diff --git a/.azure-pipelines-templates/matrix.yml b/.azure-pipelines-templates/matrix.yml
index 90e6c13c19b4..1cd890bc0a27 100644
--- a/.azure-pipelines-templates/matrix.yml
+++ b/.azure-pipelines-templates/matrix.yml
@@ -33,7 +33,7 @@ parameters:
common:
cmake_args: '-DCMAKE_C_COMPILER_LAUNCHER="ccache" -DCMAKE_CXX_COMPILER_LAUNCHER="ccache"'
NoSGX:
- cmake_args: '-DTARGET=virtual -DCOVERAGE=ON'
+ cmake_args: '-DCOMPILE_TARGETS=virtual -DCOVERAGE=ON'
SGX:
cmake_args: ''
debug:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 44909e33ccc7..59fe69af6edd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,7 +42,7 @@ option(BUILD_SMALLBANK "Build SmallBank sample app and clients" ON)
# Build common library for CCF enclaves
add_custom_target(ccf ALL)
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
# enclave version
add_library(
ccf.enclave STATIC
@@ -94,7 +94,7 @@ if("sgx" IN_LIST TARGET)
add_dependencies(ccf ccf.enclave)
endif()
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
# virtual version
add_library(
ccf.virtual STATIC ${CCF_DIR}/src/enclave/main.cpp
diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake
index 1752c9c2625c..7d6ecd99d03a 100644
--- a/cmake/ccf_app.cmake
+++ b/cmake/ccf_app.cmake
@@ -2,8 +2,16 @@
# Licensed under the Apache 2.0 License.
set(ALLOWED_TARGETS "sgx;virtual")
+
+set(COMPILE_TARGETS
+ "sgx;virtual"
+ CACHE
+ STRING
+ "List of target compilation platforms. Choose from: ${ALLOWED_TARGETS}"
+)
+
set(IS_VALID_TARGET "FALSE")
-foreach(REQUESTED_TARGET ${TARGET})
+foreach(REQUESTED_TARGET ${COMPILE_TARGETS})
if(${REQUESTED_TARGET} IN_LIST ALLOWED_TARGETS)
set(IS_VALID_TARGET "TRUE")
else()
@@ -17,10 +25,16 @@ endforeach()
if((NOT ${IS_VALID_TARGET}))
message(
FATAL_ERROR
- "Variable list 'TARGET' must include at least one supported target. Choose from: ${ALLOWED_TARGETS}"
+ "Variable list 'COMPILE_TARGETS' must include at least one supported target. Choose from: ${ALLOWED_TARGETS}"
)
endif()
+find_package(OpenEnclave 0.8 CONFIG REQUIRED)
+# As well as pulling in openenclave:: targets, this sets variables which can be
+# used for our edge cases (eg - for virtual libraries). These do not follow the
+# standard naming patterns, for example use OE_INCLUDEDIR rather than
+# OpenEnclave_INCLUDE_DIRS
+
# Sign a built enclave library with oesign
function(sign_app_library name app_oe_conf_path enclave_sign_key_path)
if(TARGET ${name})
@@ -100,7 +114,7 @@ function(add_ccf_app name)
add_custom_target(${name} ALL)
- if("sgx" IN_LIST TARGET)
+ if("sgx" IN_LIST COMPILE_TARGETS)
set(enc_name ${name}.enclave)
add_library(${enc_name} SHARED ${PARSED_ARGS_SRCS})
@@ -125,7 +139,7 @@ function(add_ccf_app name)
add_dependencies(${name} ${enc_name})
endif()
- if("virtual" IN_LIST TARGET)
+ if("virtual" IN_LIST COMPILE_TARGETS)
# Build a virtual enclave, loaded as a shared library without OE
set(virt_name ${name}.virtual)
diff --git a/cmake/common.cmake b/cmake/common.cmake
index ee2af5c58662..582d68d75810 100644
--- a/cmake/common.cmake
+++ b/cmake/common.cmake
@@ -25,29 +25,6 @@ find_package(Threads REQUIRED)
set(PYTHON unbuffer python3)
-set(SERVICE_IDENTITY_CURVE_CHOICE
- "secp384r1"
- CACHE STRING
- "One of secp384r1, ed25519, secp256k1_mbedtls, secp256k1_bitcoin"
-)
-if(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp384r1")
- add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP384R1)
- set(DEFAULT_PARTICIPANTS_CURVE "secp384r1")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "ed25519")
- add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_ED25519)
- set(DEFAULT_PARTICIPANTS_CURVE "ed25519")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_mbedtls")
- add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_MBEDTLS)
- set(DEFAULT_PARTICIPANTS_CURVE "secp256k1")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_bitcoin")
- add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_BITCOIN)
- set(DEFAULT_PARTICIPANTS_CURVE "secp256k1")
-else()
- message(
- FATAL_ERROR "Unsupported curve choice ${SERVICE_IDENTITY_CURVE_CHOICE}"
- )
-endif()
-
set(DISTRIBUTE_PERF_TESTS
""
CACHE
@@ -72,7 +49,7 @@ endif()
option(VERBOSE_LOGGING "Enable verbose logging" OFF)
set(TEST_HOST_LOGGING_LEVEL "info")
if(VERBOSE_LOGGING)
- add_definitions(-DVERBOSE_LOGGING)
+ add_compile_definitions(VERBOSE_LOGGING)
set(TEST_HOST_LOGGING_LEVEL "debug")
endif()
@@ -80,14 +57,14 @@ option(NO_STRICT_TLS_CIPHERSUITES
"Disable strict list of valid TLS ciphersuites" OFF
)
if(NO_STRICT_TLS_CIPHERSUITES)
- add_definitions(-DNO_STRICT_TLS_CIPHERSUITES)
+ add_compile_definitions(NO_STRICT_TLS_CIPHERSUITES)
endif()
option(USE_NULL_ENCRYPTOR "Turn off encryption of ledger updates - debug only"
OFF
)
if(USE_NULL_ENCRYPTOR)
- add_definitions(-DUSE_NULL_ENCRYPTOR)
+ add_compile_definitions(USE_NULL_ENCRYPTOR)
endif()
option(SAN "Enable Address and Undefined Behavior Sanitizers" OFF)
@@ -99,12 +76,12 @@ option(DEBUG_CONFIG "Enable non-production options options to aid debugging"
OFF
)
if(DEBUG_CONFIG)
- add_definitions(-DDEBUG_CONFIG)
+ add_compile_definitions(DEBUG_CONFIG)
endif()
option(USE_NLJSON_KV_SERIALISER "Use nlohmann JSON as the KV serialiser" OFF)
if(USE_NLJSON_KV_SERIALISER)
- add_definitions(-DUSE_NLJSON_KV_SERIALISER)
+ add_compile_definitions(USE_NLJSON_KV_SERIALISER)
endif()
enable_language(ASM)
@@ -117,21 +94,13 @@ include_directories(
${CCF_DIR}/3rdparty/flatbuffers/include
)
-set(TARGET
- "sgx;virtual"
- CACHE STRING "One of sgx, virtual, or 'sgx;virtual'"
-)
-
find_package(MbedTLS REQUIRED)
set(CLIENT_MBEDTLS_INCLUDE_DIR "${MBEDTLS_INCLUDE_DIRS}")
set(CLIENT_MBEDTLS_LIBRARIES "${MBEDTLS_LIBRARIES}")
-find_package(OpenEnclave CONFIG REQUIRED)
-# As well as pulling in openenclave:: targets, this sets variables which can be
-# used for our edge cases (eg - for virtual libraries). These do not follow the
-# standard naming patterns, for example use OE_INCLUDEDIR rather than
-# OpenEnclave_INCLUDE_DIRS
+include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake)
+install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake DESTINATION cmake)
add_custom_command(
COMMAND openenclave::oeedger8r ${CCF_DIR}/edl/ccf.edl --trusted --trusted-dir
@@ -143,9 +112,6 @@ add_custom_command(
COMMENT "Generating code from EDL, and renaming to .cpp"
)
-include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake)
-install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake DESTINATION cmake)
-
# Copy utilities from tests directory
set(CCF_UTILITIES tests.sh keygenerator.sh cimetrics_env.sh
upload_pico_metrics.py scurl.sh
@@ -164,7 +130,7 @@ install(PROGRAMS ${CCF_DIR}/tests/scurl.sh ${CCF_DIR}/tests/keygenerator.sh
# Install getting_started scripts for VM creation and setup
install(DIRECTORY ${CCF_DIR}/getting_started/ DESTINATION getting_started)
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
# If OE was built with LINK_SGX=1, then we also need to link SGX
if(OE_SGX)
message(STATUS "Linking SGX")
@@ -244,7 +210,7 @@ function(add_unit_test name)
set_property(TEST ${name} APPEND PROPERTY LABELS unit_test)
endfunction()
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
# Host Executable
add_executable(
cchost ${CCF_DIR}/src/host/main.cpp ${CCF_GENERATED_DIR}/ccf_u.cpp
@@ -272,7 +238,7 @@ if("sgx" IN_LIST TARGET)
install(TARGETS cchost DESTINATION bin)
endif()
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
if(SAN)
set(SNMALLOC_LIB)
set(SNMALLOC_CPP)
@@ -430,8 +396,7 @@ function(add_e2e_test)
NAME ${PARSED_ARGS_NAME}
COMMAND
${PYTHON} ${PARSED_ARGS_PYTHON_SCRIPT} -b . --label ${PARSED_ARGS_NAME}
- ${CCF_NETWORK_TEST_ARGS} --participants-curve
- ${DEFAULT_PARTICIPANTS_CURVE} --consensus ${PARSED_ARGS_CONSENSUS}
+ ${CCF_NETWORK_TEST_ARGS} --consensus ${PARSED_ARGS_CONSENSUS}
${PARSED_ARGS_ADDITIONAL_ARGS}
)
@@ -473,7 +438,7 @@ function(add_perf_test)
endif()
set(TESTS_SUFFIX "")
- if("sgx" IN_LIST TARGET)
+ if("sgx" IN_LIST COMPILE_TARGETS)
set(TESTS_SUFFIX "${TESTS_SUFFIX}_SGX")
endif()
if("raft" STREQUAL ${PARSED_ARGS_CONSENSUS})
diff --git a/cmake/crypto.cmake b/cmake/crypto.cmake
index 00426836cdfe..f3480a0cb1be 100644
--- a/cmake/crypto.cmake
+++ b/cmake/crypto.cmake
@@ -16,7 +16,7 @@ file(GLOB_RECURSE EVERCRYPT_SRC "${EVERCRYPT_PREFIX}/*.[cS]")
# We need two versions of EverCrypt, because it depends on libc
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(evercrypt.enclave STATIC ${EVERCRYPT_SRC})
target_compile_options(
evercrypt.enclave PRIVATE -Wno-implicit-function-declaration
@@ -53,7 +53,7 @@ set(CCFCRYPTO_SRC ${CCF_DIR}/src/crypto/hash.cpp
set(CCFCRYPTO_INC ${CCF_DIR}/src/crypto/ ${EVERCRYPT_INC})
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(ccfcrypto.enclave STATIC ${CCFCRYPTO_SRC})
target_compile_definitions(
ccfcrypto.enclave PRIVATE INSIDE_ENCLAVE _LIBCPP_HAS_THREAD_API_PTHREAD
diff --git a/cmake/pbft.cmake b/cmake/pbft.cmake
index 012b55ba9c07..33df4f1dd9a4 100644
--- a/cmake/pbft.cmake
+++ b/cmake/pbft.cmake
@@ -2,11 +2,11 @@
# Licensed under the Apache 2.0 License.
# PBFT
-add_definitions(-DSIGN_BATCH)
+add_compile_definitions(SIGN_BATCH)
set(SIGN_BATCH ON)
if(SAN)
- add_definitions(-DUSE_STD_MALLOC)
+ add_compile_definitions(USE_STD_MALLOC)
endif()
set(PBFT_SRC
@@ -54,7 +54,7 @@ set(PBFT_SRC
${CMAKE_SOURCE_DIR}/src/consensus/pbft/libbyz/Append_entries.cpp
)
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(libbyz.enclave STATIC ${PBFT_SRC})
target_compile_options(libbyz.enclave PRIVATE -nostdinc)
target_compile_definitions(
@@ -76,7 +76,7 @@ endif()
set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
add_library(libbyz.host STATIC ${PBFT_SRC})
target_compile_options(libbyz.host PRIVATE -stdlib=libc++)
diff --git a/cmake/quickjs.cmake b/cmake/quickjs.cmake
index 2d0dc39f5d00..3343bc324784 100644
--- a/cmake/quickjs.cmake
+++ b/cmake/quickjs.cmake
@@ -23,7 +23,7 @@ message(STATUS "QuickJS prefix: ${QUICKJS_PREFIX} version: ${QUICKJS_VERSION}")
# We need two versions of libquickjs, because it depends on libc
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(
quickjs.enclave STATIC ${QUICKJS_SRC} ${CCF_DIR}/3rdparty/stub/stub.c
)
diff --git a/cmake/secp256k1.cmake b/cmake/secp256k1.cmake
index 5d511423c1d9..2f4a60678ea7 100644
--- a/cmake/secp256k1.cmake
+++ b/cmake/secp256k1.cmake
@@ -1,7 +1,7 @@
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the Apache 2.0 License.
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(
secp256k1.enclave STATIC ${CCF_DIR}/3rdparty/secp256k1/src/secp256k1.c
)
diff --git a/cmake/sss.cmake b/cmake/sss.cmake
index 63d574db5578..d4120e8567bf 100644
--- a/cmake/sss.cmake
+++ b/cmake/sss.cmake
@@ -11,7 +11,7 @@ set(SSS_SRC ${SSS_PREFIX}/sss.c ${SSS_PREFIX}/hazmat.c
${SSS_PREFIX}/tweetnacl.c
)
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
add_library(sss.enclave STATIC ${SSS_SRC})
set_property(TARGET sss.enclave PROPERTY POSITION_INDEPENDENT_CODE ON)
install(
diff --git a/samples/apps/smallbank/smallbank.cmake b/samples/apps/smallbank/smallbank.cmake
index b5079f3e529f..d16d7ee9707c 100644
--- a/samples/apps/smallbank/smallbank.cmake
+++ b/samples/apps/smallbank/smallbank.cmake
@@ -14,17 +14,27 @@ sign_app_library(
${CCF_DIR}/src/apps/sample_key.pem
)
-if(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_bitcoin")
- set(SMALL_BANK_SIGNED_VERIFICATION_FILE
- ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_50k.json
+function(get_verification_file iterations output_var)
+ math(EXPR thousand_iterations "${iterations} / 1000")
+ set(proposed_name
+ ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_${thousand_iterations}k.json
)
- set(SMALL_BANK_SIGNED_ITERATIONS 50000)
-else()
- set(SMALL_BANK_SIGNED_VERIFICATION_FILE
- ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_2k.json
+ if(NOT EXISTS "${proposed_name}")
+ message(
+ FATAL_ERROR
+ "Could not find verification file for ${iterations} iterations (looking for ${proposed_name})"
+ )
+ endif()
+ set(${output_var}
+ ${proposed_name}
+ PARENT_SCOPE
)
- set(SMALL_BANK_SIGNED_ITERATIONS 2000)
-endif()
+endfunction()
+
+set(SMALL_BANK_SIGNED_ITERATIONS 50000)
+get_verification_file(
+ ${SMALL_BANK_SIGNED_ITERATIONS} SMALL_BANK_SIGNED_VERIFICATION_FILE
+)
if(BUILD_TESTS)
# Small Bank end to end and performance test
@@ -32,22 +42,14 @@ if(BUILD_TESTS)
if(${CONSENSUS} STREQUAL pbft)
if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
- set(SMALL_BANK_VERIFICATION_FILE
- ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_50k.json
- )
set(SMALL_BANK_ITERATIONS 50000)
else()
- set(SMALL_BANK_VERIFICATION_FILE
- ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_2k.json
- )
set(SMALL_BANK_ITERATIONS 2000)
endif()
else()
- set(SMALL_BANK_VERIFICATION_FILE
- ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank.json
- )
set(SMALL_BANK_ITERATIONS 200000)
endif()
+ get_verification_file(${SMALL_BANK_ITERATIONS} SMALL_BANK_VERIFICATION_FILE)
add_perf_test(
NAME small_bank_client_test_${CONSENSUS}
@@ -103,4 +105,5 @@ if(BUILD_TESTS)
--participants-curve
"secp256k1"
)
+
endif()
diff --git a/samples/apps/smallbank/tests/verify_small_bank.json b/samples/apps/smallbank/tests/verify_small_bank_200k.json
similarity index 100%
rename from samples/apps/smallbank/tests/verify_small_bank.json
rename to samples/apps/smallbank/tests/verify_small_bank_200k.json
diff --git a/sphinx/source/developers/cryptography.rst b/sphinx/source/developers/cryptography.rst
index b87dfcf2cb80..f450e8a37e8c 100644
--- a/sphinx/source/developers/cryptography.rst
+++ b/sphinx/source/developers/cryptography.rst
@@ -44,8 +44,11 @@ Algorithms and Curves
Authenticated encryption in CCF relies on AES256-GCM. Ledger authentication relies on Merkle trees using SHA2-256. These algorithms are provided by `project Everest `_.
-Public-key certificates, signatures, and ephemeral Diffie-Hellman key exchanges all rely on
-elliptic curves. They can be configured to use one of the following implementations:
+Public-key certificates, signatures, and ephemeral Diffie-Hellman key exchanges all rely on elliptic curves. The supported curves are listed in `tls/curve.h`:
- * secp384r1 from `mbedTLS `_.
- * secp256k1 from `bitcoin core `_.
+ .. literalinclude:: ../../../src/tls/curve.h
+ :language: cpp
+ :start-after: SNIPPET_START: supported_curves
+ :end-before: SNIPPET_END: supported_curves
+
+The ``service_identity_curve_choice`` determines the curve used by CCF for the service and node identities. User and member certificates do not need to match this, and can be created on any supported curve.
\ No newline at end of file
diff --git a/sphinx/source/quickstart/build.rst b/sphinx/source/quickstart/build.rst
index ba19349de0ab..7123a41f7ddc 100644
--- a/sphinx/source/quickstart/build.rst
+++ b/sphinx/source/quickstart/build.rst
@@ -44,11 +44,9 @@ The full list of build switches can be obtained by running:
* **BUILD_TESTS**: Boolean. Build all tests for CCF. Default to ON.
* **BUILD_SMALLBANK**: Boolean. Build SmallBank performance benchmark. Default to OFF.
* **CLIENT_MBEDTLS_PREFIX**: Path. Prefix to mbedtls install to be used by test clients. Default to ``/usr/local``.
-* **SERVICE_IDENTITY_CURVE_CHOICE**: String, one of ``secp384r1``, ``secp256k1_mbedtls``, ``secp256k1_bitcoin``. Elliptic curve to use for CCF network and node identities. Defaults to ``secp384r1``.
* **NO_STRICT_TLS_CIPHERSUITES**: Boolean. Relax the list of accepted TLS ciphersuites. Default to OFF.
-* **OpenEnclave_DIR**: Path. Open Enclave install directory. Default to ``/opt/openenclave/lib/openenclave/cmake``.
* **SAN**: Boolean. Build unit tests with Address and Undefined behaviour sanitizers enabled. Default to OFF.
-* **TARGET**: String, one of ``sgx``, ``virtual``, or ``sgx;virtual``. Defaults to ``sgx;virtual``, which builds both "virtual" enclaves and actual SGX enclaves.
+* **COMPILE_TARGETS**: String. List of target compilation platforms. Defaults to ``sgx;virtual``, which builds both "virtual" enclaves and actual SGX enclaves.
* **VERBOSE_LOGGING**: Boolean. Enable all logging levels. Default to OFF.
Running Tests
diff --git a/src/tls/curve.h b/src/tls/curve.h
index 92bee16a3889..99862dbe364c 100644
--- a/src/tls/curve.h
+++ b/src/tls/curve.h
@@ -12,6 +12,7 @@
namespace tls
{
+ // SNIPPET_START: supported_curves
enum class CurveImpl
{
secp384r1 = 1,
@@ -21,20 +22,9 @@ namespace tls
secp256k1_mbedtls = 3,
secp256k1_bitcoin = 4,
-#if SERVICE_IDENTITY_CURVE_CHOICE_SECP384R1
service_identity_curve_choice = secp384r1,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_ED25519
- service_identity_curve_choice = ed25519,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_MBEDTLS
- service_identity_curve_choice = secp256k1_mbedtls,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_BITCOIN
- service_identity_curve_choice = secp256k1_bitcoin,
-#else
-# pragma message( \
- "No service identity curve specified - defaulting to secp384r1")
- service_identity_curve_choice = secp384r1,
-#endif
};
+ // SNIPPET_END: supported_curves
// 2 implementations of secp256k1 are available - mbedtls and bitcoin. Either
// can be asked for explicitly via the CurveImpl enum. For cases where we