|
@@ -272,6 +272,7 @@ int _DkProcessCreate (PAL_HANDLE * handle, const char * uri, const char ** args)
|
|
child->process.cargo = cargo_fd;
|
|
child->process.cargo = cargo_fd;
|
|
child->process.pid = child_pid;
|
|
child->process.pid = child_pid;
|
|
child->process.nonblocking = PAL_FALSE;
|
|
child->process.nonblocking = PAL_FALSE;
|
|
|
|
+ child->process.ssl_ctx = NULL;
|
|
|
|
|
|
ret = _DkStreamKeyExchange(child, &child->process.session_key);
|
|
ret = _DkStreamKeyExchange(child, &child->process.session_key);
|
|
if (ret < 0)
|
|
if (ret < 0)
|
|
@@ -287,6 +288,11 @@ int _DkProcessCreate (PAL_HANDLE * handle, const char * uri, const char ** args)
|
|
if (ret < 0)
|
|
if (ret < 0)
|
|
goto failed;
|
|
goto failed;
|
|
|
|
|
|
|
|
+ ret = _DkStreamSecureInit(child, /*is_server=*/true, &child->process.session_key,
|
|
|
|
+ (LIB_SSL_CONTEXT**)&child->process.ssl_ctx);
|
|
|
|
+ if (ret < 0)
|
|
|
|
+ goto failed;
|
|
|
|
+
|
|
*handle = child;
|
|
*handle = child;
|
|
return 0;
|
|
return 0;
|
|
|
|
|
|
@@ -317,10 +323,11 @@ int init_child_process (PAL_HANDLE * parent_handle)
|
|
SET_HANDLE_TYPE(parent, process);
|
|
SET_HANDLE_TYPE(parent, process);
|
|
HANDLE_HDR(parent)->flags |= RFD(0)|WFD(0)|RFD(1)|WFD(1);
|
|
HANDLE_HDR(parent)->flags |= RFD(0)|WFD(0)|RFD(1)|WFD(1);
|
|
|
|
|
|
- parent->process.stream = pal_sec.stream_fd;
|
|
|
|
- parent->process.cargo = pal_sec.cargo_fd;
|
|
|
|
- parent->process.pid = pal_sec.ppid;
|
|
|
|
|
|
+ parent->process.stream = pal_sec.stream_fd;
|
|
|
|
+ parent->process.cargo = pal_sec.cargo_fd;
|
|
|
|
+ parent->process.pid = pal_sec.ppid;
|
|
parent->process.nonblocking = PAL_FALSE;
|
|
parent->process.nonblocking = PAL_FALSE;
|
|
|
|
+ parent->process.ssl_ctx = NULL;
|
|
|
|
|
|
int ret = _DkStreamKeyExchange(parent, &parent->process.session_key);
|
|
int ret = _DkStreamKeyExchange(parent, &parent->process.session_key);
|
|
if (ret < 0)
|
|
if (ret < 0)
|
|
@@ -336,6 +343,11 @@ int init_child_process (PAL_HANDLE * parent_handle)
|
|
if (ret < 0)
|
|
if (ret < 0)
|
|
return ret;
|
|
return ret;
|
|
|
|
|
|
|
|
+ ret = _DkStreamSecureInit(parent, /*is_server=*/false, &parent->process.session_key,
|
|
|
|
+ (LIB_SSL_CONTEXT**)&parent->process.ssl_ctx);
|
|
|
|
+ if (ret < 0)
|
|
|
|
+ return ret;
|
|
|
|
+
|
|
*parent_handle = parent;
|
|
*parent_handle = parent;
|
|
return 0;
|
|
return 0;
|
|
}
|
|
}
|
|
@@ -364,8 +376,15 @@ static int64_t proc_read (PAL_HANDLE handle, uint64_t offset, uint64_t count,
|
|
if (count >= (1ULL << (sizeof(unsigned int) * 8)))
|
|
if (count >= (1ULL << (sizeof(unsigned int) * 8)))
|
|
return -PAL_ERROR_INVAL;
|
|
return -PAL_ERROR_INVAL;
|
|
|
|
|
|
- int bytes = ocall_read(handle->process.stream, buffer, count);
|
|
|
|
- return IS_ERR(bytes) ? unix_to_pal_error(ERRNO(bytes)) : bytes;
|
|
|
|
|
|
+ int bytes;
|
|
|
|
+ if (handle->process.ssl_ctx) {
|
|
|
|
+ bytes = _DkStreamSecureRead(handle->process.ssl_ctx, buffer, count);
|
|
|
|
+ } else {
|
|
|
|
+ bytes = ocall_read(handle->process.stream, buffer, count);
|
|
|
|
+ bytes = IS_ERR(bytes) ? unix_to_pal_error(ERRNO(bytes)) : bytes;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return bytes;
|
|
}
|
|
}
|
|
|
|
|
|
static int64_t proc_write (PAL_HANDLE handle, uint64_t offset, uint64_t count,
|
|
static int64_t proc_write (PAL_HANDLE handle, uint64_t offset, uint64_t count,
|
|
@@ -377,9 +396,13 @@ static int64_t proc_write (PAL_HANDLE handle, uint64_t offset, uint64_t count,
|
|
if (count >= (1ULL << (sizeof(unsigned int) * 8)))
|
|
if (count >= (1ULL << (sizeof(unsigned int) * 8)))
|
|
return -PAL_ERROR_INVAL;
|
|
return -PAL_ERROR_INVAL;
|
|
|
|
|
|
- int bytes = ocall_write(handle->process.stream, buffer, count);
|
|
|
|
- if (IS_ERR(bytes))
|
|
|
|
- return unix_to_pal_error(ERRNO(bytes));
|
|
|
|
|
|
+ int bytes;
|
|
|
|
+ if (handle->process.ssl_ctx) {
|
|
|
|
+ bytes = _DkStreamSecureWrite(handle->process.ssl_ctx, buffer, count);
|
|
|
|
+ } else {
|
|
|
|
+ bytes = ocall_write(handle->process.stream, buffer, count);
|
|
|
|
+ bytes = IS_ERR(bytes) ? unix_to_pal_error(ERRNO(bytes)) : bytes;
|
|
|
|
+ }
|
|
|
|
|
|
return bytes;
|
|
return bytes;
|
|
}
|
|
}
|
|
@@ -396,6 +419,11 @@ static int proc_close (PAL_HANDLE handle)
|
|
handle->process.cargo = PAL_IDX_POISON;
|
|
handle->process.cargo = PAL_IDX_POISON;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
+ if (handle->process.ssl_ctx) {
|
|
|
|
+ _DkStreamSecureFree((LIB_SSL_CONTEXT*)handle->process.ssl_ctx);
|
|
|
|
+ handle->process.ssl_ctx = NULL;
|
|
|
|
+ }
|
|
|
|
+
|
|
return 0;
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
|
|
@@ -434,6 +462,7 @@ static int proc_attrquerybyhdl(PAL_HANDLE handle, PAL_STREAM_ATTR* attr) {
|
|
attr->handle_type = HANDLE_HDR(handle)->type;
|
|
attr->handle_type = HANDLE_HDR(handle)->type;
|
|
attr->nonblocking = handle->process.nonblocking;
|
|
attr->nonblocking = handle->process.nonblocking;
|
|
attr->disconnected = HANDLE_HDR(handle)->flags & ERROR(0);
|
|
attr->disconnected = HANDLE_HDR(handle)->flags & ERROR(0);
|
|
|
|
+ attr->secure = handle->process.ssl_ctx ? PAL_TRUE : PAL_FALSE;
|
|
|
|
|
|
/* get number of bytes available for reading */
|
|
/* get number of bytes available for reading */
|
|
ret = ocall_fionread(handle->process.stream);
|
|
ret = ocall_fionread(handle->process.stream);
|
|
@@ -467,6 +496,16 @@ static int proc_attrsetbyhdl (PAL_HANDLE handle, PAL_STREAM_ATTR * attr)
|
|
handle->process.nonblocking = attr->nonblocking;
|
|
handle->process.nonblocking = attr->nonblocking;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
+ if (!attr->secure && handle->process.ssl_ctx) {
|
|
|
|
+ /* remove TLS protection from process.stream */
|
|
|
|
+ _DkStreamSecureFree((LIB_SSL_CONTEXT*)handle->process.ssl_ctx);
|
|
|
|
+ handle->process.ssl_ctx = NULL;
|
|
|
|
+ } else if (attr->secure && !handle->process.ssl_ctx) {
|
|
|
|
+ /* adding TLS protection for process.stream is not yet implemented */
|
|
|
|
+ SGX_DBG(DBG_E, "Securing a non-secure process handle is not supported!\n");
|
|
|
|
+ return -PAL_ERROR_NOTSUPPORT;
|
|
|
|
+ }
|
|
|
|
+
|
|
return 0;
|
|
return 0;
|
|
}
|
|
}
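Review bot: The `!attr->secure && handle->process.ssl_ctx` branch in proc_attrsetbyhdl frees the TLS context whenever an attribute update arrives with `secure` false, so a caller that fills a fresh PAL_STREAM_ATTR only to change `nonblocking` would silently downgrade the process stream. Once `ssl_ctx` is NULL, the proc_read and proc_write hunks above send all traffic through plain `ocall_read`/`ocall_write`, presumably via the untrusted host, and the application gets no signal that protection was dropped. The opposite direction is already rejected with `-PAL_ERROR_NOTSUPPORT`, so the downgrade deserves to be just as explicit. At minimum log it, e.g. `SGX_DBG(DBG_E, "Removing TLS protection from process handle\n");`, and document on the `secure` attribute that callers must query the current attributes and preserve that field before setting. The function starts above this hunk, so whether existing callers already query before they set is not visible here.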
|
|
|
|
|