On Tue, 2017-10-10 at 17:32 +0300, Jarkko Sakkinen wrote:
> +static RSA *load_sign_key(const char *path)
> +{
> + FILE *f;
> + RSA *key;
> +
> + f = fopen(path, "rb");
> + if (!f) {
> + fprintf(stderr, "Unable to open %s\n", path);
> + return NULL;
> + }
> + key = RSA_new();
> + if (!PEM_read_RSAPrivateKey(f, &key, pem_passwd_cb, NULL))
> + return NULL;
> + fclose(f);
> +
> + if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {

Dereferencing the RSA pointer (key) breaks on OpenSSL 1.1.0 as RSA is now an opaque object. It's relatively easy to fudge around the issue, patch below.

https://github.com/openssl/openssl/issues/1491
https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

> + fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key-
> >n));
> + RSA_free(key);
> + return NULL;
> + }
> +
> + return key;
> +}
> +

diff --git drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
index 27e8c61d033c..e454dc95f438 100644
--- drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
+++ drivers/platform/x86/intel_sgx/le/enclave/sgxsign.c
@@ -110,6 +110,17 @@ static int pem_passwd_cb(char *buf, int size, int rwflag, void *u)
 return strlen(buf) >= size ? size - 1 : strlen(buf);
 }
 
+static inline const BIGNUM *get_modulus(RSA *key)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ return key->n;
+#else
+ const BIGNUM *n;
+ RSA_get0_key(key, &n, NULL, NULL);
+ return n;
+#endif
+}
+
 static RSA *load_sign_key(const char *path)
 {
 FILE *f;
@@ -125,8 +136,9 @@ static RSA *load_sign_key(const char *path)
 return NULL;
 fclose(f);
 
- if (BN_num_bytes(key->n) != SGX_MODULUS_SIZE) {
- fprintf(stderr, "Invalid key size %d\n", BN_num_bytes(key->n));
+ if (BN_num_bytes(get_modulus(key)) != SGX_MODULUS_SIZE) {
+ fprintf(stderr, "Invalid key size %d\n",
+ BN_num_bytes(get_modulus(key)));
 RSA_free(key);
 return NULL;
 }
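Review bot: The new `get_modulus` takes a non-const `RSA *key` although neither branch writes through it, and `RSA_get0_key()` on 1.1.0 accepts `const RSA *`, so `static inline const BIGNUM *get_modulus(const RSA *key)` would make the accessor usable on const handles and state that it is read-only. The `#if` deserves a why-comment for the next reader, e.g. `/* RSA became opaque in OpenSSL 1.1.0; the modulus is only reachable via RSA_get0_key() */`. If LibreSSL builds are a target, note that it reports OPENSSL_VERSION_NUMBER as 0x20000000L independently of whether RSA_get0_key() exists in that release, so the version test alone may pick the wrong branch there; a `LIBRESSL_VERSION_NUMBER` guard is the customary addition — confirm against the supported toolchains.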
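Review bot: The `return NULL;` context line at the top of this hunk is the PEM_read_RSAPrivateKey failure path (per the quoted original above), and it exits before `fclose(f)`, so the stream leaks on a malformed or wrongly-passworded key file; the change leaves that path untouched. The failure branch should close the stream first, `fclose(f); return NULL;`, and the object from `RSA_new()` presumably also needs `RSA_free(key)` there — confirm what PEM_read_RSAPrivateKey does with a caller-supplied object on failure before adding it. Separately, `get_modulus(key)` is evaluated twice, once in the check and once in the message; `int nbytes = BN_num_bytes(get_modulus(key));` computed once and reused reads more cleanly. load_sign_key begins outside this hunk.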
@@ -511,7 +523,7 @@ int main(int argc, char **argv)
 
 if (!sign_key)
 goto out;
- BN_bn2bin(sign_key->n, ss.modulus);
+ BN_bn2bin(get_modulus(sign_key), ss.modulus);
 
 if (!measure_encl(argv[1], ss.body.mrenclave))
 goto out;
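Review bot: `BN_bn2bin()` takes no output length and writes as many bytes as the number needs, so this line is bounded only by the `SGX_MODULUS_SIZE` check that load_sign_key performs on the modulus; that dependency is invisible at the call site and should be stated, e.g. `/* bounded: load_sign_key() rejects any modulus that is not exactly SGX_MODULUS_SIZE bytes */`. `BN_bn2bin()` also emits big-endian bytes; if the signature structure expects the modulus little-endian, the byte reversal is presumably done elsewhere — confirm rather than assume. main starts and ends outside this hunk.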