // Another process has just created configfs_path + ret = TDX_ATTEST_SUCCESS; + closedir(dir); + break; + } + syslog(LOG_INFO, "libtdx_attest: cannot create default configFS - fallback to vsock mode."); + break; + } + char provider_path[MAX_PATH]; + snprintf(provider_path, sizeof(provider_path), "%s/provider", configfs_path); + for (size_t retry = 0; retry < 5; retry++) { + // Linux kernel will create provider, generation, inblob, outblob in configfs_path + // after configfs_path direcotry created. + if (access(provider_path, F_OK) == 0) { + pthread_mutex_unlock(&mkdir_mutex); + ret = TDX_ATTEST_SUCCESS; + break; + } + usleep((useconds_t)retry); + } + pthread_mutex_unlock(&mkdir_mutex); + syslog(LOG_INFO, "libtdx_attest: unavailable default configFS - fallback to vsock mode."); + break; + } + + if (ret != TDX_ATTEST_SUCCESS) { + //Both configfs path are unavailable + return ret; + } + + // For Intel TDX, provider is "tdx_guest" + char provider_path[MAX_PATH]; + snprintf(provider_path, sizeof(provider_path), "%s/provider", configfs_path); + int fd = open(provider_path, O_RDONLY); + if (-1 == fd) { + TDX_TRACE; + syslog(LOG_ERR, "libtdx_attest: cannot open configFS `%s`.", provider_path); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + + // Read the entire file in one shot + char provider[16] = {0}; + ssize_t byte_size = read(fd, provider, 15); + close(fd); + + if (byte_size == -1 || byte_size == 0 || + strncmp(provider, "tdx_guest", sizeof("tdx_guest") - 1)) { + syslog(LOG_ERR, "libtdx_attest: configFS unsupported provider."); + return TDX_ATTEST_ERROR_NOT_SUPPORTED; + } + *p_configfs_path = configfs_path; + return TDX_ATTEST_SUCCESS; +} + +static tdx_attest_error_t read_configfs_generation(char *generation_path, long* p_generation) +{ + int fd = open(generation_path, O_RDONLY); + if (-1 == fd) { + TDX_TRACE; + syslog(LOG_ERR, "libtdx_attest: failed to open configFS generation."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } +#ifdef DEBUG + fprintf(stdout, "\nstart to read generation\n"); +#endif + #define GENERATION_MAX_LENGTH 20 + char str_generation[GENERATION_MAX_LENGTH] = {0}; + ssize_t byte_size = read(fd, str_generation, GENERATION_MAX_LENGTH); + if (byte_size == -1) { + TDX_TRACE; + close(fd); + syslog(LOG_ERR, "libtdx_attest: failed to read configFS generation."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + close(fd); + if (byte_size == 0) { + syslog(LOG_ERR, "libtdx_attest: no content of configFS generation."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + if (byte_size >= GENERATION_MAX_LENGTH) { + syslog(LOG_ERR, "libtdx_attest: too large configFS generation."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + + errno = 0; + long generation = strtol(str_generation, NULL, 10); + if (errno != 0) { + TDX_TRACE; + syslog(LOG_ERR, "libtdx_attest: cannot parse configFS generation."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + *p_generation = generation; + +#ifdef DEBUG + fprintf(stdout, "\ngeneration: %ld\n", generation); +#endif + return TDX_ATTEST_SUCCESS; +} + +#define RETRY_WAIT_TIME_USEC 10000000 + tdx_attest_error_t tdx_att_get_quote( const tdx_report_data_t *p_tdx_report_data, const tdx_uuid_t *p_att_key_id_list, @@ -209,50 +402,217 @@ tdx_attest_error_t tdx_att_get_quote( { int s = -1; int devfd = -1; - int use_tdvmcall = 1; + + const uint8_t *p_quote = NULL; uint32_t quote_size = 0; - uint32_t recieved_bytes = 0; - uint32_t in_msg_size = 0; - unsigned int vsock_port = 0; tdx_attest_error_t ret = TDX_ATTEST_ERROR_UNEXPECTED; - struct tdx_quote_hdr *p_get_quote_blob = NULL; uint8_t *p_blob_payload = NULL; - tdx_report_t tdx_report; - uint32_t msg_size = 0; - - qgs_msg_error_t qgs_msg_ret = QGS_MSG_SUCCESS; - qgs_msg_header_t *p_header = NULL; - uint8_t *p_req = NULL; - const uint8_t *p_quote = NULL; - const uint8_t *p_selected_id = NULL; - uint32_t id_size = 0; if ((!p_att_key_id_list && list_size) || (p_att_key_id_list && !list_size)) { - ret = TDX_ATTEST_ERROR_INVALID_PARAMETER; - goto ret_point; + return TDX_ATTEST_ERROR_INVALID_PARAMETER; } if (!pp_quote) { - ret = TDX_ATTEST_ERROR_INVALID_PARAMETER; - goto ret_point; + return TDX_ATTEST_ERROR_INVALID_PARAMETER; } if (flags) { //TODO: I think we need to have a runtime version to make this flag usable. - ret = TDX_ATTEST_ERROR_INVALID_PARAMETER; - goto ret_point; + return TDX_ATTEST_ERROR_INVALID_PARAMETER; } // Currently only intel TDQE are supported if (1 < list_size) { - ret = TDX_ATTEST_ERROR_INVALID_PARAMETER; + return TDX_ATTEST_ERROR_INVALID_PARAMETER; } if (p_att_key_id_list && memcmp(p_att_key_id_list, &g_intel_tdqe_uuid, sizeof(g_intel_tdqe_uuid))) { - ret = TDX_ATTEST_ERROR_UNSUPPORTED_ATT_KEY_ID; + return TDX_ATTEST_ERROR_UNSUPPORTED_ATT_KEY_ID; } + *pp_quote = NULL; + + do { + char *configfs_path = NULL; + if (prepare_configfs(&configfs_path) != TDX_ATTEST_SUCCESS) + break; + + char inblob_path[MAX_PATH]; + snprintf(inblob_path, sizeof(inblob_path), "%s/inblob", configfs_path); + + // Lock `inblob` to avoid other processes accessing it using libtdx_attest + // Will unlock it via close() + int fd_lock = open(inblob_path, O_WRONLY | O_CLOEXEC); + if (-1 == fd_lock) { + TDX_TRACE; + syslog(LOG_ERR, "libtdx_attest: failed to open configFS inblob."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + if (flock(fd_lock, LOCK_EX)) { + TDX_TRACE; + close(fd_lock); + syslog(LOG_ERR, "libtdx_attest: failed to lock configFS inblob."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + + /* Read and check generation value before writing inblob, after writing inblob and after + reading outblob to make sure that outblob matches inblob */ + char generation_path[MAX_PATH]; + snprintf(generation_path, sizeof(generation_path), "%s/generation", configfs_path); + long generation1; + ret = read_configfs_generation(generation_path, &generation1); + if (ret) { + close(fd_lock); + return ret; + } + + // Write TDX report data to inblob + int fd_inblob = open(inblob_path, O_WRONLY); + if (-1 == fd_inblob) { + TDX_TRACE; + close(fd_lock); + syslog(LOG_ERR, "libtdx_attest: failed to open configFS inblob."); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + + ssize_t byte_size = 0; + // Wait and retry when EBUSY; other TDX Quotes are being generating + for (int retry = 0; retry < 3; retry++) { + errno = 0; + byte_size = write(fd_inblob, p_tdx_report_data, sizeof(*p_tdx_report_data)); + if (errno != EBUSY) + break; + usleep(RETRY_WAIT_TIME_USEC); + } + if (byte_size != sizeof(*p_tdx_report_data)) { + if (errno == EBUSY) { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_BUSY; + } else { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_UNEXPECTED; + } + close(fd_lock); + close(fd_inblob); + syslog(LOG_ERR, "libtdx_attest: failed to write configFS inblob."); + return ret; + } + close(fd_inblob); + + long generation2; + do { + ret = read_configfs_generation(generation_path, &generation2); + if (ret) { + close(fd_lock); + return ret; + } + // In rare cases, generation is not updated + } while (generation2 == generation1 && !usleep(0)); + if (generation2 != generation1 + 1) { + // Another TDX quote generation has been triggered + close(fd_lock); + return TDX_ATTEST_ERROR_BUSY; + } + + // Read TDX quote from outblob + char outblob_path[MAX_PATH]; + snprintf(outblob_path, sizeof(outblob_path), "%s/outblob", configfs_path); + int fd = open(outblob_path, O_RDONLY); + if (-1 == fd) { + TDX_TRACE; + syslog(LOG_ERR, "libtdx_attest: failed to open configFS outblob."); + close(fd_lock); + return TDX_ATTEST_ERROR_UNEXPECTED; + } + + // Allocate memory for the entire file content + p_blob_payload = malloc(QUOTE_BUF_SIZE); + if (p_blob_payload == NULL) { + close(fd_lock); + close(fd); + return TDX_ATTEST_ERROR_OUT_OF_MEMORY; + } +#ifdef DEBUG + fprintf(stdout, "\nstart to read outblob\n"); +#endif + // Read the entire file in one shot + for (int retry = 0; retry < 3; retry++) { + errno = 0; + byte_size = read(fd, p_blob_payload, QUOTE_BUF_SIZE); + if (errno == EBUSY) { + usleep(RETRY_WAIT_TIME_USEC); + } else if (errno != EINTR && errno != ETIMEDOUT) + break; + } + if (byte_size == -1 || byte_size == 0) { + if (errno == EBUSY || errno == EINTR || errno == ETIMEDOUT) { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_BUSY; + } else + ret = TDX_ATTEST_ERROR_QUOTE_FAILURE; + close(fd_lock); + close(fd); + free(p_blob_payload); + syslog(LOG_ERR, "libtdx_attest: failed to read outblob."); + return ret; + } + close(fd); + + quote_size = (uint32_t)byte_size; +#ifdef DEBUG + fprintf(stdout, "\nquote size: %d\n", quote_size); +#endif + if (quote_size <= QUOTE_MIN_SIZE || quote_size == QUOTE_BUF_SIZE) { + close(fd_lock); + free(p_blob_payload); + return TDX_ATTEST_ERROR_QUOTE_FAILURE; + } + + long generation3; + ret = read_configfs_generation(generation_path, &generation3); + close(fd_lock); + if (ret) { + free(p_blob_payload); + return ret; + } + // Another TDX quote generation is triggered + if (generation3 != generation2) { + free(p_blob_payload); + return TDX_ATTEST_ERROR_BUSY; + } + + *pp_quote = realloc(p_blob_payload, quote_size); + if (!*pp_quote) { + free(p_blob_payload); + return TDX_ATTEST_ERROR_OUT_OF_MEMORY; + } + + if (p_quote_size) { + *p_quote_size = quote_size; + } + if (p_att_key_id) { + *p_att_key_id = g_intel_tdqe_uuid; + } + return TDX_ATTEST_SUCCESS; + } while (0); + +#ifdef DEBUG + fprintf(stdout, "\ngoto legacy logic\n"); +#endif + + uint32_t recieved_bytes = 0; + uint32_t in_msg_size = 0; + unsigned int vsock_port = 0; + uint32_t msg_size = 0; + qgs_msg_error_t qgs_msg_ret = QGS_MSG_SUCCESS; + qgs_msg_header_t *p_header = NULL; + uint8_t *p_req = NULL; + const uint8_t *p_selected_id = NULL; + uint32_t id_size = 0; + + tdx_report_t tdx_report; memset(&tdx_report, 0, sizeof(tdx_report)); - p_get_quote_blob = (struct tdx_quote_hdr *)malloc(REQ_BUF_SIZE); + + struct tdx_quote_hdr *p_get_quote_blob = malloc(REQ_BUF_SIZE); if (!p_get_quote_blob) { ret = TDX_ATTEST_ERROR_OUT_OF_MEMORY; goto ret_point; @@ -273,9 +633,9 @@ tdx_attest_error_t tdx_att_get_quote( qgs_msg_ret = qgs_msg_gen_get_quote_req(tdx_report.d, sizeof(tdx_report.d), NULL, 0, &p_req, &msg_size); if (QGS_MSG_SUCCESS != qgs_msg_ret) { - #ifdef DEBUG +#ifdef DEBUG fprintf(stdout, "\nqgs_msg_gen_get_quote_req return 0x%x\n", qgs_msg_ret); - #endif +#endif ret = TDX_ATTEST_ERROR_UNEXPECTED; goto ret_point; } @@ -363,56 +723,56 @@ tdx_attest_error_t tdx_att_get_quote( #ifdef DEBUG fprintf(stdout, "\nGet %u bytes response from vsock", recieved_bytes); #endif - use_tdvmcall = 0; + + goto done; } while (0); - if (use_tdvmcall) { - int ioctl_ret = 0; - struct tdx_quote_req arg; - p_get_quote_blob->version = 1; - p_get_quote_blob->status = 0; - p_get_quote_blob->in_len = HEADER_SIZE + msg_size; - p_get_quote_blob->out_len = 0; - arg.buf = (__u64)p_get_quote_blob; - arg.len = REQ_BUF_SIZE; - - ioctl_ret = ioctl(devfd, TDX_CMD_GET_QUOTE, &arg); - if (EBUSY == ioctl_ret) { - TDX_TRACE; - ret = TDX_ATTEST_ERROR_BUSY; - goto ret_point; - } else if (ioctl_ret) { - TDX_TRACE; - ret = TDX_ATTEST_ERROR_QUOTE_FAILURE; - goto ret_point; - } - if (p_get_quote_blob->status - || p_get_quote_blob->out_len <= HEADER_SIZE) { - TDX_TRACE; - if (GET_QUOTE_IN_FLIGHT == p_get_quote_blob->status) { - ret = TDX_ATTEST_ERROR_BUSY; - } else if (GET_QUOTE_SERVICE_UNAVAILABLE == p_get_quote_blob->status) { - ret = TDX_ATTEST_ERROR_NOT_SUPPORTED; - } else { - ret = TDX_ATTEST_ERROR_UNEXPECTED; - } - goto ret_point; - } + int ioctl_ret; + struct tdx_quote_req arg; + p_get_quote_blob->version = 1; + p_get_quote_blob->status = 0; + p_get_quote_blob->in_len = HEADER_SIZE + msg_size; + p_get_quote_blob->out_len = 0; + arg.buf = (__u64)p_get_quote_blob; + arg.len = REQ_BUF_SIZE; - //in_msg_size is the size of serialized response - for (unsigned i = 0; i < HEADER_SIZE; ++i) { - in_msg_size = in_msg_size * 256 + ((p_blob_payload[i]) & 0xFF); - } - if (in_msg_size != p_get_quote_blob->out_len - HEADER_SIZE) { - TDX_TRACE; + ioctl_ret = ioctl(devfd, TDX_CMD_GET_QUOTE, &arg); + if (EBUSY == ioctl_ret) { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_BUSY; + goto ret_point; + } else if (ioctl_ret) { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_QUOTE_FAILURE; + goto ret_point; + } + if (p_get_quote_blob->status + || p_get_quote_blob->out_len <= HEADER_SIZE) { + TDX_TRACE; + if (GET_QUOTE_IN_FLIGHT == p_get_quote_blob->status) { + ret = TDX_ATTEST_ERROR_BUSY; + } else if (GET_QUOTE_SERVICE_UNAVAILABLE == p_get_quote_blob->status) { + ret = TDX_ATTEST_ERROR_NOT_SUPPORTED; + } else { ret = TDX_ATTEST_ERROR_UNEXPECTED; - goto ret_point; } - #ifdef DEBUG - fprintf(stdout, "\nGet %u bytes response from tdvmcall", in_msg_size); - #endif + goto ret_point; } + //in_msg_size is the size of serialized response + for (unsigned i = 0; i < HEADER_SIZE; ++i) { + in_msg_size = in_msg_size * 256 + ((p_blob_payload[i]) & 0xFF); + } + if (in_msg_size != p_get_quote_blob->out_len - HEADER_SIZE) { + TDX_TRACE; + ret = TDX_ATTEST_ERROR_UNEXPECTED; + goto ret_point; + } + #ifdef DEBUG + fprintf(stdout, "\nGet %u bytes response from tdvmcall", in_msg_size); + #endif + +done: qgs_msg_ret = qgs_msg_inflate_get_quote_resp( p_blob_payload + HEADER_SIZE, in_msg_size, &p_selected_id, &id_size, @@ -596,7 +956,7 @@ __attribute__ ((visibility("default"))) tdx_attest_error_t tdx_att_get_quote_by_ ret = TDX_ATTEST_ERROR_OUT_OF_MEMORY; goto ret_point; } - + qgs_msg_ret = qgs_msg_gen_get_quote_req(p_tdx_report, tdx_report_size, NULL, 0, &p_req, &msg_size); if (QGS_MSG_SUCCESS != qgs_msg_ret) { @@ -617,7 +977,7 @@ __attribute__ ((visibility("default"))) tdx_attest_error_t tdx_att_get_quote_by_ // Serialization memcpy(p_blob_payload + SERVTD_HEADER_SIZE, p_req, msg_size); - + p_get_quote_blob->version = 1; p_get_quote_blob->status = 0; p_get_quote_blob->in_len = SERVTD_HEADER_SIZE + msg_size; @@ -671,7 +1031,7 @@ __attribute__ ((visibility("default"))) tdx_attest_error_t tdx_att_get_quote_by_ goto ret_point; } memcpy(p_quote, tmp_p_quote, quote_size); - + *p_quote_size = quote_size; ret = TDX_ATTEST_SUCCESS; diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/inc/td_ql_wrapper.h b/QuoteGeneration/quote_wrapper/tdx_quote/inc/td_ql_wrapper.h index fab0ea3a..6db5cc70 100644 --- a/QuoteGeneration/quote_wrapper/tdx_quote/inc/td_ql_wrapper.h +++ b/QuoteGeneration/quote_wrapper/tdx_quote/inc/td_ql_wrapper.h @@ -404,6 +404,20 @@ tee_att_error_t tee_att_get_platform_info(const tee_att_config_t* p_context, tee_att_error_t tee_att_set_path(const tee_att_config_t* p_context, tee_att_ae_type_t type, const char* p_path); + +/** + * This API can be used to get QPL library handle that returned by dlopen(). + * + * @param p_context The context that contains information during quote generation flow. + * @param pp_qpl_handle It should be a valid pointer. + * @return TEE_ATT_SUCCESS Handle returned. + * @return TEE_ATT_UNSUPPORTED_MODE This function is called on Windows. + * @return TEE_ATT_PLATFORM_LIB_UNAVAILABLE Unable to find the platform library. + * @return TEE_ATT_ERROR_INVALID_PARAMETER One of the parameters is not valid. + * + */ +tee_att_error_t tee_att_get_qpl_handle(const tee_att_config_t *p_context, void **pp_qpl_handle); + #endif #if defined(__cplusplus) } diff --git a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp index 95a58179..aa245e37 100644 --- a/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp +++ b/QuoteGeneration/quote_wrapper/tdx_quote/td_ql_logic.cpp @@ -77,16 +77,6 @@ typedef quote3_error_t (*sgx_read_persistent_data_func_t)(const uint8_t *p_buf, const char *p_label); typedef quote3_error_t (*sgx_qpl_global_init_func_t)(); -typedef quote3_error_t (*sgx_ql_set_logging_callback_t)(sgx_ql_logging_callback_t logger, - sgx_ql_log_level_t loglevel); - -void sgx_ql_logging_callback(sgx_ql_log_level_t level, const char *message) { - if (level == SGX_QL_LOG_ERROR) { - sgx_proc_log_report(1, message); - } else if (level == SGX_QL_LOG_INFO) { - sgx_proc_log_report(3, message); - } -} #ifndef _MSC_VER inline errno_t memcpy_s(void *dest, size_t numberOfElements, const void *src, size_t count) @@ -184,13 +174,6 @@ tee_att_config_t::get_qpl_handle() SE_PROD_LOG("Cannot open Quote Provider Library %s\n", TEE_ATT_QUOTE_CONFIG_LIB_FILE_NAME); } else { - sgx_ql_set_logging_callback_t ql_set_logging_callback = (sgx_ql_set_logging_callback_t)dlsym(m_qpl_handle, "sgx_ql_set_logging_callback"); - if (dlerror() == NULL && ql_set_logging_callback) { - // Set log level to SGX_QL_LOG_ERROR - ql_set_logging_callback(sgx_ql_logging_callback, SGX_QL_LOG_ERROR); - } else { - SE_PROD_LOG("Failed to set logging callback for the quote provider library.\n"); - } sgx_qpl_global_init_func_t p_sgx_qpl_global_init = (sgx_qpl_global_init_func_t)dlsym(m_qpl_handle, "sgx_qpl_global_init"); if (dlerror() == NULL && p_sgx_qpl_global_init) { SE_TRACE(SE_TRACE_NOTICE, "Found the sgx_qpl_global_init API.\n"); diff --git a/QuoteVerification/QVL b/QuoteVerification/QVL index 16b7291a..7e5b2a13 160000 --- a/QuoteVerification/QVL +++ b/QuoteVerification/QVL @@ -1 +1 @@ -Subproject commit 16b7291a7a86e486fdfcf1dfb4be885c0cc00b4e +Subproject commit 7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba diff --git a/QuoteVerification/QuoteVerificationService b/QuoteVerification/QuoteVerificationService index abebcaf0..541531b8 160000 --- a/QuoteVerification/QuoteVerificationService +++ b/QuoteVerification/QuoteVerificationService @@ -1 +1 @@ -Subproject commit abebcaf098d40fe0aa405384ad841862da0cbc4b +Subproject commit 541531b838d17f7418f7d86c16974f98f2fa81b4 diff --git a/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj b/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj index 9e90f1f6..4edada6f 100644 --- a/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj +++ b/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj @@ -148,6 +148,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -170,6 +171,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -192,6 +194,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -237,6 +240,7 @@ Guard 4101;4244 /d2FH4- %(AdditionalOptions) + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -288,6 +292,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -304,6 +309,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -324,6 +330,9 @@ + + + diff --git a/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj.filters b/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj.filters index b63dd948..c02717b5 100644 --- a/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj.filters +++ b/QuoteVerification/QvE/AttestationLibrary/AttestationLibrary.vcxproj.filters @@ -96,5 +96,14 @@ Source Files + + Source Files + + + Source Files + + + Source Files + \ No newline at end of file diff --git a/QuoteVerification/QvE/AttestationParsers/AttestationParsers.vcxproj b/QuoteVerification/QvE/AttestationParsers/AttestationParsers.vcxproj index 5d8e57ce..372d33db 100644 --- a/QuoteVerification/QvE/AttestationParsers/AttestationParsers.vcxproj +++ b/QuoteVerification/QvE/AttestationParsers/AttestationParsers.vcxproj @@ -148,6 +148,7 @@ Guard true 4101 + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -170,6 +171,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -192,6 +194,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -214,6 +217,7 @@ true 4101 /d2FH4- %(AdditionalOptions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -236,6 +240,7 @@ true 4101 /d2FH4- %(AdditionalOptions) + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -261,6 +266,7 @@ /d2FH4- %(AdditionalOptions) false ProgramDatabase + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -286,6 +292,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -302,6 +309,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib diff --git a/QuoteVerification/QvE/Enclave/linux/config.xml b/QuoteVerification/QvE/Enclave/linux/config.xml index 76a2bc8b..8514167e 100644 --- a/QuoteVerification/QvE/Enclave/linux/config.xml +++ b/QuoteVerification/QvE/Enclave/linux/config.xml @@ -1,7 +1,7 @@ 1 0x2 - 0xA + 0xB 1 1 diff --git a/QuoteVerification/QvE/Enclave/qve.cpp b/QuoteVerification/QvE/Enclave/qve.cpp index 1f4b565b..c56a5d2c 100644 --- a/QuoteVerification/QvE/Enclave/qve.cpp +++ b/QuoteVerification/QvE/Enclave/qve.cpp @@ -127,6 +127,8 @@ static bool is_nonterminal_error(Status status_err) { case STATUS_TCB_CONFIGURATION_NEEDED: case STATUS_TCB_SW_HARDENING_NEEDED: case STATUS_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED: + case STATUS_TCB_TD_RELAUNCH_ADVISED: + case STATUS_TCB_TD_RELAUNCH_ADVISED_CONFIGURATION_NEEDED: return true; default: return false; @@ -169,6 +171,8 @@ static quote3_error_t status_error_to_quote3_error(Status status_err) { switch (status_err) { case STATUS_OK: + case STATUS_TCB_TD_RELAUNCH_ADVISED: + case STATUS_TCB_TD_RELAUNCH_ADVISED_CONFIGURATION_NEEDED: return SGX_QL_SUCCESS; case STATUS_MISSING_PARAMETERS: return SGX_QL_ERROR_INVALID_PARAMETER; @@ -299,6 +303,10 @@ static sgx_ql_qv_result_t status_error_to_ql_qve_result(Status status_err) { return SGX_QL_QV_RESULT_SW_HARDENING_NEEDED; case STATUS_TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED: return SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED; + case STATUS_TCB_TD_RELAUNCH_ADVISED: + return TEE_QV_RESULT_TD_RELAUNCH_ADVISED; + case STATUS_TCB_TD_RELAUNCH_ADVISED_CONFIGURATION_NEEDED: + return TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED; default: return SGX_QL_QV_RESULT_UNSPECIFIED; } @@ -436,6 +444,49 @@ const json::TcbLevel& getMatchingTcbLevel(const json::TcbInfo *tcbInfo, throw SGX_QL_TCBINFO_UNSUPPORTED_FORMAT; } +#ifdef SERVTD_ATTEST + +int getTdxModuleTcblevel(const json::TcbInfo* tcbInfo, + const Quote& quote, uint8_t& tcbLevel) +{ + const auto& tdxModuleVersion = quote.getTeeTcbSvn()[1]; + const auto& tdxModuleIsvSvn = quote.getTeeTcbSvn()[0]; + tcbLevel = 0; + + if (quote.getHeader().version > constants::QUOTE_VERSION_3 && tdxModuleVersion == 0) + { + return 0; + } + + const std::string tdxModuleIdentityId = "TDX_" + bytesToHexString({ tdxModuleVersion }); + + const auto& found = std::find_if(tcbInfo->getTdxModuleIdentities().begin(), + tcbInfo->getTdxModuleIdentities().end(), + [&](const auto& tdxModuleIdentity) + { + std::string id = tdxModuleIdentity.getId(); + std::transform(id.begin(), id.end(), id.begin(), + ::toupper); // convert to uppercase + return (id == tdxModuleIdentityId); + }); + if (found == std::end(tcbInfo->getTdxModuleIdentities())) { + return -1; + } + const auto& foundTdxModuleTcbLevel = std::find_if(found->getTcbLevels().begin(), + found->getTcbLevels().end(), + [&](const auto& tdxModuleTcbLevel) + { + return tdxModuleIsvSvn >= tdxModuleTcbLevel.getTcb().getIsvSvn(); + }); + if (foundTdxModuleTcbLevel == std::end(found->getTcbLevels())) + { + return -1; + } + tcbLevel = static_cast(foundTdxModuleTcbLevel->getTcb().getIsvSvn()); + return 0; +} +#endif + /** * Given a quote with cert type 5, extract PCK Cert chain and return it. * @param p_quote[IN] - Pointer to a quote buffer. @@ -871,37 +922,15 @@ static quote3_error_t qve_get_collateral_dates(const CertificateChain* p_cert_ch #ifdef SERVTD_ATTEST /** - * @brief Get the matching QE TCB level based on ISVSVN. - * @param qe_identity The QE identity string. - * @param quote The quote object containing ISVSVN information. - * @return The matching TCB level object if found, otherwise throws an exception. + * @brief Get the matching QE TCB level based on ISVSVN + * @param enclaveIdentity The QE identity + * @param quote The quote object containing ISVSVN information + * @return The matching TCB level object if found, otherwise throws an exception */ -const TCBLevel getMatchingQETcbLevel(const char* qe_identity, const Quote& quote) { - // Parse the QE identity and validate its version. - EnclaveIdentityParser parser; - std::unique_ptr qe_identity_obj; - try{ - qe_identity_obj = parser.parse(qe_identity); - if (!qe_identity_obj) { - throw SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT; - } - auto version = qe_identity_obj->getVersion(); - if (version != 2 && version != 3) { - throw SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT; - } - } - catch (...) { - throw SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT; - } - - EnclaveIdentityV2* qe_identity_v2 = dynamic_cast(qe_identity_obj.get()); - - if (!qe_identity_v2) { - throw SGX_QL_QEIDENTITY_UNSUPPORTED_FORMAT; - } +const TCBLevel getMatchingQETcbLevel(std::unique_ptr& enclaveIdentity, const Quote& quote) { // Get matching QE identity TCB levels. - const auto& qe_identity_tcb_levels = qe_identity_v2->getTcbLevels(); + const auto& qe_identity_tcb_levels = enclaveIdentity->getTcbLevels(); // Ensure the QE identity has at least one TCBLevel. if (qe_identity_tcb_levels.empty()) { @@ -935,6 +964,7 @@ const TCBLevel getMatchingQETcbLevel(const char* qe_identity, const Quote& quote * generation request * @param p_fmspc_size [IN] Size of fmspc * @param qe_tcb_info [IN] Pointer to a buffer containing qe tcb info + * @param enclaveIdentity The QE identity * @param p_servtd_supplemental_data [IN/OUT] Pointer to a data buffer. Must be * allocated by caller * @param p_servtd_supplemental_data_size [IN/OUT] Pointer to size of buffer @@ -945,7 +975,7 @@ const TCBLevel getMatchingQETcbLevel(const char* qe_identity, const Quote& quote static quote3_error_t servtd_set_quote_supplemental_data( const Quote "e, const x509::PckCertificate &pckCert, const json::TcbInfo *tcb_info_obj, uint8_t *p_fmspc, size_t p_fmspc_size, - const TCBLevel &qe_tcb_info, uint8_t *p_servtd_supplemental_data, + const TCBLevel &qe_tcb_info, std::unique_ptr& enclaveIdentity, uint8_t *p_servtd_supplemental_data, uint32_t *p_servtd_supplemental_data_size) { if (tcb_info_obj == NULL) { @@ -980,7 +1010,6 @@ static quote3_error_t servtd_set_quote_supplemental_data( return SGX_QL_ERROR_UNEXPECTED; } - p_servtd_suppl_data->tcb_version = tcb_info_obj->getVersion(); if (memcpy_s(p_servtd_suppl_data->fmspc, FMSPC_SIZE, p_fmspc, p_fmspc_size) != 0) { return SGX_QL_ERROR_UNEXPECTED; @@ -994,21 +1023,42 @@ static quote3_error_t servtd_set_quote_supplemental_data( p_servtd_suppl_data->tdx_tcb_components[i] = tdx_svn[i].getSvn(); } } - p_servtd_suppl_data->pce_svn = tcb.getPceSvn(); + p_servtd_suppl_data->pce_svn = static_cast(tcb.getPceSvn()); auto sgx_svn = tcb.getSgxTcbComponents(); if (sgx_svn.size() == SGX_CPUSVN_SIZE) { for (size_t i = 0; i < SGX_CPUSVN_SIZE; i++) { p_servtd_suppl_data->sgx_tcb_components[i] = sgx_svn[i].getSvn(); } } + // Get Tdx Module major version + p_servtd_suppl_data->tdx_module_major_ver = quote.getTeeTcbSvn()[1]; + uint8_t matchedTcbLevel = 0; + auto ret = getTdxModuleTcblevel(tcb_info_obj, quote, matchedTcbLevel); + // For the quote with TDX module major is 0, fill svn with 0 + if (ret == 0) { + p_servtd_suppl_data->tdx_module_svn = matchedTcbLevel; + } + else { + return SGX_QL_TDX_MODULE_MISMATCH; + } auto qe_report = quote.getQeReport(); p_servtd_suppl_data->misc_select = qe_report.miscSelect; + auto misc_mask = enclaveIdentity->getMiscselectMask(); + if(misc_mask.size() == MISCSELECTMASK_LEN) { + std::copy(misc_mask.begin(), misc_mask.end(), p_servtd_suppl_data->misc_select_mask); + } if (memcpy_s(&(p_servtd_suppl_data->attributes), sizeof(p_servtd_suppl_data->attributes), qe_report.attributes.data(), sizeof(qe_report.attributes)) != 0) { return SGX_QL_ERROR_UNEXPECTED; } + + auto attr_mask = enclaveIdentity->getAttributesMask(); + if(attr_mask.size() == ATTRIBUTESELECTMASK_LEN) { + std::copy(attr_mask.begin(), attr_mask.end(), p_servtd_suppl_data->attributes_mask); + } + if (memcpy_s(p_servtd_suppl_data->mr_enclave.m, sizeof(p_servtd_suppl_data->mr_enclave.m), qe_report.mrEnclave.data(), @@ -1254,15 +1304,11 @@ static quote3_error_t qve_set_quote_supplemental_data(const Quote "e, ret = SGX_QL_ERROR_UNEXPECTED; break; } + //QE identity TCB level date supplemental_data->qe_iden_tcb_level_date_tag = qe_identity_date; - //compare TCB info TCB level date and QE identity TCB level date, return the smaller one - // - if (qe_identity_date <= matching_tcb_info_tcb_date) { - supplemental_data->tcb_level_date_tag = qe_identity_date; - } - else { - supplemental_data->tcb_level_date_tag = matching_tcb_info_tcb_date; - } + //TCB info TCB level date + supplemental_data->tcb_level_date_tag = matching_tcb_info_tcb_date; + } catch(...) { @@ -1982,20 +2028,23 @@ quote3_error_t sgx_qve_verify_quote( } #ifdef SERVTD_ATTEST memset(p_td_report_body, 0, *p_td_report_body_size); - // Get the TCB level matching the ISVSVN in the quote. + intel::sgx::dcap::EnclaveIdentityParser parser; + std::unique_ptr enclaveIdentity; try { - auto qe_tcb = getMatchingQETcbLevel( - p_quote_collateral->qe_identity, quote); + enclaveIdentity = parser.parse(p_quote_collateral->qe_identity); + // Get the TCB level matching the ISVSVN in the quote. + auto qe_tcb = getMatchingQETcbLevel(enclaveIdentity, quote); auto chain_pck_cert = chain.getPckCert(); auto p_pckCert = chain_pck_cert.get(); ret = servtd_set_quote_supplemental_data( quote, *p_pckCert, &tcb_info_obj, fmspc_from_quote, - FMSPC_SIZE, qe_tcb, p_td_report_body, + FMSPC_SIZE, qe_tcb, enclaveIdentity, p_td_report_body, p_td_report_body_size); if (ret != SGX_QL_SUCCESS) { + memset(p_td_report_body, 0, *p_td_report_body_size); break; } } diff --git a/QuoteVerification/QvE/Enclave/qve.vcxproj b/QuoteVerification/QvE/Enclave/qve.vcxproj index ae1399f3..bf14da3a 100644 --- a/QuoteVerification/QvE/Enclave/qve.vcxproj +++ b/QuoteVerification/QvE/Enclave/qve.vcxproj @@ -188,6 +188,7 @@ Guard ATTESTATIONLIBRARY_STATIC;ATTESTATIONPARSERS_STATIC;SGX_TRUSTED;_WINDOWS;_WINDLL;%(PreprocessorDefinitions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -226,6 +227,7 @@ ATTESTATIONLIBRARY_STATIC;ATTESTATIONPARSERS_STATIC;SGX_TRUSTED;_WINDOWS;_WINDLL;%(PreprocessorDefinitions) true /d2FH4- %(AdditionalOptions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -264,6 +266,7 @@ Guard + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -303,6 +306,7 @@ Guard /d2FH4- %(AdditionalOptions) + stdcpp17 sgx_trts_sim.lib;sgx_tstdc.lib;sgx_tservice_sim.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -340,6 +344,7 @@ true Guard ATTESTATIONLIBRARY_STATIC;ATTESTATIONPARSERS_STATIC;SGX_TRUSTED;_WINDOWS;_WINDLL;%(PreprocessorDefinitions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -376,6 +381,7 @@ true Guard ATTESTATIONLIBRARY_STATIC;ATTESTATIONPARSERS_STATIC;SGX_TRUSTED;_WINDOWS;_WINDLL;%(PreprocessorDefinitions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -416,6 +422,7 @@ /d2FH4- %(AdditionalOptions) false ProgramDatabase + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib @@ -454,6 +461,7 @@ true Guard ATTESTATIONLIBRARY_STATIC;ATTESTATIONPARSERS_STATIC;SGX_TRUSTED;_WINDOWS;_WINDLL;%(PreprocessorDefinitions) + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib;AttestationParsers.lib;AttestationLibrary.lib;libsgx_tsgxssl.lib;libsgx_tsgxssl_crypto.lib diff --git a/QuoteVerification/QvE/Enclave/win/config.xml b/QuoteVerification/QvE/Enclave/win/config.xml index a77d0a77..b7d39d3a 100644 --- a/QuoteVerification/QvE/Enclave/win/config.xml +++ b/QuoteVerification/QvE/Enclave/win/config.xml @@ -1,7 +1,7 @@ 1 0x2 - 0xA + 0xB 1 1 diff --git a/QuoteVerification/QvE/Include/sgx_qve_header.h b/QuoteVerification/QvE/Include/sgx_qve_header.h index 90b197f1..76904153 100644 --- a/QuoteVerification/QvE/Include/sgx_qve_header.h +++ b/QuoteVerification/QvE/Include/sgx_qve_header.h @@ -35,38 +35,41 @@ #include "sgx_key.h" #include "time.h" -#ifndef SGX_QL_QV_MK_ERROR -#define SGX_QL_QV_MK_ERROR(x) (0x0000A000|(x)) -#endif //SGX_QL_QV_MK_ERROR +#ifndef TEE_QV_MK_ERROR +#define TEE_QV_MK_ERROR(x) (0x0000A000|(x)) +#endif //TEE_QV_MK_ERROR /** Contains the possible values of the quote verification result. */ typedef enum _sgx_ql_qv_result_t { - SGX_QL_QV_RESULT_OK = 0x0000, ///< The Quote verification passed and is at the latest TCB level - SGX_QL_QV_RESULT_MIN = SGX_QL_QV_MK_ERROR(0x0001), - SGX_QL_QV_RESULT_CONFIG_NEEDED = SGX_QL_QV_MK_ERROR(0x0001), ///< The Quote verification passed and the platform is patched to - ///< the latest TCB level but additional configuration of the SGX - ///< platform may be needed - SGX_QL_QV_RESULT_OUT_OF_DATE = SGX_QL_QV_MK_ERROR(0x0002), ///< The Quote is good but TCB level of the platform is out of date. - ///< The platform needs patching to be at the latest TCB level - SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED = SGX_QL_QV_MK_ERROR(0x0003), ///< The Quote is good but the TCB level of the platform is out of - ///< date and additional configuration of the SGX Platform at its - ///< current patching level may be needed. The platform needs - ///< patching to be at the latest TCB level - SGX_QL_QV_RESULT_INVALID_SIGNATURE = SGX_QL_QV_MK_ERROR(0x0004), ///< The signature over the application report is invalid - SGX_QL_QV_RESULT_REVOKED = SGX_QL_QV_MK_ERROR(0x0005), ///< The attestation key or platform has been revoked - SGX_QL_QV_RESULT_UNSPECIFIED = SGX_QL_QV_MK_ERROR(0x0006), ///< The Quote verification failed due to an error in one of the input - SGX_QL_QV_RESULT_SW_HARDENING_NEEDED = SGX_QL_QV_MK_ERROR(0x0007), ///< The TCB level of the platform is up to date, but SGX SW Hardening - ///< is needed - SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED = SGX_QL_QV_MK_ERROR(0x0008), ///< The TCB level of the platform is up to date, but additional - ///< configuration of the platform at its current patching level - ///< may be needed. Moreove, SGX SW Hardening is also needed - SGX_QL_QV_RESULT_TD_RELAUNCH_ADVISED = SGX_QL_QV_MK_ERROR(0x0009), ///< For TDX only. All components in the TDā€™s TCB are latest, including the - ///< TD preserving loaded TDX, but the TD was launched and ran for some time - ///< with out-of-date TDX Module. Relaunching or re-provisioning your TD is advised - - SGX_QL_QV_RESULT_MAX = SGX_QL_QV_MK_ERROR(0x00FF), ///< Indicate max result to allow better translation - -} sgx_ql_qv_result_t; + // Quote verification passed and is at the latest TCB level + SGX_QL_QV_RESULT_OK = 0x0000, TEE_QV_RESULT_OK = 0x0000, + + SGX_QL_QV_RESULT_MIN = TEE_QV_MK_ERROR(0x0001), TEE_QV_RESULT_MIN = TEE_QV_MK_ERROR(0x0001), + + // The Quote verification passed, but further actions are required: + SGX_QL_QV_RESULT_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0001), TEE_QV_RESULT_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0001), // Additional configuration of the platform needed + SGX_QL_QV_RESULT_OUT_OF_DATE = TEE_QV_MK_ERROR(0x0002), TEE_QV_RESULT_OUT_OF_DATE = TEE_QV_MK_ERROR(0x0002), // TCB level out of date, platform patching required + SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0003), TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x0003), // Both patching and additional configuration needed + + // Errors + SGX_QL_QV_RESULT_INVALID_SIGNATURE = TEE_QV_MK_ERROR(0x0004), TEE_QV_RESULT_INVALID_SIGNATURE = TEE_QV_MK_ERROR(0x0004), + SGX_QL_QV_RESULT_REVOKED = TEE_QV_MK_ERROR(0x0005), TEE_QV_RESULT_REVOKED = TEE_QV_MK_ERROR(0x0005), + SGX_QL_QV_RESULT_UNSPECIFIED = TEE_QV_MK_ERROR(0x0006), TEE_QV_RESULT_UNSPECIFIED = TEE_QV_MK_ERROR(0x0006), + + // Requires Software or Configuration Hardening + SGX_QL_QV_RESULT_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0007), TEE_QV_RESULT_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0007), // TCB level is up to date, but SGX SW Hardening is needed + SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0008), TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED = TEE_QV_MK_ERROR(0x0008), //TCB level is up to date, but both SW Hardening and additional configuration are needed + + // TDX specific results + SGX_QL_QV_RESULT_TD_RELAUNCH_ADVISED = TEE_QV_MK_ERROR(0x0009), TEE_QV_RESULT_TD_RELAUNCH_ADVISED = TEE_QV_MK_ERROR(0x0009), // All components in the TDā€™s TCB are latest, including the TD preserving loaded TDX, but the TD was launched + // and ran for some time with out-of-date TDX Module. Relaunching or re-provisioning your TD is advised + SGX_QL_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x000A), TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED = TEE_QV_MK_ERROR(0x000A), // Same as above, relaunching or re-provisioning your TD is advised. In the meantime, + // additional configuration of the platform is needed + + // Maximum result value + SGX_QL_QV_RESULT_MAX = TEE_QV_MK_ERROR(0x00FF), TEE_QV_RESULT_MAX = TEE_QV_MK_ERROR(0x00FF), + +} sgx_ql_qv_result_t, tee_qv_result_t; typedef enum _pck_cert_flag_enum_t { PCK_FLAG_FALSE = 0, diff --git a/QuoteVerification/QvE/Makefile b/QuoteVerification/QvE/Makefile index 34f5c69d..48a2e22e 100644 --- a/QuoteVerification/QvE/Makefile +++ b/QuoteVerification/QvE/Makefile @@ -104,7 +104,7 @@ else ENCLAVE_CFLAGS += -fstack-protector-strong endif -ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++14 -DSGX_TRUSTED +ENCLAVE_CXXFLAGS += $(ENCLAVE_CFLAGS) -std=c++17 -DSGX_TRUSTED ifdef SERVTD_ATTEST diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/file_util.cpp b/QuoteVerification/appraisal/common/file_util.cpp similarity index 100% rename from QuoteVerification/appraisal/tee_appraisal_tool/file_util.cpp rename to QuoteVerification/appraisal/common/file_util.cpp diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/file_util.h b/QuoteVerification/appraisal/common/file_util.h similarity index 100% rename from QuoteVerification/appraisal/tee_appraisal_tool/file_util.h rename to QuoteVerification/appraisal/common/file_util.h diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/format_util.cpp b/QuoteVerification/appraisal/common/format_util.cpp similarity index 100% rename from QuoteVerification/appraisal/tee_appraisal_tool/format_util.cpp rename to QuoteVerification/appraisal/common/format_util.cpp diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/format_util.h b/QuoteVerification/appraisal/common/format_util.h similarity index 100% rename from QuoteVerification/appraisal/tee_appraisal_tool/format_util.h rename to QuoteVerification/appraisal/common/format_util.h diff --git a/QuoteVerification/appraisal/qal/Makefile b/QuoteVerification/appraisal/qal/Makefile index c0076f33..5884f6ad 100644 --- a/QuoteVerification/appraisal/qal/Makefile +++ b/QuoteVerification/appraisal/qal/Makefile @@ -31,31 +31,32 @@ include ../../../QuoteGeneration/buildenv.mk -WARM_Top_Path =../../../external/wasm-micro-runtime/ +WARM_Top_Path :=../../../external/wasm-micro-runtime/ -WARM_Lib_Path = $(WARM_Top_Path)/product-mini/platforms/linux/build/ -JWT_CPP_Path = ../../../external/jwt-cpp/ -RAPIDJSON_DIR = ../../QVL/Src/ThirdParty/rapidjson/include -PREBUILD_OPENSSL_PATH = ../../../prebuilt/openssl -QAL_Include_Path = -I./ \ +WARM_Lib_Path := $(WARM_Top_Path)/product-mini/platforms/linux/build/ +JWT_CPP_Path := ../../../external/jwt-cpp/ +RAPIDJSON_DIR := ../../QVL/Src/ThirdParty/rapidjson/include +PREBUILD_OPENSSL_PATH := ../../../prebuilt/openssl +QAL_Include_Path := -I./ \ -I$(SGX_SDK)/include \ -I$(PREBUILD_OPENSSL_PATH)/inc \ -I$(WARM_Top_Path)/core/iwasm/include \ -I$(JWT_CPP_Path)/include \ -I$(COMMON_DIR)/inc/internal \ -I../../dcap_quoteverify/inc \ + -I../common/ \ -I$(RAPIDJSON_DIR)/ -QAL_Cpp_Flags = $(CXXFLAGS) -g -fPIC $(QAL_Include_Path) -QAL_C_Flags = $(CFLAGS) -g -fPIC $(QAL_Include_Path) +QAL_Cpp_Flags := $(CXXFLAGS) -g -fPIC $(QAL_Include_Path) +QAL_C_Flags := $(CFLAGS) -g -fPIC $(QAL_Include_Path) QAL_Link_Flags := $(COMMON_LDFLAGS) -L$(WARM_Lib_Path) -lvmlib -ldl -lm -lpthread \ -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto \ -Wl,--gc-sections -Wl,--version-script=sgx_dcap_qal.lds -WASM_CONFIG = -DCMAKE_BUILD_TYPE=Release +WASM_CONFIG ?= -DCMAKE_BUILD_TYPE=Release ifeq ($(DEBUG), 1) - WASM_CONFIG = -DCMAKE_BUILD_TYPE=Debug + WASM_CONFIG := -DCMAKE_BUILD_TYPE=Debug QAL_Link_Flags += -fsanitize=undefined endif @@ -63,19 +64,19 @@ ifeq ($(USE_LOCAL_WASM), 1) QAL_Cpp_Flags += -DUSE_LOCAL_WASM endif -QAL_Cpp_Files := $(wildcard *.cpp) -QAL_CXX_Obj_Files = $(QAL_Cpp_Files:.cpp=.o) +QAL_Cpp_Files := $(wildcard *.cpp) ../common/file_util.cpp +QAL_CXX_Obj_Files := $(QAL_Cpp_Files:.cpp=.o) -QAL_C_Obj_Files = se_thread.o se_trace.o +QAL_C_Obj_Files := se_thread.o se_trace.o ifdef QAL_BUILD -QAL_Obj_Files = $(QAL_CXX_Obj_Files) $(QAL_C_Obj_Files) +QAL_Obj_Files := $(sort $(QAL_CXX_Obj_Files) $(QAL_C_Obj_Files)) else -QVL_Cpp_Obj_Files = sgx_dcap_pcs_com.o config.o -QAL_Obj_Files = $(QAL_CXX_Obj_Files) $(QAL_C_Obj_Files) +QVL_Cpp_Obj_Files := sgx_dcap_pcs_com.o config.o +QAL_Obj_Files := $(sort $(QAL_CXX_Obj_Files) $(QAL_C_Obj_Files)) endif -Target_Lib_Name = libsgx_dcap_qal.so +Target_Lib_Name := libsgx_dcap_qal.so -Target_Static_Lib_Name = libdcap_qal.a +Target_Static_Lib_Name := libdcap_qal.a .PHONY: all clean rebuild wasm_lib diff --git a/QuoteVerification/appraisal/qal/opa_bin/policy.wasm b/QuoteVerification/appraisal/qal/opa_bin/policy.wasm index d4ff1e28..004fb8cd 100644 Binary files a/QuoteVerification/appraisal/qal/opa_bin/policy.wasm and b/QuoteVerification/appraisal/qal/opa_bin/policy.wasm differ diff --git a/QuoteVerification/appraisal/qal/opa_bin/qal_script.rego b/QuoteVerification/appraisal/qal/opa_bin/qal_script.rego index 6d9e7a83..d51446dc 100644 --- a/QuoteVerification/appraisal/qal/opa_bin/qal_script.rego +++ b/QuoteVerification/appraisal/qal/opa_bin/qal_script.rego @@ -320,14 +320,7 @@ expiration_date_check_ok(bundle) if { # the platform_tcb.tcb_level_date_tag must be within the grace period default earliest_accepted_tcb_level_date_tag_ok(_) := false -earliest_accepted_tcb_level_date_tag_ok(bundle) if { - not bundle.policy.reference.platform_grace_period -} - -# If user defines platform_grace_period, then collateral_grace_period must be 0 -# accepted_tcb_status must include UpToDate and OutOfDate -# min_eval_num must not be present -earliest_accepted_tcb_level_date_tag_ok(bundle) if { +tcb_level_date_tag_basic_check(bundle) if { is_number(bundle.policy.reference.platform_grace_period) is_number(bundle.policy.reference.collateral_grace_period) bundle.policy.reference.collateral_grace_period == 0 @@ -341,6 +334,28 @@ earliest_accepted_tcb_level_date_tag_ok(bundle) if { every status in basic_status { status in upper_accepted_tcb } +} + +earliest_accepted_tcb_level_date_tag_ok(bundle) if { + not bundle.policy.reference.platform_grace_period +} + +# If current TCB status in report is one of "UpToDate", "ConfigurationNeeded", "SWHardeningNeeded" or "TDRelaunchAdvised" +# and collateral has no expiry, then ignore the check +earliest_accepted_tcb_level_date_tag_ok(bundle) if { + tcb_level_date_tag_basic_check(bundle) + expiration_date_check_ok(bundle) + ignored_status := ["UPTODATE", "CONFIGURATIONNEEDED", "SWHARDENINGNEEDED", "TDRELAUNCHADVISED"] + every status in bundle.report.measurement.tcb_status { + upper(status) in ignored_status + } +} + +# If user defines platform_grace_period, then collateral_grace_period must be 0 +# accepted_tcb_status must include UpToDate and OutOfDate +# min_eval_num must not be present +earliest_accepted_tcb_level_date_tag_ok(bundle) if { + tcb_level_date_tag_basic_check(bundle) grace_period := bundle.policy.reference.platform_grace_period * 1000000000 expiration_date := time.parse_rfc3339_ns(bundle.report.measurement.tcb_level_date_tag) expiration_date != uint64_max diff --git a/QuoteVerification/appraisal/qal/opa_wasm.cpp b/QuoteVerification/appraisal/qal/opa_wasm.cpp index 9716ed8a..1aa68126 100644 --- a/QuoteVerification/appraisal/qal/opa_wasm.cpp +++ b/QuoteVerification/appraisal/qal/opa_wasm.cpp @@ -42,14 +42,27 @@ #include "opa_wasm.h" #include "se_memcpy.h" #include "se_trace.h" +#include "file_util.h" std::map g_builtins; std::map g_builtin_func_map; static bool g_builtin_prepared = false; -static pthread_mutex_t g_builtin_mutex; -static int g_full_init = 0; +static pthread_mutex_t g_wasm_mutex; +static int g_wasm_init = 0; +static uint8_t *g_wasm_buf = NULL; +static size_t g_wasm_size = 0; +static wasm_module_t g_wasm_module = NULL; + +#ifdef USE_LOCAL_WASM +#define WASM_FILE "./policy.wasm" +#else +#define WASM_FILE "/usr/share/sgx/tee_appraisal_policy.wasm" +#endif + +#define CHECK_OPA_RET(val) if(val == 0) {return SGX_QL_ERROR_UNEXPECTED;} + static NativeSymbol native_symbols[6] = { {"opa_builtin0", (void *)opa_builtin0, "(i*)i", NULL}, {"opa_builtin1", (void *)opa_builtin1, "(i**)i", NULL}, @@ -60,52 +73,80 @@ static NativeSymbol native_symbols[6] = { static void __attribute__((constructor)) _sgx_qal_init() { - pthread_mutex_init(&g_builtin_mutex, NULL); + pthread_mutex_init(&g_wasm_mutex, NULL); } static void __attribute__((destructor)) _sgx_qal_fini() { - pthread_mutex_destroy(&g_builtin_mutex); - if(g_full_init == 1) + pthread_mutex_destroy(&g_wasm_mutex); + if (g_wasm_init == 1) + { + wasm_runtime_unload(g_wasm_module); wasm_runtime_destroy(); + free(g_wasm_buf); + } } -int init_wasm_runtime_once() +static int init_wasm_runtime_once() { - if (g_full_init != 0) + if (g_wasm_init != 0) { - return g_full_init; + return g_wasm_init; } else { - pthread_mutex_lock(&g_builtin_mutex); - if (g_full_init == 0) + pthread_mutex_lock(&g_wasm_mutex); + if (g_wasm_init == 0) { - RuntimeInitArgs init_args; - memset(&init_args, 0, sizeof(RuntimeInitArgs)); - init_args.mem_alloc_type = Alloc_With_Allocator; - init_args.mem_alloc_option.allocator.malloc_func = (void *)malloc; - init_args.mem_alloc_option.allocator.realloc_func = (void *)realloc; - init_args.mem_alloc_option.allocator.free_func = (void *)free; - // Native symbols need below registration phase - init_args.n_native_symbols = sizeof(native_symbols) / sizeof(NativeSymbol); - init_args.native_module_name = "env"; - init_args.native_symbols = native_symbols; - - /* initialize runtime environment */ - if (!wasm_runtime_full_init(&init_args)) + do { - se_trace(SE_TRACE_ERROR, "Init runtime environment failed.\n"); - g_full_init = -1; - } - else - { - SE_TRACE(SE_TRACE_DEBUG, "Init runtime environment successfully.\n"); - g_full_init = 1; - } + RuntimeInitArgs init_args; + memset(&init_args, 0, sizeof(RuntimeInitArgs)); + init_args.mem_alloc_type = Alloc_With_Allocator; + init_args.mem_alloc_option.allocator.malloc_func = (void *)malloc; + init_args.mem_alloc_option.allocator.realloc_func = (void *)realloc; + init_args.mem_alloc_option.allocator.free_func = (void *)free; + + init_args.n_native_symbols = sizeof(native_symbols) / sizeof(NativeSymbol); + init_args.native_module_name = "env"; + init_args.native_symbols = native_symbols; + char error_buf[128] = {0}; + // Initialize runtime environment + if (!wasm_runtime_full_init(&init_args)) + { + se_trace(SE_TRACE_ERROR, "Init runtime environment failed.\n"); + g_wasm_init = -1; + break; + } + g_wasm_buf = read_file_to_buffer(WASM_FILE, &g_wasm_size); + if(g_wasm_buf == NULL) + { + se_trace(SE_TRACE_ERROR, "Read WASM file failed.\n"); + wasm_runtime_destroy(); + g_wasm_init = -1; + break; + + } + // Load WASM module from the WASM file buf + if (!(g_wasm_module = wasm_runtime_load(g_wasm_buf, (uint32_t)g_wasm_size, + error_buf, sizeof(error_buf)))) + { + se_trace(SE_TRACE_ERROR, "Read WASM file failed.\n"); + wasm_runtime_destroy(); + free(g_wasm_buf); + g_wasm_buf = NULL; + g_wasm_init = -1; + break; + } + else + { + SE_TRACE(SE_TRACE_DEBUG, "Init runtime environment successfully.\n"); + g_wasm_init = 1; + } + } while (0); } - pthread_mutex_unlock(&g_builtin_mutex); - return g_full_init; + pthread_mutex_unlock(&g_wasm_mutex); + return g_wasm_init; } } @@ -118,7 +159,7 @@ static int prepare_builtin_once(const char *json_buffer_builtins) } else { - pthread_mutex_lock(&g_builtin_mutex); + pthread_mutex_lock(&g_wasm_mutex); if (g_builtin_prepared == false) { // Prepare g_builtins @@ -128,13 +169,13 @@ static int prepare_builtin_once(const char *json_buffer_builtins) if (!err.empty()) { SE_TRACE(SE_TRACE_DEBUG, "%s\n", err.c_str()); - pthread_mutex_unlock(&g_builtin_mutex); + pthread_mutex_unlock(&g_wasm_mutex); return -1; } if (!v.is()) { SE_TRACE(SE_TRACE_DEBUG, "JSON is not an object\n"); - pthread_mutex_unlock(&g_builtin_mutex); + pthread_mutex_unlock(&g_wasm_mutex); return -1; } const picojson::value::object &obj = v.get(); @@ -154,29 +195,16 @@ static int prepare_builtin_once(const char *json_buffer_builtins) } g_builtin_prepared = true; } - pthread_mutex_unlock(&g_builtin_mutex); + pthread_mutex_unlock(&g_wasm_mutex); return 0; } } -#ifdef USE_LOCAL_WASM -#define WASM_FILE "./policy.wasm" -#else -#define WASM_FILE "/usr/share/sgx/tee_appraisal_policy.wasm" -#endif - -#define CHECK_OPA_RET(val) if(val == 0) {return SGX_QL_ERROR_UNEXPECTED;} - - - OPAEvaluateEngine::OPAEvaluateEngine() : m_stack_size(DEFAULT_STACK_SIZE) , m_heap_size(DEFAULT_HEAP_SIZE) -, m_wasm_module(NULL) , m_wasm_module_inst(NULL) , m_exec_env(NULL) -, m_wasm_file_buf(NULL) -, m_wasm_file_size(0) { } @@ -189,62 +217,6 @@ OPAEvaluateEngine::~OPAEvaluateEngine() wasm_runtime_deinstantiate(m_wasm_module_inst); } wasm_runtime_destroy_thread_env(); - if (m_wasm_module) - wasm_runtime_unload(m_wasm_module); - if (m_wasm_file_buf) - free(m_wasm_file_buf); -} - -int OPAEvaluateEngine::read_wasm_file() -{ - // Looks we cannot read wasm file once and share among multi-threads. - // Read the wasm into memory for each OPAEvaluateEngine instance - unsigned char *buffer; - FILE *file; - long file_size, read_size; - - if (!(file = fopen(WASM_FILE, "rb"))) - { - SE_TRACE(SE_TRACE_DEBUG, "Read file to buffer failed: open file %s failed.\n", WASM_FILE); - return -1; - } - - if (fseek(file, 0, SEEK_END)) - { - fclose(file); - return -1; - } - if ((file_size = ftell(file)) == -1) - { - fclose(file); - return -1; - } - if (fseek(file, 0, SEEK_SET)) - { - fclose(file); - return -1; - } - - if (!(buffer = (unsigned char *)malloc(file_size))) - { - SE_TRACE(SE_TRACE_DEBUG, "Alloc memory failed.\n"); - fclose(file); - return 1; - } - - read_size = fread(buffer, 1, file_size, file); - fclose(file); - - if (read_size < file_size) - { - SE_TRACE(SE_TRACE_DEBUG, "Read file to buffer failed: read file content failed.\n"); - free(buffer); - return -1; - } - - m_wasm_file_size = file_size; - m_wasm_file_buf = buffer; - return 0; } quote3_error_t OPAEvaluateEngine::prepare_wasm(uint32_t stack_size, uint32_t heap_size) @@ -260,26 +232,14 @@ quote3_error_t OPAEvaluateEngine::prepare_wasm(uint32_t stack_size, uint32_t hea return SGX_QL_ERROR_UNEXPECTED; } - /* Load WASM byte buffer from WASM bin file */ - int ret = read_wasm_file(); - if (ret != 0) + if (wasm_runtime_init_thread_env() == false) { - if(ret == 1) - return SGX_QL_ERROR_OUT_OF_MEMORY; + SE_TRACE(SE_TRACE_DEBUG, "Failed to initialize the wasm thread environment.\n"); return SGX_QL_ERROR_UNEXPECTED; } - /* Load WASM module */ - if (!(m_wasm_module = wasm_runtime_load(m_wasm_file_buf, (uint32_t)m_wasm_file_size, - error_buf, sizeof(error_buf)))) - { - SE_TRACE(SE_TRACE_DEBUG, "%s\n", error_buf); - return SGX_QL_ERROR_UNEXPECTED; - } - wasm_runtime_init_thread_env(); - /* Instantiate the module */ - if (!(m_wasm_module_inst = - wasm_runtime_instantiate(m_wasm_module, m_stack_size, m_heap_size, + // Instantiate the module + if (!(m_wasm_module_inst = wasm_runtime_instantiate(g_wasm_module, m_stack_size, m_heap_size, error_buf, sizeof(error_buf)))) { SE_TRACE(SE_TRACE_DEBUG, "%s\n", error_buf); @@ -287,7 +247,7 @@ quote3_error_t OPAEvaluateEngine::prepare_wasm(uint32_t stack_size, uint32_t hea } if (!(m_exec_env = wasm_runtime_create_exec_env(m_wasm_module_inst, m_stack_size))) { - SE_TRACE(SE_TRACE_DEBUG, "Create wasm execution environment failed.\n"); + SE_TRACE(SE_TRACE_DEBUG, "Failed to create wasm execution environment.\n"); return SGX_QL_ERROR_UNEXPECTED; } int builtins = opa_builtins(m_wasm_module_inst, m_exec_env); @@ -297,7 +257,7 @@ quote3_error_t OPAEvaluateEngine::prepare_wasm(uint32_t stack_size, uint32_t hea CHECK_OPA_RET(json_builtins); char *json_buffer_builtins = (char *)wasm_runtime_addr_app_to_native(m_wasm_module_inst, json_builtins); - ret = prepare_builtin_once(json_buffer_builtins); + int ret = prepare_builtin_once(json_buffer_builtins); if(ret != 0) return SGX_QL_ERROR_UNEXPECTED; return SGX_QL_SUCCESS; diff --git a/QuoteVerification/appraisal/qal/opa_wasm.h b/QuoteVerification/appraisal/qal/opa_wasm.h index ccc2e7ef..40aa4977 100644 --- a/QuoteVerification/appraisal/qal/opa_wasm.h +++ b/QuoteVerification/appraisal/qal/opa_wasm.h @@ -34,7 +34,7 @@ #define DEFAULT_STACK_SIZE 8 * 1024 -#define DEFAULT_HEAP_SIZE 8 * 1024 +#define DEFAULT_HEAP_SIZE 0 class OPAEvaluateEngine { @@ -51,13 +51,8 @@ class OPAEvaluateEngine OPAEvaluateEngine(const OPAEvaluateEngine &); OPAEvaluateEngine &operator=(const OPAEvaluateEngine &); - int read_wasm_file(); - uint32_t m_stack_size; uint32_t m_heap_size; - wasm_module_t m_wasm_module; wasm_module_inst_t m_wasm_module_inst; wasm_exec_env_t m_exec_env; - uint8_t *m_wasm_file_buf; - size_t m_wasm_file_size; }; \ No newline at end of file diff --git a/QuoteVerification/appraisal/qal/qal_json.cpp b/QuoteVerification/appraisal/qal/qal_json.cpp index ca646664..4590f31a 100644 --- a/QuoteVerification/appraisal/qal/qal_json.cpp +++ b/QuoteVerification/appraisal/qal/qal_json.cpp @@ -541,6 +541,7 @@ quote3_error_t construct_complete_json(const uint8_t *p_verification_result_toke std::string signature[qaps_count]; std::string jwk[qaps_count]; uint8_t fmspc[FMSPC_SIZE] = {0}; + bool fmspc_parsed = false; std::vector desired_id_vec = {TENANT_ENCLAVE_CLASS_ID, TENANT_TDX10_CLASS_ID, TENANT_TDX15_CLASS_ID, SGX_PLATFORM_CLASS_ID, TDX15_PLATFORM_CLASS_ID, TDX10_PLATFORM_CLASS_ID, TDX_TDQE_CLASS_ID}; for (uint32_t i = 0; i < qaps_count; i++) @@ -601,25 +602,30 @@ quote3_error_t construct_complete_json(const uint8_t *p_verification_result_toke return SGX_QL_ERROR_INVALID_PARAMETER; } std::string class_id = report_array[j]["environment"]["class_id"].GetString(); - // Try to retrieve fmpsc from platform tcb result - auto it = s_default_policy_map.find(class_id); - if (it != s_default_policy_map.end() && class_id != TDX_TDQE_CLASS_ID) + + if (fmspc_parsed == false) { - if (report_array[j].HasMember("measurement") == true && - report_array[j]["measurement"].HasMember("fmspc") == true && - report_array[j]["measurement"]["fmspc"].IsString() == true) + // Try to retrieve fmpsc from platform tcb result + auto it = s_default_policy_map.find(class_id); + if (it != s_default_policy_map.end() && class_id != TDX_TDQE_CLASS_ID) { - const char *tmp_str = report_array[j]["measurement"]["fmspc"].GetString(); - if (strlen(tmp_str) != FMSPC_SIZE*2) - { - se_trace(SE_TRACE_ERROR, "The input QVL result is not correct.\n"); - return SGX_QL_ERROR_INVALID_PARAMETER; - } - for (uint32_t z = 0; z < strlen(tmp_str) / 2; z++) + if (report_array[j].HasMember("measurement") == true && + report_array[j]["measurement"].HasMember("fmspc") == true && + report_array[j]["measurement"]["fmspc"].IsString() == true) { - char a[3] = {0}; - strncpy(a, tmp_str + z * 2, 2); - fmspc[z] = (uint8_t)strtoul(a, NULL, 16); + const char *tmp_str = report_array[j]["measurement"]["fmspc"].GetString(); + if (strlen(tmp_str) != FMSPC_SIZE * 2) + { + se_trace(SE_TRACE_ERROR, "The input QVL result is not correct.\n"); + return SGX_QL_ERROR_INVALID_PARAMETER; + } + for (uint32_t z = 0; z < strlen(tmp_str) / 2; z++) + { + char a[3] = {0}; + strncpy(a, tmp_str + z * 2, 2); + fmspc[z] = (uint8_t)strtoul(a, NULL, 16); + } + fmspc_parsed = true; } } } @@ -639,31 +645,39 @@ quote3_error_t construct_complete_json(const uint8_t *p_verification_result_toke se_trace(SE_TRACE_ERROR, "The policy format is not correct. Item: %d, policy:\n%s\n", i, p_qaps[i]); return SGX_QL_ERROR_INVALID_PARAMETER; } - if (class_id_p == class_id && id_map.count(class_id) == 0) + if (class_id_p == class_id) { - rapidjson::Document jwk_doc; - jwk_doc.Parse(jwk[i].c_str()); - if (jwk_doc.HasParseError()) + if (id_map.count(class_id) == 0) { - return SGX_QL_ERROR_INVALID_PARAMETER; + rapidjson::Document jwk_doc; + jwk_doc.Parse(jwk[i].c_str()); + if (jwk_doc.HasParseError()) + { + return SGX_QL_ERROR_INVALID_PARAMETER; + } + std::string v; + { + rapidjson::Document d; + d.SetObject(); + rapidjson::Value &p = policy_array[z]; + d.CopyFrom(p, d.GetAllocator()); + rapidjson::Value str_v(rapidjson::kStringType); + str_v.SetString(signature[i].c_str(), (unsigned int)signature[i].length()); + d.AddMember("signature", str_v, d.GetAllocator()); + d.AddMember("signing_key", jwk_doc, jwk_doc.GetAllocator()); + rapidjson::StringBuffer buffer; + rapidjson::Writer> writer(buffer); + d.Accept(writer); + v = buffer.GetString(); + } + id_map[class_id] = v; + break; } - std::string v; + else { - rapidjson::Document d; - d.SetObject(); - rapidjson::Value &p = policy_array[z]; - d.CopyFrom(p, d.GetAllocator()); - rapidjson::Value str_v(rapidjson::kStringType); - str_v.SetString(signature[i].c_str(), (unsigned int)signature[i].length()); - d.AddMember("signature", str_v, d.GetAllocator()); - d.AddMember("signing_key", jwk_doc, jwk_doc.GetAllocator()); - rapidjson::StringBuffer buffer; - rapidjson::Writer> writer(buffer); - d.Accept(writer); - v = buffer.GetString(); + se_trace(SE_TRACE_ERROR, "The input policies are not correct. Repeatedly entering numerous policies with the same class_id is prohibited.\n"); + return SGX_QL_ERROR_INVALID_PARAMETER; } - id_map[class_id] = v; - break; } } } @@ -769,6 +783,12 @@ static quote3_error_t authenticate_one_policy(rapidjson::Value &report_array, co return SGX_QL_ERROR_INVALID_PARAMETER; } std::string class_id_p = policy_array[i]["environment"]["class_id"].GetString(); + if(result_map.find(class_id_p) == result_map.end()) + { + // The policy file contains some unrecognized policy + se_trace(SE_TRACE_ERROR, "The input policy is not correct:\n%s\n", policy); + return SGX_QL_ERROR_INVALID_PARAMETER; + } uint32_t j = 0; for (; j < report_array.Size(); j++) { @@ -841,7 +861,6 @@ static quote3_error_t authenticate_one_policy(rapidjson::Value &report_array, co se_trace(SE_TRACE_ERROR, "\033[0;31mERROR:\033[0m The appraisal result token doesn't utilize the policy with class_id %s:\n%s\n", class_id_p.c_str(), policy); result_map[class_id_p].result = POLICY_NOT_IN_RESULT; - break; } } return SGX_QL_SUCCESS; diff --git a/QuoteVerification/appraisal/tee_appraisal_tool/Makefile b/QuoteVerification/appraisal/tee_appraisal_tool/Makefile index e73f91ac..e2973567 100644 --- a/QuoteVerification/appraisal/tee_appraisal_tool/Makefile +++ b/QuoteVerification/appraisal/tee_appraisal_tool/Makefile @@ -33,14 +33,15 @@ DCAP_TOPDIR = ../../.. include $(DCAP_TOPDIR)/QuoteGeneration/buildenv.mk -PREBUILD_OPENSSL_PATH = $(DCAP_TOPDIR)/prebuilt/openssl -FLAGS += -fpie -g -I./ \ +PREBUILD_OPENSSL_PATH := $(DCAP_TOPDIR)/prebuilt/openssl +FLAGS := -fpie -g -I./ \ -I$(SGX_SDK)/include \ -I$(DCAP_TOPDIR)/external/jwt-cpp/include \ -I../../QVL/Src/ThirdParty/rapidjson/include \ -I$(DCAP_TOPDIR)/QuoteGeneration/common/inc/internal/ \ -I$(DCAP_TOPDIR)/QuoteGeneration/common/inc/internal/linux/ \ - -I$(PREBUILD_OPENSSL_PATH)/inc + -I$(PREBUILD_OPENSSL_PATH)/inc \ + -I../common ifdef DEBUG FLAGS += -DSE_DEBUG_LEVEL=SE_TRACE_DEBUG @@ -50,13 +51,15 @@ endif CFLAGS += $(FLAGS) CXXFLAGS += $(FLAGS) -Cpp_Files = $(wildcard *.cpp) -C_Obj_Files = se_trace.o +Cpp_Files := $(wildcard *.cpp) +Cpp_Common_Obj_Files := file_util.o format_util.o +C_Obj_Files := se_trace.o -Obj_Files = $(Cpp_Files:.cpp=.o) $(C_Obj_Files) -LDFLAGS += -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto -lpthread +Obj_Files := $(Cpp_Files:.cpp=.o) $(C_Obj_Files) $(Cpp_Common_Obj_Files) +LDFLAGS += -L$(PREBUILD_OPENSSL_PATH)/lib/linux64 -lcrypto -lpthread -ldl -TARGET_NAME = tee_appraisal_tool + +TARGET_NAME := tee_appraisal_tool .PHONY: all clean rebuild gen_key @@ -72,6 +75,9 @@ $(TARGET_NAME): $(Obj_Files) $(C_Obj_Files): %.o:$(DCAP_TOPDIR)/QuoteGeneration/common/src/%.c $(CC) $(CFLAGS) -c $< -o $@ +$(Cpp_Common_Obj_Files): %.o:../common/%.cpp + $(CXX) $(CXXFLAGS) -c $< -o $@ + gen_key: @openssl ecparam -name secp384r1 -genkey -noout -out ec_private.pem @echo "The private key file named ec_private.pem is generated successfully for test purposes." diff --git a/QuoteVerification/buildenv.mk b/QuoteVerification/buildenv.mk index 97ef4874..6e8f5809 100644 --- a/QuoteVerification/buildenv.mk +++ b/QuoteVerification/buildenv.mk @@ -58,7 +58,7 @@ SGXSSL_PACKAGE_PATH ?= $(DCAP_QV_DIR)/sgxssl/Linux/package PREBUILD_OPENSSL_PATH ?= $(DCAP_QV_DIR)/../prebuilt/openssl SGX_COMMON_CFLAGS := $(COMMON_FLAGS) -m64 -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants -SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++14 +SGX_COMMON_CXXFLAGS := $(COMMON_FLAGS) -m64 -Wnon-virtual-dtor -std=c++17 DCAP_EXTERNAL_DIR := $(DCAP_QG_DIR)/../external @@ -76,5 +76,5 @@ QVL_LIB_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils - QVL_PARSER_INC := -I$(QVL_COMMON_PATH)/include -I$(QVL_COMMON_PATH)/include/Utils -I$(QVL_SRC_PATH) -I$(QVL_PARSER_PATH)/include -I$(QVL_PARSER_PATH)/src -I$(QVL_LIB_PATH)/include -I$(QVL_SRC_PATH)/ThirdParty/rapidjson/include -QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp)) +QVL_LIB_FILES := $(sort $(wildcard $(QVL_LIB_PATH)/src/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*.cpp) $(wildcard $(QVL_LIB_PATH)/src/*/*/*.cpp) $(wildcard $(QVL_COMMON_PATH)/src/Utils/*.cpp)) QVL_PARSER_FILES := $(sort $(wildcard $(QVL_PARSER_PATH)/src/*.cpp) $(wildcard $(QVL_PARSER_PATH)/src/*/*.cpp)) diff --git a/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj b/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj index 72ae9306..fca60f7d 100644 --- a/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj +++ b/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj @@ -91,6 +91,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -166,6 +167,7 @@ true Guard 4101;4244 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -186,6 +188,9 @@ + + + diff --git a/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj.filters b/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj.filters index b63dd948..c02717b5 100644 --- a/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj.filters +++ b/QuoteVerification/dcap_quoteverify/AttestationLibrary_untrusted/AttestationLibrary_untrusted.vcxproj.filters @@ -96,5 +96,14 @@ Source Files + + Source Files + + + Source Files + + + Source Files + \ No newline at end of file diff --git a/QuoteVerification/dcap_quoteverify/AttestationParsers_untrusted/AttestationParsers_untrusted.vcxproj b/QuoteVerification/dcap_quoteverify/AttestationParsers_untrusted/AttestationParsers_untrusted.vcxproj index 93687c47..42fb43ee 100644 --- a/QuoteVerification/dcap_quoteverify/AttestationParsers_untrusted/AttestationParsers_untrusted.vcxproj +++ b/QuoteVerification/dcap_quoteverify/AttestationParsers_untrusted/AttestationParsers_untrusted.vcxproj @@ -89,6 +89,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -110,6 +111,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -134,6 +136,7 @@ 4101 false ProgramDatabase + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib @@ -159,6 +162,7 @@ Guard true 4101 + stdcpp17 sgx_trts.lib;sgx_tstdc.lib;sgx_tservice.lib;sgx_tcxx.lib;sgx_tcrypto.lib diff --git a/QuoteVerification/dcap_quoteverify/inc/sgx_dcap_quoteverify.h b/QuoteVerification/dcap_quoteverify/inc/sgx_dcap_quoteverify.h index 234f6313..e39332a8 100644 --- a/QuoteVerification/dcap_quoteverify/inc/sgx_dcap_quoteverify.h +++ b/QuoteVerification/dcap_quoteverify/inc/sgx_dcap_quoteverify.h @@ -166,9 +166,9 @@ quote3_error_t sgx_qv_set_path(sgx_qv_path_type_t path_type, const char *p_path); /** - * Get quote verification result token. + * Perform ECDSA quote verification and get quote verification result token. * - * @param p_quote[IN] - Pointer to SGX Quote. + * @param p_quote[IN] - Pointer to SGX or TDX Quote. * @param quote_size[IN] - Size of the buffer pointed to by p_quote (in bytes). * @param p_quote_collateral[IN] - The parameter is optional. This is a pointer to the Quote Certification Collateral provided by the caller. * @param p_qve_report_info[IN/OUT] - This parameter can be used in 2 ways. diff --git a/QuoteVerification/dcap_quoteverify/linux/Makefile b/QuoteVerification/dcap_quoteverify/linux/Makefile index b856cfb8..610dc532 100644 --- a/QuoteVerification/dcap_quoteverify/linux/Makefile +++ b/QuoteVerification/dcap_quoteverify/linux/Makefile @@ -81,9 +81,10 @@ QVL_VERIFY_LIB_NAME_Static := $(QVL_VERIFY_LIB_NAME).a QAL_APPRAISAL_DIR := $(DCAP_QV_DIR)/appraisal/qal QAL_APPRAISAL_CPP_SRCS :=$(wildcard $(QAL_APPRAISAL_DIR)/*.cpp) +QAL_APPRAISAL_CPP_SRCS += $(QAL_APPRAISAL_DIR)/../common/file_util.cpp QAL_CPP_OBJS := $(QAL_APPRAISAL_CPP_SRCS:.cpp=.o) -QAL_Static_Lib_Name = libdcap_qal.a -WARM_Lib_Path = $(DCAP_EXTERNAL_DIR)/wasm-micro-runtime/product-mini/platforms/linux/build/ +QAL_Static_Lib_Name := libdcap_qal.a +WARM_Lib_Path := $(DCAP_EXTERNAL_DIR)/wasm-micro-runtime/product-mini/platforms/linux/build/ LDUFLAGS += -L$(WARM_Lib_Path) -lvmlib ifeq ($(DEBUG), 1) LDUFLAGS += -fsanitize=undefined diff --git a/QuoteVerification/dcap_quoteverify/sgx_dcap_quoteverify.cpp b/QuoteVerification/dcap_quoteverify/sgx_dcap_quoteverify.cpp index 10c5018e..3619bad9 100644 --- a/QuoteVerification/dcap_quoteverify/sgx_dcap_quoteverify.cpp +++ b/QuoteVerification/dcap_quoteverify/sgx_dcap_quoteverify.cpp @@ -1063,35 +1063,42 @@ quote3_error_t sgx_qv_set_path( static void qv_result_tcb_status_map(std::vector& tcb_status, sgx_ql_qv_result_t qv_result){ switch (qv_result){ - case SGX_QL_QV_RESULT_OK: + case TEE_QV_RESULT_OK: tcb_status.push_back("UpToDate"); break; - case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_SW_HARDENING_NEEDED: tcb_status.push_back("UpToDate"); tcb_status.push_back("SWHardeningNeeded"); break; - case SGX_QL_QV_RESULT_CONFIG_NEEDED: + case TEE_QV_RESULT_CONFIG_NEEDED: tcb_status.push_back("UpToDate"); tcb_status.push_back("ConfigurationNeeded"); break; - case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: tcb_status.push_back("UpToDate"); tcb_status.push_back("SWHardeningNeeded"); tcb_status.push_back("ConfigurationNeeded"); break; - case SGX_QL_QV_RESULT_OUT_OF_DATE: + case TEE_QV_RESULT_OUT_OF_DATE: tcb_status.push_back("OutOfDate"); break; - case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: + case TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: tcb_status.push_back("OutOfDate"); tcb_status.push_back("ConfigurationNeeded"); break; - case SGX_QL_QV_RESULT_INVALID_SIGNATURE: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED: + tcb_status.push_back("TDRelaunchAdvised"); break; - case SGX_QL_QV_RESULT_REVOKED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED: + tcb_status.push_back("TDRelaunchAdvised"); + tcb_status.push_back("ConfigurationNeeded"); + break; + case TEE_QV_RESULT_INVALID_SIGNATURE: + break; + case TEE_QV_RESULT_REVOKED: tcb_status.push_back("Revoked"); break; - case SGX_QL_QV_RESULT_UNSPECIFIED: + case TEE_QV_RESULT_UNSPECIFIED: break; default: break; @@ -1183,11 +1190,11 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, plat_version == NULL || enclave_type == NULL || enclave_version == NULL || request_id == NULL || p_quote_collateral == NULL || p_supplemental_data == NULL) { - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } if(quote_ver != intel::sgx::dcap::constants::QUOTE_VERSION_5 && quote_ver != intel::sgx::dcap::constants::QUOTE_VERSION_3) { - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } using namespace rapidjson; Document JWT; @@ -1196,7 +1203,7 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, Document::AllocatorType &allocator = JWT.GetAllocator(); if(&allocator == NULL) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } Value obj_platform(kObjectType); @@ -1302,7 +1309,7 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, } //get fmpsc from quote - quote3_error_t ret = SGX_QL_SUCCESS; + quote3_error_t ret = TEE_SUCCESS; unsigned char fmspc_from_quote[FMSPC_SIZE] = {0}; unsigned char ca_from_quote[CA_SIZE] = {0}; @@ -1313,7 +1320,7 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, FMSPC_SIZE, ca_from_quote, CA_SIZE); - if(ret == SGX_QL_SUCCESS) + if(ret == TEE_SUCCESS) { Value str_fmspc(kStringType); std::string sfmspc((char* )fmspc_from_quote, FMSPC_SIZE); @@ -1436,7 +1443,7 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, memcpy(&sgx_report, p_tmp_quote5->body, sizeof(sgx_report_body_t)); } else { - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } Value str_encl(kStringType); @@ -1507,7 +1514,7 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, std::string raw_data = str_buff.GetString(); if(raw_data.empty()) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } auto qal_token = jwt::create() @@ -1518,17 +1525,17 @@ static quote3_error_t sgx_jwt_generator_internal(const char *plat_type, if(qal_token.empty()) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } *jwt_data = (uint8_t*)malloc(qal_token.length() + 1); if (*jwt_data == NULL) { - return SGX_QL_ERROR_OUT_OF_MEMORY; + return TEE_ERROR_OUT_OF_MEMORY; } memset(*jwt_data, 0, qal_token.length() + 1); memcpy_s(*jwt_data, qal_token.length() + 1, qal_token.c_str(), qal_token.length()); *jwt_size = (uint32_t)qal_token.length(); - return SGX_QL_SUCCESS; + return TEE_SUCCESS; } static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, @@ -1551,14 +1558,14 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, if(CHECK_MANDATORY_PARAMS(p_quote, quote_size) || quote_size < QUOTE_MIN_SIZE || plat_version == NULL || qe_identity_version == NULL || td_identity_version == NULL || request_id == NULL || p_supplemental_data == NULL || p_quote_collateral == NULL){ - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } if(report_type != TDX10_REPORT && report_type != TDX15_REPORT){ - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } const sgx_quote4_t *quote4 = reinterpret_cast (p_quote); if(quote4->header.tee_type != intel::sgx::dcap::constants::TEE_TYPE_TDX){ - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } using namespace rapidjson; Document JWT; @@ -1567,7 +1574,7 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, Document::AllocatorType &allocator = JWT.GetAllocator(); if(&allocator == NULL) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } @@ -1680,7 +1687,7 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, } //get fmpsc from quote - quote3_error_t ret = SGX_QL_SUCCESS; + quote3_error_t ret = TEE_SUCCESS; unsigned char fmspc_from_quote[FMSPC_SIZE] = {0}; unsigned char ca_from_quote[CA_SIZE] = {0}; @@ -1691,7 +1698,7 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, FMSPC_SIZE, ca_from_quote, CA_SIZE); - if(ret == SGX_QL_SUCCESS) + if(ret == TEE_SUCCESS) { Value str_fmspc(kStringType); std::string sfmspc((char* )fmspc_from_quote, FMSPC_SIZE); @@ -1937,7 +1944,7 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, std::string raw_data = str_buff.GetString(); if(raw_data.empty()) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } auto qal_token = jwt::create() @@ -1948,17 +1955,17 @@ static quote3_error_t tdx_jwt_generator_internal(uint16_t quote_ver, if(qal_token.empty()) { - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } *jwt_data = (uint8_t*)malloc(qal_token.length() + 1); if (*jwt_data == NULL) { - return SGX_QL_ERROR_OUT_OF_MEMORY; + return TEE_ERROR_OUT_OF_MEMORY; } memset(*jwt_data, 0, qal_token.length() + 1); memcpy_s(*jwt_data, qal_token.length() + 1, qal_token.c_str(), qal_token.length()); *jwt_size = (uint32_t)qal_token.length(); - return SGX_QL_SUCCESS; + return TEE_SUCCESS; } quote3_error_t tee_verify_quote_qvt( @@ -1974,7 +1981,7 @@ quote3_error_t tee_verify_quote_qvt( if(CHECK_MANDATORY_PARAMS(p_quote, quote_size) || quote_size < QUOTE_MIN_SIZE || p_verification_result_token_buffer_size == NULL || p_verification_result_token == NULL) { - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } time_t current_time = time(NULL); uint32_t collateral_expiration_status = 1; @@ -1984,8 +1991,8 @@ quote3_error_t tee_verify_quote_qvt( tee_supp_data_descriptor_t supp_data; memset(&supp_data, 0, sizeof(tee_supp_data_descriptor_t)); - sgx_ql_qv_result_t quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED; - quote3_error_t dcap_ret = SGX_QL_ERROR_UNEXPECTED; + sgx_ql_qv_result_t quote_verification_result = TEE_QV_RESULT_UNSPECIFIED; + quote3_error_t dcap_ret = TEE_ERROR_UNEXPECTED; sgx_ql_qve_collateral_t *p_tmp_quote_collateral = NULL; //get supplemental data size @@ -1993,7 +2000,7 @@ quote3_error_t tee_verify_quote_qvt( quote_size, &latest_ver.version, &supp_data.data_size); - if (dcap_ret == SGX_QL_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) { + if (dcap_ret == TEE_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) { SE_TRACE(SE_TRACE_DEBUG,"\tInfo: tee_get_quote_supplemental_data_version_and_size successfully returned.\n"); SE_TRACE(SE_TRACE_DEBUG,"\tInfo: latest supplemental data major version: %d, minor version: %d, size: %d\n", latest_ver.major_version, latest_ver.minor_version, supp_data.data_size); supp_data.p_data = (uint8_t*)malloc(supp_data.data_size); @@ -2002,11 +2009,11 @@ quote3_error_t tee_verify_quote_qvt( } else { SE_TRACE(SE_TRACE_DEBUG,"\tError: Cannot allocate memory for supplemental data.\n"); - return SGX_QL_ERROR_OUT_OF_MEMORY; + return TEE_ERROR_OUT_OF_MEMORY; } } else { - if (dcap_ret != SGX_QL_SUCCESS) + if (dcap_ret != TEE_SUCCESS) SE_TRACE(SE_TRACE_DEBUG,"\tError: tee_get_supplemental_data_version_and_size failed: 0x%04x\n", dcap_ret); if (supp_data.data_size != sizeof(sgx_ql_qv_supplemental_t)) @@ -2024,7 +2031,7 @@ quote3_error_t tee_verify_quote_qvt( reinterpret_cast(&p_tmp_quote_collateral), &p_collateral_size); - if (dcap_ret == SGX_QL_SUCCESS) { + if (dcap_ret == TEE_SUCCESS) { SE_TRACE(SE_TRACE_DEBUG,"\tInfo: tee_qv_get_collateral successfully returned.\n"); p_quote_collateral = reinterpret_cast(p_tmp_quote_collateral); } @@ -2041,22 +2048,24 @@ quote3_error_t tee_verify_quote_qvt( "e_verification_result, p_qve_report_info, &supp_data); - if (dcap_ret == SGX_QL_SUCCESS) { + if (dcap_ret == TEE_SUCCESS) { switch (quote_verification_result) { - case SGX_QL_QV_RESULT_OK: + case TEE_QV_RESULT_OK: break; - case SGX_QL_QV_RESULT_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_OUT_OF_DATE: - case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED: - case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_NEEDED: + case TEE_QV_RESULT_OUT_OF_DATE: + case TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: + case TEE_QV_RESULT_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED: SE_TRACE(SE_TRACE_DEBUG,"\tWarning: Verification completed with Non-terminal result: 0x%04x\n", quote_verification_result); break; //Will not generate JWT when critical error occurred - case SGX_QL_QV_RESULT_INVALID_SIGNATURE: - case SGX_QL_QV_RESULT_REVOKED: - case SGX_QL_QV_RESULT_UNSPECIFIED: + case TEE_QV_RESULT_INVALID_SIGNATURE: + case TEE_QV_RESULT_REVOKED: + case TEE_QV_RESULT_UNSPECIFIED: default: SE_TRACE(SE_TRACE_DEBUG,"\tError: Verification completed with Terminal result: 0x%04x\n", quote_verification_result); if(p_tmp_quote_collateral != NULL){ @@ -2065,7 +2074,7 @@ quote3_error_t tee_verify_quote_qvt( if(supp_data.p_data != NULL){ free(supp_data.p_data); } - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } } else { @@ -2084,7 +2093,7 @@ quote3_error_t tee_verify_quote_qvt( if(!RAND_bytes(rand_nonce, REQUEST_ID_LEN)) { SE_TRACE(SE_TRACE_ERROR,"\tError: Failed to generate random request_id.\n"); - return SGX_QL_ERROR_UNEXPECTED; + return TEE_ERROR_UNEXPECTED; } //parse quote header to get tee type, only support SGX and TDX by now @@ -2104,7 +2113,7 @@ quote3_error_t tee_verify_quote_qvt( free(supp_data.p_data); } //quote type is not supported - return SGX_QL_ERROR_INVALID_PARAMETER; + return TEE_ERROR_INVALID_PARAMETER; } uint16_t quote_ver = 0; uint16_t report_type = 0; @@ -2169,7 +2178,7 @@ quote3_error_t tee_verify_quote_qvt( } catch (...) { - dcap_ret = SGX_QL_ERROR_UNEXPECTED; + dcap_ret = TEE_ERROR_UNEXPECTED; SE_TRACE(SE_TRACE_ERROR,"\tError: Failed to generate JWT.\n"); } @@ -2184,12 +2193,13 @@ quote3_error_t tee_verify_quote_qvt( quote3_error_t tee_free_verify_quote_qvt(uint8_t *p_verification_result_token, uint32_t *p_verification_result_token_buffer_size) { - if(p_verification_result_token == NULL) + if(p_verification_result_token == NULL || p_verification_result_token_buffer_size == NULL) { return SGX_QL_ERROR_INVALID_PARAMETER; } free(p_verification_result_token); - p_verification_result_token_buffer_size = 0; + p_verification_result_token = NULL; + *p_verification_result_token_buffer_size = 0; return SGX_QL_SUCCESS; } #endif \ No newline at end of file diff --git a/QuoteVerification/dcap_quoteverify/win/dcap_quoteverify.vcxproj b/QuoteVerification/dcap_quoteverify/win/dcap_quoteverify.vcxproj index d38417cb..44af4d60 100644 --- a/QuoteVerification/dcap_quoteverify/win/dcap_quoteverify.vcxproj +++ b/QuoteVerification/dcap_quoteverify/win/dcap_quoteverify.vcxproj @@ -109,6 +109,7 @@ Guard ProgramDatabase MultiThreadedDebug + stdcpp17 Windows @@ -141,6 +142,7 @@ Guard ProgramDatabase MultiThreadedDebug + stdcpp17 Windows @@ -171,6 +173,7 @@ true Guard MultiThreaded + stdcpp17 Windows @@ -203,6 +206,7 @@ true Guard MultiThreaded + stdcpp17 Windows diff --git a/QuoteVerification/prepare_sgxssl.cmd b/QuoteVerification/prepare_sgxssl.cmd index 572156b5..ce9c6ba9 100644 --- a/QuoteVerification/prepare_sgxssl.cmd +++ b/QuoteVerification/prepare_sgxssl.cmd @@ -39,7 +39,7 @@ set top_dir=%~dp0 set sgxssl_dir=%top_dir%\sgxssl set openssl_out_dir=%sgxssl_dir%\openssl_source -set openssl_ver_name=openssl-3.0.12 +set openssl_ver_name=openssl-3.0.13 set sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive set sgxssl_ver_name=3.0_Rev2 set sgxssl_ver=%sgxssl_ver_name% @@ -49,7 +49,7 @@ set server_url_path=https://www.openssl.org/source/ set full_openssl_url=%server_url_path%/%openssl_ver_name%.tar.gz set sgxssl_chksum=269e1171f566ac6630d83c3b6cf9669e254b08a7f208cc8cf59f471f3d8a579b -set openssl_chksum=f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61 +set openssl_chksum=88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313 if not exist %sgxssl_dir% ( mkdir %sgxssl_dir% @@ -83,7 +83,6 @@ if !errorlevel! NEQ 0 ( if not exist %sgxssl_dir%\Windows\package\lib\%PFM%\%CFG%\libsgx_tsgxssl.lib ( cd %sgxssl_dir%\Windows\ - call powershell -Command "$content = Get-Content build_package.cmd; $content[152] = \"xcopy /y /s ..\..\..\..\prebuilt\openssl\openssl-3.0.13_files\* .`n\" + $content[152]; Set-Content build_package.cmd $content" start /WAIT cmd /C call %build_script% %PFM%_%CFG% %openssl_ver_name% no-clean SIM || exit /b 1 xcopy /E /H /y %sgxssl_dir%\Windows\package %top_dir%\package\ diff --git a/QuoteVerification/prepare_sgxssl.sh b/QuoteVerification/prepare_sgxssl.sh index 09c011bb..d0d884ab 100755 --- a/QuoteVerification/prepare_sgxssl.sh +++ b/QuoteVerification/prepare_sgxssl.sh @@ -34,7 +34,7 @@ ARG1=${1:-build} top_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" sgxssl_dir=$top_dir/sgxssl openssl_out_dir=$sgxssl_dir/openssl_source -openssl_ver_name=openssl-3.0.12 +openssl_ver_name=openssl-3.0.13 sgxssl_github_archive=https://github.com/intel/intel-sgx-ssl/archive sgxssl_file_name=3.0_Rev2 build_script=$sgxssl_dir/Linux/build_openssl.sh @@ -43,6 +43,7 @@ full_openssl_url=$server_url_path/$openssl_ver_name.tar.gz full_openssl_url_old=$server_url_path/old/3.0/$openssl_ver_name.tar.gz sgxssl_chksum=269e1171f566ac6630d83c3b6cf9669e254b08a7f208cc8cf59f471f3d8a579b +openssl_chksum=88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313 rm -f check_sum_sgxssl.txt check_sum_openssl.txt if [ ! -f $build_script ]; then wget $sgxssl_github_archive/$sgxssl_file_name.zip -P $sgxssl_dir/ || exit 1 @@ -75,9 +76,8 @@ fi if [ ! -f $openssl_out_dir/$openssl_ver_name.tar.gz ]; then wget $full_openssl_url_old -P $openssl_out_dir || wget $full_openssl_url -P $openssl_out_dir || exit 1 - wget $server_url_path/$openssl_ver_name.tar.gz.sha256 -O expected_chksum_openssl.txt || wget $full_openssl_url.sha256 -O expected_chksum_openssl.txt || exit 1 - openssl_chksum=`sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz | awk '{print $1}'` - grep $openssl_chksum expected_chksum_openssl.txt + sha256sum $openssl_out_dir/$openssl_ver_name.tar.gz > $sgxssl_dir/check_sum_openssl.txt + grep $openssl_chksum $sgxssl_dir/check_sum_openssl.txt if [ $? -ne 0 ]; then echo "File $openssl_out_dir/$openssl_ver_name.tar.gz checksum failure" rm -f $openssl_out_dir/$openssl_ver_name.tar.gz @@ -91,7 +91,6 @@ if [ "$1" = "nobuild" ]; then fi pushd $sgxssl_dir/Linux/ -sed -i '141a patch --merge -p1 < ../../../../prebuilt/openssl/openssl.CVE-2023-5678.patch || exit 1' build_openssl.sh if [[ "$*" == *SERVTD_ATTEST* ]];then make clean sgxssl_no_mitigation NO_THREADS=1 LINUX_SGX_BUILD=2 SERVTD_ATTEST=1 else diff --git a/SampleCode/QuoteAppraisalSample/App/App.cpp b/SampleCode/QuoteAppraisalSample/App/App.cpp index b87350cc..683d1f38 100644 --- a/SampleCode/QuoteAppraisalSample/App/App.cpp +++ b/SampleCode/QuoteAppraisalSample/App/App.cpp @@ -57,7 +57,6 @@ vector tdx_platform_policy = { "Policies/tdx_platform_policy_platform_grace_period.jwt", "Policies/tdx_platform_policy_collateral_grace_period.jwt", "Policies/tdx_platform_policy_rejected_id.jwt", - // Alibaba Cloud predefined TDX platform policy with FMSPC 90C06F000000 "Policies/alibabacloud_tdx_platform_policy_90C06F000000.jwt", }; diff --git a/SampleCode/QuoteAppraisalSample/Policies/alibabacloud_tdx_platform_policy_90C06F000000.json b/SampleCode/QuoteAppraisalSample/Policies/alibabacloud_tdx_platform_policy_90C06F000000.json index c33431e4..7e409ddc 100644 --- a/SampleCode/QuoteAppraisalSample/Policies/alibabacloud_tdx_platform_policy_90C06F000000.json +++ b/SampleCode/QuoteAppraisalSample/Policies/alibabacloud_tdx_platform_policy_90C06F000000.json @@ -1,29 +1,30 @@ { - "policy_array": [ - { - "environment": { - "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3", - "description": "Alibaba Cloud Evaluation Num Policy for TDX Platform" - }, - "reference": { - "allow_dynamic_plaform": true, - "accepted_tcb_status": [ - "UpToDate" - ], - "min_eval_num": 16 - } - }, - { - "environment": { - "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2", - "description": "Alibaba Cloud Num Policy for Verified TDQE" - }, - "reference": { - "accepted_tcb_status": [ - "UpToDate" - ], - "min_eval_num": 16 - } - } - ] + "policy_array": [ + { + "environment": { + "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3", + "description": "Alibaba Cloud Evaluation Num Policy for TDX Platform" + }, + + "reference": { + "allow_dynamic_plaform": true, + "accepted_tcb_status": [ + "UpToDate" + ], + "min_eval_num": 16 + } + }, + { + "environment": { + "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2", + "description": "Alibaba Cloud Num Policy for Verified TDQE" + }, + "reference": { + "accepted_tcb_status": [ + "UpToDate" + ], + "min_eval_num": 16 + } + } + ] } diff --git a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_collateral_grace_period.json b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_collateral_grace_period.json index 03486529..8fb7f9ad 100644 --- a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_collateral_grace_period.json +++ b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_collateral_grace_period.json @@ -13,7 +13,8 @@ "UpToDate", "SWHardeningNeeded", "ConfigurationNeeded", - "OutOfDate" + "OutOfDate", + "TDRelaunchAdvised" ], "#NOTE": "'collateral_grace_period' allows you to pass appraisal verification even if the collateral has expired within 90 days (7776000 seconds).", "#NOTE": "If 'collateral_grace_period' is greater than 0, 'platform_grace_period' must not be defined", diff --git a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_min_eval_num.json b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_min_eval_num.json index a5911e22..bd5deb17 100644 --- a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_min_eval_num.json +++ b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_min_eval_num.json @@ -13,7 +13,8 @@ "UpToDate", "SWHardeningNeeded", "ConfigurationNeeded", - "OutOfDate" + "OutOfDate", + "TDRelaunchAdvised" ], "#NOTE": "'min_eval_num' indicates that Platform TCB Reports with higher tcb_eval_num are not required.", "#NOTE": "The Policy fails if the Platform TCB Report includes an tcb_eval_num which is lower than the value defined in 'min_eval_num'.", diff --git a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_platform_grace_period.json b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_platform_grace_period.json index 11b9a00c..8bdca2b5 100644 --- a/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_platform_grace_period.json +++ b/SampleCode/QuoteAppraisalSample/Policies/tdx_platform_policy_platform_grace_period.json @@ -13,7 +13,8 @@ "UpToDate", "SWHardeningNeeded", "ConfigurationNeeded", - "OutOfDate" + "OutOfDate", + "TDRelaunchAdvised" ], "#NOTE": "'platform_grace_period' allows you to pass appraisal verification even if the platform has expired within 90 days (7776000 seconds).", "platform_grace_period": 7776000, diff --git a/SampleCode/QuoteVerificationSample/App/App.cpp b/SampleCode/QuoteVerificationSample/App/App.cpp index 2d3a6cb0..adff044f 100644 --- a/SampleCode/QuoteVerificationSample/App/App.cpp +++ b/SampleCode/QuoteVerificationSample/App/App.cpp @@ -121,7 +121,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) int updated = 0; sgx_launch_token_t token = {0}; unsigned char rand_nonce[16] = "59jslk201fgjmm;"; - quote3_error_t verify_qveid_ret = SGX_QL_ERROR_UNEXPECTED; + quote3_error_t verify_qveid_ret = TEE_ERROR_UNEXPECTED; sgx_enclave_id_t eid = 0; #else (void)use_qve; @@ -129,9 +129,9 @@ int ecdsa_quote_verification(vector quote, bool use_qve) int ret = 0; time_t current_time = 0; - quote3_error_t dcap_ret = SGX_QL_ERROR_UNEXPECTED; + quote3_error_t dcap_ret = TEE_ERROR_UNEXPECTED; uint32_t collateral_expiration_status = 1; - sgx_ql_qv_result_t quote_verification_result = SGX_QL_QV_RESULT_UNSPECIFIED; + sgx_ql_qv_result_t quote_verification_result = TEE_QV_RESULT_UNSPECIFIED; tee_supp_data_descriptor_t supp_data; @@ -174,7 +174,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) // call DCAP quote verify library to set QvE loading policy // dcap_ret = sgx_qv_set_enclave_load_policy(SGX_QL_DEFAULT); - if (dcap_ret == SGX_QL_SUCCESS) + if (dcap_ret == TEE_SUCCESS) { log("Info: sgx_qv_set_enclave_load_policy successfully returned."); } @@ -194,7 +194,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) &latest_ver.version, &supp_data.data_size); - if (dcap_ret == SGX_QL_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) + if (dcap_ret == TEE_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) { log("Info: tee_get_quote_supplemental_data_version_and_size successfully returned."); log("Info: latest supplemental data major version: %d, minor version: %d, size: %d", latest_ver.major_version, latest_ver.minor_version, supp_data.data_size); @@ -214,7 +214,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) } else { - if (dcap_ret != SGX_QL_SUCCESS) + if (dcap_ret != TEE_SUCCESS) log("Error: tee_get_quote_supplemental_data_size failed: 0x%04x", dcap_ret); if (supp_data.data_size != sizeof(sgx_ql_qv_supplemental_t)) @@ -239,7 +239,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) "e_verification_result, &qve_report_info, &supp_data); - if (dcap_ret == SGX_QL_SUCCESS) + if (dcap_ret == TEE_SUCCESS) { log("Info: App: tee_verify_quote successfully returned."); } @@ -274,7 +274,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) supp_data.data_size, qve_isvsvn_threshold); - if (sgx_ret != SGX_SUCCESS || verify_qveid_ret != SGX_QL_SUCCESS) + if (sgx_ret != SGX_SUCCESS || verify_qveid_ret != TEE_SUCCESS) { log("Error: Ecall: Verify QvE report and identity failed. 0x%04x", verify_qveid_ret); ret = -1; @@ -289,7 +289,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) // switch (quote_verification_result) { - case SGX_QL_QV_RESULT_OK: + case TEE_QV_RESULT_OK: // check verification collateral expiration status // this value should be considered in your own attestation/verification policy // @@ -305,17 +305,19 @@ int ecdsa_quote_verification(vector quote, bool use_qve) } break; - case SGX_QL_QV_RESULT_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_OUT_OF_DATE: - case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED: - case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_NEEDED: + case TEE_QV_RESULT_OUT_OF_DATE: + case TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: + case TEE_QV_RESULT_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED: log("Warning: App: Verification completed with Non-terminal result: %x", quote_verification_result); ret = 1; break; - case SGX_QL_QV_RESULT_INVALID_SIGNATURE: - case SGX_QL_QV_RESULT_REVOKED: - case SGX_QL_QV_RESULT_UNSPECIFIED: + case TEE_QV_RESULT_INVALID_SIGNATURE: + case TEE_QV_RESULT_REVOKED: + case TEE_QV_RESULT_UNSPECIFIED: default: log("Error: App: Verification completed with Terminal result: %x", quote_verification_result); ret = -1; @@ -324,7 +326,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) // check supplemental data if necessary // - if (dcap_ret == SGX_QL_SUCCESS && supp_data.p_data != NULL && supp_data.data_size > 0) + if (dcap_ret == TEE_SUCCESS && supp_data.p_data != NULL && supp_data.data_size > 0) { sgx_ql_qv_supplemental_t *p = (sgx_ql_qv_supplemental_t *)supp_data.p_data; @@ -355,7 +357,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) &latest_ver.version, &supp_data.data_size); - if (dcap_ret == SGX_QL_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) + if (dcap_ret == TEE_SUCCESS && supp_data.data_size == sizeof(sgx_ql_qv_supplemental_t)) { log("Info: tee_get_quote_supplemental_data_version_and_size successfully returned."); log("Info: latest supplemental data major version: %d, minor version: %d, size: %d", latest_ver.major_version, latest_ver.minor_version, supp_data.data_size); @@ -375,7 +377,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) } else { - if (dcap_ret != SGX_QL_SUCCESS) + if (dcap_ret != TEE_SUCCESS) log("Error: tee_get_quote_supplemental_data_size failed: 0x%04x", dcap_ret); if (supp_data.data_size != sizeof(sgx_ql_qv_supplemental_t)) @@ -400,7 +402,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) "e_verification_result, NULL, &supp_data); - if (dcap_ret == SGX_QL_SUCCESS) + if (dcap_ret == TEE_SUCCESS) { log("Info: App: tee_verify_quote successfully returned."); } @@ -414,7 +416,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) // switch (quote_verification_result) { - case SGX_QL_QV_RESULT_OK: + case TEE_QV_RESULT_OK: // check verification collateral expiration status // this value should be considered in your own attestation/verification policy // @@ -429,17 +431,19 @@ int ecdsa_quote_verification(vector quote, bool use_qve) ret = 1; } break; - case SGX_QL_QV_RESULT_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_OUT_OF_DATE: - case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: - case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED: - case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_NEEDED: + case TEE_QV_RESULT_OUT_OF_DATE: + case TEE_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED: + case TEE_QV_RESULT_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED: + case TEE_QV_RESULT_TD_RELAUNCH_ADVISED_CONFIG_NEEDED: log("Warning: App: Verification completed with Non-terminal result: %x", quote_verification_result); ret = 1; break; - case SGX_QL_QV_RESULT_INVALID_SIGNATURE: - case SGX_QL_QV_RESULT_REVOKED: - case SGX_QL_QV_RESULT_UNSPECIFIED: + case TEE_QV_RESULT_INVALID_SIGNATURE: + case TEE_QV_RESULT_REVOKED: + case TEE_QV_RESULT_UNSPECIFIED: default: log("Error: App: Verification completed with Terminal result: %x", quote_verification_result); ret = -1; @@ -448,7 +452,7 @@ int ecdsa_quote_verification(vector quote, bool use_qve) // check supplemental data if necessary // - if (dcap_ret == SGX_QL_SUCCESS && supp_data.p_data != NULL && supp_data.data_size > 0) + if (dcap_ret == TEE_SUCCESS && supp_data.p_data != NULL && supp_data.data_size > 0) { sgx_ql_qv_supplemental_t *p = (sgx_ql_qv_supplemental_t *)supp_data.p_data; diff --git a/prebuilt/openssl/inc/openssl/bio.h b/prebuilt/openssl/inc/openssl/bio.h index e16cf622..f9aa7473 100644 --- a/prebuilt/openssl/inc/openssl/bio.h +++ b/prebuilt/openssl/inc/openssl/bio.h @@ -867,7 +867,7 @@ int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, - int (*gets) (BIO *, char *, int)); + int (*ossl_gets) (BIO *, char *, int)); long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); diff --git a/prebuilt/openssl/inc/openssl/conferr.h b/prebuilt/openssl/inc/openssl/conferr.h index 496e2e1e..5dd4868a 100644 --- a/prebuilt/openssl/inc/openssl/conferr.h +++ b/prebuilt/openssl/inc/openssl/conferr.h @@ -38,6 +38,7 @@ # define CONF_R_NUMBER_TOO_LARGE 121 # define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION 124 # define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111 +# define CONF_R_RECURSIVE_SECTION_REFERENCE 126 # define CONF_R_RELATIVE_PATH 125 # define CONF_R_SSL_COMMAND_SECTION_EMPTY 117 # define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118 diff --git a/prebuilt/openssl/inc/openssl/configuration.h b/prebuilt/openssl/inc/openssl/configuration.h index 6c56d766..26d99319 100644 --- a/prebuilt/openssl/inc/openssl/configuration.h +++ b/prebuilt/openssl/inc/openssl/configuration.h @@ -34,9 +34,6 @@ extern "C" { # ifndef OPENSSL_THREADS # define OPENSSL_THREADS # endif -# ifndef OPENSSL_NO_ACVP_TESTS -# define OPENSSL_NO_ACVP_TESTS -# endif # ifndef OPENSSL_NO_AFALGENG # define OPENSSL_NO_AFALGENG # endif @@ -85,9 +82,6 @@ extern "C" { # ifndef OPENSSL_NO_DEVCRYPTOENG # define OPENSSL_NO_DEVCRYPTOENG # endif -# ifndef OPENSSL_NO_DSO -# define OPENSSL_NO_DSO -# endif # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 # define OPENSSL_NO_EC_NISTP_64_GCC_128 # endif @@ -100,9 +94,6 @@ extern "C" { # ifndef OPENSSL_NO_FILENAMES # define OPENSSL_NO_FILENAMES # endif -# ifndef OPENSSL_NO_FIPS_SECURITYCHECKS -# define OPENSSL_NO_FIPS_SECURITYCHECKS -# endif # ifndef OPENSSL_NO_FUZZ_AFL # define OPENSSL_NO_FUZZ_AFL # endif diff --git a/prebuilt/openssl/inc/openssl/opensslv.h b/prebuilt/openssl/inc/openssl/opensslv.h index 73590b76..012d77ee 100644 --- a/prebuilt/openssl/inc/openssl/opensslv.h +++ b/prebuilt/openssl/inc/openssl/opensslv.h @@ -29,7 +29,7 @@ extern "C" { */ # define OPENSSL_VERSION_MAJOR 3 # define OPENSSL_VERSION_MINOR 0 -# define OPENSSL_VERSION_PATCH 12 +# define OPENSSL_VERSION_PATCH 13 /* * Additional version information @@ -74,21 +74,21 @@ extern "C" { * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and * OPENSSL_VERSION_BUILD_METADATA_STR appended. */ -# define OPENSSL_VERSION_STR "3.0.12" -# define OPENSSL_FULL_VERSION_STR "3.0.12" +# define OPENSSL_VERSION_STR "3.0.13" +# define OPENSSL_FULL_VERSION_STR "3.0.13" /* * SECTION 3: ADDITIONAL METADATA * * These strings are defined separately to allow them to be parsable. */ -# define OPENSSL_RELEASE_DATE "24 Oct 2023" +# define OPENSSL_RELEASE_DATE "30 Jan 2024" /* * SECTION 4: BACKWARD COMPATIBILITY */ -# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.12 24 Oct 2023" +# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.13 30 Jan 2024" /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ # ifdef OPENSSL_VERSION_PRE_RELEASE diff --git a/prebuilt/openssl/lib/linux64/libcrypto.a b/prebuilt/openssl/lib/linux64/libcrypto.a index 3a4eb717..af7f2dae 100644 Binary files a/prebuilt/openssl/lib/linux64/libcrypto.a and b/prebuilt/openssl/lib/linux64/libcrypto.a differ diff --git a/prebuilt/openssl/lib/win32/libcrypto.lib b/prebuilt/openssl/lib/win32/libcrypto.lib index 2c18fc87..0ebc845e 100644 Binary files a/prebuilt/openssl/lib/win32/libcrypto.lib and b/prebuilt/openssl/lib/win32/libcrypto.lib differ diff --git a/prebuilt/openssl/lib/win64/libcrypto.lib b/prebuilt/openssl/lib/win64/libcrypto.lib index d5860b3a..b747dea3 100644 Binary files a/prebuilt/openssl/lib/win64/libcrypto.lib and b/prebuilt/openssl/lib/win64/libcrypto.lib differ diff --git a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_check.c b/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_check.c deleted file mode 100644 index e20eb620..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_check.c +++ /dev/null @@ -1,360 +0,0 @@ -/* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * DH low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "internal/cryptlib.h" -#include -#include "dh_local.h" -#include "crypto/dh.h" - -/*- - * Check that p and g are suitable enough - * - * p is odd - * 1 < g < p - 1 - */ -int DH_check_params_ex(const DH *dh) -{ - int errflags = 0; - - if (!DH_check_params(dh, &errflags)) - return 0; - - if ((errflags & DH_CHECK_P_NOT_PRIME) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_PRIME); - if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0) - ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR); - if ((errflags & DH_MODULUS_TOO_SMALL) != 0) - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - if ((errflags & DH_MODULUS_TOO_LARGE) != 0) - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - - return errflags == 0; -} - -#ifdef FIPS_MODULE -int DH_check_params(const DH *dh, int *ret) -{ - int nid; - - *ret = 0; - /* - * SP800-56A R3 Section 5.5.2 Assurances of Domain Parameter Validity - * (1a) The domain parameters correspond to any approved safe prime group. - */ - nid = DH_get_nid((DH *)dh); - if (nid != NID_undef) - return 1; - /* - * OR - * (2b) FFC domain params conform to FIPS-186-4 explicit domain param - * validity tests. - */ - return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, - FFC_PARAM_TYPE_DH, ret, NULL); -} -#else -int DH_check_params(const DH *dh, int *ret) -{ - int ok = 0; - BIGNUM *tmp = NULL; - BN_CTX *ctx = NULL; - - *ret = 0; - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; - BN_CTX_start(ctx); - tmp = BN_CTX_get(ctx); - if (tmp == NULL) - goto err; - - if (!BN_is_odd(dh->params.p)) - *ret |= DH_CHECK_P_NOT_PRIME; - if (BN_is_negative(dh->params.g) - || BN_is_zero(dh->params.g) - || BN_is_one(dh->params.g)) - *ret |= DH_NOT_SUITABLE_GENERATOR; - if (BN_copy(tmp, dh->params.p) == NULL || !BN_sub_word(tmp, 1)) - goto err; - if (BN_cmp(dh->params.g, tmp) >= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) - *ret |= DH_MODULUS_TOO_SMALL; - if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) - *ret |= DH_MODULUS_TOO_LARGE; - - ok = 1; - err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ok; -} -#endif /* FIPS_MODULE */ - -/*- - * Check that p is a safe prime and - * g is a suitable generator. - */ -int DH_check_ex(const DH *dh) -{ - int errflags = 0; - - if (!DH_check(dh, &errflags)) - return 0; - - if ((errflags & DH_NOT_SUITABLE_GENERATOR) != 0) - ERR_raise(ERR_LIB_DH, DH_R_NOT_SUITABLE_GENERATOR); - if ((errflags & DH_CHECK_Q_NOT_PRIME) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_Q_NOT_PRIME); - if ((errflags & DH_CHECK_INVALID_Q_VALUE) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_INVALID_Q_VALUE); - if ((errflags & DH_CHECK_INVALID_J_VALUE) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_INVALID_J_VALUE); - if ((errflags & DH_UNABLE_TO_CHECK_GENERATOR) != 0) - ERR_raise(ERR_LIB_DH, DH_R_UNABLE_TO_CHECK_GENERATOR); - if ((errflags & DH_CHECK_P_NOT_PRIME) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_PRIME); - if ((errflags & DH_CHECK_P_NOT_SAFE_PRIME) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_P_NOT_SAFE_PRIME); - if ((errflags & DH_MODULUS_TOO_SMALL) != 0) - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - if ((errflags & DH_MODULUS_TOO_LARGE) != 0) - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - - return errflags == 0; -} - -/* Note: according to documentation - this only checks the params */ -int DH_check(const DH *dh, int *ret) -{ -#ifdef FIPS_MODULE - return DH_check_params(dh, ret); -#else - int ok = 0, r, q_good = 0; - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - int nid = DH_get_nid((DH *)dh); - - *ret = 0; - if (nid != NID_undef) - return 1; - - /* Don't do any checks at all with an excessively large modulus */ - if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME; - return 0; - } - - if (!DH_check_params(dh, ret)) - return 0; - - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; - BN_CTX_start(ctx); - t1 = BN_CTX_get(ctx); - t2 = BN_CTX_get(ctx); - if (t2 == NULL) - goto err; - - if (dh->params.q != NULL) { - if (BN_ucmp(dh->params.p, dh->params.q) > 0) - q_good = 1; - else - *ret |= DH_CHECK_INVALID_Q_VALUE; - } - - if (q_good) { - if (BN_cmp(dh->params.g, BN_value_one()) <= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else if (BN_cmp(dh->params.g, dh->params.p) >= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else { - /* Check g^q == 1 mod p */ - if (!BN_mod_exp(t1, dh->params.g, dh->params.q, dh->params.p, ctx)) - goto err; - if (!BN_is_one(t1)) - *ret |= DH_NOT_SUITABLE_GENERATOR; - } - r = BN_check_prime(dh->params.q, ctx, NULL); - if (r < 0) - goto err; - if (!r) - *ret |= DH_CHECK_Q_NOT_PRIME; - /* Check p == 1 mod q i.e. q divides p - 1 */ - if (!BN_div(t1, t2, dh->params.p, dh->params.q, ctx)) - goto err; - if (!BN_is_one(t2)) - *ret |= DH_CHECK_INVALID_Q_VALUE; - if (dh->params.j != NULL - && BN_cmp(dh->params.j, t1)) - *ret |= DH_CHECK_INVALID_J_VALUE; - } - - r = BN_check_prime(dh->params.p, ctx, NULL); - if (r < 0) - goto err; - if (!r) - *ret |= DH_CHECK_P_NOT_PRIME; - else if (dh->params.q == NULL) { - if (!BN_rshift1(t1, dh->params.p)) - goto err; - r = BN_check_prime(t1, ctx, NULL); - if (r < 0) - goto err; - if (!r) - *ret |= DH_CHECK_P_NOT_SAFE_PRIME; - } - ok = 1; - err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ok; -#endif /* FIPS_MODULE */ -} - -int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) -{ - int errflags = 0; - - if (!DH_check_pub_key(dh, pub_key, &errflags)) - return 0; - - if ((errflags & DH_CHECK_PUBKEY_TOO_SMALL) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_TOO_SMALL); - if ((errflags & DH_CHECK_PUBKEY_TOO_LARGE) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_TOO_LARGE); - if ((errflags & DH_CHECK_PUBKEY_INVALID) != 0) - ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); - - return errflags == 0; -} - -/* - * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. - */ -int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) -{ - /* Don't do any checks at all with an excessively large modulus */ - if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; - return 0; - } - - if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { - *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; - return 1; - } - - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); -} - -/* - * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Partial public key validation. - * To only be used with ephemeral FFC public keys generated using the approved - * safe-prime groups. - */ -int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret) -{ - return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret) - && *ret == 0; -} - -int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret) -{ - int ok = 0; - BIGNUM *two_powN = NULL, *upper; - - *ret = 0; - two_powN = BN_new(); - if (two_powN == NULL) - return 0; - - if (dh->params.q != NULL) { - upper = dh->params.q; -#ifndef FIPS_MODULE - } else if (dh->params.p != NULL) { - /* - * We do not have q so we just check the key is within some - * reasonable range, or the number of bits is equal to dh->length. - */ - int length = dh->length; - - if (length == 0) { - length = BN_num_bits(dh->params.p) - 1; - if (BN_num_bits(priv_key) <= length - && BN_num_bits(priv_key) > 1) - ok = 1; - } else if (BN_num_bits(priv_key) == length) { - ok = 1; - } - goto end; -#endif - } else { - goto end; - } - - /* Is it from an approved Safe prime group ?*/ - if (DH_get_nid((DH *)dh) != NID_undef && dh->length != 0) { - if (!BN_lshift(two_powN, BN_value_one(), dh->length)) - goto end; - if (BN_cmp(two_powN, dh->params.q) < 0) - upper = two_powN; - } - if (!ossl_ffc_validate_private_key(upper, priv_key, ret)) - goto end; - - ok = 1; -end: - BN_free(two_powN); - return ok; -} - -/* - * FFC pairwise check from SP800-56A R3. - * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency - */ -int ossl_dh_check_pairwise(const DH *dh) -{ - int ret = 0; - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL; - - if (dh->params.p == NULL - || dh->params.g == NULL - || dh->priv_key == NULL - || dh->pub_key == NULL) - return 0; - - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; - pub_key = BN_new(); - if (pub_key == NULL) - goto err; - - /* recalculate the public key = (g ^ priv) mod p */ - if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key)) - goto err; - /* check it matches the existing pubic_key */ - ret = BN_cmp(pub_key, dh->pub_key) == 0; -err: - BN_free(pub_key); - BN_CTX_free(ctx); - return ret; -} diff --git a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_err.c b/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_err.c deleted file mode 100644 index f76ac0dd..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_err.c +++ /dev/null @@ -1,76 +0,0 @@ -/* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include -#include -#include "crypto/dherr.h" - -#ifndef OPENSSL_NO_DH - -# ifndef OPENSSL_NO_ERR - -static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_FFC_PARAMETERS), "bad ffc parameters"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR), "bad generator"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_BN_DECODE_ERROR), "bn decode error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_BN_ERROR), "bn error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_INVALID_J_VALUE), - "check invalid j value"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_INVALID_Q_VALUE), - "check invalid q value"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_PUBKEY_INVALID), - "check pubkey invalid"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_PUBKEY_TOO_LARGE), - "check pubkey too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_PUBKEY_TOO_SMALL), - "check pubkey too small"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_P_NOT_PRIME), "check p not prime"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_P_NOT_SAFE_PRIME), - "check p not safe prime"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_CHECK_Q_NOT_PRIME), "check q not prime"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_DECODE_ERROR), "decode error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PARAMETER_NAME), - "invalid parameter name"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PARAMETER_NID), - "invalid parameter nid"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_SECRET), "invalid secret"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL), "modulus too small"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), - "not suitable generator"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, - {0, NULL} -}; - -# endif - -int ossl_err_load_DH_strings(void) -{ -# ifndef OPENSSL_NO_ERR - if (ERR_reason_error_string(DH_str_reasons[0].error) == NULL) - ERR_load_strings_const(DH_str_reasons); -# endif - return 1; -} -#else -NON_EMPTY_TRANSLATION_UNIT -#endif diff --git a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_key.c b/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_key.c deleted file mode 100644 index afc49f5c..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/crypto/dh/dh_key.c +++ /dev/null @@ -1,453 +0,0 @@ -/* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * DH low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "internal/cryptlib.h" -#include "dh_local.h" -#include "crypto/bn.h" -#include "crypto/dh.h" -#include "crypto/security_bits.h" - -#ifdef FIPS_MODULE -# define MIN_STRENGTH 112 -#else -# define MIN_STRENGTH 80 -#endif - -static int generate_key(DH *dh); -static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, - const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -static int dh_init(DH *dh); -static int dh_finish(DH *dh); - -/* - * See SP800-56Ar3 Section 5.7.1.1 - * Finite Field Cryptography Diffie-Hellman (FFC DH) Primitive - */ -int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) -{ - BN_CTX *ctx = NULL; - BN_MONT_CTX *mont = NULL; - BIGNUM *z = NULL, *pminus1; - int ret = -1; - - if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - goto err; - } - - if (dh->params.q != NULL - && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); - goto err; - } - - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; - } - - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; - BN_CTX_start(ctx); - pminus1 = BN_CTX_get(ctx); - z = BN_CTX_get(ctx); - if (z == NULL) - goto err; - - if (dh->priv_key == NULL) { - ERR_raise(ERR_LIB_DH, DH_R_NO_PRIVATE_VALUE); - goto err; - } - - if (dh->flags & DH_FLAG_CACHE_MONT_P) { - mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, - dh->lock, dh->params.p, ctx); - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - if (!mont) - goto err; - } - - /* (Step 1) Z = pub_key^priv_key mod p */ - if (!dh->meth->bn_mod_exp(dh, z, pub_key, dh->priv_key, dh->params.p, ctx, - mont)) { - ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB); - goto err; - } - - /* (Step 2) Error if z <= 1 or z = p - 1 */ - if (BN_copy(pminus1, dh->params.p) == NULL - || !BN_sub_word(pminus1, 1) - || BN_cmp(z, BN_value_one()) <= 0 - || BN_cmp(z, pminus1) == 0) { - ERR_raise(ERR_LIB_DH, DH_R_INVALID_SECRET); - goto err; - } - - /* return the padded key, i.e. same number of bytes as the modulus */ - ret = BN_bn2binpad(z, key, BN_num_bytes(dh->params.p)); - err: - BN_clear(z); /* (Step 2) destroy intermediate values */ - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ret; -} - -/*- - * NB: This function is inherently not constant time due to the - * RFC 5246 (8.1.2) padding style that strips leading zero bytes. - */ -int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) -{ - int ret = 0, i; - volatile size_t npad = 0, mask = 1; - - /* compute the key; ret is constant unless compute_key is external */ -#ifdef FIPS_MODULE - ret = ossl_dh_compute_key(key, pub_key, dh); -#else - ret = dh->meth->compute_key(key, pub_key, dh); -#endif - if (ret <= 0) - return ret; - - /* count leading zero bytes, yet still touch all bytes */ - for (i = 0; i < ret; i++) { - mask &= !key[i]; - npad += mask; - } - - /* unpad key */ - ret -= npad; - /* key-dependent memory access, potentially leaking npad / ret */ - memmove(key, key + npad, ret); - /* key-dependent memory access, potentially leaking npad / ret */ - memset(key + ret, 0, npad); - - return ret; -} - -int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) -{ - int rv, pad; - - /* rv is constant unless compute_key is external */ -#ifdef FIPS_MODULE - rv = ossl_dh_compute_key(key, pub_key, dh); -#else - rv = dh->meth->compute_key(key, pub_key, dh); -#endif - if (rv <= 0) - return rv; - pad = BN_num_bytes(dh->params.p) - rv; - /* pad is constant (zero) unless compute_key is external */ - if (pad > 0) { - memmove(key + pad, key, rv); - memset(key, 0, pad); - } - return rv + pad; -} - -static DH_METHOD dh_ossl = { - "OpenSSL DH Method", - generate_key, - ossl_dh_compute_key, - dh_bn_mod_exp, - dh_init, - dh_finish, - DH_FLAG_FIPS_METHOD, - NULL, - NULL -}; - -static const DH_METHOD *default_DH_method = &dh_ossl; - -const DH_METHOD *DH_OpenSSL(void) -{ - return &dh_ossl; -} - -const DH_METHOD *DH_get_default_method(void) -{ - return default_DH_method; -} - -static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, - const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) -{ - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); -} - -static int dh_init(DH *dh) -{ - dh->flags |= DH_FLAG_CACHE_MONT_P; - dh->dirty_cnt++; - return 1; -} - -static int dh_finish(DH *dh) -{ - BN_MONT_CTX_free(dh->method_mont_p); - return 1; -} - -#ifndef FIPS_MODULE -void DH_set_default_method(const DH_METHOD *meth) -{ - default_DH_method = meth; -} -#endif /* FIPS_MODULE */ - -int DH_generate_key(DH *dh) -{ -#ifdef FIPS_MODULE - return generate_key(dh); -#else - return dh->meth->generate_key(dh); -#endif -} - -int ossl_dh_generate_public_key(BN_CTX *ctx, const DH *dh, - const BIGNUM *priv_key, BIGNUM *pub_key) -{ - int ret = 0; - BIGNUM *prk = BN_new(); - BN_MONT_CTX *mont = NULL; - - if (prk == NULL) - return 0; - - if (dh->flags & DH_FLAG_CACHE_MONT_P) { - /* - * We take the input DH as const, but we lie, because in some cases we - * want to get a hold of its Montgomery context. - * - * We cast to remove the const qualifier in this case, it should be - * fine... - */ - BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p; - - mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx); - if (mont == NULL) - goto err; - } - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - - /* pub_key = g^priv_key mod p */ - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->params.g, prk, dh->params.p, - ctx, mont)) - goto err; - ret = 1; -err: - BN_clear_free(prk); - return ret; -} - -static int generate_key(DH *dh) -{ - int ok = 0; - int generate_new_key = 0; -#ifndef FIPS_MODULE - unsigned l; -#endif - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - - if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); - return 0; - } - - if (dh->params.q != NULL - && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); - return 0; - } - - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; - } - - ctx = BN_CTX_new_ex(dh->libctx); - if (ctx == NULL) - goto err; - - if (dh->priv_key == NULL) { - priv_key = BN_secure_new(); - if (priv_key == NULL) - goto err; - generate_new_key = 1; - } else { - priv_key = dh->priv_key; - } - - if (dh->pub_key == NULL) { - pub_key = BN_new(); - if (pub_key == NULL) - goto err; - } else { - pub_key = dh->pub_key; - } - if (generate_new_key) { - /* Is it an approved safe prime ?*/ - if (DH_get_nid(dh) != NID_undef) { - int max_strength = - ossl_ifc_ffc_compute_security_bits(BN_num_bits(dh->params.p)); - - if (dh->params.q == NULL - || dh->length > BN_num_bits(dh->params.q)) - goto err; - /* dh->length = maximum bit length of generated private key */ - if (!ossl_ffc_generate_private_key(ctx, &dh->params, dh->length, - max_strength, priv_key)) - goto err; - } else { -#ifdef FIPS_MODULE - if (dh->params.q == NULL) - goto err; -#else - if (dh->params.q == NULL) { - /* secret exponent length, must satisfy 2^(l-1) <= p */ - if (dh->length != 0 - && dh->length >= BN_num_bits(dh->params.p)) - goto err; - l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1; - if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE, - BN_RAND_BOTTOM_ANY, 0, ctx)) - goto err; - /* - * We handle just one known case where g is a quadratic non-residue: - * for g = 2: p % 8 == 3 - */ - if (BN_is_word(dh->params.g, DH_GENERATOR_2) - && !BN_is_bit_set(dh->params.p, 2)) { - /* clear bit 0, since it won't be a secret anyway */ - if (!BN_clear_bit(priv_key, 0)) - goto err; - } - } else -#endif - { - /* Do a partial check for invalid p, q, g */ - if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, - FFC_PARAM_TYPE_DH, NULL)) - goto err; - /* - * For FFC FIPS 186-4 keygen - * security strength s = 112, - * Max Private key size N = len(q) - */ - if (!ossl_ffc_generate_private_key(ctx, &dh->params, - BN_num_bits(dh->params.q), - MIN_STRENGTH, - priv_key)) - goto err; - } - } - } - - if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) - goto err; - - dh->pub_key = pub_key; - dh->priv_key = priv_key; - dh->dirty_cnt++; - ok = 1; - err: - if (ok != 1) - ERR_raise(ERR_LIB_DH, ERR_R_BN_LIB); - - if (pub_key != dh->pub_key) - BN_free(pub_key); - if (priv_key != dh->priv_key) - BN_free(priv_key); - BN_CTX_free(ctx); - return ok; -} - -int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len) -{ - int err_reason = DH_R_BN_ERROR; - BIGNUM *pubkey = NULL; - const BIGNUM *p; - int ret; - - if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL) - goto err; - DH_get0_pqg(dh, &p, NULL, NULL); - if (p == NULL || BN_num_bytes(p) == 0) { - err_reason = DH_R_NO_PARAMETERS_SET; - goto err; - } - /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */ - if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) { - err_reason = DH_R_INVALID_PUBKEY; - goto err; - } - if (DH_set0_key(dh, pubkey, NULL) != 1) - goto err; - return 1; -err: - ERR_raise(ERR_LIB_DH, err_reason); - BN_free(pubkey); - return 0; -} - -size_t ossl_dh_key2buf(const DH *dh, unsigned char **pbuf_out, size_t size, - int alloc) -{ - const BIGNUM *pubkey; - unsigned char *pbuf = NULL; - const BIGNUM *p; - int p_size; - - DH_get0_pqg(dh, &p, NULL, NULL); - DH_get0_key(dh, &pubkey, NULL); - if (p == NULL || pubkey == NULL - || (p_size = BN_num_bytes(p)) == 0 - || BN_num_bytes(pubkey) == 0) { - ERR_raise(ERR_LIB_DH, DH_R_INVALID_PUBKEY); - return 0; - } - if (pbuf_out != NULL && (alloc || *pbuf_out != NULL)) { - if (!alloc) { - if (size >= (size_t)p_size) - pbuf = *pbuf_out; - } else { - pbuf = OPENSSL_malloc(p_size); - } - - if (pbuf == NULL) { - ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); - return 0; - } - /* - * As per Section 4.2.8.1 of RFC 8446 left pad public - * key with zeros to the size of p - */ - if (BN_bn2binpad(pubkey, pbuf, p_size) < 0) { - if (alloc) - OPENSSL_free(pbuf); - ERR_raise(ERR_LIB_DH, DH_R_BN_ERROR); - return 0; - } - *pbuf_out = pbuf; - } - return p_size; -} diff --git a/prebuilt/openssl/openssl-3.0.13_files/crypto/err/openssl.txt b/prebuilt/openssl/openssl-3.0.13_files/crypto/err/openssl.txt deleted file mode 100644 index 36de321b..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/crypto/err/openssl.txt +++ /dev/null @@ -1,1714 +0,0 @@ -# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -#Reason codes -ASN1_R_ADDING_OBJECT:171:adding object -ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error -ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error -ASN1_R_AUX_ERROR:100:aux error -ASN1_R_BAD_OBJECT_HEADER:102:bad object header -ASN1_R_BAD_TEMPLATE:230:bad template -ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length -ASN1_R_BN_LIB:105:bn lib -ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length -ASN1_R_BUFFER_TOO_SMALL:107:buffer too small -ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER:108:cipher has no object identifier -ASN1_R_CONTEXT_NOT_INITIALISED:217:context not initialised -ASN1_R_DATA_IS_WRONG:109:data is wrong -ASN1_R_DECODE_ERROR:110:decode error -ASN1_R_DEPTH_EXCEEDED:174:depth exceeded -ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED:198:digest and key type not supported -ASN1_R_ENCODE_ERROR:112:encode error -ASN1_R_ERROR_GETTING_TIME:173:error getting time -ASN1_R_ERROR_LOADING_SECTION:172:error loading section -ASN1_R_ERROR_SETTING_CIPHER_PARAMS:114:error setting cipher params -ASN1_R_EXPECTING_AN_INTEGER:115:expecting an integer -ASN1_R_EXPECTING_AN_OBJECT:116:expecting an object -ASN1_R_EXPLICIT_LENGTH_MISMATCH:119:explicit length mismatch -ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED:120:explicit tag not constructed -ASN1_R_FIELD_MISSING:121:field missing -ASN1_R_FIRST_NUM_TOO_LARGE:122:first num too large -ASN1_R_HEADER_TOO_LONG:123:header too long -ASN1_R_ILLEGAL_BITSTRING_FORMAT:175:illegal bitstring format -ASN1_R_ILLEGAL_BOOLEAN:176:illegal boolean -ASN1_R_ILLEGAL_CHARACTERS:124:illegal characters -ASN1_R_ILLEGAL_FORMAT:177:illegal format -ASN1_R_ILLEGAL_HEX:178:illegal hex -ASN1_R_ILLEGAL_IMPLICIT_TAG:179:illegal implicit tag -ASN1_R_ILLEGAL_INTEGER:180:illegal integer -ASN1_R_ILLEGAL_NEGATIVE_VALUE:226:illegal negative value -ASN1_R_ILLEGAL_NESTED_TAGGING:181:illegal nested tagging -ASN1_R_ILLEGAL_NULL:125:illegal null -ASN1_R_ILLEGAL_NULL_VALUE:182:illegal null value -ASN1_R_ILLEGAL_OBJECT:183:illegal object -ASN1_R_ILLEGAL_OPTIONAL_ANY:126:illegal optional any -ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE:170:illegal options on item template -ASN1_R_ILLEGAL_PADDING:221:illegal padding -ASN1_R_ILLEGAL_TAGGED_ANY:127:illegal tagged any -ASN1_R_ILLEGAL_TIME_VALUE:184:illegal time value -ASN1_R_ILLEGAL_ZERO_CONTENT:222:illegal zero content -ASN1_R_INTEGER_NOT_ASCII_FORMAT:185:integer not ascii format -ASN1_R_INTEGER_TOO_LARGE_FOR_LONG:128:integer too large for long -ASN1_R_INVALID_BIT_STRING_BITS_LEFT:220:invalid bit string bits left -ASN1_R_INVALID_BMPSTRING_LENGTH:129:invalid bmpstring length -ASN1_R_INVALID_DIGIT:130:invalid digit -ASN1_R_INVALID_MIME_TYPE:205:invalid mime type -ASN1_R_INVALID_MODIFIER:186:invalid modifier -ASN1_R_INVALID_NUMBER:187:invalid number -ASN1_R_INVALID_OBJECT_ENCODING:216:invalid object encoding -ASN1_R_INVALID_SCRYPT_PARAMETERS:227:invalid scrypt parameters -ASN1_R_INVALID_SEPARATOR:131:invalid separator -ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value -ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length -ASN1_R_INVALID_UTF8STRING:134:invalid utf8string -ASN1_R_INVALID_VALUE:219:invalid value -ASN1_R_LENGTH_TOO_LONG:231:length too long -ASN1_R_LIST_ERROR:188:list error -ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type -ASN1_R_MIME_PARSE_ERROR:207:mime parse error -ASN1_R_MIME_SIG_PARSE_ERROR:208:mime sig parse error -ASN1_R_MISSING_EOC:137:missing eoc -ASN1_R_MISSING_SECOND_NUMBER:138:missing second number -ASN1_R_MISSING_VALUE:189:missing value -ASN1_R_MSTRING_NOT_UNIVERSAL:139:mstring not universal -ASN1_R_MSTRING_WRONG_TAG:140:mstring wrong tag -ASN1_R_NESTED_ASN1_STRING:197:nested asn1 string -ASN1_R_NESTED_TOO_DEEP:201:nested too deep -ASN1_R_NON_HEX_CHARACTERS:141:non hex characters -ASN1_R_NOT_ASCII_FORMAT:190:not ascii format -ASN1_R_NOT_ENOUGH_DATA:142:not enough data -ASN1_R_NO_CONTENT_TYPE:209:no content type -ASN1_R_NO_MATCHING_CHOICE_TYPE:143:no matching choice type -ASN1_R_NO_MULTIPART_BODY_FAILURE:210:no multipart body failure -ASN1_R_NO_MULTIPART_BOUNDARY:211:no multipart boundary -ASN1_R_NO_SIG_CONTENT_TYPE:212:no sig content type -ASN1_R_NULL_IS_WRONG_LENGTH:144:null is wrong length -ASN1_R_OBJECT_NOT_ASCII_FORMAT:191:object not ascii format -ASN1_R_ODD_NUMBER_OF_CHARS:145:odd number of chars -ASN1_R_SECOND_NUMBER_TOO_LARGE:147:second number too large -ASN1_R_SEQUENCE_LENGTH_MISMATCH:148:sequence length mismatch -ASN1_R_SEQUENCE_NOT_CONSTRUCTED:149:sequence not constructed -ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG:192:sequence or set needs config -ASN1_R_SHORT_LINE:150:short line -ASN1_R_SIG_INVALID_MIME_TYPE:213:sig invalid mime type -ASN1_R_STREAMING_NOT_SUPPORTED:202:streaming not supported -ASN1_R_STRING_TOO_LONG:151:string too long -ASN1_R_STRING_TOO_SHORT:152:string too short -ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD:154:\ - the asn1 object identifier is not known for this md -ASN1_R_TIME_NOT_ASCII_FORMAT:193:time not ascii format -ASN1_R_TOO_LARGE:223:too large -ASN1_R_TOO_LONG:155:too long -ASN1_R_TOO_SMALL:224:too small -ASN1_R_TYPE_NOT_CONSTRUCTED:156:type not constructed -ASN1_R_TYPE_NOT_PRIMITIVE:195:type not primitive -ASN1_R_UNEXPECTED_EOC:159:unexpected eoc -ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH:215:universalstring is wrong length -ASN1_R_UNKNOWN_DIGEST:229:unknown digest -ASN1_R_UNKNOWN_FORMAT:160:unknown format -ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM:161:unknown message digest algorithm -ASN1_R_UNKNOWN_OBJECT_TYPE:162:unknown object type -ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE:163:unknown public key type -ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM:199:unknown signature algorithm -ASN1_R_UNKNOWN_TAG:194:unknown tag -ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE:164:unsupported any defined by type -ASN1_R_UNSUPPORTED_CIPHER:228:unsupported cipher -ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE:167:unsupported public key type -ASN1_R_UNSUPPORTED_TYPE:196:unsupported type -ASN1_R_WRONG_INTEGER_TYPE:225:wrong integer type -ASN1_R_WRONG_PUBLIC_KEY_TYPE:200:wrong public key type -ASN1_R_WRONG_TAG:168:wrong tag -ASYNC_R_FAILED_TO_SET_POOL:101:failed to set pool -ASYNC_R_FAILED_TO_SWAP_CONTEXT:102:failed to swap context -ASYNC_R_INIT_FAILED:105:init failed -ASYNC_R_INVALID_POOL_SIZE:103:invalid pool size -BIO_R_ACCEPT_ERROR:100:accept error -BIO_R_ADDRINFO_ADDR_IS_NOT_AF_INET:141:addrinfo addr is not af inet -BIO_R_AMBIGUOUS_HOST_OR_SERVICE:129:ambiguous host or service -BIO_R_BAD_FOPEN_MODE:101:bad fopen mode -BIO_R_BROKEN_PIPE:124:broken pipe -BIO_R_CONNECT_ERROR:103:connect error -BIO_R_CONNECT_TIMEOUT:147:connect timeout -BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET:107:gethostbyname addr is not af inet -BIO_R_GETSOCKNAME_ERROR:132:getsockname error -BIO_R_GETSOCKNAME_TRUNCATED_ADDRESS:133:getsockname truncated address -BIO_R_GETTING_SOCKTYPE:134:getting socktype -BIO_R_INVALID_ARGUMENT:125:invalid argument -BIO_R_INVALID_SOCKET:135:invalid socket -BIO_R_IN_USE:123:in use -BIO_R_LENGTH_TOO_LONG:102:length too long -BIO_R_LISTEN_V6_ONLY:136:listen v6 only -BIO_R_LOOKUP_RETURNED_NOTHING:142:lookup returned nothing -BIO_R_MALFORMED_HOST_OR_SERVICE:130:malformed host or service -BIO_R_NBIO_CONNECT_ERROR:110:nbio connect error -BIO_R_NO_ACCEPT_ADDR_OR_SERVICE_SPECIFIED:143:\ - no accept addr or service specified -BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED:144:no hostname or service specified -BIO_R_NO_PORT_DEFINED:113:no port defined -BIO_R_NO_SUCH_FILE:128:no such file -BIO_R_TRANSFER_ERROR:104:transfer error -BIO_R_TRANSFER_TIMEOUT:105:transfer timeout -BIO_R_UNABLE_TO_BIND_SOCKET:117:unable to bind socket -BIO_R_UNABLE_TO_CREATE_SOCKET:118:unable to create socket -BIO_R_UNABLE_TO_KEEPALIVE:137:unable to keepalive -BIO_R_UNABLE_TO_LISTEN_SOCKET:119:unable to listen socket -BIO_R_UNABLE_TO_NODELAY:138:unable to nodelay -BIO_R_UNABLE_TO_REUSEADDR:139:unable to reuseaddr -BIO_R_UNAVAILABLE_IP_FAMILY:145:unavailable ip family -BIO_R_UNINITIALIZED:120:uninitialized -BIO_R_UNKNOWN_INFO_TYPE:140:unknown info type -BIO_R_UNSUPPORTED_IP_FAMILY:146:unsupported ip family -BIO_R_UNSUPPORTED_METHOD:121:unsupported method -BIO_R_UNSUPPORTED_PROTOCOL_FAMILY:131:unsupported protocol family -BIO_R_WRITE_TO_READ_ONLY_BIO:126:write to read only BIO -BIO_R_WSASTARTUP:122:WSAStartup -BN_R_ARG2_LT_ARG3:100:arg2 lt arg3 -BN_R_BAD_RECIPROCAL:101:bad reciprocal -BN_R_BIGNUM_TOO_LONG:114:bignum too long -BN_R_BITS_TOO_SMALL:118:bits too small -BN_R_CALLED_WITH_EVEN_MODULUS:102:called with even modulus -BN_R_DIV_BY_ZERO:103:div by zero -BN_R_ENCODING_ERROR:104:encoding error -BN_R_EXPAND_ON_STATIC_BIGNUM_DATA:105:expand on static bignum data -BN_R_INPUT_NOT_REDUCED:110:input not reduced -BN_R_INVALID_LENGTH:106:invalid length -BN_R_INVALID_RANGE:115:invalid range -BN_R_INVALID_SHIFT:119:invalid shift -BN_R_NOT_A_SQUARE:111:not a square -BN_R_NOT_INITIALIZED:107:not initialized -BN_R_NO_INVERSE:108:no inverse -BN_R_NO_PRIME_CANDIDATE:121:no prime candidate -BN_R_NO_SOLUTION:116:no solution -BN_R_NO_SUITABLE_DIGEST:120:no suitable digest -BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large -BN_R_P_IS_NOT_PRIME:112:p is not prime -BN_R_TOO_MANY_ITERATIONS:113:too many iterations -BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables -CMP_R_ALGORITHM_NOT_SUPPORTED:139:algorithm not supported -CMP_R_BAD_CHECKAFTER_IN_POLLREP:167:bad checkafter in pollrep -CMP_R_BAD_REQUEST_ID:108:bad request id -CMP_R_CERTHASH_UNMATCHED:156:certhash unmatched -CMP_R_CERTID_NOT_FOUND:109:certid not found -CMP_R_CERTIFICATE_NOT_ACCEPTED:169:certificate not accepted -CMP_R_CERTIFICATE_NOT_FOUND:112:certificate not found -CMP_R_CERTREQMSG_NOT_FOUND:157:certreqmsg not found -CMP_R_CERTRESPONSE_NOT_FOUND:113:certresponse not found -CMP_R_CERT_AND_KEY_DO_NOT_MATCH:114:cert and key do not match -CMP_R_CHECKAFTER_OUT_OF_RANGE:181:checkafter out of range -CMP_R_ENCOUNTERED_KEYUPDATEWARNING:176:encountered keyupdatewarning -CMP_R_ENCOUNTERED_WAITING:162:encountered waiting -CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection -CMP_R_ERROR_CREATING_CERTCONF:116:error creating certconf -CMP_R_ERROR_CREATING_CERTREP:117:error creating certrep -CMP_R_ERROR_CREATING_CERTREQ:163:error creating certreq -CMP_R_ERROR_CREATING_ERROR:118:error creating error -CMP_R_ERROR_CREATING_GENM:119:error creating genm -CMP_R_ERROR_CREATING_GENP:120:error creating genp -CMP_R_ERROR_CREATING_PKICONF:122:error creating pkiconf -CMP_R_ERROR_CREATING_POLLREP:123:error creating pollrep -CMP_R_ERROR_CREATING_POLLREQ:124:error creating pollreq -CMP_R_ERROR_CREATING_RP:125:error creating rp -CMP_R_ERROR_CREATING_RR:126:error creating rr -CMP_R_ERROR_PARSING_PKISTATUS:107:error parsing pkistatus -CMP_R_ERROR_PROCESSING_MESSAGE:158:error processing message -CMP_R_ERROR_PROTECTING_MESSAGE:127:error protecting message -CMP_R_ERROR_SETTING_CERTHASH:128:error setting certhash -CMP_R_ERROR_UNEXPECTED_CERTCONF:160:error unexpected certconf -CMP_R_ERROR_VALIDATING_PROTECTION:140:error validating protection -CMP_R_ERROR_VALIDATING_SIGNATURE:171:error validating signature -CMP_R_FAILED_BUILDING_OWN_CHAIN:164:failed building own chain -CMP_R_FAILED_EXTRACTING_PUBKEY:141:failed extracting pubkey -CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random -CMP_R_FAIL_INFO_OUT_OF_RANGE:129:fail info out of range -CMP_R_INVALID_ARGS:100:invalid args -CMP_R_INVALID_OPTION:174:invalid option -CMP_R_MISSING_CERTID:165:missing certid -CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\ - missing key input for creating protection -CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature -CMP_R_MISSING_P10CSR:121:missing p10csr -CMP_R_MISSING_PBM_SECRET:166:missing pbm secret -CMP_R_MISSING_PRIVATE_KEY:131:missing private key -CMP_R_MISSING_PRIVATE_KEY_FOR_POPO:190:missing private key for popo -CMP_R_MISSING_PROTECTION:143:missing protection -CMP_R_MISSING_PUBLIC_KEY:183:missing public key -CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert -CMP_R_MISSING_SECRET:178:missing secret -CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification -CMP_R_MISSING_TRUST_ANCHOR:179:missing trust anchor -CMP_R_MISSING_TRUST_STORE:144:missing trust store -CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED:161:multiple requests not supported -CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED:170:multiple responses not supported -CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources -CMP_R_NO_STDIO:194:no stdio -CMP_R_NO_SUITABLE_SENDER_CERT:145:no suitable sender cert -CMP_R_NULL_ARGUMENT:103:null argument -CMP_R_PKIBODY_ERROR:146:pkibody error -CMP_R_PKISTATUSINFO_NOT_FOUND:132:pkistatusinfo not found -CMP_R_POLLING_FAILED:172:polling failed -CMP_R_POTENTIALLY_INVALID_CERTIFICATE:147:potentially invalid certificate -CMP_R_RECEIVED_ERROR:180:received error -CMP_R_RECIPNONCE_UNMATCHED:148:recipnonce unmatched -CMP_R_REQUEST_NOT_ACCEPTED:149:request not accepted -CMP_R_REQUEST_REJECTED_BY_SERVER:182:request rejected by server -CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED:150:\ - sender generalname type not supported -CMP_R_SRVCERT_DOES_NOT_VALIDATE_MSG:151:srvcert does not validate msg -CMP_R_TOTAL_TIMEOUT:184:total timeout -CMP_R_TRANSACTIONID_UNMATCHED:152:transactionid unmatched -CMP_R_TRANSFER_ERROR:159:transfer error -CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody -CMP_R_UNEXPECTED_PKISTATUS:185:unexpected pkistatus -CMP_R_UNEXPECTED_PVNO:153:unexpected pvno -CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id -CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type -CMP_R_UNKNOWN_PKISTATUS:186:unknown pkistatus -CMP_R_UNSUPPORTED_ALGORITHM:136:unsupported algorithm -CMP_R_UNSUPPORTED_KEY_TYPE:137:unsupported key type -CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC:154:\ - unsupported protection alg dhbasedmac -CMP_R_VALUE_TOO_LARGE:175:value too large -CMP_R_VALUE_TOO_SMALL:177:value too small -CMP_R_WRONG_ALGORITHM_OID:138:wrong algorithm oid -CMP_R_WRONG_CERTID:189:wrong certid -CMP_R_WRONG_CERTID_IN_RP:187:wrong certid in rp -CMP_R_WRONG_PBM_VALUE:155:wrong pbm value -CMP_R_WRONG_RP_COMPONENT_COUNT:188:wrong rp component count -CMP_R_WRONG_SERIAL_IN_RP:173:wrong serial in rp -CMS_R_ADD_SIGNER_ERROR:99:add signer error -CMS_R_ATTRIBUTE_ERROR:161:attribute error -CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present -CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid -CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error -CMS_R_CIPHER_AEAD_SET_TAG_ERROR:184:cipher aead set tag error -CMS_R_CIPHER_GET_TAG:185:cipher get tag -CMS_R_CIPHER_INITIALISATION_ERROR:101:cipher initialisation error -CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR:102:\ - cipher parameter initialisation error -CMS_R_CMS_DATAFINAL_ERROR:103:cms datafinal error -CMS_R_CMS_LIB:104:cms lib -CMS_R_CONTENTIDENTIFIER_MISMATCH:170:contentidentifier mismatch -CMS_R_CONTENT_NOT_FOUND:105:content not found -CMS_R_CONTENT_TYPE_MISMATCH:171:content type mismatch -CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA:106:content type not compressed data -CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA:107:content type not enveloped data -CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA:108:content type not signed data -CMS_R_CONTENT_VERIFY_ERROR:109:content verify error -CMS_R_CTRL_ERROR:110:ctrl error -CMS_R_CTRL_FAILURE:111:ctrl failure -CMS_R_DECODE_ERROR:187:decode error -CMS_R_DECRYPT_ERROR:112:decrypt error -CMS_R_ERROR_GETTING_PUBLIC_KEY:113:error getting public key -CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE:114:\ - error reading messagedigest attribute -CMS_R_ERROR_SETTING_KEY:115:error setting key -CMS_R_ERROR_SETTING_RECIPIENTINFO:116:error setting recipientinfo -CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR:183:ess signing certid mismatch error -CMS_R_INVALID_ENCRYPTED_KEY_LENGTH:117:invalid encrypted key length -CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER:176:invalid key encryption parameter -CMS_R_INVALID_KEY_LENGTH:118:invalid key length -CMS_R_INVALID_LABEL:190:invalid label -CMS_R_INVALID_OAEP_PARAMETERS:191:invalid oaep parameters -CMS_R_KDF_PARAMETER_ERROR:186:kdf parameter error -CMS_R_MD_BIO_INIT_ERROR:119:md bio init error -CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH:120:\ - messagedigest attribute wrong length -CMS_R_MESSAGEDIGEST_WRONG_LENGTH:121:messagedigest wrong length -CMS_R_MSGSIGDIGEST_ERROR:172:msgsigdigest error -CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE:162:msgsigdigest verification failure -CMS_R_MSGSIGDIGEST_WRONG_LENGTH:163:msgsigdigest wrong length -CMS_R_NEED_ONE_SIGNER:164:need one signer -CMS_R_NOT_A_SIGNED_RECEIPT:165:not a signed receipt -CMS_R_NOT_ENCRYPTED_DATA:122:not encrypted data -CMS_R_NOT_KEK:123:not kek -CMS_R_NOT_KEY_AGREEMENT:181:not key agreement -CMS_R_NOT_KEY_TRANSPORT:124:not key transport -CMS_R_NOT_PWRI:177:not pwri -CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:125:not supported for this key type -CMS_R_NO_CIPHER:126:no cipher -CMS_R_NO_CONTENT:127:no content -CMS_R_NO_CONTENT_TYPE:173:no content type -CMS_R_NO_DEFAULT_DIGEST:128:no default digest -CMS_R_NO_DIGEST_SET:129:no digest set -CMS_R_NO_KEY:130:no key -CMS_R_NO_KEY_OR_CERT:174:no key or cert -CMS_R_NO_MATCHING_DIGEST:131:no matching digest -CMS_R_NO_MATCHING_RECIPIENT:132:no matching recipient -CMS_R_NO_MATCHING_SIGNATURE:166:no matching signature -CMS_R_NO_MSGSIGDIGEST:167:no msgsigdigest -CMS_R_NO_PASSWORD:178:no password -CMS_R_NO_PRIVATE_KEY:133:no private key -CMS_R_NO_PUBLIC_KEY:134:no public key -CMS_R_NO_RECEIPT_REQUEST:168:no receipt request -CMS_R_NO_SIGNERS:135:no signers -CMS_R_PEER_KEY_ERROR:188:peer key error -CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:136:\ - private key does not match certificate -CMS_R_RECEIPT_DECODE_ERROR:169:receipt decode error -CMS_R_RECIPIENT_ERROR:137:recipient error -CMS_R_SHARED_INFO_ERROR:189:shared info error -CMS_R_SIGNER_CERTIFICATE_NOT_FOUND:138:signer certificate not found -CMS_R_SIGNFINAL_ERROR:139:signfinal error -CMS_R_SMIME_TEXT_ERROR:140:smime text error -CMS_R_STORE_INIT_ERROR:141:store init error -CMS_R_TYPE_NOT_COMPRESSED_DATA:142:type not compressed data -CMS_R_TYPE_NOT_DATA:143:type not data -CMS_R_TYPE_NOT_DIGESTED_DATA:144:type not digested data -CMS_R_TYPE_NOT_ENCRYPTED_DATA:145:type not encrypted data -CMS_R_TYPE_NOT_ENVELOPED_DATA:146:type not enveloped data -CMS_R_UNABLE_TO_FINALIZE_CONTEXT:147:unable to finalize context -CMS_R_UNKNOWN_CIPHER:148:unknown cipher -CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm -CMS_R_UNKNOWN_ID:150:unknown id -CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm -CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\ - unsupported content encryption algorithm -CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type -CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type -CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm -CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\ - unsupported key encryption algorithm -CMS_R_UNSUPPORTED_LABEL_SOURCE:193:unsupported label source -CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE:155:unsupported recipientinfo type -CMS_R_UNSUPPORTED_RECIPIENT_TYPE:154:unsupported recipient type -CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM:195:unsupported signature algorithm -CMS_R_UNSUPPORTED_TYPE:156:unsupported type -CMS_R_UNWRAP_ERROR:157:unwrap error -CMS_R_UNWRAP_FAILURE:180:unwrap failure -CMS_R_VERIFICATION_FAILURE:158:verification failure -CMS_R_WRAP_ERROR:159:wrap error -COMP_R_ZLIB_DEFLATE_ERROR:99:zlib deflate error -COMP_R_ZLIB_INFLATE_ERROR:100:zlib inflate error -COMP_R_ZLIB_NOT_SUPPORTED:101:zlib not supported -CONF_R_ERROR_LOADING_DSO:110:error loading dso -CONF_R_INVALID_PRAGMA:122:invalid pragma -CONF_R_LIST_CANNOT_BE_NULL:115:list cannot be null -CONF_R_MANDATORY_BRACES_IN_VARIABLE_EXPANSION:123:\ - mandatory braces in variable expansion -CONF_R_MISSING_CLOSE_SQUARE_BRACKET:100:missing close square bracket -CONF_R_MISSING_EQUAL_SIGN:101:missing equal sign -CONF_R_MISSING_INIT_FUNCTION:112:missing init function -CONF_R_MODULE_INITIALIZATION_ERROR:109:module initialization error -CONF_R_NO_CLOSE_BRACE:102:no close brace -CONF_R_NO_CONF:105:no conf -CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE:106:no conf or environment variable -CONF_R_NO_SECTION:107:no section -CONF_R_NO_SUCH_FILE:114:no such file -CONF_R_NO_VALUE:108:no value -CONF_R_NUMBER_TOO_LARGE:121:number too large -CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\ - openssl conf references missing section -CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include -CONF_R_RELATIVE_PATH:125:relative path -CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty -CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found -CONF_R_SSL_SECTION_EMPTY:119:ssl section empty -CONF_R_SSL_SECTION_NOT_FOUND:120:ssl section not found -CONF_R_UNABLE_TO_CREATE_NEW_SECTION:103:unable to create new section -CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name -CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long -CONF_R_VARIABLE_HAS_NO_VALUE:104:variable has no value -CRMF_R_BAD_PBM_ITERATIONCOUNT:100:bad pbm iterationcount -CRMF_R_CRMFERROR:102:crmferror -CRMF_R_ERROR:103:error -CRMF_R_ERROR_DECODING_CERTIFICATE:104:error decoding certificate -CRMF_R_ERROR_DECRYPTING_CERTIFICATE:105:error decrypting certificate -CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key -CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random -CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100 -CRMF_R_MALFORMED_IV:101:malformed iv -CRMF_R_NULL_ARGUMENT:109:null argument -CRMF_R_POPOSKINPUT_NOT_SUPPORTED:113:poposkinput not supported -CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY:117:popo inconsistent public key -CRMF_R_POPO_MISSING:121:popo missing -CRMF_R_POPO_MISSING_PUBLIC_KEY:118:popo missing public key -CRMF_R_POPO_MISSING_SUBJECT:119:popo missing subject -CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED:120:popo raverified not accepted -CRMF_R_SETTING_MAC_ALGOR_FAILURE:110:setting mac algor failure -CRMF_R_SETTING_OWF_ALGOR_FAILURE:111:setting owf algor failure -CRMF_R_UNSUPPORTED_ALGORITHM:112:unsupported algorithm -CRMF_R_UNSUPPORTED_CIPHER:114:unsupported cipher -CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO:115:\ - unsupported method for creating popo -CRMF_R_UNSUPPORTED_POPO_METHOD:116:unsupported popo method -CRYPTO_R_BAD_ALGORITHM_NAME:117:bad algorithm name -CRYPTO_R_CONFLICTING_NAMES:118:conflicting names -CRYPTO_R_HEX_STRING_TOO_SHORT:121:hex string too short -CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit -CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space -CRYPTO_R_INSUFFICIENT_PARAM_SIZE:107:insufficient param size -CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE:108:insufficient secure data space -CRYPTO_R_INVALID_NEGATIVE_VALUE:122:invalid negative value -CRYPTO_R_INVALID_NULL_ARGUMENT:109:invalid null argument -CRYPTO_R_INVALID_OSSL_PARAM_TYPE:110:invalid ossl param type -CRYPTO_R_ODD_NUMBER_OF_DIGITS:103:odd number of digits -CRYPTO_R_PROVIDER_ALREADY_EXISTS:104:provider already exists -CRYPTO_R_PROVIDER_SECTION_ERROR:105:provider section error -CRYPTO_R_RANDOM_SECTION_ERROR:119:random section error -CRYPTO_R_SECURE_MALLOC_FAILURE:111:secure malloc failure -CRYPTO_R_STRING_TOO_LONG:112:string too long -CRYPTO_R_TOO_MANY_BYTES:113:too many bytes -CRYPTO_R_TOO_MANY_RECORDS:114:too many records -CRYPTO_R_TOO_SMALL_BUFFER:116:too small buffer -CRYPTO_R_UNKNOWN_NAME_IN_RANDOM_SECTION:120:unknown name in random section -CRYPTO_R_ZERO_LENGTH_NUMBER:115:zero length number -CT_R_BASE64_DECODE_ERROR:108:base64 decode error -CT_R_INVALID_LOG_ID_LENGTH:100:invalid log id length -CT_R_LOG_CONF_INVALID:109:log conf invalid -CT_R_LOG_CONF_INVALID_KEY:110:log conf invalid key -CT_R_LOG_CONF_MISSING_DESCRIPTION:111:log conf missing description -CT_R_LOG_CONF_MISSING_KEY:112:log conf missing key -CT_R_LOG_KEY_INVALID:113:log key invalid -CT_R_SCT_FUTURE_TIMESTAMP:116:sct future timestamp -CT_R_SCT_INVALID:104:sct invalid -CT_R_SCT_INVALID_SIGNATURE:107:sct invalid signature -CT_R_SCT_LIST_INVALID:105:sct list invalid -CT_R_SCT_LOG_ID_MISMATCH:114:sct log id mismatch -CT_R_SCT_NOT_SET:106:sct not set -CT_R_SCT_UNSUPPORTED_VERSION:115:sct unsupported version -CT_R_UNRECOGNIZED_SIGNATURE_NID:101:unrecognized signature nid -CT_R_UNSUPPORTED_ENTRY_TYPE:102:unsupported entry type -CT_R_UNSUPPORTED_VERSION:103:unsupported version -DH_R_BAD_FFC_PARAMETERS:127:bad ffc parameters -DH_R_BAD_GENERATOR:101:bad generator -DH_R_BN_DECODE_ERROR:109:bn decode error -DH_R_BN_ERROR:106:bn error -DH_R_CHECK_INVALID_J_VALUE:115:check invalid j value -DH_R_CHECK_INVALID_Q_VALUE:116:check invalid q value -DH_R_CHECK_PUBKEY_INVALID:122:check pubkey invalid -DH_R_CHECK_PUBKEY_TOO_LARGE:123:check pubkey too large -DH_R_CHECK_PUBKEY_TOO_SMALL:124:check pubkey too small -DH_R_CHECK_P_NOT_PRIME:117:check p not prime -DH_R_CHECK_P_NOT_SAFE_PRIME:118:check p not safe prime -DH_R_CHECK_Q_NOT_PRIME:119:check q not prime -DH_R_DECODE_ERROR:104:decode error -DH_R_INVALID_PARAMETER_NAME:110:invalid parameter name -DH_R_INVALID_PARAMETER_NID:114:invalid parameter nid -DH_R_INVALID_PUBKEY:102:invalid public key -DH_R_INVALID_SECRET:128:invalid secret -DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error -DH_R_KEYS_NOT_SET:108:keys not set -DH_R_MISSING_PUBKEY:125:missing pubkey -DH_R_MODULUS_TOO_LARGE:103:modulus too large -DH_R_MODULUS_TOO_SMALL:126:modulus too small -DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator -DH_R_NO_PARAMETERS_SET:107:no parameters set -DH_R_NO_PRIVATE_VALUE:100:no private value -DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error -DH_R_PEER_KEY_ERROR:111:peer key error -DH_R_Q_TOO_LARGE:130:q too large -DH_R_SHARED_INFO_ERROR:113:shared info error -DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator -DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -DSA_R_BAD_Q_VALUE:102:bad q value -DSA_R_BN_DECODE_ERROR:108:bn decode error -DSA_R_BN_ERROR:109:bn error -DSA_R_DECODE_ERROR:104:decode error -DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type -DSA_R_INVALID_PARAMETERS:112:invalid parameters -DSA_R_MISSING_PARAMETERS:101:missing parameters -DSA_R_MISSING_PRIVATE_KEY:111:missing private key -DSA_R_MODULUS_TOO_LARGE:103:modulus too large -DSA_R_NO_PARAMETERS_SET:107:no parameters set -DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error -DSA_R_P_NOT_PRIME:115:p not prime -DSA_R_Q_NOT_PRIME:113:q not prime -DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q -DSA_R_TOO_MANY_RETRIES:116:too many retries -DSO_R_CTRL_FAILED:100:control command failed -DSO_R_DSO_ALREADY_LOADED:110:dso already loaded -DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure -DSO_R_FAILURE:114:failure -DSO_R_FILENAME_TOO_BIG:101:filename too big -DSO_R_FINISH_FAILED:102:cleanup method function failed -DSO_R_INCORRECT_FILE_SYNTAX:115:incorrect file syntax -DSO_R_LOAD_FAILED:103:could not load the shared library -DSO_R_NAME_TRANSLATION_FAILED:109:name translation failed -DSO_R_NO_FILENAME:111:no filename -DSO_R_NULL_HANDLE:104:a null shared library handle was used -DSO_R_SET_FILENAME_FAILED:112:set filename failed -DSO_R_STACK_ERROR:105:the meth_data stack is corrupt -DSO_R_SYM_FAILURE:106:could not bind to the requested symbol name -DSO_R_UNLOAD_FAILED:107:could not unload the shared library -DSO_R_UNSUPPORTED:108:functionality not supported -EC_R_ASN1_ERROR:115:asn1 error -EC_R_BAD_SIGNATURE:156:bad signature -EC_R_BIGNUM_OUT_OF_RANGE:144:bignum out of range -EC_R_BUFFER_TOO_SMALL:100:buffer too small -EC_R_CANNOT_INVERT:165:cannot invert -EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range -EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh -EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa -EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing -EC_R_DECODE_ERROR:142:decode error -EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero -EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure -EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported -EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key -EC_R_FIELD_TOO_LARGE:143:field too large -EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported -EC_R_GROUP2PKPARAMETERS_FAILURE:120:group2pkparameters failure -EC_R_I2D_ECPKPARAMETERS_FAILURE:121:i2d ecpkparameters failure -EC_R_INCOMPATIBLE_OBJECTS:101:incompatible objects -EC_R_INVALID_A:168:invalid a -EC_R_INVALID_ARGUMENT:112:invalid argument -EC_R_INVALID_B:169:invalid b -EC_R_INVALID_COFACTOR:171:invalid cofactor -EC_R_INVALID_COMPRESSED_POINT:110:invalid compressed point -EC_R_INVALID_COMPRESSION_BIT:109:invalid compression bit -EC_R_INVALID_CURVE:141:invalid curve -EC_R_INVALID_DIGEST:151:invalid digest -EC_R_INVALID_DIGEST_TYPE:138:invalid digest type -EC_R_INVALID_ENCODING:102:invalid encoding -EC_R_INVALID_FIELD:103:invalid field -EC_R_INVALID_FORM:104:invalid form -EC_R_INVALID_GENERATOR:173:invalid generator -EC_R_INVALID_GROUP_ORDER:122:invalid group order -EC_R_INVALID_KEY:116:invalid key -EC_R_INVALID_LENGTH:117:invalid length -EC_R_INVALID_NAMED_GROUP_CONVERSION:174:invalid named group conversion -EC_R_INVALID_OUTPUT_LENGTH:161:invalid output length -EC_R_INVALID_P:172:invalid p -EC_R_INVALID_PEER_KEY:133:invalid peer key -EC_R_INVALID_PENTANOMIAL_BASIS:132:invalid pentanomial basis -EC_R_INVALID_PRIVATE_KEY:123:invalid private key -EC_R_INVALID_SEED:175:invalid seed -EC_R_INVALID_TRINOMIAL_BASIS:137:invalid trinomial basis -EC_R_KDF_PARAMETER_ERROR:148:kdf parameter error -EC_R_KEYS_NOT_SET:140:keys not set -EC_R_LADDER_POST_FAILURE:136:ladder post failure -EC_R_LADDER_PRE_FAILURE:153:ladder pre failure -EC_R_LADDER_STEP_FAILURE:162:ladder step failure -EC_R_MISSING_OID:167:missing OID -EC_R_MISSING_PARAMETERS:124:missing parameters -EC_R_MISSING_PRIVATE_KEY:125:missing private key -EC_R_NEED_NEW_SETUP_VALUES:157:need new setup values -EC_R_NOT_A_NIST_PRIME:135:not a NIST prime -EC_R_NOT_IMPLEMENTED:126:not implemented -EC_R_NOT_INITIALIZED:111:not initialized -EC_R_NO_PARAMETERS_SET:139:no parameters set -EC_R_NO_PRIVATE_VALUE:154:no private value -EC_R_OPERATION_NOT_SUPPORTED:152:operation not supported -EC_R_PASSED_NULL_PARAMETER:134:passed null parameter -EC_R_PEER_KEY_ERROR:149:peer key error -EC_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure -EC_R_POINT_AT_INFINITY:106:point at infinity -EC_R_POINT_COORDINATES_BLIND_FAILURE:163:point coordinates blind failure -EC_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve -EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed -EC_R_SHARED_INFO_ERROR:150:shared info error -EC_R_SLOT_FULL:108:slot full -EC_R_TOO_MANY_RETRIES:176:too many retries -EC_R_UNDEFINED_GENERATOR:113:undefined generator -EC_R_UNDEFINED_ORDER:128:undefined order -EC_R_UNKNOWN_COFACTOR:164:unknown cofactor -EC_R_UNKNOWN_GROUP:129:unknown group -EC_R_UNKNOWN_ORDER:114:unknown order -EC_R_UNSUPPORTED_FIELD:131:unsupported field -EC_R_WRONG_CURVE_PARAMETERS:145:wrong curve parameters -EC_R_WRONG_ORDER:130:wrong order -ENGINE_R_ALREADY_LOADED:100:already loaded -ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER:133:argument is not a number -ENGINE_R_CMD_NOT_EXECUTABLE:134:cmd not executable -ENGINE_R_COMMAND_TAKES_INPUT:135:command takes input -ENGINE_R_COMMAND_TAKES_NO_INPUT:136:command takes no input -ENGINE_R_CONFLICTING_ENGINE_ID:103:conflicting engine id -ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED:119:ctrl command not implemented -ENGINE_R_DSO_FAILURE:104:DSO failure -ENGINE_R_DSO_NOT_FOUND:132:dso not found -ENGINE_R_ENGINES_SECTION_ERROR:148:engines section error -ENGINE_R_ENGINE_CONFIGURATION_ERROR:102:engine configuration error -ENGINE_R_ENGINE_IS_NOT_IN_LIST:105:engine is not in the list -ENGINE_R_ENGINE_SECTION_ERROR:149:engine section error -ENGINE_R_FAILED_LOADING_PRIVATE_KEY:128:failed loading private key -ENGINE_R_FAILED_LOADING_PUBLIC_KEY:129:failed loading public key -ENGINE_R_FINISH_FAILED:106:finish failed -ENGINE_R_ID_OR_NAME_MISSING:108:'id' or 'name' missing -ENGINE_R_INIT_FAILED:109:init failed -ENGINE_R_INTERNAL_LIST_ERROR:110:internal list error -ENGINE_R_INVALID_ARGUMENT:143:invalid argument -ENGINE_R_INVALID_CMD_NAME:137:invalid cmd name -ENGINE_R_INVALID_CMD_NUMBER:138:invalid cmd number -ENGINE_R_INVALID_INIT_VALUE:151:invalid init value -ENGINE_R_INVALID_STRING:150:invalid string -ENGINE_R_NOT_INITIALISED:117:not initialised -ENGINE_R_NOT_LOADED:112:not loaded -ENGINE_R_NO_CONTROL_FUNCTION:120:no control function -ENGINE_R_NO_INDEX:144:no index -ENGINE_R_NO_LOAD_FUNCTION:125:no load function -ENGINE_R_NO_REFERENCE:130:no reference -ENGINE_R_NO_SUCH_ENGINE:116:no such engine -ENGINE_R_UNIMPLEMENTED_CIPHER:146:unimplemented cipher -ENGINE_R_UNIMPLEMENTED_DIGEST:147:unimplemented digest -ENGINE_R_UNIMPLEMENTED_PUBLIC_KEY_METHOD:101:unimplemented public key method -ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility -ESS_R_EMPTY_ESS_CERT_ID_LIST:107:empty ess cert id list -ESS_R_ESS_CERT_DIGEST_ERROR:103:ess cert digest error -ESS_R_ESS_CERT_ID_NOT_FOUND:104:ess cert id not found -ESS_R_ESS_CERT_ID_WRONG_ORDER:105:ess cert id wrong order -ESS_R_ESS_DIGEST_ALG_UNKNOWN:106:ess digest alg unknown -ESS_R_ESS_SIGNING_CERTIFICATE_ERROR:102:ess signing certificate error -ESS_R_ESS_SIGNING_CERT_ADD_ERROR:100:ess signing cert add error -ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR:101:ess signing cert v2 add error -ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE:108:\ - missing signing certificate attribute -EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed -EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed -EVP_R_BAD_ALGORITHM_NAME:200:bad algorithm name -EVP_R_BAD_DECRYPT:100:bad decrypt -EVP_R_BAD_KEY_LENGTH:195:bad key length -EVP_R_BUFFER_TOO_SMALL:155:buffer too small -EVP_R_CACHE_CONSTANTS_FAILED:225:cache constants failed -EVP_R_CAMELLIA_KEY_SETUP_FAILED:157:camellia key setup failed -EVP_R_CANNOT_GET_PARAMETERS:197:cannot get parameters -EVP_R_CANNOT_SET_PARAMETERS:198:cannot set parameters -EVP_R_CIPHER_NOT_GCM_MODE:184:cipher not gcm mode -EVP_R_CIPHER_PARAMETER_ERROR:122:cipher parameter error -EVP_R_COMMAND_NOT_SUPPORTED:147:command not supported -EVP_R_CONFLICTING_ALGORITHM_NAME:201:conflicting algorithm name -EVP_R_COPY_ERROR:173:copy error -EVP_R_CTRL_NOT_IMPLEMENTED:132:ctrl not implemented -EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED:133:ctrl operation not implemented -EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:138:data not multiple of block length -EVP_R_DECODE_ERROR:114:decode error -EVP_R_DEFAULT_QUERY_PARSE_ERROR:210:default query parse error -EVP_R_DIFFERENT_KEY_TYPES:101:different key types -EVP_R_DIFFERENT_PARAMETERS:153:different parameters -EVP_R_ERROR_LOADING_SECTION:165:error loading section -EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key -EVP_R_EXPECTING_AN_RSA_KEY:127:expecting an rsa key -EVP_R_EXPECTING_A_DH_KEY:128:expecting a dh key -EVP_R_EXPECTING_A_DSA_KEY:129:expecting a dsa key -EVP_R_EXPECTING_A_ECX_KEY:219:expecting an ecx key -EVP_R_EXPECTING_A_EC_KEY:142:expecting an ec key -EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key -EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key -EVP_R_FINAL_ERROR:188:final error -EVP_R_GENERATE_ERROR:214:generate error -EVP_R_GET_RAW_KEY_FAILED:182:get raw key failed -EVP_R_ILLEGAL_SCRYPT_PARAMETERS:171:illegal scrypt parameters -EVP_R_INACCESSIBLE_DOMAIN_PARAMETERS:204:inaccessible domain parameters -EVP_R_INACCESSIBLE_KEY:203:inaccessible key -EVP_R_INITIALIZATION_ERROR:134:initialization error -EVP_R_INPUT_NOT_INITIALIZED:111:input not initialized -EVP_R_INVALID_CUSTOM_LENGTH:185:invalid custom length -EVP_R_INVALID_DIGEST:152:invalid digest -EVP_R_INVALID_IV_LENGTH:194:invalid iv length -EVP_R_INVALID_KEY:163:invalid key -EVP_R_INVALID_KEY_LENGTH:130:invalid key length -EVP_R_INVALID_LENGTH:221:invalid length -EVP_R_INVALID_NULL_ALGORITHM:218:invalid null algorithm -EVP_R_INVALID_OPERATION:148:invalid operation -EVP_R_INVALID_PROVIDER_FUNCTIONS:193:invalid provider functions -EVP_R_INVALID_SALT_LENGTH:186:invalid salt length -EVP_R_INVALID_SECRET_LENGTH:223:invalid secret length -EVP_R_INVALID_SEED_LENGTH:220:invalid seed length -EVP_R_INVALID_VALUE:222:invalid value -EVP_R_KEYMGMT_EXPORT_FAILURE:205:keymgmt export failure -EVP_R_KEY_SETUP_FAILED:180:key setup failed -EVP_R_LOCKING_NOT_SUPPORTED:213:locking not supported -EVP_R_MEMORY_LIMIT_EXCEEDED:172:memory limit exceeded -EVP_R_MESSAGE_DIGEST_IS_NULL:159:message digest is null -EVP_R_METHOD_NOT_SUPPORTED:144:method not supported -EVP_R_MISSING_PARAMETERS:103:missing parameters -EVP_R_NOT_ABLE_TO_COPY_CTX:190:not able to copy ctx -EVP_R_NOT_XOF_OR_INVALID_LENGTH:178:not XOF or invalid length -EVP_R_NO_CIPHER_SET:131:no cipher set -EVP_R_NO_DEFAULT_DIGEST:158:no default digest -EVP_R_NO_DIGEST_SET:139:no digest set -EVP_R_NO_IMPORT_FUNCTION:206:no import function -EVP_R_NO_KEYMGMT_AVAILABLE:199:no keymgmt available -EVP_R_NO_KEYMGMT_PRESENT:196:no keymgmt present -EVP_R_NO_KEY_SET:154:no key set -EVP_R_NO_OPERATION_SET:149:no operation set -EVP_R_NULL_MAC_PKEY_CTX:208:null mac pkey ctx -EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported -EVP_R_OPERATION_NOT_INITIALIZED:151:operation not initialized -EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ - operation not supported for this keytype -EVP_R_OUTPUT_WOULD_OVERFLOW:202:output would overflow -EVP_R_PARAMETER_TOO_LARGE:187:parameter too large -EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers -EVP_R_PBKDF2_ERROR:181:pbkdf2 error -EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ - pkey application asn1 method already registered -EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error -EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error -EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa -EVP_R_SETTING_XOF_FAILED:227:setting xof failed -EVP_R_SET_DEFAULT_PROPERTY_FAILURE:209:set default property failure -EVP_R_TOO_MANY_RECORDS:183:too many records -EVP_R_UNABLE_TO_ENABLE_LOCKING:212:unable to enable locking -EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE:215:unable to get maximum request size -EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH:216:unable to get random strength -EVP_R_UNABLE_TO_LOCK_CONTEXT:211:unable to lock context -EVP_R_UNABLE_TO_SET_CALLBACKS:217:unable to set callbacks -EVP_R_UNKNOWN_CIPHER:160:unknown cipher -EVP_R_UNKNOWN_DIGEST:161:unknown digest -EVP_R_UNKNOWN_KEY_TYPE:207:unknown key type -EVP_R_UNKNOWN_OPTION:169:unknown option -EVP_R_UNKNOWN_PBE_ALGORITHM:121:unknown pbe algorithm -EVP_R_UNSUPPORTED_ALGORITHM:156:unsupported algorithm -EVP_R_UNSUPPORTED_CIPHER:107:unsupported cipher -EVP_R_UNSUPPORTED_KEYLENGTH:123:unsupported keylength -EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:124:\ - unsupported key derivation function -EVP_R_UNSUPPORTED_KEY_SIZE:108:unsupported key size -EVP_R_UNSUPPORTED_KEY_TYPE:224:unsupported key type -EVP_R_UNSUPPORTED_NUMBER_OF_ROUNDS:135:unsupported number of rounds -EVP_R_UNSUPPORTED_PRF:125:unsupported prf -EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:118:unsupported private key algorithm -EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type -EVP_R_UPDATE_ERROR:189:update error -EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed -EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length -EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE:191:xts data unit is too large -EVP_R_XTS_DUPLICATED_KEYS:192:xts duplicated keys -HTTP_R_ASN1_LEN_EXCEEDS_MAX_RESP_LEN:108:asn1 len exceeds max resp len -HTTP_R_CONNECT_FAILURE:100:connect failure -HTTP_R_ERROR_PARSING_ASN1_LENGTH:109:error parsing asn1 length -HTTP_R_ERROR_PARSING_CONTENT_LENGTH:119:error parsing content length -HTTP_R_ERROR_PARSING_URL:101:error parsing url -HTTP_R_ERROR_RECEIVING:103:error receiving -HTTP_R_ERROR_SENDING:102:error sending -HTTP_R_FAILED_READING_DATA:128:failed reading data -HTTP_R_HEADER_PARSE_ERROR:126:header parse error -HTTP_R_INCONSISTENT_CONTENT_LENGTH:120:inconsistent content length -HTTP_R_INVALID_PORT_NUMBER:123:invalid port number -HTTP_R_INVALID_URL_PATH:125:invalid url path -HTTP_R_INVALID_URL_SCHEME:124:invalid url scheme -HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded -HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding -HTTP_R_MISSING_CONTENT_TYPE:121:missing content type -HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location -HTTP_R_RECEIVED_ERROR:105:received error -HTTP_R_RECEIVED_WRONG_HTTP_VERSION:106:received wrong http version -HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http -HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled -HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long -HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error -HTTP_R_RETRY_TIMEOUT:129:retry timeout -HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection -HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported -HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported -HTTP_R_TLS_NOT_ENABLED:107:tls not enabled -HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections -HTTP_R_UNEXPECTED_CONTENT_TYPE:118:unexpected content type -OBJ_R_OID_EXISTS:102:oid exists -OBJ_R_UNKNOWN_NID:101:unknown nid -OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name -OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -OCSP_R_DIGEST_ERR:102:digest err -OCSP_R_DIGEST_NAME_ERR:106:digest name err -OCSP_R_DIGEST_SIZE_ERR:107:digest size err -OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field -OCSP_R_ERROR_IN_THISUPDATE_FIELD:123:error in thisupdate field -OCSP_R_MISSING_OCSPSIGNING_USAGE:103:missing ocspsigning usage -OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE:124:nextupdate before thisupdate -OCSP_R_NOT_BASIC_RESPONSE:104:not basic response -OCSP_R_NO_CERTIFICATES_IN_CHAIN:105:no certificates in chain -OCSP_R_NO_RESPONSE_DATA:108:no response data -OCSP_R_NO_REVOKED_TIME:109:no revoked time -OCSP_R_NO_SIGNER_KEY:130:no signer key -OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:110:\ - private key does not match certificate -OCSP_R_REQUEST_NOT_SIGNED:128:request not signed -OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA:111:\ - response contains no revocation data -OCSP_R_ROOT_CA_NOT_TRUSTED:112:root ca not trusted -OCSP_R_SIGNATURE_FAILURE:117:signature failure -OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND:118:signer certificate not found -OCSP_R_STATUS_EXPIRED:125:status expired -OCSP_R_STATUS_NOT_YET_VALID:126:status not yet valid -OCSP_R_STATUS_TOO_OLD:127:status too old -OCSP_R_UNKNOWN_MESSAGE_DIGEST:119:unknown message digest -OCSP_R_UNKNOWN_NID:120:unknown nid -OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE:129:unsupported requestorname type -OSSL_DECODER_R_COULD_NOT_DECODE_OBJECT:101:could not decode object -OSSL_DECODER_R_DECODER_NOT_FOUND:102:decoder not found -OSSL_DECODER_R_MISSING_GET_PARAMS:100:missing get params -OSSL_ENCODER_R_ENCODER_NOT_FOUND:101:encoder not found -OSSL_ENCODER_R_INCORRECT_PROPERTY_QUERY:100:incorrect property query -OSSL_ENCODER_R_MISSING_GET_PARAMS:102:missing get params -OSSL_STORE_R_AMBIGUOUS_CONTENT_TYPE:107:ambiguous content type -OSSL_STORE_R_BAD_PASSWORD_READ:115:bad password read -OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC:113:error verifying pkcs12 mac -OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST:121:\ - fingerprint size does not match digest -OSSL_STORE_R_INVALID_SCHEME:106:invalid scheme -OSSL_STORE_R_IS_NOT_A:112:is not a -OSSL_STORE_R_LOADER_INCOMPLETE:116:loader incomplete -OSSL_STORE_R_LOADING_STARTED:117:loading started -OSSL_STORE_R_NOT_A_CERTIFICATE:100:not a certificate -OSSL_STORE_R_NOT_A_CRL:101:not a crl -OSSL_STORE_R_NOT_A_NAME:103:not a name -OSSL_STORE_R_NOT_A_PRIVATE_KEY:102:not a private key -OSSL_STORE_R_NOT_A_PUBLIC_KEY:122:not a public key -OSSL_STORE_R_NOT_PARAMETERS:104:not parameters -OSSL_STORE_R_NO_LOADERS_FOUND:123:no loaders found -OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR:114:passphrase callback error -OSSL_STORE_R_PATH_MUST_BE_ABSOLUTE:108:path must be absolute -OSSL_STORE_R_SEARCH_ONLY_SUPPORTED_FOR_DIRECTORIES:119:\ - search only supported for directories -OSSL_STORE_R_UI_PROCESS_INTERRUPTED_OR_CANCELLED:109:\ - ui process interrupted or cancelled -OSSL_STORE_R_UNREGISTERED_SCHEME:105:unregistered scheme -OSSL_STORE_R_UNSUPPORTED_CONTENT_TYPE:110:unsupported content type -OSSL_STORE_R_UNSUPPORTED_OPERATION:118:unsupported operation -OSSL_STORE_R_UNSUPPORTED_SEARCH_TYPE:120:unsupported search type -OSSL_STORE_R_URI_AUTHORITY_UNSUPPORTED:111:uri authority unsupported -PEM_R_BAD_BASE64_DECODE:100:bad base64 decode -PEM_R_BAD_DECRYPT:101:bad decrypt -PEM_R_BAD_END_LINE:102:bad end line -PEM_R_BAD_IV_CHARS:103:bad iv chars -PEM_R_BAD_MAGIC_NUMBER:116:bad magic number -PEM_R_BAD_PASSWORD_READ:104:bad password read -PEM_R_BAD_VERSION_NUMBER:117:bad version number -PEM_R_BIO_WRITE_FAILURE:118:bio write failure -PEM_R_CIPHER_IS_NULL:127:cipher is null -PEM_R_ERROR_CONVERTING_PRIVATE_KEY:115:error converting private key -PEM_R_EXPECTING_DSS_KEY_BLOB:131:expecting dss key blob -PEM_R_EXPECTING_PRIVATE_KEY_BLOB:119:expecting private key blob -PEM_R_EXPECTING_PUBLIC_KEY_BLOB:120:expecting public key blob -PEM_R_EXPECTING_RSA_KEY_BLOB:132:expecting rsa key blob -PEM_R_HEADER_TOO_LONG:128:header too long -PEM_R_INCONSISTENT_HEADER:121:inconsistent header -PEM_R_KEYBLOB_HEADER_PARSE_ERROR:122:keyblob header parse error -PEM_R_KEYBLOB_TOO_SHORT:123:keyblob too short -PEM_R_MISSING_DEK_IV:129:missing dek iv -PEM_R_NOT_DEK_INFO:105:not dek info -PEM_R_NOT_ENCRYPTED:106:not encrypted -PEM_R_NOT_PROC_TYPE:107:not proc type -PEM_R_NO_START_LINE:108:no start line -PEM_R_PROBLEMS_GETTING_PASSWORD:109:problems getting password -PEM_R_PVK_DATA_TOO_SHORT:124:pvk data too short -PEM_R_PVK_TOO_SHORT:125:pvk too short -PEM_R_READ_KEY:111:read key -PEM_R_SHORT_HEADER:112:short header -PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv -PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher -PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption -PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components -PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type -PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure -PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data -PKCS12_R_DECODE_ERROR:101:decode error -PKCS12_R_ENCODE_ERROR:102:encode error -PKCS12_R_ENCRYPT_ERROR:103:encrypt error -PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE:120:error setting encrypted data type -PKCS12_R_INVALID_NULL_ARGUMENT:104:invalid null argument -PKCS12_R_INVALID_NULL_PKCS12_POINTER:105:invalid null pkcs12 pointer -PKCS12_R_INVALID_TYPE:112:invalid type -PKCS12_R_IV_GEN_ERROR:106:iv gen error -PKCS12_R_KEY_GEN_ERROR:107:key gen error -PKCS12_R_MAC_ABSENT:108:mac absent -PKCS12_R_MAC_GENERATION_ERROR:109:mac generation error -PKCS12_R_MAC_SETUP_ERROR:110:mac setup error -PKCS12_R_MAC_STRING_SET_ERROR:111:mac string set error -PKCS12_R_MAC_VERIFY_FAILURE:113:mac verify failure -PKCS12_R_PARSE_ERROR:114:parse error -PKCS12_R_PKCS12_CIPHERFINAL_ERROR:116:pkcs12 cipherfinal error -PKCS12_R_UNKNOWN_DIGEST_ALGORITHM:118:unknown digest algorithm -PKCS12_R_UNSUPPORTED_PKCS12_MODE:119:unsupported pkcs12 mode -PKCS7_R_CERTIFICATE_VERIFY_ERROR:117:certificate verify error -PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER:144:cipher has no object identifier -PKCS7_R_CIPHER_NOT_INITIALIZED:116:cipher not initialized -PKCS7_R_CONTENT_AND_DATA_PRESENT:118:content and data present -PKCS7_R_CTRL_ERROR:152:ctrl error -PKCS7_R_DECRYPT_ERROR:119:decrypt error -PKCS7_R_DIGEST_FAILURE:101:digest failure -PKCS7_R_ENCRYPTION_CTRL_FAILURE:149:encryption ctrl failure -PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:150:\ - encryption not supported for this key type -PKCS7_R_ERROR_ADDING_RECIPIENT:120:error adding recipient -PKCS7_R_ERROR_SETTING_CIPHER:121:error setting cipher -PKCS7_R_INVALID_NULL_POINTER:143:invalid null pointer -PKCS7_R_INVALID_SIGNED_DATA_TYPE:155:invalid signed data type -PKCS7_R_NO_CONTENT:122:no content -PKCS7_R_NO_DEFAULT_DIGEST:151:no default digest -PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND:154:no matching digest type found -PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE:115:no recipient matches certificate -PKCS7_R_NO_SIGNATURES_ON_DATA:123:no signatures on data -PKCS7_R_NO_SIGNERS:142:no signers -PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE:104:\ - operation not supported on this type -PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR:124:pkcs7 add signature error -PKCS7_R_PKCS7_ADD_SIGNER_ERROR:153:pkcs7 add signer error -PKCS7_R_PKCS7_DATASIGN:145:pkcs7 datasign -PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:127:\ - private key does not match certificate -PKCS7_R_SIGNATURE_FAILURE:105:signature failure -PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND:128:signer certificate not found -PKCS7_R_SIGNING_CTRL_FAILURE:147:signing ctrl failure -PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:148:\ - signing not supported for this key type -PKCS7_R_SMIME_TEXT_ERROR:129:smime text error -PKCS7_R_UNABLE_TO_FIND_CERTIFICATE:106:unable to find certificate -PKCS7_R_UNABLE_TO_FIND_MEM_BIO:107:unable to find mem bio -PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST:108:unable to find message digest -PKCS7_R_UNKNOWN_DIGEST_TYPE:109:unknown digest type -PKCS7_R_UNKNOWN_OPERATION:110:unknown operation -PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type -PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type -PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type -PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type -PROP_R_NAME_TOO_LONG:100:name too long -PROP_R_NOT_AN_ASCII_CHARACTER:101:not an ascii character -PROP_R_NOT_AN_HEXADECIMAL_DIGIT:102:not an hexadecimal digit -PROP_R_NOT_AN_IDENTIFIER:103:not an identifier -PROP_R_NOT_AN_OCTAL_DIGIT:104:not an octal digit -PROP_R_NOT_A_DECIMAL_DIGIT:105:not a decimal digit -PROP_R_NO_MATCHING_STRING_DELIMITER:106:no matching string delimiter -PROP_R_NO_VALUE:107:no value -PROP_R_PARSE_FAILED:108:parse failed -PROP_R_STRING_TOO_LONG:109:string too long -PROP_R_TRAILING_CHARACTERS:110:trailing characters -PROV_R_ADDITIONAL_INPUT_TOO_LONG:184:additional input too long -PROV_R_ALGORITHM_MISMATCH:173:algorithm mismatch -PROV_R_ALREADY_INSTANTIATED:185:already instantiated -PROV_R_BAD_DECRYPT:100:bad decrypt -PROV_R_BAD_ENCODING:141:bad encoding -PROV_R_BAD_LENGTH:142:bad length -PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version -PROV_R_BN_ERROR:160:bn error -PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed -PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed -PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed -PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak -PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg -PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy -PROV_R_ERROR_RETRIEVING_NONCE:190:error retrieving nonce -PROV_R_FAILED_DURING_DERIVATION:164:failed during derivation -PROV_R_FAILED_TO_CREATE_LOCK:180:failed to create lock -PROV_R_FAILED_TO_DECRYPT:162:failed to decrypt -PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key -PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter -PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter -PROV_R_FAILED_TO_SIGN:175:failed to sign -PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error -PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state -PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state -PROV_R_GENERATE_ERROR:191:generate error -PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\ - illegal or unsupported padding mode -PROV_R_INDICATOR_INTEGRITY_FAILURE:210:indicator integrity failure -PROV_R_INSUFFICIENT_DRBG_STRENGTH:181:insufficient drbg strength -PROV_R_INVALID_AAD:108:invalid aad -PROV_R_INVALID_CONFIG_DATA:211:invalid config data -PROV_R_INVALID_CONSTANT_LENGTH:157:invalid constant length -PROV_R_INVALID_CURVE:176:invalid curve -PROV_R_INVALID_CUSTOM_LENGTH:111:invalid custom length -PROV_R_INVALID_DATA:115:invalid data -PROV_R_INVALID_DIGEST:122:invalid digest -PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length -PROV_R_INVALID_DIGEST_SIZE:218:invalid digest size -PROV_R_INVALID_INPUT_LENGTH:230:invalid input length -PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count -PROV_R_INVALID_IV_LENGTH:109:invalid iv length -PROV_R_INVALID_KEY:158:invalid key -PROV_R_INVALID_KEY_LENGTH:105:invalid key length -PROV_R_INVALID_MAC:151:invalid mac -PROV_R_INVALID_MGF1_MD:167:invalid mgf1 md -PROV_R_INVALID_MODE:125:invalid mode -PROV_R_INVALID_OUTPUT_LENGTH:217:invalid output length -PROV_R_INVALID_PADDING_MODE:168:invalid padding mode -PROV_R_INVALID_PUBINFO:198:invalid pubinfo -PROV_R_INVALID_SALT_LENGTH:112:invalid salt length -PROV_R_INVALID_SEED_LENGTH:154:invalid seed length -PROV_R_INVALID_SIGNATURE_SIZE:179:invalid signature size -PROV_R_INVALID_STATE:212:invalid state -PROV_R_INVALID_TAG:110:invalid tag -PROV_R_INVALID_TAG_LENGTH:118:invalid tag length -PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length -PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest -PROV_R_IN_ERROR_STATE:192:in error state -PROV_R_KEY_SETUP_FAILED:101:key setup failed -PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small -PROV_R_LENGTH_TOO_LARGE:202:length too large -PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters -PROV_R_MISSING_CEK_ALG:144:missing cek alg -PROV_R_MISSING_CIPHER:155:missing cipher -PROV_R_MISSING_CONFIG_DATA:213:missing config data -PROV_R_MISSING_CONSTANT:156:missing constant -PROV_R_MISSING_KEY:128:missing key -PROV_R_MISSING_MAC:150:missing mac -PROV_R_MISSING_MESSAGE_DIGEST:129:missing message digest -PROV_R_MISSING_OID:209:missing OID -PROV_R_MISSING_PASS:130:missing pass -PROV_R_MISSING_SALT:131:missing salt -PROV_R_MISSING_SECRET:132:missing secret -PROV_R_MISSING_SEED:140:missing seed -PROV_R_MISSING_SESSION_ID:133:missing session id -PROV_R_MISSING_TYPE:134:missing type -PROV_R_MISSING_XCGHASH:135:missing xcghash -PROV_R_MODULE_INTEGRITY_FAILURE:214:module integrity failure -PROV_R_NOT_A_PRIVATE_KEY:221:not a private key -PROV_R_NOT_A_PUBLIC_KEY:220:not a public key -PROV_R_NOT_INSTANTIATED:193:not instantiated -PROV_R_NOT_PARAMETERS:226:not parameters -PROV_R_NOT_SUPPORTED:136:not supported -PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length -PROV_R_NO_KEY_SET:114:no key set -PROV_R_NO_PARAMETERS_SET:177:no parameters set -PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\ - operation not supported for this keytype -PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small -PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\ - parent cannot generate random numbers -PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED:187:parent cannot supply entropy seed -PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled -PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak -PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute -PROV_R_PERSONALISATION_STRING_TOO_LONG:195:personalisation string too long -PROV_R_PSS_SALTLEN_TOO_SMALL:172:pss saltlen too small -PROV_R_REQUEST_TOO_LARGE_FOR_DRBG:196:request too large for drbg -PROV_R_REQUIRE_CTR_MODE_CIPHER:206:require ctr mode cipher -PROV_R_RESEED_ERROR:197:reseed error -PROV_R_SEARCH_ONLY_SUPPORTED_FOR_DIRECTORIES:222:\ - search only supported for directories -PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT:229:\ - seed sources must not have a parent -PROV_R_SELF_TEST_KAT_FAILURE:215:self test kat failure -PROV_R_SELF_TEST_POST_FAILURE:216:self test post failure -PROV_R_TAG_NOT_NEEDED:120:tag not needed -PROV_R_TAG_NOT_SET:119:tag not set -PROV_R_TOO_MANY_RECORDS:126:too many records -PROV_R_UNABLE_TO_FIND_CIPHERS:207:unable to find ciphers -PROV_R_UNABLE_TO_GET_PARENT_STRENGTH:199:unable to get parent strength -PROV_R_UNABLE_TO_GET_PASSPHRASE:159:unable to get passphrase -PROV_R_UNABLE_TO_INITIALISE_CIPHERS:208:unable to initialise ciphers -PROV_R_UNABLE_TO_LOAD_SHA256:147:unable to load sha256 -PROV_R_UNABLE_TO_LOCK_PARENT:201:unable to lock parent -PROV_R_UNABLE_TO_RESEED:204:unable to reseed -PROV_R_UNSUPPORTED_CEK_ALG:145:unsupported cek alg -PROV_R_UNSUPPORTED_KEY_SIZE:153:unsupported key size -PROV_R_UNSUPPORTED_MAC_TYPE:137:unsupported mac type -PROV_R_UNSUPPORTED_NUMBER_OF_ROUNDS:152:unsupported number of rounds -PROV_R_URI_AUTHORITY_UNSUPPORTED:223:uri authority unsupported -PROV_R_VALUE_ERROR:138:value error -PROV_R_WRONG_FINAL_BLOCK_LENGTH:107:wrong final block length -PROV_R_WRONG_OUTPUT_BUFFER_SIZE:139:wrong output buffer size -PROV_R_XOF_DIGESTS_NOT_ALLOWED:183:xof digests not allowed -PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE:148:xts data unit is too large -PROV_R_XTS_DUPLICATED_KEYS:149:xts duplicated keys -RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long -RAND_R_ALREADY_INSTANTIATED:103:already instantiated -RAND_R_ARGUMENT_OUT_OF_RANGE:105:argument out of range -RAND_R_CANNOT_OPEN_FILE:121:Cannot open file -RAND_R_DRBG_ALREADY_INITIALIZED:129:drbg already initialized -RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised -RAND_R_ENTROPY_INPUT_TOO_LONG:106:entropy input too long -RAND_R_ENTROPY_OUT_OF_RANGE:124:entropy out of range -RAND_R_ERROR_ENTROPY_POOL_WAS_IGNORED:127:error entropy pool was ignored -RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg -RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg -RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input -RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy -RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce -RAND_R_FAILED_TO_CREATE_LOCK:126:failed to create lock -RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented -RAND_R_FWRITE_ERROR:123:Error writing file -RAND_R_GENERATE_ERROR:112:generate error -RAND_R_INSUFFICIENT_DRBG_STRENGTH:139:insufficient drbg strength -RAND_R_INTERNAL_ERROR:113:internal error -RAND_R_IN_ERROR_STATE:114:in error state -RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file -RAND_R_NOT_INSTANTIATED:115:not instantiated -RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED:128:no drbg implementation selected -RAND_R_PARENT_LOCKING_NOT_ENABLED:130:parent locking not enabled -RAND_R_PARENT_STRENGTH_TOO_WEAK:131:parent strength too weak -RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long -RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED:133:\ - prediction resistance not supported -RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded -RAND_R_RANDOM_POOL_OVERFLOW:125:random pool overflow -RAND_R_RANDOM_POOL_UNDERFLOW:134:random pool underflow -RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg -RAND_R_RESEED_ERROR:118:reseed error -RAND_R_SELFTEST_FAILURE:119:selftest failure -RAND_R_TOO_LITTLE_NONCE_REQUESTED:135:too little nonce requested -RAND_R_TOO_MUCH_NONCE_REQUESTED:136:too much nonce requested -RAND_R_UNABLE_TO_CREATE_DRBG:143:unable to create drbg -RAND_R_UNABLE_TO_FETCH_DRBG:144:unable to fetch drbg -RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER:141:\ - unable to get parent reseed prop counter -RAND_R_UNABLE_TO_GET_PARENT_STRENGTH:138:unable to get parent strength -RAND_R_UNABLE_TO_LOCK_PARENT:140:unable to lock parent -RAND_R_UNSUPPORTED_DRBG_FLAGS:132:unsupported drbg flags -RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type -RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch -RSA_R_BAD_E_VALUE:101:bad e value -RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt -RSA_R_BAD_PAD_BYTE_COUNT:103:bad pad byte count -RSA_R_BAD_SIGNATURE:104:bad signature -RSA_R_BLOCK_TYPE_IS_NOT_01:106:block type is not 01 -RSA_R_BLOCK_TYPE_IS_NOT_02:107:block type is not 02 -RSA_R_DATA_GREATER_THAN_MOD_LEN:108:data greater than mod len -RSA_R_DATA_TOO_LARGE:109:data too large -RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:110:data too large for key size -RSA_R_DATA_TOO_LARGE_FOR_MODULUS:132:data too large for modulus -RSA_R_DATA_TOO_SMALL:111:data too small -RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:122:data too small for key size -RSA_R_DIGEST_DOES_NOT_MATCH:158:digest does not match -RSA_R_DIGEST_NOT_ALLOWED:145:digest not allowed -RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY:112:digest too big for rsa key -RSA_R_DMP1_NOT_CONGRUENT_TO_D:124:dmp1 not congruent to d -RSA_R_DMQ1_NOT_CONGRUENT_TO_D:125:dmq1 not congruent to d -RSA_R_D_E_NOT_CONGRUENT_TO_1:123:d e not congruent to 1 -RSA_R_FIRST_OCTET_INVALID:133:first octet invalid -RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:144:\ - illegal or unsupported padding mode -RSA_R_INVALID_DIGEST:157:invalid digest -RSA_R_INVALID_DIGEST_LENGTH:143:invalid digest length -RSA_R_INVALID_HEADER:137:invalid header -RSA_R_INVALID_KEYPAIR:171:invalid keypair -RSA_R_INVALID_KEY_LENGTH:173:invalid key length -RSA_R_INVALID_LABEL:160:invalid label -RSA_R_INVALID_LENGTH:181:invalid length -RSA_R_INVALID_MESSAGE_LENGTH:131:invalid message length -RSA_R_INVALID_MGF1_MD:156:invalid mgf1 md -RSA_R_INVALID_MODULUS:174:invalid modulus -RSA_R_INVALID_MULTI_PRIME_KEY:167:invalid multi prime key -RSA_R_INVALID_OAEP_PARAMETERS:161:invalid oaep parameters -RSA_R_INVALID_PADDING:138:invalid padding -RSA_R_INVALID_PADDING_MODE:141:invalid padding mode -RSA_R_INVALID_PSS_PARAMETERS:149:invalid pss parameters -RSA_R_INVALID_PSS_SALTLEN:146:invalid pss saltlen -RSA_R_INVALID_REQUEST:175:invalid request -RSA_R_INVALID_SALT_LENGTH:150:invalid salt length -RSA_R_INVALID_STRENGTH:176:invalid strength -RSA_R_INVALID_TRAILER:139:invalid trailer -RSA_R_INVALID_X931_DIGEST:142:invalid x931 digest -RSA_R_IQMP_NOT_INVERSE_OF_Q:126:iqmp not inverse of q -RSA_R_KEY_PRIME_NUM_INVALID:165:key prime num invalid -RSA_R_KEY_SIZE_TOO_SMALL:120:key size too small -RSA_R_LAST_OCTET_INVALID:134:last octet invalid -RSA_R_MGF1_DIGEST_NOT_ALLOWED:152:mgf1 digest not allowed -RSA_R_MISSING_PRIVATE_KEY:179:missing private key -RSA_R_MODULUS_TOO_LARGE:105:modulus too large -RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r -RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d -RSA_R_MP_R_NOT_PRIME:170:mp r not prime -RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent -RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing -RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes -RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q -RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error -RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\ - operation not supported for this keytype -RSA_R_PADDING_CHECK_FAILED:114:padding check failed -RSA_R_PAIRWISE_TEST_FAILURE:177:pairwise test failure -RSA_R_PKCS_DECODING_ERROR:159:pkcs decoding error -RSA_R_PSS_SALTLEN_TOO_SMALL:164:pss saltlen too small -RSA_R_PUB_EXPONENT_OUT_OF_RANGE:178:pub exponent out of range -RSA_R_P_NOT_PRIME:128:p not prime -RSA_R_Q_NOT_PRIME:129:q not prime -RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT:180:\ - randomness source strength insufficient -RSA_R_RSA_OPERATIONS_NOT_SUPPORTED:130:rsa operations not supported -RSA_R_SLEN_CHECK_FAILED:136:salt length check failed -RSA_R_SLEN_RECOVERY_FAILED:135:salt length recovery failed -RSA_R_SSLV3_ROLLBACK_ATTACK:115:sslv3 rollback attack -RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD:116:\ - the asn1 object identifier is not known for this md -RSA_R_UNKNOWN_ALGORITHM_TYPE:117:unknown algorithm type -RSA_R_UNKNOWN_DIGEST:166:unknown digest -RSA_R_UNKNOWN_MASK_DIGEST:151:unknown mask digest -RSA_R_UNKNOWN_PADDING_TYPE:118:unknown padding type -RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:unsupported encryption type -RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source -RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm -RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter -RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type -RSA_R_VALUE_MISSING:147:value missing -RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length -SM2_R_ASN1_ERROR:100:asn1 error -SM2_R_BAD_SIGNATURE:101:bad signature -SM2_R_BUFFER_TOO_SMALL:107:buffer too small -SM2_R_DIST_ID_TOO_LARGE:110:dist id too large -SM2_R_ID_NOT_SET:112:id not set -SM2_R_ID_TOO_LARGE:111:id too large -SM2_R_INVALID_CURVE:108:invalid curve -SM2_R_INVALID_DIGEST:102:invalid digest -SM2_R_INVALID_DIGEST_TYPE:103:invalid digest type -SM2_R_INVALID_ENCODING:104:invalid encoding -SM2_R_INVALID_FIELD:105:invalid field -SM2_R_INVALID_PRIVATE_KEY:113:invalid private key -SM2_R_NO_PARAMETERS_SET:109:no parameters set -SM2_R_USER_ID_TOO_LARGE:106:user id too large -SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\ - application data after close notify -SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake -SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\ - attempt to reuse session in different context -SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\ - at least (D)TLS 1.2 needed in Suite B mode -SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec -SSL_R_BAD_CIPHER:186:bad cipher -SSL_R_BAD_DATA:390:bad data -SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback -SSL_R_BAD_DECOMPRESSION:107:bad decompression -SSL_R_BAD_DH_VALUE:102:bad dh value -SSL_R_BAD_DIGEST_LENGTH:111:bad digest length -SSL_R_BAD_EARLY_DATA:233:bad early data -SSL_R_BAD_ECC_CERT:304:bad ecc cert -SSL_R_BAD_ECPOINT:306:bad ecpoint -SSL_R_BAD_EXTENSION:110:bad extension -SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length -SSL_R_BAD_HANDSHAKE_STATE:236:bad handshake state -SSL_R_BAD_HELLO_REQUEST:105:bad hello request -SSL_R_BAD_HRR_VERSION:263:bad hrr version -SSL_R_BAD_KEY_SHARE:108:bad key share -SSL_R_BAD_KEY_UPDATE:122:bad key update -SSL_R_BAD_LEGACY_VERSION:292:bad legacy version -SSL_R_BAD_LENGTH:271:bad length -SSL_R_BAD_PACKET:240:bad packet -SSL_R_BAD_PACKET_LENGTH:115:bad packet length -SSL_R_BAD_PROTOCOL_VERSION_NUMBER:116:bad protocol version number -SSL_R_BAD_PSK:219:bad psk -SSL_R_BAD_PSK_IDENTITY:114:bad psk identity -SSL_R_BAD_RECORD_TYPE:443:bad record type -SSL_R_BAD_RSA_ENCRYPT:119:bad rsa encrypt -SSL_R_BAD_SIGNATURE:123:bad signature -SSL_R_BAD_SRP_A_LENGTH:347:bad srp a length -SSL_R_BAD_SRP_PARAMETERS:371:bad srp parameters -SSL_R_BAD_SRTP_MKI_VALUE:352:bad srtp mki value -SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST:353:bad srtp protection profile list -SSL_R_BAD_SSL_FILETYPE:124:bad ssl filetype -SSL_R_BAD_VALUE:384:bad value -SSL_R_BAD_WRITE_RETRY:127:bad write retry -SSL_R_BINDER_DOES_NOT_VERIFY:253:binder does not verify -SSL_R_BIO_NOT_SET:128:bio not set -SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong -SSL_R_BN_LIB:130:bn lib -SSL_R_CALLBACK_FAILED:234:callback failed -SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher -SSL_R_CANNOT_GET_GROUP_NAME:299:cannot get group name -SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch -SSL_R_CA_KEY_TOO_SMALL:397:ca key too small -SSL_R_CA_MD_TOO_WEAK:398:ca md too weak -SSL_R_CCS_RECEIVED_EARLY:133:ccs received early -SSL_R_CERTIFICATE_VERIFY_FAILED:134:certificate verify failed -SSL_R_CERT_CB_ERROR:377:cert cb error -SSL_R_CERT_LENGTH_MISMATCH:135:cert length mismatch -SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED:218:ciphersuite digest has changed -SSL_R_CIPHER_CODE_WRONG_LENGTH:137:cipher code wrong length -SSL_R_CLIENTHELLO_TLSEXT:226:clienthello tlsext -SSL_R_COMPRESSED_LENGTH_TOO_LONG:140:compressed length too long -SSL_R_COMPRESSION_DISABLED:343:compression disabled -SSL_R_COMPRESSION_FAILURE:141:compression failure -SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE:307:\ - compression id not within private range -SSL_R_COMPRESSION_LIBRARY_ERROR:142:compression library error -SSL_R_CONNECTION_TYPE_NOT_SET:144:connection type not set -SSL_R_CONTEXT_NOT_DANE_ENABLED:167:context not dane enabled -SSL_R_COOKIE_GEN_CALLBACK_FAILURE:400:cookie gen callback failure -SSL_R_COOKIE_MISMATCH:308:cookie mismatch -SSL_R_COPY_PARAMETERS_FAILED:296:copy parameters failed -SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED:206:\ - custom ext handler already installed -SSL_R_DANE_ALREADY_ENABLED:172:dane already enabled -SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL:173:dane cannot override mtype full -SSL_R_DANE_NOT_ENABLED:175:dane not enabled -SSL_R_DANE_TLSA_BAD_CERTIFICATE:180:dane tlsa bad certificate -SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE:184:dane tlsa bad certificate usage -SSL_R_DANE_TLSA_BAD_DATA_LENGTH:189:dane tlsa bad data length -SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH:192:dane tlsa bad digest length -SSL_R_DANE_TLSA_BAD_MATCHING_TYPE:200:dane tlsa bad matching type -SSL_R_DANE_TLSA_BAD_PUBLIC_KEY:201:dane tlsa bad public key -SSL_R_DANE_TLSA_BAD_SELECTOR:202:dane tlsa bad selector -SSL_R_DANE_TLSA_NULL_DATA:203:dane tlsa null data -SSL_R_DATA_BETWEEN_CCS_AND_FINISHED:145:data between ccs and finished -SSL_R_DATA_LENGTH_TOO_LONG:146:data length too long -SSL_R_DECRYPTION_FAILED:147:decryption failed -SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC:281:\ - decryption failed or bad record mac -SSL_R_DH_KEY_TOO_SMALL:394:dh key too small -SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG:148:dh public value length is wrong -SSL_R_DIGEST_CHECK_FAILED:149:digest check failed -SSL_R_DTLS_MESSAGE_TOO_BIG:334:dtls message too big -SSL_R_DUPLICATE_COMPRESSION_ID:309:duplicate compression id -SSL_R_ECC_CERT_NOT_FOR_SIGNING:318:ecc cert not for signing -SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE:374:ecdh required for suiteb mode -SSL_R_EE_KEY_TOO_SMALL:399:ee key too small -SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list -SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long -SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list -SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain -SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size -SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size -SSL_R_EXTENSION_NOT_RECEIVED:279:extension not received -SSL_R_EXTRA_DATA_IN_MESSAGE:153:extra data in message -SSL_R_EXT_LENGTH_MISMATCH:163:ext length mismatch -SSL_R_FAILED_TO_INIT_ASYNC:405:failed to init async -SSL_R_FRAGMENTED_CLIENT_HELLO:401:fragmented client hello -SSL_R_GOT_A_FIN_BEFORE_A_CCS:154:got a fin before a ccs -SSL_R_HTTPS_PROXY_REQUEST:155:https proxy request -SSL_R_HTTP_REQUEST:156:http request -SSL_R_ILLEGAL_POINT_COMPRESSION:162:illegal point compression -SSL_R_ILLEGAL_SUITEB_DIGEST:380:illegal Suite B digest -SSL_R_INAPPROPRIATE_FALLBACK:373:inappropriate fallback -SSL_R_INCONSISTENT_COMPRESSION:340:inconsistent compression -SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn -SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni -SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms -SSL_R_INSUFFICIENT_SECURITY:241:insufficient security -SSL_R_INVALID_ALERT:205:invalid alert -SSL_R_INVALID_CCS_MESSAGE:260:invalid ccs message -SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg -SSL_R_INVALID_COMMAND:280:invalid command -SSL_R_INVALID_COMPRESSION_ALGORITHM:341:invalid compression algorithm -SSL_R_INVALID_CONFIG:283:invalid config -SSL_R_INVALID_CONFIGURATION_NAME:113:invalid configuration name -SSL_R_INVALID_CONTEXT:282:invalid context -SSL_R_INVALID_CT_VALIDATION_TYPE:212:invalid ct validation type -SSL_R_INVALID_KEY_UPDATE_TYPE:120:invalid key update type -SSL_R_INVALID_MAX_EARLY_DATA:174:invalid max early data -SSL_R_INVALID_NULL_CMD_NAME:385:invalid null cmd name -SSL_R_INVALID_SEQUENCE_NUMBER:402:invalid sequence number -SSL_R_INVALID_SERVERINFO_DATA:388:invalid serverinfo data -SSL_R_INVALID_SESSION_ID:999:invalid session id -SSL_R_INVALID_SRP_USERNAME:357:invalid srp username -SSL_R_INVALID_STATUS_RESPONSE:328:invalid status response -SSL_R_INVALID_TICKET_KEYS_LENGTH:325:invalid ticket keys length -SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED:333:\ - legacy sigalg disallowed or unsupported -SSL_R_LENGTH_MISMATCH:159:length mismatch -SSL_R_LENGTH_TOO_LONG:404:length too long -SSL_R_LENGTH_TOO_SHORT:160:length too short -SSL_R_LIBRARY_BUG:274:library bug -SSL_R_LIBRARY_HAS_NO_CIPHERS:161:library has no ciphers -SSL_R_MISSING_DSA_SIGNING_CERT:165:missing dsa signing cert -SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert -SSL_R_MISSING_FATAL:256:missing fatal -SSL_R_MISSING_PARAMETERS:290:missing parameters -SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension -SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate -SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert -SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert -SSL_R_MISSING_SIGALGS_EXTENSION:112:missing sigalgs extension -SSL_R_MISSING_SIGNING_CERT:221:missing signing cert -SSL_R_MISSING_SRP_PARAM:358:can't find SRP server param -SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension -SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key -SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key -SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\ - mixed handshake and non handshake data -SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary -SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate -SSL_R_NOT_SERVER:284:not server -SSL_R_NO_APPLICATION_PROTOCOL:235:no application protocol -SSL_R_NO_CERTIFICATES_RETURNED:176:no certificates returned -SSL_R_NO_CERTIFICATE_ASSIGNED:177:no certificate assigned -SSL_R_NO_CERTIFICATE_SET:179:no certificate set -SSL_R_NO_CHANGE_FOLLOWING_HRR:214:no change following hrr -SSL_R_NO_CIPHERS_AVAILABLE:181:no ciphers available -SSL_R_NO_CIPHERS_SPECIFIED:183:no ciphers specified -SSL_R_NO_CIPHER_MATCH:185:no cipher match -SSL_R_NO_CLIENT_CERT_METHOD:331:no client cert method -SSL_R_NO_COMPRESSION_SPECIFIED:187:no compression specified -SSL_R_NO_COOKIE_CALLBACK_SET:287:no cookie callback set -SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER:330:\ - Peer haven't sent GOST certificate, required for selected ciphersuite -SSL_R_NO_METHOD_SPECIFIED:188:no method specified -SSL_R_NO_PEM_EXTENSIONS:389:no pem extensions -SSL_R_NO_PRIVATE_KEY_ASSIGNED:190:no private key assigned -SSL_R_NO_PROTOCOLS_AVAILABLE:191:no protocols available -SSL_R_NO_RENEGOTIATION:339:no renegotiation -SSL_R_NO_REQUIRED_DIGEST:324:no required digest -SSL_R_NO_SHARED_CIPHER:193:no shared cipher -SSL_R_NO_SHARED_GROUPS:410:no shared groups -SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS:376:no shared signature algorithms -SSL_R_NO_SRTP_PROFILES:359:no srtp profiles -SSL_R_NO_SUITABLE_DIGEST_ALGORITHM:297:no suitable digest algorithm -SSL_R_NO_SUITABLE_GROUPS:295:no suitable groups -SSL_R_NO_SUITABLE_KEY_SHARE:101:no suitable key share -SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM:118:no suitable signature algorithm -SSL_R_NO_VALID_SCTS:216:no valid scts -SSL_R_NO_VERIFY_COOKIE_CALLBACK:403:no verify cookie callback -SSL_R_NULL_SSL_CTX:195:null ssl ctx -SSL_R_NULL_SSL_METHOD_PASSED:196:null ssl method passed -SSL_R_OCSP_CALLBACK_FAILURE:305:ocsp callback failure -SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED:197:old session cipher not returned -SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED:344:\ - old session compression algorithm not returned -SSL_R_OVERFLOW_ERROR:237:overflow error -SSL_R_PACKET_LENGTH_TOO_LONG:198:packet length too long -SSL_R_PARSE_TLSEXT:227:parse tlsext -SSL_R_PATH_TOO_LONG:270:path too long -SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE:199:peer did not return a certificate -SSL_R_PEM_NAME_BAD_PREFIX:391:pem name bad prefix -SSL_R_PEM_NAME_TOO_SHORT:392:pem name too short -SSL_R_PIPELINE_FAILURE:406:pipeline failure -SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR:278:post handshake auth encoding err -SSL_R_PRIVATE_KEY_MISMATCH:288:private key mismatch -SSL_R_PROTOCOL_IS_SHUTDOWN:207:protocol is shutdown -SSL_R_PSK_IDENTITY_NOT_FOUND:223:psk identity not found -SSL_R_PSK_NO_CLIENT_CB:224:psk no client cb -SSL_R_PSK_NO_SERVER_CB:225:psk no server cb -SSL_R_READ_BIO_NOT_SET:211:read bio not set -SSL_R_READ_TIMEOUT_EXPIRED:312:read timeout expired -SSL_R_RECORD_LENGTH_MISMATCH:213:record length mismatch -SSL_R_RECORD_TOO_SMALL:298:record too small -SSL_R_RENEGOTIATE_EXT_TOO_LONG:335:renegotiate ext too long -SSL_R_RENEGOTIATION_ENCODING_ERR:336:renegotiation encoding err -SSL_R_RENEGOTIATION_MISMATCH:337:renegotiation mismatch -SSL_R_REQUEST_PENDING:285:request pending -SSL_R_REQUEST_SENT:286:request sent -SSL_R_REQUIRED_CIPHER_MISSING:215:required cipher missing -SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING:342:\ - required compression algorithm missing -SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING:345:scsv received when renegotiating -SSL_R_SCT_VERIFICATION_FAILED:208:sct verification failed -SSL_R_SERVERHELLO_TLSEXT:275:serverhello tlsext -SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED:277:session id context uninitialized -SSL_R_SHUTDOWN_WHILE_IN_INIT:407:shutdown while in init -SSL_R_SIGNATURE_ALGORITHMS_ERROR:360:signature algorithms error -SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE:220:\ - signature for non signing certificate -SSL_R_SRP_A_CALC:361:error with the srp params -SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES:362:srtp could not allocate profiles -SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG:363:\ - srtp protection profile list too long -SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE:364:srtp unknown protection profile -SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH:232:\ - ssl3 ext invalid max fragment length -SSL_R_SSL3_EXT_INVALID_SERVERNAME:319:ssl3 ext invalid servername -SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE:320:ssl3 ext invalid servername type -SSL_R_SSL3_SESSION_ID_TOO_LONG:300:ssl3 session id too long -SSL_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty -SSL_R_SSL_COMMAND_SECTION_NOT_FOUND:125:ssl command section not found -SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION:228:ssl ctx has no default ssl version -SSL_R_SSL_HANDSHAKE_FAILURE:229:ssl handshake failure -SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS:230:ssl library has no ciphers -SSL_R_SSL_NEGATIVE_LENGTH:372:ssl negative length -SSL_R_SSL_SECTION_EMPTY:126:ssl section empty -SSL_R_SSL_SECTION_NOT_FOUND:136:ssl section not found -SSL_R_SSL_SESSION_ID_CALLBACK_FAILED:301:ssl session id callback failed -SSL_R_SSL_SESSION_ID_CONFLICT:302:ssl session id conflict -SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG:273:ssl session id context too long -SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length -SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long -SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch -SSL_R_STILL_IN_INIT:121:still in init -SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label -SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list -SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates -SSL_R_TOO_MANY_WARN_ALERTS:409:too many warn alerts -SSL_R_TOO_MUCH_EARLY_DATA:164:too much early data -SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS:314:unable to find ecdh parameters -SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS:239:\ - unable to find public key parameters -SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines -SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines -SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message -SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data -SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading -SSL_R_UNEXPECTED_MESSAGE:244:unexpected message -SSL_R_UNEXPECTED_RECORD:245:unexpected record -SSL_R_UNINITIALIZED:276:uninitialized -SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type -SSL_R_UNKNOWN_CERTIFICATE_TYPE:247:unknown certificate type -SSL_R_UNKNOWN_CIPHER_RETURNED:248:unknown cipher returned -SSL_R_UNKNOWN_CIPHER_TYPE:249:unknown cipher type -SSL_R_UNKNOWN_CMD_NAME:386:unknown cmd name -SSL_R_UNKNOWN_COMMAND:139:unknown command -SSL_R_UNKNOWN_DIGEST:368:unknown digest -SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE:250:unknown key exchange type -SSL_R_UNKNOWN_PKEY_TYPE:251:unknown pkey type -SSL_R_UNKNOWN_PROTOCOL:252:unknown protocol -SSL_R_UNKNOWN_SSL_VERSION:254:unknown ssl version -SSL_R_UNKNOWN_STATE:255:unknown state -SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED:338:\ - unsafe legacy renegotiation disabled -SSL_R_UNSOLICITED_EXTENSION:217:unsolicited extension -SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM:257:unsupported compression algorithm -SSL_R_UNSUPPORTED_ELLIPTIC_CURVE:315:unsupported elliptic curve -SSL_R_UNSUPPORTED_PROTOCOL:258:unsupported protocol -SSL_R_UNSUPPORTED_SSL_VERSION:259:unsupported ssl version -SSL_R_UNSUPPORTED_STATUS_TYPE:329:unsupported status type -SSL_R_USE_SRTP_NOT_NEGOTIATED:369:use srtp not negotiated -SSL_R_VERSION_TOO_HIGH:166:version too high -SSL_R_VERSION_TOO_LOW:396:version too low -SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type -SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned -SSL_R_WRONG_CURVE:378:wrong curve -SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length -SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size -SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type -SSL_R_WRONG_SSL_VERSION:266:wrong ssl version -SSL_R_WRONG_VERSION_NUMBER:267:wrong version number -SSL_R_X509_LIB:268:x509 lib -SSL_R_X509_VERIFICATION_SETUP_PROBLEMS:269:x509 verification setup problems -TS_R_BAD_PKCS7_TYPE:132:bad pkcs7 type -TS_R_BAD_TYPE:133:bad type -TS_R_CANNOT_LOAD_CERT:137:cannot load certificate -TS_R_CANNOT_LOAD_KEY:138:cannot load private key -TS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error -TS_R_COULD_NOT_SET_ENGINE:127:could not set engine -TS_R_COULD_NOT_SET_TIME:115:could not set time -TS_R_DETACHED_CONTENT:134:detached content -TS_R_ESS_ADD_SIGNING_CERT_ERROR:116:ess add signing cert error -TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR:139:ess add signing cert v2 error -TS_R_ESS_SIGNING_CERTIFICATE_ERROR:101:ess signing certificate error -TS_R_INVALID_NULL_POINTER:102:invalid null pointer -TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE:117:invalid signer certificate purpose -TS_R_MESSAGE_IMPRINT_MISMATCH:103:message imprint mismatch -TS_R_NONCE_MISMATCH:104:nonce mismatch -TS_R_NONCE_NOT_RETURNED:105:nonce not returned -TS_R_NO_CONTENT:106:no content -TS_R_NO_TIME_STAMP_TOKEN:107:no time stamp token -TS_R_PKCS7_ADD_SIGNATURE_ERROR:118:pkcs7 add signature error -TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR:119:pkcs7 add signed attr error -TS_R_PKCS7_TO_TS_TST_INFO_FAILED:129:pkcs7 to ts tst info failed -TS_R_POLICY_MISMATCH:108:policy mismatch -TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:120:\ - private key does not match certificate -TS_R_RESPONSE_SETUP_ERROR:121:response setup error -TS_R_SIGNATURE_FAILURE:109:signature failure -TS_R_THERE_MUST_BE_ONE_SIGNER:110:there must be one signer -TS_R_TIME_SYSCALL_ERROR:122:time syscall error -TS_R_TOKEN_NOT_PRESENT:130:token not present -TS_R_TOKEN_PRESENT:131:token present -TS_R_TSA_NAME_MISMATCH:111:tsa name mismatch -TS_R_TSA_UNTRUSTED:112:tsa untrusted -TS_R_TST_INFO_SETUP_ERROR:123:tst info setup error -TS_R_TS_DATASIGN:124:ts datasign -TS_R_UNACCEPTABLE_POLICY:125:unacceptable policy -TS_R_UNSUPPORTED_MD_ALGORITHM:126:unsupported md algorithm -TS_R_UNSUPPORTED_VERSION:113:unsupported version -TS_R_VAR_BAD_VALUE:135:var bad value -TS_R_VAR_LOOKUP_FAILURE:136:cannot find config variable -TS_R_WRONG_CONTENT_TYPE:114:wrong content type -UI_R_COMMON_OK_AND_CANCEL_CHARACTERS:104:common ok and cancel characters -UI_R_INDEX_TOO_LARGE:102:index too large -UI_R_INDEX_TOO_SMALL:103:index too small -UI_R_NO_RESULT_BUFFER:105:no result buffer -UI_R_PROCESSING_ERROR:107:processing error -UI_R_RESULT_TOO_LARGE:100:result too large -UI_R_RESULT_TOO_SMALL:101:result too small -UI_R_SYSASSIGN_ERROR:109:sys$assign error -UI_R_SYSDASSGN_ERROR:110:sys$dassgn error -UI_R_SYSQIOW_ERROR:111:sys$qiow error -UI_R_UNKNOWN_CONTROL_COMMAND:106:unknown control command -UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value -UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported -X509V3_R_BAD_IP_ADDRESS:118:bad ip address -X509V3_R_BAD_OBJECT:119:bad object -X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error -X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error -X509V3_R_DIRNAME_ERROR:149:dirname error -X509V3_R_DISTPOINT_ALREADY_SET:160:distpoint already set -X509V3_R_DUPLICATE_ZONE_ID:133:duplicate zone id -X509V3_R_EMPTY_KEY_USAGE:169:empty key usage -X509V3_R_ERROR_CONVERTING_ZONE:131:error converting zone -X509V3_R_ERROR_CREATING_EXTENSION:144:error creating extension -X509V3_R_ERROR_IN_EXTENSION:128:error in extension -X509V3_R_EXPECTED_A_SECTION_NAME:137:expected a section name -X509V3_R_EXTENSION_EXISTS:145:extension exists -X509V3_R_EXTENSION_NAME_ERROR:115:extension name error -X509V3_R_EXTENSION_NOT_FOUND:102:extension not found -X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED:103:extension setting not supported -X509V3_R_EXTENSION_VALUE_ERROR:116:extension value error -X509V3_R_ILLEGAL_EMPTY_EXTENSION:151:illegal empty extension -X509V3_R_INCORRECT_POLICY_SYNTAX_TAG:152:incorrect policy syntax tag -X509V3_R_INVALID_ASNUMBER:162:invalid asnumber -X509V3_R_INVALID_ASRANGE:163:invalid asrange -X509V3_R_INVALID_BOOLEAN_STRING:104:invalid boolean string -X509V3_R_INVALID_CERTIFICATE:158:invalid certificate -X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name -X509V3_R_INVALID_EXTENSION_STRING:105:invalid extension string -X509V3_R_INVALID_INHERITANCE:165:invalid inheritance -X509V3_R_INVALID_IPADDRESS:166:invalid ipaddress -X509V3_R_INVALID_MULTIPLE_RDNS:161:invalid multiple rdns -X509V3_R_INVALID_NAME:106:invalid name -X509V3_R_INVALID_NULL_ARGUMENT:107:invalid null argument -X509V3_R_INVALID_NULL_VALUE:109:invalid null value -X509V3_R_INVALID_NUMBER:140:invalid number -X509V3_R_INVALID_NUMBERS:141:invalid numbers -X509V3_R_INVALID_OBJECT_IDENTIFIER:110:invalid object identifier -X509V3_R_INVALID_OPTION:138:invalid option -X509V3_R_INVALID_POLICY_IDENTIFIER:134:invalid policy identifier -X509V3_R_INVALID_PROXY_POLICY_SETTING:153:invalid proxy policy setting -X509V3_R_INVALID_PURPOSE:146:invalid purpose -X509V3_R_INVALID_SAFI:164:invalid safi -X509V3_R_INVALID_SECTION:135:invalid section -X509V3_R_INVALID_SYNTAX:143:invalid syntax -X509V3_R_ISSUER_DECODE_ERROR:126:issuer decode error -X509V3_R_MISSING_VALUE:124:missing value -X509V3_R_NEED_ORGANIZATION_AND_NUMBERS:142:need organization and numbers -X509V3_R_NEGATIVE_PATHLEN:168:negative pathlen -X509V3_R_NO_CONFIG_DATABASE:136:no config database -X509V3_R_NO_ISSUER_CERTIFICATE:121:no issuer certificate -X509V3_R_NO_ISSUER_DETAILS:127:no issuer details -X509V3_R_NO_POLICY_IDENTIFIER:139:no policy identifier -X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED:154:\ - no proxy cert policy language defined -X509V3_R_NO_PUBLIC_KEY:114:no public key -X509V3_R_NO_SUBJECT_DETAILS:125:no subject details -X509V3_R_OPERATION_NOT_DEFINED:148:operation not defined -X509V3_R_OTHERNAME_ERROR:147:othername error -X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED:155:policy language already defined -X509V3_R_POLICY_PATH_LENGTH:156:policy path length -X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED:157:\ - policy path length already defined -X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY:159:\ - policy when proxy language requires no policy -X509V3_R_SECTION_NOT_FOUND:150:section not found -X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS:122:unable to get issuer details -X509V3_R_UNABLE_TO_GET_ISSUER_KEYID:123:unable to get issuer keyid -X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument -X509V3_R_UNKNOWN_EXTENSION:129:unknown extension -X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name -X509V3_R_UNKNOWN_OPTION:120:unknown option -X509V3_R_UNSUPPORTED_OPTION:117:unsupported option -X509V3_R_UNSUPPORTED_TYPE:167:unsupported type -X509V3_R_USER_TOO_LONG:132:user too long -X509_R_AKID_MISMATCH:110:akid mismatch -X509_R_BAD_SELECTOR:133:bad selector -X509_R_BAD_X509_FILETYPE:100:bad x509 filetype -X509_R_BASE64_DECODE_ERROR:118:base64 decode error -X509_R_CANT_CHECK_DH_KEY:114:cant check dh key -X509_R_CERTIFICATE_VERIFICATION_FAILED:139:certificate verification failed -X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table -X509_R_CRL_ALREADY_DELTA:127:crl already delta -X509_R_CRL_VERIFY_FAILURE:131:crl verify failure -X509_R_DUPLICATE_ATTRIBUTE:140:duplicate attribute -X509_R_ERROR_GETTING_MD_BY_NID:141:error getting md by nid -X509_R_ERROR_USING_SIGINF_SET:142:error using siginf set -X509_R_IDP_MISMATCH:128:idp mismatch -X509_R_INVALID_ATTRIBUTES:138:invalid attributes -X509_R_INVALID_DIRECTORY:113:invalid directory -X509_R_INVALID_DISTPOINT:143:invalid distpoint -X509_R_INVALID_FIELD_NAME:119:invalid field name -X509_R_INVALID_TRUST:123:invalid trust -X509_R_ISSUER_MISMATCH:129:issuer mismatch -X509_R_KEY_TYPE_MISMATCH:115:key type mismatch -X509_R_KEY_VALUES_MISMATCH:116:key values mismatch -X509_R_LOADING_CERT_DIR:103:loading cert dir -X509_R_LOADING_DEFAULTS:104:loading defaults -X509_R_METHOD_NOT_SUPPORTED:124:method not supported -X509_R_NAME_TOO_LONG:134:name too long -X509_R_NEWER_CRL_NOT_NEWER:132:newer crl not newer -X509_R_NO_CERTIFICATE_FOUND:135:no certificate found -X509_R_NO_CERTIFICATE_OR_CRL_FOUND:136:no certificate or crl found -X509_R_NO_CERT_SET_FOR_US_TO_VERIFY:105:no cert set for us to verify -X509_R_NO_CRL_FOUND:137:no crl found -X509_R_NO_CRL_NUMBER:130:no crl number -X509_R_PUBLIC_KEY_DECODE_ERROR:125:public key decode error -X509_R_PUBLIC_KEY_ENCODE_ERROR:126:public key encode error -X509_R_SHOULD_RETRY:106:should retry -X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN:107:unable to find parameters in chain -X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY:108:unable to get certs public key -X509_R_UNKNOWN_KEY_TYPE:117:unknown key type -X509_R_UNKNOWN_NID:109:unknown nid -X509_R_UNKNOWN_PURPOSE_ID:121:unknown purpose id -X509_R_UNKNOWN_SIGID_ALGS:144:unknown sigid algs -X509_R_UNKNOWN_TRUST_ID:120:unknown trust id -X509_R_UNSUPPORTED_ALGORITHM:111:unsupported algorithm -X509_R_WRONG_LOOKUP_TYPE:112:wrong lookup type -X509_R_WRONG_TYPE:122:wrong type diff --git a/prebuilt/openssl/openssl-3.0.13_files/include/crypto/dherr.h b/prebuilt/openssl/openssl-3.0.13_files/include/crypto/dherr.h deleted file mode 100644 index 519327f7..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/include/crypto/dherr.h +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#ifndef OSSL_CRYPTO_DHERR_H -# define OSSL_CRYPTO_DHERR_H -# pragma once - -# include -# include - -# ifdef __cplusplus -extern "C" { -# endif - -# ifndef OPENSSL_NO_DH - -int ossl_err_load_DH_strings(void); -# endif - -# ifdef __cplusplus -} -# endif -#endif diff --git a/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dh.h b/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dh.h deleted file mode 100644 index 50e0cf54..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dh.h +++ /dev/null @@ -1,332 +0,0 @@ -/* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#ifndef OPENSSL_DH_H -# define OPENSSL_DH_H -# pragma once - -# include -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define HEADER_DH_H -# endif - -# include -# include - -# ifdef __cplusplus -extern "C" { -# endif - -#include - -/* DH parameter generation types used by EVP_PKEY_CTX_set_dh_paramgen_type() */ -# define DH_PARAMGEN_TYPE_GENERATOR 0 /* Use a safe prime generator */ -# define DH_PARAMGEN_TYPE_FIPS_186_2 1 /* Use FIPS186-2 standard */ -# define DH_PARAMGEN_TYPE_FIPS_186_4 2 /* Use FIPS186-4 standard */ -# define DH_PARAMGEN_TYPE_GROUP 3 /* Use a named safe prime group */ - -int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int typ); -int EVP_PKEY_CTX_set_dh_paramgen_gindex(EVP_PKEY_CTX *ctx, int gindex); -int EVP_PKEY_CTX_set_dh_paramgen_seed(EVP_PKEY_CTX *ctx, - const unsigned char *seed, - size_t seedlen); -int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int pbits); -int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int qlen); -int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen); -int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid); -int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int gen); -int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int gen); -int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); - -int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf); -int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx); -int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid); -int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid); -int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); -int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len); -int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len); -int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len); -# ifndef OPENSSL_NO_DEPRECATED_3_0 -OSSL_DEPRECATEDIN_3_0 -int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); -#endif - -# define EVP_PKEY_CTRL_DH_PARAMGEN_PRIME_LEN (EVP_PKEY_ALG_CTRL + 1) -# define EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR (EVP_PKEY_ALG_CTRL + 2) -# define EVP_PKEY_CTRL_DH_RFC5114 (EVP_PKEY_ALG_CTRL + 3) -# define EVP_PKEY_CTRL_DH_PARAMGEN_SUBPRIME_LEN (EVP_PKEY_ALG_CTRL + 4) -# define EVP_PKEY_CTRL_DH_PARAMGEN_TYPE (EVP_PKEY_ALG_CTRL + 5) -# define EVP_PKEY_CTRL_DH_KDF_TYPE (EVP_PKEY_ALG_CTRL + 6) -# define EVP_PKEY_CTRL_DH_KDF_MD (EVP_PKEY_ALG_CTRL + 7) -# define EVP_PKEY_CTRL_GET_DH_KDF_MD (EVP_PKEY_ALG_CTRL + 8) -# define EVP_PKEY_CTRL_DH_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 9) -# define EVP_PKEY_CTRL_GET_DH_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 10) -# define EVP_PKEY_CTRL_DH_KDF_UKM (EVP_PKEY_ALG_CTRL + 11) -# define EVP_PKEY_CTRL_GET_DH_KDF_UKM (EVP_PKEY_ALG_CTRL + 12) -# define EVP_PKEY_CTRL_DH_KDF_OID (EVP_PKEY_ALG_CTRL + 13) -# define EVP_PKEY_CTRL_GET_DH_KDF_OID (EVP_PKEY_ALG_CTRL + 14) -# define EVP_PKEY_CTRL_DH_NID (EVP_PKEY_ALG_CTRL + 15) -# define EVP_PKEY_CTRL_DH_PAD (EVP_PKEY_ALG_CTRL + 16) - -/* KDF types */ -# define EVP_PKEY_DH_KDF_NONE 1 -# define EVP_PKEY_DH_KDF_X9_42 2 - -# ifndef OPENSSL_NO_DH -# include -# include -# include -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include -# endif -# include - -# ifndef OPENSSL_DH_MAX_MODULUS_BITS -# define OPENSSL_DH_MAX_MODULUS_BITS 10000 -# endif - -# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS -# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 -# endif - -# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 - -# define DH_FLAG_CACHE_MONT_P 0x01 - -# define DH_FLAG_TYPE_MASK 0xF000 -# define DH_FLAG_TYPE_DH 0x0000 -# define DH_FLAG_TYPE_DHX 0x1000 - -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -/* - * Does nothing. Previously this switched off constant time behaviour. - */ -# define DH_FLAG_NO_EXP_CONSTTIME 0x00 -# endif - -# ifndef OPENSSL_NO_DEPRECATED_3_0 -/* - * If this flag is set the DH method is FIPS compliant and can be used in - * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its responsibility to ensure the - * result is compliant. - */ - -# define DH_FLAG_FIPS_METHOD 0x0400 - -/* - * If this flag is set the operations normally disabled in FIPS mode are - * permitted it is then the applications responsibility to ensure that the - * usage is compliant. - */ - -# define DH_FLAG_NON_FIPS_ALLOW 0x0400 -# endif - -/* Already defined in ossl_typ.h */ -/* typedef struct dh_st DH; */ -/* typedef struct dh_method DH_METHOD; */ - -DECLARE_ASN1_ITEM(DHparams) - -# ifndef OPENSSL_NO_DEPRECATED_3_0 -# define DH_GENERATOR_2 2 -# define DH_GENERATOR_3 3 -# define DH_GENERATOR_5 5 - -/* DH_check error codes, some of them shared with DH_check_pub_key */ -/* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. - */ -# define DH_CHECK_P_NOT_PRIME 0x01 -# define DH_CHECK_P_NOT_SAFE_PRIME 0x02 -# define DH_UNABLE_TO_CHECK_GENERATOR 0x04 -# define DH_NOT_SUITABLE_GENERATOR 0x08 -# define DH_CHECK_Q_NOT_PRIME 0x10 -# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ -# define DH_CHECK_INVALID_J_VALUE 0x40 -# define DH_MODULUS_TOO_SMALL 0x80 -# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - -/* DH_check_pub_key error codes */ -# define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -# define DH_CHECK_PUBKEY_TOO_LARGE 0x02 -# define DH_CHECK_PUBKEY_INVALID 0x04 - -/* - * primes p where (p-1)/2 is prime too are called "safe"; we define this for - * backward compatibility: - */ -# define DH_CHECK_P_NOT_STRONG_PRIME DH_CHECK_P_NOT_SAFE_PRIME - -# define d2i_DHparams_fp(fp, x) \ - (DH *)ASN1_d2i_fp((char *(*)())DH_new, \ - (char *(*)())d2i_DHparams, \ - (fp), \ - (unsigned char **)(x)) -# define i2d_DHparams_fp(fp, x) \ - ASN1_i2d_fp(i2d_DHparams,(fp), (unsigned char *)(x)) -# define d2i_DHparams_bio(bp, x) \ - ASN1_d2i_bio_of(DH, DH_new, d2i_DHparams, bp, x) -# define i2d_DHparams_bio(bp, x) \ - ASN1_i2d_bio_of(DH, i2d_DHparams, bp, x) - -# define d2i_DHxparams_fp(fp,x) \ - (DH *)ASN1_d2i_fp((char *(*)())DH_new, \ - (char *(*)())d2i_DHxparams, \ - (fp), \ - (unsigned char **)(x)) -# define i2d_DHxparams_fp(fp, x) \ - ASN1_i2d_fp(i2d_DHxparams,(fp), (unsigned char *)(x)) -# define d2i_DHxparams_bio(bp, x) \ - ASN1_d2i_bio_of(DH, DH_new, d2i_DHxparams, bp, x) -# define i2d_DHxparams_bio(bp, x) \ - ASN1_i2d_bio_of(DH, i2d_DHxparams, bp, x) - -DECLARE_ASN1_DUP_FUNCTION_name_attr(OSSL_DEPRECATEDIN_3_0, DH, DHparams) - -OSSL_DEPRECATEDIN_3_0 const DH_METHOD *DH_OpenSSL(void); - -OSSL_DEPRECATEDIN_3_0 void DH_set_default_method(const DH_METHOD *meth); -OSSL_DEPRECATEDIN_3_0 const DH_METHOD *DH_get_default_method(void); -OSSL_DEPRECATEDIN_3_0 int DH_set_method(DH *dh, const DH_METHOD *meth); -OSSL_DEPRECATEDIN_3_0 DH *DH_new_method(ENGINE *engine); - -OSSL_DEPRECATEDIN_3_0 DH *DH_new(void); -OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_up_ref(DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_bits(const DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_size(const DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_security_bits(const DH *dh); - -# define DH_get_ex_new_index(l, p, newf, dupf, freef) \ - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, l, p, newf, dupf, freef) - -OSSL_DEPRECATEDIN_3_0 int DH_set_ex_data(DH *d, int idx, void *arg); -OSSL_DEPRECATEDIN_3_0 void *DH_get_ex_data(const DH *d, int idx); - -OSSL_DEPRECATEDIN_3_0 int DH_generate_parameters_ex(DH *dh, int prime_len, - int generator, - BN_GENCB *cb); - -OSSL_DEPRECATEDIN_3_0 int DH_check_params_ex(const DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_check_ex(const DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key); -OSSL_DEPRECATEDIN_3_0 int DH_check_params(const DH *dh, int *ret); -OSSL_DEPRECATEDIN_3_0 int DH_check(const DH *dh, int *codes); -OSSL_DEPRECATEDIN_3_0 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, - int *codes); -OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_compute_key(unsigned char *key, - const BIGNUM *pub_key, DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_compute_key_padded(unsigned char *key, - const BIGNUM *pub_key, DH *dh); - -DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, DH, DHparams) -DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, DH, DHxparams) - -# ifndef OPENSSL_NO_STDIO -OSSL_DEPRECATEDIN_3_0 int DHparams_print_fp(FILE *fp, const DH *x); -# endif -OSSL_DEPRECATEDIN_3_0 int DHparams_print(BIO *bp, const DH *x); - -/* RFC 5114 parameters */ -OSSL_DEPRECATEDIN_3_0 DH *DH_get_1024_160(void); -OSSL_DEPRECATEDIN_3_0 DH *DH_get_2048_224(void); -OSSL_DEPRECATEDIN_3_0 DH *DH_get_2048_256(void); - -/* Named parameters, currently RFC7919 and RFC3526 */ -OSSL_DEPRECATEDIN_3_0 DH *DH_new_by_nid(int nid); -OSSL_DEPRECATEDIN_3_0 int DH_get_nid(const DH *dh); - -/* RFC2631 KDF */ -OSSL_DEPRECATEDIN_3_0 int DH_KDF_X9_42(unsigned char *out, size_t outlen, - const unsigned char *Z, size_t Zlen, - ASN1_OBJECT *key_oid, - const unsigned char *ukm, - size_t ukmlen, const EVP_MD *md); - -OSSL_DEPRECATEDIN_3_0 void DH_get0_pqg(const DH *dh, const BIGNUM **p, - const BIGNUM **q, const BIGNUM **g); -OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); -OSSL_DEPRECATEDIN_3_0 void DH_get0_key(const DH *dh, const BIGNUM **pub_key, - const BIGNUM **priv_key); -OSSL_DEPRECATEDIN_3_0 int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); -OSSL_DEPRECATEDIN_3_0 const BIGNUM *DH_get0_p(const DH *dh); -OSSL_DEPRECATEDIN_3_0 const BIGNUM *DH_get0_q(const DH *dh); -OSSL_DEPRECATEDIN_3_0 const BIGNUM *DH_get0_g(const DH *dh); -OSSL_DEPRECATEDIN_3_0 const BIGNUM *DH_get0_priv_key(const DH *dh); -OSSL_DEPRECATEDIN_3_0 const BIGNUM *DH_get0_pub_key(const DH *dh); -OSSL_DEPRECATEDIN_3_0 void DH_clear_flags(DH *dh, int flags); -OSSL_DEPRECATEDIN_3_0 int DH_test_flags(const DH *dh, int flags); -OSSL_DEPRECATEDIN_3_0 void DH_set_flags(DH *dh, int flags); -OSSL_DEPRECATEDIN_3_0 ENGINE *DH_get0_engine(DH *d); -OSSL_DEPRECATEDIN_3_0 long DH_get_length(const DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_set_length(DH *dh, long length); - -OSSL_DEPRECATEDIN_3_0 DH_METHOD *DH_meth_new(const char *name, int flags); -OSSL_DEPRECATEDIN_3_0 void DH_meth_free(DH_METHOD *dhm); -OSSL_DEPRECATEDIN_3_0 DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); -OSSL_DEPRECATEDIN_3_0 const char *DH_meth_get0_name(const DH_METHOD *dhm); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set1_name(DH_METHOD *dhm, const char *name); -OSSL_DEPRECATEDIN_3_0 int DH_meth_get_flags(const DH_METHOD *dhm); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_flags(DH_METHOD *dhm, int flags); -OSSL_DEPRECATEDIN_3_0 void *DH_meth_get0_app_data(const DH_METHOD *dhm); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_generate_key(const DH_METHOD *dhm)) (DH *); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_generate_key(DH_METHOD *dhm, - int (*generate_key) (DH *)); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_compute_key(const DH_METHOD *dhm)) - (unsigned char *key, - const BIGNUM *pub_key, - DH *dh); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_compute_key(DH_METHOD *dhm, - int (*compute_key) - (unsigned char *key, - const BIGNUM *pub_key, - DH *dh)); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_bn_mod_exp(const DH_METHOD *dhm)) - (const DH *, BIGNUM *, - const BIGNUM *, - const BIGNUM *, - const BIGNUM *, BN_CTX *, - BN_MONT_CTX *); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_bn_mod_exp(DH_METHOD *dhm, - int (*bn_mod_exp) - (const DH *, BIGNUM *, - const BIGNUM *, const BIGNUM *, - const BIGNUM *, BN_CTX *, - BN_MONT_CTX *)); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_init(const DH_METHOD *dhm))(DH *); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_init(DH_METHOD *dhm, int (*init)(DH *)); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_finish(const DH_METHOD *dhm)) (DH *); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_finish(DH_METHOD *dhm, int (*finish) (DH *)); -OSSL_DEPRECATEDIN_3_0 int (*DH_meth_get_generate_params(const DH_METHOD *dhm)) - (DH *, int, int, - BN_GENCB *); -OSSL_DEPRECATEDIN_3_0 int DH_meth_set_generate_params(DH_METHOD *dhm, - int (*generate_params) - (DH *, int, int, - BN_GENCB *)); -# endif /* OPENSSL_NO_DEPRECATED_3_0 */ - -# ifndef OPENSSL_NO_DEPRECATED_0_9_8 -OSSL_DEPRECATEDIN_0_9_8 DH *DH_generate_parameters(int prime_len, int generator, - void (*callback) (int, int, - void *), - void *cb_arg); -# endif - -# endif -# ifdef __cplusplus -} -# endif -#endif diff --git a/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dherr.h b/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dherr.h deleted file mode 100644 index 074a7014..00000000 --- a/prebuilt/openssl/openssl-3.0.13_files/include/openssl/dherr.h +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#ifndef OPENSSL_DHERR_H -# define OPENSSL_DHERR_H -# pragma once - -# include -# include -# include - - -# ifndef OPENSSL_NO_DH - - -/* - * DH reason codes. - */ -# define DH_R_BAD_FFC_PARAMETERS 127 -# define DH_R_BAD_GENERATOR 101 -# define DH_R_BN_DECODE_ERROR 109 -# define DH_R_BN_ERROR 106 -# define DH_R_CHECK_INVALID_J_VALUE 115 -# define DH_R_CHECK_INVALID_Q_VALUE 116 -# define DH_R_CHECK_PUBKEY_INVALID 122 -# define DH_R_CHECK_PUBKEY_TOO_LARGE 123 -# define DH_R_CHECK_PUBKEY_TOO_SMALL 124 -# define DH_R_CHECK_P_NOT_PRIME 117 -# define DH_R_CHECK_P_NOT_SAFE_PRIME 118 -# define DH_R_CHECK_Q_NOT_PRIME 119 -# define DH_R_DECODE_ERROR 104 -# define DH_R_INVALID_PARAMETER_NAME 110 -# define DH_R_INVALID_PARAMETER_NID 114 -# define DH_R_INVALID_PUBKEY 102 -# define DH_R_INVALID_SECRET 128 -# define DH_R_KDF_PARAMETER_ERROR 112 -# define DH_R_KEYS_NOT_SET 108 -# define DH_R_MISSING_PUBKEY 125 -# define DH_R_MODULUS_TOO_LARGE 103 -# define DH_R_MODULUS_TOO_SMALL 126 -# define DH_R_NOT_SUITABLE_GENERATOR 120 -# define DH_R_NO_PARAMETERS_SET 107 -# define DH_R_NO_PRIVATE_VALUE 100 -# define DH_R_PARAMETER_ENCODING_ERROR 105 -# define DH_R_PEER_KEY_ERROR 111 -# define DH_R_Q_TOO_LARGE 130 -# define DH_R_SHARED_INFO_ERROR 113 -# define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - -# endif -#endif diff --git a/prebuilt/openssl/openssl.CVE-2023-5678.patch b/prebuilt/openssl/openssl.CVE-2023-5678.patch deleted file mode 100644 index afb23ade..00000000 --- a/prebuilt/openssl/openssl.CVE-2023-5678.patch +++ /dev/null @@ -1,177 +0,0 @@ -From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) - -(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7f..e20eb62081 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 4152397426..f76ac0dd14 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241..afc49f5cdc 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e51504b7ab..36de321b74 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb..519327f795 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6533260f20..50e0cf54be 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. -@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96..074a70145f 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - --- -2.34.1 - diff --git a/tools/PCKRetrievalTool/App/App.cpp b/tools/PCKRetrievalTool/App/App.cpp index e6f8766e..a34710d5 100644 --- a/tools/PCKRetrievalTool/App/App.cpp +++ b/tools/PCKRetrievalTool/App/App.cpp @@ -74,7 +74,8 @@ void PrintHelp() { printf( " -user_token token_string - user token to access the cache server \n"); printf( " -proxy_type proxy_type - proxy setting when access the cache server \n"); printf( " -proxy_url proxy_server_address - proxy server's address \n"); - printf( " -use_secure_cert [true | false] - accept secure/insecure https cert, default value is true \n"); + printf( " -use_secure_cert {true | false} - accept secure/insecure https cert, default value is true \n"); + printf( " -tcb_update_type {standard, early, all} - update type for tcb material, default value is standard \n"); printf( " -platform_id \"platform_id_string\" - in this mode, enclave is not needed to load, but platform id need to input\n"); printf( " -? - show command help\n"); printf( " -h - show command help\n"); @@ -134,6 +135,7 @@ std::string user_token_string = ""; std::string use_secure_cert_string = ""; std::string output_filename = ""; std::string platform_id_string = ""; +std::string tcb_update_type_string = ""; bool non_enclave_mode = false; // Use secure HTTPS certificate or not bool g_use_secure_cert = true; @@ -253,6 +255,22 @@ int parse_arg(int argc, const char *argv[]) continue; } } + else if (strncmp(argv[i], "-tcb_update_type",16) == 0) { + if (i == argc - 1 || argv[i+1][0] == '-') { + fprintf(stderr, "No tcb update type was provided for -tcb_update_type\n"); + return -1; + } + else { + tcb_update_type_string = argv[i + 1]; + std::transform(tcb_update_type_string.begin(), tcb_update_type_string.end(), tcb_update_type_string.begin(), toUpper); + if (!is_valid_tcb_update_type(tcb_update_type_string)) { + fprintf(stderr, "Invalid tcb_update_type: %s\n", tcb_update_type_string.c_str()); + return -1; + } + i++; + continue; + } + } else { fprintf(stderr, "unknown option %s\n", argv[i]); return -1; diff --git a/tools/PCKRetrievalTool/App/inc/utility.h b/tools/PCKRetrievalTool/App/inc/utility.h index afaa8aac..840bf760 100644 --- a/tools/PCKRetrievalTool/App/inc/utility.h +++ b/tools/PCKRetrievalTool/App/inc/utility.h @@ -60,6 +60,7 @@ #include #include +#include "network_wrapper.h" typedef enum { UEFI_OPERATION_SUCCESS = 0, @@ -94,6 +95,15 @@ bool is_valid_proxy_type(std::string& proxy_type); bool is_valid_use_secure_cert(std::string& use_secure_cert); +bool is_valid_tcb_update_type(std::string& tcb_update_type); + + +network_post_error_t generate_json_message_body(const uint8_t *raw_data, + const uint32_t raw_data_size, + const uint16_t platform_id_length, + const bool non_enclave_mode, + std::string &jsonString); + #ifdef _MSC_VER bool get_program_path(TCHAR *p_file_path, size_t buf_size); #else diff --git a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp index 8019554a..171e078f 100644 --- a/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp +++ b/tools/PCKRetrievalTool/App/linux/network_wrapper.cpp @@ -65,6 +65,7 @@ extern string proxy_type_string; extern string proxy_url_string; extern string user_token_string; extern string use_secure_cert_string; +extern string tcb_update_type_string; typedef enum _network_proxy_type { DIRECT = 0, @@ -75,75 +76,6 @@ typedef enum _network_proxy_type { // Use secure HTTPS certificate or not extern bool g_use_secure_cert; -/** -* Method converts byte containing value from 0x00-0x0F into its corresponding ASCII code, -* e.g. converts 0x00 to '0', 0x0A to 'A'. -* Note: This is mainly a helper method for internal use in byte_array_to_hex_string(). -* -* @param in byte to be converted (allowed values: 0x00-0x0F) -* -* @return ASCII code representation of the byte or 0 if method failed (e.g input value was not in provided range). -*/ -static uint8_t convert_value_to_ascii(uint8_t in) -{ - if(in <= 0x09) - { - return (uint8_t)(in + '0'); - } - else if(in <= 0x0F) - { - return (uint8_t)(in - 10 + 'A'); - } - - return 0; -} - -//Function to do HEX encoding of array of bytes -//@param in_buf, bytes array whose length is in_size -// out_buf, output the HEX encoding of in_buf on success. -//@return true on success and false on error -//The out_size must always be 2*in_size since each byte into encoded by 2 characters -static bool byte_array_to_hex_string(const uint8_t *in_buf, uint32_t in_size, uint8_t *out_buf, uint32_t out_size) -{ - if(in_size>UINT32_MAX/2)return false; - if(in_buf==NULL||out_buf==NULL|| out_size!=in_size*2 )return false; - - for(uint32_t i=0; i< in_size; i++) - { - *out_buf++ = convert_value_to_ascii( static_cast(*in_buf >> 4)); - *out_buf++ = convert_value_to_ascii( static_cast(*in_buf & 0xf)); - in_buf++; - } - return true; -} - - - -/** -* This function appends request parameters of byte array type to the URL in HEX string format -* -* @param url Request URL -* @param request Request parameter in byte array -* @param request_size Size of byte array -* -* @return true If the byte array was appended to the URL successfully -*/ -network_post_error_t append_body_context(string& url, const uint8_t* request, const uint32_t request_size) -{ - if (request_size >= UINT32_MAX / 2) - return POST_INVALID_PARAMETER_ERROR; - - uint8_t* hex = (uint8_t*)malloc(request_size * 2); - if (!hex) - return POST_OUT_OF_MEMORY_ERROR; - if (!byte_array_to_hex_string(request, request_size, hex, request_size*2)){ - free(hex); - return POST_UNEXPECTED_ERROR; - } - url.append(reinterpret_cast(hex), request_size*2); - free(hex); - return POST_SUCCESS; -} static size_t write_callback(void *ptr, size_t size, size_t nmemb, void *stream) @@ -236,6 +168,12 @@ static bool process_configuration_setting(const char *config_file_name, string& user_token = value; } } + else if (name.compare("TCB_UPDATE_TYPE") == 0){ + if(tcb_update_type_string.empty() == true) { + std::transform(value.begin(), value.end(), value.begin(), ::toupper); + tcb_update_type_string = value; + } + } else { continue; } @@ -257,6 +195,14 @@ static bool process_configuration_setting(const char *config_file_name, string& } } + + if(tcb_update_type_string.compare("EARLY") == 0) { + url = url + "?update=early"; + } + else if(tcb_update_type_string.compare("ALL") == 0) { + url = url + "?update=all"; + } + return ret; } @@ -287,77 +233,6 @@ static void network_configuration(string &url, string &proxy_type, string &proxy } -static network_post_error_t generate_json_message_body(const uint8_t *raw_data, - const uint32_t raw_data_size, - const uint16_t platform_id_length, - const bool non_enclave_mode, - string &jsonString) -{ - network_post_error_t ret = POST_SUCCESS; - const uint8_t *position = raw_data; - - jsonString = "{"; - - if(true == non_enclave_mode){ - jsonString += "\"pce_id\": \""; - if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"qe_id\": \""; - position = position + PCE_ID_LENGTH; - if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"platform_manifest\": \""; - position = position + platform_id_length; - if ((ret = append_body_context(jsonString, position, raw_data_size - PCE_ID_LENGTH - platform_id_length)) != POST_SUCCESS) { - return ret; - } - } - else { - uint32_t left_size = raw_data_size - platform_id_length - CPU_SVN_LENGTH - ISV_SVN_LENGTH - PCE_ID_LENGTH - ENCRYPTED_PPID_LENGTH; - jsonString += "\"enc_ppid\": \""; - if ((ret = append_body_context(jsonString, position, ENCRYPTED_PPID_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"pce_id\": \""; - position = position + ENCRYPTED_PPID_LENGTH; - if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { - return ret; - } - jsonString += "\" ,\"cpu_svn\": \""; - position = position + PCE_ID_LENGTH; - if ((ret = append_body_context(jsonString, position, CPU_SVN_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"pce_svn\": \""; - position = position + CPU_SVN_LENGTH; - if ((ret = append_body_context(jsonString, position, ISV_SVN_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"qe_id\": \""; - position = position + ISV_SVN_LENGTH; - if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"platform_manifest\": \""; - if (left_size != 0) { - position = position + platform_id_length; - if ((ret = append_body_context(jsonString, position, left_size)) != POST_SUCCESS) { - return ret; - } - } - } - jsonString += "\" }"; - return ret; -} - /** * This method calls curl library to perform https post requet: diff --git a/tools/PCKRetrievalTool/App/utility.cpp b/tools/PCKRetrievalTool/App/utility.cpp index c8b8f8b9..b2c9307a 100644 --- a/tools/PCKRetrievalTool/App/utility.cpp +++ b/tools/PCKRetrievalTool/App/utility.cpp @@ -446,7 +446,10 @@ uefi_status_t set_registration_status() status.registrationStatus = MP_TASK_COMPLETED; status.errorCode = MPA_SUCCESS; mpResult = p_mp_uefi_set_registration_status(&status); - if (mpResult != MP_SUCCESS) { + if (mpResult == MP_INSUFFICIENT_PRIVILEGES) { + printf("Warning: the UEFI variable was in read-only mode, could NOT write it. \n"); + } + else if (mpResult != MP_SUCCESS) { printf("Warning: error occurred while setting registration status, the error code is: %d \n", mpResult); } else { @@ -652,3 +655,154 @@ bool is_valid_use_secure_cert(std::string& use_secure_cert) { return false; } } + +bool is_valid_tcb_update_type(std::string& tcb_update_type) { + if (tcb_update_type.compare("STANDARD") == 0 || + tcb_update_type.compare("EARLY") == 0 || + tcb_update_type.compare("ALL") == 0 ) { + return true; + } + else { + return false; + } +} + + +/** +* Method converts byte containing value from 0x00-0x0F into its corresponding ASCII code, +* e.g. converts 0x00 to '0', 0x0A to 'A'. +* Note: This is mainly a helper method for internal use in byte_array_to_hex_string(). +* +* @param in byte to be converted (allowed values: 0x00-0x0F) +* +* @return ASCII code representation of the byte or 0 if method failed (e.g input value was not in provided range). +*/ +uint8_t convert_value_to_ascii(uint8_t in) +{ + if (in <= 0x09) + { + return (uint8_t)(in + '0'); + } + else if (in <= 0x0F) + { + return (uint8_t)(in - 10 + 'A'); + } + + return 0; +} + +//Function to do HEX encoding of array of bytes +//@param in_buf, bytes array whose length is in_size +// out_buf, output the HEX encoding of in_buf on success. +//@return true on success and false on error +//The out_size must always be 2*in_size since each byte into encoded by 2 characters +bool byte_array_to_hex_string(const uint8_t *in_buf, uint32_t in_size, uint8_t *out_buf, uint32_t out_size) +{ + if (in_size>UINT32_MAX / 2)return false; + if (in_buf == NULL || out_buf == NULL || out_size != in_size * 2)return false; + + for (uint32_t i = 0; i< in_size; i++) + { + *out_buf++ = convert_value_to_ascii(static_cast(*in_buf >> 4)); + *out_buf++ = convert_value_to_ascii(static_cast(*in_buf & 0xf)); + in_buf++; + } + return true; +} + + +/** +* This function appends request parameters of byte array type to the UR in HEX string format +* +* @param url Request UR +* @param request Request parameter in byte array +* @param request_size Size of byte array +* +* @return true If the byte array was appended to the UR successfully +*/ +network_post_error_t append_body_context(string& url, const uint8_t* request, const uint32_t request_size) +{ + if (request_size >= UINT32_MAX / 2) + return POST_INVALID_PARAMETER_ERROR; + + uint8_t* hex = (uint8_t*)malloc(request_size * 2); + if (!hex) + return POST_OUT_OF_MEMORY_ERROR; + if (!byte_array_to_hex_string(request, request_size, hex, request_size * 2)) { + free(hex); + return POST_UNEXPECTED_ERROR; + } + url.append(reinterpret_cast(hex), request_size * 2); + free(hex); + return POST_SUCCESS; +} + +network_post_error_t generate_json_message_body(const uint8_t *raw_data, + const uint32_t raw_data_size, + const uint16_t platform_id_length, + const bool non_enclave_mode, + string &jsonString) +{ + network_post_error_t ret = POST_SUCCESS; + const uint8_t *position = raw_data; + + jsonString = "{"; + if (true == non_enclave_mode) { + jsonString += "\"pce_id\": \""; + if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { + return ret; + } + jsonString += "\" ,\"qe_id\": \""; + position = position + PCE_ID_LENGTH; + if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { + return ret; + } + + jsonString += "\" ,\"platform_manifest\": \""; + position = position + platform_id_length; + if ((ret = append_body_context(jsonString, position, raw_data_size - PCE_ID_LENGTH - platform_id_length)) != POST_SUCCESS) { + return ret; + } + } + else { + uint32_t left_size = raw_data_size - platform_id_length - CPU_SVN_LENGTH - ISV_SVN_LENGTH - PCE_ID_LENGTH - ENCRYPTED_PPID_LENGTH; + jsonString += "\"enc_ppid\": \""; + if ((ret = append_body_context(jsonString, position, ENCRYPTED_PPID_LENGTH)) != POST_SUCCESS) { + return ret; + } + + jsonString += "\" ,\"pce_id\": \""; + position = position + ENCRYPTED_PPID_LENGTH; + if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { + return ret; + } + jsonString += "\" ,\"cpu_svn\": \""; + position = position + PCE_ID_LENGTH; + if ((ret = append_body_context(jsonString, position, CPU_SVN_LENGTH)) != POST_SUCCESS) { + return ret; + } + + jsonString += "\" ,\"pce_svn\": \""; + position = position + CPU_SVN_LENGTH; + if ((ret = append_body_context(jsonString, position, ISV_SVN_LENGTH)) != POST_SUCCESS) { + return ret; + } + + jsonString += "\" ,\"qe_id\": \""; + position = position + ISV_SVN_LENGTH; + if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { + return ret; + } + + jsonString += "\" ,\"platform_manifest\": \""; + if (left_size != 0) { + position = position + platform_id_length; + if ((ret = append_body_context(jsonString, position, left_size)) != POST_SUCCESS) { + return ret; + } + } + + } + jsonString += "\" }"; + return ret; +} diff --git a/tools/PCKRetrievalTool/App/win/network_wrapper.cpp b/tools/PCKRetrievalTool/App/win/network_wrapper.cpp index a8e0484d..693fa11a 100644 --- a/tools/PCKRetrievalTool/App/win/network_wrapper.cpp +++ b/tools/PCKRetrievalTool/App/win/network_wrapper.cpp @@ -70,6 +70,7 @@ extern string proxy_type_string; extern string proxy_url_string ; extern string user_token_string ; extern string use_secure_cert_string ; +extern string tcb_update_type_string; static network_post_error_t windows_last_error_to_network_post_error(void) { @@ -174,13 +175,19 @@ static bool process_configuration_setting(const char *config_file_name, string& user_token = value; } } + else if (name.compare("TCB_UPDATE_TYPE") == 0){ + if(tcb_update_type_string.empty() == true) { + std::transform(value.begin(), value.end(), value.begin(), [](auto ch) {return static_cast(::towupper(ch)); }); + tcb_update_type_string = value; + } + } else { continue; } } } else { - config_file_exist = false; + config_file_exist = false; if (proxy_type_string.compare("DIRECT") == 0 || proxy_type_string.compare("direct") == 0) { proxy_type = PROXY_TYPE_DIRECT_ACCESS; @@ -195,8 +202,7 @@ static bool process_configuration_setting(const char *config_file_name, string& proxy_type = PROXY_TYPE_DEFAULT_PROXY; } - - if(server_url_string.empty() == false) { + if(server_url_string.empty() == false) { url = server_url_string + "/sgx/certification/v4/platforms"; } ret = false; @@ -207,6 +213,14 @@ static bool process_configuration_setting(const char *config_file_name, string& url = server_url_string + "/sgx/certification/v4/platforms"; } } + + if(tcb_update_type_string.compare("EARLY") == 0) { + url = url + "?update=early"; + } + else if(tcb_update_type_string.compare("ALL") == 0) { + url = url + "?update=all"; + } + return ret; } @@ -219,145 +233,6 @@ static void network_configuration(string &url, ProxyType &proxy_type, string &pr process_configuration_setting(LOCAL_NETWORK_SETTING, url, proxy_type, proxy_url, user_token); } -/** -* Method converts byte containing value from 0x00-0x0F into its corresponding ASCII code, -* e.g. converts 0x00 to '0', 0x0A to 'A'. -* Note: This is mainly a helper method for internal use in byte_array_to_hex_string(). -* -* @param in byte to be converted (allowed values: 0x00-0x0F) -* -* @return ASCII code representation of the byte or 0 if method failed (e.g input value was not in provided range). -*/ -static uint8_t convert_value_to_ascii(uint8_t in) -{ - if (in <= 0x09) - { - return (uint8_t)(in + '0'); - } - else if (in <= 0x0F) - { - return (uint8_t)(in - 10 + 'A'); - } - - return 0; -} - -//Function to do HEX encoding of array of bytes -//@param in_buf, bytes array whose length is in_size -// out_buf, output the HEX encoding of in_buf on success. -//@return true on success and false on error -//The out_size must always be 2*in_size since each byte into encoded by 2 characters -static bool byte_array_to_hex_string(const uint8_t *in_buf, uint32_t in_size, uint8_t *out_buf, uint32_t out_size) -{ - if (in_size>UINT32_MAX / 2)return false; - if (in_buf == NULL || out_buf == NULL || out_size != in_size * 2)return false; - - for (uint32_t i = 0; i< in_size; i++) - { - *out_buf++ = convert_value_to_ascii(static_cast(*in_buf >> 4)); - *out_buf++ = convert_value_to_ascii(static_cast(*in_buf & 0xf)); - in_buf++; - } - return true; -} - - -/** -* This function appends request parameters of byte array type to the UR in HEX string format -* -* @param url Request UR -* @param request Request parameter in byte array -* @param request_size Size of byte array -* -* @return true If the byte array was appended to the UR successfully -*/ -static network_post_error_t append_body_context(string& url, const uint8_t* request, const uint32_t request_size) -{ - if (request_size >= UINT32_MAX / 2) - return POST_INVALID_PARAMETER_ERROR; - - uint8_t* hex = (uint8_t*)malloc(request_size * 2); - if (!hex) - return POST_OUT_OF_MEMORY_ERROR; - if (!byte_array_to_hex_string(request, request_size, hex, request_size * 2)) { - free(hex); - return POST_UNEXPECTED_ERROR; - } - url.append(reinterpret_cast(hex), request_size * 2); - free(hex); - return POST_SUCCESS; -} - -static network_post_error_t generate_json_message_body(const uint8_t *raw_data, - const uint32_t raw_data_size, - const uint16_t platform_id_length, - const bool non_enclave_mode, - string &jsonString) -{ - network_post_error_t ret = POST_SUCCESS; - const uint8_t *position = raw_data; - - jsonString = "{"; - if (true == non_enclave_mode) { - jsonString += "\"pce_id\": \""; - if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { - return ret; - } - jsonString += "\" ,\"qe_id\": \""; - position = position + PCE_ID_LENGTH; - if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"platform_manifest\": \""; - position = position + platform_id_length; - if ((ret = append_body_context(jsonString, position, raw_data_size - PCE_ID_LENGTH - platform_id_length)) != POST_SUCCESS) { - return ret; - } - } - else { - uint32_t left_size = raw_data_size - platform_id_length - CPU_SVN_LENGTH - ISV_SVN_LENGTH - PCE_ID_LENGTH - ENCRYPTED_PPID_LENGTH; - jsonString += "\"enc_ppid\": \""; - if ((ret = append_body_context(jsonString, position, ENCRYPTED_PPID_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"pce_id\": \""; - position = position + ENCRYPTED_PPID_LENGTH; - if ((ret = append_body_context(jsonString, position, PCE_ID_LENGTH)) != POST_SUCCESS) { - return ret; - } - jsonString += "\" ,\"cpu_svn\": \""; - position = position + PCE_ID_LENGTH; - if ((ret = append_body_context(jsonString, position, CPU_SVN_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"pce_svn\": \""; - position = position + CPU_SVN_LENGTH; - if ((ret = append_body_context(jsonString, position, ISV_SVN_LENGTH)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"qe_id\": \""; - position = position + ISV_SVN_LENGTH; - if ((ret = append_body_context(jsonString, position, platform_id_length)) != POST_SUCCESS) { - return ret; - } - - jsonString += "\" ,\"platform_manifest\": \""; - if (left_size != 0) { - position = position + platform_id_length; - if ((ret = append_body_context(jsonString, position, left_size)) != POST_SUCCESS) { - return ret; - } - } - - } - jsonString += "\" }"; - return ret; -} - network_post_error_t network_https_post(const uint8_t* raw_data, const uint32_t raw_data_size, const uint16_t platform_id_length, const bool non_enclave_mode) { if (raw_data_size < platform_id_length + static_cast(PCE_ID_LENGTH )) { diff --git a/tools/PCKRetrievalTool/README.build b/tools/PCKRetrievalTool/README.build index eedaf6a9..909a0510 100644 --- a/tools/PCKRetrievalTool/README.build +++ b/tools/PCKRetrievalTool/README.build @@ -27,7 +27,8 @@ Options: -user_token token_string - user token to access the cache server -proxy_type proxy_type - proxy setting when access the cache server -proxy_url proxy_server_address - proxy server's address - -use_secure_cert [true | false] - accept secure/insecure https cert,default value is true + -use_secure_cert {true | false} - accept secure/insecure https cert,default value is true + -tcb_update_type {stardard, early,all} - update type for tcb material,default value is stardard -platform_id \"platform_id_string\" - in this mode, enclave is not needed to load, but platform id need to input -? - show command help -h - show command help diff --git a/tools/PCKRetrievalTool/README.txt b/tools/PCKRetrievalTool/README.txt index aff879bc..dfe7e5ca 100644 --- a/tools/PCKRetrievalTool/README.txt +++ b/tools/PCKRetrievalTool/README.txt @@ -42,7 +42,8 @@ Options: -user_token token_string - user token to access the cache server -proxy_type proxy_type - proxy setting when access the cache server -proxy_url proxy_server_address - proxy server's address - -use_secure_cert [true | false] - accept secure/insecure https cert,default value is true + -use_secure_cert {true | false} - accept secure/insecure https cert,default value is true + -tcb_update_type {stardard,early,all} - update type for tcb material,default value is stardard -platform_id \"platform_id_string\" - in this mode, enclave is not needed to load, but platform id need to input -? - show command help -h - show command help diff --git a/tools/PCKRetrievalTool/installer/deb/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool-1.0/debian/control b/tools/PCKRetrievalTool/installer/deb/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool-1.0/debian/control index a113fe78..892ee15a 100644 --- a/tools/PCKRetrievalTool/installer/deb/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool-1.0/debian/control +++ b/tools/PCKRetrievalTool/installer/deb/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool-1.0/debian/control @@ -9,6 +9,6 @@ Homepage: https://github.com/intel/SGXDataCenterAttestationPrimitives Package: sgx-pck-id-retrieval-tool Architecture: amd64 Depends: ${shlibs:Depends}, ${misc:Depends} -Recommends: libsgx-urts (>= 2.23), libsgx-ae-pce (>= @dep_version@),libsgx-ae-id-enclave (>=@dep_version@), libsgx-ra-uefi (>= @dep_version@) +Recommends: libsgx-urts (>= 2.24), libsgx-ae-pce (>= @dep_version@),libsgx-ae-id-enclave (>=@dep_version@), libsgx-ra-uefi (>= @dep_version@) Description: Intel(R) Software Guard Extensions: this tool is used to collect the platform information to retrieve the PCK certs from PCS(Provisioning Certification Server) diff --git a/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool.spec b/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool.spec index ba7ed93f..daa632b3 100644 --- a/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool.spec +++ b/tools/PCKRetrievalTool/installer/rpm/sgx-pck-id-retrieval-tool/sgx-pck-id-retrieval-tool.spec @@ -37,7 +37,7 @@ Version: @version@ Release: 1%{?dist} Summary: Intel(R) Software Guard Extensions:this tool is used to collect the platform information to retrieve the PCK certs from PCS(Provisioning Certification Server) Group: Development/System -Recommends: libsgx-urts >= 2.23, libsgx-ae-pce >= %{version}-%{release}, libsgx-ae-id-enclave >= %{version}-%{release},libsgx-ra-uefi >= %{version}-%{release} +Recommends: libsgx-urts >= 2.24, libsgx-ae-pce >= %{version}-%{release}, libsgx-ae-id-enclave >= %{version}-%{release},libsgx-ra-uefi >= %{version}-%{release} License: BSD License URL: https://github.com/intel/SGXDataCenterAttestationPrimitives diff --git a/tools/PCKRetrievalTool/network_setting.conf b/tools/PCKRetrievalTool/network_setting.conf index cb3e52b7..b59e4f4c 100644 --- a/tools/PCKRetrievalTool/network_setting.conf +++ b/tools/PCKRetrievalTool/network_setting.conf @@ -3,9 +3,11 @@ # support V3 version PCCS #PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms # support V4 version PCCS -#PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms +PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms # To accept insecure HTTPS cert, set this option to FALSE -#USE_SECURE_CERT=TRUE +USE_SECURE_CERT=FALSE +# When PCCS running in REQ mode, set "tcb update type": STANDARD, EARLY or ALL +#TCB_UPDATE_TYPE=EARLY ############################################################### diff --git a/tools/PccsAdminTool/README.txt b/tools/PccsAdminTool/README.txt index 4b6c41b5..22eb80d9 100644 --- a/tools/PccsAdminTool/README.txt +++ b/tools/PccsAdminTool/README.txt @@ -39,21 +39,25 @@ optional arguments: -u URL, --url URL The URL of the Intel PCS service; default: https://api.trustedservices.intel.com/sgx/certification/v4/ -p PLATFORM, --platform PLATFORM Specify what kind of platform you want to fetch FMSPCs and tcbinfos for; default: all", choices=['all','client','E3','E5'] + -t {standard,early,all}, --tcb_update_type {standard,early,all} + Type of update to TCB info and enclave identities; default: standard -c, --crl Retrieve only the certificate revocation list (CRL). If an input file is provided, this option will be ignored. 3. Put platform collateral data or appraisal policy files to PCCS cache db ./pccsadmin.py put [-h] [-u URL] [-i INPUT_FILE] [-d] [-f FMSPC] This put command supports the following formats([] means optional): - 1) pccsadmin put [-u https://localhost:8081/sgx/certification/v4/platformcollateral] [-i your_collateral_file] - 2) pccsamdin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i your_policy_file + 1) pccsadmin put [-u https://localhost:8081/sgx/certification/v4/platformcollateral] [-i collateral_file(*.json)] + 2) pccsamdin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i policy_file(*.jwt) optional arguments: -h, --help show this help message and exit -u URL, --url URL The URL of the PCCS's PUT collateral API; default: https://localhost:8081/sgx/certification/v4/platformcollateral -i INPUT_FILE, --input_file INPUT_FILE - The input file name for platform collaterals; default: platform_collaterals.json + The input file name for platform collaterals or appraisal policy; + For /platformcollateral API, default is platform_collaterals.json; + For /appraisalpolicy API, the filename of the jwt file must be provided explicitly. -d, --default This policy will become the default policy for this FMSPC. -f FMSPC, --fmspc FMSPC FMSPC value diff --git a/tools/PccsAdminTool/lib/intelsgx/credential.py b/tools/PccsAdminTool/lib/intelsgx/credential.py index fb94633a..638cd88e 100644 --- a/tools/PccsAdminTool/lib/intelsgx/credential.py +++ b/tools/PccsAdminTool/lib/intelsgx/credential.py @@ -9,6 +9,7 @@ class Credentials: def get_admin_token(self): admin_token = "" try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN) except keyring.errors.KeyringError as ke: admin_token = "" @@ -25,6 +26,7 @@ def get_admin_token(self): def set_admin_token(self, token): try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token) except keyring.errors.PasswordSetError as ke: print("Failed to store admin token.") @@ -34,6 +36,7 @@ def set_admin_token(self, token): def get_pcs_api_key(self): pcs_api_key = "" try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") pcs_api_key = keyring.get_password(self.APPNAME, self.KEY_PCS_APIKEY) except keyring.errors.KeyringError as ke: pcs_api_key = "" @@ -50,6 +53,7 @@ def get_pcs_api_key(self): def set_pcs_api_key(self, apikey): try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") keyring.set_password(self.APPNAME, self.KEY_PCS_APIKEY, apikey) except keyring.errors.PasswordSetError as ke: print("Failed to store PCS API key.") diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py index 2e158fb8..9f1d2245 100644 --- a/tools/PccsAdminTool/lib/intelsgx/pcs.py +++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py @@ -136,7 +136,9 @@ def verify_cert_trust(self, pychain, pycerts): store_ctx= crypto.X509StoreContext(store, pycert) try: store_ctx.verify_certificate() - except crypto.X509StoreContextError: + except crypto.X509StoreContextError as e: + # Printing or logging the error details + print(e) return False return True @@ -432,7 +434,6 @@ def get_pck_certs(self, eppid, pceid, platform_manifest, dec=None): return None # Validate the certificates with signer - chain= parse.unquote( response.headers[PCS.HDR_PCK_Certificate_Issuer_Chain] ) @@ -558,10 +559,10 @@ def get_fmspcs(self, platform, dec=None): # PCS: Get TCB Info #---------------------------------------------------------------------------- - def get_tcb_info(self, fmspc, type, dec=None): + def get_tcb_info(self, fmspc, type, update, dec=None): self.clear_errors() url= self._geturl('tcb', type) - url+= "?fmspc={:s}".format(fmspc) + url+= "?fmspc={:s}&update={:s}".format(fmspc,update) response= self._get_request(url, False) if response.status_code != 200: @@ -635,13 +636,14 @@ def get_tcb_info(self, fmspc, type, dec=None): # PCS: Get QE/QVE/TD_QE Identity #---------------------------------------------------------------------------- - def get_enclave_identity(self, name, dec=None): + def get_enclave_identity(self, name, update, dec=None): self.clear_errors() if name == 'tdqe': url= self._geturl('qe/identity', 'tdx') else: url= self._geturl(name + '/identity', 'sgx') + url+= "?update={:s}".format(update) response= self._get_request(url, False) if response.status_code != 200: diff --git a/tools/PccsAdminTool/pccsadmin.py b/tools/PccsAdminTool/pccsadmin.py index bbd26083..9be59edb 100755 --- a/tools/PccsAdminTool/pccsadmin.py +++ b/tools/PccsAdminTool/pccsadmin.py @@ -37,13 +37,15 @@ def main(): # subparser for put description_put = ( "This put command supports the following formats([] means optional):\n" - "1. pccsadmin put [-u https://localhost:8081/sgx/certification/v4/platformcollateral] [-i your_collateral_file]\n" - "2. pccsamdin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i your_policy_file" + "1. pccsadmin put [-u https://localhost:8081/sgx/certification/v4/platformcollateral] [-i collateral_file(*.json)]\n" + "2. pccsamdin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy [-d] -f fmspc -i policy_file(*.jwt)" ) parser_put = subparsers.add_parser('put', description=description_put, formatter_class=argparse.RawTextHelpFormatter) # add optional arguments for put parser_put.add_argument("-u", "--url", help="The URL of the PCCS's API; default: https://localhost:8081/sgx/certification/v4/platformcollateral") - parser_put.add_argument("-i", "--input_file", help="The input file name for platform collaterals or appraisal policy; default: platform_collaterals.json") + parser_put.add_argument("-i", "--input_file", help="The input file name for platform collaterals or appraisal policy;\ + \nFor /platformcollateral API, default is platform_collaterals.json;\ + \nFor /appraisalpolicy API, the filename of the jwt file must be provided explicitly.") parser_put.add_argument("-d", "--default", help="This policy will become the default policy for this FMSPC.", action="store_true") parser_put.add_argument('-f', '--fmspc', type=str, help="FMSPC value") parser_put.set_defaults(func=pccs_put) @@ -55,6 +57,7 @@ def main(): parser_fetch.add_argument("-i", "--input_file", help="The input file name for platform list; default: platform_list.json") parser_fetch.add_argument("-o", "--output_file", help="The output file name for platform collaterals; default: platform_collaterals.json") parser_fetch.add_argument("-p", "--platform", help="Specify what kind of platform you want to fetch FMSPCs and tcbinfos for; default: all", choices=['all','client','E3','E5']) + parser_fetch.add_argument("-t", "--tcb_update_type", help="Type of update to TCB info and enclave identities; default: standard", choices=['standard','early','all']) parser_fetch.add_argument("-c", "--crl", help="Retrieve only the certificate revocation list (CRL). If an input file is provided, this option will be ignored.", action="store_true") parser_fetch.set_defaults(func=pcs_fetch) @@ -308,6 +311,7 @@ def __init__(self, credentials, args): self.input_file = args.input_file or 'platform_list.json' self.output_file = args.output_file or 'platform_collaterals.json' self.fmspc_platform = args.platform or 'all' + self.tcb_update_type = args.tcb_update_type or 'standard' self.crl_only = bool(args.crl and not args.input_file) self.apikey = "" if not self.crl_only: @@ -331,12 +335,12 @@ def fetch_collateral(self): return if not self._fetch_tcbinfos(): return - if not self._fetch_qeidentity(): + if not self._fetch_identity('qe'): return if self.ApiVersion >= 4: - if not self._fetch_tdqeidentity(): + if not self._fetch_identity('tdqe'): return - if not self._fetch_qveidentity(): + if not self._fetch_identity('qve'): return self._write_output_json() except Exception as e: @@ -464,52 +468,55 @@ def _fetch_tcbinfos(self): for fmspc in fmspcs: self.fmspc_set.add(fmspc['fmspc']) + updates = ['standard', 'early'] if self.tcb_update_type == 'all' else [self.tcb_update_type] # output.collaterals.tcbinfos for fmspc in self.fmspc_set: - # tcbinfo : [tcbinfo, chain] - sgx_tcbinfo = self.pcsclient.get_tcb_info(fmspc, 'sgx', 'ascii') tcbinfoJson = {"fmspc" : fmspc} - if sgx_tcbinfo != None: - if self.ApiVersion >= 4: - tcbinfoJson['sgx_tcbinfo'] = json.loads(sgx_tcbinfo[0]) + for update in updates: + # tcbinfo : [tcbinfo, chain] + sgx_tcbinfo = self.pcsclient.get_tcb_info(fmspc, 'sgx', update, 'ascii') + + if sgx_tcbinfo is None: + if update == 'standard': + print(f"Failed to get SGXtcbinfo for FMSPC:{fmspc}") + return False + continue + + # Handling different keys based on update type and ApiVersion + key_suffix = '_early' if update == 'early' else '' + if self.ApiVersion >= 4: + tcbinfo_key = f'sgx_tcbinfo{key_suffix}' else: - tcbinfoJson['tcbinfo'] = json.loads(sgx_tcbinfo[0]) - else: - print("Failed to get SGXtcbinfo for FMSPC:%s" %(fmspc)) - return False - # TDX tcbinfo is optional - if self.ApiVersion >= 4: - tdx_tcbinfo = self.pcsclient.get_tcb_info(fmspc, 'tdx', 'ascii') - if tdx_tcbinfo != None: - tcbinfoJson['tdx_tcbinfo'] = json.loads(tdx_tcbinfo[0]) - self.output_json["collaterals"]["tcbinfos"].append(tcbinfoJson) - if self.output_json["collaterals"]["certificates"][PCS.HDR_TCB_INFO_ISSUER_CHAIN] == '': - self.output_json["collaterals"]["certificates"][PCS.HDR_TCB_INFO_ISSUER_CHAIN] = sgx_tcbinfo[1] - return True + tcbinfo_key = f'tcbinfo{key_suffix}' - def _fetch_qeidentity(self): - qe_identity = self.pcsclient.get_enclave_identity('qe', 'ascii') - if qe_identity == None: - print("Failed to get QE identity") - return False - self.output_json["collaterals"]["qeidentity"] = qe_identity[0] - self.output_json["collaterals"]["certificates"][PCS.HDR_Enclave_Identity_Issuer_Chain] = qe_identity[1] - return True + tcbinfoJson[tcbinfo_key] = json.loads(sgx_tcbinfo[0]) - def _fetch_tdqeidentity(self): - tdqe_identity = self.pcsclient.get_enclave_identity('tdqe', 'ascii') - if tdqe_identity == None: - print("Failed to get TDQE identity") - return False - self.output_json["collaterals"]["tdqeidentity"] = tdqe_identity[0] + # TDX tcbinfo is optional + if self.ApiVersion >= 4: + tdx_tcbinfo = self.pcsclient.get_tcb_info(fmspc, 'tdx', update, 'ascii') + if tdx_tcbinfo is not None: + tdx_tcbinfo_key = f'tdx_tcbinfo{key_suffix}' + tcbinfoJson[tdx_tcbinfo_key] = json.loads(tdx_tcbinfo[0]) + # End loop + + self.output_json["collaterals"]["tcbinfos"].append(tcbinfoJson) + if not self.output_json["collaterals"]["certificates"][PCS.HDR_TCB_INFO_ISSUER_CHAIN]: + self.output_json["collaterals"]["certificates"][PCS.HDR_TCB_INFO_ISSUER_CHAIN] = sgx_tcbinfo[1] return True - def _fetch_qveidentity(self): - qve_identity = self.pcsclient.get_enclave_identity('qve', 'ascii') - if qve_identity == None: - print("Failed to get QvE identity") - return False - self.output_json["collaterals"]["qveidentity"] = qve_identity[0] + def _fetch_identity(self, identity_type): + updates = ['standard', 'early'] if self.tcb_update_type == 'all' else [self.tcb_update_type] + for update in updates: + identity = self.pcsclient.get_enclave_identity(identity_type, update, 'ascii') + if identity is None: + if update == 'standard': + print(f"Failed to get {identity_type.upper()} identity") + return False + else: + key_suffix = '_early' if update == 'early' else '' + self.output_json["collaterals"][f"{identity_type}identity{key_suffix}"] = identity[0] + if identity_type == 'qe': + self.output_json["collaterals"]["certificates"][PCS.HDR_Enclave_Identity_Issuer_Chain] = identity[1] return True def _write_output_json(self): diff --git a/tools/SGXPlatformRegistration/README.md b/tools/SGXPlatformRegistration/README.md index 9d5d0131..6c48540a 100755 --- a/tools/SGXPlatformRegistration/README.md +++ b/tools/SGXPlatformRegistration/README.md @@ -22,16 +22,15 @@ See [license.txt](license.txt) for details. Documentation ------------- -See [doc/README](doc/README) for details. +See [config/README](config/README) for details. Build the Intel(R) SGX Multi-package Registration Agent and Libraries ------------------------ ### Prerequisites - Ensure that you have one of the following operating systems: - * Red Hat Enterprise Linux Server release 7.6 64bits - * Red Hat Enterprise Linux Server release 8.0 64bits - * Ubuntu Server 16.04 - * Ubuntu Server 18.04 + * Red Hat Enterprise Linux Server release 9.2 64bits + * Ubuntu Server 20.04 + * Ubuntu Server 22.04 * Microsoft Windows Server 2019 RS5 - Linux Prerequisites list: @@ -67,21 +66,17 @@ You can find the tools and libraries generated in the `build` directory. $ make clean ``` - To build the Intel(R) SGX Multi-package Registration Agent installer, enter the following command: - * On Ubuntu 16.04 and Ubuntu 18.04: + * On Ubuntu 20.04 and Ubuntu 22.04: ``` $ make deb_pkg ``` You can find the generated Intel(R) SGX Multi-package Registration Agent installers located under `build/installer`. - **Note**: On Ubuntu 18.04, besides the Intel(R) SGX Multi-package Registration Agent installer, the above command generates another debug symbol package named ``package-name-dbgsym_${version}-${revision}_amd64.ddeb`` for debug purpose. On Ubuntu 16.04, if you want to keep debug symbols in the Intel(R) SGX Multi-package Registration Agent installer, before building the Intel(R) SGX Multi-package Registration Agent installer, you need to export an environment variable to ensure the debug symbols not stripped: - ``` - $ export DEB_BUILD_OPTIONS="nostrip" - ``` **Note**: The above command builds the Intel(R) SGX Multi-package Registration Agent with default configuration firstly and then generates the target Multi-package Registration Agent Installer. To build the Intel(R) SGX Multi-package Registration Agent Installer without optimization and with full debug information kept in the tools and libraries, enter the following command: ``` $ make deb_pkg DEBUG=1 ``` - * On Red Hat Enterprise Linux 7.4, Red Hat Enterprise Linux 8.0: + * On Red Hat Enterprise Linux 9.2: ``` $ make rpm_pkg ``` diff --git a/tools/SGXPlatformRegistration/agent/agent.vcxproj b/tools/SGXPlatformRegistration/agent/agent.vcxproj index f77e73ea..2ee29285 100644 --- a/tools/SGXPlatformRegistration/agent/agent.vcxproj +++ b/tools/SGXPlatformRegistration/agent/agent.vcxproj @@ -51,6 +51,7 @@ true inc;..\include;..\uefi\inc;..\common\inc;..\common\inc\internal;..\..\..\QuoteGeneration\common\inc\internal MultiThreaded + Guard true @@ -66,6 +67,7 @@ true inc;..\include;..\uefi\inc;..\common\inc;..\common\inc\internal;..\..\..\QuoteGeneration\common\inc\internal MultiThreaded + Guard true diff --git a/tools/SGXPlatformRegistration/agent/src/PerformBase.cpp b/tools/SGXPlatformRegistration/agent/src/PerformBase.cpp index 69274c65..64820e79 100644 --- a/tools/SGXPlatformRegistration/agent/src/PerformBase.cpp +++ b/tools/SGXPlatformRegistration/agent/src/PerformBase.cpp @@ -53,7 +53,7 @@ bool PerformBase::perform(const uint8_t *request, const uint16_t &requestSize, u if (MP_SUCCESS != res) { agent_log_message(MP_REG_LOG_LEVEL_ERROR, "getRegistrationStatus failed, error: %d\n", res); status.errorCode = MPA_AG_BIOS_PROTOCOL_ERROR; - goto error; + return false; } do @@ -151,9 +151,17 @@ bool PerformBase::perform(const uint8_t *request, const uint16_t &requestSize, u error: res = m_uefi->setRegistrationStatus(status); - if (MP_SUCCESS != res) { - agent_log_message(MP_REG_LOG_LEVEL_ERROR, "setRegistrationStatus failed, error: %d\n", res); - return false; + if (MP_SUCCESS != res) + { + if (MP_INSUFFICIENT_PRIVILEGES == res) + { + agent_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: The UEFI variable is in read-only mode, so the registration status could NOT be set.\n"); + } + else + { + agent_log_message(MP_REG_LOG_LEVEL_ERROR, "setRegistrationStatus failed, error: %d\n", res); + return false; + } } if ((MPA_SUCCESS == status.errorCode) && (MP_TASK_COMPLETED == status.registrationStatus)) { diff --git a/tools/SGXPlatformRegistration/agent/src/RegistrationLogic.cpp b/tools/SGXPlatformRegistration/agent/src/RegistrationLogic.cpp index c5915e6c..a1d953af 100644 --- a/tools/SGXPlatformRegistration/agent/src/RegistrationLogic.cpp +++ b/tools/SGXPlatformRegistration/agent/src/RegistrationLogic.cpp @@ -56,21 +56,23 @@ void RegistrationLogic::registerPlatform() { RegistrationService registrationService(conf); agent_log_message(MP_REG_LOG_LEVEL_FUNC, "SGX Registration Agent version: %s\n", STRPRODUCTVER); -#ifdef _WIN32 if (!registrationService.isMultiPackageCapable()) { +#ifdef _WIN32 agent_log_message(MP_REG_LOG_LEVEL_FUNC, "Platform doesn't support registration. removing service..\n"); if (!SvcUninstall()) { agent_log_message(MP_REG_LOG_LEVEL_FUNC, "Failed to remove service.\n"); } else { agent_log_message(MP_REG_LOG_LEVEL_FUNC, "Successfully removed windows SGX registration service.\n"); } +#else + agent_log_message(MP_REG_LOG_LEVEL_FUNC, "Platform doesn't support registration. \n"); +#endif return; } else { agent_log_message(MP_REG_LOG_LEVEL_INFO, "Multi-Package capable.\n"); } -#endif agent_log_message(MP_REG_LOG_LEVEL_FUNC, "Starts Registration Agent Flow.\n"); // Preform registration flow if needed diff --git a/tools/SGXPlatformRegistration/common/common.vcxproj b/tools/SGXPlatformRegistration/common/common.vcxproj index 413e9280..6fcd190f 100644 --- a/tools/SGXPlatformRegistration/common/common.vcxproj +++ b/tools/SGXPlatformRegistration/common/common.vcxproj @@ -56,6 +56,7 @@ true ..\include;inc;..\windows\events MultiThreaded + Guard @@ -75,6 +76,7 @@ true ..\include;inc;..\windows\events MultiThreaded + Guard true diff --git a/tools/SGXPlatformRegistration/config/README b/tools/SGXPlatformRegistration/config/README index 8832cb6a..eb80d8a6 100644 --- a/tools/SGXPlatformRegistration/config/README +++ b/tools/SGXPlatformRegistration/config/README @@ -23,11 +23,11 @@ Linux: libsgx-ra-uefi-dev_{version}-{revision}_{arch}.deb-------uefi library headers sgx-ra-service_{version}-{revision}_{arch}.deb-----------multi-package registration agent service and management tool For Redhat: - libsgx-ra-network--1.el8.x86_64.rpm-------------network library - libsgx-ra-network-devel--1.el8.x86_64.rpm-------network library headers - libsgx-ra-uefi--1.el8.x86_64.rpm----------------uefi library - libsgx-ra-uefi-devel--1.el8.x86_64.rpm----------uefi library headers - sgx-ra-service--1.el8.x86_64.rpm----------------multi-package registration agent service and management tool + libsgx-ra-network--1.el9.x86_64.rpm-------------network library + libsgx-ra-network-devel--1.el9.x86_64.rpm-------network library headers + libsgx-ra-uefi--1.el9.x86_64.rpm----------------uefi library + libsgx-ra-uefi-devel--1.el9.x86_64.rpm----------uefi library headers + sgx-ra-service--1.el9.x86_64.rpm----------------multi-package registration agent service and management tool mpa_registration.conf - Sample configuration file README - This file @@ -36,9 +36,9 @@ Linux: /opt/intel/sgx-ra-service RHEL Installation instructions: - sudo yum install libsgx-ra-network--1.el8.x86_64.rpm - sudo yum install libsgx-ra-uefi--1.el8.x86_64.rpm - sudo yum install sgx-ra-service--1.el8.x86_64.rpm + sudo yum install libsgx-ra-network--1.el9.x86_64.rpm + sudo yum install libsgx-ra-uefi--1.el9.x86_64.rpm + sudo yum install sgx-ra-service--1.el9.x86_64.rpm RHEL Uninstallation instructions: sudo yum remove sgx-ra-service.x86_64 diff --git a/tools/SGXPlatformRegistration/management/management.vcxproj b/tools/SGXPlatformRegistration/management/management.vcxproj index aa9af4a6..1e0275a1 100644 --- a/tools/SGXPlatformRegistration/management/management.vcxproj +++ b/tools/SGXPlatformRegistration/management/management.vcxproj @@ -56,6 +56,7 @@ true inc;..\include;..\include\c_wrapper;..\common\inc;..\uefi\inc;$(SGXSDKInstallPath)include MultiThreaded + Guard true @@ -71,6 +72,7 @@ true inc;..\include;..\include\c_wrapper;..\common\inc;..\uefi\inc;$(SGXSDKInstallPath)include MultiThreaded + Guard true diff --git a/tools/SGXPlatformRegistration/network/network.vcxproj b/tools/SGXPlatformRegistration/network/network.vcxproj index 2f8a216c..b51eaf2d 100644 --- a/tools/SGXPlatformRegistration/network/network.vcxproj +++ b/tools/SGXPlatformRegistration/network/network.vcxproj @@ -68,6 +68,7 @@ MultiThreaded CURL_STATICLIB;%(PreprocessorDefinitions) + Guard true @@ -94,6 +95,7 @@ MultiThreaded CURL_STATICLIB;%(PreprocessorDefinitions) + Guard true diff --git a/tools/SGXPlatformRegistration/package/mpa.vcxproj b/tools/SGXPlatformRegistration/package/mpa.vcxproj index d88d53c6..fac80a15 100644 --- a/tools/SGXPlatformRegistration/package/mpa.vcxproj +++ b/tools/SGXPlatformRegistration/package/mpa.vcxproj @@ -61,6 +61,7 @@ _DEBUG;_CONSOLE;%(PreprocessorDefinitions) true ..\include;..\common;..\uefi\inc;..\agent\inc;..\common\inc + Guard Console @@ -94,6 +95,7 @@ true ..\include;..\common;..\uefi\inc;..\agent\inc;..\common\inc MultiThreaded + Guard Console diff --git a/tools/SGXPlatformRegistration/tool/mpa_manage.vcxproj b/tools/SGXPlatformRegistration/tool/mpa_manage.vcxproj index ed2b131d..21a35e71 100644 --- a/tools/SGXPlatformRegistration/tool/mpa_manage.vcxproj +++ b/tools/SGXPlatformRegistration/tool/mpa_manage.vcxproj @@ -52,6 +52,7 @@ true inc;..\common\inc;..\management\inc;..\agent\inc;..\include;..\windows\regex-2.7\src MultiThreaded + Guard agent.lib;management.lib;mp_uefi.lib;sgx_capable.lib;%(AdditionalDependencies) @@ -70,6 +71,7 @@ true inc;..\common\inc;..\management\inc;..\agent\inc;..\include;..\windows\regex-2.7\src MultiThreaded + Guard true diff --git a/tools/SGXPlatformRegistration/tool/src/main.cpp b/tools/SGXPlatformRegistration/tool/src/main.cpp index 0c3d4e50..8c6c1b9b 100644 --- a/tools/SGXPlatformRegistration/tool/src/main.cpp +++ b/tools/SGXPlatformRegistration/tool/src/main.cpp @@ -142,6 +142,9 @@ int performGetPlatformManifest(const char *fileName) { res = manage->getPlatformManifest(buffer, buffSize); if (MP_SUCCESS != res) { + if(MP_INSUFFICIENT_PRIVILEGES == res) { + management_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: The registration complete flag could NOT be set, maybe the UEFI variable is in read-only mode.\n"); + } ret = (int)res; goto out; } @@ -170,7 +173,10 @@ int performGetKeyBlob(const char *fileName) { } res = manage->getPackageInfoKeyBlobs(buffer, buffSize); - if (MP_SUCCESS != res) { + if (MP_SUCCESS != res ) { + if(MP_INSUFFICIENT_PRIVILEGES == res) { + management_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: The package info complete flag could NOT be set, maybe the UEFI variable is in read-only mode.\n"); + } ret = (int)res; goto out; } @@ -255,6 +261,9 @@ int performSetServerInfo(const char *fileName) { res = manage->setRegistrationServerInfo(flags, string(param2, strnlen(param2, MAX_PATH_SIZE)), (uint8_t*)&serverId, (uint16_t)buffSize); if (MP_SUCCESS != res) { + if(MP_INSUFFICIENT_PRIVILEGES == res) { + management_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: The registration server information could NOT be set, maybe the UEFI variable is in read-only mode.\n"); + } ret = (int)res; goto out; } @@ -279,6 +288,7 @@ int performGetRegErrorCode() { } management_log_message(MP_REG_LOG_LEVEL_FUNC, "Last reported registration error code: %x\n", (int)err); + management_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: Maybe the whole SGX UEFI variables are in read-only mode, so this error code is not accurate.\n"); ret = (int)err; out: return ret; @@ -301,6 +311,7 @@ int performGetRegStatus() { management_log_message(MP_REG_LOG_LEVEL_FUNC, "Registration process completed successfully.\n"); } else { management_log_message(MP_REG_LOG_LEVEL_FUNC, "Registration is in progress.\n"); + management_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: Maybe the whole SGX UEFI variables are in read-only mode, so the registration status is not accurate.\n"); } ret = (int)status; diff --git a/tools/SGXPlatformRegistration/uefi/src/FSUefi.cpp b/tools/SGXPlatformRegistration/uefi/src/FSUefi.cpp index f0bfd708..070fad9a 100644 --- a/tools/SGXPlatformRegistration/uefi/src/FSUefi.cpp +++ b/tools/SGXPlatformRegistration/uefi/src/FSUefi.cpp @@ -176,6 +176,32 @@ int FSUefi::writeUEFIVar(const char* varName, const uint8_t* data, size_t dataSi } break; } + } else { + // get uefi file size + long tempSize = fdGetVarFileSize(fd); + if (tempSize < 0) { + uefi_log_message(MP_REG_LOG_LEVEL_ERROR, "writeUEFIVar: failed to get variable file size %l \n", tempSize); + break; + } + + uint8_t uefiAttributes[4]; + errno = 0; + ssize_t bytesRead = read(fd, uefiAttributes, 4); + if (bytesRead != 4) { + uefi_log_message(MP_REG_LOG_LEVEL_ERROR, "writeUEFIVar: failed to read uefi variable %s attributes ,error: %s\n", UEFIvarNamePath, strerror(errno)); + break; + } + /// + /// Attributes of variable. + /// + /// #define EFI_VARIABLE_NON_VOLATILE 0x00000001 + /// #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 + /// #define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 + if((uefiAttributes[0] & 0x01) == 0) { + close(fd); + delete[] buffer; + return -1; + } } // remove immutable flag diff --git a/tools/SGXPlatformRegistration/uefi/src/MPUefi.cpp b/tools/SGXPlatformRegistration/uefi/src/MPUefi.cpp index 29b097a4..296cc56c 100644 --- a/tools/SGXPlatformRegistration/uefi/src/MPUefi.cpp +++ b/tools/SGXPlatformRegistration/uefi/src/MPUefi.cpp @@ -385,7 +385,7 @@ MpResult MPUefi::setServerResponse(const uint8_t *response, const uint16_t &size responseUefi->version = MP_BIOS_UEFI_VARIABLE_VERSION_1; responseUefi->size = size; - // copy cets to uefi structure + // copy certs to uefi structure memcpy(&(responseUefi->header), response, size); #if MP_VERIFY_INTERNAL_DATA_STRUCT_WRITE == 1 @@ -617,6 +617,11 @@ MpResult MPUefi::setRegistrationStatus(const MpRegistrationStatus& status) { // write registration status to uefi int numOfBytes = m_uefi->writeUEFIVar(UEFI_VAR_STATUS, (const uint8_t*)(&statusUefi), sizeof(statusUefi), false); if (numOfBytes != sizeof(statusUefi)) { + if(numOfBytes == -1) { + uefi_log_message(MP_REG_LOG_LEVEL_INFO, "Warning: fail to write regsitration status uefi variable, maybe it is in read-only mode.\n"); + res = MP_INSUFFICIENT_PRIVILEGES; + break; + } uefi_log_message(MP_REG_LOG_LEVEL_ERROR, "setRegistrationStatus: failed to write uefi variable.\n"); res = MP_UEFI_INTERNAL_ERROR; break; @@ -897,10 +902,10 @@ MpResult MPUefi::setRegistrationServerInfo(const uint16_t &flags, const string & int numOfBytes = m_uefi->writeUEFIVar(UEFI_VAR_CONFIGURATION, (const uint8_t*)configurationUefi, sizeof(ConfigurationUEFI) + serverIdSize - sizeof(configurationUefi->headerId), false); if (numOfBytes != (int)(sizeof(ConfigurationUEFI) + serverIdSize - sizeof(configurationUefi->headerId))) { - if(numOfBytes == -1) { + if(numOfBytes == -1) { uefi_log_message(MP_REG_LOG_LEVEL_ERROR, "setRegistrationServerInfo: Can't write Registration Configuration UEFI variable, please check whether the SGX has been disabled.\n"); res = MP_INSUFFICIENT_PRIVILEGES; - } + } else { uefi_log_message(MP_REG_LOG_LEVEL_ERROR, "setRegistrationServerInfo: failed to write uefi variable.\n"); res = MP_UNEXPECTED_ERROR; diff --git a/tools/SGXPlatformRegistration/uefi/uefi.vcxproj b/tools/SGXPlatformRegistration/uefi/uefi.vcxproj index 08944e79..1c176201 100644 --- a/tools/SGXPlatformRegistration/uefi/uefi.vcxproj +++ b/tools/SGXPlatformRegistration/uefi/uefi.vcxproj @@ -59,6 +59,7 @@ true inc;..\include;..\include\c_wrapper;..\common\inc; ..\windows\regex-2.7\src MultiThreaded + Guard true @@ -82,6 +83,7 @@ true inc;..\include;..\include\c_wrapper;..\common\inc; ..\windows\regex-2.7\src MultiThreaded + Guard true