Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_requester_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 : #pragma pack(1)
13 : typedef struct {
14 : spdm_message_header_t header;
15 : uint16_t opaque_length;
16 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
17 : uint8_t signature[LIBSPDM_REQ_SIGNATURE_DATA_MAX_SIZE];
18 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
19 : } libspdm_finish_request_mine_t;
20 :
21 : typedef struct {
22 : spdm_message_header_t header;
23 : uint16_t opaque_length;
24 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
25 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
26 : } libspdm_finish_response_mine_t;
27 : #pragma pack()
28 :
29 9 : bool libspdm_verify_finish_rsp_hmac(libspdm_context_t *spdm_context,
30 : libspdm_session_info_t *session_info,
31 : const void *hmac_data, size_t hmac_data_size)
32 : {
33 : size_t hash_size;
34 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
35 : bool result;
36 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
37 : uint8_t slot_id;
38 : uint8_t *cert_chain_buffer;
39 : size_t cert_chain_buffer_size;
40 : uint8_t *mut_cert_chain_buffer;
41 : size_t mut_cert_chain_buffer_size;
42 : uint8_t *th_curr_data;
43 : size_t th_curr_data_size;
44 : libspdm_th_managed_buffer_t th_curr;
45 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
46 : #endif
47 :
48 9 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
49 9 : LIBSPDM_ASSERT(hash_size == hmac_data_size);
50 :
51 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
52 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
53 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
54 : if (slot_id == 0xFF) {
55 : result = libspdm_get_peer_public_key_buffer(
56 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
57 : } else {
58 : result = libspdm_get_peer_cert_chain_buffer(
59 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
60 : }
61 : if (!result) {
62 : return false;
63 : }
64 :
65 : if (session_info->mut_auth_requested != 0) {
66 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
67 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
68 : if (slot_id == 0xFF) {
69 : result = libspdm_get_local_public_key_buffer(
70 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
71 : } else {
72 : result = libspdm_get_local_cert_chain_buffer(
73 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
74 : }
75 : if (!result) {
76 : return false;
77 : }
78 : } else {
79 : mut_cert_chain_buffer = NULL;
80 : mut_cert_chain_buffer_size = 0;
81 : }
82 :
83 : result = libspdm_calculate_th_for_finish(
84 : spdm_context, session_info, cert_chain_buffer,
85 : cert_chain_buffer_size, mut_cert_chain_buffer,
86 : mut_cert_chain_buffer_size, &th_curr);
87 : if (!result) {
88 : return false;
89 : }
90 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
91 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
92 :
93 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
94 : th_curr_data, th_curr_data_size, hash_data);
95 : if (!result) {
96 : return false;
97 : }
98 :
99 : result = libspdm_hmac_all_with_response_finished_key(
100 : session_info->secured_message_context, hash_data,
101 : hash_size, calc_hmac_data);
102 : if (!result) {
103 : return false;
104 : }
105 : #else
106 9 : result = libspdm_calculate_th_hmac_for_finish_rsp(
107 : spdm_context, session_info, &hash_size, calc_hmac_data);
108 9 : if (!result) {
109 0 : return false;
110 : }
111 : #endif
112 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
113 9 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
114 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
115 :
116 9 : if (!libspdm_consttime_is_mem_equal(calc_hmac_data, hmac_data, hash_size)) {
117 2 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - FAIL !!!\n"));
118 2 : return false;
119 : }
120 7 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - PASS !!!\n"));
121 :
122 7 : return true;
123 : }
124 :
125 38 : bool libspdm_generate_finish_req_hmac(libspdm_context_t *spdm_context,
126 : libspdm_session_info_t *session_info,
127 : void *hmac)
128 : {
129 : size_t hash_size;
130 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
131 : bool result;
132 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
133 : uint8_t slot_id;
134 : uint8_t *cert_chain_buffer;
135 : size_t cert_chain_buffer_size;
136 : uint8_t *mut_cert_chain_buffer;
137 : size_t mut_cert_chain_buffer_size;
138 : uint8_t *th_curr_data;
139 : size_t th_curr_data_size;
140 : libspdm_th_managed_buffer_t th_curr;
141 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
142 : #endif
143 :
144 38 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
145 :
146 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
147 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
148 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
149 : if (slot_id == 0xFF) {
150 : result = libspdm_get_peer_public_key_buffer(
151 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
152 : } else {
153 : result = libspdm_get_peer_cert_chain_buffer(
154 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
155 : }
156 : if (!result) {
157 : return false;
158 : }
159 :
160 : if (session_info->mut_auth_requested != 0) {
161 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
162 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
163 : if (slot_id == 0xFF) {
164 : result = libspdm_get_local_public_key_buffer(
165 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
166 : } else {
167 : result = libspdm_get_local_cert_chain_buffer(
168 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
169 : }
170 : if (!result) {
171 : return false;
172 : }
173 : } else {
174 : mut_cert_chain_buffer = NULL;
175 : mut_cert_chain_buffer_size = 0;
176 : }
177 :
178 : result = libspdm_calculate_th_for_finish(
179 : spdm_context, session_info, cert_chain_buffer,
180 : cert_chain_buffer_size, mut_cert_chain_buffer,
181 : mut_cert_chain_buffer_size, &th_curr);
182 : if (!result) {
183 : return false;
184 : }
185 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
186 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
187 :
188 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
189 : th_curr_data, th_curr_data_size, hash_data);
190 : if (!result) {
191 : return false;
192 : }
193 :
194 : result = libspdm_hmac_all_with_request_finished_key(
195 : session_info->secured_message_context, hash_data,
196 : hash_size, calc_hmac_data);
197 : if (!result) {
198 : return false;
199 : }
200 : #else
201 38 : result = libspdm_calculate_th_hmac_for_finish_req(
202 : spdm_context, session_info, &hash_size, calc_hmac_data);
203 38 : if (!result) {
204 0 : return false;
205 : }
206 : #endif
207 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
208 38 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
209 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
210 :
211 38 : libspdm_copy_mem(hmac, hash_size, calc_hmac_data, hash_size);
212 :
213 38 : return true;
214 : }
215 :
216 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
217 :
218 5 : bool libspdm_generate_finish_req_signature(libspdm_context_t *spdm_context,
219 : libspdm_session_info_t *session_info,
220 : uint8_t *signature)
221 : {
222 : bool result;
223 : size_t signature_size;
224 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
225 : uint8_t slot_id;
226 : uint8_t *cert_chain_buffer;
227 : size_t cert_chain_buffer_size;
228 : uint8_t *mut_cert_chain_buffer;
229 : size_t mut_cert_chain_buffer_size;
230 : uint8_t *th_curr_data;
231 : size_t th_curr_data_size;
232 : libspdm_th_managed_buffer_t th_curr;
233 : #endif
234 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
235 : size_t hash_size;
236 : #endif
237 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
238 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
239 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
240 : #endif
241 :
242 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
243 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
244 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
245 : } else {
246 5 : signature_size = libspdm_get_req_asym_signature_size(
247 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
248 : }
249 :
250 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
251 5 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
252 : #endif
253 :
254 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
255 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
256 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
257 : if (slot_id == 0xFF) {
258 : result = libspdm_get_peer_public_key_buffer(
259 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
260 : } else {
261 : result = libspdm_get_peer_cert_chain_buffer(
262 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
263 : }
264 : if (!result) {
265 : return false;
266 : }
267 :
268 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
269 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
270 : if (slot_id == 0xFF) {
271 : result = libspdm_get_local_public_key_buffer(
272 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
273 : } else {
274 : result = libspdm_get_local_cert_chain_buffer(
275 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
276 : }
277 : if (!result) {
278 : return false;
279 : }
280 :
281 : result = libspdm_calculate_th_for_finish(
282 : spdm_context, session_info, cert_chain_buffer,
283 : cert_chain_buffer_size, mut_cert_chain_buffer,
284 : mut_cert_chain_buffer_size, &th_curr);
285 : if (!result) {
286 : return false;
287 : }
288 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
289 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
290 :
291 : /* Debug code only - required for debug print of th_curr below*/
292 : LIBSPDM_DEBUG_CODE(
293 : if (!libspdm_hash_all(
294 : spdm_context->connection_info.algorithm.base_hash_algo,
295 : th_curr_data, th_curr_data_size, hash_data)) {
296 : return false;
297 : }
298 : );
299 : #else
300 5 : result = libspdm_calculate_th_hash_for_finish(
301 : spdm_context, session_info, &hash_size, hash_data);
302 5 : if (!result) {
303 0 : return false;
304 : }
305 : #endif
306 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
307 5 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
308 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
309 :
310 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
311 : result = libspdm_requester_data_sign(
312 : spdm_context,
313 : spdm_context->connection_info.version, SPDM_FINISH,
314 : spdm_context->connection_info.algorithm.req_base_asym_alg,
315 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
316 : spdm_context->connection_info.algorithm.base_hash_algo,
317 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
318 : #else
319 5 : result = libspdm_requester_data_sign(
320 : spdm_context,
321 5 : spdm_context->connection_info.version, SPDM_FINISH,
322 5 : spdm_context->connection_info.algorithm.req_base_asym_alg,
323 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
324 : spdm_context->connection_info.algorithm.base_hash_algo,
325 : true, hash_data, hash_size, signature, &signature_size);
326 : #endif
327 5 : if (result) {
328 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
329 5 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
330 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
331 : }
332 :
333 5 : return result;
334 : }
335 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
336 :
337 : /**
338 : * This function sends FINISH and receives FINISH_RSP for SPDM finish.
339 : *
340 : * @param spdm_context A pointer to the SPDM context.
341 : * @param session_id session_id to the FINISH request.
342 : * @param req_slot_id_param req_slot_id_param to the FINISH request.
343 : *
344 : * @retval RETURN_SUCCESS The FINISH is sent and the FINISH_RSP is received.
345 : * @retval RETURN_DEVICE_ERROR A device error occurs when communicates with the device.
346 : **/
347 42 : static libspdm_return_t libspdm_try_send_receive_finish(
348 : libspdm_context_t *spdm_context,
349 : uint32_t session_id,
350 : uint8_t req_slot_id_param,
351 : const void *requester_opaque_data,
352 : size_t requester_opaque_data_size,
353 : void *responder_opaque_data,
354 : size_t *responder_opaque_data_size)
355 : {
356 : libspdm_return_t status;
357 : libspdm_finish_request_mine_t *spdm_request;
358 : size_t spdm_request_size;
359 : size_t signature_size;
360 : size_t hmac_size;
361 : libspdm_finish_response_mine_t *spdm_response;
362 : size_t spdm_response_size;
363 : libspdm_session_info_t *session_info;
364 : uint8_t *ptr;
365 : bool result;
366 : uint8_t th2_hash_data[LIBSPDM_MAX_HASH_SIZE];
367 : libspdm_session_state_t session_state;
368 : uint8_t *message;
369 : size_t message_size;
370 : size_t transport_header_size;
371 : size_t opaque_data_entry_size;
372 : size_t opaque_data_size;
373 :
374 : /* -=[Check Parameters Phase]=- */
375 42 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
376 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
377 : }
378 :
379 42 : session_info = libspdm_get_session_info_via_session_id(spdm_context, session_id);
380 42 : if (session_info == NULL) {
381 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
382 0 : goto error;
383 : }
384 :
385 : /* -=[Verify State Phase]=- */
386 42 : if (!libspdm_is_capabilities_flag_supported(
387 : spdm_context, true,
388 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
389 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
390 1 : status = LIBSPDM_STATUS_UNSUPPORTED_CAP;
391 1 : goto error;
392 : }
393 :
394 41 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
395 2 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
396 2 : goto error;
397 : }
398 :
399 39 : session_state = libspdm_secured_message_get_session_state(
400 : session_info->secured_message_context);
401 39 : if (session_state != LIBSPDM_SESSION_STATE_HANDSHAKING) {
402 1 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
403 1 : goto error;
404 : }
405 38 : if (session_info->mut_auth_requested != 0) {
406 5 : if ((req_slot_id_param >= SPDM_MAX_SLOT_COUNT) && (req_slot_id_param != 0xFF)) {
407 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
408 0 : goto error;
409 : }
410 : } else {
411 33 : if (req_slot_id_param != 0) {
412 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
413 0 : goto error;
414 : }
415 : }
416 :
417 : /* -=[Construct Request Phase]=- */
418 38 : transport_header_size = spdm_context->local_context.capability.transport_header_size;
419 38 : status = libspdm_acquire_sender_buffer (spdm_context, &message_size, (void **)&message);
420 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
421 0 : goto error;
422 : }
423 38 : LIBSPDM_ASSERT (message_size >= transport_header_size +
424 : spdm_context->local_context.capability.transport_tail_size);
425 38 : spdm_request = (void *)(message + transport_header_size);
426 38 : spdm_request_size = message_size - transport_header_size -
427 38 : spdm_context->local_context.capability.transport_tail_size;
428 :
429 38 : LIBSPDM_ASSERT(spdm_request_size >= sizeof(spdm_request->header));
430 38 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
431 38 : spdm_request->header.request_response_code = SPDM_FINISH;
432 38 : spdm_request->header.param1 = 0;
433 38 : spdm_request->header.param2 = 0;
434 :
435 38 : ptr = (uint8_t *)spdm_request + sizeof(spdm_finish_request_t);
436 38 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
437 1 : if (requester_opaque_data != NULL) {
438 0 : LIBSPDM_ASSERT(requester_opaque_data_size <= SPDM_MAX_OPAQUE_DATA_SIZE);
439 0 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
440 : sizeof(uint16_t) + requester_opaque_data_size);
441 :
442 0 : libspdm_write_uint16(ptr, (uint16_t)requester_opaque_data_size);
443 0 : ptr += sizeof(uint16_t);
444 :
445 0 : libspdm_copy_mem(ptr,
446 : (spdm_request_size - (sizeof(spdm_finish_request_t) +
447 : sizeof(uint16_t))),
448 : requester_opaque_data, requester_opaque_data_size);
449 0 : opaque_data_size = requester_opaque_data_size;
450 : } else {
451 1 : opaque_data_size = 0;
452 1 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
453 : sizeof(uint16_t) + opaque_data_size);
454 :
455 1 : libspdm_write_uint16(ptr, (uint16_t)opaque_data_size);
456 1 : ptr += sizeof(uint16_t);
457 : }
458 1 : ptr += opaque_data_size;
459 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
460 : } else {
461 37 : opaque_data_entry_size = 0;
462 : }
463 :
464 38 : signature_size = 0;
465 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
466 38 : if (session_info->mut_auth_requested != 0) {
467 5 : spdm_request->header.param1 = SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED;
468 5 : spdm_request->header.param2 = req_slot_id_param;
469 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
470 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
471 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
472 : } else {
473 5 : signature_size = libspdm_get_req_asym_signature_size(
474 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
475 : }
476 : }
477 : #endif
478 :
479 38 : spdm_context->connection_info.local_used_cert_chain_slot_id = req_slot_id_param;
480 38 : if ((session_info->mut_auth_requested != 0) && (req_slot_id_param != 0xFF)) {
481 5 : LIBSPDM_ASSERT(req_slot_id_param < SPDM_MAX_SLOT_COUNT);
482 5 : spdm_context->connection_info.local_used_cert_chain_buffer =
483 5 : spdm_context->local_context.local_cert_chain_provision[req_slot_id_param];
484 5 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
485 5 : spdm_context->local_context.local_cert_chain_provision_size[req_slot_id_param];
486 : }
487 :
488 38 : hmac_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
489 38 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) + opaque_data_entry_size +
490 : signature_size + hmac_size);
491 38 : spdm_request_size = sizeof(spdm_finish_request_t) + opaque_data_entry_size +
492 38 : signature_size + hmac_size;
493 :
494 38 : status = libspdm_append_message_f(spdm_context, session_info, true, (uint8_t *)spdm_request,
495 38 : spdm_request_size - signature_size - hmac_size);
496 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
497 0 : libspdm_release_sender_buffer (spdm_context);
498 0 : goto error;
499 : }
500 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
501 38 : if (session_info->mut_auth_requested != 0) {
502 5 : result = libspdm_generate_finish_req_signature(spdm_context, session_info, ptr);
503 5 : if (!result) {
504 0 : libspdm_release_sender_buffer (spdm_context);
505 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
506 0 : goto error;
507 : }
508 5 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, signature_size);
509 5 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
510 0 : libspdm_release_sender_buffer (spdm_context);
511 0 : goto error;
512 : }
513 5 : ptr += signature_size;
514 : }
515 : #endif
516 :
517 38 : result = libspdm_generate_finish_req_hmac(spdm_context, session_info, ptr);
518 38 : if (!result) {
519 0 : libspdm_release_sender_buffer (spdm_context);
520 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
521 0 : goto error;
522 : }
523 :
524 38 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, hmac_size);
525 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
526 0 : libspdm_release_sender_buffer (spdm_context);
527 0 : goto error;
528 : }
529 :
530 : /* -=[Send Request Phase]=- */
531 38 : status = libspdm_send_spdm_request(spdm_context, &session_id, spdm_request_size, spdm_request);
532 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
533 1 : libspdm_release_sender_buffer (spdm_context);
534 1 : goto error;
535 : }
536 :
537 37 : libspdm_reset_message_buffer_via_request_code(spdm_context, session_info, SPDM_FINISH);
538 :
539 37 : libspdm_release_sender_buffer (spdm_context);
540 37 : spdm_request = (void *)spdm_context->last_spdm_request;
541 :
542 : /* -=[Receive Response Phase]=- */
543 37 : status = libspdm_acquire_receiver_buffer (spdm_context, &message_size, (void **)&message);
544 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
545 0 : goto error;
546 : }
547 37 : LIBSPDM_ASSERT (message_size >= transport_header_size);
548 37 : spdm_response = (void *)(message);
549 37 : spdm_response_size = message_size;
550 :
551 37 : status = libspdm_receive_spdm_response(
552 : spdm_context, &session_id, &spdm_response_size, (void **)&spdm_response);
553 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
554 0 : goto receive_done;
555 : }
556 :
557 : /* -=[Validate Response Phase]=- */
558 37 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
559 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
560 0 : goto receive_done;
561 : }
562 37 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
563 25 : if (spdm_response->header.param1 == SPDM_ERROR_CODE_DECRYPT_ERROR) {
564 2 : status = LIBSPDM_STATUS_SESSION_MSG_ERROR;
565 2 : goto receive_done;
566 : }
567 23 : if (spdm_response->header.param1 != SPDM_ERROR_CODE_RESPONSE_NOT_READY) {
568 21 : libspdm_reset_message_f (spdm_context, session_info);
569 : }
570 23 : status = libspdm_handle_error_response_main(
571 : spdm_context, &session_id,
572 : &spdm_response_size, (void **)&spdm_response,
573 : SPDM_FINISH, SPDM_FINISH_RSP);
574 23 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
575 22 : goto receive_done;
576 : }
577 12 : } else if (spdm_response->header.request_response_code != SPDM_FINISH_RSP) {
578 1 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
579 1 : goto receive_done;
580 : }
581 12 : if (spdm_response->header.spdm_version != spdm_request->header.spdm_version) {
582 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
583 0 : goto receive_done;
584 : }
585 :
586 12 : if (!libspdm_is_capabilities_flag_supported(
587 : spdm_context, true,
588 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
589 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
590 2 : hmac_size = 0;
591 : }
592 :
593 12 : ptr = (uint8_t *)spdm_response + sizeof(spdm_finish_response_t);
594 :
595 12 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
596 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) + hmac_size) {
597 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
598 0 : goto receive_done;
599 : }
600 1 : opaque_data_size = libspdm_read_uint16((const uint8_t *)ptr);
601 1 : ptr += sizeof(uint16_t);
602 1 : if (opaque_data_size > SPDM_MAX_OPAQUE_DATA_SIZE) {
603 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
604 0 : goto receive_done;
605 : }
606 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) +
607 1 : opaque_data_size + hmac_size) {
608 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
609 0 : goto receive_done;
610 : }
611 :
612 1 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
613 0 : if (opaque_data_size >= *responder_opaque_data_size) {
614 0 : status = LIBSPDM_STATUS_BUFFER_TOO_SMALL;
615 0 : goto receive_done;
616 : }
617 0 : libspdm_copy_mem(responder_opaque_data, *responder_opaque_data_size,
618 : ptr, opaque_data_size);
619 0 : *responder_opaque_data_size = opaque_data_size;
620 : }
621 :
622 1 : ptr += opaque_data_size;
623 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
624 : } else {
625 11 : if (spdm_response_size < sizeof(spdm_finish_response_t) + hmac_size) {
626 1 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
627 1 : goto receive_done;
628 : }
629 10 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
630 0 : *responder_opaque_data_size = 0;
631 : }
632 10 : opaque_data_entry_size = 0;
633 : }
634 11 : spdm_response_size = sizeof(spdm_finish_response_t) + opaque_data_entry_size + hmac_size;
635 :
636 11 : status = libspdm_append_message_f(spdm_context, session_info, true, spdm_response,
637 : spdm_response_size - hmac_size);
638 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
639 0 : goto receive_done;
640 : }
641 :
642 11 : if (libspdm_is_capabilities_flag_supported(
643 : spdm_context, true,
644 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
645 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
646 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "verify_data (0x%zx):\n", hmac_size));
647 9 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, hmac_size);
648 9 : result = libspdm_verify_finish_rsp_hmac(spdm_context, session_info,
649 : ptr, hmac_size);
650 9 : if (!result) {
651 2 : status = LIBSPDM_STATUS_VERIF_FAIL;
652 2 : goto receive_done;
653 : }
654 :
655 7 : status = libspdm_append_message_f(
656 : spdm_context, session_info, true,
657 : ptr, hmac_size);
658 7 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
659 0 : goto receive_done;
660 : }
661 : }
662 :
663 : /* -=[Process Response Phase]=- */
664 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_data_key[%x]\n", session_id));
665 9 : result = libspdm_calculate_th2_hash(spdm_context, session_info, true, th2_hash_data);
666 9 : if (!result) {
667 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
668 0 : goto receive_done;
669 : }
670 9 : result = libspdm_generate_session_data_key(
671 : session_info->secured_message_context, th2_hash_data);
672 9 : if (!result) {
673 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
674 0 : goto receive_done;
675 : }
676 :
677 : /* -=[Update State Phase]=- */
678 9 : libspdm_secured_message_set_session_state(
679 : session_info->secured_message_context, LIBSPDM_SESSION_STATE_ESTABLISHED);
680 :
681 : /* -=[Log Message Phase]=- */
682 : #if LIBSPDM_ENABLE_MSG_LOG
683 9 : libspdm_append_msg_log(spdm_context, spdm_response, spdm_response_size);
684 : #endif /* LIBSPDM_ENABLE_MSG_LOG */
685 :
686 9 : libspdm_release_receiver_buffer (spdm_context);
687 :
688 9 : return LIBSPDM_STATUS_SUCCESS;
689 :
690 28 : receive_done:
691 28 : libspdm_release_receiver_buffer (spdm_context);
692 33 : error:
693 33 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
694 31 : libspdm_free_session_id(spdm_context, session_id);
695 : }
696 :
697 33 : return status;
698 : }
699 :
700 41 : libspdm_return_t libspdm_send_receive_finish(libspdm_context_t *spdm_context,
701 : uint32_t session_id,
702 : uint8_t req_slot_id_param)
703 : {
704 : size_t retry;
705 : uint64_t retry_delay_time;
706 : libspdm_return_t status;
707 :
708 41 : spdm_context->crypto_request = true;
709 41 : retry = spdm_context->retry_times;
710 41 : retry_delay_time = spdm_context->retry_delay_time;
711 : do {
712 42 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
713 : req_slot_id_param,
714 : NULL, 0, NULL, NULL);
715 42 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
716 40 : return status;
717 : }
718 :
719 2 : libspdm_sleep(retry_delay_time);
720 2 : } while (retry-- != 0);
721 :
722 1 : return status;
723 : }
724 :
725 0 : libspdm_return_t libspdm_send_receive_finish_ex(
726 : libspdm_context_t *spdm_context,
727 : uint32_t session_id,
728 : uint8_t req_slot_id_param,
729 : const void *requester_opaque_data,
730 : size_t requester_opaque_data_size,
731 : void *responder_opaque_data,
732 : size_t *responder_opaque_data_size)
733 : {
734 : size_t retry;
735 : uint64_t retry_delay_time;
736 : libspdm_return_t status;
737 :
738 0 : spdm_context->crypto_request = true;
739 0 : retry = spdm_context->retry_times;
740 0 : retry_delay_time = spdm_context->retry_delay_time;
741 : do {
742 0 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
743 : req_slot_id_param,
744 : requester_opaque_data,
745 : requester_opaque_data_size,
746 : responder_opaque_data,
747 : responder_opaque_data_size);
748 0 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
749 0 : return status;
750 : }
751 :
752 0 : libspdm_sleep(retry_delay_time);
753 0 : } while (retry-- != 0);
754 :
755 0 : return status;
756 : }
757 :
758 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP*/
|
