Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2024 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 :
9 : #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP) && \
10 : (LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT)
11 :
12 1 : libspdm_return_t libspdm_get_encap_request_get_digest(libspdm_context_t *spdm_context,
13 : size_t *encap_request_size,
14 : void *encap_request)
15 : {
16 : spdm_get_digest_request_t *spdm_request;
17 : libspdm_return_t status;
18 :
19 1 : spdm_context->encap_context.last_encap_request_size = 0;
20 :
21 1 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
22 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
23 : }
24 :
25 1 : if (!libspdm_is_capabilities_flag_supported(
26 : spdm_context, false,
27 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CERT_CAP, 0)) {
28 0 : return LIBSPDM_STATUS_UNSUPPORTED_CAP;
29 : }
30 :
31 1 : LIBSPDM_ASSERT(*encap_request_size >= sizeof(spdm_get_digest_request_t));
32 1 : *encap_request_size = sizeof(spdm_get_digest_request_t);
33 :
34 1 : spdm_request = encap_request;
35 :
36 1 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
37 1 : spdm_request->header.request_response_code);
38 :
39 1 : spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
40 1 : spdm_request->header.request_response_code = SPDM_GET_DIGESTS;
41 1 : spdm_request->header.param1 = 0;
42 1 : spdm_request->header.param2 = 0;
43 :
44 :
45 : /* Cache data*/
46 :
47 1 : status = libspdm_append_message_mut_b(spdm_context, spdm_request,
48 : *encap_request_size);
49 1 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
50 0 : return LIBSPDM_STATUS_BUFFER_FULL;
51 : }
52 :
53 1 : libspdm_copy_mem(&spdm_context->encap_context.last_encap_request_header,
54 : sizeof(spdm_context->encap_context.last_encap_request_header),
55 1 : &spdm_request->header, sizeof(spdm_message_header_t));
56 1 : spdm_context->encap_context.last_encap_request_size =
57 1 : *encap_request_size;
58 :
59 1 : return LIBSPDM_STATUS_SUCCESS;
60 : }
61 :
62 11 : libspdm_return_t libspdm_process_encap_response_digest(
63 : libspdm_context_t *spdm_context, size_t encap_response_size,
64 : const void *encap_response, bool *need_continue)
65 : {
66 : const spdm_digest_response_t *spdm_response;
67 : size_t spdm_response_size;
68 : size_t digest_size;
69 : size_t digest_count;
70 : size_t index;
71 : libspdm_return_t status;
72 : uint32_t session_id;
73 : libspdm_session_info_t *session_info;
74 : size_t additional_size;
75 : spdm_key_pair_id_t *key_pair_id;
76 : spdm_certificate_info_t *cert_info;
77 : spdm_key_usage_bit_mask_t *key_usage_bit_mask;
78 : size_t slot_index;
79 : uint8_t cert_model;
80 11 : uint8_t zero_digest[LIBSPDM_MAX_HASH_SIZE] = {0};
81 :
82 11 : spdm_response = encap_response;
83 11 : spdm_response_size = encap_response_size;
84 :
85 11 : if (spdm_response_size < sizeof(spdm_message_header_t)) {
86 1 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
87 : }
88 10 : if (spdm_response->header.spdm_version != libspdm_get_connection_version (spdm_context)) {
89 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
90 : }
91 9 : if (spdm_response->header.request_response_code == SPDM_ERROR) {
92 2 : status = libspdm_handle_encap_error_response_main(
93 : spdm_context,
94 2 : spdm_response->header.param1);
95 2 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
96 2 : return status;
97 : }
98 7 : } else if (spdm_response->header.request_response_code !=
99 : SPDM_DIGESTS) {
100 1 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
101 : }
102 6 : if (spdm_response_size < sizeof(spdm_digest_response_t)) {
103 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
104 : }
105 :
106 6 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "provisioned_slot_mask - 0x%02x\n",
107 : spdm_response->header.param2));
108 6 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
109 3 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "supported_slot_mask - 0x%02x\n",
110 : spdm_response->header.param1));
111 3 : if ((spdm_response->header.param1 & spdm_response->header.param2) !=
112 3 : spdm_response->header.param2) {
113 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
114 : }
115 : }
116 :
117 6 : digest_size = libspdm_get_hash_size(
118 : spdm_context->connection_info.algorithm.base_hash_algo);
119 6 : digest_count = 0;
120 54 : for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
121 48 : if (spdm_response->header.param2 & (1 << index)) {
122 13 : digest_count++;
123 : }
124 : }
125 6 : if (digest_count == 0) {
126 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
127 : }
128 :
129 6 : additional_size = 0;
130 6 : if ((spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
131 3 : spdm_context->connection_info.multi_key_conn_req) {
132 2 : additional_size = sizeof(spdm_key_pair_id_t) + sizeof(spdm_certificate_info_t) +
133 : sizeof(spdm_key_usage_bit_mask_t);
134 : }
135 6 : if (spdm_response_size <
136 6 : sizeof(spdm_digest_response_t) + digest_count * (digest_size + additional_size)) {
137 0 : return LIBSPDM_STATUS_INVALID_MSG_SIZE;
138 : }
139 6 : spdm_response_size =
140 6 : sizeof(spdm_digest_response_t) + digest_count * (digest_size + additional_size);
141 :
142 : /* Cache data*/
143 :
144 6 : status = libspdm_append_message_mut_b(spdm_context, spdm_response,
145 : spdm_response_size);
146 6 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
147 0 : return LIBSPDM_STATUS_BUFFER_FULL;
148 : }
149 :
150 6 : if (spdm_context->last_spdm_request_session_id_valid) {
151 5 : session_id = spdm_context->last_spdm_request_session_id;
152 : } else {
153 1 : session_id = spdm_context->latest_session_id;
154 : }
155 6 : if (session_id != INVALID_SESSION_ID) {
156 5 : session_info = libspdm_get_session_info_via_session_id(spdm_context, session_id);
157 : } else {
158 1 : session_info = NULL;
159 : }
160 6 : if (session_info != NULL) {
161 5 : if (spdm_context->connection_info.multi_key_conn_req) {
162 2 : status = libspdm_append_message_encap_d(spdm_context, session_info, false,
163 : spdm_response, spdm_response_size);
164 2 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
165 0 : return LIBSPDM_STATUS_BUFFER_FULL;
166 : }
167 : }
168 : }
169 :
170 6 : key_pair_id =
171 6 : (spdm_key_pair_id_t *)((size_t)(spdm_response + 1) + digest_size * digest_count);
172 6 : cert_info =
173 : (spdm_certificate_info_t *)((uint8_t *)key_pair_id + sizeof(spdm_key_pair_id_t) *
174 : digest_count);
175 6 : key_usage_bit_mask =
176 : (spdm_key_usage_bit_mask_t *)((uint8_t *)cert_info + sizeof(spdm_certificate_info_t) *
177 : digest_count);
178 19 : for (index = 0; index < digest_count; index++) {
179 13 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "digest (0x%zx) - ", index));
180 13 : LIBSPDM_INTERNAL_DUMP_DATA(
181 : (const uint8_t *)(spdm_response + 1) + (digest_size * index), digest_size);
182 13 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
183 : }
184 6 : if ((spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
185 3 : spdm_context->connection_info.multi_key_conn_req) {
186 11 : for (index = 0; index < digest_count; index++) {
187 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "key_pair_id (0x%zx) - 0x%02x\n", index,
188 : key_pair_id[index]));
189 : }
190 11 : for (index = 0; index < digest_count; index++) {
191 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "cert_info (0x%zx) - 0x%02x\n", index,
192 : cert_info[index]));
193 : }
194 11 : for (index = 0; index < digest_count; index++) {
195 9 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "key_usage_bit_mask (0x%zx) - 0x%04x\n", index,
196 : key_usage_bit_mask[index]));
197 : }
198 : }
199 :
200 6 : spdm_context->connection_info.peer_provisioned_slot_mask = spdm_response->header.param2;
201 6 : if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
202 3 : spdm_context->connection_info.peer_supported_slot_mask = spdm_response->header.param1;
203 : } else {
204 3 : spdm_context->connection_info.peer_supported_slot_mask = spdm_response->header.param2;
205 : }
206 6 : libspdm_copy_mem(
207 6 : spdm_context->connection_info.peer_total_digest_buffer,
208 : sizeof(spdm_context->connection_info.peer_total_digest_buffer),
209 6 : spdm_response + 1, digest_size * digest_count);
210 6 : libspdm_zero_mem(spdm_context->connection_info.peer_key_pair_id,
211 : sizeof(spdm_context->connection_info.peer_key_pair_id));
212 6 : libspdm_zero_mem(spdm_context->connection_info.peer_cert_info,
213 : sizeof(spdm_context->connection_info.peer_cert_info));
214 6 : libspdm_zero_mem(spdm_context->connection_info.peer_key_usage_bit_mask,
215 : sizeof(spdm_context->connection_info.peer_key_usage_bit_mask));
216 6 : if ((spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
217 3 : spdm_context->connection_info.multi_key_conn_req) {
218 2 : slot_index = 0;
219 18 : for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
220 16 : if (spdm_response->header.param2 & (1 << index)) {
221 9 : spdm_context->connection_info.peer_key_pair_id[index] = key_pair_id[slot_index];
222 9 : cert_model = cert_info[slot_index] & SPDM_CERTIFICATE_INFO_CERT_MODEL_MASK;
223 9 : if (cert_model > SPDM_CERTIFICATE_INFO_CERT_MODEL_GENERIC_CERT) {
224 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
225 : }
226 9 : if (index == 0) {
227 2 : if (cert_model == SPDM_CERTIFICATE_INFO_CERT_MODEL_GENERIC_CERT) {
228 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
229 : }
230 2 : if ((key_usage_bit_mask[slot_index] &
231 : (SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE |
232 : SPDM_KEY_USAGE_BIT_MASK_CHALLENGE_USE |
233 : SPDM_KEY_USAGE_BIT_MASK_MEASUREMENT_USE |
234 : SPDM_KEY_USAGE_BIT_MASK_ENDPOINT_INFO_USE)) == 0) {
235 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
236 : }
237 : }
238 9 : if ((cert_model == SPDM_CERTIFICATE_INFO_CERT_MODEL_NONE) &&
239 0 : (!libspdm_consttime_is_mem_equal(
240 0 : (const uint8_t *)(spdm_response + 1) + digest_size * slot_index,
241 : zero_digest,
242 : digest_size))) {
243 0 : return LIBSPDM_STATUS_INVALID_MSG_FIELD;
244 : }
245 9 : spdm_context->connection_info.peer_cert_info[index] = cert_model;
246 9 : spdm_context->connection_info.peer_key_usage_bit_mask[index] =
247 9 : key_usage_bit_mask[slot_index];
248 9 : slot_index++;
249 : }
250 : }
251 : }
252 :
253 6 : *need_continue = false;
254 :
255 6 : return LIBSPDM_STATUS_SUCCESS;
256 : }
257 :
258 : #endif /* (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (...) */
|
