Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_common_lib.h"
8 :
9 : /**
10 : * This function returns peer certificate chain buffer including spdm_cert_chain_t header.
11 : *
12 : * @param spdm_context A pointer to the SPDM context.
13 : * @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
14 : * @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
15 : *
16 : * @retval true Peer certificate chain buffer including spdm_cert_chain_t header is returned.
17 : * @retval false Peer certificate chain buffer including spdm_cert_chain_t header is not found.
18 : **/
19 0 : bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
20 : const void **cert_chain_buffer,
21 : size_t *cert_chain_buffer_size)
22 : {
23 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
24 : libspdm_context_t *context;
25 : uint8_t slot_id;
26 :
27 : context = spdm_context;
28 : slot_id = context->connection_info.peer_used_cert_chain_slot_id;
29 : LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
30 : if (context->connection_info.peer_used_cert_chain[slot_id].buffer_size != 0) {
31 : *cert_chain_buffer = context->connection_info.peer_used_cert_chain[slot_id].buffer;
32 : *cert_chain_buffer_size = context->connection_info
33 : .peer_used_cert_chain[slot_id].buffer_size;
34 : return true;
35 : }
36 : #endif
37 0 : return false;
38 : }
39 :
40 : /**
41 : * This function returns peer certificate chain data without spdm_cert_chain_t header.
42 : *
43 : * @param spdm_context A pointer to the SPDM context.
44 : * @param cert_chain_data Certificate chain data without spdm_cert_chain_t header.
45 : * @param cert_chain_data_size size in bytes of the certificate chain data.
46 : *
47 : * @retval true Peer certificate chain data without spdm_cert_chain_t header is returned.
48 : * @retval false Peer certificate chain data without spdm_cert_chain_t header is not found.
49 : **/
50 0 : bool libspdm_get_peer_cert_chain_data(void *spdm_context,
51 : const void **cert_chain_data,
52 : size_t *cert_chain_data_size)
53 : {
54 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
55 : libspdm_context_t *context;
56 : size_t hash_size;
57 : bool result;
58 :
59 : context = spdm_context;
60 : hash_size = libspdm_get_hash_size(context->connection_info.algorithm.base_hash_algo);
61 :
62 : result = libspdm_get_peer_cert_chain_buffer(context, cert_chain_data,
63 : cert_chain_data_size);
64 : if (result) {
65 : *cert_chain_data =
66 : (const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
67 : *cert_chain_data_size =
68 : *cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
69 : return true;
70 : }
71 : #endif
72 0 : return false;
73 : }
74 :
75 : /**
76 : * This function returns local used certificate chain buffer including spdm_cert_chain_t header.
77 : *
78 : * @param spdm_context A pointer to the SPDM context.
79 : * @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
80 : * @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
81 : *
82 : * @retval true Local used certificate chain buffer including spdm_cert_chain_t header is returned.
83 : * @retval false Local used certificate chain buffer including spdm_cert_chain_t header is not found.
84 : **/
85 34 : bool libspdm_get_local_cert_chain_buffer(void *spdm_context,
86 : const void **cert_chain_buffer,
87 : size_t *cert_chain_buffer_size)
88 : {
89 : libspdm_context_t *context;
90 :
91 34 : context = spdm_context;
92 34 : if (context->connection_info.local_used_cert_chain_buffer_size != 0) {
93 34 : *cert_chain_buffer = context->connection_info.local_used_cert_chain_buffer;
94 34 : *cert_chain_buffer_size = context->connection_info.local_used_cert_chain_buffer_size;
95 34 : return true;
96 : }
97 0 : return false;
98 : }
99 :
100 : /**
101 : * This function returns local used certificate chain data without spdm_cert_chain_t header.
102 : *
103 : * @param spdm_context A pointer to the SPDM context.
104 : * @param cert_chain_data Certificate chain data without spdm_cert_chain_t header.
105 : * @param cert_chain_data_size size in bytes of the certificate chain data.
106 : *
107 : * @retval true Local used certificate chain data without spdm_cert_chain_t header is returned.
108 : * @retval false Local used certificate chain data without spdm_cert_chain_t header is not found.
109 : **/
110 0 : bool libspdm_get_local_cert_chain_data(void *spdm_context,
111 : const void **cert_chain_data,
112 : size_t *cert_chain_data_size)
113 : {
114 : libspdm_context_t *context;
115 : bool result;
116 : size_t hash_size;
117 :
118 0 : context = spdm_context;
119 :
120 0 : result = libspdm_get_local_cert_chain_buffer(context, cert_chain_data,
121 : cert_chain_data_size);
122 0 : if (!result) {
123 0 : return false;
124 : }
125 :
126 0 : hash_size = libspdm_get_hash_size(context->connection_info.algorithm.base_hash_algo);
127 :
128 0 : *cert_chain_data = (const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
129 0 : *cert_chain_data_size = *cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
130 0 : return true;
131 : }
132 :
133 : /**
134 : * This function returns peer public key buffer.
135 : *
136 : * @param spdm_context A pointer to the SPDM context.
137 : * @param peer_public_key_buffer Peer public key buffer.
138 : * @param peer_public_key_buffer_size Size in bytes of peer public key buffer.
139 : *
140 : * @retval true Peer public key buffer is returned.
141 : * @retval false Peer public key buffer is not found.
142 : **/
143 3 : bool libspdm_get_peer_public_key_buffer(void *spdm_context,
144 : const void **peer_public_key_buffer,
145 : size_t *peer_public_key_buffer_size)
146 : {
147 : libspdm_context_t *context;
148 :
149 3 : context = spdm_context;
150 3 : if (context->local_context.peer_public_key_provision_size != 0) {
151 3 : *peer_public_key_buffer = context->local_context.peer_public_key_provision;
152 3 : *peer_public_key_buffer_size = context->local_context.peer_public_key_provision_size;
153 3 : return true;
154 : }
155 0 : return false;
156 : }
157 :
158 : /**
159 : * This function returns local public key buffer.
160 : *
161 : * @param spdm_context A pointer to the SPDM context.
162 : * @param local_public_key_buffer Local public key buffer.
163 : * @param local_public_key_buffer_size Size in bytes of local public key buffer.
164 : *
165 : * @retval true Local public key buffer is returned.
166 : * @retval false Local public key buffer is not found.
167 : **/
168 2 : bool libspdm_get_local_public_key_buffer(void *spdm_context,
169 : const void **local_public_key_buffer,
170 : size_t *local_public_key_buffer_size)
171 : {
172 : libspdm_context_t *context;
173 :
174 2 : context = spdm_context;
175 2 : if (context->local_context.local_public_key_provision_size != 0) {
176 2 : *local_public_key_buffer = context->local_context.local_public_key_provision;
177 2 : *local_public_key_buffer_size = context->local_context.local_public_key_provision_size;
178 2 : return true;
179 : }
180 0 : return false;
181 : }
182 :
183 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
184 : /*
185 : * This function calculates l1l2.
186 : * If session_info is NULL, this function will use M cache of SPDM context,
187 : * else will use M cache of SPDM session context.
188 : *
189 : * @param spdm_context A pointer to the SPDM context.
190 : * @param session_info A pointer to the SPDM session context.
191 : * @param l1l2 The buffer to store the l1l2.
192 : *
193 : * @retval RETURN_SUCCESS l1l2 is calculated.
194 : */
195 : bool libspdm_calculate_l1l2(libspdm_context_t *spdm_context,
196 : void *session_info,
197 : libspdm_l1l2_managed_buffer_t *l1l2)
198 : {
199 : libspdm_return_t status;
200 : libspdm_session_info_t *spdm_session_info;
201 :
202 : spdm_session_info = session_info;
203 :
204 : libspdm_init_managed_buffer(l1l2, sizeof(l1l2->buffer));
205 :
206 : if ((spdm_context->connection_info.version >> SPDM_VERSION_NUMBER_SHIFT_BIT) >
207 : SPDM_MESSAGE_VERSION_11) {
208 :
209 : /* Need append VCA since 1.2 script*/
210 :
211 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_a data :\n"));
212 : LIBSPDM_INTERNAL_DUMP_HEX(
213 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
214 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
215 : status = libspdm_append_managed_buffer(
216 : l1l2,
217 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
218 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
219 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
220 : return false;
221 : }
222 : }
223 :
224 : if (spdm_session_info == NULL) {
225 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_m data :\n"));
226 : LIBSPDM_INTERNAL_DUMP_HEX(
227 : libspdm_get_managed_buffer(&spdm_context->transcript.message_m),
228 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_m));
229 : status = libspdm_append_managed_buffer(
230 : l1l2,
231 : libspdm_get_managed_buffer(&spdm_context->transcript.message_m),
232 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_m));
233 : } else {
234 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "use message_m in session :\n"));
235 : LIBSPDM_INTERNAL_DUMP_HEX(
236 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_m),
237 : libspdm_get_managed_buffer_size(&spdm_session_info->session_transcript.message_m));
238 : status = libspdm_append_managed_buffer(
239 : l1l2,
240 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_m),
241 : libspdm_get_managed_buffer_size(&spdm_session_info->session_transcript.message_m));
242 : }
243 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
244 : return false;
245 : }
246 :
247 : /* Debug code only - calculate and print value of l1l2 hash*/
248 : LIBSPDM_DEBUG_CODE(
249 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
250 : uint32_t hash_size = libspdm_get_hash_size(
251 : spdm_context->connection_info.algorithm.base_hash_algo);
252 : if (!libspdm_hash_all(
253 : spdm_context->connection_info.algorithm.base_hash_algo,
254 : libspdm_get_managed_buffer(l1l2),
255 : libspdm_get_managed_buffer_size(l1l2), hash_data)) {
256 : return false;
257 : }
258 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "l1l2 hash - "));
259 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
260 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
261 : );
262 :
263 : return true;
264 : }
265 : #else
266 : /*
267 : * This function calculates l1l2 hash.
268 : * If session_info is NULL, this function will use M cache of SPDM context,
269 : * else will use M cache of SPDM session context.
270 : *
271 : * @param spdm_context A pointer to the SPDM context.
272 : * @param session_info A pointer to the SPDM session context.
273 : * @param l1l2_hash_size size in bytes of the l1l2 hash
274 : * @param l1l2_hash The buffer to store the l1l2 hash
275 : *
276 : * @retval RETURN_SUCCESS l1l2 is calculated.
277 : */
278 39 : bool libspdm_calculate_l1l2_hash(libspdm_context_t *spdm_context,
279 : void *session_info,
280 : size_t *l1l2_hash_size, void *l1l2_hash)
281 : {
282 : libspdm_session_info_t *spdm_session_info;
283 : bool result;
284 :
285 : uint32_t hash_size;
286 :
287 39 : spdm_session_info = session_info;
288 :
289 39 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
290 :
291 39 : if (spdm_session_info == NULL) {
292 37 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
293 : spdm_context->transcript.digest_context_l1l2, l1l2_hash);
294 : } else {
295 2 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "use message_m in session :\n"));
296 2 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
297 : spdm_session_info->session_transcript.digest_context_l1l2,
298 : l1l2_hash);
299 : }
300 39 : if (!result) {
301 0 : return false;
302 : }
303 39 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "l1l2 hash - "));
304 39 : LIBSPDM_INTERNAL_DUMP_DATA(l1l2_hash, hash_size);
305 39 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
306 :
307 39 : *l1l2_hash_size = hash_size;
308 :
309 39 : return true;
310 : }
311 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
312 :
313 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
314 : /*
315 : * This function calculates m1m2.
316 : *
317 : * @param spdm_context A pointer to the SPDM context.
318 : * @param is_mut Indicate if this is from mutual authentication.
319 : * @param m1m2 The buffer to store the m1m2
320 : *
321 : * @retval RETURN_SUCCESS m1m2 is calculated.
322 : */
323 : static bool libspdm_calculate_m1m2(void *context, bool is_mut,
324 : libspdm_m1m2_managed_buffer_t *m1m2)
325 : {
326 : libspdm_context_t *spdm_context;
327 : libspdm_return_t status;
328 :
329 : spdm_context = context;
330 :
331 : libspdm_init_managed_buffer(m1m2, sizeof(m1m2->buffer));
332 :
333 : if (is_mut) {
334 : if ((spdm_context->connection_info.version >> SPDM_VERSION_NUMBER_SHIFT_BIT) >
335 : SPDM_MESSAGE_VERSION_11) {
336 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_a data :\n"));
337 : LIBSPDM_INTERNAL_DUMP_HEX(
338 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
339 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
340 : status = libspdm_append_managed_buffer(
341 : m1m2,
342 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
343 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
344 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
345 : return false;
346 : }
347 : }
348 :
349 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_mut_b data :\n"));
350 : LIBSPDM_INTERNAL_DUMP_HEX(
351 : libspdm_get_managed_buffer(&spdm_context->transcript.message_mut_b),
352 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_mut_b));
353 : status = libspdm_append_managed_buffer(
354 : m1m2,
355 : libspdm_get_managed_buffer(&spdm_context->transcript.message_mut_b),
356 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_mut_b));
357 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
358 : return false;
359 : }
360 :
361 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_mut_c data :\n"));
362 : LIBSPDM_INTERNAL_DUMP_HEX(
363 : libspdm_get_managed_buffer(&spdm_context->transcript.message_mut_c),
364 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_mut_c));
365 : status = libspdm_append_managed_buffer(
366 : m1m2,
367 : libspdm_get_managed_buffer(&spdm_context->transcript.message_mut_c),
368 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_mut_c));
369 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
370 : return false;
371 : }
372 :
373 : /* Debug code only - calculate and print value of m1m2 mut hash*/
374 : LIBSPDM_DEBUG_CODE(
375 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
376 : uint32_t hash_size = libspdm_get_hash_size(
377 : spdm_context->connection_info.algorithm.base_hash_algo);
378 : if (!libspdm_hash_all(
379 : spdm_context->connection_info.algorithm.base_hash_algo,
380 : libspdm_get_managed_buffer(m1m2),
381 : libspdm_get_managed_buffer_size(m1m2), hash_data)) {
382 : return false;
383 : }
384 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "m1m2 Mut hash - "));
385 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
386 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
387 : );
388 :
389 : } else {
390 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_a data :\n"));
391 : LIBSPDM_INTERNAL_DUMP_HEX(
392 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
393 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
394 : status = libspdm_append_managed_buffer(
395 : m1m2,
396 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
397 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
398 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
399 : return false;
400 : }
401 :
402 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_b data :\n"));
403 : LIBSPDM_INTERNAL_DUMP_HEX(
404 : libspdm_get_managed_buffer(&spdm_context->transcript.message_b),
405 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_b));
406 : status = libspdm_append_managed_buffer(
407 : m1m2,
408 : libspdm_get_managed_buffer(&spdm_context->transcript.message_b),
409 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_b));
410 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
411 : return false;
412 : }
413 :
414 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_c data :\n"));
415 : LIBSPDM_INTERNAL_DUMP_HEX(
416 : libspdm_get_managed_buffer(&spdm_context->transcript.message_c),
417 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_c));
418 : status = libspdm_append_managed_buffer(
419 : m1m2,
420 : libspdm_get_managed_buffer(&spdm_context->transcript.message_c),
421 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_c));
422 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
423 : return false;
424 : }
425 :
426 : /* Debug code only - calculate and print value of m1m2 hash*/
427 : LIBSPDM_DEBUG_CODE(
428 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
429 : uint32_t hash_size = libspdm_get_hash_size(
430 : spdm_context->connection_info.algorithm.base_hash_algo);
431 : if (!libspdm_hash_all(
432 : spdm_context->connection_info.algorithm.base_hash_algo,
433 : libspdm_get_managed_buffer(m1m2),
434 : libspdm_get_managed_buffer_size(m1m2), hash_data)) {
435 : return false;
436 : }
437 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "m1m2 hash - "));
438 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
439 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
440 : );
441 : }
442 :
443 : return true;
444 : }
445 : #else
446 : /*
447 : * This function calculates m1m2 hash.
448 : *
449 : * @param spdm_context A pointer to the SPDM context.
450 : * @param is_mut Indicate if this is from mutual authentication.
451 : * @param m1m2_hash_size size in bytes of the m1m2 hash
452 : * @param m1m2_hash The buffer to store the m1m2 hash
453 : *
454 : * @retval RETURN_SUCCESS m1m2 is calculated.
455 : */
456 31 : static bool libspdm_calculate_m1m2_hash(void *context, bool is_mut,
457 : size_t *m1m2_hash_size,
458 : void *m1m2_hash)
459 : {
460 : libspdm_context_t *spdm_context;
461 : uint32_t hash_size;
462 : bool result;
463 :
464 31 : spdm_context = context;
465 :
466 31 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
467 :
468 31 : if (is_mut) {
469 6 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
470 : spdm_context->transcript.digest_context_mut_m1m2, m1m2_hash);
471 6 : if (!result) {
472 0 : return false;
473 : }
474 6 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "m1m2 Mut hash - "));
475 6 : LIBSPDM_INTERNAL_DUMP_DATA(m1m2_hash, hash_size);
476 6 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
477 :
478 : } else {
479 25 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
480 : spdm_context->transcript.digest_context_m1m2, m1m2_hash);
481 25 : if (!result) {
482 0 : return false;
483 : }
484 25 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "m1m2 hash - "));
485 25 : LIBSPDM_INTERNAL_DUMP_DATA(m1m2_hash, hash_size);
486 25 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
487 : }
488 :
489 31 : *m1m2_hash_size = hash_size;
490 :
491 31 : return true;
492 : }
493 : #endif
494 :
495 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
496 : /*
497 : * This function calculates il1il2.
498 : * If session_info is NULL, this function will use E cache of SPDM context,
499 : * else will use E cache of SPDM session context.
500 : *
501 : * @param spdm_context A pointer to the SPDM context.
502 : * @param session_info A pointer to the SPDM session context.
503 : * @param is_mut Indicate if this is from mutual authentication.
504 : * @param il1il2 The buffer to store the il1il2.
505 : *
506 : * @retval RETURN_SUCCESS il1il2 is calculated.
507 : */
508 : bool libspdm_calculate_il1il2(libspdm_context_t *spdm_context,
509 : void *session_info,
510 : bool is_mut,
511 : libspdm_il1il2_managed_buffer_t *il1il2)
512 : {
513 : libspdm_return_t status;
514 : libspdm_session_info_t *spdm_session_info;
515 :
516 : spdm_session_info = session_info;
517 :
518 : libspdm_init_managed_buffer(il1il2, sizeof(il1il2->buffer));
519 :
520 :
521 : if (is_mut) {
522 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_a data :\n"));
523 : LIBSPDM_INTERNAL_DUMP_HEX(
524 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
525 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
526 : status = libspdm_append_managed_buffer(
527 : il1il2,
528 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
529 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
530 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
531 : return false;
532 : }
533 :
534 : if (spdm_session_info == NULL) {
535 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_encap_e data :\n"));
536 : LIBSPDM_INTERNAL_DUMP_HEX(
537 : libspdm_get_managed_buffer(&spdm_context->transcript.message_encap_e),
538 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_encap_e));
539 : status = libspdm_append_managed_buffer(
540 : il1il2,
541 : libspdm_get_managed_buffer(&spdm_context->transcript.message_encap_e),
542 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_encap_e));
543 : } else {
544 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "use message_encap_e in session :\n"));
545 : LIBSPDM_INTERNAL_DUMP_HEX(
546 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_encap_e),
547 : libspdm_get_managed_buffer_size(
548 : &spdm_session_info->session_transcript.message_encap_e));
549 : status = libspdm_append_managed_buffer(
550 : il1il2,
551 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_encap_e),
552 : libspdm_get_managed_buffer_size(
553 : &spdm_session_info->session_transcript.message_encap_e));
554 : }
555 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
556 : return false;
557 : }
558 :
559 : /* Debug code only - calculate and print value of il1il2 hash*/
560 : LIBSPDM_DEBUG_CODE(
561 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
562 : uint32_t hash_size = libspdm_get_hash_size(
563 : spdm_context->connection_info.algorithm.base_hash_algo);
564 : if (!libspdm_hash_all(
565 : spdm_context->connection_info.algorithm.base_hash_algo,
566 : libspdm_get_managed_buffer(il1il2),
567 : libspdm_get_managed_buffer_size(il1il2), hash_data)) {
568 : return false;
569 : }
570 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "il1il2 mut hash - "));
571 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
572 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
573 : );
574 : } else {
575 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_a data :\n"));
576 : LIBSPDM_INTERNAL_DUMP_HEX(
577 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
578 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
579 : status = libspdm_append_managed_buffer(
580 : il1il2,
581 : libspdm_get_managed_buffer(&spdm_context->transcript.message_a),
582 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_a));
583 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
584 : return false;
585 : }
586 :
587 : if (spdm_session_info == NULL) {
588 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "message_e data :\n"));
589 : LIBSPDM_INTERNAL_DUMP_HEX(
590 : libspdm_get_managed_buffer(&spdm_context->transcript.message_e),
591 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_e));
592 : status = libspdm_append_managed_buffer(
593 : il1il2,
594 : libspdm_get_managed_buffer(&spdm_context->transcript.message_e),
595 : libspdm_get_managed_buffer_size(&spdm_context->transcript.message_e));
596 : } else {
597 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "use message_e in session :\n"));
598 : LIBSPDM_INTERNAL_DUMP_HEX(
599 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_e),
600 : libspdm_get_managed_buffer_size(&spdm_session_info->session_transcript.message_e));
601 : status = libspdm_append_managed_buffer(
602 : il1il2,
603 : libspdm_get_managed_buffer(&spdm_session_info->session_transcript.message_e),
604 : libspdm_get_managed_buffer_size(&spdm_session_info->session_transcript.message_e));
605 : }
606 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
607 : return false;
608 : }
609 :
610 : /* Debug code only - calculate and print value of il1il2 hash*/
611 : LIBSPDM_DEBUG_CODE(
612 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
613 : uint32_t hash_size = libspdm_get_hash_size(
614 : spdm_context->connection_info.algorithm.base_hash_algo);
615 : if (!libspdm_hash_all(
616 : spdm_context->connection_info.algorithm.base_hash_algo,
617 : libspdm_get_managed_buffer(il1il2),
618 : libspdm_get_managed_buffer_size(il1il2), hash_data)) {
619 : return false;
620 : }
621 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "il1il2 hash - "));
622 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
623 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
624 : );
625 : }
626 :
627 : return true;
628 : }
629 : #else
630 : /*
631 : * This function calculates il1il2 hash.
632 : * If session_info is NULL, this function will use E cache of SPDM context,
633 : * else will use E cache of SPDM session context.
634 : *
635 : * @param spdm_context A pointer to the SPDM context.
636 : * @param session_info A pointer to the SPDM session context.
637 : * @param is_encap Indicate if this is from encapsulate request.
638 : * @param il1il2_hash_size size in bytes of the il1il2 hash
639 : * @param il1il2_hash The buffer to store the il1il2 hash
640 : *
641 : * @retval RETURN_SUCCESS il1il2 is calculated.
642 : */
643 31 : bool libspdm_calculate_il1il2_hash(libspdm_context_t *spdm_context,
644 : void *session_info, bool is_encap,
645 : size_t *il1il2_hash_size, void *il1il2_hash)
646 : {
647 : libspdm_session_info_t *spdm_session_info;
648 : bool result;
649 :
650 : uint32_t hash_size;
651 :
652 31 : spdm_session_info = session_info;
653 :
654 31 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
655 :
656 31 : if (spdm_session_info == NULL) {
657 26 : if (is_encap) {
658 12 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
659 : spdm_context->transcript.digest_context_encap_il1il2,
660 : il1il2_hash);
661 : } else {
662 14 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
663 : spdm_context->transcript.digest_context_il1il2,
664 : il1il2_hash);
665 : }
666 : } else {
667 5 : if (is_encap) {
668 2 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
669 : spdm_session_info->session_transcript.digest_context_encap_il1il2,
670 : il1il2_hash);
671 : } else {
672 3 : result = libspdm_hash_final (spdm_context->connection_info.algorithm.base_hash_algo,
673 : spdm_session_info->session_transcript.digest_context_il1il2,
674 : il1il2_hash);
675 : }
676 : }
677 31 : if (!result) {
678 0 : return false;
679 : }
680 31 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "il1il2 hash - "));
681 31 : LIBSPDM_INTERNAL_DUMP_DATA(il1il2_hash, hash_size);
682 31 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
683 :
684 31 : *il1il2_hash_size = hash_size;
685 :
686 31 : return true;
687 : }
688 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
689 :
690 : /**
691 : * This function generates the certificate chain hash.
692 : *
693 : * @param spdm_context A pointer to the SPDM context.
694 : * @param slot_id The slot index of the certificate chain.
695 : * @param signature The buffer to store the certificate chain hash.
696 : *
697 : * @retval true certificate chain hash is generated.
698 : * @retval false certificate chain hash is not generated.
699 : **/
700 36 : bool libspdm_generate_cert_chain_hash(libspdm_context_t *spdm_context,
701 : size_t slot_id, uint8_t *hash)
702 : {
703 36 : LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
704 36 : return libspdm_hash_all(
705 : spdm_context->connection_info.algorithm.base_hash_algo,
706 : spdm_context->local_context.local_cert_chain_provision[slot_id],
707 : spdm_context->local_context.local_cert_chain_provision_size[slot_id], hash);
708 : }
709 :
710 : /**
711 : * This function generates the public key hash.
712 : *
713 : * @param spdm_context A pointer to the SPDM context.
714 : * @param hash The buffer to store the public key hash.
715 : *
716 : * @retval true public key hash is generated.
717 : * @retval false public key hash is not generated.
718 : **/
719 2 : bool libspdm_generate_public_key_hash(libspdm_context_t *spdm_context,
720 : uint8_t *hash)
721 : {
722 2 : return libspdm_hash_all(
723 : spdm_context->connection_info.algorithm.base_hash_algo,
724 : spdm_context->local_context.local_public_key_provision,
725 : spdm_context->local_context.local_public_key_provision_size, hash);
726 : }
727 :
728 : /**
729 : * Get the certificate slot mask
730 : *
731 : * @param[in] context A pointer to the SPDM context.
732 : *
733 : * @retval slot_mask get slot mask
734 : **/
735 10 : uint8_t libspdm_get_cert_slot_mask(libspdm_context_t *spdm_context)
736 : {
737 : size_t index;
738 : uint8_t slot_mask;
739 :
740 10 : slot_mask = 0;
741 90 : for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
742 80 : if (spdm_context->local_context.local_cert_chain_provision[index] != NULL) {
743 11 : slot_mask |= (1 << index);
744 : }
745 : }
746 :
747 10 : return slot_mask;
748 : }
749 :
750 : /**
751 : * Get the certificate slot count
752 : *
753 : * @param[in] context A pointer to the SPDM context.
754 : *
755 : * @retval slot_count get slot count
756 : **/
757 15 : uint8_t libspdm_get_cert_slot_count(libspdm_context_t *spdm_context)
758 : {
759 : size_t index;
760 : uint8_t slot_count;
761 :
762 15 : slot_count = 0;
763 135 : for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
764 120 : if (spdm_context->local_context.local_cert_chain_provision[index] != NULL) {
765 26 : slot_count++;
766 : }
767 : }
768 :
769 15 : return slot_count;
770 : }
771 :
772 : #if LIBSPDM_CERT_PARSE_SUPPORT
773 : /**
774 : * This function verifies the integrity of peer certificate chain buffer including
775 : * spdm_cert_chain_t header.
776 : *
777 : * @param spdm_context A pointer to the SPDM context.
778 : * @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
779 : * @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
780 : *
781 : * @retval true Peer certificate chain buffer integrity verification passed.
782 : * @retval false Peer certificate chain buffer integrity verification failed.
783 : **/
784 34 : bool libspdm_verify_peer_cert_chain_buffer_integrity(libspdm_context_t *spdm_context,
785 : const void *cert_chain_buffer,
786 : size_t cert_chain_buffer_size)
787 : {
788 : bool result;
789 : uint8_t cert_model;
790 : bool is_requester;
791 :
792 34 : is_requester = spdm_context->local_context.is_requester;
793 :
794 34 : cert_model = SPDM_CERTIFICATE_INFO_CERT_MODEL_ALIAS_CERT;
795 : /* Responder does not determine Requester's certificate model */
796 34 : if (is_requester) {
797 34 : if ((spdm_context->connection_info.capability.flags &
798 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP) == 0) {
799 31 : cert_model = SPDM_CERTIFICATE_INFO_CERT_MODEL_DEVICE_CERT;
800 : }
801 : }
802 :
803 34 : if (is_requester) {
804 34 : result = libspdm_verify_certificate_chain_buffer_with_pqc(
805 : spdm_context->connection_info.algorithm.base_hash_algo,
806 : spdm_context->connection_info.algorithm.base_asym_algo,
807 : spdm_context->connection_info.algorithm.pqc_asym_algo,
808 : cert_chain_buffer, cert_chain_buffer_size,
809 : false, cert_model);
810 : } else {
811 0 : result = libspdm_verify_certificate_chain_buffer_with_pqc(
812 : spdm_context->connection_info.algorithm.base_hash_algo,
813 0 : spdm_context->connection_info.algorithm.req_base_asym_alg,
814 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
815 : cert_chain_buffer, cert_chain_buffer_size,
816 : true, cert_model);
817 : }
818 :
819 34 : return result;
820 : }
821 :
822 : /**
823 : * This function verifies peer certificate chain authority.
824 : *
825 : * @param spdm_context A pointer to the SPDM context.
826 : * @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
827 : * @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
828 : * @param trust_anchor A buffer to hold the trust_anchor which is used to validate the peer certificate, if not NULL.
829 : * @param trust_anchor_size A buffer to hold the trust_anchor_size, if not NULL.
830 : *
831 : * @retval true Peer certificate chain buffer authority verification passed.
832 : * Or there is no root_cert in local_context.
833 : * @retval false Peer certificate chain buffer authority verification failed.
834 : **/
835 29 : bool libspdm_verify_peer_cert_chain_buffer_authority(libspdm_context_t *spdm_context,
836 : const void *cert_chain_buffer,
837 : size_t cert_chain_buffer_size,
838 : const void **trust_anchor,
839 : size_t *trust_anchor_size)
840 : {
841 : const uint8_t *root_cert;
842 : size_t root_cert_size;
843 : uint8_t root_cert_index;
844 : size_t root_cert_hash_size;
845 : uint8_t root_cert_hash[LIBSPDM_MAX_HASH_SIZE];
846 : const uint8_t *received_root_cert;
847 : size_t received_root_cert_size;
848 : bool result;
849 :
850 29 : root_cert_index = 0;
851 29 : root_cert = spdm_context->local_context.peer_root_cert_provision[root_cert_index];
852 29 : root_cert_size = spdm_context->local_context.peer_root_cert_provision_size[root_cert_index];
853 :
854 29 : root_cert_hash_size = libspdm_get_hash_size(
855 : spdm_context->connection_info.algorithm.base_hash_algo);
856 :
857 29 : if ((root_cert != NULL) && (root_cert_size != 0)) {
858 60 : while ((root_cert != NULL) && (root_cert_size != 0)) {
859 60 : result = libspdm_hash_all(
860 : spdm_context->connection_info.algorithm.base_hash_algo,
861 : root_cert, root_cert_size, root_cert_hash);
862 60 : if (!result) {
863 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
864 : "!!! verify_peer_cert_chain_buffer - FAIL (hash calculation) !!!\n"));
865 0 : return false;
866 : }
867 :
868 60 : if (libspdm_consttime_is_mem_equal((const uint8_t *)cert_chain_buffer +
869 : sizeof(spdm_cert_chain_t),
870 : root_cert_hash, root_cert_hash_size)) {
871 21 : break;
872 : }
873 :
874 : #if (LIBSPDM_MAX_ROOT_CERT_SUPPORT) > 1
875 39 : if ((root_cert_index < ((LIBSPDM_MAX_ROOT_CERT_SUPPORT) -1)) &&
876 38 : (spdm_context->local_context.peer_root_cert_provision[root_cert_index + 1] !=
877 : NULL)) {
878 34 : root_cert_index++;
879 34 : root_cert = spdm_context->local_context.peer_root_cert_provision[root_cert_index];
880 34 : root_cert_size =
881 34 : spdm_context->local_context.peer_root_cert_provision_size[root_cert_index];
882 : } else
883 : #endif /* LIBSPDM_MAX_ROOT_CERT_SUPPORT */
884 : {
885 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
886 : "!!! verify_peer_cert_chain_buffer - "
887 : "FAIL (all root cert hash mismatch) !!!\n"));
888 5 : return false;
889 : }
890 : }
891 :
892 21 : result = libspdm_x509_get_cert_from_cert_chain(
893 21 : (const uint8_t *)cert_chain_buffer + sizeof(spdm_cert_chain_t) + root_cert_hash_size,
894 21 : cert_chain_buffer_size - sizeof(spdm_cert_chain_t) - root_cert_hash_size,
895 : 0, &received_root_cert, &received_root_cert_size);
896 21 : if (!result) {
897 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
898 : "!!! verify_peer_cert_chain_buffer - FAIL (cert retrieval fail) !!!\n"));
899 0 : return false;
900 : }
901 21 : if (libspdm_is_root_certificate(received_root_cert, received_root_cert_size)) {
902 20 : if ((root_cert != NULL) &&
903 20 : !libspdm_consttime_is_mem_equal(received_root_cert, root_cert, root_cert_size)) {
904 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
905 : "!!! verify_peer_cert_chain_buffer - "
906 : "FAIL (root cert mismatch) !!!\n"));
907 0 : return false;
908 : }
909 : } else {
910 1 : if (!libspdm_x509_verify_cert(received_root_cert, received_root_cert_size,
911 : root_cert, root_cert_size)) {
912 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
913 : "!!! verify_peer_cert_chain_buffer - "
914 : "FAIL (received root cert verify failed)!!!\n"));
915 0 : return false;
916 : }
917 : }
918 21 : if (trust_anchor != NULL) {
919 5 : *trust_anchor = root_cert;
920 : }
921 21 : if (trust_anchor_size != NULL) {
922 5 : *trust_anchor_size = root_cert_size;
923 : }
924 : }
925 : /*
926 : * When there is no root_cert in local_context, the return is true too.
927 : * No root_cert means the caller wants to verify the trust anchor of the cert chain.
928 : */
929 24 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_peer_cert_chain_buffer - PASS !!!\n"));
930 :
931 24 : return true;
932 : }
933 : #endif
934 :
935 : /**
936 : * This function generates the challenge signature based upon m1m2 for authentication.
937 : *
938 : * @param spdm_context A pointer to the SPDM context.
939 : * @param is_requester Indicate of the signature generation for a requester or a responder.
940 : * @param signature The buffer to store the challenge signature.
941 : *
942 : * @retval true challenge signature is generated.
943 : * @retval false challenge signature is not generated.
944 : **/
945 12 : bool libspdm_generate_challenge_auth_signature(libspdm_context_t *spdm_context,
946 : bool is_requester,
947 : uint8_t *signature)
948 : {
949 : bool result;
950 : size_t signature_size;
951 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
952 : libspdm_m1m2_managed_buffer_t m1m2;
953 : uint8_t *m1m2_buffer;
954 : size_t m1m2_buffer_size;
955 : #else
956 : uint8_t m1m2_hash[LIBSPDM_MAX_HASH_SIZE];
957 : size_t m1m2_hash_size;
958 : #endif
959 :
960 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
961 : result = libspdm_calculate_m1m2(spdm_context, is_requester, &m1m2);
962 : m1m2_buffer = libspdm_get_managed_buffer(&m1m2);
963 : m1m2_buffer_size = libspdm_get_managed_buffer_size(&m1m2);
964 : #else
965 12 : m1m2_hash_size = sizeof(m1m2_hash);
966 12 : result = libspdm_calculate_m1m2_hash(spdm_context, is_requester, &m1m2_hash_size, &m1m2_hash);
967 : #endif
968 12 : if (is_requester) {
969 3 : libspdm_reset_message_mut_b(spdm_context);
970 3 : libspdm_reset_message_mut_c(spdm_context);
971 : } else {
972 9 : libspdm_reset_message_b(spdm_context);
973 9 : libspdm_reset_message_c(spdm_context);
974 : }
975 12 : if (!result) {
976 0 : return false;
977 : }
978 :
979 12 : if (is_requester) {
980 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
981 3 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
982 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
983 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
984 : } else {
985 3 : signature_size = libspdm_get_req_asym_signature_size(
986 3 : spdm_context->connection_info.algorithm.req_base_asym_alg);
987 : }
988 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
989 : result = libspdm_requester_data_sign(
990 : spdm_context,
991 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
992 : spdm_context->connection_info.algorithm.req_base_asym_alg,
993 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
994 : spdm_context->connection_info.algorithm.base_hash_algo,
995 : false, m1m2_buffer, m1m2_buffer_size, signature, &signature_size);
996 : #else
997 3 : result = libspdm_requester_data_sign(
998 : spdm_context,
999 3 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1000 3 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1001 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1002 : spdm_context->connection_info.algorithm.base_hash_algo,
1003 : true, m1m2_hash, m1m2_hash_size, signature, &signature_size);
1004 : #endif
1005 : #else /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
1006 : result = false;
1007 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
1008 : } else {
1009 9 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1010 0 : signature_size = libspdm_get_pqc_asym_signature_size(
1011 : spdm_context->connection_info.algorithm.pqc_asym_algo);
1012 : } else {
1013 9 : signature_size = libspdm_get_asym_signature_size(
1014 : spdm_context->connection_info.algorithm.base_asym_algo);
1015 : }
1016 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1017 : result = libspdm_responder_data_sign(
1018 : spdm_context,
1019 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1020 : spdm_context->connection_info.algorithm.base_asym_algo,
1021 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1022 : spdm_context->connection_info.algorithm.base_hash_algo,
1023 : false, m1m2_buffer, m1m2_buffer_size, signature,
1024 : &signature_size);
1025 : #else
1026 9 : result = libspdm_responder_data_sign(
1027 : spdm_context,
1028 9 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1029 : spdm_context->connection_info.algorithm.base_asym_algo,
1030 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1031 : spdm_context->connection_info.algorithm.base_hash_algo,
1032 : true, m1m2_hash, m1m2_hash_size, signature,
1033 : &signature_size);
1034 : #endif
1035 : }
1036 :
1037 12 : return result;
1038 : }
1039 :
1040 : /**
1041 : * This function verifies the certificate chain hash.
1042 : *
1043 : * @param spdm_context A pointer to the SPDM context.
1044 : * @param certificate_chain_hash The certificate chain hash data buffer.
1045 : * @param certificate_chain_hash_size size in bytes of the certificate chain hash data buffer.
1046 : *
1047 : * @retval true hash verification pass.
1048 : * @retval false hash verification fail.
1049 : **/
1050 19 : bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
1051 : const void *certificate_chain_hash,
1052 : size_t certificate_chain_hash_size)
1053 : {
1054 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1055 : size_t hash_size;
1056 : uint8_t cert_chain_buffer_hash[LIBSPDM_MAX_HASH_SIZE];
1057 : const uint8_t *cert_chain_buffer;
1058 : size_t cert_chain_buffer_size;
1059 : bool result;
1060 : #else
1061 : uint8_t slot_id;
1062 : #endif
1063 :
1064 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1065 : result = libspdm_get_peer_cert_chain_buffer(spdm_context,
1066 : (const void **)&cert_chain_buffer,
1067 : &cert_chain_buffer_size);
1068 : if (!result) {
1069 : return false;
1070 : }
1071 :
1072 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
1073 :
1074 : result = libspdm_hash_all(spdm_context->connection_info.algorithm.base_hash_algo,
1075 : cert_chain_buffer, cert_chain_buffer_size,
1076 : cert_chain_buffer_hash);
1077 : if (!result) {
1078 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
1079 : "!!! verify_certificate_chain_hash - FAIL (hash calculation) !!!\n"));
1080 : return false;
1081 : }
1082 :
1083 : if (hash_size != certificate_chain_hash_size) {
1084 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_certificate_chain_hash - FAIL !!!\n"));
1085 : return false;
1086 : }
1087 : if (!libspdm_consttime_is_mem_equal(certificate_chain_hash, cert_chain_buffer_hash,
1088 : certificate_chain_hash_size)) {
1089 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_certificate_chain_hash - FAIL !!!\n"));
1090 : return false;
1091 : }
1092 : #else
1093 19 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
1094 19 : LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
1095 :
1096 19 : LIBSPDM_ASSERT(
1097 : spdm_context->connection_info.peer_used_cert_chain[slot_id].buffer_hash_size != 0);
1098 :
1099 19 : if (spdm_context->connection_info.peer_used_cert_chain[slot_id].buffer_hash_size !=
1100 : certificate_chain_hash_size) {
1101 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_certificate_chain_hash - FAIL !!!\n"));
1102 0 : return false;
1103 : }
1104 :
1105 19 : if (!libspdm_consttime_is_mem_equal(certificate_chain_hash,
1106 19 : spdm_context->connection_info.peer_used_cert_chain[slot_id].
1107 : buffer_hash, certificate_chain_hash_size)) {
1108 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_certificate_chain_hash - FAIL !!!\n"));
1109 0 : return false;
1110 : }
1111 : #endif
1112 19 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_certificate_chain_hash - PASS !!!\n"));
1113 19 : return true;
1114 : }
1115 :
1116 : /**
1117 : * This function verifies the public key hash.
1118 : *
1119 : * @param spdm_context A pointer to the SPDM context.
1120 : * @param public_key_hash The public key hash data buffer.
1121 : * @param public_key_hash_size size in bytes of the public key hash data buffer.
1122 : *
1123 : * @retval true hash verification pass.
1124 : * @retval false hash verification fail.
1125 : **/
1126 2 : bool libspdm_verify_public_key_hash(libspdm_context_t *spdm_context,
1127 : const void *public_key_hash,
1128 : size_t public_key_hash_size)
1129 : {
1130 : size_t hash_size;
1131 : uint8_t public_key_buffer_hash[LIBSPDM_MAX_HASH_SIZE];
1132 : bool result;
1133 :
1134 2 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
1135 :
1136 2 : result = libspdm_hash_all(spdm_context->connection_info.algorithm.base_hash_algo,
1137 : spdm_context->local_context.peer_public_key_provision,
1138 : spdm_context->local_context.peer_public_key_provision_size,
1139 : public_key_buffer_hash);
1140 2 : if (!result) {
1141 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
1142 : "!!! verify_public_key_hash - FAIL (hash calculation) !!!\n"));
1143 0 : return false;
1144 : }
1145 :
1146 2 : if (hash_size != public_key_hash_size) {
1147 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_public_key_hash - FAIL !!!\n"));
1148 0 : return false;
1149 : }
1150 2 : if (!libspdm_consttime_is_mem_equal(public_key_hash, public_key_buffer_hash,
1151 : public_key_hash_size)) {
1152 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_public_key_hash - FAIL !!!\n"));
1153 0 : return false;
1154 : }
1155 :
1156 2 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_public_key_hash - PASS !!!\n"));
1157 2 : return true;
1158 : }
1159 :
1160 : /**
1161 : * This function verifies the challenge signature based upon m1m2.
1162 : *
1163 : * @param spdm_context A pointer to the SPDM context.
1164 : * @param is_requester Indicate of the signature verification for a requester or a responder.
1165 : * @param sign_data The signature data buffer.
1166 : * @param sign_data_size size in bytes of the signature data buffer.
1167 : *
1168 : * @retval true signature verification pass.
1169 : * @retval false signature verification fail.
1170 : **/
1171 19 : bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
1172 : bool is_requester,
1173 : const void *sign_data,
1174 : size_t sign_data_size)
1175 : {
1176 : bool result;
1177 : void *context;
1178 : uint8_t slot_id;
1179 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1180 : libspdm_m1m2_managed_buffer_t m1m2;
1181 : uint8_t *m1m2_buffer;
1182 : size_t m1m2_buffer_size;
1183 : const uint8_t *cert_buffer;
1184 : size_t cert_buffer_size;
1185 : const uint8_t *cert_chain_data;
1186 : size_t cert_chain_data_size;
1187 : #else
1188 : uint8_t m1m2_hash[LIBSPDM_MAX_HASH_SIZE];
1189 : size_t m1m2_hash_size;
1190 : #endif
1191 :
1192 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1193 : result = libspdm_calculate_m1m2(spdm_context, !is_requester, &m1m2);
1194 : m1m2_buffer = libspdm_get_managed_buffer(&m1m2);
1195 : m1m2_buffer_size = libspdm_get_managed_buffer_size(&m1m2);
1196 : #else
1197 19 : m1m2_hash_size = sizeof(m1m2_hash);
1198 19 : result = libspdm_calculate_m1m2_hash(spdm_context, !is_requester, &m1m2_hash_size, &m1m2_hash);
1199 : #endif
1200 19 : if (is_requester) {
1201 16 : libspdm_reset_message_b(spdm_context);
1202 16 : libspdm_reset_message_c(spdm_context);
1203 : } else {
1204 3 : libspdm_reset_message_mut_b(spdm_context);
1205 3 : libspdm_reset_message_mut_c(spdm_context);
1206 : }
1207 19 : if (!result) {
1208 0 : return false;
1209 : }
1210 :
1211 19 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
1212 19 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
1213 :
1214 19 : if (slot_id == 0xFF) {
1215 2 : if (is_requester) {
1216 1 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1217 0 : result = libspdm_pqc_asym_get_public_key_from_der(
1218 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1219 0 : spdm_context->local_context.peer_public_key_provision,
1220 : spdm_context->local_context.peer_public_key_provision_size,
1221 : &context);
1222 : } else {
1223 1 : result = libspdm_asym_get_public_key_from_der(
1224 : spdm_context->connection_info.algorithm.base_asym_algo,
1225 1 : spdm_context->local_context.peer_public_key_provision,
1226 : spdm_context->local_context.peer_public_key_provision_size,
1227 : &context);
1228 : }
1229 : } else {
1230 1 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1231 0 : result = libspdm_req_pqc_asym_get_public_key_from_der(
1232 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1233 0 : spdm_context->local_context.peer_public_key_provision,
1234 : spdm_context->local_context.peer_public_key_provision_size,
1235 : &context);
1236 : } else {
1237 1 : result = libspdm_req_asym_get_public_key_from_der(
1238 1 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1239 1 : spdm_context->local_context.peer_public_key_provision,
1240 : spdm_context->local_context.peer_public_key_provision_size,
1241 : &context);
1242 : }
1243 : }
1244 2 : if (!result) {
1245 0 : return false;
1246 : }
1247 : } else {
1248 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1249 : result = libspdm_get_peer_cert_chain_data(
1250 : spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
1251 : if (!result) {
1252 : return false;
1253 : }
1254 :
1255 : /* Get leaf cert from cert chain*/
1256 : result = libspdm_x509_get_cert_from_cert_chain(
1257 : cert_chain_data, cert_chain_data_size, -1, &cert_buffer, &cert_buffer_size);
1258 : if (!result) {
1259 : return false;
1260 : }
1261 :
1262 : if (is_requester) {
1263 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1264 : result = libspdm_pqc_asym_get_public_key_from_x509(
1265 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1266 : cert_buffer, cert_buffer_size, &context);
1267 : } else {
1268 : result = libspdm_asym_get_public_key_from_x509(
1269 : spdm_context->connection_info.algorithm.base_asym_algo,
1270 : cert_buffer, cert_buffer_size, &context);
1271 : }
1272 : } else {
1273 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1274 : result = libspdm_req_pqc_asym_get_public_key_from_x509(
1275 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1276 : cert_buffer, cert_buffer_size, &context);
1277 : } else {
1278 : result = libspdm_req_asym_get_public_key_from_x509(
1279 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1280 : cert_buffer, cert_buffer_size, &context);
1281 : }
1282 : }
1283 : if (!result) {
1284 : return false;
1285 : }
1286 : #else
1287 17 : context = spdm_context->connection_info.peer_used_cert_chain[slot_id].leaf_cert_public_key;
1288 17 : LIBSPDM_ASSERT(context != NULL);
1289 : #endif
1290 : }
1291 :
1292 19 : if (is_requester) {
1293 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1294 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1295 : result = libspdm_pqc_asym_verify(
1296 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1297 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1298 : spdm_context->connection_info.algorithm.base_hash_algo,
1299 : context, m1m2_buffer, m1m2_buffer_size, sign_data, sign_data_size);
1300 : libspdm_pqc_asym_free(
1301 : spdm_context->connection_info.algorithm.pqc_asym_algo, context);
1302 : } else {
1303 : result = libspdm_asym_verify_ex(
1304 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1305 : spdm_context->connection_info.algorithm.base_asym_algo,
1306 : spdm_context->connection_info.algorithm.base_hash_algo,
1307 : context, m1m2_buffer, m1m2_buffer_size, sign_data, sign_data_size,
1308 : &spdm_context->spdm_10_11_verify_signature_endian);
1309 : libspdm_asym_free(
1310 : spdm_context->connection_info.algorithm.base_asym_algo, context);
1311 : }
1312 : #else
1313 16 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1314 0 : result = libspdm_pqc_asym_verify_hash(
1315 0 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1316 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1317 : spdm_context->connection_info.algorithm.base_hash_algo,
1318 : context, m1m2_hash, m1m2_hash_size, sign_data, sign_data_size);
1319 0 : if (slot_id == 0xFF) {
1320 0 : libspdm_pqc_asym_free(
1321 : spdm_context->connection_info.algorithm.pqc_asym_algo, context);
1322 : }
1323 : } else {
1324 16 : result = libspdm_asym_verify_hash_ex(
1325 16 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1326 : spdm_context->connection_info.algorithm.base_asym_algo,
1327 : spdm_context->connection_info.algorithm.base_hash_algo,
1328 : context, m1m2_hash, m1m2_hash_size, sign_data, sign_data_size,
1329 : &spdm_context->spdm_10_11_verify_signature_endian);
1330 16 : if (slot_id == 0xFF) {
1331 1 : libspdm_asym_free(
1332 : spdm_context->connection_info.algorithm.base_asym_algo, context);
1333 : }
1334 : }
1335 : #endif
1336 : } else {
1337 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1338 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1339 : result = libspdm_req_pqc_asym_verify(
1340 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1341 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1342 : spdm_context->connection_info.algorithm.base_hash_algo,
1343 : context, m1m2_buffer, m1m2_buffer_size, sign_data, sign_data_size);
1344 : libspdm_req_pqc_asym_free(
1345 : spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
1346 : } else {
1347 : result = libspdm_req_asym_verify_ex(
1348 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1349 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1350 : spdm_context->connection_info.algorithm.base_hash_algo,
1351 : context, m1m2_buffer, m1m2_buffer_size, sign_data, sign_data_size,
1352 : &spdm_context->spdm_10_11_verify_signature_endian);
1353 : libspdm_req_asym_free(
1354 : spdm_context->connection_info.algorithm.req_base_asym_alg, context);
1355 : }
1356 : #else
1357 3 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1358 0 : result = libspdm_req_pqc_asym_verify_hash(
1359 0 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1360 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1361 : spdm_context->connection_info.algorithm.base_hash_algo,
1362 : context, m1m2_hash, m1m2_hash_size, sign_data, sign_data_size);
1363 0 : if (slot_id == 0xFF) {
1364 0 : libspdm_req_pqc_asym_free(
1365 : spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
1366 : }
1367 : } else {
1368 3 : result = libspdm_req_asym_verify_hash_ex(
1369 3 : spdm_context->connection_info.version, SPDM_CHALLENGE_AUTH,
1370 3 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1371 : spdm_context->connection_info.algorithm.base_hash_algo,
1372 : context, m1m2_hash, m1m2_hash_size, sign_data, sign_data_size,
1373 : &spdm_context->spdm_10_11_verify_signature_endian);
1374 3 : if (slot_id == 0xFF) {
1375 1 : libspdm_req_asym_free(
1376 1 : spdm_context->connection_info.algorithm.req_base_asym_alg, context);
1377 : }
1378 : }
1379 : #endif
1380 : }
1381 19 : if (!result) {
1382 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR,
1383 : "!!! verify_challenge_signature - FAIL !!!\n"));
1384 1 : return false;
1385 : }
1386 :
1387 18 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_challenge_signature - PASS !!!\n"));
1388 :
1389 18 : return true;
1390 : }
1391 :
1392 : /**
1393 : * This function calculate the measurement summary hash size.
1394 : *
1395 : * @param spdm_context A pointer to the SPDM context.
1396 : * @param is_requester Is the function called from a requester.
1397 : * @param measurement_summary_hash_type The type of the measurement summary hash.
1398 : *
1399 : * @return 0 measurement summary hash type is invalid, NO_MEAS hash type or no MEAS capabilities.
1400 : * @return measurement summary hash size according to type.
1401 : **/
1402 : uint32_t
1403 106 : libspdm_get_measurement_summary_hash_size(libspdm_context_t *spdm_context,
1404 : bool is_requester,
1405 : uint8_t measurement_summary_hash_type)
1406 : {
1407 106 : if (!libspdm_is_capabilities_flag_supported(
1408 : spdm_context, is_requester, 0,
1409 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP)) {
1410 55 : return 0;
1411 : }
1412 :
1413 51 : switch (measurement_summary_hash_type) {
1414 25 : case SPDM_REQUEST_NO_MEASUREMENT_SUMMARY_HASH:
1415 25 : return 0;
1416 : break;
1417 :
1418 24 : case SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH:
1419 : case SPDM_REQUEST_ALL_MEASUREMENTS_HASH:
1420 24 : return libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
1421 : break;
1422 2 : default:
1423 2 : return 0;
1424 : break;
1425 : }
1426 : }
1427 :
1428 : #if LIBSPDM_ENABLE_CAPABILITY_ENDPOINT_INFO_CAP
1429 : /**
1430 : * This function generates the endpoint info signature based upon il1il2 for authentication.
1431 : *
1432 : * @param spdm_context A pointer to the SPDM context.
1433 : * @param session_info A pointer to the SPDM session context.
1434 : * @param is_requester Indicate of the signature generation for a requester or a responder.
1435 : * @param signature The buffer to store the endpoint info signature.
1436 : *
1437 : * @retval true challenge signature is generated.
1438 : * @retval false challenge signature is not generated.
1439 : **/
1440 9 : bool libspdm_generate_endpoint_info_signature(libspdm_context_t *spdm_context,
1441 : libspdm_session_info_t *session_info,
1442 : bool is_requester,
1443 : uint8_t *signature)
1444 : {
1445 : bool result;
1446 : size_t signature_size;
1447 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1448 : libspdm_il1il2_managed_buffer_t il1il2;
1449 : uint8_t *il1il2_buffer;
1450 : size_t il1il2_buffer_size;
1451 : #else
1452 : uint8_t il1il2_hash[LIBSPDM_MAX_HASH_SIZE];
1453 : size_t il1il2_hash_size;
1454 : #endif
1455 :
1456 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1457 : result = libspdm_calculate_il1il2(spdm_context, session_info, is_requester, &il1il2);
1458 : il1il2_buffer = libspdm_get_managed_buffer(&il1il2);
1459 : il1il2_buffer_size = libspdm_get_managed_buffer_size(&il1il2);
1460 : #else
1461 9 : il1il2_hash_size = sizeof(il1il2_hash);
1462 9 : result = libspdm_calculate_il1il2_hash(spdm_context, session_info, is_requester,
1463 : &il1il2_hash_size, &il1il2_hash);
1464 : #endif
1465 9 : if (is_requester) {
1466 5 : libspdm_reset_message_encap_e(spdm_context, session_info);
1467 : } else {
1468 4 : libspdm_reset_message_e(spdm_context, session_info);
1469 : }
1470 9 : if (!result) {
1471 0 : return false;
1472 : }
1473 :
1474 9 : if (is_requester) {
1475 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1476 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
1477 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
1478 : } else {
1479 5 : signature_size = libspdm_get_req_asym_signature_size(
1480 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
1481 : }
1482 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1483 : result = libspdm_requester_data_sign(
1484 : spdm_context,
1485 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1486 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1487 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1488 : spdm_context->connection_info.algorithm.base_hash_algo,
1489 : false, il1il2_buffer, il1il2_buffer_size, signature, &signature_size);
1490 : #else
1491 5 : result = libspdm_requester_data_sign(
1492 : spdm_context,
1493 5 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1494 5 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1495 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1496 : spdm_context->connection_info.algorithm.base_hash_algo,
1497 : true, il1il2_hash, il1il2_hash_size, signature, &signature_size);
1498 : #endif
1499 : } else {
1500 4 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1501 0 : signature_size = libspdm_get_pqc_asym_signature_size(
1502 : spdm_context->connection_info.algorithm.pqc_asym_algo);
1503 : } else {
1504 4 : signature_size = libspdm_get_asym_signature_size(
1505 : spdm_context->connection_info.algorithm.base_asym_algo);
1506 : }
1507 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1508 : result = libspdm_responder_data_sign(
1509 : spdm_context,
1510 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1511 : spdm_context->connection_info.algorithm.base_asym_algo,
1512 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1513 : spdm_context->connection_info.algorithm.base_hash_algo,
1514 : false, il1il2_buffer, il1il2_buffer_size, signature,
1515 : &signature_size);
1516 : #else
1517 4 : result = libspdm_responder_data_sign(
1518 : spdm_context,
1519 4 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1520 : spdm_context->connection_info.algorithm.base_asym_algo,
1521 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1522 : spdm_context->connection_info.algorithm.base_hash_algo,
1523 : true, il1il2_hash, il1il2_hash_size, signature,
1524 : &signature_size);
1525 : #endif
1526 : }
1527 :
1528 9 : return result;
1529 : }
1530 : #endif /* LIBSPDM_ENABLE_CAPABILITY_ENDPOINT_INFO_CAP */
1531 :
1532 : /**
1533 : * This function verifies the endpoint info signature based upon il1il2.
1534 : *
1535 : * @param spdm_context A pointer to the SPDM context.
1536 : * @param session_info A pointer to the SPDM session context.
1537 : * @param is_requester Indicate of the signature verification for a requester or a responder.
1538 : * @param sign_data The signature data buffer.
1539 : * @param sign_data_size size in bytes of the signature data buffer.
1540 : *
1541 : * @retval true signature verification pass.
1542 : * @retval false signature verification fail.
1543 : **/
1544 22 : bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
1545 : libspdm_session_info_t *session_info,
1546 : bool is_requester,
1547 : const void *sign_data,
1548 : size_t sign_data_size)
1549 : {
1550 : bool result;
1551 : void *context;
1552 : uint8_t slot_id;
1553 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1554 : libspdm_il1il2_managed_buffer_t il1il2;
1555 : uint8_t *il1il2_buffer;
1556 : size_t il1il2_buffer_size;
1557 : const uint8_t *cert_chain_data;
1558 : size_t cert_chain_data_size;
1559 : const uint8_t *cert_buffer;
1560 : size_t cert_buffer_size;
1561 : #else
1562 : uint8_t il1il2_hash[LIBSPDM_MAX_HASH_SIZE];
1563 : size_t il1il2_hash_size;
1564 : #endif
1565 :
1566 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1567 : result = libspdm_calculate_il1il2(spdm_context, session_info,!is_requester, &il1il2);
1568 : il1il2_buffer = libspdm_get_managed_buffer(&il1il2);
1569 : il1il2_buffer_size = libspdm_get_managed_buffer_size(&il1il2);
1570 : #else
1571 22 : il1il2_hash_size = sizeof(il1il2_hash);
1572 22 : result = libspdm_calculate_il1il2_hash(spdm_context, session_info, !is_requester,
1573 22 : &il1il2_hash_size, il1il2_hash);
1574 : #endif
1575 22 : if (is_requester) {
1576 13 : libspdm_reset_message_e(spdm_context, session_info);
1577 : } else {
1578 9 : libspdm_reset_message_encap_e(spdm_context, session_info);
1579 : }
1580 22 : if (!result) {
1581 0 : return false;
1582 : }
1583 :
1584 22 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
1585 22 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xF));
1586 :
1587 22 : if (slot_id == 0xF) {
1588 5 : if (is_requester) {
1589 2 : if (spdm_context->connection_info.algorithm.base_asym_algo != 0) {
1590 2 : result = libspdm_asym_get_public_key_from_der(
1591 : spdm_context->connection_info.algorithm.base_asym_algo,
1592 2 : spdm_context->local_context.peer_public_key_provision,
1593 : spdm_context->local_context.peer_public_key_provision_size,
1594 : &context);
1595 : }
1596 2 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1597 0 : result = libspdm_pqc_asym_get_public_key_from_der(
1598 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1599 0 : spdm_context->local_context.peer_public_key_provision,
1600 : spdm_context->local_context.peer_public_key_provision_size,
1601 : &context);
1602 : }
1603 : } else {
1604 3 : if (spdm_context->connection_info.algorithm.req_base_asym_alg != 0) {
1605 3 : result = libspdm_req_asym_get_public_key_from_der(
1606 3 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1607 3 : spdm_context->local_context.peer_public_key_provision,
1608 : spdm_context->local_context.peer_public_key_provision_size,
1609 : &context);
1610 : }
1611 3 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1612 0 : result = libspdm_req_pqc_asym_get_public_key_from_der(
1613 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1614 0 : spdm_context->local_context.peer_public_key_provision,
1615 : spdm_context->local_context.peer_public_key_provision_size,
1616 : &context);
1617 : }
1618 : }
1619 5 : if (!result) {
1620 0 : return false;
1621 : }
1622 : } else {
1623 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1624 : result = libspdm_get_peer_cert_chain_data(
1625 : spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
1626 : if (!result) {
1627 : return false;
1628 : }
1629 :
1630 : /* Get leaf cert from cert chain*/
1631 : result = libspdm_x509_get_cert_from_cert_chain(cert_chain_data,
1632 : cert_chain_data_size, -1,
1633 : &cert_buffer, &cert_buffer_size);
1634 : if (!result) {
1635 : return false;
1636 : }
1637 :
1638 : if (is_requester) {
1639 : result = libspdm_asym_get_public_key_from_x509(
1640 : spdm_context->connection_info.algorithm.base_asym_algo,
1641 : cert_buffer, cert_buffer_size, &context);
1642 : } else {
1643 : result = libspdm_req_asym_get_public_key_from_x509(
1644 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1645 : cert_buffer, cert_buffer_size, &context);
1646 : }
1647 : if (!result) {
1648 : return false;
1649 : }
1650 : #else
1651 17 : context = spdm_context->connection_info.peer_used_cert_chain[slot_id].leaf_cert_public_key;
1652 17 : LIBSPDM_ASSERT(context != NULL);
1653 : #endif
1654 : }
1655 :
1656 22 : if (is_requester) {
1657 13 : if (spdm_context->connection_info.algorithm.base_asym_algo != 0) {
1658 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1659 : result = libspdm_asym_verify_ex(
1660 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1661 : spdm_context->connection_info.algorithm.base_asym_algo,
1662 : spdm_context->connection_info.algorithm.base_hash_algo,
1663 : context, il1il2_buffer, il1il2_buffer_size, sign_data, sign_data_size,
1664 : &spdm_context->spdm_10_11_verify_signature_endian);
1665 : libspdm_asym_free(
1666 : spdm_context->connection_info.algorithm.base_asym_algo, context);
1667 : #else
1668 13 : result = libspdm_asym_verify_hash_ex(
1669 13 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1670 : spdm_context->connection_info.algorithm.base_asym_algo,
1671 : spdm_context->connection_info.algorithm.base_hash_algo,
1672 : context, il1il2_hash, il1il2_hash_size, sign_data, sign_data_size,
1673 : &spdm_context->spdm_10_11_verify_signature_endian);
1674 13 : if (slot_id == 0xF) {
1675 2 : libspdm_asym_free(
1676 : spdm_context->connection_info.algorithm.base_asym_algo, context);
1677 : }
1678 : #endif
1679 : }
1680 13 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
1681 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1682 : result = libspdm_pqc_asym_verify(
1683 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1684 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1685 : spdm_context->connection_info.algorithm.base_hash_algo,
1686 : context, il1il2_buffer, il1il2_buffer_size, sign_data, sign_data_size);
1687 : libspdm_pqc_asym_free(
1688 : spdm_context->connection_info.algorithm.pqc_asym_algo, context);
1689 : #else
1690 0 : result = libspdm_pqc_asym_verify_hash(
1691 0 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1692 : spdm_context->connection_info.algorithm.pqc_asym_algo,
1693 : spdm_context->connection_info.algorithm.base_hash_algo,
1694 : context, il1il2_hash, il1il2_hash_size, sign_data, sign_data_size);
1695 0 : if (slot_id == 0xFF) {
1696 0 : libspdm_pqc_asym_free(
1697 : spdm_context->connection_info.algorithm.pqc_asym_algo, context);
1698 : }
1699 : #endif
1700 : }
1701 : } else {
1702 9 : if (spdm_context->connection_info.algorithm.req_base_asym_alg != 0) {
1703 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1704 : result = libspdm_req_asym_verify_ex(
1705 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1706 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1707 : spdm_context->connection_info.algorithm.base_hash_algo,
1708 : context, il1il2_buffer, il1il2_buffer_size, sign_data, sign_data_size,
1709 : &spdm_context->spdm_10_11_verify_signature_endian);
1710 : libspdm_req_asym_free(
1711 : spdm_context->connection_info.algorithm.req_base_asym_alg, context);
1712 : #else
1713 9 : result = libspdm_req_asym_verify_hash_ex(
1714 9 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1715 9 : spdm_context->connection_info.algorithm.req_base_asym_alg,
1716 : spdm_context->connection_info.algorithm.base_hash_algo,
1717 : context, il1il2_hash, il1il2_hash_size, sign_data, sign_data_size,
1718 : &spdm_context->spdm_10_11_verify_signature_endian);
1719 9 : if (slot_id == 0xF) {
1720 3 : libspdm_req_asym_free(
1721 3 : spdm_context->connection_info.algorithm.req_base_asym_alg, context);
1722 : }
1723 : #endif
1724 : }
1725 9 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
1726 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
1727 : result = libspdm_req_pqc_asym_verify(
1728 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1729 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1730 : spdm_context->connection_info.algorithm.base_hash_algo,
1731 : context, il1il2_buffer, il1il2_buffer_size, sign_data, sign_data_size);
1732 : libspdm_req_pqc_asym_free(
1733 : spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
1734 : #else
1735 0 : result = libspdm_req_pqc_asym_verify_hash(
1736 0 : spdm_context->connection_info.version, SPDM_ENDPOINT_INFO,
1737 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
1738 : spdm_context->connection_info.algorithm.base_hash_algo,
1739 : context, il1il2_hash, il1il2_hash_size, sign_data, sign_data_size);
1740 0 : if (slot_id == 0xFF) {
1741 0 : libspdm_req_pqc_asym_free(
1742 : spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
1743 : }
1744 : #endif
1745 : }
1746 : }
1747 22 : if (!result) {
1748 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_endpoint_info_signature - FAIL !!!\n"));
1749 3 : return false;
1750 : }
1751 :
1752 19 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_endpoint_info_signature - PASS !!!\n"));
1753 19 : return true;
1754 : }
|
