Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 :
9 : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
10 : (LIBSPDM_SEND_CHALLENGE_SUPPORT)
11 :
12 1 : libspdm_return_t libspdm_get_encap_request_challenge(libspdm_context_t *spdm_context,
13 : size_t *encap_request_size,
14 : void *encap_request)
15 : {
16 : spdm_challenge_request_t *spdm_request;
17 : size_t spdm_request_size;
18 : libspdm_return_t status;
19 :
20 1 : spdm_context->encap_context.last_encap_request_size = 0;
21 :
22 1 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
23 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
24 : }
25 :
26 1 : if (!libspdm_is_capabilities_flag_supported(
27 : spdm_context, false,
28 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP, 0)) {
29 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
30 : }
31 :
32 1 : spdm_request_size = sizeof(spdm_challenge_request_t);
33 1 : if (libspdm_get_connection_version (spdm_context) >= SPDM_MESSAGE_VERSION_13) {
34 0 : spdm_request_size = sizeof(spdm_challenge_request_t) + SPDM_REQ_CONTEXT_SIZE;
35 : }
36 :
37 1 : if (*encap_request_size < spdm_request_size) {
38 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
39 : }
40 1 : *encap_request_size = spdm_request_size;
41 :
42 1 : spdm_request = encap_request;
43 :
44 1 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
45 1 : spdm_request->header.request_response_code = SPDM_CHALLENGE;
46 1 : spdm_request->header.param1 = spdm_context->encap_context.req_slot_id;
47 1 : spdm_request->header.param2 =
48 : SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH;
49 1 : if (!libspdm_get_random_number(SPDM_NONCE_SIZE, spdm_request->nonce)) {
50 0 : return LIBSPDM_STATUS_LOW_ENTROPY;
51 : }
52 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterNonce - "));
53 1 : LIBSPDM_INTERNAL_DUMP_DATA(spdm_request->nonce, SPDM_NONCE_SIZE);
54 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
55 1 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
56 0 : libspdm_copy_mem(spdm_request + 1, SPDM_REQ_CONTEXT_SIZE,
57 0 : spdm_context->encap_context.req_context, SPDM_REQ_CONTEXT_SIZE);
58 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
59 0 : LIBSPDM_INTERNAL_DUMP_DATA((uint8_t *)(spdm_request + 1), SPDM_REQ_CONTEXT_SIZE);
60 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
61 : }
62 :
63 1 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
64 1 : spdm_request->header.request_response_code);
65 :
66 :
67 : /* Cache data*/
68 :
69 1 : status = libspdm_append_message_mut_c(spdm_context, spdm_request,
70 : spdm_request_size);
71 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
72 0 : return LIBSPDM_STATUS_BUFFER_FULL;
73 : }
74 :
75 1 : libspdm_copy_mem(&spdm_context->encap_context.last_encap_request_header,
76 : sizeof(spdm_context->encap_context.last_encap_request_header),
77 1 : &spdm_request->header, sizeof(spdm_message_header_t));
78 1 : spdm_context->encap_context.last_encap_request_size = spdm_request_size;
79 :
80 1 : return LIBSPDM_STATUS_SUCCESS;
81 : }
82 :
83 6 : libspdm_return_t libspdm_process_encap_response_challenge_auth(
84 : libspdm_context_t *spdm_context, size_t encap_response_size,
85 : const void *encap_response, bool *need_continue)
86 : {
87 : bool result;
88 : const spdm_challenge_auth_response_t *spdm_response;
89 : size_t spdm_response_size;
90 : const uint8_t *ptr;
91 : const void *cert_chain_hash;
92 : size_t hash_size;
93 : uint32_t measurement_summary_hash_size;
94 : uint16_t opaque_length;
95 : const void *signature;
96 : size_t signature_size;
97 : uint8_t auth_attribute;
98 : libspdm_return_t status;
99 :
100 6 : spdm_response = encap_response;
101 6 : spdm_response_size = encap_response_size;
102 :
103 6 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
104 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
105 : }
106 6 : if (spdm_response->header.spdm_version != libspdm_get_connection_version (spdm_context)) {
107 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
108 : }
109 6 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
110 1 : status = libspdm_handle_encap_error_response_main(
111 : spdm_context,
112 1 : spdm_response->header.param1);
113 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
114 1 : return status;
115 : }
116 5 : } else if (spdm_response->header.request_response_code != SPDM_CHALLENGE_AUTH) {
117 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
118 : }
119 4 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t)) {
120 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
121 : }
122 4 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
123 1 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t) + SPDM_REQ_CONTEXT_SIZE) {
124 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
125 : }
126 : }
127 :
128 4 : auth_attribute = spdm_response->header.param1;
129 4 : if (spdm_context->encap_context.req_slot_id == 0xFF) {
130 1 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) != 0xF) {
131 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
132 : }
133 1 : if (spdm_response->header.param2 != 0) {
134 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
135 : }
136 : } else {
137 3 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) !=
138 3 : spdm_context->encap_context.req_slot_id) {
139 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
140 : }
141 3 : if ((spdm_response->header.param2 &
142 3 : (1 << spdm_context->encap_context.req_slot_id)) == 0) {
143 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
144 : }
145 : }
146 :
147 3 : spdm_context->connection_info.peer_used_cert_chain_slot_id =
148 3 : spdm_context->encap_context.req_slot_id;
149 :
150 3 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
151 3 : if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
152 0 : signature_size = libspdm_get_req_pqc_asym_signature_size(
153 : spdm_context->connection_info.algorithm.req_pqc_asym_alg);
154 : } else {
155 3 : signature_size = libspdm_get_req_asym_signature_size(
156 3 : spdm_context->connection_info.algorithm.req_base_asym_alg);
157 : }
158 3 : measurement_summary_hash_size = 0;
159 :
160 3 : if (spdm_response_size <= sizeof(spdm_challenge_auth_response_t) +
161 3 : hash_size + SPDM_NONCE_SIZE +
162 3 : measurement_summary_hash_size +
163 : sizeof(uint16_t)) {
164 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
165 : }
166 :
167 3 : ptr = (const void *)(spdm_response + 1);
168 :
169 3 : cert_chain_hash = ptr;
170 3 : ptr += hash_size;
171 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap cert_chain_hash (0x%zx) - ", hash_size));
172 3 : LIBSPDM_INTERNAL_DUMP_DATA(cert_chain_hash, hash_size);
173 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
174 3 : if (spdm_context->connection_info.peer_used_cert_chain_slot_id == 0xFF) {
175 1 : result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
176 : } else {
177 2 : result = libspdm_verify_certificate_chain_hash(spdm_context, cert_chain_hash, hash_size);
178 : }
179 3 : if (!result) {
180 0 : return LIBSPDM_STATUS_INVALID_CERT;
181 : }
182 :
183 3 : LIBSPDM_DEBUG_CODE(
184 : const void *nonce;
185 : nonce = ptr;
186 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap nonce (0x%x) - ", SPDM_NONCE_SIZE));
187 : LIBSPDM_INTERNAL_DUMP_DATA(nonce, SPDM_NONCE_SIZE);
188 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
189 : );
190 3 : ptr += SPDM_NONCE_SIZE;
191 :
192 3 : LIBSPDM_DEBUG_CODE(
193 : const void *measurement_summary_hash;
194 : measurement_summary_hash = ptr;
195 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap measurement_summary_hash (0x%x) - ",
196 : measurement_summary_hash_size));
197 : LIBSPDM_INTERNAL_DUMP_DATA(measurement_summary_hash, measurement_summary_hash_size);
198 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
199 : );
200 3 : ptr += measurement_summary_hash_size;
201 :
202 3 : opaque_length = *(const uint16_t *)ptr;
203 3 : if (opaque_length > SPDM_MAX_OPAQUE_DATA_SIZE) {
204 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
205 : }
206 3 : ptr += sizeof(uint16_t);
207 :
208 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
209 1 : if (spdm_response_size <
210 : sizeof(spdm_challenge_auth_response_t) + hash_size +
211 1 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
212 1 : sizeof(uint16_t) + opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size) {
213 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
214 : }
215 1 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
216 1 : hash_size + SPDM_NONCE_SIZE +
217 1 : measurement_summary_hash_size + sizeof(uint16_t) +
218 1 : opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size;
219 : } else {
220 2 : if (spdm_response_size <
221 : sizeof(spdm_challenge_auth_response_t) + hash_size +
222 2 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
223 2 : sizeof(uint16_t) + opaque_length + signature_size) {
224 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
225 : }
226 2 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
227 2 : hash_size + SPDM_NONCE_SIZE +
228 2 : measurement_summary_hash_size + sizeof(uint16_t) +
229 2 : opaque_length + signature_size;
230 : }
231 :
232 3 : LIBSPDM_DEBUG_CODE(
233 : const void *opaque;
234 : opaque = ptr;
235 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap opaque (0x%x):\n", opaque_length));
236 : LIBSPDM_INTERNAL_DUMP_HEX(opaque, opaque_length);
237 : );
238 3 : ptr += opaque_length;
239 :
240 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
241 1 : if (!libspdm_consttime_is_mem_equal(spdm_context->encap_context.req_context, ptr,
242 : SPDM_REQ_CONTEXT_SIZE)) {
243 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
244 : }
245 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
246 1 : LIBSPDM_INTERNAL_DUMP_DATA(ptr, SPDM_REQ_CONTEXT_SIZE);
247 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
248 1 : ptr += SPDM_REQ_CONTEXT_SIZE;
249 : }
250 :
251 3 : status = libspdm_append_message_mut_c(spdm_context, spdm_response,
252 : spdm_response_size - signature_size);
253 3 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
254 0 : return LIBSPDM_STATUS_BUFFER_FULL;
255 : }
256 :
257 3 : signature = ptr;
258 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap signature (0x%zx):\n", signature_size));
259 3 : LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
260 3 : result = libspdm_verify_challenge_auth_signature(
261 : spdm_context, false, signature, signature_size);
262 3 : if (!result) {
263 0 : return LIBSPDM_STATUS_VERIF_FAIL;
264 : }
265 :
266 3 : libspdm_set_connection_state(spdm_context,
267 : LIBSPDM_CONNECTION_STATE_AUTHENTICATED);
268 :
269 3 : *need_continue = false;
270 :
271 3 : return LIBSPDM_STATUS_SUCCESS;
272 : }
273 :
274 : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (..) */
|