LCOV - code coverage report
Current view: top level - library/spdm_responder_lib - libspdm_rsp_finish.c (source / functions) Coverage Total Hit
Test: coverage.info Lines: 80.1 % 206 165
Test Date: 2025-08-24 08:11:14 Functions: 100.0 % 4 4

            Line data    Source code
       1              : /**
       2              :  *  Copyright Notice:
       3              :  *  Copyright 2021-2025 DMTF. All rights reserved.
       4              :  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
       5              :  **/
       6              : 
       7              : #include "internal/libspdm_responder_lib.h"
       8              : #include "internal/libspdm_secured_message_lib.h"
       9              : 
      10              : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
      11              : 
      12           16 : bool libspdm_verify_finish_req_hmac(libspdm_context_t *spdm_context,
      13              :                                     libspdm_session_info_t *session_info,
      14              :                                     const uint8_t *hmac, size_t hmac_size)
      15              : {
      16              :     uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
      17              :     size_t hash_size;
      18              :     bool result;
      19              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
      20              :     uint8_t slot_id;
      21              :     uint8_t *cert_chain_buffer;
      22              :     size_t cert_chain_buffer_size;
      23              :     uint8_t *mut_cert_chain_buffer;
      24              :     size_t mut_cert_chain_buffer_size;
      25              :     uint8_t *th_curr_data;
      26              :     size_t th_curr_data_size;
      27              :     libspdm_th_managed_buffer_t th_curr;
      28              :     uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
      29              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
      30              : 
      31           16 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
      32           16 :     LIBSPDM_ASSERT(hmac_size == hash_size);
      33              : 
      34              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
      35              :     slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
      36              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
      37              :     if (slot_id == 0xFF) {
      38              :         result = libspdm_get_local_public_key_buffer(
      39              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
      40              :     } else {
      41              :         result = libspdm_get_local_cert_chain_buffer(
      42              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
      43              :     }
      44              :     if (!result) {
      45              :         return false;
      46              :     }
      47              : 
      48              :     if (session_info->mut_auth_requested != 0) {
      49              :         slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
      50              :         LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
      51              :         if (slot_id == 0xFF) {
      52              :             result = libspdm_get_peer_public_key_buffer(
      53              :                 spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
      54              :         } else {
      55              :             result = libspdm_get_peer_cert_chain_buffer(
      56              :                 spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
      57              :         }
      58              :         if (!result) {
      59              :             return false;
      60              :         }
      61              :     } else {
      62              :         mut_cert_chain_buffer = NULL;
      63              :         mut_cert_chain_buffer_size = 0;
      64              :     }
      65              : 
      66              :     result = libspdm_calculate_th_for_finish(
      67              :         spdm_context, session_info, cert_chain_buffer,
      68              :         cert_chain_buffer_size, mut_cert_chain_buffer,
      69              :         mut_cert_chain_buffer_size, &th_curr);
      70              :     if (!result) {
      71              :         return false;
      72              :     }
      73              :     th_curr_data = libspdm_get_managed_buffer(&th_curr);
      74              :     th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
      75              : 
      76              :     result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
      77              :                                th_curr_data, th_curr_data_size, hash_data);
      78              :     if (!result) {
      79              :         return false;
      80              :     }
      81              : 
      82              :     result = libspdm_hmac_all_with_request_finished_key(
      83              :         session_info->secured_message_context, hash_data, hash_size, hmac_data);
      84              :     if (!result) {
      85              :         return false;
      86              :     }
      87              : #else
      88           16 :     result = libspdm_calculate_th_hmac_for_finish_req(
      89              :         spdm_context, session_info, &hash_size, hmac_data);
      90           16 :     if (!result) {
      91            0 :         return false;
      92              :     }
      93              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
      94           16 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
      95           16 :     LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
      96           16 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
      97              : 
      98           16 :     if (!libspdm_consttime_is_mem_equal(hmac, hmac_data, hash_size)) {
      99            2 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! verify_finish_req_hmac - FAIL !!!\n"));
     100            2 :         return false;
     101              :     }
     102           14 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! verify_finish_req_hmac - PASS !!!\n"));
     103           14 :     return true;
     104              : }
     105              : 
     106              : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     107           11 : bool libspdm_verify_finish_req_signature(libspdm_context_t *spdm_context,
     108              :                                          libspdm_session_info_t *session_info,
     109              :                                          const void *sign_data,
     110              :                                          const size_t sign_data_size)
     111              : {
     112              :     bool result;
     113              :     void *context;
     114              :     uint8_t slot_id;
     115              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     116              :     uint8_t *cert_chain_buffer;
     117              :     size_t cert_chain_buffer_size;
     118              :     uint8_t *mut_cert_chain_buffer;
     119              :     size_t mut_cert_chain_buffer_size;
     120              :     uint8_t *th_curr_data;
     121              :     size_t th_curr_data_size;
     122              :     libspdm_th_managed_buffer_t th_curr;
     123              :     const uint8_t *mut_cert_chain_data;
     124              :     size_t mut_cert_chain_data_size;
     125              :     const uint8_t *mut_cert_buffer;
     126              :     size_t mut_cert_buffer_size;
     127              : #endif
     128              : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
     129              :     !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
     130              :     uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
     131              : #endif
     132              : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
     133              :     size_t hash_size;
     134              : 
     135           11 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
     136              : #endif
     137              : 
     138              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     139              :     slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
     140              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     141              :     if (slot_id == 0xFF) {
     142              :         result = libspdm_get_local_public_key_buffer(
     143              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     144              :     } else {
     145              :         result = libspdm_get_local_cert_chain_buffer(
     146              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     147              :     }
     148              :     if (!result) {
     149              :         return false;
     150              :     }
     151              : 
     152              :     slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
     153              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     154              :     if (slot_id == 0xFF) {
     155              :         result = libspdm_get_peer_public_key_buffer(
     156              :             spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
     157              :     } else {
     158              :         result = libspdm_get_peer_cert_chain_buffer(
     159              :             spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
     160              :     }
     161              :     if (!result) {
     162              :         return false;
     163              :     }
     164              : 
     165              :     result = libspdm_calculate_th_for_finish(
     166              :         spdm_context, session_info, cert_chain_buffer,
     167              :         cert_chain_buffer_size, mut_cert_chain_buffer,
     168              :         mut_cert_chain_buffer_size, &th_curr);
     169              :     if (!result) {
     170              :         return false;
     171              :     }
     172              :     th_curr_data = libspdm_get_managed_buffer(&th_curr);
     173              :     th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
     174              : 
     175              :     /* Debug code only - required for debug print of th_curr below*/
     176              :     LIBSPDM_DEBUG_CODE(
     177              :         if (!libspdm_hash_all(
     178              :                 spdm_context->connection_info.algorithm.base_hash_algo,
     179              :                 th_curr_data, th_curr_data_size, hash_data)) {
     180              :         return false;
     181              :     }
     182              :         );
     183              : #else
     184           11 :     result = libspdm_calculate_th_hash_for_finish(
     185              :         spdm_context, session_info, &hash_size, hash_data);
     186           11 :     if (!result) {
     187            0 :         return false;
     188              :     }
     189              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
     190           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
     191           11 :     LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
     192           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     193              : 
     194           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
     195           11 :     LIBSPDM_INTERNAL_DUMP_DATA(sign_data, sign_data_size);
     196           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     197              : 
     198           11 :     slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
     199           11 :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     200              : 
     201           11 :     if (slot_id == 0xFF) {
     202            1 :         if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     203            0 :             result = libspdm_req_pqc_asym_get_public_key_from_der(
     204              :                 spdm_context->connection_info.algorithm.req_pqc_asym_alg,
     205            0 :                 spdm_context->local_context.peer_public_key_provision,
     206              :                 spdm_context->local_context.peer_public_key_provision_size,
     207              :                 &context);
     208              :         } else {
     209            1 :             result = libspdm_req_asym_get_public_key_from_der(
     210            1 :                 spdm_context->connection_info.algorithm.req_base_asym_alg,
     211            1 :                 spdm_context->local_context.peer_public_key_provision,
     212              :                 spdm_context->local_context.peer_public_key_provision_size,
     213              :                 &context);
     214              :         }
     215            1 :         if (!result) {
     216            0 :             return false;
     217              :         }
     218              :     } else {
     219              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     220              :         /* Get leaf cert from cert chain*/
     221              :         result = libspdm_get_peer_cert_chain_data(spdm_context,
     222              :                                                   (const void **)&mut_cert_chain_data,
     223              :                                                   &mut_cert_chain_data_size);
     224              :         if (!result) {
     225              :             return false;
     226              :         }
     227              : 
     228              :         result = libspdm_x509_get_cert_from_cert_chain(mut_cert_chain_data,
     229              :                                                        mut_cert_chain_data_size, -1,
     230              :                                                        &mut_cert_buffer,
     231              :                                                        &mut_cert_buffer_size);
     232              :         if (!result) {
     233              :             return false;
     234              :         }
     235              : 
     236              :         if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     237              :             result = libspdm_req_pqc_asym_get_public_key_from_x509(
     238              :                 spdm_context->connection_info.algorithm.req_pqc_asym_alg,
     239              :                 mut_cert_buffer, mut_cert_buffer_size, &context);
     240              :         } else {
     241              :             result = libspdm_req_asym_get_public_key_from_x509(
     242              :                 spdm_context->connection_info.algorithm.req_base_asym_alg,
     243              :                 mut_cert_buffer, mut_cert_buffer_size, &context);
     244              :         }
     245              :         if (!result) {
     246              :             return false;
     247              :         }
     248              : #else
     249           10 :         context = spdm_context->connection_info.peer_used_cert_chain[slot_id].leaf_cert_public_key;
     250           10 :         LIBSPDM_ASSERT(context != NULL);
     251              : #endif
     252              :     }
     253              : 
     254              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     255              :     if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     256              :         result = libspdm_req_pqc_asym_verify(
     257              :             spdm_context->connection_info.version, SPDM_FINISH,
     258              :             spdm_context->connection_info.algorithm.req_pqc_asym_alg,
     259              :             spdm_context->connection_info.algorithm.base_hash_algo,
     260              :             context, th_curr_data, th_curr_data_size, sign_data, sign_data_size);
     261              :         libspdm_req_pqc_asym_free(spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
     262              :     } else {
     263              :         result = libspdm_req_asym_verify_ex(
     264              :             spdm_context->connection_info.version, SPDM_FINISH,
     265              :             spdm_context->connection_info.algorithm.req_base_asym_alg,
     266              :             spdm_context->connection_info.algorithm.base_hash_algo,
     267              :             context, th_curr_data, th_curr_data_size, sign_data, sign_data_size,
     268              :             &spdm_context->spdm_10_11_verify_signature_endian);
     269              :         libspdm_req_asym_free(spdm_context->connection_info.algorithm.req_base_asym_alg, context);
     270              :     }
     271              : #else
     272           11 :     if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     273            0 :         result = libspdm_req_pqc_asym_verify_hash(
     274            0 :             spdm_context->connection_info.version, SPDM_FINISH,
     275              :             spdm_context->connection_info.algorithm.req_pqc_asym_alg,
     276              :             spdm_context->connection_info.algorithm.base_hash_algo,
     277              :             context, hash_data, hash_size, sign_data, sign_data_size);
     278            0 :         if (slot_id == 0xFF) {
     279            0 :             libspdm_req_pqc_asym_free(spdm_context->connection_info.algorithm.req_pqc_asym_alg, context);
     280              :         }
     281              :     } else {
     282           11 :         result = libspdm_req_asym_verify_hash_ex(
     283           11 :             spdm_context->connection_info.version, SPDM_FINISH,
     284           11 :             spdm_context->connection_info.algorithm.req_base_asym_alg,
     285              :             spdm_context->connection_info.algorithm.base_hash_algo,
     286              :             context, hash_data, hash_size, sign_data, sign_data_size,
     287              :             &spdm_context->spdm_10_11_verify_signature_endian);
     288           11 :         if (slot_id == 0xFF) {
     289            1 :             libspdm_req_asym_free(spdm_context->connection_info.algorithm.req_base_asym_alg, context);
     290              :         }
     291              :     }
     292              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
     293              : 
     294           11 :     if (!result) {
     295            4 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_ERROR, "!!! VerifyFinishSignature - FAIL !!!\n"));
     296            4 :         return false;
     297              :     }
     298            7 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "!!! VerifyFinishSignature - PASS !!!\n"));
     299              : 
     300            7 :     return true;
     301              : }
     302              : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
     303              : 
     304           12 : bool libspdm_generate_finish_rsp_hmac(libspdm_context_t *spdm_context,
     305              :                                       libspdm_session_info_t *session_info,
     306              :                                       uint8_t *hmac)
     307              : {
     308              :     uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
     309              :     size_t hash_size;
     310              :     bool result;
     311              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     312              :     uint8_t slot_id;
     313              :     uint8_t *cert_chain_buffer;
     314              :     size_t cert_chain_buffer_size;
     315              :     uint8_t *mut_cert_chain_buffer;
     316              :     size_t mut_cert_chain_buffer_size;
     317              :     uint8_t *th_curr_data;
     318              :     size_t th_curr_data_size;
     319              :     libspdm_th_managed_buffer_t th_curr;
     320              :     uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
     321              : #endif
     322              : 
     323           12 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
     324              : 
     325              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     326              :     slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
     327              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     328              :     if (slot_id == 0xFF) {
     329              :         result = libspdm_get_local_public_key_buffer(
     330              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     331              :     } else {
     332              :         result = libspdm_get_local_cert_chain_buffer(
     333              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     334              :     }
     335              :     if (!result) {
     336              :         return false;
     337              :     }
     338              : 
     339              :     if (session_info->mut_auth_requested != 0) {
     340              :         slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
     341              :         LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     342              :         if (slot_id == 0xFF) {
     343              :             result = libspdm_get_peer_public_key_buffer(
     344              :                 spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
     345              :         } else {
     346              :             result = libspdm_get_peer_cert_chain_buffer(
     347              :                 spdm_context, (const void **)&mut_cert_chain_buffer, &mut_cert_chain_buffer_size);
     348              :         }
     349              :         if (!result) {
     350              :             return false;
     351              :         }
     352              :     } else {
     353              :         mut_cert_chain_buffer = NULL;
     354              :         mut_cert_chain_buffer_size = 0;
     355              :     }
     356              : 
     357              :     result = libspdm_calculate_th_for_finish(
     358              :         spdm_context, session_info, cert_chain_buffer,
     359              :         cert_chain_buffer_size, mut_cert_chain_buffer,
     360              :         mut_cert_chain_buffer_size, &th_curr);
     361              :     if (!result) {
     362              :         return false;
     363              :     }
     364              :     th_curr_data = libspdm_get_managed_buffer(&th_curr);
     365              :     th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
     366              : 
     367              :     result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
     368              :                                th_curr_data, th_curr_data_size, hash_data);
     369              :     if (!result) {
     370              :         return false;
     371              :     }
     372              : 
     373              :     result = libspdm_hmac_all_with_response_finished_key(
     374              :         session_info->secured_message_context, hash_data, hash_size, hmac_data);
     375              :     if (!result) {
     376              :         return false;
     377              :     }
     378              : #else
     379           12 :     result = libspdm_calculate_th_hmac_for_finish_rsp(
     380              :         spdm_context, session_info, &hash_size, hmac_data);
     381           12 :     if (!result) {
     382            0 :         return false;
     383              :     }
     384              : #endif
     385           12 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
     386           12 :     LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
     387           12 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     388              : 
     389           12 :     libspdm_copy_mem(hmac, hash_size, hmac_data, hash_size);
     390              : 
     391           12 :     return true;
     392              : }
     393              : 
     394           29 : libspdm_return_t libspdm_get_response_finish(libspdm_context_t *spdm_context, size_t request_size,
     395              :                                              const void *request,
     396              :                                              size_t *response_size,
     397              :                                              void *response)
     398              : {
     399              :     uint32_t session_id;
     400              :     bool result;
     401              :     uint32_t hmac_size;
     402              :     uint32_t signature_size;
     403              :     uint8_t req_slot_id;
     404              :     const spdm_finish_request_t *spdm_request;
     405              :     spdm_finish_response_t *spdm_response;
     406              :     libspdm_session_info_t *session_info;
     407              :     uint8_t th2_hash_data[LIBSPDM_MAX_HASH_SIZE];
     408              :     libspdm_return_t status;
     409              :     libspdm_session_state_t session_state;
     410              :     uint8_t *ptr;
     411              :     size_t opaque_data_entry_size;
     412              :     size_t opaque_data_size;
     413              : 
     414           29 :     spdm_request = request;
     415              : 
     416              :     /* -=[Check Parameters Phase]=- */
     417           29 :     LIBSPDM_ASSERT(spdm_request->header.request_response_code == SPDM_FINISH);
     418              : 
     419           29 :     if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
     420            0 :         return libspdm_generate_error_response(spdm_context,
     421              :                                                SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
     422              :                                                SPDM_FINISH,
     423              :                                                response_size, response);
     424              :     }
     425              : 
     426           29 :     if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
     427            0 :         return libspdm_generate_error_response(spdm_context,
     428              :                                                SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
     429              :                                                response_size, response);
     430              :     }
     431           29 :     if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_NORMAL) {
     432            3 :         return libspdm_responder_handle_response_state(
     433              :             spdm_context,
     434            3 :             spdm_request->header.request_response_code,
     435              :             response_size, response);
     436              :     }
     437           26 :     if (!libspdm_is_capabilities_flag_supported(
     438              :             spdm_context, false,
     439              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
     440              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
     441            1 :         return libspdm_generate_error_response(
     442              :             spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
     443              :             SPDM_FINISH, response_size, response);
     444              :     }
     445           25 :     if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
     446            1 :         return libspdm_generate_error_response(spdm_context,
     447              :                                                SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
     448              :                                                0, response_size, response);
     449              :     }
     450           24 :     if (!libspdm_is_capabilities_flag_supported(
     451              :             spdm_context, false,
     452              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     453              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     454              :         /* No handshake in clear, then it must be in a session.*/
     455            2 :         if (!spdm_context->last_spdm_request_session_id_valid) {
     456            0 :             if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
     457            0 :                 return libspdm_generate_error_response(
     458              :                     spdm_context, SPDM_ERROR_CODE_SESSION_REQUIRED, 0, response_size, response);
     459              :             } else {
     460            0 :                 return libspdm_generate_error_response(
     461              :                     spdm_context, SPDM_ERROR_CODE_UNSPECIFIED, 0, response_size, response);
     462              :             }
     463              :         }
     464              :     } else {
     465              :         /* handshake in clear, then it must not be in a session.*/
     466           22 :         if (spdm_context->last_spdm_request_session_id_valid) {
     467            0 :             if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
     468            0 :                 return libspdm_generate_error_response(
     469              :                     spdm_context, SPDM_ERROR_CODE_SESSION_REQUIRED, 0, response_size, response);
     470              :             } else {
     471            0 :                 return libspdm_generate_error_response(
     472              :                     spdm_context, SPDM_ERROR_CODE_UNSPECIFIED, 0, response_size, response);
     473              :             }
     474              :         }
     475              :     }
     476           24 :     if (spdm_context->last_spdm_request_session_id_valid) {
     477            2 :         session_id = spdm_context->last_spdm_request_session_id;
     478              :     } else {
     479           22 :         session_id = spdm_context->latest_session_id;
     480              :     }
     481           24 :     session_info = libspdm_get_session_info_via_session_id(spdm_context, session_id);
     482           24 :     if (session_info == NULL) {
     483            0 :         if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
     484            0 :             return libspdm_generate_error_response(spdm_context,
     485              :                                                    SPDM_ERROR_CODE_SESSION_REQUIRED, 0,
     486              :                                                    response_size, response);
     487              :         } else {
     488            0 :             return libspdm_generate_error_response(spdm_context,
     489              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     490              :                                                    response_size, response);
     491              :         }
     492              :     }
     493           24 :     if (session_info->use_psk) {
     494            0 :         return libspdm_generate_error_response(spdm_context,
     495              :                                                SPDM_ERROR_CODE_UNEXPECTED_REQUEST, 0,
     496              :                                                response_size, response);
     497              :     }
     498           24 :     session_state = libspdm_secured_message_get_session_state(
     499              :         session_info->secured_message_context);
     500           24 :     if (session_state != LIBSPDM_SESSION_STATE_HANDSHAKING) {
     501            1 :         return libspdm_generate_error_response(spdm_context,
     502              :                                                SPDM_ERROR_CODE_UNEXPECTED_REQUEST, 0,
     503              :                                                response_size, response);
     504              :     }
     505              : 
     506           23 :     if (((session_info->mut_auth_requested == 0) &&
     507           10 :          ((spdm_request->header.param1 & SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED) !=
     508           23 :           0)) ||
     509           23 :         ((session_info->mut_auth_requested != 0) &&
     510           13 :          ((spdm_request->header.param1 & SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED) ==
     511              :           0))) {
     512            0 :         return libspdm_generate_error_response(spdm_context,
     513              :                                                SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     514              :                                                response_size, response);
     515              :     }
     516              : 
     517           23 :     hmac_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
     518           23 :     signature_size = 0;
     519              : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     520           23 :     if (session_info->mut_auth_requested != 0) {
     521           13 :         if (spdm_context->connection_info.algorithm.req_pqc_asym_alg != 0) {
     522            0 :             signature_size = libspdm_get_req_pqc_asym_signature_size(
     523              :                 spdm_context->connection_info.algorithm.req_pqc_asym_alg);
     524              :         } else {
     525           13 :             signature_size = libspdm_get_req_asym_signature_size(
     526           13 :                 spdm_context->connection_info.algorithm.req_base_asym_alg);
     527              :         }
     528              :     }
     529              : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
     530              : 
     531           23 :     ptr = (uint8_t *)(size_t)spdm_request + sizeof(spdm_finish_request_t);
     532           23 :     if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
     533            1 :         opaque_data_size = libspdm_read_uint16((const uint8_t *)request +
     534              :                                                sizeof(spdm_finish_request_t));
     535            1 :         ptr += sizeof(uint16_t);
     536            1 :         if (request_size < sizeof(spdm_finish_request_t) +
     537            1 :             sizeof(uint16_t) + opaque_data_size) {
     538            0 :             return libspdm_generate_error_response(spdm_context,
     539              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     540              :                                                    response_size, response);
     541              :         }
     542            1 :         ptr += opaque_data_size;
     543            1 :         opaque_data_entry_size = sizeof(uint16_t) + opaque_data_size;
     544              :     } else {
     545           22 :         opaque_data_entry_size = 0;
     546              :     }
     547              : 
     548           23 :     if (request_size < sizeof(spdm_finish_request_t) + opaque_data_entry_size +
     549           23 :         signature_size + hmac_size) {
     550            1 :         return libspdm_generate_error_response(spdm_context,
     551              :                                                SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     552              :                                                response_size, response);
     553              :     }
     554           22 :     request_size = sizeof(spdm_finish_request_t) + opaque_data_entry_size +
     555           22 :                    signature_size + hmac_size;
     556              : 
     557           22 :     if ((spdm_request->header.param1 & SPDM_FINISH_REQUEST_ATTRIBUTES_SIGNATURE_INCLUDED) != 0) {
     558           13 :         req_slot_id = spdm_request->header.param2;
     559           13 :         if ((req_slot_id != 0xFF) && (req_slot_id >= SPDM_MAX_SLOT_COUNT)) {
     560            1 :             return libspdm_generate_error_response(spdm_context,
     561              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     562              :                                                    response_size, response);
     563              :         }
     564              : 
     565           12 :         if (libspdm_is_capabilities_flag_supported(
     566              :                 spdm_context, false,
     567              :                 SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     568              :                 SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     569           12 :             if (((session_info->mut_auth_requested ==
     570           11 :                   SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_ENCAP_REQUEST) ||
     571           11 :                  (session_info->mut_auth_requested ==
     572            1 :                   SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_GET_DIGESTS)) &&
     573            1 :                 (req_slot_id != spdm_context->encap_context.req_slot_id)) {
     574            1 :                 return libspdm_generate_error_response(spdm_context,
     575              :                                                        SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     576              :                                                        response_size, response);
     577              :             }
     578              :         }
     579              :     }
     580              : 
     581           20 :     libspdm_reset_message_buffer_via_request_code(spdm_context, session_info,
     582           20 :                                                   spdm_request->header.request_response_code);
     583              : 
     584           20 :     status = libspdm_append_message_f(spdm_context, session_info, false, request,
     585           20 :                                       request_size - (signature_size + hmac_size));
     586           20 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     587            0 :         return libspdm_generate_error_response(spdm_context,
     588              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     589              :                                                response_size, response);
     590              :     }
     591              : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     592           20 :     if (session_info->mut_auth_requested != 0) {
     593           11 :         result = libspdm_verify_finish_req_signature(
     594              :             spdm_context, session_info,
     595              :             ptr, signature_size);
     596           11 :         if (!result) {
     597            4 :             if ((spdm_context->handle_error_return_policy &
     598              :                  LIBSPDM_DATA_HANDLE_ERROR_RETURN_POLICY_DROP_ON_DECRYPT_ERROR) == 0) {
     599            4 :                 return libspdm_generate_error_response(
     600              :                     spdm_context, SPDM_ERROR_CODE_DECRYPT_ERROR, 0,
     601              :                     response_size, response);
     602              :             } else {
     603              :                 /**
     604              :                  * just ignore this message
     605              :                  * return UNSUPPORTED and clear response_size to continue the dispatch without send response.
     606              :                  **/
     607            0 :                 *response_size = 0;
     608            0 :                 return LIBSPDM_STATUS_UNSUPPORTED_CAP;
     609              :             }
     610              :         }
     611            7 :         status = libspdm_append_message_f(
     612              :             spdm_context, session_info, false,
     613              :             ptr, signature_size);
     614            7 :         if (LIBSPDM_STATUS_IS_ERROR(status)) {
     615            0 :             return libspdm_generate_error_response(
     616              :                 spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
     617              :                 0, response_size, response);
     618              :         }
     619              :     }
     620           16 :     ptr += signature_size;
     621              : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
     622              : 
     623           16 :     result = libspdm_verify_finish_req_hmac(
     624              :         spdm_context, session_info, ptr, hmac_size);
     625           16 :     if (!result) {
     626            2 :         if ((spdm_context->handle_error_return_policy &
     627              :              LIBSPDM_DATA_HANDLE_ERROR_RETURN_POLICY_DROP_ON_DECRYPT_ERROR) == 0) {
     628            2 :             return libspdm_generate_error_response(
     629              :                 spdm_context, SPDM_ERROR_CODE_DECRYPT_ERROR, 0,
     630              :                 response_size, response);
     631              :         } else {
     632              :             /**
     633              :              * just ignore this message
     634              :              * return UNSUPPORTED and clear response_size to continue the dispatch without send response
     635              :              **/
     636            0 :             *response_size = 0;
     637            0 :             return LIBSPDM_STATUS_UNSUPPORTED_CAP;
     638              :         }
     639              :     }
     640              : 
     641           14 :     status = libspdm_append_message_f(spdm_context, session_info, false,
     642              :                                       ptr, hmac_size);
     643           14 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     644            0 :         return libspdm_generate_error_response(spdm_context,
     645              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     646              :                                                response_size, response);
     647              :     }
     648              : 
     649           14 :     if (!libspdm_is_capabilities_flag_supported(
     650              :             spdm_context, false,
     651              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     652              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     653            2 :         hmac_size = 0;
     654              :     }
     655              : 
     656           14 :     if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
     657            1 :         opaque_data_entry_size = sizeof(uint16_t);
     658              :     } else {
     659           13 :         opaque_data_entry_size = 0;
     660              :     }
     661              : 
     662           14 :     LIBSPDM_ASSERT(*response_size >= sizeof(spdm_finish_response_t) +
     663              :                    opaque_data_entry_size + hmac_size);
     664           14 :     *response_size = sizeof(spdm_finish_response_t) + opaque_data_entry_size + hmac_size;
     665           14 :     libspdm_zero_mem(response, *response_size);
     666           14 :     spdm_response = response;
     667              : 
     668           14 :     spdm_response->header.spdm_version = spdm_request->header.spdm_version;
     669           14 :     spdm_response->header.request_response_code = SPDM_FINISH_RSP;
     670           14 :     spdm_response->header.param1 = 0;
     671           14 :     spdm_response->header.param2 = 0;
     672              : 
     673           14 :     ptr = (uint8_t *)spdm_response + sizeof(spdm_finish_response_t);
     674           14 :     if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
     675            1 :         opaque_data_size = 0;
     676            1 :         libspdm_write_uint16(ptr, (uint16_t)opaque_data_size);
     677            1 :         ptr += sizeof(uint16_t);
     678              :     }
     679              : 
     680           14 :     status = libspdm_append_message_f(spdm_context, session_info, false, spdm_response,
     681           14 :                                       (size_t)ptr - (size_t)spdm_response);
     682           14 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     683            0 :         return libspdm_generate_error_response(spdm_context,
     684              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     685              :                                                response_size, response);
     686              :     }
     687              : 
     688           14 :     if (libspdm_is_capabilities_flag_supported(
     689              :             spdm_context, false,
     690              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     691              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     692           12 :         result = libspdm_generate_finish_rsp_hmac(
     693              :             spdm_context, session_info, ptr);
     694           12 :         if (!result) {
     695            0 :             return libspdm_generate_error_response(
     696              :                 spdm_context,
     697              :                 SPDM_ERROR_CODE_UNSPECIFIED,
     698              :                 0, response_size, response);
     699              :         }
     700              : 
     701           12 :         status = libspdm_append_message_f(
     702              :             spdm_context, session_info, false,
     703              :             ptr, hmac_size);
     704           12 :         if (LIBSPDM_STATUS_IS_ERROR(status)) {
     705            0 :             return libspdm_generate_error_response(
     706              :                 spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
     707              :                 0, response_size, response);
     708              :         }
     709              :     }
     710              : 
     711           14 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_data_key[%x]\n", session_id));
     712           14 :     result = libspdm_calculate_th2_hash(spdm_context, session_info, false, th2_hash_data);
     713           14 :     if (!result) {
     714            0 :         return libspdm_generate_error_response(spdm_context,
     715              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     716              :                                                response_size, response);
     717              :     }
     718           14 :     result = libspdm_generate_session_data_key(
     719              :         session_info->secured_message_context, th2_hash_data);
     720           14 :     if (!result) {
     721            0 :         return libspdm_generate_error_response(spdm_context,
     722              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     723              :                                                response_size, response);
     724              :     }
     725              : 
     726              :     #if LIBSPDM_ENABLE_CAPABILITY_HBEAT_CAP
     727           14 :     if (libspdm_is_capabilities_flag_supported(
     728              :             spdm_context, false,
     729              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
     730              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
     731            0 :         result = libspdm_start_watchdog(
     732            0 :             session_id, spdm_context->local_context.heartbeat_period * 2);
     733            0 :         if (!result) {
     734            0 :             return libspdm_generate_error_response(spdm_context,
     735              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     736              :                                                    response_size, response);
     737              :         }
     738              :     }
     739              :     #endif /* LIBSPDM_ENABLE_CAPABILITY_HBEAT_CAP */
     740              : 
     741           14 :     return LIBSPDM_STATUS_SUCCESS;
     742              : }
     743              : 
     744              : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP */
        

Generated by: LCOV version 2.0-1