ias-ra.c 7.4 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
#define _GNU_SOURCE		// for memmem()

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>

#if defined(USE_OPENSSL)
#include <openssl/evp.h>	// for base64 encode/decode
#elif defined(USE_WOLFSSL)
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/coding.h>
#elif defined(USE_MBEDTLS)
#include <mbedtls/base64.h>
#else
#error Must use one of OpenSSL/wolfSSL/mbedtls
#endif

#include <stdint.h>

#include <sgx_report.h>

#include "ra.h"
#include "ra-attester.h"
#include "ias-ra.h"
#include "curl_helper.h"

static
size_t accumulate_function(void *ptr, size_t size, size_t nmemb, void *userdata)
{
	struct buffer_and_size *s = (struct buffer_and_size *)userdata;
	s->data = (char *)realloc(s->data, s->len + size * nmemb);
	assert(s->data != NULL);
	memcpy(s->data + s->len, ptr, size * nmemb);
	s->len += size * nmemb;

	return size * nmemb;
}

void http_get
    (CURL * curl,
     const char *url,
     struct buffer_and_size *header,
     struct buffer_and_size *body,
     struct curl_slist *request_headers, char *request_body) {
	curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
	curl_easy_setopt(curl, CURLOPT_URL, url);
	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);

	curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, accumulate_function);
	curl_easy_setopt(curl, CURLOPT_HEADERDATA, header);
	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, accumulate_function);
	curl_easy_setopt(curl, CURLOPT_WRITEDATA, body);

	if (request_headers) {
		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, request_headers);
	}
	if (request_body) {
		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request_body);
	}

	CURLcode res = curl_easy_perform(curl);
	assert(res == CURLE_OK);
}

static const char pem_marker_begin[] = "-----BEGIN CERTIFICATE-----";
static const char pem_marker_end[] = "-----END CERTIFICATE-----";

static
void extract_certificates_from_response_header
    (CURL * curl,
     const char *header,
     size_t header_len, attestation_verification_report_t * attn_report) {
	// Locate x-iasreport-signature HTTP header field in the response.
	const char response_header_name[] = "X-IASReport-Signing-Certificate: ";
	char *field_begin = memmem(header,
				   header_len,
				   response_header_name,
				   strlen(response_header_name));
	assert(field_begin != NULL);
	field_begin += strlen(response_header_name);
	const char http_line_break[] = "\r\n";
	char *field_end = memmem(field_begin,
				 header_len - (field_begin - header),
				 http_line_break,
				 strlen(http_line_break));
	size_t field_len = field_end - field_begin;

	// Remove urlencoding from x-iasreport-signing-certificate field.
	int unescaped_len = 0;
	char *unescaped = curl_easy_unescape(curl,
					     field_begin,
					     field_len,
					     &unescaped_len);

	char *cert_begin = memmem(unescaped,
				  unescaped_len,
				  pem_marker_begin,
				  strlen(pem_marker_begin));
	assert(cert_begin != NULL);
	char *cert_end = memmem(unescaped, unescaped_len,
				pem_marker_end, strlen(pem_marker_end));
	assert(cert_end != NULL);
	uint32_t cert_len = cert_end - cert_begin + strlen(pem_marker_end);

	assert(cert_len <= sizeof(attn_report->ias_sign_cert));
	memcpy(attn_report->ias_sign_cert, cert_begin, cert_len);
	attn_report->ias_sign_cert_len = cert_len;

	cert_begin = memmem(cert_end,
			    unescaped_len - (cert_end - unescaped),
			    pem_marker_begin, strlen(pem_marker_begin));
	assert(cert_begin != NULL);
	cert_end = memmem(cert_begin,
			  unescaped_len - (cert_begin - unescaped),
			  pem_marker_end, strlen(pem_marker_end));
	assert(cert_end != NULL);
	cert_len = cert_end - cert_begin + strlen(pem_marker_end);

	assert(cert_len <= sizeof(attn_report->ias_sign_ca_cert));
	memcpy((char *)attn_report->ias_sign_ca_cert, cert_begin, cert_len);
	attn_report->ias_sign_ca_cert_len = cert_len;

	curl_free(unescaped);
	unescaped = NULL;
}

/* The header has the certificates and report signature. */
void parse_response_header
    (const char *header,
     size_t header_len,
     unsigned char *signature,
     const size_t signature_max_size, uint32_t * signature_size) {
	const char sig_tag[] = "X-IASReport-Signature: ";
	char *sig_begin = memmem((const char *)header,
				 header_len,
				 sig_tag,
				 strlen(sig_tag));
	assert(sig_begin != NULL);
	sig_begin += strlen(sig_tag);
	char *sig_end = memmem(sig_begin,
			       header_len - (sig_begin - header),
			       "\r\n",
			       strlen("\r\n"));
	assert(sig_end);

	assert((size_t) (sig_end - sig_begin) <= signature_max_size);
	memcpy(signature, sig_begin, sig_end - sig_begin);
	*signature_size = sig_end - sig_begin;
}

/**
 * @return Length of base64 encoded data including terminating NUL-byte.
 */
static void base64_encode(uint8_t * in, uint32_t in_len, uint8_t * out, uint32_t * out_len	/* in/out */
    )
{
	// + 1 to account for the terminating \0.
	assert(*out_len >= (in_len + 3 - 1) / 3 * 4 + 1);
	bzero(out, *out_len);

#if defined(USE_OPENSSL)
	int ret = EVP_EncodeBlock(out, in, in_len);
	// + 1 since EVP_EncodeBlock() returns length excluding the terminating \0.
	assert((size_t) ret + 1 <= *out_len);
	*out_len = ret + 1;
#elif defined(USE_WOLFSSL)
	int ret = Base64_Encode_NoNl(in, in_len, out, out_len);
	assert(ret == 0);
	// No need append terminating \0 since we memset() the whole
	// buffer in the beginning.
	*out_len += 1;
#elif defined(USE_MBEDTLS)
	size_t olen;
	int ret = mbedtls_base64_encode(out, *out_len, &olen, in, in_len);
	assert(ret == 0);
	assert(olen <= UINT32_MAX);
	*out_len = (uint32_t) olen;
#endif
}

/** Turns a binary quote into an attestation verification report.

  Communicates with Intel Attestation Service via its HTTP REST interface.
*/
void obtain_attestation_verification_report
    (const sgx_quote_t * quote,
     const uint32_t quote_size,
     const struct ra_tls_options *opts,
     attestation_verification_report_t * attn_report) {
	int ret;

	char url[512];
	ret = snprintf(url, sizeof(url), "https://%s/attestation/v3/report",
		       opts->ias_server);
	assert(ret < (int)sizeof(url));

	char buf[128];
	int rc = snprintf(buf, sizeof(buf), "Ocp-Apim-Subscription-Key: %.32s",
			  opts->subscription_key);
	assert(rc < (int)sizeof(buf));

	struct curl_slist *request_headers =
	    curl_slist_append(NULL, "Content-Type: application/json");
	request_headers = curl_slist_append(request_headers, buf);

	const char json_template[] = "{\"isvEnclaveQuote\":\"%s\"}";
	unsigned char quote_base64[quote_size * 2];
	uint32_t quote_base64_len = sizeof(quote_base64);
	char json[quote_size * 2];

	base64_encode((uint8_t *) quote, quote_size,
		      quote_base64, &quote_base64_len);

	snprintf(json, sizeof(json), json_template, quote_base64);

	CURL *curl = curl_easy_init();
	assert(curl != NULL);
	struct buffer_and_size header = { (char *)malloc(1), 0 };
	struct buffer_and_size body = { (char *)malloc(1), 0 };
	http_get(curl, url, &header, &body, request_headers, json);

	parse_response_header(header.data, header.len,
			      attn_report->ias_report_signature,
			      sizeof(attn_report->ias_report_signature),
			      &attn_report->ias_report_signature_len);

	assert(sizeof(attn_report->ias_report) >= body.len);
	memcpy(attn_report->ias_report, body.data, body.len);
	attn_report->ias_report_len = body.len;

	extract_certificates_from_response_header(curl,
						  header.data, header.len,
						  attn_report);

	curl_easy_cleanup(curl);
	free(header.data);
	free(body.data);
	curl_slist_free_all(request_headers);
}