[intel-sgx-kernel-dev,RFC,v3,10/12] intel_sgx: in-kernel launch enclave
diff mbox

Message ID 1510171646.4659.5.camel@intel.com
State New
Headers show

Commit Message

Sean Christopherson Nov. 8, 2017, 8:07 p.m. UTC
On Tue, 2017-10-10 at 17:32 +0300, Jarkko Sakkinen wrote:
> +static RSA *load_sign_key(const char *path)
> +{
> +	FILE *f;
> +	RSA *key;
> +
> +	f = fopen(path, "rb");
> +	if (!f) {
> +		fprintf(stderr, "Unable to open %s\n", path);
> +		return NULL;
> +	}
> +	key = RSA_new();
> +	if (!PEM_read_RSAPrivateKey(f, &key, pem_passwd_cb, NULL))
> +		return NULL;
> +	fclose(f);
> +
> +	if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {

Dereferencing the RSA pointer (key) breaks on OpenSSL 1.1.0 as RSA is now an
opaque object.  It's relatively easy to fudge around the issue, patch below.

https://github.com/openssl/openssl/issues/1491
https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

> +		fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key-
> >n));
> +		RSA_free(key);
> +		return NULL;
> +	}
> +
> +	return key;
> +}
> +

        FILE *f;
@@ -125,8 +136,9 @@ static RSA *load_sign_key(const char *path)
                return NULL;
        fclose(f);
 
-       if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
-               fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key->n));
+       if (BN_num_bytes(get_modulus(key)) != SGX_MODULUS_SIZE) {
+               fprintf(stderr, "Invalid key size %d\n",
+                       BN_num_bytes(get_modulus(key)));
                RSA_free(key);
                return NULL;
        }
@@ -511,7 +523,7 @@ int main(int argc, char **argv)
        if (!sign_key)
                goto out;
 
-       BN_bn2bin(sign_key->n, ss.modulus);
+       BN_bn2bin(get_modulus(sign_key), ss.modulus);
 
        if (!measure_encl(argv[1], ss.body.mrenclave))
                goto out;

Comments

Jarkko Sakkinen Nov. 14, 2017, 2:22 p.m. UTC | #1
On Wed, Nov 08, 2017 at 12:07:26PM -0800, Sean Christopherson wrote:
> On Tue, 2017-10-10 at 17:32 +0300, Jarkko Sakkinen wrote:
> > +static RSA *load_sign_key(const char *path)
> > +{
> > +	FILE *f;
> > +	RSA *key;
> > +
> > +	f = fopen(path, "rb");
> > +	if (!f) {
> > +		fprintf(stderr, "Unable to open %s\n", path);
> > +		return NULL;
> > +	}
> > +	key = RSA_new();
> > +	if (!PEM_read_RSAPrivateKey(f, &key, pem_passwd_cb, NULL))
> > +		return NULL;
> > +	fclose(f);
> > +
> > +	if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
> 
> Dereferencing the RSA pointer (key) breaks on OpenSSL 1.1.0 as RSA is now an
> opaque object.  It's relatively easy to fudge around the issue, patch below.
> 
> https://github.com/openssl/openssl/issues/1491
> https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
> 
> > +		fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key-
> > >n));
> > +		RSA_free(key);
> > +		return NULL;
> > +	}
> > +
> > +	return key;
> > +}
> > +
> 
> diff --git drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> index 27e8c61d033c..e454dc95f438 100644
> --- drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> +++ drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
> @@ -110,6 +110,17 @@ static int pem_passwd_cb(char *buf, int size, int rwflag,
> void *u)
>         return strlen(buf) >= size ? size - 1 : strlen(buf);
>  }
>  
> +static inline const BIGNUM *get_modulus(RSA *key)
> +{
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +       return key->n;
> +#else
> +       const BIGNUM *n;
> +       RSA_get0_key(key, &n, NULL, NULL);
> +       return n;
> +#endif
> +}
> +
>  static RSA *load_sign_key(const char *path)
>  {
>         FILE *f;
> @@ -125,8 +136,9 @@ static RSA *load_sign_key(const char *path)
>                 return NULL;
>         fclose(f);
>  
> -       if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
> -               fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key->n));
> +       if (BN_num_bytes(get_modulus(key)) != SGX_MODULUS_SIZE) {
> +               fprintf(stderr, "Invalid key size %d\n",
> +                       BN_num_bytes(get_modulus(key)));
>                 RSA_free(key);
>                 return NULL;
>         }
> @@ -511,7 +523,7 @@ int main(int argc, char **argv)
>         if (!sign_key)
>                 goto out;
>  
> -       BN_bn2bin(sign_key->n, ss.modulus);
> +       BN_bn2bin(get_modulus(sign_key), ss.modulus);
>  
>         if (!measure_encl(argv[1], ss.body.mrenclave))
>                 goto out;
> 

Already sent v5 but I'll put this to v6. Thanks.

/Jarkko
Jarkko Sakkinen Nov. 26, 2017, 3:37 p.m. UTC | #2
On Wed, Nov 08, 2017 at 12:07:26PM -0800, Sean Christopherson wrote:
> Dereferencing the RSA pointer (key) breaks on OpenSSL 1.1.0 as RSA is now an
> opaque object.  It's relatively easy to fudge around the issue, patch below.
> 
> https://github.com/openssl/openssl/issues/1491
> https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

I think Evolution has broken your patch i.e. you might have forgotten to
switch to "preformatted" mode [1]. Can you resend this to me in private
and I will include it to v7. Thank you.

[1] https://www.kernel.org/doc/html/v4.11/process/email-clients.html

/Jarkko

Patch
diff mbox

diff --git drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
index 27e8c61d033c..e454dc95f438 100644
--- drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
+++ drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
@@ -110,6 +110,17 @@  static int pem_passwd_cb(char *buf, int size, int rwflag,
void *u)
        return strlen(buf) >= size ? size - 1 : strlen(buf);
 }
 
+static inline const BIGNUM *get_modulus(RSA *key)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       return key->n;
+#else
+       const BIGNUM *n;
+       RSA_get0_key(key, &n, NULL, NULL);
+       return n;
+#endif
+}
+
 static RSA *load_sign_key(const char *path)
 {