Add the OpenSSL-based crypto wrapper

Signed-off-by: Ming-Wei Shih <[email protected]>
BRMcLaren · Nov 4, 2020 · 20a3d56 · 20a3d56
1 parent 561f3bf
commit 20a3d56
Show file tree

Hide file tree

Showing 48 changed files with 1,250 additions and 478 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -164,6 +164,24 @@ if (BUILD_OPENSSL AND OE_TRUSTZONE)
   message(FATAL_ERROR "BUILD_OPENSSL is not supported on ARM yet.")
 endif ()
 
+set(DEFAULT_TEST_ENCLAVE_CRYPTO_LIB
+    "mbedtls"
+    CACHE STRING "Default crypto library used by the enclaves.")
+string(TOLOWER "${DEFAULT_TEST_ENCLAVE_CRYPTO_LIB}"
+               DEFAULT_TEST_ENCLAVE_CRYPTO_LIB_LOWER)
+if ((NOT DEFAULT_TEST_ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "mbedtls")
+    AND (NOT DEFAULT_TEST_ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "openssl"))
+  message(
+    FATAL_ERROR "Unsupported crypto library: ${DEFAULT_ENCLAVE_CRYPTO_LIB}")
+endif ()
+if ((DEFAULT_TEST_ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "openssl")
+    AND (NOT BUILD_OPENSSL))
+  message(
+    FATAL_ERROR
+      "Cannot set OpenSSL as the default crypto library when BUILD_OPENSSL is OFF"
+  )
+endif ()
+
 if (WIN32)
   # NOTE: On Windows we have found that we must use Git Bash, not the
   # Bash from the Windows Subsystem for Linux. Hence this is

diff --git a/cmake/add_enclave.cmake b/cmake/add_enclave.cmake
@@ -10,6 +10,7 @@
 #              [<UUID uuid>]
 #              [CXX]
 #              [ADD_LVI_MITIGATION]
+#              [<CRYPTO_LIB lib>]
 #              <SOURCES sources>
 #              [<CONFIG config>]
 #              [<KEY key>])
@@ -54,7 +55,8 @@ macro (add_enclave)
       KEY
       SIGNING_ENGINE
       ENGINE_LOAD_PATH
-      ENGINE_KEY_ID)
+      ENGINE_KEY_ID
+      CRYPTO_LIB)
   set(multiValueArgs SOURCES)
   cmake_parse_arguments(ENCLAVE "${options}" "${oneValueArgs}"
                         "${multiValueArgs}" ${ARGN})
@@ -75,6 +77,8 @@ macro (add_enclave)
       ${ENCLAVE_ENGINE_LOAD_PATH}
       ENGINE_KEY_ID
       ${ENCLAVE_ENGINE_KEY_ID}
+      CRYPTO_LIB
+      ${ENCLAVE_CRYPTO_LIB}
       ADD_LVI_MITIGATION
       ${ENCLAVE_ADD_LVI_MITIGATION}
       SOURCES
@@ -89,6 +93,8 @@ macro (add_enclave)
       ${ENCLAVE_UUID}
       KEY
       ${ENCLAVE_KEY}
+      CRYPTO_LIB
+      ${ENCLAVE_CRYPTO_LIB}
       SOURCES
       ${ENCLAVE_SOURCES})
   endif ()
@@ -156,6 +162,7 @@ function (add_enclave_sgx)
       SIGNING_ENGINE
       ENGINE_LOAD_PATH
       ENGINE_KEY_ID
+      CRYPTO_LIB
       CXX
       ADD_LVI_MITIGATION)
   set(multiValueArgs SOURCES)
@@ -182,6 +189,24 @@ function (add_enclave_sgx)
   endif ()
 
   enclave_link_libraries(${ENCLAVE_TARGET} oeenclave)
+
+  # If the CRYPTO_LIB argument to add_enclave() is not set, the following
+  # logic determines the default crypto library based on the value of the
+  # DEFAULT_TEST_ENCLAVE_CRYPTO_LIB global variable (e.g., either "MbedTLS" or "OpenSSL").
+  # If the CRYPTO_LIB argument is set, it overrides the DEFAULT_TEST_ENCLAVE_CRYPTO_LIB.
+  if (NOT ENCLAVE_CRYPTO_LIB)
+    set(ENCLAVE_CRYPTO_LIB ${DEFAULT_TEST_ENCLAVE_CRYPTO_LIB})
+  endif ()
+
+  string(TOLOWER "${ENCLAVE_CRYPTO_LIB}" ENCLAVE_CRYPTO_LIB_LOWER)
+  if (ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "mbedtls")
+    enclave_link_libraries(${ENCLAVE_TARGET} oecryptombedtls)
+  elseif (ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "openssl")
+    enclave_link_libraries(${ENCLAVE_TARGET} oecryptoopenssl)
+  else ()
+    message(FATAL_ERROR "Unsupported crypto library ${ENCLAVE_CRYPTO_LIB}.")
+  endif ()
+
   if (ENCLAVE_CXX)
     enclave_link_libraries(${ENCLAVE_TARGET} oelibcxx)
   endif ()
@@ -269,7 +294,7 @@ function (add_enclave_sgx)
 endfunction ()
 
 macro (add_enclave_optee)
-  set(oneValueArgs TARGET UUID KEY CXX)
+  set(oneValueArgs TARGET UUID KEY CRYPTO_LIB CXX)
   set(multiValueArgs SOURCES)
   cmake_parse_arguments(ENCLAVE "" "${oneValueArgs}" "${multiValueArgs}"
                         ${ARGN})
@@ -318,7 +343,27 @@ macro (add_enclave_optee)
   add_dependencies(${ENCLAVE_TARGET} ${ENCLAVE_TARGET}.ld)
   target_include_directories(${ENCLAVE_TARGET}
                              PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/optee)
+
   target_link_libraries(${ENCLAVE_TARGET} oeenclave)
+
+  # If the CRYPTO_LIB argument to add_enclave() is not set, the following
+  # logic determines the default crypto library based on the value of the
+  # DEFAULT_TEST_ENCLAVE_CRYPTO_LIB global variable (e.g., either "MbedTLS" or "OpenSSL").
+  # If the CRYPTO_LIB argument is set, it overrides the DEFAULT_TEST_ENCLAVE_CRYPTO_LIB.
+  # Note that the OpenSSL-based crypto library is currently not supported on OP-TEE.
+  if (NOT ENCLAVE_CRYPTO_LIB)
+    set(ENCLAVE_CRYPTO_LIB ${DEFAULT_TEST_ENCLAVE_CRYPTO_LIB})
+  endif ()
+
+  string(TOLOWER "${ENCLAVE_CRYPTO_LIB}" ENCLAVE_CRYPTO_LIB_LOWER)
+  if (ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "mbedtls")
+    enclave_link_libraries(${ENCLAVE_TARGET} oecryptombedtls)
+  elseif (ENCLAVE_CRYPTO_LIB_LOWER STREQUAL "openssl")
+    enclave_link_libraries(${ENCLAVE_TARGET} oecryptoopenssl)
+  else ()
+    message(FATAL_ERROR "Unsupported crypto library ${ENCLAVE_CRYPTO_LIB}.")
+  endif ()
+
   if (ENCLAVE_CXX)
     target_link_libraries(${ENCLAVE_TARGET} oelibcxx)
   endif ()

diff --git a/host/crypto/openssl/asn1.c → common/crypto/openssl/asn1.c b/host/crypto/openssl/asn1.c → common/crypto/openssl/asn1.c
@@ -1,7 +1,7 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
-#include "../common/asn1.h"
+#include "../../asn1.h"
 #include <openenclave/internal/asn1.h>
 #include <openenclave/internal/datetime.h>
 #include <openenclave/internal/defs.h>

diff --git a/host/crypto/openssl/asn1.h → common/crypto/openssl/asn1.h b/host/crypto/openssl/asn1.h → common/crypto/openssl/asn1.h
@@ -1,8 +1,8 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
-#ifndef _OE_HOST_CRYPTO_ASN1_OPENSSL_H
-#define _OE_HOST_CRYPTO_ASN1_OPENSSL_H
+#ifndef _OE_COMMON_CRYPTO_OPENSSL_ASN1_H
+#define _OE_COMMON_CRYPTO_OPENSSL_ASN1_H
 
 #include <openenclave/internal/datetime.h>
 #include <openenclave/internal/result.h>
@@ -25,4 +25,4 @@ oe_result_t oe_asn1_string_to_date(const char* str, oe_datetime_t* date);
  */
 oe_result_t oe_asn1_time_to_date(const ASN1_TIME* time, oe_datetime_t* date);
 
-#endif /* _OE_HOST_CRYPTO_ASN1_OPENSSL_H */
+#endif /* _OE_COMMON_CRYPTO_OPENSSL_ASN1_H */
diff --git a/host/crypto/openssl/cert.c → common/crypto/openssl/cert.c b/host/crypto/openssl/cert.c → common/crypto/openssl/cert.c
@@ -5,6 +5,9 @@
 #include <openenclave/bits/result.h>
 #include <openenclave/internal/asn1.h>
 #include <openenclave/internal/cert.h>
+#if !defined(OE_BUILD_ENCLAVE)
+#include <openenclave/internal/crypto/init.h>
+#endif
 #include <openenclave/internal/pem.h>
 #include <openenclave/internal/raise.h>
 #include <openenclave/internal/safecrt.h>
@@ -14,15 +17,12 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
-#include <openssl/x509_vfy.h>
-#include <openssl/x509v3.h>
 #include <string.h>
-#include "../../../common/oe_host_stdlib.h"
-#include "../magic.h"
+#include "../../oe_host_stdlib.h"
 #include "asn1.h"
 #include "crl.h"
 #include "ec.h"
-#include "init.h"
+#include "magic.h"
 #include "rsa.h"
 
 /*
@@ -498,8 +498,10 @@ oe_result_t oe_cert_read_pem(
     if (strnlen((const char*)pem_data, pem_size) != pem_size - 1)
         OE_RAISE(OE_INVALID_PARAMETER);
 
+#if !defined(OE_BUILD_ENCLAVE)
     /* Initialize OpenSSL (if not already initialized) */
-    oe_initialize_openssl();
+    oe_crypto_initialize();
+#endif
 
     /* Create a BIO object for reading the PEM data */
     if (!(bio = BIO_new_mem_buf(pem_data, (int)pem_size)))
@@ -543,8 +545,10 @@ oe_result_t oe_cert_read_der(
     if (!der_data || !der_size || der_size > OE_INT_MAX || !cert)
         OE_RAISE(OE_INVALID_PARAMETER);
 
+#if !defined(OE_BUILD_ENCLAVE)
     /* Initialize OpenSSL (if not already initialized) */
-    oe_initialize_openssl();
+    oe_crypto_initialize();
+#endif
 
     p = (unsigned char*)der_data;
 
@@ -651,8 +655,10 @@ oe_result_t oe_cert_chain_read_pem(
         tmp_pem_data[pem_size] = '\0';
     }
 
+#if !defined(OE_BUILD_ENCLAVE)
     /* Initialize OpenSSL (if not already initialized) */
-    oe_initialize_openssl();
+    oe_crypto_initialize();
+#endif
 
     /* Read the certificate chain into memory */
     if (!(sk = _read_cert_chain((const char*)tmp_pem_data)))
@@ -721,8 +727,10 @@ oe_result_t oe_cert_verify(
         OE_RAISE_MSG(OE_INVALID_PARAMETER, "Invalid chain parameter", NULL);
     }
 
+#if !defined(OE_BUILD_ENCLAVE)
     /* Initialize OpenSSL (if not already initialized) */
-    oe_initialize_openssl();
+    oe_crypto_initialize();
+#endif
 
     /* Verify the certificate */
     OE_CHECK(_verify_cert(

diff --git a/common/crypto/openssl/cmac.c b/common/crypto/openssl/cmac.c
@@ -0,0 +1,46 @@
+// Copyright (c) Open Enclave SDK contributors.
+// Licensed under the MIT License.
+
+#include <openssl/cmac.h>
+#include <openssl/evp.h>
+
+#include <openenclave/internal/crypto/cmac.h>
+#include <openenclave/internal/raise.h>
+#include <openenclave/internal/utils.h>
+
+oe_result_t oe_aes_cmac_sign(
+    const uint8_t* key,
+    size_t key_size,
+    const uint8_t* message,
+    size_t message_length,
+    oe_aes_cmac_t* aes_cmac)
+{
+    oe_result_t result = OE_UNEXPECTED;
+    size_t key_size_bits = key_size * 8;
+    size_t final_size = sizeof(oe_aes_cmac_t);
+    CMAC_CTX* ctx = NULL;
+
+    if (aes_cmac == NULL)
+        OE_RAISE(OE_INVALID_PARAMETER);
+
+    if (key_size_bits != 128)
+        OE_RAISE(OE_UNSUPPORTED);
+
+    oe_secure_zero_fill(aes_cmac->impl, sizeof(*aes_cmac));
+
+    ctx = CMAC_CTX_new();
+    if (ctx == NULL)
+        OE_RAISE(OE_CRYPTO_ERROR);
+
+    CMAC_Init(ctx, key, key_size, EVP_aes_128_cbc(), NULL);
+    CMAC_Update(ctx, message, message_length);
+    CMAC_Final(ctx, (unsigned char*)aes_cmac->impl, &final_size);
+
+    result = OE_OK;
+
+done:
+    if (ctx)
+        CMAC_CTX_free(ctx);
+
+    return result;
+}
diff --git a/host/crypto/openssl/crl.c → common/crypto/openssl/crl.c b/host/crypto/openssl/crl.c → common/crypto/openssl/crl.c
@@ -14,9 +14,9 @@
 #include <string.h>
 #include <time.h>
 
-#include "../magic.h"
 #include "asn1.h"
 #include "crl.h"
+#include "magic.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 /* Needed for compatibility with ssl1.1 */

diff --git a/host/crypto/openssl/crl.h → common/crypto/openssl/crl.h b/host/crypto/openssl/crl.h → common/crypto/openssl/crl.h
@@ -1,8 +1,8 @@
 // Copyright (c) Open Enclave SDK contributors.
 // Licensed under the MIT License.
 
-#ifndef _OE_HOST_CRYPTO_CRL_H
-#define _OE_HOST_CRYPTO_CRL_H
+#ifndef _OE_COMMON_CRYPTO_OPENSSL_CRL_H
+#define _OE_COMMON_CRYPTO_OPENSSL_CRL_H
 
 #include <openenclave/internal/crypto/crl.h>
 #include <openssl/x509.h>
@@ -15,4 +15,4 @@ typedef struct _crl
 
 bool crl_is_valid(const crl_t* impl);
 
-#endif /* _OE_HOST_CRYPTO_CRL_H */
+#endif /* _OE_COMMON_CRYPTO_OPENSSL_CRL_H */