Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 8 : bool libspdm_generate_key_exchange_rsp_hmac(libspdm_context_t *spdm_context,
13 : libspdm_session_info_t *session_info,
14 : uint8_t *hmac)
15 : {
16 : uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
17 : size_t hash_size;
18 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
19 : uint8_t slot_id;
20 : uint8_t *cert_chain_buffer;
21 : size_t cert_chain_buffer_size;
22 : uint8_t *th_curr_data;
23 : size_t th_curr_data_size;
24 : libspdm_th_managed_buffer_t th_curr;
25 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
26 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
27 : bool result;
28 :
29 8 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
30 :
31 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
32 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
33 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
34 : if (slot_id == 0xFF) {
35 : result = libspdm_get_local_public_key_buffer(
36 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
37 : } else {
38 : result = libspdm_get_local_cert_chain_buffer(
39 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
40 : }
41 : if (!result) {
42 : return false;
43 : }
44 :
45 : result = libspdm_calculate_th_for_exchange(
46 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
47 : if (!result) {
48 : return false;
49 : }
50 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
51 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
52 :
53 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
54 : th_curr_data, th_curr_data_size, hash_data);
55 : if (!result) {
56 : return false;
57 : }
58 :
59 : result = libspdm_hmac_all_with_response_finished_key(
60 : session_info->secured_message_context, hash_data, hash_size, hmac_data);
61 : if (!result) {
62 : return false;
63 : }
64 : #else
65 8 : result = libspdm_calculate_th_hmac_for_exchange_rsp(
66 : spdm_context, session_info, false, &hash_size, hmac_data);
67 8 : if (!result) {
68 0 : return false;
69 : }
70 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
71 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
72 8 : LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
73 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
74 8 : libspdm_copy_mem(hmac, hash_size, hmac_data, hash_size);
75 :
76 8 : return true;
77 : }
78 :
79 11 : bool libspdm_generate_key_exchange_rsp_signature(libspdm_context_t *spdm_context,
80 : libspdm_session_info_t *session_info,
81 : uint8_t *signature)
82 : {
83 : bool result;
84 : size_t signature_size;
85 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
86 : uint8_t slot_id;
87 : uint8_t *th_curr_data;
88 : size_t th_curr_data_size;
89 : libspdm_th_managed_buffer_t th_curr;
90 : const uint8_t *cert_chain_buffer;
91 : size_t cert_chain_buffer_size;
92 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
93 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
94 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
95 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
96 : #endif
97 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
98 : size_t hash_size;
99 :
100 11 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
101 : #endif
102 :
103 11 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
104 0 : signature_size = libspdm_get_pqc_asym_signature_size(
105 : spdm_context->connection_info.algorithm.pqc_asym_algo);
106 : } else {
107 11 : signature_size = libspdm_get_asym_signature_size(
108 : spdm_context->connection_info.algorithm.base_asym_algo);
109 : }
110 :
111 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
112 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
113 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
114 : if (slot_id == 0xFF) {
115 : result = libspdm_get_local_public_key_buffer(
116 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
117 : } else {
118 : result = libspdm_get_local_cert_chain_buffer(
119 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
120 : }
121 : if (!result) {
122 : return false;
123 : }
124 :
125 : result = libspdm_calculate_th_for_exchange(
126 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
127 : if (!result) {
128 : return false;
129 : }
130 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
131 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
132 :
133 : /* Debug code only - required for debug print of th_curr hash below*/
134 : LIBSPDM_DEBUG_CODE(
135 : if (!libspdm_hash_all(
136 : spdm_context->connection_info.algorithm.base_hash_algo,
137 : th_curr_data, th_curr_data_size, hash_data)) {
138 : return false;
139 : }
140 : );
141 : #else
142 11 : result = libspdm_calculate_th_hash_for_exchange(
143 : spdm_context, session_info, &hash_size, hash_data);
144 11 : if (!result) {
145 0 : return false;
146 : }
147 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
148 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
149 11 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
150 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
151 :
152 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
153 : result = libspdm_responder_data_sign(
154 : spdm_context,
155 : spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
156 : spdm_context->connection_info.algorithm.base_asym_algo,
157 : spdm_context->connection_info.algorithm.pqc_asym_algo,
158 : spdm_context->connection_info.algorithm.base_hash_algo,
159 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
160 : #else
161 11 : result = libspdm_responder_data_sign(
162 : spdm_context,
163 11 : spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
164 : spdm_context->connection_info.algorithm.base_asym_algo,
165 : spdm_context->connection_info.algorithm.pqc_asym_algo,
166 : spdm_context->connection_info.algorithm.base_hash_algo,
167 : true, hash_data, hash_size, signature, &signature_size);
168 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
169 11 : if (result) {
170 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
171 11 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
172 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
173 : }
174 11 : return result;
175 : }
176 :
177 23 : libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_context,
178 : size_t request_size,
179 : const void *request,
180 : size_t *response_size,
181 : void *response)
182 : {
183 : const spdm_key_exchange_request_t *spdm_request;
184 : spdm_key_exchange_response_t *spdm_response;
185 : size_t dhe_key_size;
186 : size_t kem_encap_key_size;
187 : size_t kem_cipher_text_size;
188 : size_t req_key_exchage_size;
189 : size_t rsp_key_exchage_size;
190 : uint32_t measurement_summary_hash_size;
191 : uint32_t signature_size;
192 : uint32_t hmac_size;
193 : const uint8_t *cptr;
194 : uint8_t *ptr;
195 : uint16_t opaque_data_length;
196 : bool result;
197 : uint8_t slot_id;
198 : uint32_t session_id;
199 : void *dhe_context;
200 : void *kem_context;
201 : libspdm_session_info_t *session_info;
202 : size_t total_size;
203 : uint16_t req_session_id;
204 : uint16_t rsp_session_id;
205 : libspdm_return_t status;
206 : size_t opaque_key_exchange_rsp_size;
207 : uint8_t th1_hash_data[LIBSPDM_MAX_HASH_SIZE];
208 :
209 23 : spdm_request = request;
210 :
211 : /* -=[Check Parameters Phase]=- */
212 23 : LIBSPDM_ASSERT(spdm_request->header.request_response_code == SPDM_KEY_EXCHANGE);
213 :
214 23 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
215 0 : return libspdm_generate_error_response(spdm_context,
216 : SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
217 : SPDM_KEY_EXCHANGE,
218 : response_size, response);
219 : }
220 :
221 23 : if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
222 0 : return libspdm_generate_error_response(spdm_context,
223 : SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
224 : response_size, response);
225 : }
226 23 : if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_NORMAL) {
227 3 : return libspdm_responder_handle_response_state(
228 : spdm_context,
229 3 : spdm_request->header.request_response_code,
230 : response_size, response);
231 : }
232 20 : if (!libspdm_is_capabilities_flag_supported(
233 : spdm_context, false,
234 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
235 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
236 0 : return libspdm_generate_error_response(
237 : spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
238 : SPDM_KEY_EXCHANGE, response_size, response);
239 : }
240 :
241 : /* While clearing MAC_CAP and setting ENCRYPT_CAP is legal according to DSP0274, libspdm
242 : * also implements DSP0277 secure messages, which requires at least MAC_CAP to be set.
243 : */
244 20 : if (!libspdm_is_capabilities_flag_supported(
245 : spdm_context, false,
246 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MAC_CAP,
247 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) {
248 0 : return libspdm_generate_error_response(
249 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
250 : SPDM_KEY_EXCHANGE, response_size, response);
251 : }
252 :
253 20 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
254 1 : return libspdm_generate_error_response(spdm_context,
255 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
256 : 0, response_size, response);
257 : }
258 19 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
259 6 : if ((spdm_context->connection_info.algorithm.other_params_support &
260 : SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_MASK) != SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_1) {
261 0 : return libspdm_generate_error_response(
262 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
263 : 0, response_size, response);
264 : }
265 : }
266 19 : if (spdm_context->last_spdm_request_session_id_valid) {
267 0 : return libspdm_generate_error_response(spdm_context,
268 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
269 : 0, response_size, response);
270 : }
271 :
272 19 : if (spdm_request->header.param1 > 0) {
273 4 : if (!libspdm_is_capabilities_flag_supported(
274 : spdm_context, false,
275 3 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) ||
276 3 : (spdm_context->connection_info.algorithm.measurement_spec == 0) ||
277 3 : (spdm_context->connection_info.algorithm.measurement_hash_algo == 0) ) {
278 1 : return libspdm_generate_error_response(
279 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
280 : 0, response_size, response);
281 : }
282 : }
283 :
284 18 : slot_id = spdm_request->header.param2;
285 :
286 18 : if (libspdm_is_capabilities_flag_supported(
287 : spdm_context, false,
288 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP)) {
289 16 : if (slot_id >= SPDM_MAX_SLOT_COUNT) {
290 1 : return libspdm_generate_error_response(spdm_context,
291 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
292 : response_size, response);
293 : }
294 15 : if (spdm_context->local_context.local_cert_chain_provision[slot_id] == NULL) {
295 0 : return libspdm_generate_error_response(spdm_context,
296 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
297 : response_size, response);
298 : }
299 : } else {
300 2 : if (slot_id != 0xff) {
301 1 : return libspdm_generate_error_response(spdm_context,
302 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
303 : response_size, response);
304 : }
305 1 : if (spdm_context->local_context.local_public_key_provision == NULL) {
306 0 : return libspdm_generate_error_response(spdm_context,
307 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
308 : response_size, response);
309 : }
310 : }
311 :
312 16 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
313 3 : if (spdm_context->connection_info.multi_key_conn_rsp && (slot_id != 0xff)) {
314 1 : if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
315 : SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE) == 0) {
316 1 : return libspdm_generate_error_response(
317 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST, 0, response_size, response);
318 : }
319 : }
320 :
321 2 : if ((spdm_request->session_policy &
322 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
323 2 : if (!libspdm_is_capabilities_flag_supported(
324 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_EVENT_CAP)) {
325 0 : return libspdm_generate_error_response(spdm_context,
326 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
327 : response_size, response);
328 : }
329 : }
330 : }
331 15 : spdm_context->connection_info.local_used_cert_chain_slot_id = slot_id;
332 :
333 15 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
334 0 : signature_size = libspdm_get_pqc_asym_signature_size(
335 : spdm_context->connection_info.algorithm.pqc_asym_algo);
336 : } else {
337 15 : signature_size = libspdm_get_asym_signature_size(
338 : spdm_context->connection_info.algorithm.base_asym_algo);
339 : }
340 15 : hmac_size = libspdm_get_hash_size(
341 : spdm_context->connection_info.algorithm.base_hash_algo);
342 15 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
343 0 : kem_encap_key_size = libspdm_get_kem_encap_key_size(
344 : spdm_context->connection_info.algorithm.kem_alg);
345 0 : kem_cipher_text_size = libspdm_get_kem_cipher_text_size(
346 : spdm_context->connection_info.algorithm.kem_alg);
347 0 : req_key_exchage_size = kem_encap_key_size;
348 0 : rsp_key_exchage_size = kem_cipher_text_size;
349 : } else {
350 30 : dhe_key_size = libspdm_get_dhe_pub_key_size(
351 15 : spdm_context->connection_info.algorithm.dhe_named_group);
352 15 : req_key_exchage_size = dhe_key_size;
353 15 : rsp_key_exchage_size = dhe_key_size;
354 : }
355 15 : measurement_summary_hash_size = libspdm_get_measurement_summary_hash_size(
356 15 : spdm_context, false, spdm_request->header.param1);
357 :
358 15 : if ((measurement_summary_hash_size == 0) &&
359 13 : (spdm_request->header.param1 != SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH)) {
360 1 : return libspdm_generate_error_response(spdm_context,
361 : SPDM_ERROR_CODE_INVALID_REQUEST,
362 : 0, response_size, response);
363 : }
364 14 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
365 : sizeof(uint16_t)) {
366 1 : return libspdm_generate_error_response(spdm_context,
367 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
368 : response_size, response);
369 : }
370 13 : opaque_data_length = libspdm_read_uint16((const uint8_t *)request +
371 13 : sizeof(spdm_key_exchange_request_t) +
372 : req_key_exchage_size);
373 13 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
374 13 : sizeof(uint16_t) + opaque_data_length) {
375 0 : return libspdm_generate_error_response(spdm_context,
376 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
377 : response_size, response);
378 : }
379 13 : request_size = sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
380 13 : sizeof(uint16_t) + opaque_data_length;
381 :
382 13 : if (opaque_data_length != 0) {
383 13 : cptr = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
384 13 : req_key_exchage_size + sizeof(uint16_t);
385 13 : result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length, cptr);
386 13 : if (!result) {
387 0 : return libspdm_generate_error_response(spdm_context,
388 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
389 : response_size, response);
390 : }
391 13 : status = libspdm_process_opaque_data_supported_version_data(
392 : spdm_context, opaque_data_length, cptr);
393 13 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
394 0 : return libspdm_generate_error_response(spdm_context,
395 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
396 : response_size, response);
397 : }
398 : }
399 :
400 13 : opaque_key_exchange_rsp_size =
401 13 : libspdm_get_opaque_data_version_selection_data_size(spdm_context);
402 :
403 13 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
404 13 : spdm_request->header.request_response_code);
405 :
406 13 : if (libspdm_is_capabilities_flag_supported(
407 : spdm_context, false,
408 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
409 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
410 3 : hmac_size = 0;
411 : }
412 :
413 13 : total_size = sizeof(spdm_key_exchange_response_t) + rsp_key_exchage_size +
414 13 : measurement_summary_hash_size + sizeof(uint16_t) +
415 13 : opaque_key_exchange_rsp_size + signature_size + hmac_size;
416 :
417 13 : LIBSPDM_ASSERT(*response_size >= total_size);
418 13 : *response_size = total_size;
419 13 : libspdm_zero_mem(response, *response_size);
420 13 : spdm_response = response;
421 :
422 13 : spdm_response->header.spdm_version = spdm_request->header.spdm_version;
423 13 : spdm_response->header.request_response_code = SPDM_KEY_EXCHANGE_RSP;
424 :
425 13 : if (libspdm_is_capabilities_flag_supported(
426 : spdm_context, false,
427 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
428 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
429 0 : spdm_response->header.param1 = spdm_context->local_context.heartbeat_period;
430 : } else {
431 13 : spdm_response->header.param1 = 0x00;
432 : }
433 :
434 13 : req_session_id = spdm_request->req_session_id;
435 13 : rsp_session_id = libspdm_allocate_rsp_session_id(spdm_context, false);
436 13 : if (rsp_session_id == ((INVALID_SESSION_ID & 0xFFFF0000) >> 16)) {
437 0 : return libspdm_generate_error_response(
438 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
439 : response_size, response);
440 : }
441 13 : session_id = libspdm_generate_session_id(req_session_id, rsp_session_id);
442 13 : session_info = libspdm_assign_session_id(spdm_context, session_id, false);
443 13 : if (session_info == NULL) {
444 0 : return libspdm_generate_error_response(
445 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
446 : response_size, response);
447 : }
448 :
449 13 : if (libspdm_is_capabilities_flag_supported(
450 : spdm_context, false,
451 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
452 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
453 0 : session_info->heartbeat_period = spdm_context->local_context.heartbeat_period;
454 : } else {
455 13 : session_info->heartbeat_period = 0x00;
456 : }
457 :
458 13 : spdm_response->rsp_session_id = rsp_session_id;
459 13 : spdm_response->mut_auth_requested = 0;
460 :
461 13 : if (libspdm_is_capabilities_flag_supported(
462 : spdm_context, false,
463 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP,
464 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
465 0 : spdm_response->mut_auth_requested =
466 0 : spdm_context->local_context.mut_auth_requested;
467 13 : } else if (spdm_context->local_context.mandatory_mut_auth) {
468 2 : LIBSPDM_ASSERT(spdm_context->local_context.capability.flags &
469 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
470 2 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
471 1 : return libspdm_generate_error_response(spdm_context,
472 : SPDM_ERROR_CODE_INVALID_POLICY, 0,
473 : response_size, response);
474 : } else {
475 1 : return libspdm_generate_error_response(spdm_context,
476 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
477 : response_size, response);
478 : }
479 : }
480 :
481 11 : if (spdm_response->mut_auth_requested != 0) {
482 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
483 0 : spdm_context->connection_info.peer_used_cert_chain_slot_id =
484 0 : spdm_context->encap_context.req_slot_id;
485 0 : libspdm_init_mut_auth_encap_state(spdm_context, spdm_response->mut_auth_requested);
486 0 : if (spdm_response->mut_auth_requested == SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED) {
487 : /* no need to libspdm_init_mut_auth_encap_state() because of no ENCAP message */
488 0 : spdm_response->req_slot_id_param = spdm_context->encap_context.req_slot_id & 0xF;
489 : } else {
490 : /* req_slot_id is always 0 if ENCAP message is needed */
491 0 : spdm_response->req_slot_id_param = 0;
492 : }
493 : #else
494 : spdm_response->mut_auth_requested = 0;
495 : spdm_response->req_slot_id_param = 0;
496 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
497 : } else {
498 11 : spdm_response->req_slot_id_param = 0;
499 : }
500 :
501 11 : if (!libspdm_get_random_number(SPDM_RANDOM_DATA_SIZE, spdm_response->random_data)) {
502 0 : libspdm_free_session_id(spdm_context, session_id);
503 0 : return libspdm_generate_error_response(spdm_context,
504 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
505 : response_size, response);
506 : }
507 :
508 11 : ptr = (void *)(spdm_response + 1);
509 11 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
510 0 : kem_context = libspdm_secured_message_kem_new(
511 0 : spdm_context->connection_info.version,
512 : spdm_context->connection_info.algorithm.kem_alg, false);
513 0 : if (kem_context == NULL) {
514 0 : libspdm_free_session_id(spdm_context, session_id);
515 0 : return libspdm_generate_error_response(spdm_context,
516 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
517 : response_size, response);
518 : }
519 :
520 0 : result = libspdm_secured_message_kem_encapsulate(
521 : spdm_context->connection_info.algorithm.kem_alg,
522 : kem_context,
523 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
524 : kem_encap_key_size, ptr, &kem_cipher_text_size, session_info->secured_message_context);
525 0 : libspdm_secured_message_kem_free(
526 : spdm_context->connection_info.algorithm.kem_alg,
527 : kem_context);
528 0 : if (!result) {
529 0 : libspdm_free_session_id(spdm_context, session_id);
530 0 : return libspdm_generate_error_response(spdm_context,
531 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
532 : response_size, response);
533 : }
534 :
535 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc Self cipher_text (0x%zx):\n", kem_cipher_text_size));
536 0 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, kem_cipher_text_size);
537 :
538 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer encap_key (0x%zx):\n", kem_encap_key_size));
539 0 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
540 : sizeof(spdm_key_exchange_request_t),
541 : kem_encap_key_size);
542 :
543 0 : ptr += kem_cipher_text_size;
544 : } else {
545 11 : dhe_context = libspdm_secured_message_dhe_new(
546 11 : spdm_context->connection_info.version,
547 11 : spdm_context->connection_info.algorithm.dhe_named_group, false);
548 11 : if (dhe_context == NULL) {
549 0 : libspdm_free_session_id(spdm_context, session_id);
550 0 : return libspdm_generate_error_response(spdm_context,
551 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
552 : response_size, response);
553 : }
554 :
555 11 : result = libspdm_secured_message_dhe_generate_key(
556 11 : spdm_context->connection_info.algorithm.dhe_named_group,
557 : dhe_context, ptr, &dhe_key_size);
558 11 : if (!result) {
559 0 : libspdm_secured_message_dhe_free(
560 0 : spdm_context->connection_info.algorithm.dhe_named_group,
561 : dhe_context);
562 0 : libspdm_free_session_id(spdm_context, session_id);
563 0 : return libspdm_generate_error_response(spdm_context,
564 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
565 : response_size, response);
566 : }
567 :
568 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc SelfKey (0x%zx):\n", dhe_key_size));
569 11 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, dhe_key_size);
570 :
571 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer_key (0x%zx):\n", dhe_key_size));
572 11 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
573 : sizeof(spdm_key_exchange_request_t),
574 : dhe_key_size);
575 :
576 11 : result = libspdm_secured_message_dhe_compute_key(
577 11 : spdm_context->connection_info.algorithm.dhe_named_group,
578 : dhe_context,
579 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
580 : dhe_key_size, session_info->secured_message_context);
581 11 : libspdm_secured_message_dhe_free(
582 11 : spdm_context->connection_info.algorithm.dhe_named_group, dhe_context);
583 11 : if (!result) {
584 0 : libspdm_free_session_id(spdm_context, session_id);
585 0 : return libspdm_generate_error_response(spdm_context,
586 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
587 : response_size, response);
588 : }
589 :
590 11 : ptr += dhe_key_size;
591 : }
592 :
593 : #if LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP
594 11 : if (libspdm_is_capabilities_flag_supported(
595 2 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) &&
596 2 : ((spdm_request->header.param1 == SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH) ||
597 1 : (spdm_request->header.param1 == SPDM_REQUEST_ALL_MEASUREMENTS_HASH))) {
598 2 : result = libspdm_generate_measurement_summary_hash(
599 : spdm_context,
600 2 : spdm_context->connection_info.version,
601 : spdm_context->connection_info.algorithm.base_hash_algo,
602 2 : spdm_context->connection_info.algorithm.measurement_spec,
603 : spdm_context->connection_info.algorithm.measurement_hash_algo,
604 2 : spdm_request->header.param1,
605 : ptr,
606 : measurement_summary_hash_size);
607 :
608 2 : if (!result) {
609 0 : libspdm_free_session_id(spdm_context, session_id);
610 0 : return libspdm_generate_error_response(spdm_context,
611 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
612 : response_size, response);
613 : }
614 : }
615 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP */
616 :
617 11 : ptr += measurement_summary_hash_size;
618 :
619 11 : libspdm_write_uint16(ptr, (uint16_t)opaque_key_exchange_rsp_size);
620 11 : ptr += sizeof(uint16_t);
621 11 : libspdm_build_opaque_data_version_selection_data(
622 : spdm_context, &opaque_key_exchange_rsp_size, ptr);
623 11 : ptr += opaque_key_exchange_rsp_size;
624 :
625 11 : if (slot_id != 0xFF) {
626 10 : spdm_context->connection_info.local_used_cert_chain_buffer =
627 10 : spdm_context->local_context.local_cert_chain_provision[slot_id];
628 10 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
629 10 : spdm_context->local_context.local_cert_chain_provision_size[slot_id];
630 : }
631 :
632 11 : status = libspdm_append_message_k(spdm_context, session_info, false, request, request_size);
633 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
634 0 : libspdm_free_session_id(spdm_context, session_id);
635 0 : return libspdm_generate_error_response(spdm_context,
636 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
637 : response_size, response);
638 : }
639 :
640 11 : status = libspdm_append_message_k(spdm_context, session_info, false, spdm_response,
641 11 : (size_t)ptr - (size_t)spdm_response);
642 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
643 0 : libspdm_free_session_id(spdm_context, session_id);
644 0 : return libspdm_generate_error_response(spdm_context,
645 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
646 : response_size, response);
647 : }
648 11 : result = libspdm_generate_key_exchange_rsp_signature(spdm_context, session_info, ptr);
649 11 : if (!result) {
650 0 : libspdm_free_session_id(spdm_context, session_id);
651 0 : return libspdm_generate_error_response(
652 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
653 : 0, response_size, response);
654 : }
655 :
656 11 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, signature_size);
657 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
658 0 : libspdm_free_session_id(spdm_context, session_id);
659 0 : return libspdm_generate_error_response(spdm_context,
660 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
661 : response_size, response);
662 : }
663 :
664 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_handshake_key[%x]\n", session_id));
665 11 : result = libspdm_calculate_th1_hash(spdm_context, session_info, false, th1_hash_data);
666 11 : if (!result) {
667 0 : libspdm_free_session_id(spdm_context, session_id);
668 0 : return libspdm_generate_error_response(spdm_context,
669 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
670 : response_size, response);
671 : }
672 11 : result = libspdm_generate_session_handshake_key(
673 : session_info->secured_message_context, th1_hash_data);
674 11 : if (!result) {
675 0 : libspdm_free_session_id(spdm_context, session_id);
676 0 : return libspdm_generate_error_response(spdm_context,
677 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
678 : response_size, response);
679 : }
680 :
681 11 : ptr += signature_size;
682 :
683 11 : if (!libspdm_is_capabilities_flag_supported(
684 : spdm_context, false,
685 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
686 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
687 8 : result = libspdm_generate_key_exchange_rsp_hmac(spdm_context, session_info, ptr);
688 8 : if (!result) {
689 0 : libspdm_free_session_id(spdm_context, session_id);
690 0 : return libspdm_generate_error_response(
691 : spdm_context,
692 : SPDM_ERROR_CODE_UNSPECIFIED,
693 : 0, response_size, response);
694 : }
695 8 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, hmac_size);
696 8 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
697 0 : libspdm_free_session_id(spdm_context, session_id);
698 0 : return libspdm_generate_error_response(
699 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
700 : 0, response_size, response);
701 : }
702 :
703 8 : ptr += hmac_size;
704 : }
705 :
706 : #if LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP
707 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
708 1 : if ((spdm_request->session_policy &
709 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
710 1 : if (!libspdm_event_subscribe(spdm_context, spdm_context->connection_info.version,
711 : session_id, LIBSPDM_EVENT_SUBSCRIBE_ALL, 0, 0, NULL)) {
712 0 : libspdm_free_session_id(spdm_context, session_id);
713 0 : return libspdm_generate_error_response(spdm_context,
714 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
715 : response_size, response);
716 : }
717 : }
718 : }
719 : #endif /* LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP */
720 :
721 11 : session_info->mut_auth_requested = spdm_response->mut_auth_requested;
722 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
723 3 : session_info->session_policy = spdm_request->session_policy;
724 : }
725 11 : libspdm_set_session_state(spdm_context, session_id, LIBSPDM_SESSION_STATE_HANDSHAKING);
726 :
727 11 : return LIBSPDM_STATUS_SUCCESS;
728 : }
729 :
730 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP */
|
