Merge pull request #262 from jbdelcuv/ossl_fips_integration

OpenSSL FIPS provider support

Author: jbdelcuv

.github/workflows/c-cpp.yml

@@ -25,7 +25,7 @@ jobs:
     - name: install SDK
       run: chmod +x *.bin; echo yes | ./sgx_linux_x64_sdk_2.*.bin
     - name: download OpenSSL code
-      run: wget https://www.openssl.org/source/openssl-3.0.14.tar.gz --directory-prefix=openssl_source/
+      run: wget https://www.openssl.org/source/openssl-3.1.6.tar.gz --directory-prefix=openssl_source/
     - name: build SGXSSL
       run: source sgxsdk/environment; cd Linux; make all; DEBUG=1 make all
     - name: run unit test in SIM

.github/workflows/codeql.yml

@@ -69,7 +69,7 @@ jobs:
          echo "Run, Build Application using script"
          wget https://download.01.org/intel-sgx/sgx-linux/2.24/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.24.100.3.bin;
          chmod +x *.bin; echo yes | ./sgx_linux_x64_sdk_2.*.bin;  
-         wget https://www.openssl.org/source/openssl-3.0.14.tar.gz --directory-prefix=openssl_source/;
+         wget https://www.openssl.org/source/openssl-3.1.6.tar.gz --directory-prefix=openssl_source/; 
          source sgxsdk/environment; cd Linux; make sgxssl_no_mitigation
 
     - name: Perform CodeQL Analysis

Linux/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+# Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -34,8 +34,13 @@ LINUX_SGX_BUILD ?= 0
 EMPTY_SRC = check_lvi_toolset
 .PHONY: sgxssl sgxssl_no_mitigation clean install uninstall
 
+ifeq ($(FIPS), 1)
+BUILD_TARGET = sgxssl_no_mitigation
+else
+BUILD_TARGET = sgxssl
+endif
 
-all: sgxssl
+all: $(BUILD_TARGET)
 
 sgxssl:
 	@rm -rf $(EMPTY_SRC).* && touch $(EMPTY_SRC).cpp
@@ -50,17 +55,22 @@ sgxssl:
 	$(MAKE) -C sgx/ 
 
 sgxssl_no_mitigation:
-	$(MAKE) -C sgx/ all
+	$(MAKE) -C sgx/ all FIPS=$(FIPS)
+	$(MAKE) -C ../openssl_source/ all
 
 clean:
 	$(MAKE) -C sgx/ clean
 	rm -rf $(PACKAGE_LIB)/$(OPENSSL_LIB) $(PACKAGE_INC)/openssl/
 	rm -rf $(PACKAGE_LIB)/cve_2020_0551_load
 	rm -rf $(PACKAGE_LIB)/cve_2020_0551_cf
+	$(MAKE) -C ../openssl_source/ clean
 
 test:
 	$(MAKE) -C sgx/ test
 
+fips_test:
+	$(MAKE) -C sgx/ fips_test
+
 install: $(PACKAGE_LIB)/$(TRUSTED_LIB) $(PACKAGE_LIB)/$(UNTRUSTED_LIB) $(PACKAGE_LIB)/$(OPENSSL_LIB)
 ifeq ($(DEBUG), 1)
 	@echo "WARNING: Installing Debug libraries."
@@ -69,6 +79,8 @@ endif
 	mkdir -p $(DESTDIR)/include/
 	cp -prf $(PACKAGE_LIB)/*  $(DESTDIR)/lib64/
 	cp -prf $(PACKAGE_INC)/* $(DESTDIR)/include/
+	$(MAKE) -C ../openssl_source/ install
 
 uninstall:
 	rm -rf $(DESTDIR)/
+	$(MAKE) -C ../openssl_source/ uninstall

Linux/build_openssl.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
-
 #
-# Copyright (C) 2011-2020 Intel Corporation. All rights reserved.
+# Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -37,7 +36,7 @@
 SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 echo $SGXSSL_ROOT
 
-OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*3.0.*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*3.1.*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
 if [ "$OPENSSL_VERSION" == "" ] 
 then
 	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
@@ -53,7 +52,7 @@ mkdir -p $SGXSSL_ROOT/package/lib64/
 # build openssl modules, clean previous openssl dir if it exist
 cd $SGXSSL_ROOT/../openssl_source || exit 1
 rm -rf $OPENSSL_VERSION
-tar xvf $OPENSSL_VERSION.tar.gz || exit 1
+tar xvf $OPENSSL_VERSION.tar.gz > /dev/null || exit 1
 
 # Remove AESBS to support only AESNI and VPAES
 sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
@@ -80,6 +79,13 @@ if [[ "$*" == *"only3x"* ]] ; then
 	ADDITIONAL_CONF+="--api=3.0 no-deprecated "
 fi
 
+if [[ "$*" == *"fips"* ]] ; then
+    ADDITIONAL_CONF+="-DSGXSSL_FIPS "
+    cp bss_file.c $OPENSSL_VERSION/crypto/bio/ || exit 1
+    cp conf_mod.c $OPENSSL_VERSION/crypto/conf/ || exit 1
+    cp o_fopen.c $OPENSSL_VERSION/crypto/ || exit 1
+fi
+
 # Mitigation flags
 MITIGATION_OPT=""
 MITIGATION_FLAGS=""
@@ -139,7 +145,7 @@ cp sgx_config.conf $OPENSSL_VERSION/ || exit 1
 cp x86_64-xlate.pl $OPENSSL_VERSION/crypto/perlasm/ || exit 1
 
 cd $SGXSSL_ROOT/../openssl_source/$OPENSSL_VERSION || exit 1
-perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
+perl Configure --config=sgx_config.conf sgx-linux-x86_64 --with-rand-seed=none $ADDITIONAL_CONF $SPACE_OPT $MITIGATION_FLAGS no-idea no-mdc2 no-rc5 no-rc4 no-bf no-ec2m no-camellia no-cast no-srp no-async no-padlockeng no-dso no-shared no-ssl3 no-md2 no-md4 no-ui-console no-stdio no-afalgeng -D_FORTIFY_SOURCE=2 -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_POSIX_IO -include$SGXSSL_ROOT/../openssl_source/bypass_to_sgxssl.h || exit 1
 
 sed -i 's/ENGINE_set_default_RAND/dummy_ENGINE_set_default_RAND/' crypto/engine/tb_rand.c || exit 1
 sed -i 's/return RUN_ONCE(&locale_base, ossl_init_locale_base);/return 1;/' crypto/ctype.c || exit 1
@@ -166,4 +172,6 @@ cp include/openssl/* $SGXSSL_ROOT/package/include/openssl/ || exit 1
 grep OPENSSL_VERSION_STR include/openssl/opensslv.h > $SGXSSL_ROOT/sgx/osslverstr.h || exit 1
 cp -r include/crypto $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1
 cp -r include/internal $SGXSSL_ROOT/sgx/test_app/enclave/ || exit 1
+cp -r include/crypto $SGXSSL_ROOT/sgx/fips_test/trusted/ || exit 1
+cp -r include/internal $SGXSSL_ROOT/sgx/fips_test/trusted/ || exit 1
 exit 0

Linux/package/include/filefunc/sgxssl_file.edl

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of Intel Corporation nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* sgxssl_file.edl - with declarations. */
+
+enclave {
+    
+    untrusted {
+        uint64_t* u_sgxssl_fopen([in, string]const char* filename, [in, string]const char* mode);
+        char* u_sgxssl_fgets([out, size=size]char* buffer, uint32_t size, [user_check]uint64_t* stream);
+        void u_sgxssl_fclose([user_check]uint64_t* stream);
+        uint32_t u_sgxssl_fread([out, size=size, count=nmemb] void *ptr, uint32_t size, uint32_t nmemb, [user_check] uint64_t* stream);
+        int u_sgxssl_ferror([user_check]uint64_t* stream);
+        int u_sgxssl_getpid(void);
+    };
+
+};

Linux/package/include/nofilefunc/sgxssl_file.edl

@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of Intel Corporation nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* sgxssl_file.edl - with empty declarations. */
+
+enclave {
+
+};

Linux/package/include/sgx_tsgxssl.edl

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ * Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -34,7 +34,8 @@
 enclave {
 
     from "sgx_tstdc.edl" import *;
-    
+    from "sgxssl_file.edl" import *;
+ 
     untrusted {
         void u_sgxssl_ftime([out, size=timeb_len] void * timeptr, uint32_t timeb_len);
         //void u_sgxssl_usleep(int micro_seconds);

Linux/package/include/tsgxsslio.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+ * Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -32,6 +32,6 @@
 #ifndef _TSGXSSL_IO_H_
 #define _TSGXSSL_IO_H_
 
-typedef void FILE;
+typedef unsigned long FILE;
 
 #endif // _TSGXSSL_IO_H_

Linux/sgx/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2011-2017 Intel Corporation. All rights reserved.
+# Copyright (C) 2011-2024 Intel Corporation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -53,17 +53,26 @@ ifeq ($(OSSL3ONLY), 1)
 	OPENSSL_CONFIG += only3x
 endif
 
+ifeq ($(FIPS), 1)
+	OPENSSL_CONFIG += fips
+endif
+
 all: $(PACKAGE_LIB)/$(OPENSSL_LIB)
 ifneq ($(CRYPTO_ONLY), 1)
 	$(MAKE) -C $(TRUSTED_LIB_DIR) all
 	$(MAKE) -C $(UNTRUSTED_LIB_DIR) all
 
 ifeq ($(LINUX_SGX_BUILD), 0)
 ifneq ($(NO_THREADS), 1)
+# Don't build the test app by default in FIPS mode since it depends on
+# the FIPS provider.
+# Execute the install target first.
+ifneq ($(FIPS), 1)
 	$(MAKE) -C $(TEST_DIR) all
 endif
 endif
 endif
+endif
 
 ifneq ($(MITIGATION-CVE-2020-0551),)
 	$(RM) -r $(PACKAGE_LIB)$(MITIGATION_LIB_PATH)/$(TRUSTED_LIB)
@@ -82,8 +91,12 @@ clean:
 	$(MAKE) -C $(TRUSTED_LIB_DIR) clean
 	$(MAKE) -C $(UNTRUSTED_LIB_DIR) clean
 	$(MAKE) -C $(TEST_DIR) clean
+	$(MAKE) -C $(FIPS_TEST_DIR) clean
 	rm -f $(PACKAGE_LIB)/$(TRUSTED_LIB) $(PACKAGE_LIB)/$(UNTRUSTED_LIB)
 
 test: $(PACKAGE_LIB)/$(OPENSSL_LIB) all
 	$(MAKE) -C $(TEST_DIR) test 
 
+fips_test: $(PACKAGE_LIB)/$(OPENSSL_LIB) all
+	$(MAKE) -C $(FIPS_TEST_DIR) run
+

Linux/sgx/buildenv.mk

@@ -51,6 +51,7 @@ export PACKAGE_INC := $(ROOT_DIR)/../package/include/
 export TRUSTED_LIB_DIR := $(ROOT_DIR)/libsgx_tsgxssl/
 export UNTRUSTED_LIB_DIR := $(ROOT_DIR)/libsgx_usgxssl/
 export TEST_DIR := $(ROOT_DIR)/test_app/
+export FIPS_TEST_DIR := $(ROOT_DIR)/fips_test/
 export OS_ID=0
 export LINUX_SGX_BUILD ?= 0
 export TRUSTED_LIB := libsgx_tsgxssl.a