Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2026 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 :
9 : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
10 : (LIBSPDM_SEND_CHALLENGE_SUPPORT)
11 :
12 1 : libspdm_return_t libspdm_get_encap_request_challenge(libspdm_context_t *spdm_context,
13 : size_t *encap_request_size,
14 : void *encap_request)
15 : {
16 : spdm_challenge_request_t *spdm_request;
17 : size_t spdm_request_size;
18 : libspdm_return_t status;
19 :
20 1 : spdm_context->encap_context.last_encap_request_size = 0;
21 :
22 1 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
23 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
24 : }
25 :
26 1 : if (!libspdm_is_capabilities_flag_supported(
27 : spdm_context, false,
28 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP, 0)) {
29 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
30 : }
31 :
32 1 : spdm_request_size = sizeof(spdm_challenge_request_t);
33 1 : if (libspdm_get_connection_version (spdm_context) >= SPDM_MESSAGE_VERSION_13) {
34 0 : spdm_request_size = sizeof(spdm_challenge_request_t) + SPDM_REQ_CONTEXT_SIZE;
35 : }
36 :
37 1 : if (*encap_request_size < spdm_request_size) {
38 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
39 : }
40 1 : *encap_request_size = spdm_request_size;
41 :
42 1 : spdm_request = encap_request;
43 :
44 1 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
45 1 : spdm_request->header.request_response_code = SPDM_CHALLENGE;
46 1 : spdm_request->header.param1 = spdm_context->encap_context.req_slot_id;
47 1 : spdm_request->header.param2 = SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH;
48 1 : if (!libspdm_get_random_number(SPDM_NONCE_SIZE, spdm_request->nonce)) {
49 0 : return LIBSPDM_STATUS_LOW_ENTROPY;
50 : }
51 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterNonce - "));
52 1 : LIBSPDM_INTERNAL_DUMP_DATA(spdm_request->nonce, SPDM_NONCE_SIZE);
53 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
54 1 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
55 0 : libspdm_copy_mem(spdm_request + 1, SPDM_REQ_CONTEXT_SIZE,
56 0 : spdm_context->encap_context.req_context, SPDM_REQ_CONTEXT_SIZE);
57 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
58 0 : LIBSPDM_INTERNAL_DUMP_DATA((uint8_t *)(spdm_request + 1), SPDM_REQ_CONTEXT_SIZE);
59 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
60 : }
61 :
62 1 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
63 1 : spdm_request->header.request_response_code);
64 :
65 :
66 : /* Cache data */
67 1 : status = libspdm_append_message_mut_c(spdm_context, spdm_request, spdm_request_size);
68 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
69 0 : return LIBSPDM_STATUS_BUFFER_FULL;
70 : }
71 :
72 1 : libspdm_copy_mem(&spdm_context->encap_context.last_encap_request_header,
73 : sizeof(spdm_context->encap_context.last_encap_request_header),
74 1 : &spdm_request->header, sizeof(spdm_message_header_t));
75 1 : spdm_context->encap_context.last_encap_request_size = spdm_request_size;
76 :
77 1 : return LIBSPDM_STATUS_SUCCESS;
78 : }
79 :
80 6 : libspdm_return_t libspdm_process_encap_response_challenge_auth(
81 : libspdm_context_t *spdm_context, size_t encap_response_size,
82 : const void *encap_response, bool *need_continue)
83 : {
84 : bool result;
85 : const spdm_challenge_auth_response_t *spdm_response;
86 : size_t spdm_response_size;
87 : const uint8_t *ptr;
88 : const void *cert_chain_hash;
89 : size_t hash_size;
90 : uint32_t measurement_summary_hash_size;
91 : uint16_t opaque_length;
92 : const void *signature;
93 : size_t signature_size;
94 : uint8_t auth_attribute;
95 : libspdm_return_t status;
96 :
97 6 : spdm_response = encap_response;
98 6 : spdm_response_size = encap_response_size;
99 :
100 6 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
101 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
102 : }
103 6 : if (spdm_response->header.spdm_version != libspdm_get_connection_version (spdm_context)) {
104 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
105 : }
106 6 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
107 1 : status = libspdm_handle_encap_error_response_main(
108 1 : spdm_context, spdm_response->header.param1);
109 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
110 1 : return status;
111 : }
112 5 : } else if (spdm_response->header.request_response_code != SPDM_CHALLENGE_AUTH) {
113 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
114 : }
115 4 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t)) {
116 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
117 : }
118 4 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
119 1 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t) + SPDM_REQ_CONTEXT_SIZE) {
120 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
121 : }
122 : }
123 :
124 4 : auth_attribute = spdm_response->header.param1;
125 4 : if (spdm_context->encap_context.req_slot_id == 0xFF) {
126 1 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) != 0xF) {
127 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
128 : }
129 1 : if (spdm_response->header.param2 != 0) {
130 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
131 : }
132 : } else {
133 3 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) !=
134 3 : spdm_context->encap_context.req_slot_id) {
135 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
136 : }
137 3 : if ((spdm_response->header.param2 &
138 3 : (1 << spdm_context->encap_context.req_slot_id)) == 0) {
139 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
140 : }
141 : }
142 :
143 3 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ) != 0) {
144 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
145 : }
146 :
147 3 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
148 3 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
149 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
150 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
151 : } else {
152 3 : signature_size = libspdm_get_req_asym_signature_size(
153 3 : spdm_context->connection_info.algorithm.req_base_asym_alg);
154 : }
155 3 : measurement_summary_hash_size = 0;
156 :
157 3 : if (spdm_response_size <=
158 3 : (sizeof(spdm_challenge_auth_response_t) + hash_size + SPDM_NONCE_SIZE +
159 3 : measurement_summary_hash_size + sizeof(uint16_t))) {
160 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
161 : }
162 :
163 3 : ptr = (const void *)(spdm_response + 1);
164 :
165 3 : cert_chain_hash = ptr;
166 3 : ptr += hash_size;
167 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap cert_chain_hash (0x%zx) - ", hash_size));
168 3 : LIBSPDM_INTERNAL_DUMP_DATA(cert_chain_hash, hash_size);
169 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
170 3 : if (spdm_context->encap_context.req_slot_id == 0xFF) {
171 1 : result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
172 : } else {
173 2 : result = libspdm_verify_certificate_chain_hash(
174 2 : spdm_context, spdm_context->encap_context.req_slot_id,
175 : cert_chain_hash, hash_size);
176 : }
177 3 : if (!result) {
178 0 : return LIBSPDM_STATUS_INVALID_CERT;
179 : }
180 :
181 3 : LIBSPDM_DEBUG_CODE(
182 : const void *nonce;
183 : nonce = ptr;
184 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap nonce (0x%x) - ", SPDM_NONCE_SIZE));
185 : LIBSPDM_INTERNAL_DUMP_DATA(nonce, SPDM_NONCE_SIZE);
186 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
187 : );
188 3 : ptr += SPDM_NONCE_SIZE;
189 :
190 3 : LIBSPDM_DEBUG_CODE(
191 : const void *measurement_summary_hash;
192 : measurement_summary_hash = ptr;
193 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap measurement_summary_hash (0x%x) - ",
194 : measurement_summary_hash_size));
195 : LIBSPDM_INTERNAL_DUMP_DATA(measurement_summary_hash, measurement_summary_hash_size);
196 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
197 : );
198 3 : ptr += measurement_summary_hash_size;
199 :
200 3 : opaque_length = *(const uint16_t *)ptr;
201 3 : if (opaque_length > SPDM_MAX_OPAQUE_DATA_SIZE) {
202 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
203 : }
204 3 : ptr += sizeof(uint16_t);
205 :
206 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
207 1 : if (spdm_response_size <
208 : sizeof(spdm_challenge_auth_response_t) + hash_size +
209 1 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
210 1 : sizeof(uint16_t) + opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size) {
211 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
212 : }
213 1 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
214 1 : hash_size + SPDM_NONCE_SIZE +
215 1 : measurement_summary_hash_size + sizeof(uint16_t) +
216 1 : opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size;
217 : } else {
218 2 : if (spdm_response_size <
219 : sizeof(spdm_challenge_auth_response_t) + hash_size +
220 2 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
221 2 : sizeof(uint16_t) + opaque_length + signature_size) {
222 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
223 : }
224 2 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
225 2 : hash_size + SPDM_NONCE_SIZE +
226 2 : measurement_summary_hash_size + sizeof(uint16_t) +
227 2 : opaque_length + signature_size;
228 : }
229 :
230 3 : LIBSPDM_DEBUG_CODE(
231 : const void *opaque;
232 : opaque = ptr;
233 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap opaque (0x%x):\n", opaque_length));
234 : LIBSPDM_INTERNAL_DUMP_HEX(opaque, opaque_length);
235 : );
236 3 : ptr += opaque_length;
237 :
238 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
239 1 : if (!libspdm_consttime_is_mem_equal(spdm_context->encap_context.req_context, ptr,
240 : SPDM_REQ_CONTEXT_SIZE)) {
241 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
242 : }
243 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
244 1 : LIBSPDM_INTERNAL_DUMP_DATA(ptr, SPDM_REQ_CONTEXT_SIZE);
245 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
246 1 : ptr += SPDM_REQ_CONTEXT_SIZE;
247 : }
248 :
249 3 : status = libspdm_append_message_mut_c(spdm_context, spdm_response,
250 : spdm_response_size - signature_size);
251 3 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
252 0 : return LIBSPDM_STATUS_BUFFER_FULL;
253 : }
254 :
255 3 : signature = ptr;
256 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap signature (0x%zx):\n", signature_size));
257 3 : LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
258 3 : result = libspdm_verify_challenge_auth_signature(
259 3 : spdm_context, false, spdm_context->encap_context.req_slot_id, signature, signature_size);
260 3 : if (!result) {
261 0 : return LIBSPDM_STATUS_VERIF_FAIL;
262 : }
263 :
264 3 : libspdm_set_connection_state(spdm_context, LIBSPDM_CONNECTION_STATE_AUTHENTICATED);
265 :
266 3 : *need_continue = false;
267 :
268 3 : return LIBSPDM_STATUS_SUCCESS;
269 : }
270 :
271 : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (..) */
|
