Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_requester_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 : #pragma pack(1)
13 : typedef struct {
14 : spdm_message_header_t header;
15 : uint16_t opaque_length;
16 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
17 : uint8_t signature[LIBSPDM_REQ_SIGNATURE_DATA_MAX_SIZE];
18 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
19 : } libspdm_finish_request_mine_t;
20 :
21 : typedef struct {
22 : spdm_message_header_t header;
23 : uint16_t opaque_length;
24 : uint8_t opaque_data[SPDM_MAX_OPAQUE_DATA_SIZE];
25 : uint8_t verify_data[LIBSPDM_MAX_HASH_SIZE];
26 : } libspdm_finish_response_mine_t;
27 : #pragma pack()
28 :
29 9 : bool libspdm_verify_finish_rsp_hmac(libspdm_context_t *spdm_context,
30 : libspdm_session_info_t *session_info,
31 : const void *hmac_data, size_t hmac_data_size)
32 : {
33 : size_t hash_size;
34 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
35 : bool result;
36 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
37 : uint8_t slot_id;
38 : uint8_t *cert_chain_buffer;
39 : size_t cert_chain_buffer_size;
40 : uint8_t *mut_cert_chain_buffer;
41 : size_t mut_cert_chain_buffer_size;
42 : uint8_t *th_curr_data;
43 : size_t th_curr_data_size;
44 : libspdm_th_managed_buffer_t th_curr;
45 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
46 : #endif
47 :
48 9 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
49 9 : LIBSPDM_ASSERT(hash_size == hmac_data_size);
50 :
51 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
52 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
53 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
54 : if (slot_id == 0xFF) {
55 : result = libspdm_get_peer_public_key_buffer(
56 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
57 : } else {
58 : result = libspdm_get_peer_cert_chain_buffer(
59 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
60 : }
61 : if (!result) {
62 : return false;
63 : }
64 :
65 : if (session_info->mut_auth_requested != 0) {
66 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
67 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
68 : if (slot_id == 0xFF) {
69 : result = libspdm_get_local_public_key_buffer(
70 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
71 : } else {
72 : result = libspdm_get_local_cert_chain_buffer(
73 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
74 : }
75 : if (!result) {
76 : return false;
77 : }
78 : } else {
79 : mut_cert_chain_buffer = NULL;
80 : mut_cert_chain_buffer_size = 0;
81 : }
82 :
83 : result = libspdm_calculate_th_for_finish(
84 : spdm_context, session_info, cert_chain_buffer,
85 : cert_chain_buffer_size, mut_cert_chain_buffer,
86 : mut_cert_chain_buffer_size, &th_curr);
87 : if (!result) {
88 : return false;
89 : }
90 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
91 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
92 :
93 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
94 : th_curr_data, th_curr_data_size, hash_data);
95 : if (!result) {
96 : return false;
97 : }
98 :
99 : result = libspdm_hmac_all_with_response_finished_key(
100 : session_info->secured_message_context, hash_data,
101 : hash_size, calc_hmac_data);
102 : if (!result) {
103 : return false;
104 : }
105 : #else
106 9 : result = libspdm_calculate_th_hmac_for_finish_rsp(
107 : spdm_context, session_info, &hash_size, calc_hmac_data);
108 9 : if (!result) {
109 0 : return false;
110 : }
111 : #endif
112 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
113 9 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
114 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
115 :
116 9 : if (!libspdm_consttime_is_mem_equal(calc_hmac_data, hmac_data, hash_size)) {
117 2 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - FAIL !!!\n"));
118 2 : return false;
119 : }
120 7 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_rsp_hmac - PASS !!!\n"));
121 :
122 7 : return true;
123 : }
124 :
125 38 : bool libspdm_generate_finish_req_hmac(libspdm_context_t *spdm_context,
126 : libspdm_session_info_t *session_info,
127 : void *hmac)
128 : {
129 : size_t hash_size;
130 : uint8_t calc_hmac_data[LIBSPDM_MAX_HASH_SIZE];
131 : bool result;
132 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
133 : uint8_t slot_id;
134 : uint8_t *cert_chain_buffer;
135 : size_t cert_chain_buffer_size;
136 : uint8_t *mut_cert_chain_buffer;
137 : size_t mut_cert_chain_buffer_size;
138 : uint8_t *th_curr_data;
139 : size_t th_curr_data_size;
140 : libspdm_th_managed_buffer_t th_curr;
141 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
142 : #endif
143 :
144 38 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
145 :
146 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
147 : slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
148 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
149 : if (slot_id == 0xFF) {
150 : result = libspdm_get_peer_public_key_buffer(
151 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
152 : } else {
153 : result = libspdm_get_peer_cert_chain_buffer(
154 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
155 : }
156 : if (!result) {
157 : return false;
158 : }
159 :
160 : if (session_info->mut_auth_requested != 0) {
161 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
162 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
163 : if (slot_id == 0xFF) {
164 : result = libspdm_get_local_public_key_buffer(
165 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
166 : } else {
167 : result = libspdm_get_local_cert_chain_buffer(
168 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
169 : }
170 : if (!result) {
171 : return false;
172 : }
173 : } else {
174 : mut_cert_chain_buffer = NULL;
175 : mut_cert_chain_buffer_size = 0;
176 : }
177 :
178 : result = libspdm_calculate_th_for_finish(
179 : spdm_context, session_info, cert_chain_buffer,
180 : cert_chain_buffer_size, mut_cert_chain_buffer,
181 : mut_cert_chain_buffer_size, &th_curr);
182 : if (!result) {
183 : return false;
184 : }
185 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
186 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
187 :
188 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
189 : th_curr_data, th_curr_data_size, hash_data);
190 : if (!result) {
191 : return false;
192 : }
193 :
194 : result = libspdm_hmac_all_with_request_finished_key(
195 : session_info->secured_message_context, hash_data,
196 : hash_size, calc_hmac_data);
197 : if (!result) {
198 : return false;
199 : }
200 : #else
201 38 : result = libspdm_calculate_th_hmac_for_finish_req(
202 : spdm_context, session_info, &hash_size, calc_hmac_data);
203 38 : if (!result) {
204 0 : return false;
205 : }
206 : #endif
207 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
208 38 : LIBSPDM_INTERNAL_DUMP_DATA(calc_hmac_data, hash_size);
209 38 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
210 :
211 38 : libspdm_copy_mem(hmac, hash_size, calc_hmac_data, hash_size);
212 :
213 38 : return true;
214 : }
215 :
216 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
217 :
218 5 : bool libspdm_generate_finish_req_signature(libspdm_context_t *spdm_context,
219 : libspdm_session_info_t *session_info,
220 : uint8_t slot_id,
221 : uint8_t *signature)
222 : {
223 : bool result;
224 : size_t signature_size;
225 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
226 : uint8_t *cert_chain_buffer;
227 : size_t cert_chain_buffer_size;
228 : uint8_t *mut_cert_chain_buffer;
229 : size_t mut_cert_chain_buffer_size;
230 : uint8_t *th_curr_data;
231 : size_t th_curr_data_size;
232 : libspdm_th_managed_buffer_t th_curr;
233 : #endif
234 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
235 : size_t hash_size;
236 : #endif
237 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
238 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
239 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
240 : #endif
241 :
242 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
243 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
244 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
245 : } else {
246 5 : signature_size = libspdm_get_req_asym_signature_size(
247 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
248 : }
249 :
250 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
251 5 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
252 : #endif
253 :
254 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
255 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
256 : if (slot_id == 0xFF) {
257 : result = libspdm_get_peer_public_key_buffer(
258 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
259 : } else {
260 : result = libspdm_get_peer_cert_chain_buffer(
261 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
262 : }
263 : if (!result) {
264 : return false;
265 : }
266 :
267 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
268 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
269 : if (slot_id == 0xFF) {
270 : result = libspdm_get_local_public_key_buffer(
271 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
272 : } else {
273 : result = libspdm_get_local_cert_chain_buffer(
274 : spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
275 : }
276 : if (!result) {
277 : return false;
278 : }
279 :
280 : result = libspdm_calculate_th_for_finish(
281 : spdm_context, session_info, cert_chain_buffer,
282 : cert_chain_buffer_size, mut_cert_chain_buffer,
283 : mut_cert_chain_buffer_size, &th_curr);
284 : if (!result) {
285 : return false;
286 : }
287 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
288 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
289 :
290 : /* Debug code only - required for debug print of th_curr below*/
291 : LIBSPDM_DEBUG_CODE(
292 : if (!libspdm_hash_all(
293 : spdm_context->connection_info.algorithm.base_hash_algo,
294 : th_curr_data, th_curr_data_size, hash_data)) {
295 : return false;
296 : }
297 : );
298 : #else
299 5 : result = libspdm_calculate_th_hash_for_finish(
300 : spdm_context, session_info, &hash_size, hash_data);
301 5 : if (!result) {
302 0 : return false;
303 : }
304 : #endif
305 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
306 5 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
307 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
308 :
309 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
310 : result = libspdm_requester_data_sign(
311 : spdm_context,
312 : spdm_context->connection_info.version,
313 : libspdm_slot_id_to_key_pair_id(spdm_context, slot_id, true),
314 : SPDM_FINISH,
315 : spdm_context->connection_info.algorithm.req_base_asym_alg,
316 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
317 : spdm_context->connection_info.algorithm.base_hash_algo,
318 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
319 : #else
320 10 : result = libspdm_requester_data_sign(
321 : spdm_context,
322 5 : spdm_context->connection_info.version,
323 5 : libspdm_slot_id_to_key_pair_id(spdm_context, slot_id, true),
324 : SPDM_FINISH,
325 5 : spdm_context->connection_info.algorithm.req_base_asym_alg,
326 : spdm_context->connection_info.algorithm.req_pqc_asym_alg,
327 : spdm_context->connection_info.algorithm.base_hash_algo,
328 : true, hash_data, hash_size, signature, &signature_size);
329 : #endif
330 5 : if (result) {
331 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
332 5 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
333 5 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
334 : }
335 :
336 5 : return result;
337 : }
338 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
339 :
340 : /**
341 : * This function sends FINISH and receives FINISH_RSP for SPDM finish.
342 : *
343 : * @param spdm_context A pointer to the SPDM context.
344 : * @param session_id session_id to the FINISH request.
345 : * @param req_slot_id_param req_slot_id_param to the FINISH request.
346 : **/
347 42 : static libspdm_return_t libspdm_try_send_receive_finish(
348 : libspdm_context_t *spdm_context,
349 : uint32_t session_id,
350 : uint8_t req_slot_id_param,
351 : const void *requester_opaque_data,
352 : size_t requester_opaque_data_size,
353 : void *responder_opaque_data,
354 : size_t *responder_opaque_data_size)
355 : {
356 : libspdm_return_t status;
357 : libspdm_finish_request_mine_t *spdm_request;
358 : size_t spdm_request_size;
359 : size_t signature_size;
360 : size_t hmac_size;
361 : libspdm_finish_response_mine_t *spdm_response;
362 : size_t spdm_response_size;
363 : libspdm_session_info_t *session_info;
364 : uint8_t *ptr;
365 : bool result;
366 : uint8_t th2_hash_data[LIBSPDM_MAX_HASH_SIZE];
367 : libspdm_session_state_t session_state;
368 : uint8_t *message;
369 : size_t message_size;
370 : size_t transport_header_size;
371 : size_t opaque_data_entry_size;
372 : size_t opaque_data_size;
373 :
374 : /* -=[Check Parameters Phase]=- */
375 42 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
376 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
377 : }
378 :
379 42 : session_info = libspdm_get_session_info_via_session_id(spdm_context, session_id);
380 42 : if (session_info == NULL) {
381 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
382 0 : goto error;
383 : }
384 :
385 : /* -=[Verify State Phase]=- */
386 42 : if (!libspdm_is_capabilities_flag_supported(
387 : spdm_context, true,
388 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
389 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
390 1 : status = LIBSPDM_STATUS_UNSUPPORTED_CAP;
391 1 : goto error;
392 : }
393 :
394 41 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
395 2 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
396 2 : goto error;
397 : }
398 :
399 39 : session_state = libspdm_secured_message_get_session_state(
400 : session_info->secured_message_context);
401 39 : if (session_state != LIBSPDM_SESSION_STATE_HANDSHAKING) {
402 1 : status = LIBSPDM_STATUS_INVALID_STATE_LOCAL;
403 1 : goto error;
404 : }
405 38 : if (session_info->mut_auth_requested != 0) {
406 5 : if ((req_slot_id_param >= SPDM_MAX_SLOT_COUNT) && (req_slot_id_param != 0xFF)) {
407 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
408 0 : goto error;
409 : }
410 : } else {
411 33 : if (req_slot_id_param != 0) {
412 0 : status = LIBSPDM_STATUS_INVALID_PARAMETER;
413 0 : goto error;
414 : }
415 : }
416 :
417 : /* -=[Construct Request Phase]=- */
418 38 : transport_header_size = spdm_context->local_context.capability.transport_header_size;
419 38 : status = libspdm_acquire_sender_buffer (spdm_context, &message_size, (void **)&message);
420 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
421 0 : goto error;
422 : }
423 38 : LIBSPDM_ASSERT (message_size >= transport_header_size +
424 : spdm_context->local_context.capability.transport_tail_size);
425 38 : spdm_request = (void *)(message + transport_header_size);
426 38 : spdm_request_size = message_size - transport_header_size -
427 38 : spdm_context->local_context.capability.transport_tail_size;
428 :
429 38 : LIBSPDM_ASSERT(spdm_request_size >= sizeof(spdm_request->header));
430 38 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
431 38 : spdm_request->header.request_response_code = SPDM_FINISH;
432 38 : spdm_request->header.param1 = 0;
433 38 : spdm_request->header.param2 = 0;
434 :
435 38 : ptr = (uint8_t *)spdm_request + sizeof(spdm_finish_request_t);
436 38 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
437 1 : if (requester_opaque_data != NULL) {
438 0 : LIBSPDM_ASSERT(requester_opaque_data_size <= SPDM_MAX_OPAQUE_DATA_SIZE);
439 0 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
440 : sizeof(uint16_t) + requester_opaque_data_size);
441 :
442 0 : libspdm_write_uint16(ptr, (uint16_t)requester_opaque_data_size);
443 0 : ptr += sizeof(uint16_t);
444 :
445 0 : libspdm_copy_mem(ptr,
446 : (spdm_request_size - (sizeof(spdm_finish_request_t) +
447 : sizeof(uint16_t))),
448 : requester_opaque_data, requester_opaque_data_size);
449 0 : opaque_data_size = requester_opaque_data_size;
450 : } else {
451 1 : opaque_data_size = 0;
452 1 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) +
453 : sizeof(uint16_t) + opaque_data_size);
454 :
455 1 : libspdm_write_uint16(ptr, (uint16_t)opaque_data_size);
456 1 : ptr += sizeof(uint16_t);
457 : }
458 1 : ptr += opaque_data_size;
459 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
460 : } else {
461 37 : opaque_data_entry_size = 0;
462 : }
463 :
464 38 : signature_size = 0;
465 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
466 38 : if (session_info->mut_auth_requested != 0) {
467 5 : spdm_request->header.param1 = SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED;
468 5 : spdm_request->header.param2 = req_slot_id_param;
469 5 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
470 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
471 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
472 : } else {
473 5 : signature_size = libspdm_get_req_asym_signature_size(
474 5 : spdm_context->connection_info.algorithm.req_base_asym_alg);
475 : }
476 : }
477 : #endif
478 :
479 38 : spdm_context->connection_info.local_used_cert_chain_slot_id = req_slot_id_param;
480 38 : if ((session_info->mut_auth_requested != 0) && (req_slot_id_param != 0xFF)) {
481 5 : LIBSPDM_ASSERT(req_slot_id_param < SPDM_MAX_SLOT_COUNT);
482 5 : spdm_context->connection_info.local_used_cert_chain_buffer =
483 5 : spdm_context->local_context.local_cert_chain_provision[req_slot_id_param];
484 5 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
485 5 : spdm_context->local_context.local_cert_chain_provision_size[req_slot_id_param];
486 : }
487 :
488 38 : hmac_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
489 38 : LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_finish_request_t) + opaque_data_entry_size +
490 : signature_size + hmac_size);
491 38 : spdm_request_size = sizeof(spdm_finish_request_t) + opaque_data_entry_size +
492 38 : signature_size + hmac_size;
493 :
494 38 : status = libspdm_append_message_f(spdm_context, session_info, true, (uint8_t *)spdm_request,
495 38 : spdm_request_size - signature_size - hmac_size);
496 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
497 0 : libspdm_release_sender_buffer (spdm_context);
498 0 : goto error;
499 : }
500 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
501 38 : if (session_info->mut_auth_requested != 0) {
502 5 : result = libspdm_generate_finish_req_signature(
503 : spdm_context, session_info, req_slot_id_param, ptr);
504 5 : if (!result) {
505 0 : libspdm_release_sender_buffer (spdm_context);
506 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
507 0 : goto error;
508 : }
509 5 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, signature_size);
510 5 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
511 0 : libspdm_release_sender_buffer (spdm_context);
512 0 : goto error;
513 : }
514 5 : ptr += signature_size;
515 : }
516 : #endif
517 :
518 38 : result = libspdm_generate_finish_req_hmac(spdm_context, session_info, ptr);
519 38 : if (!result) {
520 0 : libspdm_release_sender_buffer (spdm_context);
521 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
522 0 : goto error;
523 : }
524 :
525 38 : status = libspdm_append_message_f(spdm_context, session_info, true, ptr, hmac_size);
526 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
527 0 : libspdm_release_sender_buffer (spdm_context);
528 0 : goto error;
529 : }
530 :
531 : /* -=[Send Request Phase]=- */
532 38 : status = libspdm_send_spdm_request(spdm_context, &session_id, spdm_request_size, spdm_request);
533 38 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
534 1 : libspdm_release_sender_buffer (spdm_context);
535 1 : goto error;
536 : }
537 :
538 37 : libspdm_reset_message_buffer_via_request_code(spdm_context, session_info, SPDM_FINISH);
539 :
540 37 : libspdm_release_sender_buffer (spdm_context);
541 37 : spdm_request = (void *)spdm_context->last_spdm_request;
542 :
543 : /* -=[Receive Response Phase]=- */
544 37 : status = libspdm_acquire_receiver_buffer (spdm_context, &message_size, (void **)&message);
545 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
546 0 : goto error;
547 : }
548 37 : LIBSPDM_ASSERT (message_size >= transport_header_size);
549 37 : spdm_response = (void *)(message);
550 37 : spdm_response_size = message_size;
551 :
552 37 : status = libspdm_receive_spdm_response(
553 : spdm_context, &session_id, &spdm_response_size, (void **)&spdm_response);
554 37 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
555 0 : goto receive_done;
556 : }
557 :
558 : /* -=[Validate Response Phase]=- */
559 37 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
560 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
561 0 : goto receive_done;
562 : }
563 37 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
564 25 : if (spdm_response->header.param1 == SPDM_ERROR_CODE_DECRYPT_ERROR) {
565 2 : status = LIBSPDM_STATUS_SESSION_MSG_ERROR;
566 2 : goto receive_done;
567 : }
568 23 : if (spdm_response->header.param1 != SPDM_ERROR_CODE_RESPONSE_NOT_READY) {
569 21 : libspdm_reset_message_f (spdm_context, session_info);
570 : }
571 23 : status = libspdm_handle_error_response_main(
572 : spdm_context, &session_id,
573 : &spdm_response_size, (void **)&spdm_response,
574 : SPDM_FINISH, SPDM_FINISH_RSP);
575 23 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
576 22 : goto receive_done;
577 : }
578 12 : } else if (spdm_response->header.request_response_code != SPDM_FINISH_RSP) {
579 1 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
580 1 : goto receive_done;
581 : }
582 12 : if (spdm_response->header.spdm_version != spdm_request->header.spdm_version) {
583 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
584 0 : goto receive_done;
585 : }
586 :
587 12 : if (!libspdm_is_capabilities_flag_supported(
588 : spdm_context, true,
589 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
590 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
591 2 : hmac_size = 0;
592 : }
593 :
594 12 : ptr = (uint8_t *)spdm_response + sizeof(spdm_finish_response_t);
595 :
596 12 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
597 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) + hmac_size) {
598 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
599 0 : goto receive_done;
600 : }
601 1 : opaque_data_size = libspdm_read_uint16((const uint8_t *)ptr);
602 1 : ptr += sizeof(uint16_t);
603 1 : if (opaque_data_size > SPDM_MAX_OPAQUE_DATA_SIZE) {
604 0 : status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
605 0 : goto receive_done;
606 : }
607 1 : if (spdm_response_size < sizeof(spdm_finish_response_t) + sizeof(uint16_t) +
608 1 : opaque_data_size + hmac_size) {
609 0 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
610 0 : goto receive_done;
611 : }
612 :
613 1 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
614 0 : if (opaque_data_size >= *responder_opaque_data_size) {
615 0 : status = LIBSPDM_STATUS_BUFFER_TOO_SMALL;
616 0 : goto receive_done;
617 : }
618 0 : libspdm_copy_mem(responder_opaque_data, *responder_opaque_data_size,
619 : ptr, opaque_data_size);
620 0 : *responder_opaque_data_size = opaque_data_size;
621 : }
622 :
623 1 : ptr += opaque_data_size;
624 1 : opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
625 : } else {
626 11 : if (spdm_response_size < sizeof(spdm_finish_response_t) + hmac_size) {
627 1 : status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
628 1 : goto receive_done;
629 : }
630 10 : if ((responder_opaque_data != NULL) && (responder_opaque_data_size != NULL)) {
631 0 : *responder_opaque_data_size = 0;
632 : }
633 10 : opaque_data_entry_size = 0;
634 : }
635 11 : spdm_response_size = sizeof(spdm_finish_response_t) + opaque_data_entry_size + hmac_size;
636 :
637 11 : status = libspdm_append_message_f(spdm_context, session_info, true, spdm_response,
638 : spdm_response_size - hmac_size);
639 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
640 0 : goto receive_done;
641 : }
642 :
643 11 : if (libspdm_is_capabilities_flag_supported(
644 : spdm_context, true,
645 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
646 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
647 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "verify_data (0x%zx):\n", hmac_size));
648 9 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, hmac_size);
649 9 : result = libspdm_verify_finish_rsp_hmac(spdm_context, session_info,
650 : ptr, hmac_size);
651 9 : if (!result) {
652 2 : status = LIBSPDM_STATUS_VERIF_FAIL;
653 2 : goto receive_done;
654 : }
655 :
656 7 : status = libspdm_append_message_f(
657 : spdm_context, session_info, true,
658 : ptr, hmac_size);
659 7 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
660 0 : goto receive_done;
661 : }
662 : }
663 :
664 : /* -=[Process Response Phase]=- */
665 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_data_key[%x]\n", session_id));
666 9 : result = libspdm_calculate_th2_hash(spdm_context, session_info, true, th2_hash_data);
667 9 : if (!result) {
668 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
669 0 : goto receive_done;
670 : }
671 9 : result = libspdm_generate_session_data_key(
672 : session_info->secured_message_context, th2_hash_data);
673 9 : if (!result) {
674 0 : status = LIBSPDM_STATUS_CRYPTO_ERROR;
675 0 : goto receive_done;
676 : }
677 :
678 : /* -=[Update State Phase]=- */
679 9 : libspdm_secured_message_set_session_state(
680 : session_info->secured_message_context, LIBSPDM_SESSION_STATE_ESTABLISHED);
681 :
682 : /* -=[Log Message Phase]=- */
683 : #if LIBSPDM_ENABLE_MSG_LOG
684 9 : libspdm_append_msg_log(spdm_context, spdm_response, spdm_response_size);
685 : #endif /* LIBSPDM_ENABLE_MSG_LOG */
686 :
687 9 : libspdm_release_receiver_buffer (spdm_context);
688 :
689 9 : return LIBSPDM_STATUS_SUCCESS;
690 :
691 28 : receive_done:
692 28 : libspdm_release_receiver_buffer (spdm_context);
693 33 : error:
694 33 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
695 31 : libspdm_free_session_id(spdm_context, session_id);
696 : }
697 :
698 33 : return status;
699 : }
700 :
701 41 : libspdm_return_t libspdm_send_receive_finish(libspdm_context_t *spdm_context,
702 : uint32_t session_id,
703 : uint8_t req_slot_id_param)
704 : {
705 : size_t retry;
706 : uint64_t retry_delay_time;
707 : libspdm_return_t status;
708 :
709 41 : spdm_context->crypto_request = true;
710 41 : retry = spdm_context->retry_times;
711 41 : retry_delay_time = spdm_context->retry_delay_time;
712 : do {
713 42 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
714 : req_slot_id_param,
715 : NULL, 0, NULL, NULL);
716 42 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
717 40 : return status;
718 : }
719 :
720 2 : libspdm_sleep(retry_delay_time);
721 2 : } while (retry-- != 0);
722 :
723 1 : return status;
724 : }
725 :
726 0 : libspdm_return_t libspdm_send_receive_finish_ex(
727 : libspdm_context_t *spdm_context,
728 : uint32_t session_id,
729 : uint8_t req_slot_id_param,
730 : const void *requester_opaque_data,
731 : size_t requester_opaque_data_size,
732 : void *responder_opaque_data,
733 : size_t *responder_opaque_data_size)
734 : {
735 : size_t retry;
736 : uint64_t retry_delay_time;
737 : libspdm_return_t status;
738 :
739 0 : spdm_context->crypto_request = true;
740 0 : retry = spdm_context->retry_times;
741 0 : retry_delay_time = spdm_context->retry_delay_time;
742 : do {
743 0 : status = libspdm_try_send_receive_finish(spdm_context, session_id,
744 : req_slot_id_param,
745 : requester_opaque_data,
746 : requester_opaque_data_size,
747 : responder_opaque_data,
748 : responder_opaque_data_size);
749 0 : if (status != LIBSPDM_STATUS_BUSY_PEER) {
750 0 : return status;
751 : }
752 :
753 0 : libspdm_sleep(retry_delay_time);
754 0 : } while (retry-- != 0);
755 :
756 0 : return status;
757 : }
758 :
759 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP*/
|
