Upgrade to OpenSSL 3.0.17

Upgrade the SGX-SSL library to utilize OpenSSL 3.0.17 while leaving OpenSSL 3.1.6 to provide FIPS support.

Signed-off-by: Juan del Cuvillo <juan.b.del.cuvillo@intel.com>

Author: jbdelcuv

.github/workflows/c-cpp.yml

@@ -21,11 +21,11 @@ jobs:
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: download SDK
-      run: wget https://download.01.org/intel-sgx/sgx-linux/2.24/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.24.100.3.bin
+      run: wget https://download.01.org/intel-sgx/sgx-linux/2.26/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.26.100.0.bin
     - name: install SDK
       run: chmod +x *.bin; echo yes | ./sgx_linux_x64_sdk_2.*.bin
     - name: download OpenSSL code
-      run: wget https://www.openssl.org/source/openssl-3.1.6.tar.gz --directory-prefix=openssl_source/
+      run: wget https://www.openssl.org/source/openssl-3.0.17.tar.gz --directory-prefix=openssl_source/
     - name: build SGXSSL
       run: source sgxsdk/environment; cd Linux; make all; DEBUG=1 make all
     - name: run unit test in SIM

.github/workflows/codeql.yml

@@ -67,9 +67,10 @@ jobs:
 
     - run: |
          echo "Run, Build Application using script"
-         wget https://download.01.org/intel-sgx/sgx-linux/2.24/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.24.100.3.bin;
+         wget https://download.01.org/intel-sgx/sgx-linux/2.26/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.26.100.0.bin;
          chmod +x *.bin; echo yes | ./sgx_linux_x64_sdk_2.*.bin;  
-         wget https://www.openssl.org/source/openssl-3.1.6.tar.gz --directory-prefix=openssl_source/; 
+         wget https://www.openssl.org/source/openssl-3.0.17.tar.gz --directory-prefix=openssl_source/;
+         wget https://www.openssl.org/source/openssl-3.1.6.tar.gz --directory-prefix=openssl_source/;
          source sgxsdk/environment; cd Linux; make sgxssl_no_mitigation
 
     - name: Perform CodeQL Analysis

Linux/Makefile

@@ -31,6 +31,7 @@
 include buildenv.mk
 include sgx/buildenv.mk
 LINUX_SGX_BUILD ?= 0
+FIPS ?= 0
 EMPTY_SRC = check_lvi_toolset
 .PHONY: sgxssl sgxssl_no_mitigation clean install uninstall
 

Linux/build_openssl.sh

@@ -36,10 +36,10 @@
 SGXSSL_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 echo $SGXSSL_ROOT
 
-OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*3.1.*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
-if [ "$OPENSSL_VERSION" == "" ] 
+OPENSSL_VERSION=`ls $SGXSSL_ROOT/../openssl_source/*3.0.*.tar.gz | head -1 | grep -o '[^/]*$' | sed -s -- 's/\.tar\.gz//'`
+if [ "$OPENSSL_VERSION" == "" ]
 then
-	echo "In order to run this script, OpenSSL tar.gz package must be located in openssl_source/ directory."
+	echo "In order to run this script, the OpenSSL tar.gz package must be located in the openssl_source/ directory."
 	exit 1
 fi
 echo $OPENSSL_VERSION

Linux/sgx/Makefile

@@ -64,9 +64,8 @@ ifneq ($(CRYPTO_ONLY), 1)
 
 ifeq ($(LINUX_SGX_BUILD), 0)
 ifneq ($(NO_THREADS), 1)
-# Don't build the test app by default in FIPS mode since it depends on
-# the FIPS provider.
-# Execute the install target first.
+# Don't build the test app in FIPS mode since it depends on the FIPS provider,
+# which is not ready yet.
 ifneq ($(FIPS), 1)
 	$(MAKE) -C $(TEST_DIR) all
 endif

Linux/sgx/libsgx_tsgxssl/Makefile

@@ -87,9 +87,9 @@ endif
 endif
 
 ifeq ($(FIPS), 1)
-SGXSSL_ADDTIONAL_EDL_PATH=$(PACKAGE_INC)/filefunc
+SGXSSL_ADDITIONAL_EDL_PATH=$(PACKAGE_INC)/filefunc
 else
-SGXSSL_ADDTIONAL_EDL_PATH=$(PACKAGE_INC)/nofilefunc
+SGXSSL_ADDITIONAL_EDL_PATH=$(PACKAGE_INC)/nofilefunc
 endif
 
 SGX_EDL_FILE := $(PACKAGE_INC)/sgx_tsgxssl.edl
@@ -122,27 +122,27 @@ $(shell mkdir -p $(OBJDIR))
 all: $(TRUSTED_LIB)
 
 ######## sgx_tsgxssl Objects ########
-sgx_tsgxssl_t.c: $(SGX_EDGER8R) $(SGX_EDL_FILE)
-	$(SGX_EDGER8R) --header-only --trusted $(SGX_EDL_FILE) --search-path $(SGX_SDK_INC) --search-path $(SGXSSL_ADDTIONAL_EDL_PATH)
+sgx_tsgxssl_t.h: $(SGX_EDGER8R) $(SGX_EDL_FILE)
+	$(SGX_EDGER8R) --header-only --trusted $(SGX_EDL_FILE) --search-path $(SGX_SDK_INC) --search-path $(SGXSSL_ADDITIONAL_EDL_PATH)
 	@echo "GEN  =>  $@"
 
 sgx_tsgxssl_t.o: sgx_tsgxssl_t.c
 	$(VCC) $(Sgx_tssl_C_Flags) -c $< -o $@
 	@echo "CC   <=  $<"
 
-$(OBJDIR)/%.o : %.cpp sgx_tsgxssl_t.c
+$(OBJDIR)/%.o : %.cpp sgx_tsgxssl_t.h
 	$(VCXX) $(Sgx_tssl_Cpp_Flags) -c $< -o $@
 	@echo "CXX  <=  $<"
 
-$(OBJDIR)/%.o : %.c sgx_tsgxssl_t.c
+$(OBJDIR)/%.o : %.c sgx_tsgxssl_t.h
 	$(VCC) $(Sgx_tssl_C_Flags) -c $< -o $@
 	@echo "CC  <=  $<"
 
 $(OBJDIR)/%.o : %.S
 	$(VCC) $(Common_C_Cpp_Flags) -c $< -o $@
 	@echo "CC  <=  $<"
 
-$(TRUSTED_LIB): sgx_tsgxssl_t.c $(Sgx_tssl_Cpp_Objects) $(Sgx_tssl_C_Objects) $(Sgx_tssl_S_Objects)
+$(TRUSTED_LIB): sgx_tsgxssl_t.h $(Sgx_tssl_Cpp_Objects) $(Sgx_tssl_C_Objects) $(Sgx_tssl_S_Objects)
 	ar rcs $(TRUSTED_LIB) $(Sgx_tssl_Cpp_Objects) $(Sgx_tssl_C_Objects) $(Sgx_tssl_S_Objects) 
 	@echo "LINK =>  $@"
 	@cp $@ $(PACKAGE_LIB)/$(TRUSTED_LIB)

Linux/sgx/libsgx_tsgxssl/texceptions.c

@@ -33,6 +33,7 @@
 #include <sgx_trts_exception.h>
 #include <sgx_cpuid.h>
 #include <stdlib.h>
+#include <string.h>
 
 #include "tcommon.h"
 

README.md

@@ -1,14 +1,14 @@
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/intel/intel-sgx-ssl/badge)](https://securityscorecards.dev/viewer/?uri=github.com/intel/intel-sgx-ssl)
 
-Intel® Software Guard Extensions SSL
+Intel® Software Guard Extensions SSL (SGX SSL)
 ================================================
 
 Introduction
 ------------
 The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications.
 The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library.
 
-This branch supports OpenSSL version 3.1.*, but works in 1.1.1 compatible mode. 
+This branch supports the OpenSSL 3.0 series, but works in 1.1.1 compatible mode.
 
 License
 -------
@@ -22,10 +22,11 @@ Documentation
   * [Windows developer guide](Windows/package/docs/Intel(R)%20Software%20Guard%20Extensions%20SSL%20Library%20Windows%20Developer%20Guide.pdf)
 
 
-Build Intel® SGX SSL package
-----------------------------
-Windows
-----------------------------
+Building the Intel® SGX SSL package
+-----------------------------------
+
+## Windows
+
 ### Prerequisites
 - Microsoft Visual Studio 2019
 - Perl
@@ -34,53 +35,72 @@ Windows
 
  (Note: Perl, NASM need to be included in machine's PATH variable)
 
-To build Intel® SGX SSL package in Windows OS:
-1. Download OpenSSL package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.1.*.tar.gz)
-2. Download and install latest SGX SDK from [Intel Developer Zone](https://software.intel.com/en-us/sgx-sdk/download). You can find installation guide from the same website.
+### Building
+
+To build the Intel® SGX SSL package in Windows OS:
+1. Download the OpenSSL package into the openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
+2. Download and install the latest SGX SDK from [Intel Developer Zone](https://software.intel.com/en-us/sgx-sdk/download). You can find the installation guide in the same website.
 3. Change the directory to the SGXSSL path and enter the following command:
 ```
-build_all.cmd <OPENSSL_VERSION> [default == openssl-3.1.0]
+build_all.cmd <OPENSSL_VERSION> [default == openssl-3.0.17]
 ```
-This will build the Intel® SGX SSL libraries (libsgx_tsgxssl.lib, libsgx_usgxssl.lib, libsgx_tsgxssl_crypto.lib), which can be found in package/lib/{Win32|X64}/{debug|release}/. And the version with CVE-2020-0551 Mitigation enabled can be found in package/lib/X64/{CVE-2020-0551-CF-Release|CVE-2020-0551-Load-Release}/.
+This builds the Intel® SGX SSL libraries (libsgx_tsgxssl.lib, libsgx_usgxssl.lib, libsgx_tsgxssl_crypto.lib) that can be found in package/lib/{Win32|X64}/{debug|release}/. The version with CVE-2020-0551 mitigation enabled can be found in package/lib/X64/{CVE-2020-0551-CF-Release|CVE-2020-0551-Load-Release}/.
+
+## Linux
 
-Linux
-----------------------------
 ### Prerequisites
 - Perl
 - Toolchain with mitigation (refer to [SGX Linux README](https://github.com/intel/linux-sgx/blob/master/README.md))
-- Intel(R) SGX Linux latest release, including SDK, PSW, and driver
+- Intel(R) SGX Linux latest release, including SDK and PSW.
 
-To build Intel® SGX SSL package in Linux OS:
-=======
-1. Download OpenSSL 3.1.* package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.1.*.tar.gz)
-2. Download and install latest SGX SDK from [01.org](https://download.01.org/intel-sgx/latest/). You can find the installation guide in the same website.
+### Building
+
+To build the Intel® SGX SSL package in Linux OS:
+1. Download the OpenSSL 3.0.* package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
+2. Download and install the latest SGX SDK from [01.org](https://download.01.org/intel-sgx/latest/). You can find the installation guide in the same website.
 3. Source SGX SDK's environment variables.
-4. Cd to Linux/ directory and run:
+4. Change into the Linux/ directory and run:
 ```
 make all test
 ```
-This will build and test the Intel® SGX SSL libraries (libsgx_tsgxssl.a, libsgx_usgxssl.a, libsgx_tsgxssl_crypto.a), which can be found in package/lib64/. And the Intel® SGX SSL trusted libraries (libsgx_tsgxssl.lib,  libsgx_tsgxssl_crypto.lib) with CVE-2020-0551 Mitigation enabled can be found in package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/.
+This builds and tests the Intel® SGX SSL libraries (libsgx_tsgxssl.a, libsgx_usgxssl.a, libsgx_tsgxssl_crypto.a), which can be found in package/lib64/. The Intel® SGX SSL trusted libraries (libsgx_tsgxssl.lib,  libsgx_tsgxssl_crypto.lib) with CVE-2020-0551 mitigation enabled can be found in package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/.
 
 ### Available `make` flags:
 - DEBUG={1,0}: Libraries build mode, with debug symbols or without. Default ``0``.
 - NO_THREADS={1,0}: Enable ``no-threads`` in the OpenSSL's build configuration options. Default ``0``.
 - SGX_MODE={HW,SIM}: User can take ``SIM`` to run the unit test on non-SGX platform if necessary. Default ``HW``. 
 - DESTDIR=\<PATH\>: Directory realpath to install Intel® SGX SSL libraries in. Default ``/opt/intel/sgxssl/``. 
 - VERBOSE={1,0}: Makefile verbose mode. Print compilation commands before executing it. Default ``0``.
-- OSSL3ONLY={1,0}: USE only OpenSSL 3.x APIs, and legacy functions will not be valid. Default ``0``.
+- OSSL3ONLY={1,0}: Use only OpenSSL 3.x APIs, and legacy functions will not be valid. Default ``0``.
+- FIPS={1,0}: Use the OpenSSL FIPS provider as an experimental feature. Default ``0``.
 
 To install Intel® SGX SSL libraries in Linux OS, run:
 ```
 make all test
 sudo make install
 ```
 
-Note for Version 3.*
---------------------
-To use the trusted cryptography library with SGX SSL/OpenSSL 3.*, it possibly needs to increase the value in the enclave signing configuration XML file:
+## Note for Version 3.*
+
+To use the trusted cryptography library with SGX SSL/OpenSSL 3.*, especially for the multithreaded enclaves, you may need to increase the enclave heap size adjusting the enclave signing configuration XML file:
 ```
 ...
 <HeapMaxSize>...</HeapMaxSize>
 ...
 ```
-, especially for the enclave with multithreads. 
+
+## OpenSSL FIPS Provider
+
+As an experimental feature, the SGX SDK supports building the SGX SSL library using the OpenSSL FIPS provider, instead of the default provider. Note: This feature is only supported on Linux and OpenSSL 3.1.6. You must download two separate OpenSSL packages: one from the OpenSSL 3.0 series and one for OpenSSL 3.1.6.
+To build and install the Intel® SGX SSL package and the OpenSSL FIPS provider run:
+
+```
+make all FIPS=1
+sudo make install
+```
+
+You may build and run one or both test programs that utilize the FIPS provider. The `FIPS=1` option must be specified; otherwise, a linker error will occur.
+```
+make test FIPS=1
+make fips_test FIPS=1
+```

openssl_source/Makefile

@@ -62,14 +62,12 @@ fips:
 	mkdir -p $(OSSL_FIPS_INSTALL_DIR)
 	mkdir -p $(OSSL_FIPS_BUILD_DIR)
 	tar xvf $(OPENSSL_VERSION).tar.gz -C $(OSSL_FIPS_SOURCE_DIR) --strip-components=1  > /dev/null
-	cd $(OSSL_FIPS_BUILD_DIR) && $(OSSL_FIPS_SOURCE_DIR)/Configure enable-fips --prefix=$(OSSL_FIPS_INSTALL_DIR) && \
+	cd $(OSSL_FIPS_BUILD_DIR) && $(OSSL_FIPS_SOURCE_DIR)/Configure enable-fips --with-rand-seed=rdcpu --prefix=$(OSSL_FIPS_INSTALL_DIR) && \
 		$(MAKE) -j$(shell getconf _NPROCESSORS_ONLN) && $(MAKE) install_fips
 
 # Install the FIPS provider and its configuration file in the SGX SDK location
 install:
-ifeq ($(OSSL_FIPS_INSTALL_DIR_SET), 0)
-	$(error "Missing directory : $(OSSL_FIPS_INSTALL_DIR). Have you built the FIPS module yet?")
-endif
+ifeq ($(OSSL_FIPS_INSTALL_DIR_SET), 1)
 	@echo "*** Installing FIPS module"
 	@echo "install $(FIPSMODULE) -> $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULE)"
 	cp -f $(OSSL_FIPS_INSTALL_DIR)/$(LIBDIR)/ossl-modules/$(FIPSMODULE) $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULE).new
@@ -80,7 +78,8 @@ endif
 	@echo "install $(FIPSMODULECONF) -> $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)"
 	echo "module-filename = $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULE)" >> $(OSSL_FIPS_INSTALL_DIR)/ssl/$(FIPSMODULECONF)
 	cp -f $(OSSL_FIPS_INSTALL_DIR)/ssl/$(FIPSMODULECONF) $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)
-	chmod 744 $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)
+	chmod 644 $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)
+endif
 
 # Remove the FIPS provider and configuration file from the SGX SDK location
 uninstall:
@@ -90,7 +89,7 @@ uninstall:
 
 	@echo "*** Uninstalling FIPS module configuration"
 	@echo "uninstall $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)"
-	rm -rf $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)
+	rm -f $(SGX_SDK)/$(LIBDIR)/$(FIPSMODULECONF)
 
 clean:
 ifeq ($(OSSL_FIPS_BUILD_DIR_SET), 1)

openssl_source/o_fopen.c

@@ -25,7 +25,7 @@
 #  endif
 # endif
 
-#include "internal/e_os.h"
+#include "e_os.h"
 #include "internal/cryptlib.h"
 
 #if !defined(OPENSSL_NO_STDIO)