From 139f6423584322312fbac5f1c1d66731f8d4949e Mon Sep 17 00:00:00 2001 From: Dmitrii Kuvaiskii Date: Tue, 23 Jul 2024 23:59:06 -0700 Subject: [PATCH] [tools/RA-TLS] Copy quote from X.509 cert into a separate object Previously, `extract_quote_and_verify_pubkey()` returned a pointer to the SGX quote located inside the X.509 certificate. This is a confusing pattern, so this commit introduces a copy operation, to copy the SGX quote into a newly allocated object whose ownership is passed to the callers of this func. Signed-off-by: Dmitrii Kuvaiskii --- tools/sgx/ra-tls/ra_tls_attest.c | 3 ++- tools/sgx/ra-tls/ra_tls_common.h | 1 - tools/sgx/ra-tls/ra_tls_verify_common.c | 11 +++++++++-- tools/sgx/ra-tls/ra_tls_verify_dcap.c | 3 ++- tools/sgx/ra-tls/ra_tls_verify_epid.c | 4 +++- 5 files changed, 16 insertions(+), 6 deletions(-) diff --git a/tools/sgx/ra-tls/ra_tls_attest.c b/tools/sgx/ra-tls/ra_tls_attest.c index e45b95ffb0..aac3820699 100644 --- a/tools/sgx/ra-tls/ra_tls_attest.c +++ b/tools/sgx/ra-tls/ra_tls_attest.c @@ -133,7 +133,8 @@ static int generate_x509(mbedtls_pk_context* pk, const uint8_t* quote, size_t qu goto out; /* finally, embed the quote into the generated certificate (as X.509 extension) */ - ret = mbedtls_x509write_crt_set_extension(writecrt, (const char*)g_quote_oid, g_quote_oid_size, + ret = mbedtls_x509write_crt_set_extension(writecrt, (const char*)g_quote_oid, + sizeof(g_quote_oid), /*critical=*/0, quote, quote_size); if (ret < 0) goto out; diff --git a/tools/sgx/ra-tls/ra_tls_common.h b/tools/sgx/ra-tls/ra_tls_common.h index b5ea32c467..d1aaa89b52 100644 --- a/tools/sgx/ra-tls/ra_tls_common.h +++ b/tools/sgx/ra-tls/ra_tls_common.h @@ -24,7 +24,6 @@ #define OID(N) \ { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF8, 0x4D, 0x8A, 0x39, (N) } static const uint8_t g_quote_oid[] = OID(0x06); -static const size_t g_quote_oid_size = sizeof(g_quote_oid); bool getenv_allow_outdated_tcb(void); bool getenv_allow_hw_config_needed(void); diff --git a/tools/sgx/ra-tls/ra_tls_verify_common.c b/tools/sgx/ra-tls/ra_tls_verify_common.c index e8270812d4..baae82e202 100644 --- a/tools/sgx/ra-tls/ra_tls_verify_common.c +++ b/tools/sgx/ra-tls/ra_tls_verify_common.c @@ -227,7 +227,7 @@ int extract_quote_and_verify_pubkey(mbedtls_x509_crt* crt, sgx_quote_t** out_quo sgx_quote_t* quote; size_t quote_size; int ret = find_oid_in_cert_extensions(crt->v3_ext.p, crt->v3_ext.len, g_quote_oid, - g_quote_oid_size, (uint8_t**)"e, "e_size); + sizeof(g_quote_oid), (uint8_t**)"e, "e_size); if (ret < 0) return ret; @@ -239,7 +239,14 @@ int extract_quote_and_verify_pubkey(mbedtls_x509_crt* crt, sgx_quote_t** out_quo if (ret < 0) return ret; - *out_quote = quote; + /* quote returned by find_oid_in_cert_extensions() is a pointer somewhere inside of the X.509 + * cert object; let's copy it into a newly allocated object to make tracing ownership easier */ + sgx_quote_t* allocated_quote = malloc(quote_size); + if (!allocated_quote) + return MBEDTLS_ERR_X509_ALLOC_FAILED; + memcpy(allocated_quote, quote, quote_size); + + *out_quote = allocated_quote; *out_quote_size = quote_size; return 0; } diff --git a/tools/sgx/ra-tls/ra_tls_verify_dcap.c b/tools/sgx/ra-tls/ra_tls_verify_dcap.c index 8633caff55..fd1b81da7d 100644 --- a/tools/sgx/ra-tls/ra_tls_verify_dcap.c +++ b/tools/sgx/ra-tls/ra_tls_verify_dcap.c @@ -99,6 +99,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ struct ra_tls_verify_callback_results* results = (struct ra_tls_verify_callback_results*)data; int ret; + sgx_quote_t* quote = NULL; uint8_t* supplemental_data = NULL; uint32_t supplemental_data_size = 0; @@ -124,7 +125,6 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ results->err_loc = AT_EXTRACT_QUOTE; /* extract SGX quote from "quote" OID extension from crt */ - sgx_quote_t* quote; size_t quote_size; ret = extract_quote_and_verify_pubkey(crt, "e, "e_size); if (ret < 0) { @@ -263,6 +263,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ results->err_loc = AT_NONE; ret = 0; out: + free(quote); free(supplemental_data); return ret; } diff --git a/tools/sgx/ra-tls/ra_tls_verify_epid.c b/tools/sgx/ra-tls/ra_tls_verify_epid.c index 2708af2198..85a4b68c55 100644 --- a/tools/sgx/ra-tls/ra_tls_verify_epid.c +++ b/tools/sgx/ra-tls/ra_tls_verify_epid.c @@ -121,6 +121,8 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ struct ra_tls_verify_callback_results* results = (struct ra_tls_verify_callback_results*)data; int ret; + sgx_quote_t* quote = NULL; + struct ias_context_t* ias = NULL; char* ias_pub_key_pem = NULL; @@ -168,7 +170,6 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ results->err_loc = AT_EXTRACT_QUOTE; /* extract SGX quote from "quote" OID extension from crt */ - sgx_quote_t* quote; size_t quote_size; ret = extract_quote_and_verify_pubkey(crt, "e, "e_size); if (ret < 0) { @@ -281,6 +282,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_ if (ias) ias_cleanup(ias); + free(quote); free(ias_pub_key_pem); free(quote_from_ias); free(report_data);