When I compile my SGX app, I get a lot of undefined reference errors:
- undefined reference to TLS_method' undefined reference to SSL_CTX_new'
- undefined reference to SSL_CTX_callback_ctrl' undefined reference to SSL_CTX_set_default_passwd_cb'
- undefined reference to SSL_CTX_set_default_passwd_cb_userdata' undefined reference to SSL_CTX_use_certificate_file'
- undefined reference to SSL_CTX_use_PrivateKey_file' undefined reference to SSL_CTX_check_private_key'
- undefined reference to SSL_CTX_load_verify_locations' undefined reference to SSL_CTX_set_verify'
- undefined reference to `SSL_CTX_set_options'
I don't find any of these function definitions in the following SGX libraries:
libsgx_tsgxssl.a libsgx_tsgxssl_crypto.a libsgx_usgxssl.a
How can I properly use the above 12 functions from within my program?
Hi Ronny, I hope this note finds your day going well.
The focus of the Intel supplied implementation of SGX/OpenSSL is on supplying cryptographic primitives rather then an implementation of SSL/TLS that can be terminated inside of an enclave. The unresolved references you receive are secondary to the fact that these functions are simply not implemented.
There is an implementation of OpenSSL that allows SSL connections to be originated and terminated inside of an enclave. The project can be found at the following URL:
Unfortunately that code is based on the 1.0.x release of OpenSSL, while the Intel implementation is based on the 1.1.x release. Avoiding insanity involves choosing one implementation to base your SGX code on since there are API changes between the 1.0 and 1.1 releases of OpenSSL. The version 1.1 API is obviously the path forward.
The challenge with doing SSL inside of an enclave is the need to provide OCALL implementations of the network socket system calls that are needed to implement the basic network communications which transports the SSL/TSL protocol. In addition support needs to be provided for other basics such as accessing key and certificate files.
It would be helpful for the SGX community if someone were to roll up their sleeves and port the necessary code from the GITHUB hosted project above to the Intel supplied OpenSSL implementation. Being able to implement TLS based communications from inside of an enclave seems to be fairly high on people's want list.
We actually have a need for that functionality ourselves so we may take a look at doing the work since we are firmly committed to the OpenSSL version 1.1 API and the Intel SGX/OpenSSL implementation is arguably the easiest path forward.
Hopefully this information is helpful.
Good luck with your project.
I really appreciate your detailed kind comments. I checked out https://github.com/sparkly9399/SGX-OpenSSL and this works fine. There was a compatibility issue with the latest SGX SDK, but I reported the issue and they fixed it now. This works temporarily, but I really hope in the near future the original OpenSSL repository begins supporting SSL.
Thanks again and have a nice day!