From cf2aad610c7975ac93f7d0a50002f3383e945a0d Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Wed, 17 Dec 2025 16:52:36 +0800
Subject: [PATCH] sync patches from upstream (cherry picked from commit 725a2a674c7db90092cfd07e6b15116d194eab2e)
---
 ...null-check-in-cc_sl_get_async_result.patch | 27 +++++++
 ...fix-clear-decrypted-data-when-failed.patch | 47 +++++++++++
 ...er-order-for-get_sealed_data_size_ex.patch | 81 +++++++++++++++++++
 backport-seal-unseal-adds-AAD-parameter.patch | 76 +++++++++++++++++
 secGear.spec | 9 ++-
 5 files changed, 239 insertions(+), 1 deletion(-)
 create mode 100644 backport-add-null-check-in-cc_sl_get_async_result.patch
 create mode 100644 backport-bugfix-clear-decrypted-data-when-failed.patch
 create mode 100644 backport-fix-the-incorrect-parameter-order-for-get_sealed_data_size_ex.patch
 create mode 100644 backport-seal-unseal-adds-AAD-parameter.patch
diff --git a/backport-add-null-check-in-cc_sl_get_async_result.patch b/backport-add-null-check-in-cc_sl_get_async_result.patch
new file mode 100644
index 0000000..9ac43d5
--- /dev/null
+++ b/backport-add-null-check-in-cc_sl_get_async_result.patch
@@ -0,0 +1,27 @@
+From 9ba01f9d19bef6be97b50907e1edcf75d3e2d8d2 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiaoGitee
+Date: Thu, 27 Nov 2025 21:23:54 +0800
+Subject: [PATCH] add null check in cc_sl_get_async_result
+
+---
+ src/host_src/enclave.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
+index f13feec7..15704b58 100644
+--- a/src/host_src/enclave.c
++++ b/src/host_src/enclave.c
+@@ -323,6 +323,10 @@ cc_enclave_result_t cc_sl_get_async_result(cc_enclave_t *enclave, int task_id, v
+ return CC_ERROR_BAD_PARAMETERS;
+ }
+
++ if (enclave->list_ops_node == NULL || enclave->list_ops_node->ops_desc->ops->cc_sl_async_ecall_get_result == NULL) {
++ return CC_ERROR_BAD_PARAMETERS;
++ }
++
+ CC_RWLOCK_LOCK_RD(&enclave->rwlock);
+
+ ret = enclave->list_ops_node->ops_desc->ops->cc_sl_async_ecall_get_result(enclave, task_id, retval);
+--
+2.43.0
+
diff --git a/backport-bugfix-clear-decrypted-data-when-failed.patch b/backport-bugfix-clear-decrypted-data-when-failed.patch
new file mode 100644
index 0000000..d9296e3
--- /dev/null
+++ b/backport-bugfix-clear-decrypted-data-when-failed.patch
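Review bot: The guard added to cc_sl_get_async_result (inner hunk at enclave.c line 323) tests `enclave->list_ops_node` and the final `cc_sl_async_ecall_get_result` pointer but dereferences `ops_desc` and `ops` in between without testing them, so a partially initialised node would still fault inside the check itself. The check also runs before `CC_RWLOCK_LOCK_RD(&enclave->rwlock)`; if that lock is what protects `list_ops_node` against a concurrent teardown (not visible in this hunk), the pointer validated here need not be the one called two lines later. I would take the read lock first, test each level (`list_ops_node`, `->ops_desc`, `->ops`, then the function pointer), and release the lock before returning CC_ERROR_BAD_PARAMETERS. The function body starts and ends outside the hunk.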
@@ -0,0 +1,47 @@
+From 81fb5eb93ce086d3328c8117c3abbdfad8671da1 Mon Sep 17 00:00:00 2001
+From: houmingyong
+Date: Sat, 19 Aug 2023 10:57:00 +0800
+Subject: [PATCH] bugfix clear decrypted data when failed
+
+---
+ src/enclave_src/gp/itrustee/itrustee_seal_data.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+index 14b7f991..4d030815 100644
+--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c
++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+@@ -234,7 +234,6 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint
+ goto done;
+ }
+ *decrypted_data_len = tmp_sealed_data->encrypted_data_len;
+- *mac_data_len = tmp_sealed_data->aad_len;
+ result = aes_seal_unseal_data(key_buf, key_len, (uint8_t *)&(tmp_sealed_data->nonce), SEAL_DATA_NONCE_LEN,
+ TEE_MODE_DECRYPT, (uint8_t *)&(tmp_sealed_data->payload_data), tmp_sealed_data->encrypted_data_len,
+ decrypted_data, decrypted_data_len, (uint8_t *)&(tmp_sealed_data->tag),
+@@ -244,17 +243,16 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint
+ goto done;
+ }
+
+- uint32_t temp_mac_len = *mac_data_len;
+- if (temp_mac_len < tmp_sealed_data->aad_len) {
+- result = TEE_ERROR_WRITE_DATA;
+- goto done;
+- }
+ if (mac_data != NULL) {
+ uint32_t encrypted_data_len = tmp_sealed_data->encrypted_data_len;
+ if (*mac_data_len >= tmp_sealed_data->aad_len) {
+ memcpy(mac_data, &(tmp_sealed_data->payload_data[encrypted_data_len]), tmp_sealed_data->aad_len);
++ *mac_data_len = tmp_sealed_data->aad_len;
++ } else {
++ explicit_bzero(decrypted_data, *decrypted_data_len);
++ result = TEE_ERROR_WRITE_DATA;
++ goto done;
+ }
+- *mac_data_len = tmp_sealed_data->aad_len;
+ }
+
+ done:
+--
+2.43.0
+
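Review bot: In itrustee_unseal_data the caller's AAD buffer size is compared with `tmp_sealed_data->aad_len` only after aes_seal_unseal_data has already written plaintext into `decrypted_data`, which is why the new else branch has to wipe it; making the comparison before the decrypt call would mean no plaintext is produced for a request that is going to be rejected, e.g. `if (mac_data != NULL && *mac_data_len < tmp_sealed_data->aad_len) { result = TEE_ERROR_WRITE_DATA; goto done; }`. The `goto done` taken when aes_seal_unseal_data itself fails (context lines of the second inner hunk) leaves `decrypted_data` untouched; whether the TEE can leave partial output there on a tag mismatch is not visible here, but clearing on that path as well is the conservative choice. With `mac_data == NULL` the function also no longer writes `*mac_data_len`, where the removed lines always set it to `aad_len`, so a caller that passed NULL to learn the AAD size sees different behaviour; that deserves a sentence in the function comment. The function starts and ends outside both hunks.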
diff --git a/backport-fix-the-incorrect-parameter-order-for-get_sealed_data_size_ex.patch b/backport-fix-the-incorrect-parameter-order-for-get_sealed_data_size_ex.patch
new file mode 100644
index 0000000..169da08
--- /dev/null
+++ b/backport-fix-the-incorrect-parameter-order-for-get_sealed_data_size_ex.patch
@@ -0,0 +1,81 @@
+From 91214741365cecd270577175ff89e24e31a97c2a Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiaoGitee
+Date: Wed, 26 Nov 2025 10:01:09 +0800
+Subject: [PATCH] fix the incorrect parameter order for get_sealed_data_size_ex
+
+---
+ examples/seal_data/enclave/seal_data.c | 2 +-
+ inc/enclave_inc/gp/itrustee/dataseal_internal.h | 2 +-
+ inc/enclave_inc/sgx/dataseal_internal.h | 2 +-
+ src/enclave_src/gp/itrustee/itrustee_seal_data.c | 2 +-
+ src/enclave_src/sgx/sgx_seal_data.c | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/examples/seal_data/enclave/seal_data.c b/examples/seal_data/enclave/seal_data.c
+index 5697981f..d35b660d 100644
+--- a/examples/seal_data/enclave/seal_data.c
++++ b/examples/seal_data/enclave/seal_data.c
+@@ -38,7 +38,7 @@ int seal_data_test_func(char *buf, uint32_t buf_len)
+ uint32_t data_len = strlen((const char *)seal_data);
+ uint32_t add_len = strlen((const char *)additional_text);
+ /******** prepare to seal data *********/
+- uint32_t sealed_data_len = cc_enclave_get_sealed_data_size(data_len, add_len);
++ uint32_t sealed_data_len = cc_enclave_get_sealed_data_size(add_len, data_len);
+ if (sealed_data_len == UINT32_MAX)
+ return CC_ERROR_OUT_OF_MEMORY;
+
+diff --git a/inc/enclave_inc/gp/itrustee/dataseal_internal.h b/inc/enclave_inc/gp/itrustee/dataseal_internal.h
+index c05aacb2..0ed2f5ba 100644
+--- a/inc/enclave_inc/gp/itrustee/dataseal_internal.h
++++ b/inc/enclave_inc/gp/itrustee/dataseal_internal.h
+@@ -42,7 +42,7 @@ typedef struct _itrustee_seal_data {
+ uint8_t payload_data[];
+ } itrustee_seal_data_t;
+
+-uint32_t get_sealed_data_size_ex(const uint32_t seal_data_len, const uint32_t aad_len);
++uint32_t get_sealed_data_size_ex(const uint32_t aad_len, const uint32_t seal_data_len);
+ uint32_t get_encrypted_text_size_ex(const void *sealed_data);
+ uint32_t get_add_text_size_ex(const void *sealed_data);
+
+diff --git a/inc/enclave_inc/sgx/dataseal_internal.h
b/inc/enclave_inc/sgx/dataseal_internal.h
+index 9a1dad14..eb049c77 100644
+--- a/inc/enclave_inc/sgx/dataseal_internal.h
++++ b/inc/enclave_inc/sgx/dataseal_internal.h
+@@ -21,7 +21,7 @@
+ #define UNSEAL_DATA_FN(in, out, outl, aad, aadl) \
+ internel_sgx_unseal_data(in, out, outl, aad, aadl)
+
+-uint32_t get_sealed_data_size_ex(uint32_t seal_data_len, uint32_t aad_len);
++uint32_t get_sealed_data_size_ex(const uint32_t aad_len, const uint32_t seal_data_len);
+ uint32_t get_encrypted_text_size_ex(const void *sealed_data);
+ uint32_t get_add_text_size_ex(const void *sealed_data);
+
+diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+index 7b6b0411..14b7f991 100644
+--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c
++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+@@ -22,7 +22,7 @@ CC_OPTIMIZE_OFF static void *memset_no_optimize(void *ptr, int value, size_t num
+ memset(ptr, 0, num);
+ }
+
+-uint32_t get_sealed_data_size_ex(uint32_t seal_data_len, uint32_t aad_len)
++uint32_t get_sealed_data_size_ex(const uint32_t aad_len, const uint32_t seal_data_len)
+ {
+ if (UINT32_MAX - aad_len <= seal_data_len) {
+ return UINT32_MAX;
+diff --git a/src/enclave_src/sgx/sgx_seal_data.c b/src/enclave_src/sgx/sgx_seal_data.c
+index 50a49582..9b5ca287 100644
+--- a/src/enclave_src/sgx/sgx_seal_data.c
++++ b/src/enclave_src/sgx/sgx_seal_data.c
+@@ -13,7 +13,7 @@
+ #include "dataseal_internal.h"
+
+
+-uint32_t get_sealed_data_size_ex(uint32_t aad_len, uint32_t seal_data_len)
++uint32_t get_sealed_data_size_ex(const uint32_t aad_len, const uint32_t seal_data_len)
+ {
+ return sgx_calc_sealed_data_size(aad_len, seal_data_len);
+ }
+--
+2.43.0
+
diff --git a/backport-seal-unseal-adds-AAD-parameter.patch b/backport-seal-unseal-adds-AAD-parameter.patch
new file mode 100644
index 0000000..28171c7
--- /dev/null
+++ b/backport-seal-unseal-adds-AAD-parameter.patch
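Review bot: Both parameters of get_sealed_data_size_ex are `uint32_t`, so the reordered prototypes compile unchanged against any caller that still passes (data length, AAD length), and neither header declaration carries a comment stating the order. The example now calls `cc_enclave_get_sealed_data_size(add_len, data_len)`, but that wrapper's own declaration is not part of this patch, so its parameter order and the order it forwards should be confirmed against the new prototype. The result sizes the sealed-data buffer, and in the SGX file the pair goes straight into `sgx_calc_sealed_data_size(aad_len, seal_data_len)`; in the iTrustee file the visible overflow test treats the two values symmetrically, though the rest of that function lies outside the hunk. I would add a comment on both header declarations such as `/* aad_len first, then seal_data_len; UINT32_MAX signals overflow */`.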
@@ -0,0 +1,76 @@
+From deb6fb23ccc4643e9a745fc6da55bf611d592cd6 Mon Sep 17 00:00:00 2001
+From: zhengxiaoxiaoGitee
+Date: Wed, 3 Dec 2025 15:41:48 +0800
+Subject: [PATCH] seal_unseal adds AAD parameter
+
+---
+ inc/enclave_inc/gp/itrustee/dataseal_internal.h | 3 ++-
+ src/enclave_src/gp/itrustee/itrustee_seal_data.c | 14 +++++++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/inc/enclave_inc/gp/itrustee/dataseal_internal.h b/inc/enclave_inc/gp/itrustee/dataseal_internal.h
+index 0ed2f5ba..d03e24a8 100644
+--- a/inc/enclave_inc/gp/itrustee/dataseal_internal.h
++++ b/inc/enclave_inc/gp/itrustee/dataseal_internal.h
+@@ -53,7 +53,8 @@ TEE_Result itrustee_unseal_data(void *cc_enclave_sealed_data, uint8_t *decrypted
+ uint8_t *mac_data, uint32_t *mac_data_len);
+
+ TEE_Result aes_seal_unseal_data(uint8_t *key_buf, uint32_t key_len, uint8_t *nonce, uint32_t nonce_len, uint32_t mode,
+- uint8_t *src_data, uint32_t src_len, uint8_t *dest_data, uint32_t *dest_len, uint8_t *tag, uint32_t *tag_len);
++ uint8_t *src_data, uint32_t src_len, uint8_t *dest_data, uint32_t *dest_len, uint8_t *tag, uint32_t *tag_len,
++ uint8_t *aad_data, uint32_t aad_len);
+
+
+
+diff --git a/src/enclave_src/gp/itrustee/itrustee_seal_data.c b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+index 4d030815..d1fa8f08 100644
+--- a/src/enclave_src/gp/itrustee/itrustee_seal_data.c
++++ b/src/enclave_src/gp/itrustee/itrustee_seal_data.c
+@@ -137,7 +137,8 @@ TEE_Result itrustee_seal_data(uint8_t *seal_data, uint32_t seal_data_len, void *
+ result = aes_seal_unseal_data(key_buf, SEAL_KEY_LEN, nonce, SEAL_DATA_NONCE_LEN,
+ TEE_MODE_ENCRYPT, seal_data, seal_data_len,
+ (uint8_t *)&(tmp_sealed_data->payload_data), (uint32_t *)&(tmp_sealed_data->encrypted_data_len),
+- (uint8_t *)&(tmp_sealed_data->tag), (uint32_t *)&(tmp_sealed_data->tag_len));
++ (uint8_t *)&(tmp_sealed_data->tag), (uint32_t *)&(tmp_sealed_data->tag_len),
++ mac_data, mac_data_len);
+ if (result != TEE_SUCCESS) {
+ SLogError("aes_seal_unseal_data failed");
+ goto error0;
+@@ -158,7 +159,8 @@ error2:
+ }
+
+ TEE_Result aes_seal_unseal_data(uint8_t *key_buf, uint32_t key_len, uint8_t *nonce, uint32_t nonce_len, uint32_t mode,
+- uint8_t *src_data, uint32_t src_len, uint8_t *dest_data, uint32_t *dest_len, uint8_t *tag, uint32_t *tag_len)
++ uint8_t *src_data, uint32_t src_len, uint8_t *dest_data, uint32_t *dest_len, uint8_t *tag, uint32_t *tag_len,
++ uint8_t *aad_data, uint32_t aad_len)
+ {
+ TEE_Result ret;
+ TEE_ObjectHandle key_object;
+@@ -186,6 +188,10 @@ TEE_Result aes_seal_unseal_data(uint8_t *key_buf, uint32_t key_len, uint8_t *non
+ goto error2;
+ }
+
++ if (aad_data != NULL && aad_len > 0) {
++ TEE_AEUpdateAAD(crypto_ops, aad_data, aad_len);
++ }
++
+ size_t temp_dest_len = *dest_len;
+ size_t temp_tag_len = *tag_len;
+ if (TEE_MODE_ENCRYPT == mode) {
+@@ -234,10 +240,12 @@ TEE_Result itrustee_unseal_data(void *sealed_data, uint8_t *decrypted_data, uint
+ goto done;
+ }
+ *decrypted_data_len = tmp_sealed_data->encrypted_data_len;
++ uint8_t *saved_aad = tmp_sealed_data->payload_data + tmp_sealed_data->encrypted_data_len;
++ uint32_t saved_aad_len = tmp_sealed_data->aad_len;
+ result = aes_seal_unseal_data(key_buf, key_len, (uint8_t *)&(tmp_sealed_data->nonce), SEAL_DATA_NONCE_LEN,
+ TEE_MODE_DECRYPT, (uint8_t *)&(tmp_sealed_data->payload_data), tmp_sealed_data->encrypted_data_len,
+ decrypted_data, decrypted_data_len, (uint8_t *)&(tmp_sealed_data->tag),
+- (uint32_t *)&(tmp_sealed_data->tag_len));
++ (uint32_t *)&(tmp_sealed_data->tag_len), saved_aad, saved_aad_len);
+ if (result != TEE_SUCCESS) {
+ SLogError("AES unseal data failed\n");
+ goto done;
+--
+2.43.0
+
diff --git a/secGear.spec b/secGear.spec
index 0706d3f..15f59a8 100644
--- a/secGear.spec
+++ b/secGear.spec
@@ -1,6 +1,6 @@
 Name: secGear
 Version: 0.1.0
-Release: 58
+Release: 59
 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
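Review bot: In itrustee_unseal_data, `saved_aad` and `saved_aad_len` are derived from `encrypted_data_len` and `aad_len` read out of the sealed blob and are passed to TEE_AEUpdateAAD before the tag has been verified, so unauthenticated lengths decide how far past `payload_data` is read. The hunk shows no comparison of those lengths with the size of the buffer the blob arrived in; if none exists above the hunk, a check that `encrypted_data_len + aad_len` fits the sealed buffer without wrapping belongs before `saved_aad` is formed. Blobs sealed before this change had their AAD stored but not fed to the cipher, so they will presumably fail tag verification once unseal supplies it, which deserves a comment or a release note. In aes_seal_unseal_data, `if (aad_data != NULL && aad_len > 0)` silently skips the AAD when the pointer is NULL and the length is non-zero; returning an error for that combination would be safer than producing a tag that does not cover the AAD the caller asked for. These functions start and end outside the hunks.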
@@ -114,6 +114,10 @@ Patch100: 0101-generate-random-by-ra_tls-itself.patch Patch101: 0102-Add-support-for-UEFI-measured-boot-attestation.patch Patch102: 0103-fix-ima-attestation-log-and-add-pcr-check.patch Patch103: 0104-attestation-service-Do-not-hardcode-the-token-path.patch +Patch104: backport-add-null-check-in-cc_sl_get_async_result.patch +Patch105: backport-fix-the-incorrect-parameter-order-for-get_sealed_data_size_ex.patch +Patch106: backport-bugfix-clear-decrypted-data-when-failed.patch +Patch107: backport-seal-unseal-adds-AAD-parameter.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -356,6 +360,9 @@ popd systemctl restart rsyslog %changelog +* Wed Dec 17 2025 Linux_zhang - 0.1.0-59 +- sync patches from upstream + * Fri Jun 6 2025 xuraoqing - 0.1.0-58 - attestation service Do not hardcode the token path -- Gitee