dcap-ql: should accept extra trailing data in quote

[jason-liang-vault]

Describe the bug:

we've recently receive following error, which is generated in this line (https://github.com/fortanix/rust-sgx/blob/master/intel-sgx/dcap-ql/src/quote.rs#L240)
Invalid signature length, expected 4164, got 4168

After some investigation, following is the root cause

The quote function in dcap-ql which generate quote contains following two steps

1. get_quote_size, to get an ESTIMATED size of the quote, and it is the application's (which is our) responsibility to allocate a buffer that is AT LEAST this big, and pass to get_quote function. Since this is just estimation, it has some default value if PCCS return empty data / failed to return data at the moment
2. get_quote

The erroneous signature that trigger the error above is actually still valid, just that there are four trailing '\x00' at the end of the quote, which should be caused by a larger estimated quote size
get quote function looks like this, and the let mut quote = vec![0; quote_size as _]; should be the root cause of those trailing '\x00'

pub fn quote(report: &Report) -> Result<Vec<u8>, Quote3Error> {
    unsafe {
        let mut quote_size = 0;
        err_code_to_result(get_quote_size(&mut quote_size))?;

        let mut quote = vec![0; quote_size as _];
        err_code_to_result(get_quote(&report, quote_size, quote.as_mut_ptr()))?;
        Ok(quote)
    }
}

And when parsing the signature in fortanix's library, it requires the input buffer (which is vec![0; quote_size as _] to match the exact content (which is represented by format [length_of_following_bytes, byte_1, byte_2, ...], e.g. [0x5, 0xab, 0xcd, 0xef, 0x01, 0x23])

And the fix is simple, instead of failing when the expected quote length and actual quote length mismatch, we just keep parsing, and discard any trailing data (so effectively accepting longer quote, but will still reject quote that is shorter than expected)

To Reproduce:
Steps to reproduce the behavior:

1. Append several random bytes after getting quote from dcap_ql::quote
2. Parse the quote using dcap_ql crate

Expected behavior:
Extra bytes are ignored, and parsing passed

Reproducibility:

• Always

Environment:

• Ubuntu 22.04 LTS

Possible Solution:
Parse the quote as normal, but instead of failing directly after detecting extra trailing bytes, simply discard them

Severity:

• Critical
• Major
• Normal
• Minor

[jethrogb]

I don't think this is a bug as described. It is correct that a validation function errors out when extraneous data is passed in. The bug is that fn quote returns data that is longer than the quote.

See https://download.01.org/intel-sgx/sgx-dcap/1.3/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf for the data structure specification.

[jason-liang-vault]

hi then seems that we need to update quote function?

It is also in dcap_ql crate

[mzohreva]

After internal discussions we decided not to change the behavior described in the issue, because doing so runs the risk of future issues due to format changes or other unforeseen issues. I recommend changing the code producing the quote to return the exact size upon get_quote_size

[jethrogb]

@jason-liang-vault which CPU family are you running on and which DCAP provider are you using?