Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 8 : bool libspdm_generate_key_exchange_rsp_hmac(libspdm_context_t *spdm_context,
13 : libspdm_session_info_t *session_info,
14 : uint8_t *hmac)
15 : {
16 : uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
17 : size_t hash_size;
18 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
19 : uint8_t slot_id;
20 : uint8_t *cert_chain_buffer;
21 : size_t cert_chain_buffer_size;
22 : uint8_t *th_curr_data;
23 : size_t th_curr_data_size;
24 : libspdm_th_managed_buffer_t th_curr;
25 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
26 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
27 : bool result;
28 :
29 8 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
30 :
31 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
32 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
33 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
34 : if (slot_id == 0xFF) {
35 : result = libspdm_get_local_public_key_buffer(
36 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
37 : } else {
38 : result = libspdm_get_local_cert_chain_buffer(
39 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
40 : }
41 : if (!result) {
42 : return false;
43 : }
44 :
45 : result = libspdm_calculate_th_for_exchange(
46 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
47 : if (!result) {
48 : return false;
49 : }
50 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
51 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
52 :
53 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
54 : th_curr_data, th_curr_data_size, hash_data);
55 : if (!result) {
56 : return false;
57 : }
58 :
59 : result = libspdm_hmac_all_with_response_finished_key(
60 : session_info->secured_message_context, hash_data, hash_size, hmac_data);
61 : if (!result) {
62 : return false;
63 : }
64 : #else
65 8 : result = libspdm_calculate_th_hmac_for_exchange_rsp(
66 : spdm_context, session_info, &hash_size, hmac_data);
67 8 : if (!result) {
68 0 : return false;
69 : }
70 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
71 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
72 8 : LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
73 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
74 8 : libspdm_copy_mem(hmac, hash_size, hmac_data, hash_size);
75 :
76 8 : return true;
77 : }
78 :
79 11 : bool libspdm_generate_key_exchange_rsp_signature(libspdm_context_t *spdm_context,
80 : libspdm_session_info_t *session_info,
81 : uint8_t slot_id,
82 : uint8_t *signature)
83 : {
84 : bool result;
85 : size_t signature_size;
86 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
87 : uint8_t *th_curr_data;
88 : size_t th_curr_data_size;
89 : libspdm_th_managed_buffer_t th_curr;
90 : const uint8_t *cert_chain_buffer;
91 : size_t cert_chain_buffer_size;
92 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
93 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
94 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
95 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
96 : #endif
97 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
98 : size_t hash_size;
99 :
100 11 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
101 : #endif
102 :
103 11 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
104 0 : signature_size = libspdm_get_pqc_asym_signature_size(
105 : spdm_context->connection_info.algorithm.pqc_asym_algo);
106 : } else {
107 11 : signature_size = libspdm_get_asym_signature_size(
108 : spdm_context->connection_info.algorithm.base_asym_algo);
109 : }
110 :
111 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
112 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
113 : if (slot_id == 0xFF) {
114 : result = libspdm_get_local_public_key_buffer(
115 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
116 : } else {
117 : result = libspdm_get_local_cert_chain_buffer(
118 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
119 : }
120 : if (!result) {
121 : return false;
122 : }
123 :
124 : result = libspdm_calculate_th_for_exchange(
125 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
126 : if (!result) {
127 : return false;
128 : }
129 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
130 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
131 :
132 : /* Debug code only - required for debug print of th_curr hash below*/
133 : LIBSPDM_DEBUG_CODE(
134 : if (!libspdm_hash_all(
135 : spdm_context->connection_info.algorithm.base_hash_algo,
136 : th_curr_data, th_curr_data_size, hash_data)) {
137 : return false;
138 : }
139 : );
140 : #else
141 11 : result = libspdm_calculate_th_hash_for_exchange(
142 : spdm_context, session_info, &hash_size, hash_data);
143 11 : if (!result) {
144 0 : return false;
145 : }
146 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
147 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
148 11 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
149 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
150 :
151 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
152 : result = libspdm_responder_data_sign(
153 : spdm_context,
154 : spdm_context->connection_info.version,
155 : libspdm_slot_id_to_key_pair_id(spdm_context, slot_id, false),
156 : SPDM_KEY_EXCHANGE_RSP,
157 : spdm_context->connection_info.algorithm.base_asym_algo,
158 : spdm_context->connection_info.algorithm.pqc_asym_algo,
159 : spdm_context->connection_info.algorithm.base_hash_algo,
160 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
161 : #else
162 22 : result = libspdm_responder_data_sign(
163 : spdm_context,
164 11 : spdm_context->connection_info.version,
165 11 : libspdm_slot_id_to_key_pair_id(spdm_context, slot_id, false),
166 : SPDM_KEY_EXCHANGE_RSP,
167 : spdm_context->connection_info.algorithm.base_asym_algo,
168 : spdm_context->connection_info.algorithm.pqc_asym_algo,
169 : spdm_context->connection_info.algorithm.base_hash_algo,
170 : true, hash_data, hash_size, signature, &signature_size);
171 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
172 11 : if (result) {
173 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
174 11 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
175 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
176 : }
177 11 : return result;
178 : }
179 :
180 23 : libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_context,
181 : size_t request_size,
182 : const void *request,
183 : size_t *response_size,
184 : void *response)
185 : {
186 : const spdm_key_exchange_request_t *spdm_request;
187 : spdm_key_exchange_response_t *spdm_response;
188 : size_t dhe_key_size;
189 : size_t kem_encap_key_size;
190 : size_t kem_cipher_text_size;
191 : size_t req_key_exchange_size;
192 : size_t rsp_key_exchange_size;
193 : uint32_t measurement_summary_hash_size;
194 : uint32_t signature_size;
195 : uint32_t hmac_size;
196 : const uint8_t *cptr;
197 : uint8_t *ptr;
198 : uint16_t opaque_data_length;
199 : bool result;
200 : uint8_t slot_id;
201 : uint32_t session_id;
202 : void *dhe_context;
203 : void *kem_context;
204 : libspdm_session_info_t *session_info;
205 : size_t total_size;
206 : uint16_t req_session_id;
207 : uint16_t rsp_session_id;
208 : libspdm_return_t status;
209 : size_t opaque_key_exchange_rsp_size;
210 : uint8_t th1_hash_data[LIBSPDM_MAX_HASH_SIZE];
211 : spdm_version_number_t secured_message_version;
212 :
213 23 : spdm_request = request;
214 :
215 : /* -=[Check Parameters Phase]=- */
216 23 : LIBSPDM_ASSERT(spdm_request->header.request_response_code == SPDM_KEY_EXCHANGE);
217 :
218 23 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
219 0 : return libspdm_generate_error_response(spdm_context,
220 : SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
221 : SPDM_KEY_EXCHANGE,
222 : response_size, response);
223 : }
224 :
225 23 : if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
226 0 : return libspdm_generate_error_response(spdm_context,
227 : SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
228 : response_size, response);
229 : }
230 23 : if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_NORMAL) {
231 3 : return libspdm_responder_handle_response_state(
232 : spdm_context,
233 3 : spdm_request->header.request_response_code,
234 : response_size, response);
235 : }
236 20 : if (!libspdm_is_capabilities_flag_supported(
237 : spdm_context, false,
238 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
239 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
240 0 : return libspdm_generate_error_response(
241 : spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
242 : SPDM_KEY_EXCHANGE, response_size, response);
243 : }
244 :
245 : /* While clearing MAC_CAP and setting ENCRYPT_CAP is legal according to DSP0274, libspdm
246 : * also implements DSP0277 secure messages, which requires at least MAC_CAP to be set.
247 : */
248 20 : if (!libspdm_is_capabilities_flag_supported(
249 : spdm_context, false,
250 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MAC_CAP,
251 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) {
252 0 : return libspdm_generate_error_response(
253 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
254 : SPDM_KEY_EXCHANGE, response_size, response);
255 : }
256 :
257 20 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
258 1 : return libspdm_generate_error_response(spdm_context,
259 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
260 : 0, response_size, response);
261 : }
262 19 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
263 6 : if ((spdm_context->connection_info.algorithm.other_params_support &
264 : SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_MASK) != SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_1) {
265 0 : return libspdm_generate_error_response(
266 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
267 : 0, response_size, response);
268 : }
269 : }
270 19 : if (spdm_context->last_spdm_request_session_id_valid) {
271 0 : return libspdm_generate_error_response(spdm_context,
272 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
273 : 0, response_size, response);
274 : }
275 :
276 19 : if (spdm_request->header.param1 > 0) {
277 4 : if (!libspdm_is_capabilities_flag_supported(
278 : spdm_context, false,
279 3 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) ||
280 3 : (spdm_context->connection_info.algorithm.measurement_spec == 0) ||
281 3 : (spdm_context->connection_info.algorithm.measurement_hash_algo == 0) ) {
282 1 : return libspdm_generate_error_response(
283 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
284 : 0, response_size, response);
285 : }
286 : }
287 :
288 18 : slot_id = spdm_request->header.param2;
289 :
290 18 : if (libspdm_is_capabilities_flag_supported(
291 : spdm_context, false,
292 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP)) {
293 16 : if (slot_id >= SPDM_MAX_SLOT_COUNT) {
294 1 : return libspdm_generate_error_response(spdm_context,
295 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
296 : response_size, response);
297 : }
298 15 : if (spdm_context->local_context.local_cert_chain_provision[slot_id] == NULL) {
299 0 : return libspdm_generate_error_response(spdm_context,
300 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
301 : response_size, response);
302 : }
303 : } else {
304 2 : if (slot_id != 0xff) {
305 1 : return libspdm_generate_error_response(spdm_context,
306 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
307 : response_size, response);
308 : }
309 1 : if (spdm_context->local_context.local_public_key_provision == NULL) {
310 0 : return libspdm_generate_error_response(spdm_context,
311 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
312 : response_size, response);
313 : }
314 : }
315 :
316 16 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
317 3 : if (spdm_context->connection_info.multi_key_conn_rsp && (slot_id != 0xff)) {
318 1 : if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
319 : SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE) == 0) {
320 1 : return libspdm_generate_error_response(
321 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST, 0, response_size, response);
322 : }
323 : }
324 :
325 2 : if ((spdm_request->session_policy &
326 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
327 2 : if (!libspdm_is_capabilities_flag_supported(
328 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_EVENT_CAP)) {
329 0 : return libspdm_generate_error_response(spdm_context,
330 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
331 : response_size, response);
332 : }
333 : }
334 : }
335 15 : spdm_context->connection_info.local_used_cert_chain_slot_id = slot_id;
336 :
337 15 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
338 0 : signature_size = libspdm_get_pqc_asym_signature_size(
339 : spdm_context->connection_info.algorithm.pqc_asym_algo);
340 : } else {
341 15 : signature_size = libspdm_get_asym_signature_size(
342 : spdm_context->connection_info.algorithm.base_asym_algo);
343 : }
344 15 : hmac_size = libspdm_get_hash_size(
345 : spdm_context->connection_info.algorithm.base_hash_algo);
346 15 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
347 0 : kem_encap_key_size = libspdm_get_kem_encap_key_size(
348 : spdm_context->connection_info.algorithm.kem_alg);
349 0 : kem_cipher_text_size = libspdm_get_kem_cipher_text_size(
350 : spdm_context->connection_info.algorithm.kem_alg);
351 0 : req_key_exchange_size = kem_encap_key_size;
352 0 : rsp_key_exchange_size = kem_cipher_text_size;
353 : } else {
354 30 : dhe_key_size = libspdm_get_dhe_pub_key_size(
355 15 : spdm_context->connection_info.algorithm.dhe_named_group);
356 15 : req_key_exchange_size = dhe_key_size;
357 15 : rsp_key_exchange_size = dhe_key_size;
358 : }
359 15 : measurement_summary_hash_size = libspdm_get_measurement_summary_hash_size(
360 15 : spdm_context, false, spdm_request->header.param1);
361 :
362 15 : if ((measurement_summary_hash_size == 0) &&
363 13 : (spdm_request->header.param1 != SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH)) {
364 1 : return libspdm_generate_error_response(spdm_context,
365 : SPDM_ERROR_CODE_INVALID_REQUEST,
366 : 0, response_size, response);
367 : }
368 14 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchange_size +
369 : sizeof(uint16_t)) {
370 1 : return libspdm_generate_error_response(spdm_context,
371 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
372 : response_size, response);
373 : }
374 13 : opaque_data_length = libspdm_read_uint16((const uint8_t *)request +
375 13 : sizeof(spdm_key_exchange_request_t) +
376 : req_key_exchange_size);
377 13 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchange_size +
378 13 : sizeof(uint16_t) + opaque_data_length) {
379 0 : return libspdm_generate_error_response(spdm_context,
380 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
381 : response_size, response);
382 : }
383 13 : request_size = sizeof(spdm_key_exchange_request_t) + req_key_exchange_size +
384 13 : sizeof(uint16_t) + opaque_data_length;
385 :
386 13 : if (opaque_data_length != 0) {
387 13 : cptr = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
388 13 : req_key_exchange_size + sizeof(uint16_t);
389 13 : result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length, cptr);
390 13 : if (!result) {
391 0 : return libspdm_generate_error_response(spdm_context,
392 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
393 : response_size, response);
394 : }
395 13 : status = libspdm_process_opaque_data_supported_version_data(
396 : spdm_context, opaque_data_length, cptr, &secured_message_version);
397 13 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
398 0 : return libspdm_generate_error_response(spdm_context,
399 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
400 : response_size, response);
401 : }
402 : }
403 :
404 13 : opaque_key_exchange_rsp_size =
405 13 : libspdm_get_opaque_data_version_selection_data_size(spdm_context);
406 :
407 13 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
408 13 : spdm_request->header.request_response_code);
409 :
410 13 : if (libspdm_is_capabilities_flag_supported(
411 : spdm_context, false,
412 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
413 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
414 3 : hmac_size = 0;
415 : }
416 :
417 13 : total_size = sizeof(spdm_key_exchange_response_t) + rsp_key_exchange_size +
418 13 : measurement_summary_hash_size + sizeof(uint16_t) +
419 13 : opaque_key_exchange_rsp_size + signature_size + hmac_size;
420 :
421 13 : LIBSPDM_ASSERT(*response_size >= total_size);
422 13 : *response_size = total_size;
423 13 : libspdm_zero_mem(response, *response_size);
424 13 : spdm_response = response;
425 :
426 13 : spdm_response->header.spdm_version = spdm_request->header.spdm_version;
427 13 : spdm_response->header.request_response_code = SPDM_KEY_EXCHANGE_RSP;
428 :
429 13 : if (libspdm_is_capabilities_flag_supported(
430 : spdm_context, false,
431 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
432 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
433 0 : spdm_response->header.param1 = spdm_context->local_context.heartbeat_period;
434 : } else {
435 13 : spdm_response->header.param1 = 0x00;
436 : }
437 :
438 13 : req_session_id = spdm_request->req_session_id;
439 13 : rsp_session_id = libspdm_allocate_rsp_session_id(spdm_context, false);
440 13 : if (rsp_session_id == ((INVALID_SESSION_ID & 0xFFFF0000) >> 16)) {
441 0 : return libspdm_generate_error_response(
442 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
443 : response_size, response);
444 : }
445 13 : session_id = libspdm_generate_session_id(req_session_id, rsp_session_id);
446 13 : session_info = libspdm_assign_session_id(spdm_context, session_id, secured_message_version,
447 : false);
448 13 : if (session_info == NULL) {
449 0 : return libspdm_generate_error_response(
450 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
451 : response_size, response);
452 : }
453 :
454 13 : if (libspdm_is_capabilities_flag_supported(
455 : spdm_context, false,
456 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
457 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
458 0 : session_info->heartbeat_period = spdm_context->local_context.heartbeat_period;
459 : } else {
460 13 : session_info->heartbeat_period = 0x00;
461 : }
462 :
463 13 : spdm_response->rsp_session_id = rsp_session_id;
464 13 : spdm_response->mut_auth_requested = 0;
465 :
466 13 : if (libspdm_is_capabilities_flag_supported(
467 : spdm_context, false,
468 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP,
469 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
470 0 : spdm_response->mut_auth_requested =
471 0 : spdm_context->local_context.mut_auth_requested;
472 13 : } else if (spdm_context->local_context.mandatory_mut_auth) {
473 2 : LIBSPDM_ASSERT(spdm_context->local_context.capability.flags &
474 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
475 2 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
476 1 : return libspdm_generate_error_response(spdm_context,
477 : SPDM_ERROR_CODE_INVALID_POLICY, 0,
478 : response_size, response);
479 : } else {
480 1 : return libspdm_generate_error_response(spdm_context,
481 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
482 : response_size, response);
483 : }
484 : }
485 :
486 11 : if (spdm_response->mut_auth_requested != 0) {
487 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
488 0 : spdm_context->connection_info.peer_used_cert_chain_slot_id =
489 0 : spdm_context->encap_context.req_slot_id;
490 0 : libspdm_init_mut_auth_encap_state(spdm_context, spdm_response->mut_auth_requested);
491 0 : if (spdm_response->mut_auth_requested == SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED) {
492 : /* no need to libspdm_init_mut_auth_encap_state() because of no ENCAP message */
493 0 : spdm_response->req_slot_id_param = spdm_context->encap_context.req_slot_id & 0xF;
494 : } else {
495 : /* req_slot_id is always 0 if ENCAP message is needed */
496 0 : spdm_response->req_slot_id_param = 0;
497 : }
498 : #else
499 : spdm_response->mut_auth_requested = 0;
500 : spdm_response->req_slot_id_param = 0;
501 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
502 : } else {
503 11 : spdm_response->req_slot_id_param = 0;
504 : }
505 :
506 11 : if (!libspdm_get_random_number(SPDM_RANDOM_DATA_SIZE, spdm_response->random_data)) {
507 0 : libspdm_free_session_id(spdm_context, session_id);
508 0 : return libspdm_generate_error_response(spdm_context,
509 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
510 : response_size, response);
511 : }
512 :
513 11 : ptr = (void *)(spdm_response + 1);
514 11 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
515 0 : kem_context = libspdm_secured_message_kem_new(
516 0 : spdm_context->connection_info.version,
517 : spdm_context->connection_info.algorithm.kem_alg, false);
518 0 : if (kem_context == NULL) {
519 0 : libspdm_free_session_id(spdm_context, session_id);
520 0 : return libspdm_generate_error_response(spdm_context,
521 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
522 : response_size, response);
523 : }
524 :
525 0 : result = libspdm_secured_message_kem_encapsulate(
526 : spdm_context->connection_info.algorithm.kem_alg,
527 : kem_context,
528 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
529 : kem_encap_key_size, ptr, &kem_cipher_text_size, session_info->secured_message_context);
530 0 : libspdm_secured_message_kem_free(
531 : spdm_context->connection_info.algorithm.kem_alg,
532 : kem_context);
533 0 : if (!result) {
534 0 : libspdm_free_session_id(spdm_context, session_id);
535 0 : return libspdm_generate_error_response(spdm_context,
536 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
537 : response_size, response);
538 : }
539 :
540 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc Self cipher_text (0x%zx):\n", kem_cipher_text_size));
541 0 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, kem_cipher_text_size);
542 :
543 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer encap_key (0x%zx):\n", kem_encap_key_size));
544 0 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
545 : sizeof(spdm_key_exchange_request_t),
546 : kem_encap_key_size);
547 :
548 0 : ptr += kem_cipher_text_size;
549 : } else {
550 11 : dhe_context = libspdm_secured_message_dhe_new(
551 11 : spdm_context->connection_info.version,
552 11 : spdm_context->connection_info.algorithm.dhe_named_group, false);
553 11 : if (dhe_context == NULL) {
554 0 : libspdm_free_session_id(spdm_context, session_id);
555 0 : return libspdm_generate_error_response(spdm_context,
556 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
557 : response_size, response);
558 : }
559 :
560 11 : result = libspdm_secured_message_dhe_generate_key(
561 11 : spdm_context->connection_info.algorithm.dhe_named_group,
562 : dhe_context, ptr, &dhe_key_size);
563 11 : if (!result) {
564 0 : libspdm_secured_message_dhe_free(
565 0 : spdm_context->connection_info.algorithm.dhe_named_group,
566 : dhe_context);
567 0 : libspdm_free_session_id(spdm_context, session_id);
568 0 : return libspdm_generate_error_response(spdm_context,
569 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
570 : response_size, response);
571 : }
572 :
573 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc SelfKey (0x%zx):\n", dhe_key_size));
574 11 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, dhe_key_size);
575 :
576 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer_key (0x%zx):\n", dhe_key_size));
577 11 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
578 : sizeof(spdm_key_exchange_request_t),
579 : dhe_key_size);
580 :
581 11 : result = libspdm_secured_message_dhe_compute_key(
582 11 : spdm_context->connection_info.algorithm.dhe_named_group,
583 : dhe_context,
584 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
585 : dhe_key_size, session_info->secured_message_context);
586 11 : libspdm_secured_message_dhe_free(
587 11 : spdm_context->connection_info.algorithm.dhe_named_group, dhe_context);
588 11 : if (!result) {
589 0 : libspdm_free_session_id(spdm_context, session_id);
590 0 : return libspdm_generate_error_response(spdm_context,
591 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
592 : response_size, response);
593 : }
594 :
595 11 : ptr += dhe_key_size;
596 : }
597 :
598 : #if LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP
599 11 : if (libspdm_is_capabilities_flag_supported(
600 2 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) &&
601 2 : ((spdm_request->header.param1 == SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH) ||
602 1 : (spdm_request->header.param1 == SPDM_REQUEST_ALL_MEASUREMENTS_HASH))) {
603 2 : result = libspdm_generate_measurement_summary_hash(
604 : spdm_context,
605 2 : spdm_context->connection_info.version,
606 : spdm_context->connection_info.algorithm.base_hash_algo,
607 2 : spdm_context->connection_info.algorithm.measurement_spec,
608 : spdm_context->connection_info.algorithm.measurement_hash_algo,
609 2 : spdm_request->header.param1,
610 : ptr,
611 : measurement_summary_hash_size);
612 :
613 2 : if (!result) {
614 0 : libspdm_free_session_id(spdm_context, session_id);
615 0 : return libspdm_generate_error_response(spdm_context,
616 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
617 : response_size, response);
618 : }
619 : }
620 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP */
621 :
622 11 : ptr += measurement_summary_hash_size;
623 :
624 11 : libspdm_write_uint16(ptr, (uint16_t)opaque_key_exchange_rsp_size);
625 11 : ptr += sizeof(uint16_t);
626 11 : libspdm_build_opaque_data_version_selection_data(
627 : spdm_context, secured_message_version, &opaque_key_exchange_rsp_size, ptr);
628 11 : ptr += opaque_key_exchange_rsp_size;
629 :
630 11 : if (slot_id != 0xFF) {
631 10 : spdm_context->connection_info.local_used_cert_chain_buffer =
632 10 : spdm_context->local_context.local_cert_chain_provision[slot_id];
633 10 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
634 10 : spdm_context->local_context.local_cert_chain_provision_size[slot_id];
635 : }
636 :
637 11 : status = libspdm_append_message_k(spdm_context, session_info, false, request, request_size);
638 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
639 0 : libspdm_free_session_id(spdm_context, session_id);
640 0 : return libspdm_generate_error_response(spdm_context,
641 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
642 : response_size, response);
643 : }
644 :
645 11 : status = libspdm_append_message_k(spdm_context, session_info, false, spdm_response,
646 11 : (size_t)ptr - (size_t)spdm_response);
647 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
648 0 : libspdm_free_session_id(spdm_context, session_id);
649 0 : return libspdm_generate_error_response(spdm_context,
650 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
651 : response_size, response);
652 : }
653 11 : result = libspdm_generate_key_exchange_rsp_signature(
654 : spdm_context, session_info, slot_id, ptr);
655 11 : if (!result) {
656 0 : libspdm_free_session_id(spdm_context, session_id);
657 0 : return libspdm_generate_error_response(
658 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
659 : 0, response_size, response);
660 : }
661 :
662 11 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, signature_size);
663 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
664 0 : libspdm_free_session_id(spdm_context, session_id);
665 0 : return libspdm_generate_error_response(spdm_context,
666 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
667 : response_size, response);
668 : }
669 :
670 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_handshake_key[%x]\n", session_id));
671 11 : result = libspdm_calculate_th1_hash(spdm_context, session_info, false, th1_hash_data);
672 11 : if (!result) {
673 0 : libspdm_free_session_id(spdm_context, session_id);
674 0 : return libspdm_generate_error_response(spdm_context,
675 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
676 : response_size, response);
677 : }
678 11 : result = libspdm_generate_session_handshake_key(
679 : session_info->secured_message_context, th1_hash_data);
680 11 : if (!result) {
681 0 : libspdm_free_session_id(spdm_context, session_id);
682 0 : return libspdm_generate_error_response(spdm_context,
683 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
684 : response_size, response);
685 : }
686 :
687 11 : ptr += signature_size;
688 :
689 11 : if (!libspdm_is_capabilities_flag_supported(
690 : spdm_context, false,
691 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
692 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
693 8 : result = libspdm_generate_key_exchange_rsp_hmac(spdm_context, session_info, ptr);
694 8 : if (!result) {
695 0 : libspdm_free_session_id(spdm_context, session_id);
696 0 : return libspdm_generate_error_response(
697 : spdm_context,
698 : SPDM_ERROR_CODE_UNSPECIFIED,
699 : 0, response_size, response);
700 : }
701 8 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, hmac_size);
702 8 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
703 0 : libspdm_free_session_id(spdm_context, session_id);
704 0 : return libspdm_generate_error_response(
705 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
706 : 0, response_size, response);
707 : }
708 :
709 8 : ptr += hmac_size;
710 : }
711 :
712 : #if LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP
713 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
714 1 : if ((spdm_request->session_policy &
715 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
716 1 : if (!libspdm_event_subscribe(spdm_context, spdm_context->connection_info.version,
717 : session_id, LIBSPDM_EVENT_SUBSCRIBE_ALL, 0, 0, NULL)) {
718 0 : libspdm_free_session_id(spdm_context, session_id);
719 0 : return libspdm_generate_error_response(spdm_context,
720 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
721 : response_size, response);
722 : }
723 : }
724 : }
725 : #endif /* LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP */
726 :
727 11 : session_info->mut_auth_requested = spdm_response->mut_auth_requested;
728 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
729 3 : session_info->session_policy = spdm_request->session_policy;
730 : }
731 11 : libspdm_set_session_state(spdm_context, session_id, LIBSPDM_SESSION_STATE_HANDSHAKING);
732 :
733 11 : return LIBSPDM_STATUS_SUCCESS;
734 : }
735 :
736 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP */
|
