Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_requester_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 : #pragma pack(1)
13 : typedef struct {
14 : spdm_message_header_t header;
15 : uint16_t opaque_length;
16 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
17 : uint8_t signature[LIBSPDM_REQ_SIGNATURE_DATA_MAX_SIZE];
18 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
19 : } libspdm_finish_request_mine_t;
20 :
21 : typedef struct {
22 : spdm_message_header_t header;
23 : uint16_t opaque_length;
24 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
25 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
26 : } libspdm_finish_response_mine_t;
27 : #pragma pack()
28 :
29 9 : bool libspdm_verify_finish_rsp_hmac(libspdm_context_t *spdm_context,
30 : libspdm_session_info_t *session_info,
31 : const void *hmac_data, size_t hmac_data_size)
32 : {
33 : size_t hash_size;
34 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
35 : bool result;
36 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
37 : uint8_t slot_id;
38 : uint8_t *cert_chain_buffer;
39 : size_t cert_chain_buffer_size;
40 : uint8_t *mut_cert_chain_buffer;
41 : size_t mut_cert_chain_buffer_size;
42 : uint8_t *th_curr_data;
43 : size_t th_curr_data_size;
44 : libspdm_th_managed_buffer_t th_curr;
45 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
46 : #endif
47 :
48 9 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
49 9 : LIBSPDM_ASSERT(hash_size == hmac_data_size);
50 :
51 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
52 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
53 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
54 : if (slot_id == 0xFF) {
55 : result = libspdm_get_peer_public_key_buffer(
56 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
57 : } else {
58 : result = libspdm_get_peer_cert_chain_buffer(
59 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
60 : }
61 : if (!result) {
62 : return false;
63 : }
64 :
65 : if (session_info->mut_auth_requested != 0) {
66 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
67 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
68 : if (slot_id == 0xFF) {
69 : result = libspdm_get_local_public_key_buffer(
70 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
71 : } else {
72 : result = libspdm_get_local_cert_chain_buffer(
73 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
74 : }
75 : if (!result) {
76 : return false;
77 : }
78 : } else {
79 : mut_cert_chain_buffer = NULL;
80 : mut_cert_chain_buffer_size = 0;
81 : }
82 :
83 : result = libspdm_calculate_th_for_finish(
84 : spdm_context, session_info, cert_chain_buffer,
85 : cert_chain_buffer_size, mut_cert_chain_buffer,
86 : mut_cert_chain_buffer_size, &th_curr);
87 : if (!result) {
88 : return false;
89 : }
90 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
91 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
92 :
93 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
94 : th_curr_data, th_curr_data_size, hash_data);
95 : if (!result) {
96 : return false;
97 : }
98 :
99 : result = libspdm_hmac_all_with_response_finished_key(
100 : session_info->secured_message_context, hash_data,
101 : hash_size, calc_hmac_data);
102 : if (!result) {
103 : return false;
104 : }
105 : #else
106 9 : result = libspdm_calculate_th_hmac_for_finish_rsp(
107 : spdm_context, session_info, &hash_size, calc_hmac_data);
108 9 : if (!result) {
109 0 : return false;
110 : }
111 : #endif
112 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
113 9 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
114 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
115 :
116 9 : if (!libspdm_consttime_is_mem_equal(calc_hmac_data, hmac_data, hash_size)) {
117 2 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - FAIL !!!\n"));
118 2 : return false;
119 : }
120 7 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - PASS !!!\n"));
121 :
122 7 : return true;
123 : }
124 :
125 38 : bool libspdm_generate_finish_req_hmac(libspdm_context_t *spdm_context,
126 : libspdm_session_info_t *session_info,
127 : void *hmac)
128 : {
129 : size_t hash_size;
130 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
131 : bool result;
132 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
133 : uint8_t slot_id;
134 : uint8_t *cert_chain_buffer;
135 : size_t cert_chain_buffer_size;
136 : uint8_t *mut_cert_chain_buffer;
137 : size_t mut_cert_chain_buffer_size;
138 : uint8_t *th_curr_data;
139 : size_t th_curr_data_size;
140 : libspdm_th_managed_buffer_t th_curr;
141 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
142 : #endif
143 :
144 38 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
145 :
146 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
147 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
148 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
149 : if (slot_id == 0xFF) {
150 : result = libspdm_get_peer_public_key_buffer(
151 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
152 : } else {
153 : result = libspdm_get_peer_cert_chain_buffer(
154 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
155 : }
156 : if (!result) {
157 : return false;
158 : }
159 :
160 : if (session_info->mut_auth_requested != 0) {
161 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
162 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
163 : if (slot_id == 0xFF) {
164 : result = libspdm_get_local_public_key_buffer(
165 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
166 : } else {
167 : result = libspdm_get_local_cert_chain_buffer(
168 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
169 : }
170 : if (!result) {
171 : return false;
172 : }
173 : } else {
174 : mut_cert_chain_buffer = NULL;
175 : mut_cert_chain_buffer_size = 0;
176 : }
177 :
178 : result = libspdm_calculate_th_for_finish(
179 : spdm_context, session_info, cert_chain_buffer,
180 : cert_chain_buffer_size, mut_cert_chain_buffer,
181 : mut_cert_chain_buffer_size, &th_curr);
182 : if (!result) {
183 : return false;
184 : }
185 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
186 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
187 :
188 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
189 : th_curr_data, th_curr_data_size, hash_data);
190 : if (!result) {
191 : return false;
192 : }
193 :
194 : result = libspdm_hmac_all_with_request_finished_key(
195 : session_info->secured_message_context, hash_data,
196 : hash_size, calc_hmac_data);
197 : if (!result) {
198 : return false;
199 : }
200 : #else
201 38 : result = libspdm_calculate_th_hmac_for_finish_req(
202 : spdm_context, session_info, &hash_size, calc_hmac_data);
203 38 : if (!result) {
204 0 : return false;
205 : }
206 : #endif
207 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
208 38 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
209 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
210 :
211 38 : libspdm_copy_mem(hmac, hash_size, calc_hmac_data, hash_size);
212 :
213 38 : return true;
214 : }
215 :
216 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
217 :
218 5 : bool libspdm_generate_finish_req_signature(libspdm_context_t *spdm_context,
219 : libspdm_session_info_t *session_info,
220 : uint8_t *signature)
221 : {
222 : bool result;
223 : size_t signature_size;
224 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
225 : uint8_t slot_id;
226 : uint8_t *cert_chain_buffer;
227 : size_t cert_chain_buffer_size;
228 : uint8_t *mut_cert_chain_buffer;
229 : size_t mut_cert_chain_buffer_size;
230 : uint8_t *th_curr_data;
231 : size_t th_curr_data_size;
232 : libspdm_th_managed_buffer_t th_curr;
233 : #endif
234 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
235 : size_t hash_size;
236 : #endif
237 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
238 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
239 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
240 : #endif
241 :
242 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
243 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
244 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
245 : } else {
246 5 : signature_size = libspdm_get_req_asym_signature_size(
247 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
248 : }
249 :
250 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
251 5 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
252 : #endif
253 :
254 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
255 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
256 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
257 : if (slot_id == 0xFF) {
258 : result = libspdm_get_peer_public_key_buffer(
259 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
260 : } else {
261 : result = libspdm_get_peer_cert_chain_buffer(
262 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
263 : }
264 : if (!result) {
265 : return false;
266 : }
267 :
268 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
269 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
270 : if (slot_id == 0xFF) {
271 : result = libspdm_get_local_public_key_buffer(
272 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
273 : } else {
274 : result = libspdm_get_local_cert_chain_buffer(
275 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
276 : }
277 : if (!result) {
278 : return false;
279 : }
280 :
281 : result = libspdm_calculate_th_for_finish(
282 : spdm_context, session_info, cert_chain_buffer,
283 : cert_chain_buffer_size, mut_cert_chain_buffer,
284 : mut_cert_chain_buffer_size, &th_curr);
285 : if (!result) {
286 : return false;
287 : }
288 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
289 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
290 :
291 : /* Debug code only - required for debug print of th_curr below*/
292 : LIBSPDM_DEBUG_CODE(
293 : if (!libspdm_hash_all(
294 : spdm_context->connection_info.algorithm.base_hash_algo,
295 : th_curr_data, th_curr_data_size, hash_data)) {
296 : return false;
297 : }
298 : );
299 : #else
300 5 : result = libspdm_calculate_th_hash_for_finish(
301 : spdm_context, session_info, &hash_size, hash_data);
302 5 : if (!result) {
303 0 : return false;
304 : }
305 : #endif
306 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
307 5 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
308 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
309 :
310 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
311 : result = libspdm_requester_data_sign(
312 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
313 : spdm_context,
314 : #endif
315 : spdm_context->connection_info.version, SPDM_FINISH,
316 : spdm_context->connection_info.algorithm.req_base_asym_alg,
317 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
318 : spdm_context->connection_info.algorithm.base_hash_algo,
319 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
320 : #else
321 5 : result = libspdm_requester_data_sign(
322 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
323 : spdm_context,
324 : #endif
325 5 : spdm_context->connection_info.version, SPDM_FINISH,
326 5 : spdm_context->connection_info.algorithm.req_base_asym_alg,
327 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
328 : spdm_context->connection_info.algorithm.base_hash_algo,
329 : true, hash_data, hash_size, signature, &signature_size);
330 : #endif
331 5 : if (result) {
332 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
333 5 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
334 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
335 : }
336 :
337 5 : return result;
338 : }
339 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
340 :
341 : /**
342 : * This function sends FINISH and receives FINISH_RSP for SPDM finish.
343 : *
344 : * @param spdm_context A pointer to the SPDM context.
345 : * @param session_id session_id to the FINISH request.
346 : * @param req_slot_id_param req_slot_id_param to the FINISH request.
347 : *
348 : * @retval RETURN_SUCCESS The FINISH is sent and the FINISH_RSP is received.
349 : * @retval RETURN_DEVICE_ERROR A device error occurs when communicates with the device.
350 : **/
351 42 : static libspdm_return_t libspdm_try_send_receive_finish(
352 : libspdm_context_t *spdm_context,
353 : uint32_t session_id,
354 : uint8_t req_slot_id_param,
355 : const void *requester_opaque_data,
356 : size_t requester_opaque_data_size,
357 : void *responder_opaque_data,
358 : size_t *responder_opaque_data_size)
359 : {
360 : libspdm_return_t status;
361 : libspdm_finish_request_mine_t *spdm_request;
362 : size_t spdm_request_size;
363 : size_t signature_size;
364 : size_t hmac_size;
365 : libspdm_finish_response_mine_t *spdm_response;
366 : size_t spdm_response_size;
367 : libspdm_session_info_t *session_info;
368 : uint8_t *ptr;
369 : bool result;
370 : uint8_t th2_hash_data[LIBSPDM_MAX_HASH_SIZE];
371 : libspdm_session_state_t session_state;
372 : uint8_t *message;
373 : size_t message_size;
374 : size_t transport_header_size;
375 : size_t opaque_data_entry_size;
376 : size_t opaque_data_size;
377 :
378 : /* -=[Check Parameters Phase]=- */
379 42 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
380 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
381 : }
382 :
383 42 : session_info = libspdm_get_session_info_via_session_id(spdm_context, session_id);
384 42 : if (session_info == NULL) {
385 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
386 0 : goto error;
387 : }
388 :
389 : /* -=[Verify State Phase]=- */
390 42 : if (!libspdm_is_capabilities_flag_supported(
391 : spdm_context, true,
392 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
393 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
394 1 : status = LIBSPDM_STATUS_UNSUPPORTED_CAP;
395 1 : goto error;
396 : }
397 :
398 41 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
399 2 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
400 2 : goto error;
401 : }
402 :
403 39 : session_state = libspdm_secured_message_get_session_state(
404 : session_info->secured_message_context);
405 39 : if (session_state != LIBSPDM_SESSION_STATE_HANDSHAKING) {
406 1 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
407 1 : goto error;
408 : }
409 38 : if (session_info->mut_auth_requested != 0) {
410 5 : if ((req_slot_id_param >= SPDM_MAX_SLOT_COUNT) && (req_slot_id_param != 0xFF)) {
411 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
412 0 : goto error;
413 : }
414 : } else {
415 33 : if (req_slot_id_param != 0) {
416 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
417 0 : goto error;
418 : }
419 : }
420 :
421 : /* -=[Construct Request Phase]=- */
422 38 : transport_header_size = spdm_context->local_context.capability.transport_header_size;
423 38 : status = libspdm_acquire_sender_buffer (spdm_context, &message_size, (void **)&message);
424 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
425 0 : goto error;
426 : }
427 38 : LIBSPDM_ASSERT (message_size >= transport_header_size +
428 : spdm_context->local_context.capability.transport_tail_size);
429 38 : spdm_request = (void *)(message + transport_header_size);
430 38 : spdm_request_size = message_size - transport_header_size -
431 38 : spdm_context->local_context.capability.transport_tail_size;
432 :
433 38 : LIBSPDM_ASSERT(spdm_request_size >= sizeof(spdm_request->header));
434 38 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
435 38 : spdm_request->header.request_response_code = SPDM_FINISH;
436 38 : spdm_request->header.param1 = 0;
437 38 : spdm_request->header.param2 = 0;
438 :
439 38 : ptr = (uint8_t *)spdm_request + sizeof(spdm_finish_request_t);
440 38 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
441 1 : if (requester_opaque_data != NULL) {
442 0 : LIBSPDM_ASSERT(requester_opaque_data_size <= SPDM_MAX_OPAQUE_DATA_SIZE);
443 0 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
444 : sizeof(uint16_t) + requester_opaque_data_size);
445 :
446 0 : libspdm_write_uint16(ptr, (uint16_t)requester_opaque_data_size);
447 0 : ptr += sizeof(uint16_t);
448 :
449 0 : libspdm_copy_mem(ptr,
450 : (spdm_request_size - (sizeof(spdm_finish_request_t) +
451 : sizeof(uint16_t))),
452 : requester_opaque_data, requester_opaque_data_size);
453 0 : opaque_data_size = requester_opaque_data_size;
454 : } else {
455 1 : opaque_data_size = 0;
456 1 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
457 : sizeof(uint16_t) + opaque_data_size);
458 :
459 1 : libspdm_write_uint16(ptr, (uint16_t)opaque_data_size);
460 1 : ptr += sizeof(uint16_t);
461 : }
462 1 : ptr += opaque_data_size;
463 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
464 : } else {
465 37 : opaque_data_entry_size = 0;
466 : }
467 :
468 38 : signature_size = 0;
469 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
470 38 : if (session_info->mut_auth_requested != 0) {
471 5 : spdm_request->header.param1 = SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED;
472 5 : spdm_request->header.param2 = req_slot_id_param;
473 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
474 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
475 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
476 : } else {
477 5 : signature_size = libspdm_get_req_asym_signature_size(
478 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
479 : }
480 : }
481 : #endif
482 :
483 38 : spdm_context->connection_info.local_used_cert_chain_slot_id = req_slot_id_param;
484 38 : if ((session_info->mut_auth_requested != 0) && (req_slot_id_param != 0xFF)) {
485 5 : LIBSPDM_ASSERT(req_slot_id_param < SPDM_MAX_SLOT_COUNT);
486 5 : spdm_context->connection_info.local_used_cert_chain_buffer =
487 5 : spdm_context->local_context.local_cert_chain_provision[req_slot_id_param];
488 5 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
489 5 : spdm_context->local_context.local_cert_chain_provision_size[req_slot_id_param];
490 : }
491 :
492 38 : hmac_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
493 38 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) + opaque_data_entry_size +
494 : signature_size + hmac_size);
495 38 : spdm_request_size = sizeof(spdm_finish_request_t) + opaque_data_entry_size +
496 38 : signature_size + hmac_size;
497 :
498 38 : status = libspdm_append_message_f(spdm_context, session_info, true, (uint8_t *)spdm_request,
499 38 : spdm_request_size - signature_size - hmac_size);
500 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
501 0 : libspdm_release_sender_buffer (spdm_context);
502 0 : goto error;
503 : }
504 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
505 38 : if (session_info->mut_auth_requested != 0) {
506 5 : result = libspdm_generate_finish_req_signature(spdm_context, session_info, ptr);
507 5 : if (!result) {
508 0 : libspdm_release_sender_buffer (spdm_context);
509 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
510 0 : goto error;
511 : }
512 5 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, signature_size);
513 5 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
514 0 : libspdm_release_sender_buffer (spdm_context);
515 0 : goto error;
516 : }
517 5 : ptr += signature_size;
518 : }
519 : #endif
520 :
521 38 : result = libspdm_generate_finish_req_hmac(spdm_context, session_info, ptr);
522 38 : if (!result) {
523 0 : libspdm_release_sender_buffer (spdm_context);
524 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
525 0 : goto error;
526 : }
527 :
528 38 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, hmac_size);
529 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
530 0 : libspdm_release_sender_buffer (spdm_context);
531 0 : goto error;
532 : }
533 :
534 : /* -=[Send Request Phase]=- */
535 38 : status = libspdm_send_spdm_request(spdm_context, &session_id, spdm_request_size, spdm_request);
536 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
537 1 : libspdm_release_sender_buffer (spdm_context);
538 1 : goto error;
539 : }
540 :
541 37 : libspdm_reset_message_buffer_via_request_code(spdm_context, session_info, SPDM_FINISH);
542 :
543 37 : libspdm_release_sender_buffer (spdm_context);
544 37 : spdm_request = (void *)spdm_context->last_spdm_request;
545 :
546 : /* -=[Receive Response Phase]=- */
547 37 : status = libspdm_acquire_receiver_buffer (spdm_context, &message_size, (void **)&message);
548 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
549 0 : goto error;
550 : }
551 37 : LIBSPDM_ASSERT (message_size >= transport_header_size);
552 37 : spdm_response = (void *)(message);
553 37 : spdm_response_size = message_size;
554 :
555 37 : status = libspdm_receive_spdm_response(
556 : spdm_context, &session_id, &spdm_response_size, (void **)&spdm_response);
557 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
558 0 : goto receive_done;
559 : }
560 :
561 : /* -=[Validate Response Phase]=- */
562 37 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
563 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
564 0 : goto receive_done;
565 : }
566 37 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
567 25 : if (spdm_response->header.param1 == SPDM_ERROR_CODE_DECRYPT_ERROR) {
568 2 : status = LIBSPDM_STATUS_SESSION_MSG_ERROR;
569 2 : goto receive_done;
570 : }
571 23 : if (spdm_response->header.param1 != SPDM_ERROR_CODE_RESPONSE_NOT_READY) {
572 21 : libspdm_reset_message_f (spdm_context, session_info);
573 : }
574 23 : status = libspdm_handle_error_response_main(
575 : spdm_context, &session_id,
576 : &spdm_response_size, (void **)&spdm_response,
577 : SPDM_FINISH, SPDM_FINISH_RSP);
578 23 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
579 22 : goto receive_done;
580 : }
581 12 : } else if (spdm_response->header.request_response_code != SPDM_FINISH_RSP) {
582 1 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
583 1 : goto receive_done;
584 : }
585 12 : if (spdm_response->header.spdm_version != spdm_request->header.spdm_version) {
586 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
587 0 : goto receive_done;
588 : }
589 :
590 12 : if (!libspdm_is_capabilities_flag_supported(
591 : spdm_context, true,
592 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
593 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
594 2 : hmac_size = 0;
595 : }
596 :
597 12 : ptr = (uint8_t *)spdm_response + sizeof(spdm_finish_response_t);
598 :
599 12 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
600 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) + hmac_size) {
601 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
602 0 : goto receive_done;
603 : }
604 1 : opaque_data_size = libspdm_read_uint16((const uint8_t *)ptr);
605 1 : ptr += sizeof(uint16_t);
606 1 : if (opaque_data_size > SPDM_MAX_OPAQUE_DATA_SIZE) {
607 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
608 0 : goto receive_done;
609 : }
610 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) +
611 1 : opaque_data_size + hmac_size) {
612 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
613 0 : goto receive_done;
614 : }
615 :
616 1 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
617 0 : if (opaque_data_size >= *responder_opaque_data_size) {
618 0 : status = LIBSPDM_STATUS_BUFFER_TOO_SMALL;
619 0 : goto receive_done;
620 : }
621 0 : libspdm_copy_mem(responder_opaque_data, *responder_opaque_data_size,
622 : ptr, opaque_data_size);
623 0 : *responder_opaque_data_size = opaque_data_size;
624 : }
625 :
626 1 : ptr += opaque_data_size;
627 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
628 : } else {
629 11 : if (spdm_response_size < sizeof(spdm_finish_response_t) + hmac_size) {
630 1 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
631 1 : goto receive_done;
632 : }
633 10 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
634 0 : *responder_opaque_data_size = 0;
635 : }
636 10 : opaque_data_entry_size = 0;
637 : }
638 11 : spdm_response_size = sizeof(spdm_finish_response_t) + opaque_data_entry_size + hmac_size;
639 :
640 11 : status = libspdm_append_message_f(spdm_context, session_info, true, spdm_response,
641 : spdm_response_size - hmac_size);
642 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
643 0 : goto receive_done;
644 : }
645 :
646 11 : if (libspdm_is_capabilities_flag_supported(
647 : spdm_context, true,
648 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
649 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
650 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "verify_data (0x%zx):\n", hmac_size));
651 9 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, hmac_size);
652 9 : result = libspdm_verify_finish_rsp_hmac(spdm_context, session_info,
653 : ptr, hmac_size);
654 9 : if (!result) {
655 2 : status = LIBSPDM_STATUS_VERIF_FAIL;
656 2 : goto receive_done;
657 : }
658 :
659 7 : status = libspdm_append_message_f(
660 : spdm_context, session_info, true,
661 : ptr, hmac_size);
662 7 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
663 0 : goto receive_done;
664 : }
665 : }
666 :
667 : /* -=[Process Response Phase]=- */
668 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_data_key[%x]\n", session_id));
669 9 : result = libspdm_calculate_th2_hash(spdm_context, session_info, true, th2_hash_data);
670 9 : if (!result) {
671 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
672 0 : goto receive_done;
673 : }
674 9 : result = libspdm_generate_session_data_key(
675 : session_info->secured_message_context, th2_hash_data);
676 9 : if (!result) {
677 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
678 0 : goto receive_done;
679 : }
680 :
681 : /* -=[Update State Phase]=- */
682 9 : libspdm_secured_message_set_session_state(
683 : session_info->secured_message_context, LIBSPDM_SESSION_STATE_ESTABLISHED);
684 :
685 : /* -=[Log Message Phase]=- */
686 : #if LIBSPDM_ENABLE_MSG_LOG
687 9 : libspdm_append_msg_log(spdm_context, spdm_response, spdm_response_size);
688 : #endif /* LIBSPDM_ENABLE_MSG_LOG */
689 :
690 9 : libspdm_release_receiver_buffer (spdm_context);
691 :
692 9 : return LIBSPDM_STATUS_SUCCESS;
693 :
694 28 : receive_done:
695 28 : libspdm_release_receiver_buffer (spdm_context);
696 33 : error:
697 33 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
698 31 : libspdm_free_session_id(spdm_context, session_id);
699 : }
700 :
701 33 : return status;
702 : }
703 :
704 41 : libspdm_return_t libspdm_send_receive_finish(libspdm_context_t *spdm_context,
705 : uint32_t session_id,
706 : uint8_t req_slot_id_param)
707 : {
708 : size_t retry;
709 : uint64_t retry_delay_time;
710 : libspdm_return_t status;
711 :
712 41 : spdm_context->crypto_request = true;
713 41 : retry = spdm_context->retry_times;
714 41 : retry_delay_time = spdm_context->retry_delay_time;
715 : do {
716 42 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
717 : req_slot_id_param,
718 : NULL, 0, NULL, NULL);
719 42 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
720 40 : return status;
721 : }
722 :
723 2 : libspdm_sleep(retry_delay_time);
724 2 : } while (retry-- != 0);
725 :
726 1 : return status;
727 : }
728 :
729 0 : libspdm_return_t libspdm_send_receive_finish_ex(
730 : libspdm_context_t *spdm_context,
731 : uint32_t session_id,
732 : uint8_t req_slot_id_param,
733 : const void *requester_opaque_data,
734 : size_t requester_opaque_data_size,
735 : void *responder_opaque_data,
736 : size_t *responder_opaque_data_size)
737 : {
738 : size_t retry;
739 : uint64_t retry_delay_time;
740 : libspdm_return_t status;
741 :
742 0 : spdm_context->crypto_request = true;
743 0 : retry = spdm_context->retry_times;
744 0 : retry_delay_time = spdm_context->retry_delay_time;
745 : do {
746 0 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
747 : req_slot_id_param,
748 : requester_opaque_data,
749 : requester_opaque_data_size,
750 : responder_opaque_data,
751 : responder_opaque_data_size);
752 0 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
753 0 : return status;
754 : }
755 :
756 0 : libspdm_sleep(retry_delay_time);
757 0 : } while (retry-- != 0);
758 :
759 0 : return status;
760 : }
761 :
762 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP*/
|
