lsds / TaLoS

Efficient TLS termination inside Intel SGX enclaves for existing applications

New Networking Library Drop-in Usage?

xanderdunn opened this issue

I am attempting to use TaLoS as a drop-in library to do TLS termination on a WebSocket server within an SGX enclave.

I am using the uWebSockets C++ Websockets server library, which depends on uSockets.

I have modified the uWebSockets and uSockets Makefiles to use TaLoS rather than openSSL or boringSSL:

else ifeq ($(WITH_TALOS),1)
    override CFLAGS += -IuSockets/TaLoS/src/libressl-2.4.1/include -DLIBUS_USE_OPENSSL
    override LDFLAGS += uSockets/TaLoS/src/libressl-2.4.1/lib/libssl.a uSockets/TaLoS/src/libressl-2.4.1/lib/libcrypto.a -LuSockets/TaLoS/src/libressl-2.4.1/lib -lstdc++ -lssl -lcrypto -ldl -lrt -lcrypt -lpthread -lsgx_urts -lsgx_uae_service

While it is successfully linking some cryptographic functions against the TaLoS-modified libreSSL lib, it is failing to find some functions:

$ WITH_TALOS=1 make
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `uWS::Loop::LoopCleaner::~LoopCleaner()':
<artificial>:(.text+0x18bc): undefined reference to `BIO_meth_free'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `sni_hostname_destructor':
<artificial>:(.text+0x1a7c): undefined reference to `SSL_CTX_get_default_passwd_cb_userdata'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `BIO_s_custom_create':
<artificial>:(.text+0x1acc): undefined reference to `BIO_set_init'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `BIO_s_custom_read':
<artificial>:(.text+0x1af3): undefined reference to `BIO_get_data'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `ssl_on_open':
<artificial>:(.text+0x2551): undefined reference to `BIO_up_ref'
<artificial>:(.text+0x255c): undefined reference to `BIO_up_ref'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `BIO_s_custom_write':
<artificial>:(.text+0x5723): undefined reference to `BIO_get_data'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `sni_cb':
<artificial>:(.text+0x5893): undefined reference to `sni_find'
<artificial>:(.text+0x58cf): undefined reference to `sni_find'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `create_ssl_context_from_options.isra.0':
<artificial>:(.text+0x7fc5): undefined reference to `SSL_CTX_set_min_proto_version'
<artificial>:(.text+0x810b): undefined reference to `SSL_CTX_get_default_passwd_cb_userdata'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `ofats::any_detail::handler_traits<void, char const*>::small_handler<main::{lambda(char const*)#1}>::call(ofats::any_detail::storage&, char const*)':
<artificial>:(.text+0x81ea): undefined reference to `sni_add'
<artificial>:(.text+0x822e): undefined reference to `SSL_CTX_get_default_passwd_cb_userdata'
/tmp/ccAm2lwl.ltrans0.ltrans.o: In function `uWS::TemplatedApp<true>::~TemplatedApp()':
<artificial>:(.text+0x845a): undefined reference to `SSL_CTX_get_default_passwd_cb_userdata'
<artificial>:(.text+0x847d): undefined reference to `sni_free'
...

It appears there is a collection of cryptographic functions used by uWebSockets's openSSL interface that are not implemented in TaLoS' libreSSL. Do you have advice on bridging this gap? Is this due to differences in openSSL and libreSSL, or due to differences in version? I see TaLoS' libreSSL version is 5 years old.

Hi. TaLoS does not implement all the libreSSL functions inside the enclave, but only the ones we needed for our use cases. In particular my guess is that it does not implement the functions you list above, hence the compilation error.

TaLoS was developed a few years ago for our (research) use-cases. Due to lack of time and manpower we did not have the opportunity to ensure its maintenance. Given that we apply a series of patches to libreSSL, it might not be too difficult to port it to a newer version of libreSSL.

The good news is this problem should be fairly easy to fix (provided there are no complicated corner cases) by following this procedure: for each function F() for which there is an undefined reference:

  1. create a new function with the same name and signature in enclaveshim_ecalls.c;
  2. create an ecall ecall_F() and call it from the new function F() (you want to modify enclave.edl and need to take care of passing data/pointers in and out of the enclave);
  3. in the libressl file where F() is defined, add a new function ecall_F() whose sole role is to call F().

(Note that the BIO_*() functions are implemented outside the enclave for performance without negative impact on the security, so step 2 would be skipped.)
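The three-step shim procedure above, worked through for SSL_CTX_set_min_proto_version() from the link errors. This is an added example, not TaLoS code: the SGX SDK types and the proxy that sgx_edger8r would generate from enclave.edl are replaced by stand-ins so the file builds and runs without the SDK, and the trusted half carries a t_ prefix only because both halves share one file (inside the enclave it keeps its real name). The EDL attribute and the [user_check] caveat are the part of step 2 that needs care when pointers cross the boundary.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-ins for SGX SDK types so this builds without the SDK (assumption). */
typedef int sgx_status_t;
#define SGX_SUCCESS 0
typedef uint64_t sgx_enclave_id_t;
static sgx_enclave_id_t global_eid = 1;   /* set by sgx_create_enclave() in the real shim */

/* Trimmed stand-in for libressl's SSL_CTX: only the field this example touches. */
typedef struct { int min_proto_version; } SSL_CTX;

/* ---- trusted side: the libressl file that defines F() (step 3) ---- */
/* Existing libressl function, unchanged; keeps its real name in the enclave. */
static int t_SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
{
    if (ctx == NULL || version < 0)
        return 0;                          /* OpenSSL convention: 0 means failure */
    ctx->min_proto_version = version;
    return 1;
}

/* New ecall whose sole role is to call F(). Declared in enclave.edl as:
 *   public int ecall_SSL_CTX_set_min_proto_version([user_check] SSL_CTX *ctx, int version);
 * [user_check] means the generated bridge copies and validates nothing, so the
 * ecall must check ctx itself (e.g. sgx_is_within_enclave() for enclave-owned
 * objects) before dereferencing it; [in]/[out] buffers are copied instead. */
static int ecall_SSL_CTX_set_min_proto_version_trusted(SSL_CTX *ctx, int version)
{
    return t_SSL_CTX_set_min_proto_version(ctx, version);
}

/* ---- untrusted side (step 2): proxy that sgx_edger8r normally generates ---- */
/* Same shape as the generated proxy; here a direct call stands in for the
 * enclave transition (assumption for the sake of a runnable example). */
static sgx_status_t ecall_SSL_CTX_set_min_proto_version(sgx_enclave_id_t eid, int *retval,
                                                        SSL_CTX *ctx, int version)
{
    (void)eid;
    *retval = ecall_SSL_CTX_set_min_proto_version_trusted(ctx, version);
    return SGX_SUCCESS;
}

/* ---- untrusted side (step 1): enclaveshim_ecalls.c ---- */
/* Same name and signature as the missing symbol, so uSockets links unchanged. */
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
{
    int ret = 0;
    sgx_status_t st = ecall_SSL_CTX_set_min_proto_version(global_eid, &ret, ctx, version);
    return st == SGX_SUCCESS ? ret : 0;    /* a failed transition is reported as failure */
}
```

For the BIO_*() symbols the reply says to keep the implementation outside the enclave, so only step 1 applies and no ecall or EDL entry is added.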

Thanks a lot for the explanation @plaublin 👍
wolfSSL has built-in SGX support and I've had some success with it so far.