Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2024 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 :
9 : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
10 : (LIBSPDM_SEND_CHALLENGE_SUPPORT)
11 :
12 1 : libspdm_return_t libspdm_get_encap_request_challenge(libspdm_context_t *spdm_context,
13 : size_t *encap_request_size,
14 : void *encap_request)
15 : {
16 : spdm_challenge_request_t *spdm_request;
17 : size_t spdm_request_size;
18 : libspdm_return_t status;
19 :
20 1 : spdm_context->encap_context.last_encap_request_size = 0;
21 :
22 1 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
23 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
24 : }
25 :
26 1 : if (!libspdm_is_capabilities_flag_supported(
27 : spdm_context, false,
28 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP, 0)) {
29 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
30 : }
31 :
32 1 : spdm_request_size = sizeof(spdm_challenge_request_t);
33 1 : if (libspdm_get_connection_version (spdm_context) >= SPDM_MESSAGE_VERSION_13) {
34 0 : spdm_request_size = sizeof(spdm_challenge_request_t) + SPDM_REQ_CONTEXT_SIZE;
35 : }
36 :
37 1 : if(*encap_request_size < spdm_request_size) {
38 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
39 : }
40 1 : *encap_request_size = spdm_request_size;
41 :
42 1 : spdm_request = encap_request;
43 :
44 1 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
45 1 : spdm_request->header.request_response_code = SPDM_CHALLENGE;
46 1 : spdm_request->header.param1 = spdm_context->encap_context.req_slot_id;
47 1 : spdm_request->header.param2 =
48 : SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH;
49 1 : if(!libspdm_get_random_number(SPDM_NONCE_SIZE, spdm_request->nonce)) {
50 0 : return LIBSPDM_STATUS_LOW_ENTROPY;
51 : }
52 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterNonce - "));
53 1 : LIBSPDM_INTERNAL_DUMP_DATA(spdm_request->nonce, SPDM_NONCE_SIZE);
54 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
55 1 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
56 0 : libspdm_copy_mem(spdm_request + 1, SPDM_REQ_CONTEXT_SIZE,
57 0 : spdm_context->encap_context.req_context, SPDM_REQ_CONTEXT_SIZE);
58 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
59 0 : LIBSPDM_INTERNAL_DUMP_DATA((uint8_t *)(spdm_request + 1), SPDM_REQ_CONTEXT_SIZE);
60 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
61 : }
62 :
63 1 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
64 1 : spdm_request->header.request_response_code);
65 :
66 :
67 : /* Cache data*/
68 :
69 1 : status = libspdm_append_message_mut_c(spdm_context, spdm_request,
70 : spdm_request_size);
71 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
72 0 : return LIBSPDM_STATUS_BUFFER_FULL;
73 : }
74 :
75 1 : libspdm_copy_mem(&spdm_context->encap_context.last_encap_request_header,
76 : sizeof(spdm_context->encap_context.last_encap_request_header),
77 1 : &spdm_request->header, sizeof(spdm_message_header_t));
78 1 : spdm_context->encap_context.last_encap_request_size = spdm_request_size;
79 :
80 1 : return LIBSPDM_STATUS_SUCCESS;
81 : }
82 :
83 6 : libspdm_return_t libspdm_process_encap_response_challenge_auth(
84 : libspdm_context_t *spdm_context, size_t encap_response_size,
85 : const void *encap_response, bool *need_continue)
86 : {
87 : bool result;
88 : const spdm_challenge_auth_response_t *spdm_response;
89 : size_t spdm_response_size;
90 : const uint8_t *ptr;
91 : const void *cert_chain_hash;
92 : size_t hash_size;
93 : uint32_t measurement_summary_hash_size;
94 : uint16_t opaque_length;
95 : const void *signature;
96 : size_t signature_size;
97 : uint8_t auth_attribute;
98 : libspdm_return_t status;
99 :
100 6 : spdm_response = encap_response;
101 6 : spdm_response_size = encap_response_size;
102 :
103 6 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
104 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
105 : }
106 6 : if (spdm_response->header.spdm_version != libspdm_get_connection_version (spdm_context)) {
107 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
108 : }
109 6 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
110 1 : status = libspdm_handle_encap_error_response_main(
111 : spdm_context,
112 1 : spdm_response->header.param1);
113 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
114 1 : return status;
115 : }
116 5 : } else if (spdm_response->header.request_response_code != SPDM_CHALLENGE_AUTH) {
117 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
118 : }
119 4 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t)) {
120 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
121 : }
122 4 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
123 1 : if (spdm_response_size < sizeof(spdm_challenge_auth_response_t) + SPDM_REQ_CONTEXT_SIZE) {
124 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
125 : }
126 : }
127 :
128 4 : auth_attribute = spdm_response->header.param1;
129 4 : if (spdm_context->encap_context.req_slot_id == 0xFF) {
130 1 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) != 0xF) {
131 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
132 : }
133 1 : if (spdm_response->header.param2 != 0) {
134 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
135 : }
136 : } else {
137 3 : if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK) !=
138 3 : spdm_context->encap_context.req_slot_id) {
139 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
140 : }
141 3 : if ((spdm_response->header.param2 &
142 3 : (1 << spdm_context->encap_context.req_slot_id)) == 0) {
143 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
144 : }
145 : }
146 :
147 3 : spdm_context->connection_info.peer_used_cert_chain_slot_id =
148 3 : spdm_context->encap_context.req_slot_id;
149 :
150 3 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
151 6 : signature_size = libspdm_get_req_asym_signature_size(
152 3 : spdm_context->connection_info.algorithm.req_base_asym_alg);
153 3 : measurement_summary_hash_size = 0;
154 :
155 3 : if (spdm_response_size <= sizeof(spdm_challenge_auth_response_t) +
156 3 : hash_size + SPDM_NONCE_SIZE +
157 3 : measurement_summary_hash_size +
158 : sizeof(uint16_t)) {
159 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
160 : }
161 :
162 3 : ptr = (const void *)(spdm_response + 1);
163 :
164 3 : cert_chain_hash = ptr;
165 3 : ptr += hash_size;
166 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap cert_chain_hash (0x%zx) - ", hash_size));
167 3 : LIBSPDM_INTERNAL_DUMP_DATA(cert_chain_hash, hash_size);
168 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
169 3 : if (spdm_context->connection_info.peer_used_cert_chain_slot_id == 0xFF) {
170 1 : result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
171 : } else {
172 2 : result = libspdm_verify_certificate_chain_hash(spdm_context, cert_chain_hash, hash_size);
173 : }
174 3 : if (!result) {
175 0 : return LIBSPDM_STATUS_INVALID_CERT;
176 : }
177 :
178 3 : LIBSPDM_DEBUG_CODE(
179 : const void *nonce;
180 : nonce = ptr;
181 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap nonce (0x%x) - ", SPDM_NONCE_SIZE));
182 : LIBSPDM_INTERNAL_DUMP_DATA(nonce, SPDM_NONCE_SIZE);
183 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
184 : );
185 3 : ptr += SPDM_NONCE_SIZE;
186 :
187 3 : LIBSPDM_DEBUG_CODE(
188 : const void *measurement_summary_hash;
189 : measurement_summary_hash = ptr;
190 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap measurement_summary_hash (0x%x) - ",
191 : measurement_summary_hash_size));
192 : LIBSPDM_INTERNAL_DUMP_DATA(measurement_summary_hash, measurement_summary_hash_size);
193 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
194 : );
195 3 : ptr += measurement_summary_hash_size;
196 :
197 3 : opaque_length = *(const uint16_t *)ptr;
198 3 : if (opaque_length > SPDM_MAX_OPAQUE_DATA_SIZE) {
199 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
200 : }
201 3 : ptr += sizeof(uint16_t);
202 :
203 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
204 1 : if (spdm_response_size <
205 : sizeof(spdm_challenge_auth_response_t) + hash_size +
206 1 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
207 1 : sizeof(uint16_t) + opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size) {
208 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
209 : }
210 1 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
211 1 : hash_size + SPDM_NONCE_SIZE +
212 1 : measurement_summary_hash_size + sizeof(uint16_t) +
213 1 : opaque_length + SPDM_REQ_CONTEXT_SIZE + signature_size;
214 : } else {
215 2 : if (spdm_response_size <
216 : sizeof(spdm_challenge_auth_response_t) + hash_size +
217 2 : SPDM_NONCE_SIZE + measurement_summary_hash_size +
218 2 : sizeof(uint16_t) + opaque_length + signature_size) {
219 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
220 : }
221 2 : spdm_response_size = sizeof(spdm_challenge_auth_response_t) +
222 2 : hash_size + SPDM_NONCE_SIZE +
223 2 : measurement_summary_hash_size + sizeof(uint16_t) +
224 2 : opaque_length + signature_size;
225 : }
226 :
227 3 : LIBSPDM_DEBUG_CODE(
228 : const void *opaque;
229 : opaque = ptr;
230 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap opaque (0x%x):\n", opaque_length));
231 : LIBSPDM_INTERNAL_DUMP_HEX(opaque, opaque_length);
232 : );
233 3 : ptr += opaque_length;
234 :
235 3 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
236 1 : if (!libspdm_consttime_is_mem_equal(spdm_context->encap_context.req_context, ptr,
237 : SPDM_REQ_CONTEXT_SIZE)) {
238 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
239 : }
240 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap RequesterContext - "));
241 1 : LIBSPDM_INTERNAL_DUMP_DATA(ptr, SPDM_REQ_CONTEXT_SIZE);
242 1 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
243 1 : ptr += SPDM_REQ_CONTEXT_SIZE;
244 : }
245 :
246 3 : status = libspdm_append_message_mut_c(spdm_context, spdm_response,
247 : spdm_response_size - signature_size);
248 3 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
249 0 : return LIBSPDM_STATUS_BUFFER_FULL;
250 : }
251 :
252 3 : signature = ptr;
253 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Encap signature (0x%zx):\n", signature_size));
254 3 : LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
255 3 : result = libspdm_verify_challenge_auth_signature(
256 : spdm_context, false, signature, signature_size);
257 3 : if (!result) {
258 0 : return LIBSPDM_STATUS_VERIF_FAIL;
259 : }
260 :
261 3 : libspdm_set_connection_state(spdm_context,
262 : LIBSPDM_CONNECTION_STATE_AUTHENTICATED);
263 :
264 3 : *need_continue = false;
265 :
266 3 : return LIBSPDM_STATUS_SUCCESS;
267 : }
268 :
269 : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (..) */
|
