LCOV - code coverage report
Current view: top level - library/spdm_responder_lib - libspdm_rsp_encap_challenge.c (source / functions) Coverage Total Hit
Test: coverage.info Lines: 80.3 % 137 110
Test Date: 2025-08-24 08:11:14 Functions: 100.0 % 2 2

            Line data    Source code
       1              : /**
       2              :  *  Copyright Notice:
       3              :  *  Copyright 2021-2025 DMTF. All rights reserved.
       4              :  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
       5              :  **/
       6              : 
       7              : #include "internal/libspdm_responder_lib.h"
       8              : 
       9              : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
      10              :     (LIBSPDM_SEND_CHALLENGE_SUPPORT)
      11              : 
      12            1 : libspdm_return_t libspdm_get_encap_request_challenge(libspdm_context_t *spdm_context,
      13              :                                                      size_t *encap_request_size,
      14              :                                                      void *encap_request)
      15              : {
      16              :     spdm_challenge_request_t *spdm_request;
      17              :     size_t spdm_request_size;
      18              :     libspdm_return_t status;
      19              : 
      20            1 :     spdm_context->encap_context.last_encap_request_size = 0;
      21              : 
      22            1 :     if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
      23            0 :         return LIBSPDM_STATUS_UNSUPPORTED_CAP;
      24              :     }
      25              : 
      26            1 :     if (!libspdm_is_capabilities_flag_supported(
      27              :             spdm_context, false,
      28              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP, 0)) {
      29            0 :         return LIBSPDM_STATUS_UNSUPPORTED_CAP;
      30              :     }
      31              : 
      32            1 :     spdm_request_size = sizeof(spdm_challenge_request_t);
      33            1 :     if (libspdm_get_connection_version (spdm_context) >= SPDM_MESSAGE_VERSION_13) {
      34            0 :         spdm_request_size = sizeof(spdm_challenge_request_t) + SPDM_REQ_CONTEXT_SIZE;
      35              :     }
      36              : 
      37            1 :     if (*encap_request_size < spdm_request_size) {
      38            0 :         return LIBSPDM_STATUS_INVALID_MSG_SIZE;
      39              :     }
      40            1 :     *encap_request_size = spdm_request_size;
      41              : 
      42            1 :     spdm_request = encap_request;
      43              : 
      44            1 :     spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
      45            1 :     spdm_request->header.request_response_code = SPDM_CHALLENGE;
      46            1 :     spdm_request->header.param1 = spdm_context->encap_context.req_slot_id;
      47            1 :     spdm_request->header.param2 =
      48              :         SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH;
      49            1 :     if (!libspdm_get_random_number(SPDM_NONCE_SIZE, spdm_request->nonce)) {
      50            0 :         return LIBSPDM_STATUS_LOW_ENTROPY;
      51              :     }
      52            1 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterNonce - "));
      53            1 :     LIBSPDM_INTERNAL_DUMP_DATA(spdm_request->nonce, SPDM_NONCE_SIZE);
      54            1 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
      55            1 :     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
      56            0 :         libspdm_copy_mem(spdm_request + 1, SPDM_REQ_CONTEXT_SIZE,
      57            0 :                          spdm_context->encap_context.req_context, SPDM_REQ_CONTEXT_SIZE);
      58            0 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
      59            0 :         LIBSPDM_INTERNAL_DUMP_DATA((uint8_t *)(spdm_request + 1), SPDM_REQ_CONTEXT_SIZE);
      60            0 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
      61              :     }
      62              : 
      63            1 :     libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
      64            1 :                                                   spdm_request->header.request_response_code);
      65              : 
      66              : 
      67              :     /* Cache data*/
      68              : 
      69            1 :     status = libspdm_append_message_mut_c(spdm_context, spdm_request,
      70              :                                           spdm_request_size);
      71            1 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
      72            0 :         return LIBSPDM_STATUS_BUFFER_FULL;
      73              :     }
      74              : 
      75            1 :     libspdm_copy_mem(&spdm_context->encap_context.last_encap_request_header,
      76              :                      sizeof(spdm_context->encap_context.last_encap_request_header),
      77            1 :                      &spdm_request->header, sizeof(spdm_message_header_t));
      78            1 :     spdm_context->encap_context.last_encap_request_size = spdm_request_size;
      79              : 
      80            1 :     return LIBSPDM_STATUS_SUCCESS;
      81              : }
      82              : 
      83            6 : libspdm_return_t libspdm_process_encap_response_challenge_auth(
      84              :     libspdm_context_t *spdm_context, size_t encap_response_size,
      85              :     const void *encap_response, bool *need_continue)
      86              : {
      87              :     bool result;
      88              :     const spdm_challenge_auth_response_t *spdm_response;
      89              :     size_t spdm_response_size;
      90              :     const uint8_t *ptr;
      91              :     const void *cert_chain_hash;
      92              :     size_t hash_size;
      93              :     uint32_t measurement_summary_hash_size;
      94              :     uint16_t opaque_length;
      95              :     const void *signature;
      96              :     size_t signature_size;
      97              :     uint8_t auth_attribute;
      98              :     libspdm_return_t status;
      99              : 
     100            6 :     spdm_response = encap_response;
     101            6 :     spdm_response_size = encap_response_size;
     102              : 
     103            6 :     if (spdm_response_size < sizeof(spdm_message_header_t)) {
     104            0 :         return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     105              :     }
     106            6 :     if (spdm_response->header.spdm_version != libspdm_get_connection_version (spdm_context)) {
     107            0 :         return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     108              :     }
     109            6 :     if (spdm_response->header.request_response_code == SPDM_ERROR) {
     110            1 :         status = libspdm_handle_encap_error_response_main(
     111              :             spdm_context,
     112            1 :             spdm_response->header.param1);
     113            1 :         if (LIBSPDM_STATUS_IS_ERROR(status)) {
     114            1 :             return status;
     115              :         }
     116            5 :     } else if (spdm_response->header.request_response_code != SPDM_CHALLENGE_AUTH) {
     117            1 :         return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     118              :     }
     119            4 :     if (spdm_response_size < sizeof(spdm_challenge_auth_response_t)) {
     120            0 :         return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     121              :     }
     122            4 :     if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
     123            1 :         if (spdm_response_size < sizeof(spdm_challenge_auth_response_t) + SPDM_REQ_CONTEXT_SIZE) {
     124            0 :             return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     125              :         }
     126              :     }
     127              : 
     128            4 :     auth_attribute = spdm_response->header.param1;
     129            4 :     if (spdm_context->encap_context.req_slot_id == 0xFF) {
     130            1 :         if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) != 0xF) {
     131            0 :             return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     132              :         }
     133            1 :         if (spdm_response->header.param2 != 0) {
     134            0 :             return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     135              :         }
     136              :     } else {
     137            3 :         if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) !=
     138            3 :             spdm_context->encap_context.req_slot_id) {
     139            0 :             return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     140              :         }
     141            3 :         if ((spdm_response->header.param2 &
     142            3 :              (1 << spdm_context->encap_context.req_slot_id)) == 0) {
     143            1 :             return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     144              :         }
     145              :     }
     146              : 
     147            3 :     spdm_context->connection_info.peer_used_cert_chain_slot_id =
     148            3 :         spdm_context->encap_context.req_slot_id;
     149              : 
     150            3 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
     151            3 :     if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     152            0 :         signature_size = libspdm_get_req_pqc_asym_signature_size(
     153              :             spdm_context->connection_info.algorithm.req_pqc_asym_alg);
     154              :     } else {
     155            3 :         signature_size = libspdm_get_req_asym_signature_size(
     156            3 :             spdm_context->connection_info.algorithm.req_base_asym_alg);
     157              :     }
     158            3 :     measurement_summary_hash_size = 0;
     159              : 
     160            3 :     if (spdm_response_size <= sizeof(spdm_challenge_auth_response_t) +
     161            3 :         hash_size + SPDM_NONCE_SIZE +
     162            3 :         measurement_summary_hash_size +
     163              :         sizeof(uint16_t)) {
     164            0 :         return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     165              :     }
     166              : 
     167            3 :     ptr = (const void *)(spdm_response + 1);
     168              : 
     169            3 :     cert_chain_hash = ptr;
     170            3 :     ptr += hash_size;
     171            3 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap cert_chain_hash (0x%zx) - ", hash_size));
     172            3 :     LIBSPDM_INTERNAL_DUMP_DATA(cert_chain_hash, hash_size);
     173            3 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     174            3 :     if (spdm_context->connection_info.peer_used_cert_chain_slot_id == 0xFF) {
     175            1 :         result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
     176              :     } else {
     177            2 :         result = libspdm_verify_certificate_chain_hash(spdm_context, cert_chain_hash, hash_size);
     178              :     }
     179            3 :     if (!result) {
     180            0 :         return LIBSPDM_STATUS_INVALID_CERT;
     181              :     }
     182              : 
     183            3 :     LIBSPDM_DEBUG_CODE(
     184              :         const void *nonce;
     185              :         nonce = ptr;
     186              :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap nonce (0x%x) - ", SPDM_NONCE_SIZE));
     187              :         LIBSPDM_INTERNAL_DUMP_DATA(nonce, SPDM_NONCE_SIZE);
     188              :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     189              :         );
     190            3 :     ptr += SPDM_NONCE_SIZE;
     191              : 
     192            3 :     LIBSPDM_DEBUG_CODE(
     193              :         const void *measurement_summary_hash;
     194              :         measurement_summary_hash = ptr;
     195              :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap measurement_summary_hash (0x%x) - ",
     196              :                        measurement_summary_hash_size));
     197              :         LIBSPDM_INTERNAL_DUMP_DATA(measurement_summary_hash, measurement_summary_hash_size);
     198              :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     199              :         );
     200            3 :     ptr += measurement_summary_hash_size;
     201              : 
     202            3 :     opaque_length = *(const uint16_t *)ptr;
     203            3 :     if (opaque_length > SPDM_MAX_OPAQUE_DATA_SIZE) {
     204            0 :         return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     205              :     }
     206            3 :     ptr += sizeof(uint16_t);
     207              : 
     208            3 :     if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
     209            1 :         if (spdm_response_size <
     210              :             sizeof(spdm_challenge_auth_response_t) + hash_size +
     211            1 :             SPDM_NONCE_SIZE + measurement_summary_hash_size +
     212            1 :             sizeof(uint16_t) + opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size) {
     213            0 :             return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     214              :         }
     215            1 :         spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
     216            1 :                              hash_size + SPDM_NONCE_SIZE +
     217            1 :                              measurement_summary_hash_size + sizeof(uint16_t) +
     218            1 :                              opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size;
     219              :     } else {
     220            2 :         if (spdm_response_size <
     221              :             sizeof(spdm_challenge_auth_response_t) + hash_size +
     222            2 :             SPDM_NONCE_SIZE + measurement_summary_hash_size +
     223            2 :             sizeof(uint16_t) + opaque_length + signature_size) {
     224            0 :             return LIBSPDM_STATUS_INVALID_MSG_SIZE;
     225              :         }
     226            2 :         spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
     227            2 :                              hash_size + SPDM_NONCE_SIZE +
     228            2 :                              measurement_summary_hash_size + sizeof(uint16_t) +
     229            2 :                              opaque_length + signature_size;
     230              :     }
     231              : 
     232            3 :     LIBSPDM_DEBUG_CODE(
     233              :         const void *opaque;
     234              :         opaque = ptr;
     235              :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap opaque (0x%x):\n", opaque_length));
     236              :         LIBSPDM_INTERNAL_DUMP_HEX(opaque, opaque_length);
     237              :         );
     238            3 :     ptr += opaque_length;
     239              : 
     240            3 :     if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
     241            1 :         if (!libspdm_consttime_is_mem_equal(spdm_context->encap_context.req_context, ptr,
     242              :                                             SPDM_REQ_CONTEXT_SIZE)) {
     243            0 :             return LIBSPDM_STATUS_INVALID_MSG_FIELD;
     244              :         }
     245            1 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
     246            1 :         LIBSPDM_INTERNAL_DUMP_DATA(ptr, SPDM_REQ_CONTEXT_SIZE);
     247            1 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     248            1 :         ptr += SPDM_REQ_CONTEXT_SIZE;
     249              :     }
     250              : 
     251            3 :     status = libspdm_append_message_mut_c(spdm_context, spdm_response,
     252              :                                           spdm_response_size - signature_size);
     253            3 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     254            0 :         return LIBSPDM_STATUS_BUFFER_FULL;
     255              :     }
     256              : 
     257            3 :     signature = ptr;
     258            3 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap signature (0x%zx):\n", signature_size));
     259            3 :     LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
     260            3 :     result = libspdm_verify_challenge_auth_signature(
     261              :         spdm_context, false, signature, signature_size);
     262            3 :     if (!result) {
     263            0 :         return LIBSPDM_STATUS_VERIF_FAIL;
     264              :     }
     265              : 
     266            3 :     libspdm_set_connection_state(spdm_context,
     267              :                                  LIBSPDM_CONNECTION_STATE_AUTHENTICATED);
     268              : 
     269            3 :     *need_continue = false;
     270              : 
     271            3 :     return LIBSPDM_STATUS_SUCCESS;
     272              : }
     273              : 
     274              : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (..) */
        

Generated by: LCOV version 2.0-1