LCOV - code coverage report
Current view: top level - library/spdm_responder_lib - libspdm_rsp_key_exchange.c (source / functions) Coverage Total Hit
Test: coverage.info Lines: 71.4 % 269 192
Test Date: 2025-08-24 08:11:14 Functions: 100.0 % 3 3

            Line data    Source code
       1              : /**
       2              :  *  Copyright Notice:
       3              :  *  Copyright 2021-2025 DMTF. All rights reserved.
       4              :  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
       5              :  **/
       6              : 
       7              : #include "internal/libspdm_responder_lib.h"
       8              : #include "internal/libspdm_secured_message_lib.h"
       9              : 
      10              : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
      11              : 
      12            8 : bool libspdm_generate_key_exchange_rsp_hmac(libspdm_context_t *spdm_context,
      13              :                                             libspdm_session_info_t *session_info,
      14              :                                             uint8_t *hmac)
      15              : {
      16              :     uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
      17              :     size_t hash_size;
      18              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
      19              :     uint8_t slot_id;
      20              :     uint8_t *cert_chain_buffer;
      21              :     size_t cert_chain_buffer_size;
      22              :     uint8_t *th_curr_data;
      23              :     size_t th_curr_data_size;
      24              :     libspdm_th_managed_buffer_t th_curr;
      25              :     uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
      26              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
      27              :     bool result;
      28              : 
      29            8 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
      30              : 
      31              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
      32              :     slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
      33              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
      34              :     if (slot_id == 0xFF) {
      35              :         result = libspdm_get_local_public_key_buffer(
      36              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
      37              :     } else {
      38              :         result = libspdm_get_local_cert_chain_buffer(
      39              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
      40              :     }
      41              :     if (!result) {
      42              :         return false;
      43              :     }
      44              : 
      45              :     result = libspdm_calculate_th_for_exchange(
      46              :         spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
      47              :     if (!result) {
      48              :         return false;
      49              :     }
      50              :     th_curr_data = libspdm_get_managed_buffer(&th_curr);
      51              :     th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
      52              : 
      53              :     result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
      54              :                                th_curr_data, th_curr_data_size, hash_data);
      55              :     if (!result) {
      56              :         return false;
      57              :     }
      58              : 
      59              :     result = libspdm_hmac_all_with_response_finished_key(
      60              :         session_info->secured_message_context, hash_data, hash_size, hmac_data);
      61              :     if (!result) {
      62              :         return false;
      63              :     }
      64              : #else
      65            8 :     result = libspdm_calculate_th_hmac_for_exchange_rsp(
      66              :         spdm_context, session_info, false, &hash_size, hmac_data);
      67            8 :     if (!result) {
      68            0 :         return false;
      69              :     }
      70              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
      71            8 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
      72            8 :     LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
      73            8 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
      74            8 :     libspdm_copy_mem(hmac, hash_size, hmac_data, hash_size);
      75              : 
      76            8 :     return true;
      77              : }
      78              : 
      79           11 : bool libspdm_generate_key_exchange_rsp_signature(libspdm_context_t *spdm_context,
      80              :                                                  libspdm_session_info_t *session_info,
      81              :                                                  uint8_t *signature)
      82              : {
      83              :     bool result;
      84              :     size_t signature_size;
      85              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
      86              :     uint8_t slot_id;
      87              :     uint8_t *th_curr_data;
      88              :     size_t th_curr_data_size;
      89              :     libspdm_th_managed_buffer_t th_curr;
      90              :     const uint8_t *cert_chain_buffer;
      91              :     size_t cert_chain_buffer_size;
      92              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
      93              : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
      94              :     !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
      95              :     uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
      96              : #endif
      97              : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
      98              :     size_t hash_size;
      99              : 
     100           11 :     hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
     101              : #endif
     102              : 
     103           11 :     if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
     104            0 :         signature_size = libspdm_get_pqc_asym_signature_size(
     105              :             spdm_context->connection_info.algorithm.pqc_asym_algo);
     106              :     } else {
     107           11 :         signature_size = libspdm_get_asym_signature_size(
     108              :             spdm_context->connection_info.algorithm.base_asym_algo);
     109              :     }
     110              : 
     111              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     112              :     slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
     113              :     LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
     114              :     if (slot_id == 0xFF) {
     115              :         result = libspdm_get_local_public_key_buffer(
     116              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     117              :     } else {
     118              :         result = libspdm_get_local_cert_chain_buffer(
     119              :             spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
     120              :     }
     121              :     if (!result) {
     122              :         return false;
     123              :     }
     124              : 
     125              :     result = libspdm_calculate_th_for_exchange(
     126              :         spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
     127              :     if (!result) {
     128              :         return false;
     129              :     }
     130              :     th_curr_data = libspdm_get_managed_buffer(&th_curr);
     131              :     th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
     132              : 
     133              :     /* Debug code only - required for debug print of th_curr hash below*/
     134              :     LIBSPDM_DEBUG_CODE(
     135              :         if (!libspdm_hash_all(
     136              :                 spdm_context->connection_info.algorithm.base_hash_algo,
     137              :                 th_curr_data, th_curr_data_size, hash_data)) {
     138              :         return false;
     139              :     }
     140              :         );
     141              : #else
     142           11 :     result = libspdm_calculate_th_hash_for_exchange(
     143              :         spdm_context, session_info, &hash_size, hash_data);
     144           11 :     if (!result) {
     145            0 :         return false;
     146              :     }
     147              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
     148           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
     149           11 :     LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
     150           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     151              : 
     152              : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
     153              :     result = libspdm_responder_data_sign(
     154              : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
     155              :         spdm_context,
     156              : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
     157              :         spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
     158              :         spdm_context->connection_info.algorithm.base_asym_algo,
     159              :         spdm_context->connection_info.algorithm.pqc_asym_algo,
     160              :         spdm_context->connection_info.algorithm.base_hash_algo,
     161              :         false, th_curr_data, th_curr_data_size, signature, &signature_size);
     162              : #else
     163           11 :     result = libspdm_responder_data_sign(
     164              : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
     165              :         spdm_context,
     166              : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
     167           11 :         spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
     168              :         spdm_context->connection_info.algorithm.base_asym_algo,
     169              :         spdm_context->connection_info.algorithm.pqc_asym_algo,
     170              :         spdm_context->connection_info.algorithm.base_hash_algo,
     171              :         true, hash_data, hash_size, signature, &signature_size);
     172              : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
     173           11 :     if (result) {
     174           11 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
     175           11 :         LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
     176           11 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
     177              :     }
     178           11 :     return result;
     179              : }
     180              : 
     181           23 : libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_context,
     182              :                                                    size_t request_size,
     183              :                                                    const void *request,
     184              :                                                    size_t *response_size,
     185              :                                                    void *response)
     186              : {
     187              :     const spdm_key_exchange_request_t *spdm_request;
     188              :     spdm_key_exchange_response_t *spdm_response;
     189              :     size_t dhe_key_size;
     190              :     size_t kem_encap_key_size;
     191              :     size_t kem_cipher_text_size;
     192              :     size_t req_key_exchage_size;
     193              :     size_t rsp_key_exchage_size;
     194              :     uint32_t measurement_summary_hash_size;
     195              :     uint32_t signature_size;
     196              :     uint32_t hmac_size;
     197              :     const uint8_t *cptr;
     198              :     uint8_t *ptr;
     199              :     uint16_t opaque_data_length;
     200              :     bool result;
     201              :     uint8_t slot_id;
     202              :     uint32_t session_id;
     203              :     void *dhe_context;
     204              :     void *kem_context;
     205              :     libspdm_session_info_t *session_info;
     206              :     size_t total_size;
     207              :     uint16_t req_session_id;
     208              :     uint16_t rsp_session_id;
     209              :     libspdm_return_t status;
     210              :     size_t opaque_key_exchange_rsp_size;
     211              :     uint8_t th1_hash_data[LIBSPDM_MAX_HASH_SIZE];
     212              : 
     213           23 :     spdm_request = request;
     214              : 
     215              :     /* -=[Check Parameters Phase]=- */
     216           23 :     LIBSPDM_ASSERT(spdm_request->header.request_response_code == SPDM_KEY_EXCHANGE);
     217              : 
     218           23 :     if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
     219            0 :         return libspdm_generate_error_response(spdm_context,
     220              :                                                SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
     221              :                                                SPDM_KEY_EXCHANGE,
     222              :                                                response_size, response);
     223              :     }
     224              : 
     225           23 :     if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
     226            0 :         return libspdm_generate_error_response(spdm_context,
     227              :                                                SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
     228              :                                                response_size, response);
     229              :     }
     230           23 :     if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_NORMAL) {
     231            3 :         return libspdm_responder_handle_response_state(
     232              :             spdm_context,
     233            3 :             spdm_request->header.request_response_code,
     234              :             response_size, response);
     235              :     }
     236           20 :     if (!libspdm_is_capabilities_flag_supported(
     237              :             spdm_context, false,
     238              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
     239              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
     240            0 :         return libspdm_generate_error_response(
     241              :             spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
     242              :             SPDM_KEY_EXCHANGE, response_size, response);
     243              :     }
     244              : 
     245              :     /* While clearing MAC_CAP and setting ENCRYPT_CAP is legal according to DSP0274, libspdm
     246              :      * also implements DSP0277 secure messages, which requires at least MAC_CAP to be set.
     247              :      */
     248           20 :     if (!libspdm_is_capabilities_flag_supported(
     249              :             spdm_context, false,
     250              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MAC_CAP,
     251              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) {
     252            0 :         return libspdm_generate_error_response(
     253              :             spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
     254              :             SPDM_KEY_EXCHANGE, response_size, response);
     255              :     }
     256              : 
     257           20 :     if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
     258            1 :         return libspdm_generate_error_response(spdm_context,
     259              :                                                SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
     260              :                                                0, response_size, response);
     261              :     }
     262           19 :     if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
     263            6 :         if ((spdm_context->connection_info.algorithm.other_params_support &
     264              :              SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_MASK) != SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_1) {
     265            0 :             return libspdm_generate_error_response(
     266              :                 spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
     267              :                 0, response_size, response);
     268              :         }
     269              :     }
     270           19 :     if (spdm_context->last_spdm_request_session_id_valid) {
     271            0 :         return libspdm_generate_error_response(spdm_context,
     272              :                                                SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
     273              :                                                0, response_size, response);
     274              :     }
     275              : 
     276           19 :     if (spdm_request->header.param1 > 0) {
     277            4 :         if (!libspdm_is_capabilities_flag_supported(
     278              :                 spdm_context, false,
     279            3 :                 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) ||
     280            3 :             (spdm_context->connection_info.algorithm.measurement_spec == 0) ||
     281            3 :             (spdm_context->connection_info.algorithm.measurement_hash_algo == 0) ) {
     282            1 :             return libspdm_generate_error_response(
     283              :                 spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
     284              :                 0, response_size, response);
     285              :         }
     286              :     }
     287              : 
     288           18 :     slot_id = spdm_request->header.param2;
     289              : 
     290           18 :     if (libspdm_is_capabilities_flag_supported(
     291              :             spdm_context, false,
     292              :             0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP)) {
     293           16 :         if (slot_id >= SPDM_MAX_SLOT_COUNT) {
     294            1 :             return libspdm_generate_error_response(spdm_context,
     295              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     296              :                                                    response_size, response);
     297              :         }
     298           15 :         if (spdm_context->local_context.local_cert_chain_provision[slot_id] == NULL) {
     299            0 :             return libspdm_generate_error_response(spdm_context,
     300              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     301              :                                                    response_size, response);
     302              :         }
     303              :     } else {
     304            2 :         if (slot_id != 0xff) {
     305            1 :             return libspdm_generate_error_response(spdm_context,
     306              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     307              :                                                    response_size, response);
     308              :         }
     309            1 :         if (spdm_context->local_context.local_public_key_provision == NULL) {
     310            0 :             return libspdm_generate_error_response(spdm_context,
     311              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     312              :                                                    response_size, response);
     313              :         }
     314              :     }
     315              : 
     316           16 :     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
     317            3 :         if (spdm_context->connection_info.multi_key_conn_rsp && (slot_id != 0xff)) {
     318            1 :             if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
     319              :                  SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE) == 0) {
     320            1 :                 return libspdm_generate_error_response(
     321              :                     spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST, 0, response_size, response);
     322              :             }
     323              :         }
     324              : 
     325            2 :         if ((spdm_request->session_policy &
     326              :              SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
     327            2 :             if (!libspdm_is_capabilities_flag_supported(
     328              :                     spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_EVENT_CAP)) {
     329            0 :                 return libspdm_generate_error_response(spdm_context,
     330              :                                                        SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     331              :                                                        response_size, response);
     332              :             }
     333              :         }
     334              :     }
     335           15 :     spdm_context->connection_info.local_used_cert_chain_slot_id = slot_id;
     336              : 
     337           15 :     if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
     338            0 :         signature_size = libspdm_get_pqc_asym_signature_size(
     339              :             spdm_context->connection_info.algorithm.pqc_asym_algo);
     340              :     } else {
     341           15 :         signature_size = libspdm_get_asym_signature_size(
     342              :             spdm_context->connection_info.algorithm.base_asym_algo);
     343              :     }
     344           15 :     hmac_size = libspdm_get_hash_size(
     345              :         spdm_context->connection_info.algorithm.base_hash_algo);
     346           15 :     if (spdm_context->connection_info.algorithm.kem_alg != 0) {
     347            0 :         kem_encap_key_size = libspdm_get_kem_encap_key_size(
     348              :             spdm_context->connection_info.algorithm.kem_alg);
     349            0 :         kem_cipher_text_size = libspdm_get_kem_cipher_text_size(
     350              :             spdm_context->connection_info.algorithm.kem_alg);
     351            0 :         req_key_exchage_size = kem_encap_key_size;
     352            0 :         rsp_key_exchage_size = kem_cipher_text_size;
     353              :     } else {
     354           30 :         dhe_key_size = libspdm_get_dhe_pub_key_size(
     355           15 :             spdm_context->connection_info.algorithm.dhe_named_group);
     356           15 :         req_key_exchage_size = dhe_key_size;
     357           15 :         rsp_key_exchage_size = dhe_key_size;
     358              :     }
     359           15 :     measurement_summary_hash_size = libspdm_get_measurement_summary_hash_size(
     360           15 :         spdm_context, false, spdm_request->header.param1);
     361              : 
     362           15 :     if ((measurement_summary_hash_size == 0) &&
     363           13 :         (spdm_request->header.param1 != SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH)) {
     364            1 :         return libspdm_generate_error_response(spdm_context,
     365              :                                                SPDM_ERROR_CODE_INVALID_REQUEST,
     366              :                                                0, response_size, response);
     367              :     }
     368           14 :     if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
     369              :         sizeof(uint16_t)) {
     370            1 :         return libspdm_generate_error_response(spdm_context,
     371              :                                                SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     372              :                                                response_size, response);
     373              :     }
     374           13 :     opaque_data_length = libspdm_read_uint16((const uint8_t *)request +
     375           13 :                                              sizeof(spdm_key_exchange_request_t) +
     376              :                                              req_key_exchage_size);
     377           13 :     if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
     378           13 :         sizeof(uint16_t) + opaque_data_length) {
     379            0 :         return libspdm_generate_error_response(spdm_context,
     380              :                                                SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     381              :                                                response_size, response);
     382              :     }
     383           13 :     request_size = sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
     384           13 :                    sizeof(uint16_t) + opaque_data_length;
     385              : 
     386           13 :     if (opaque_data_length != 0) {
     387           13 :         cptr = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
     388           13 :                req_key_exchage_size + sizeof(uint16_t);
     389           13 :         result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length, cptr);
     390           13 :         if (!result) {
     391            0 :             return libspdm_generate_error_response(spdm_context,
     392              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     393              :                                                    response_size, response);
     394              :         }
     395           13 :         status = libspdm_process_opaque_data_supported_version_data(
     396              :             spdm_context, opaque_data_length, cptr);
     397           13 :         if (LIBSPDM_STATUS_IS_ERROR(status)) {
     398            0 :             return libspdm_generate_error_response(spdm_context,
     399              :                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
     400              :                                                    response_size, response);
     401              :         }
     402              :     }
     403              : 
     404           13 :     opaque_key_exchange_rsp_size =
     405           13 :         libspdm_get_opaque_data_version_selection_data_size(spdm_context);
     406              : 
     407           13 :     libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
     408           13 :                                                   spdm_request->header.request_response_code);
     409              : 
     410           13 :     if (libspdm_is_capabilities_flag_supported(
     411              :             spdm_context, false,
     412              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     413              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     414            3 :         hmac_size = 0;
     415              :     }
     416              : 
     417           13 :     total_size = sizeof(spdm_key_exchange_response_t) + rsp_key_exchage_size +
     418           13 :                  measurement_summary_hash_size + sizeof(uint16_t) +
     419           13 :                  opaque_key_exchange_rsp_size + signature_size + hmac_size;
     420              : 
     421           13 :     LIBSPDM_ASSERT(*response_size >= total_size);
     422           13 :     *response_size = total_size;
     423           13 :     libspdm_zero_mem(response, *response_size);
     424           13 :     spdm_response = response;
     425              : 
     426           13 :     spdm_response->header.spdm_version = spdm_request->header.spdm_version;
     427           13 :     spdm_response->header.request_response_code = SPDM_KEY_EXCHANGE_RSP;
     428              : 
     429           13 :     if (libspdm_is_capabilities_flag_supported(
     430              :             spdm_context, false,
     431              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
     432              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
     433            0 :         spdm_response->header.param1 = spdm_context->local_context.heartbeat_period;
     434              :     } else {
     435           13 :         spdm_response->header.param1 = 0x00;
     436              :     }
     437              : 
     438           13 :     req_session_id = spdm_request->req_session_id;
     439           13 :     rsp_session_id = libspdm_allocate_rsp_session_id(spdm_context, false);
     440           13 :     if (rsp_session_id == ((INVALID_SESSION_ID & 0xFFFF0000) >> 16)) {
     441            0 :         return libspdm_generate_error_response(
     442              :             spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
     443              :             response_size, response);
     444              :     }
     445           13 :     session_id = libspdm_generate_session_id(req_session_id, rsp_session_id);
     446           13 :     session_info = libspdm_assign_session_id(spdm_context, session_id, false);
     447           13 :     if (session_info == NULL) {
     448            0 :         return libspdm_generate_error_response(
     449              :             spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
     450              :             response_size, response);
     451              :     }
     452              : 
     453           13 :     if (libspdm_is_capabilities_flag_supported(
     454              :             spdm_context, false,
     455              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
     456              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
     457            0 :         session_info->heartbeat_period = spdm_context->local_context.heartbeat_period;
     458              :     } else {
     459           13 :         session_info->heartbeat_period = 0x00;
     460              :     }
     461              : 
     462           13 :     spdm_response->rsp_session_id = rsp_session_id;
     463           13 :     spdm_response->mut_auth_requested = 0;
     464              : 
     465           13 :     if (libspdm_is_capabilities_flag_supported(
     466              :             spdm_context, false,
     467              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP,
     468              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
     469            0 :         spdm_response->mut_auth_requested =
     470            0 :             spdm_context->local_context.mut_auth_requested;
     471           13 :     } else if (spdm_context->local_context.mandatory_mut_auth) {
     472            2 :         LIBSPDM_ASSERT(spdm_context->local_context.capability.flags &
     473              :                        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
     474            2 :         if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
     475            1 :             return libspdm_generate_error_response(spdm_context,
     476              :                                                    SPDM_ERROR_CODE_INVALID_POLICY, 0,
     477              :                                                    response_size, response);
     478              :         } else {
     479            1 :             return libspdm_generate_error_response(spdm_context,
     480              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     481              :                                                    response_size, response);
     482              :         }
     483              :     }
     484              : 
     485           11 :     if (spdm_response->mut_auth_requested != 0) {
     486              : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     487            0 :         spdm_context->connection_info.peer_used_cert_chain_slot_id =
     488            0 :             spdm_context->encap_context.req_slot_id;
     489            0 :         libspdm_init_mut_auth_encap_state(spdm_context, spdm_response->mut_auth_requested);
     490            0 :         if (spdm_response->mut_auth_requested == SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED) {
     491              :             /* no need to libspdm_init_mut_auth_encap_state() because of no ENCAP message */
     492            0 :             spdm_response->req_slot_id_param = spdm_context->encap_context.req_slot_id & 0xF;
     493              :         } else {
     494              :             /* req_slot_id is always 0 if ENCAP message is needed */
     495            0 :             spdm_response->req_slot_id_param = 0;
     496              :         }
     497              : #else
     498              :         spdm_response->mut_auth_requested = 0;
     499              :         spdm_response->req_slot_id_param = 0;
     500              : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
     501              :     } else {
     502           11 :         spdm_response->req_slot_id_param = 0;
     503              :     }
     504              : 
     505           11 :     if (!libspdm_get_random_number(SPDM_RANDOM_DATA_SIZE, spdm_response->random_data)) {
     506            0 :         libspdm_free_session_id(spdm_context, session_id);
     507            0 :         return libspdm_generate_error_response(spdm_context,
     508              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     509              :                                                response_size, response);
     510              :     }
     511              : 
     512           11 :     ptr = (void *)(spdm_response + 1);
     513           11 :     if (spdm_context->connection_info.algorithm.kem_alg != 0) {
     514            0 :         kem_context = libspdm_secured_message_kem_new(
     515            0 :             spdm_context->connection_info.version,
     516              :             spdm_context->connection_info.algorithm.kem_alg, false);
     517            0 :         if (kem_context == NULL) {
     518            0 :             libspdm_free_session_id(spdm_context, session_id);
     519            0 :             return libspdm_generate_error_response(spdm_context,
     520              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     521              :                                                    response_size, response);
     522              :         }
     523              : 
     524            0 :         result = libspdm_secured_message_kem_encapsulate(
     525              :             spdm_context->connection_info.algorithm.kem_alg,
     526              :             kem_context,
     527              :             (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
     528              :             kem_encap_key_size, ptr, &kem_cipher_text_size, session_info->secured_message_context);
     529            0 :         libspdm_secured_message_kem_free(
     530              :             spdm_context->connection_info.algorithm.kem_alg,
     531              :             kem_context);
     532            0 :         if (!result) {
     533            0 :             libspdm_free_session_id(spdm_context, session_id);
     534            0 :             return libspdm_generate_error_response(spdm_context,
     535              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     536              :                                                    response_size, response);
     537              :         }
     538              : 
     539            0 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc Self cipher_text (0x%zx):\n", kem_cipher_text_size));
     540            0 :         LIBSPDM_INTERNAL_DUMP_HEX(ptr, kem_cipher_text_size);
     541              : 
     542            0 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer encap_key (0x%zx):\n", kem_encap_key_size));
     543            0 :         LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
     544              :                                   sizeof(spdm_key_exchange_request_t),
     545              :                                   kem_encap_key_size);
     546              : 
     547            0 :         ptr += kem_cipher_text_size;
     548              :     } else {
     549           11 :         dhe_context = libspdm_secured_message_dhe_new(
     550           11 :             spdm_context->connection_info.version,
     551           11 :             spdm_context->connection_info.algorithm.dhe_named_group, false);
     552           11 :         if (dhe_context == NULL) {
     553            0 :             libspdm_free_session_id(spdm_context, session_id);
     554            0 :             return libspdm_generate_error_response(spdm_context,
     555              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     556              :                                                    response_size, response);
     557              :         }
     558              : 
     559           11 :         result = libspdm_secured_message_dhe_generate_key(
     560           11 :             spdm_context->connection_info.algorithm.dhe_named_group,
     561              :             dhe_context, ptr, &dhe_key_size);
     562           11 :         if (!result) {
     563            0 :             libspdm_secured_message_dhe_free(
     564            0 :                 spdm_context->connection_info.algorithm.dhe_named_group,
     565              :                 dhe_context);
     566            0 :             libspdm_free_session_id(spdm_context, session_id);
     567            0 :             return libspdm_generate_error_response(spdm_context,
     568              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     569              :                                                    response_size, response);
     570              :         }
     571              : 
     572           11 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc SelfKey (0x%zx):\n", dhe_key_size));
     573           11 :         LIBSPDM_INTERNAL_DUMP_HEX(ptr, dhe_key_size);
     574              : 
     575           11 :         LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer_key (0x%zx):\n", dhe_key_size));
     576           11 :         LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
     577              :                                   sizeof(spdm_key_exchange_request_t),
     578              :                                   dhe_key_size);
     579              : 
     580           11 :         result = libspdm_secured_message_dhe_compute_key(
     581           11 :             spdm_context->connection_info.algorithm.dhe_named_group,
     582              :             dhe_context,
     583              :             (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
     584              :             dhe_key_size, session_info->secured_message_context);
     585           11 :         libspdm_secured_message_dhe_free(
     586           11 :             spdm_context->connection_info.algorithm.dhe_named_group, dhe_context);
     587           11 :         if (!result) {
     588            0 :             libspdm_free_session_id(spdm_context, session_id);
     589            0 :             return libspdm_generate_error_response(spdm_context,
     590              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     591              :                                                    response_size, response);
     592              :         }
     593              : 
     594           11 :         ptr += dhe_key_size;
     595              :     }
     596              : 
     597              : #if LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP
     598           11 :     if (libspdm_is_capabilities_flag_supported(
     599            2 :             spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) &&
     600            2 :         ((spdm_request->header.param1 == SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH) ||
     601            1 :          (spdm_request->header.param1 == SPDM_REQUEST_ALL_MEASUREMENTS_HASH))) {
     602            2 :         result = libspdm_generate_measurement_summary_hash(
     603              : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
     604              :             spdm_context,
     605              : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
     606            2 :             spdm_context->connection_info.version,
     607              :             spdm_context->connection_info.algorithm.base_hash_algo,
     608            2 :             spdm_context->connection_info.algorithm.measurement_spec,
     609              :             spdm_context->connection_info.algorithm.measurement_hash_algo,
     610            2 :             spdm_request->header.param1,
     611              :             ptr,
     612              :             measurement_summary_hash_size);
     613              : 
     614            2 :         if (!result) {
     615            0 :             libspdm_free_session_id(spdm_context, session_id);
     616            0 :             return libspdm_generate_error_response(spdm_context,
     617              :                                                    SPDM_ERROR_CODE_UNSPECIFIED, 0,
     618              :                                                    response_size, response);
     619              :         }
     620              :     }
     621              : #endif /* LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP */
     622              : 
     623           11 :     ptr += measurement_summary_hash_size;
     624              : 
     625           11 :     libspdm_write_uint16(ptr, (uint16_t)opaque_key_exchange_rsp_size);
     626           11 :     ptr += sizeof(uint16_t);
     627           11 :     libspdm_build_opaque_data_version_selection_data(
     628              :         spdm_context, &opaque_key_exchange_rsp_size, ptr);
     629           11 :     ptr += opaque_key_exchange_rsp_size;
     630              : 
     631           11 :     if (slot_id != 0xFF) {
     632           10 :         spdm_context->connection_info.local_used_cert_chain_buffer =
     633           10 :             spdm_context->local_context.local_cert_chain_provision[slot_id];
     634           10 :         spdm_context->connection_info.local_used_cert_chain_buffer_size =
     635           10 :             spdm_context->local_context.local_cert_chain_provision_size[slot_id];
     636              :     }
     637              : 
     638           11 :     status = libspdm_append_message_k(spdm_context, session_info, false, request, request_size);
     639           11 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     640            0 :         libspdm_free_session_id(spdm_context, session_id);
     641            0 :         return libspdm_generate_error_response(spdm_context,
     642              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     643              :                                                response_size, response);
     644              :     }
     645              : 
     646           11 :     status = libspdm_append_message_k(spdm_context, session_info, false, spdm_response,
     647           11 :                                       (size_t)ptr - (size_t)spdm_response);
     648           11 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     649            0 :         libspdm_free_session_id(spdm_context, session_id);
     650            0 :         return libspdm_generate_error_response(spdm_context,
     651              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     652              :                                                response_size, response);
     653              :     }
     654           11 :     result = libspdm_generate_key_exchange_rsp_signature(spdm_context, session_info, ptr);
     655           11 :     if (!result) {
     656            0 :         libspdm_free_session_id(spdm_context, session_id);
     657            0 :         return libspdm_generate_error_response(
     658              :             spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
     659              :             0, response_size, response);
     660              :     }
     661              : 
     662           11 :     status = libspdm_append_message_k(spdm_context, session_info, false, ptr, signature_size);
     663           11 :     if (LIBSPDM_STATUS_IS_ERROR(status)) {
     664            0 :         libspdm_free_session_id(spdm_context, session_id);
     665            0 :         return libspdm_generate_error_response(spdm_context,
     666              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     667              :                                                response_size, response);
     668              :     }
     669              : 
     670           11 :     LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_handshake_key[%x]\n", session_id));
     671           11 :     result = libspdm_calculate_th1_hash(spdm_context, session_info, false, th1_hash_data);
     672           11 :     if (!result) {
     673            0 :         libspdm_free_session_id(spdm_context, session_id);
     674            0 :         return libspdm_generate_error_response(spdm_context,
     675              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     676              :                                                response_size, response);
     677              :     }
     678           11 :     result = libspdm_generate_session_handshake_key(
     679              :         session_info->secured_message_context, th1_hash_data);
     680           11 :     if (!result) {
     681            0 :         libspdm_free_session_id(spdm_context, session_id);
     682            0 :         return libspdm_generate_error_response(spdm_context,
     683              :                                                SPDM_ERROR_CODE_UNSPECIFIED, 0,
     684              :                                                response_size, response);
     685              :     }
     686              : 
     687           11 :     ptr += signature_size;
     688              : 
     689           11 :     if (!libspdm_is_capabilities_flag_supported(
     690              :             spdm_context, false,
     691              :             SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
     692              :             SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
     693            8 :         result = libspdm_generate_key_exchange_rsp_hmac(spdm_context, session_info, ptr);
     694            8 :         if (!result) {
     695            0 :             libspdm_free_session_id(spdm_context, session_id);
     696            0 :             return libspdm_generate_error_response(
     697              :                 spdm_context,
     698              :                 SPDM_ERROR_CODE_UNSPECIFIED,
     699              :                 0, response_size, response);
     700              :         }
     701            8 :         status = libspdm_append_message_k(spdm_context, session_info, false, ptr, hmac_size);
     702            8 :         if (LIBSPDM_STATUS_IS_ERROR(status)) {
     703            0 :             libspdm_free_session_id(spdm_context, session_id);
     704            0 :             return libspdm_generate_error_response(
     705              :                 spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
     706              :                 0, response_size, response);
     707              :         }
     708              : 
     709            8 :         ptr += hmac_size;
     710              :     }
     711              : 
     712              :     #if LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP
     713           11 :     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
     714            1 :         if ((spdm_request->session_policy &
     715              :              SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
     716            1 :             if (!libspdm_event_subscribe(spdm_context, spdm_context->connection_info.version,
     717              :                                          session_id, LIBSPDM_EVENT_SUBSCRIBE_ALL, 0, 0, NULL)) {
     718            0 :                 libspdm_free_session_id(spdm_context, session_id);
     719            0 :                 return libspdm_generate_error_response(spdm_context,
     720              :                                                        SPDM_ERROR_CODE_UNSPECIFIED, 0,
     721              :                                                        response_size, response);
     722              :             }
     723              :         }
     724              :     }
     725              :     #endif /* LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP */
     726              : 
     727           11 :     session_info->mut_auth_requested = spdm_response->mut_auth_requested;
     728           11 :     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
     729            3 :         session_info->session_policy = spdm_request->session_policy;
     730              :     }
     731           11 :     libspdm_set_session_state(spdm_context, session_id, LIBSPDM_SESSION_STATE_HANDSHAKING);
     732              : 
     733           11 :     return LIBSPDM_STATUS_SUCCESS;
     734              : }
     735              : 
     736              : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP */
        

Generated by: LCOV version 2.0-1