Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_requester_lib.h"
8 :
9 : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
10 : (LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP)
11 :
12 7 : libspdm_return_t libspdm_get_encap_response_challenge_auth(
13 : void *spdm_context, size_t request_size, void *request,
14 : size_t *response_size, void *response)
15 : {
16 : spdm_challenge_request_t *spdm_request;
17 : spdm_challenge_auth_response_t *spdm_response;
18 : bool result;
19 : size_t signature_size;
20 : uint8_t slot_id;
21 : uint32_t hash_size;
22 : uint8_t *measurement_summary_hash;
23 : uint32_t measurement_summary_hash_size;
24 : uint8_t *ptr;
25 : libspdm_context_t *context;
26 : uint8_t auth_attribute;
27 : libspdm_return_t status;
28 : uint8_t slot_mask;
29 : uint8_t *opaque_data;
30 : size_t opaque_data_size;
31 : size_t spdm_request_size;
32 : size_t spdm_response_size;
33 :
34 7 : context = spdm_context;
35 7 : spdm_request = request;
36 :
37 7 : if (libspdm_get_connection_version(context) < SPDM_MESSAGE_VERSION_11) {
38 0 : return libspdm_generate_encap_error_response(
39 : context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
40 : SPDM_CHALLENGE, response_size, response);
41 : }
42 :
43 7 : if (spdm_request->header.spdm_version != libspdm_get_connection_version(context)) {
44 0 : return libspdm_generate_encap_error_response(
45 : context, SPDM_ERROR_CODE_VERSION_MISMATCH,
46 : 0, response_size, response);
47 : }
48 :
49 7 : if (!libspdm_is_capabilities_flag_supported(
50 : context, true,
51 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP, 0)) {
52 1 : return libspdm_generate_encap_error_response(
53 : context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
54 : SPDM_CHALLENGE, response_size, response);
55 : }
56 :
57 6 : if (request_size < sizeof(spdm_challenge_request_t)) {
58 0 : return libspdm_generate_encap_error_response(
59 : context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
60 : response_size, response);
61 : }
62 6 : spdm_request_size = sizeof(spdm_challenge_request_t);
63 6 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
64 2 : if (request_size < sizeof(spdm_challenge_request_t) + SPDM_REQ_CONTEXT_SIZE) {
65 0 : return libspdm_generate_encap_error_response(
66 : context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
67 : response_size, response);
68 : }
69 2 : spdm_request_size += SPDM_REQ_CONTEXT_SIZE;
70 : }
71 :
72 6 : if (spdm_request->header.param2 != SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH) {
73 0 : return libspdm_generate_encap_error_response(
74 : context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
75 : response_size, response);
76 : }
77 :
78 6 : slot_id = spdm_request->header.param1;
79 :
80 6 : if ((slot_id != 0xFF) &&
81 : (slot_id >= SPDM_MAX_SLOT_COUNT)) {
82 2 : return libspdm_generate_encap_error_response(
83 : context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
84 : response_size, response);
85 : }
86 :
87 4 : if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
88 2 : context->connection_info.multi_key_conn_req &&
89 : (slot_id != 0xFF)) {
90 1 : if ((context->local_context.local_key_usage_bit_mask[slot_id] &
91 : SPDM_KEY_USAGE_BIT_MASK_CHALLENGE_USE) == 0) {
92 1 : return libspdm_generate_encap_error_response(
93 : context, SPDM_ERROR_CODE_INVALID_REQUEST, 0,
94 : response_size, response);
95 : }
96 : }
97 :
98 3 : libspdm_reset_message_buffer_via_request_code(context, NULL,
99 3 : spdm_request->header.request_response_code);
100 :
101 3 : if (context->connection_info.algorithm.req_pqc_asym_alg != 0) {
102 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
103 : context->connection_info.algorithm.req_pqc_asym_alg);
104 : } else {
105 3 : signature_size = libspdm_get_req_asym_signature_size(
106 3 : context->connection_info.algorithm.req_base_asym_alg);
107 : }
108 3 : hash_size = libspdm_get_hash_size(
109 : context->connection_info.algorithm.base_hash_algo);
110 3 : measurement_summary_hash_size = 0;
111 :
112 : /* response_size should be large enough to hold a challenge response without opaque data. */
113 3 : LIBSPDM_ASSERT(*response_size >= sizeof(spdm_challenge_auth_response_t) + hash_size +
114 : SPDM_NONCE_SIZE + measurement_summary_hash_size + sizeof(uint16_t) +
115 : SPDM_REQ_CONTEXT_SIZE + signature_size);
116 :
117 3 : libspdm_zero_mem(response, *response_size);
118 3 : spdm_response = response;
119 :
120 3 : spdm_response->header.spdm_version = spdm_request->header.spdm_version;
121 3 : spdm_response->header.request_response_code = SPDM_CHALLENGE_AUTH;
122 3 : auth_attribute = (uint8_t)(slot_id & 0xF);
123 3 : spdm_response->header.param1 = auth_attribute;
124 :
125 3 : if (slot_id == 0xFF) {
126 1 : spdm_response->header.param2 = 0;
127 : } else {
128 2 : slot_mask = libspdm_get_cert_slot_mask(context);
129 2 : if (slot_mask != 0) {
130 2 : spdm_response->header.param2 = slot_mask;
131 : } else {
132 0 : return libspdm_generate_encap_error_response(
133 : context, SPDM_ERROR_CODE_UNSPECIFIED,
134 : 0, response_size, response);
135 : }
136 : }
137 :
138 3 : ptr = (void *)(spdm_response + 1);
139 3 : if (slot_id == 0xFF) {
140 1 : result = libspdm_generate_public_key_hash(context, ptr);
141 : } else {
142 2 : result = libspdm_generate_cert_chain_hash(context, slot_id, ptr);
143 : }
144 3 : if (!result) {
145 0 : return libspdm_generate_encap_error_response(
146 : context, SPDM_ERROR_CODE_UNSPECIFIED, 0,
147 : response_size, response);
148 : }
149 3 : ptr += hash_size;
150 :
151 3 : if (!libspdm_get_random_number(SPDM_NONCE_SIZE, ptr)) {
152 0 : return LIBSPDM_STATUS_LOW_ENTROPY;
153 : }
154 3 : ptr += SPDM_NONCE_SIZE;
155 :
156 3 : measurement_summary_hash = ptr;
157 3 : ptr += measurement_summary_hash_size;
158 :
159 3 : opaque_data_size = *response_size - (sizeof(spdm_challenge_auth_response_t) + hash_size +
160 3 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
161 3 : sizeof(uint16_t) + signature_size);
162 3 : opaque_data =
163 3 : (uint8_t*)response + sizeof(spdm_challenge_auth_response_t) + hash_size + SPDM_NONCE_SIZE +
164 3 : measurement_summary_hash_size + sizeof(uint16_t);
165 :
166 3 : result = libspdm_encap_challenge_opaque_data(
167 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
168 : spdm_context,
169 : #endif
170 3 : context->connection_info.version,
171 : slot_id,
172 : measurement_summary_hash, measurement_summary_hash_size,
173 : opaque_data, &opaque_data_size);
174 3 : if (!result) {
175 0 : return libspdm_generate_encap_error_response(
176 : context, SPDM_ERROR_CODE_UNSPECIFIED,
177 : 0, response_size, response);
178 : }
179 :
180 : /*write opaque_data_size*/
181 3 : libspdm_write_uint16 (ptr, (uint16_t)opaque_data_size);
182 3 : ptr += sizeof(uint16_t);
183 :
184 : /*the opaque_data is stored by libspdm_encap_challenge_opaque_data*/
185 3 : ptr += opaque_data_size;
186 :
187 3 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
188 1 : libspdm_copy_mem(ptr, SPDM_REQ_CONTEXT_SIZE,
189 1 : spdm_request + 1, SPDM_REQ_CONTEXT_SIZE);
190 1 : ptr += SPDM_REQ_CONTEXT_SIZE;
191 : }
192 :
193 : /*get actual response size*/
194 3 : spdm_response_size =
195 : sizeof(spdm_challenge_auth_response_t) + hash_size +
196 3 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
197 3 : sizeof(uint16_t) + opaque_data_size + signature_size;
198 3 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
199 1 : spdm_response_size += SPDM_REQ_CONTEXT_SIZE;
200 : }
201 :
202 3 : LIBSPDM_ASSERT(*response_size >= spdm_response_size);
203 :
204 3 : *response_size = spdm_response_size;
205 :
206 : /* Calc Sign*/
207 :
208 3 : status = libspdm_append_message_mut_c(context, spdm_request,
209 : spdm_request_size);
210 3 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
211 0 : return libspdm_generate_encap_error_response(
212 : context, SPDM_ERROR_CODE_UNSPECIFIED, 0,
213 : response_size, response);
214 : }
215 :
216 3 : status = libspdm_append_message_mut_c(context, spdm_response,
217 3 : (size_t)ptr - (size_t)spdm_response);
218 3 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
219 0 : libspdm_reset_message_mut_c(context);
220 0 : return libspdm_generate_encap_error_response(
221 : context, SPDM_ERROR_CODE_UNSPECIFIED, 0,
222 : response_size, response);
223 : }
224 : result =
225 3 : libspdm_generate_challenge_auth_signature(context, true, ptr);
226 3 : if (!result) {
227 0 : return libspdm_generate_encap_error_response(
228 : context, SPDM_ERROR_CODE_UNSPECIFIED,
229 : 0, response_size, response);
230 : }
231 3 : ptr += signature_size;
232 :
233 3 : return LIBSPDM_STATUS_SUCCESS;
234 : }
235 :
236 : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (..) */
|