Line data Source code
1 : /**
2 : * Copyright Notice:
3 : * Copyright 2021-2025 DMTF. All rights reserved.
4 : * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
5 : **/
6 :
7 : #include "internal/libspdm_responder_lib.h"
8 : #include "internal/libspdm_secured_message_lib.h"
9 :
10 : #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
11 :
12 8 : bool libspdm_generate_key_exchange_rsp_hmac(libspdm_context_t *spdm_context,
13 : libspdm_session_info_t *session_info,
14 : uint8_t *hmac)
15 : {
16 : uint8_t hmac_data[LIBSPDM_MAX_HASH_SIZE];
17 : size_t hash_size;
18 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
19 : uint8_t slot_id;
20 : uint8_t *cert_chain_buffer;
21 : size_t cert_chain_buffer_size;
22 : uint8_t *th_curr_data;
23 : size_t th_curr_data_size;
24 : libspdm_th_managed_buffer_t th_curr;
25 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
26 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
27 : bool result;
28 :
29 8 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
30 :
31 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
32 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
33 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
34 : if (slot_id == 0xFF) {
35 : result = libspdm_get_local_public_key_buffer(
36 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
37 : } else {
38 : result = libspdm_get_local_cert_chain_buffer(
39 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
40 : }
41 : if (!result) {
42 : return false;
43 : }
44 :
45 : result = libspdm_calculate_th_for_exchange(
46 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
47 : if (!result) {
48 : return false;
49 : }
50 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
51 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
52 :
53 : result = libspdm_hash_all (spdm_context->connection_info.algorithm.base_hash_algo,
54 : th_curr_data, th_curr_data_size, hash_data);
55 : if (!result) {
56 : return false;
57 : }
58 :
59 : result = libspdm_hmac_all_with_response_finished_key(
60 : session_info->secured_message_context, hash_data, hash_size, hmac_data);
61 : if (!result) {
62 : return false;
63 : }
64 : #else
65 8 : result = libspdm_calculate_th_hmac_for_exchange_rsp(
66 : spdm_context, session_info, false, &hash_size, hmac_data);
67 8 : if (!result) {
68 0 : return false;
69 : }
70 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
71 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hmac - "));
72 8 : LIBSPDM_INTERNAL_DUMP_DATA(hmac_data, hash_size);
73 8 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
74 8 : libspdm_copy_mem(hmac, hash_size, hmac_data, hash_size);
75 :
76 8 : return true;
77 : }
78 :
79 11 : bool libspdm_generate_key_exchange_rsp_signature(libspdm_context_t *spdm_context,
80 : libspdm_session_info_t *session_info,
81 : uint8_t *signature)
82 : {
83 : bool result;
84 : size_t signature_size;
85 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
86 : uint8_t slot_id;
87 : uint8_t *th_curr_data;
88 : size_t th_curr_data_size;
89 : libspdm_th_managed_buffer_t th_curr;
90 : const uint8_t *cert_chain_buffer;
91 : size_t cert_chain_buffer_size;
92 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
93 : #if ((LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) && (LIBSPDM_DEBUG_BLOCK_ENABLE)) || \
94 : !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT)
95 : uint8_t hash_data[LIBSPDM_MAX_HASH_SIZE];
96 : #endif
97 : #if !(LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT) || (LIBSPDM_DEBUG_PRINT_ENABLE)
98 : size_t hash_size;
99 :
100 11 : hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
101 : #endif
102 :
103 11 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
104 0 : signature_size = libspdm_get_pqc_asym_signature_size(
105 : spdm_context->connection_info.algorithm.pqc_asym_algo);
106 : } else {
107 11 : signature_size = libspdm_get_asym_signature_size(
108 : spdm_context->connection_info.algorithm.base_asym_algo);
109 : }
110 :
111 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
112 : slot_id = spdm_context->connection_info.local_used_cert_chain_slot_id;
113 : LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
114 : if (slot_id == 0xFF) {
115 : result = libspdm_get_local_public_key_buffer(
116 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
117 : } else {
118 : result = libspdm_get_local_cert_chain_buffer(
119 : spdm_context, (const void **)&cert_chain_buffer, &cert_chain_buffer_size);
120 : }
121 : if (!result) {
122 : return false;
123 : }
124 :
125 : result = libspdm_calculate_th_for_exchange(
126 : spdm_context, session_info, cert_chain_buffer, cert_chain_buffer_size, &th_curr);
127 : if (!result) {
128 : return false;
129 : }
130 : th_curr_data = libspdm_get_managed_buffer(&th_curr);
131 : th_curr_data_size = libspdm_get_managed_buffer_size(&th_curr);
132 :
133 : /* Debug code only - required for debug print of th_curr hash below*/
134 : LIBSPDM_DEBUG_CODE(
135 : if (!libspdm_hash_all(
136 : spdm_context->connection_info.algorithm.base_hash_algo,
137 : th_curr_data, th_curr_data_size, hash_data)) {
138 : return false;
139 : }
140 : );
141 : #else
142 11 : result = libspdm_calculate_th_hash_for_exchange(
143 : spdm_context, session_info, &hash_size, hash_data);
144 11 : if (!result) {
145 0 : return false;
146 : }
147 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
148 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "th_curr hash - "));
149 11 : LIBSPDM_INTERNAL_DUMP_DATA(hash_data, hash_size);
150 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
151 :
152 : #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
153 : result = libspdm_responder_data_sign(
154 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
155 : spdm_context,
156 : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
157 : spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
158 : spdm_context->connection_info.algorithm.base_asym_algo,
159 : spdm_context->connection_info.algorithm.pqc_asym_algo,
160 : spdm_context->connection_info.algorithm.base_hash_algo,
161 : false, th_curr_data, th_curr_data_size, signature, &signature_size);
162 : #else
163 11 : result = libspdm_responder_data_sign(
164 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
165 : spdm_context,
166 : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
167 11 : spdm_context->connection_info.version, SPDM_KEY_EXCHANGE_RSP,
168 : spdm_context->connection_info.algorithm.base_asym_algo,
169 : spdm_context->connection_info.algorithm.pqc_asym_algo,
170 : spdm_context->connection_info.algorithm.base_hash_algo,
171 : true, hash_data, hash_size, signature, &signature_size);
172 : #endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
173 11 : if (result) {
174 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature - "));
175 11 : LIBSPDM_INTERNAL_DUMP_DATA(signature, signature_size);
176 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
177 : }
178 11 : return result;
179 : }
180 :
181 23 : libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_context,
182 : size_t request_size,
183 : const void *request,
184 : size_t *response_size,
185 : void *response)
186 : {
187 : const spdm_key_exchange_request_t *spdm_request;
188 : spdm_key_exchange_response_t *spdm_response;
189 : size_t dhe_key_size;
190 : size_t kem_encap_key_size;
191 : size_t kem_cipher_text_size;
192 : size_t req_key_exchage_size;
193 : size_t rsp_key_exchage_size;
194 : uint32_t measurement_summary_hash_size;
195 : uint32_t signature_size;
196 : uint32_t hmac_size;
197 : const uint8_t *cptr;
198 : uint8_t *ptr;
199 : uint16_t opaque_data_length;
200 : bool result;
201 : uint8_t slot_id;
202 : uint32_t session_id;
203 : void *dhe_context;
204 : void *kem_context;
205 : libspdm_session_info_t *session_info;
206 : size_t total_size;
207 : uint16_t req_session_id;
208 : uint16_t rsp_session_id;
209 : libspdm_return_t status;
210 : size_t opaque_key_exchange_rsp_size;
211 : uint8_t th1_hash_data[LIBSPDM_MAX_HASH_SIZE];
212 :
213 23 : spdm_request = request;
214 :
215 : /* -=[Check Parameters Phase]=- */
216 23 : LIBSPDM_ASSERT(spdm_request->header.request_response_code == SPDM_KEY_EXCHANGE);
217 :
218 23 : if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
219 0 : return libspdm_generate_error_response(spdm_context,
220 : SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
221 : SPDM_KEY_EXCHANGE,
222 : response_size, response);
223 : }
224 :
225 23 : if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
226 0 : return libspdm_generate_error_response(spdm_context,
227 : SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
228 : response_size, response);
229 : }
230 23 : if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_NORMAL) {
231 3 : return libspdm_responder_handle_response_state(
232 : spdm_context,
233 3 : spdm_request->header.request_response_code,
234 : response_size, response);
235 : }
236 20 : if (!libspdm_is_capabilities_flag_supported(
237 : spdm_context, false,
238 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP,
239 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP)) {
240 0 : return libspdm_generate_error_response(
241 : spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
242 : SPDM_KEY_EXCHANGE, response_size, response);
243 : }
244 :
245 : /* While clearing MAC_CAP and setting ENCRYPT_CAP is legal according to DSP0274, libspdm
246 : * also implements DSP0277 secure messages, which requires at least MAC_CAP to be set.
247 : */
248 20 : if (!libspdm_is_capabilities_flag_supported(
249 : spdm_context, false,
250 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MAC_CAP,
251 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) {
252 0 : return libspdm_generate_error_response(
253 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
254 : SPDM_KEY_EXCHANGE, response_size, response);
255 : }
256 :
257 20 : if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_NEGOTIATED) {
258 1 : return libspdm_generate_error_response(spdm_context,
259 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
260 : 0, response_size, response);
261 : }
262 19 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
263 6 : if ((spdm_context->connection_info.algorithm.other_params_support &
264 : SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_MASK) != SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_1) {
265 0 : return libspdm_generate_error_response(
266 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
267 : 0, response_size, response);
268 : }
269 : }
270 19 : if (spdm_context->last_spdm_request_session_id_valid) {
271 0 : return libspdm_generate_error_response(spdm_context,
272 : SPDM_ERROR_CODE_UNEXPECTED_REQUEST,
273 : 0, response_size, response);
274 : }
275 :
276 19 : if (spdm_request->header.param1 > 0) {
277 4 : if (!libspdm_is_capabilities_flag_supported(
278 : spdm_context, false,
279 3 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) ||
280 3 : (spdm_context->connection_info.algorithm.measurement_spec == 0) ||
281 3 : (spdm_context->connection_info.algorithm.measurement_hash_algo == 0) ) {
282 1 : return libspdm_generate_error_response(
283 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST,
284 : 0, response_size, response);
285 : }
286 : }
287 :
288 18 : slot_id = spdm_request->header.param2;
289 :
290 18 : if (libspdm_is_capabilities_flag_supported(
291 : spdm_context, false,
292 : 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP)) {
293 16 : if (slot_id >= SPDM_MAX_SLOT_COUNT) {
294 1 : return libspdm_generate_error_response(spdm_context,
295 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
296 : response_size, response);
297 : }
298 15 : if (spdm_context->local_context.local_cert_chain_provision[slot_id] == NULL) {
299 0 : return libspdm_generate_error_response(spdm_context,
300 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
301 : response_size, response);
302 : }
303 : } else {
304 2 : if (slot_id != 0xff) {
305 1 : return libspdm_generate_error_response(spdm_context,
306 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
307 : response_size, response);
308 : }
309 1 : if (spdm_context->local_context.local_public_key_provision == NULL) {
310 0 : return libspdm_generate_error_response(spdm_context,
311 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
312 : response_size, response);
313 : }
314 : }
315 :
316 16 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
317 3 : if (spdm_context->connection_info.multi_key_conn_rsp && (slot_id != 0xff)) {
318 1 : if ((spdm_context->local_context.local_key_usage_bit_mask[slot_id] &
319 : SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE) == 0) {
320 1 : return libspdm_generate_error_response(
321 : spdm_context, SPDM_ERROR_CODE_INVALID_REQUEST, 0, response_size, response);
322 : }
323 : }
324 :
325 2 : if ((spdm_request->session_policy &
326 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
327 2 : if (!libspdm_is_capabilities_flag_supported(
328 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_EVENT_CAP)) {
329 0 : return libspdm_generate_error_response(spdm_context,
330 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
331 : response_size, response);
332 : }
333 : }
334 : }
335 15 : spdm_context->connection_info.local_used_cert_chain_slot_id = slot_id;
336 :
337 15 : if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
338 0 : signature_size = libspdm_get_pqc_asym_signature_size(
339 : spdm_context->connection_info.algorithm.pqc_asym_algo);
340 : } else {
341 15 : signature_size = libspdm_get_asym_signature_size(
342 : spdm_context->connection_info.algorithm.base_asym_algo);
343 : }
344 15 : hmac_size = libspdm_get_hash_size(
345 : spdm_context->connection_info.algorithm.base_hash_algo);
346 15 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
347 0 : kem_encap_key_size = libspdm_get_kem_encap_key_size(
348 : spdm_context->connection_info.algorithm.kem_alg);
349 0 : kem_cipher_text_size = libspdm_get_kem_cipher_text_size(
350 : spdm_context->connection_info.algorithm.kem_alg);
351 0 : req_key_exchage_size = kem_encap_key_size;
352 0 : rsp_key_exchage_size = kem_cipher_text_size;
353 : } else {
354 30 : dhe_key_size = libspdm_get_dhe_pub_key_size(
355 15 : spdm_context->connection_info.algorithm.dhe_named_group);
356 15 : req_key_exchage_size = dhe_key_size;
357 15 : rsp_key_exchage_size = dhe_key_size;
358 : }
359 15 : measurement_summary_hash_size = libspdm_get_measurement_summary_hash_size(
360 15 : spdm_context, false, spdm_request->header.param1);
361 :
362 15 : if ((measurement_summary_hash_size == 0) &&
363 13 : (spdm_request->header.param1 != SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH)) {
364 1 : return libspdm_generate_error_response(spdm_context,
365 : SPDM_ERROR_CODE_INVALID_REQUEST,
366 : 0, response_size, response);
367 : }
368 14 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
369 : sizeof(uint16_t)) {
370 1 : return libspdm_generate_error_response(spdm_context,
371 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
372 : response_size, response);
373 : }
374 13 : opaque_data_length = libspdm_read_uint16((const uint8_t *)request +
375 13 : sizeof(spdm_key_exchange_request_t) +
376 : req_key_exchage_size);
377 13 : if (request_size < sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
378 13 : sizeof(uint16_t) + opaque_data_length) {
379 0 : return libspdm_generate_error_response(spdm_context,
380 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
381 : response_size, response);
382 : }
383 13 : request_size = sizeof(spdm_key_exchange_request_t) + req_key_exchage_size +
384 13 : sizeof(uint16_t) + opaque_data_length;
385 :
386 13 : if (opaque_data_length != 0) {
387 13 : cptr = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
388 13 : req_key_exchage_size + sizeof(uint16_t);
389 13 : result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length, cptr);
390 13 : if (!result) {
391 0 : return libspdm_generate_error_response(spdm_context,
392 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
393 : response_size, response);
394 : }
395 13 : status = libspdm_process_opaque_data_supported_version_data(
396 : spdm_context, opaque_data_length, cptr);
397 13 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
398 0 : return libspdm_generate_error_response(spdm_context,
399 : SPDM_ERROR_CODE_INVALID_REQUEST, 0,
400 : response_size, response);
401 : }
402 : }
403 :
404 13 : opaque_key_exchange_rsp_size =
405 13 : libspdm_get_opaque_data_version_selection_data_size(spdm_context);
406 :
407 13 : libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
408 13 : spdm_request->header.request_response_code);
409 :
410 13 : if (libspdm_is_capabilities_flag_supported(
411 : spdm_context, false,
412 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
413 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
414 3 : hmac_size = 0;
415 : }
416 :
417 13 : total_size = sizeof(spdm_key_exchange_response_t) + rsp_key_exchage_size +
418 13 : measurement_summary_hash_size + sizeof(uint16_t) +
419 13 : opaque_key_exchange_rsp_size + signature_size + hmac_size;
420 :
421 13 : LIBSPDM_ASSERT(*response_size >= total_size);
422 13 : *response_size = total_size;
423 13 : libspdm_zero_mem(response, *response_size);
424 13 : spdm_response = response;
425 :
426 13 : spdm_response->header.spdm_version = spdm_request->header.spdm_version;
427 13 : spdm_response->header.request_response_code = SPDM_KEY_EXCHANGE_RSP;
428 :
429 13 : if (libspdm_is_capabilities_flag_supported(
430 : spdm_context, false,
431 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
432 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
433 0 : spdm_response->header.param1 = spdm_context->local_context.heartbeat_period;
434 : } else {
435 13 : spdm_response->header.param1 = 0x00;
436 : }
437 :
438 13 : req_session_id = spdm_request->req_session_id;
439 13 : rsp_session_id = libspdm_allocate_rsp_session_id(spdm_context, false);
440 13 : if (rsp_session_id == ((INVALID_SESSION_ID & 0xFFFF0000) >> 16)) {
441 0 : return libspdm_generate_error_response(
442 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
443 : response_size, response);
444 : }
445 13 : session_id = libspdm_generate_session_id(req_session_id, rsp_session_id);
446 13 : session_info = libspdm_assign_session_id(spdm_context, session_id, false);
447 13 : if (session_info == NULL) {
448 0 : return libspdm_generate_error_response(
449 : spdm_context, SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED, 0,
450 : response_size, response);
451 : }
452 :
453 13 : if (libspdm_is_capabilities_flag_supported(
454 : spdm_context, false,
455 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP,
456 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP)) {
457 0 : session_info->heartbeat_period = spdm_context->local_context.heartbeat_period;
458 : } else {
459 13 : session_info->heartbeat_period = 0x00;
460 : }
461 :
462 13 : spdm_response->rsp_session_id = rsp_session_id;
463 13 : spdm_response->mut_auth_requested = 0;
464 :
465 13 : if (libspdm_is_capabilities_flag_supported(
466 : spdm_context, false,
467 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP,
468 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
469 0 : spdm_response->mut_auth_requested =
470 0 : spdm_context->local_context.mut_auth_requested;
471 13 : } else if (spdm_context->local_context.mandatory_mut_auth) {
472 2 : LIBSPDM_ASSERT(spdm_context->local_context.capability.flags &
473 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
474 2 : if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
475 1 : return libspdm_generate_error_response(spdm_context,
476 : SPDM_ERROR_CODE_INVALID_POLICY, 0,
477 : response_size, response);
478 : } else {
479 1 : return libspdm_generate_error_response(spdm_context,
480 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
481 : response_size, response);
482 : }
483 : }
484 :
485 11 : if (spdm_response->mut_auth_requested != 0) {
486 : #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
487 0 : spdm_context->connection_info.peer_used_cert_chain_slot_id =
488 0 : spdm_context->encap_context.req_slot_id;
489 0 : libspdm_init_mut_auth_encap_state(spdm_context, spdm_response->mut_auth_requested);
490 0 : if (spdm_response->mut_auth_requested == SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED) {
491 : /* no need to libspdm_init_mut_auth_encap_state() because of no ENCAP message */
492 0 : spdm_response->req_slot_id_param = spdm_context->encap_context.req_slot_id & 0xF;
493 : } else {
494 : /* req_slot_id is always 0 if ENCAP message is needed */
495 0 : spdm_response->req_slot_id_param = 0;
496 : }
497 : #else
498 : spdm_response->mut_auth_requested = 0;
499 : spdm_response->req_slot_id_param = 0;
500 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
501 : } else {
502 11 : spdm_response->req_slot_id_param = 0;
503 : }
504 :
505 11 : if (!libspdm_get_random_number(SPDM_RANDOM_DATA_SIZE, spdm_response->random_data)) {
506 0 : libspdm_free_session_id(spdm_context, session_id);
507 0 : return libspdm_generate_error_response(spdm_context,
508 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
509 : response_size, response);
510 : }
511 :
512 11 : ptr = (void *)(spdm_response + 1);
513 11 : if (spdm_context->connection_info.algorithm.kem_alg != 0) {
514 0 : kem_context = libspdm_secured_message_kem_new(
515 0 : spdm_context->connection_info.version,
516 : spdm_context->connection_info.algorithm.kem_alg, false);
517 0 : if (kem_context == NULL) {
518 0 : libspdm_free_session_id(spdm_context, session_id);
519 0 : return libspdm_generate_error_response(spdm_context,
520 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
521 : response_size, response);
522 : }
523 :
524 0 : result = libspdm_secured_message_kem_encapsulate(
525 : spdm_context->connection_info.algorithm.kem_alg,
526 : kem_context,
527 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
528 : kem_encap_key_size, ptr, &kem_cipher_text_size, session_info->secured_message_context);
529 0 : libspdm_secured_message_kem_free(
530 : spdm_context->connection_info.algorithm.kem_alg,
531 : kem_context);
532 0 : if (!result) {
533 0 : libspdm_free_session_id(spdm_context, session_id);
534 0 : return libspdm_generate_error_response(spdm_context,
535 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
536 : response_size, response);
537 : }
538 :
539 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc Self cipher_text (0x%zx):\n", kem_cipher_text_size));
540 0 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, kem_cipher_text_size);
541 :
542 0 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer encap_key (0x%zx):\n", kem_encap_key_size));
543 0 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
544 : sizeof(spdm_key_exchange_request_t),
545 : kem_encap_key_size);
546 :
547 0 : ptr += kem_cipher_text_size;
548 : } else {
549 11 : dhe_context = libspdm_secured_message_dhe_new(
550 11 : spdm_context->connection_info.version,
551 11 : spdm_context->connection_info.algorithm.dhe_named_group, false);
552 11 : if (dhe_context == NULL) {
553 0 : libspdm_free_session_id(spdm_context, session_id);
554 0 : return libspdm_generate_error_response(spdm_context,
555 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
556 : response_size, response);
557 : }
558 :
559 11 : result = libspdm_secured_message_dhe_generate_key(
560 11 : spdm_context->connection_info.algorithm.dhe_named_group,
561 : dhe_context, ptr, &dhe_key_size);
562 11 : if (!result) {
563 0 : libspdm_secured_message_dhe_free(
564 0 : spdm_context->connection_info.algorithm.dhe_named_group,
565 : dhe_context);
566 0 : libspdm_free_session_id(spdm_context, session_id);
567 0 : return libspdm_generate_error_response(spdm_context,
568 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
569 : response_size, response);
570 : }
571 :
572 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc SelfKey (0x%zx):\n", dhe_key_size));
573 11 : LIBSPDM_INTERNAL_DUMP_HEX(ptr, dhe_key_size);
574 :
575 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "Calc peer_key (0x%zx):\n", dhe_key_size));
576 11 : LIBSPDM_INTERNAL_DUMP_HEX((const uint8_t *)request +
577 : sizeof(spdm_key_exchange_request_t),
578 : dhe_key_size);
579 :
580 11 : result = libspdm_secured_message_dhe_compute_key(
581 11 : spdm_context->connection_info.algorithm.dhe_named_group,
582 : dhe_context,
583 : (const uint8_t *)request + sizeof(spdm_key_exchange_request_t),
584 : dhe_key_size, session_info->secured_message_context);
585 11 : libspdm_secured_message_dhe_free(
586 11 : spdm_context->connection_info.algorithm.dhe_named_group, dhe_context);
587 11 : if (!result) {
588 0 : libspdm_free_session_id(spdm_context, session_id);
589 0 : return libspdm_generate_error_response(spdm_context,
590 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
591 : response_size, response);
592 : }
593 :
594 11 : ptr += dhe_key_size;
595 : }
596 :
597 : #if LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP
598 11 : if (libspdm_is_capabilities_flag_supported(
599 2 : spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP) &&
600 2 : ((spdm_request->header.param1 == SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH) ||
601 1 : (spdm_request->header.param1 == SPDM_REQUEST_ALL_MEASUREMENTS_HASH))) {
602 2 : result = libspdm_generate_measurement_summary_hash(
603 : #if LIBSPDM_HAL_PASS_SPDM_CONTEXT
604 : spdm_context,
605 : #endif /* LIBSPDM_HAL_PASS_SPDM_CONTEXT */
606 2 : spdm_context->connection_info.version,
607 : spdm_context->connection_info.algorithm.base_hash_algo,
608 2 : spdm_context->connection_info.algorithm.measurement_spec,
609 : spdm_context->connection_info.algorithm.measurement_hash_algo,
610 2 : spdm_request->header.param1,
611 : ptr,
612 : measurement_summary_hash_size);
613 :
614 2 : if (!result) {
615 0 : libspdm_free_session_id(spdm_context, session_id);
616 0 : return libspdm_generate_error_response(spdm_context,
617 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
618 : response_size, response);
619 : }
620 : }
621 : #endif /* LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP */
622 :
623 11 : ptr += measurement_summary_hash_size;
624 :
625 11 : libspdm_write_uint16(ptr, (uint16_t)opaque_key_exchange_rsp_size);
626 11 : ptr += sizeof(uint16_t);
627 11 : libspdm_build_opaque_data_version_selection_data(
628 : spdm_context, &opaque_key_exchange_rsp_size, ptr);
629 11 : ptr += opaque_key_exchange_rsp_size;
630 :
631 11 : if (slot_id != 0xFF) {
632 10 : spdm_context->connection_info.local_used_cert_chain_buffer =
633 10 : spdm_context->local_context.local_cert_chain_provision[slot_id];
634 10 : spdm_context->connection_info.local_used_cert_chain_buffer_size =
635 10 : spdm_context->local_context.local_cert_chain_provision_size[slot_id];
636 : }
637 :
638 11 : status = libspdm_append_message_k(spdm_context, session_info, false, request, request_size);
639 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
640 0 : libspdm_free_session_id(spdm_context, session_id);
641 0 : return libspdm_generate_error_response(spdm_context,
642 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
643 : response_size, response);
644 : }
645 :
646 11 : status = libspdm_append_message_k(spdm_context, session_info, false, spdm_response,
647 11 : (size_t)ptr - (size_t)spdm_response);
648 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
649 0 : libspdm_free_session_id(spdm_context, session_id);
650 0 : return libspdm_generate_error_response(spdm_context,
651 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
652 : response_size, response);
653 : }
654 11 : result = libspdm_generate_key_exchange_rsp_signature(spdm_context, session_info, ptr);
655 11 : if (!result) {
656 0 : libspdm_free_session_id(spdm_context, session_id);
657 0 : return libspdm_generate_error_response(
658 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
659 : 0, response_size, response);
660 : }
661 :
662 11 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, signature_size);
663 11 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
664 0 : libspdm_free_session_id(spdm_context, session_id);
665 0 : return libspdm_generate_error_response(spdm_context,
666 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
667 : response_size, response);
668 : }
669 :
670 11 : LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "libspdm_generate_session_handshake_key[%x]\n", session_id));
671 11 : result = libspdm_calculate_th1_hash(spdm_context, session_info, false, th1_hash_data);
672 11 : if (!result) {
673 0 : libspdm_free_session_id(spdm_context, session_id);
674 0 : return libspdm_generate_error_response(spdm_context,
675 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
676 : response_size, response);
677 : }
678 11 : result = libspdm_generate_session_handshake_key(
679 : session_info->secured_message_context, th1_hash_data);
680 11 : if (!result) {
681 0 : libspdm_free_session_id(spdm_context, session_id);
682 0 : return libspdm_generate_error_response(spdm_context,
683 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
684 : response_size, response);
685 : }
686 :
687 11 : ptr += signature_size;
688 :
689 11 : if (!libspdm_is_capabilities_flag_supported(
690 : spdm_context, false,
691 : SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP,
692 : SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP)) {
693 8 : result = libspdm_generate_key_exchange_rsp_hmac(spdm_context, session_info, ptr);
694 8 : if (!result) {
695 0 : libspdm_free_session_id(spdm_context, session_id);
696 0 : return libspdm_generate_error_response(
697 : spdm_context,
698 : SPDM_ERROR_CODE_UNSPECIFIED,
699 : 0, response_size, response);
700 : }
701 8 : status = libspdm_append_message_k(spdm_context, session_info, false, ptr, hmac_size);
702 8 : if (LIBSPDM_STATUS_IS_ERROR(status)) {
703 0 : libspdm_free_session_id(spdm_context, session_id);
704 0 : return libspdm_generate_error_response(
705 : spdm_context, SPDM_ERROR_CODE_UNSPECIFIED,
706 : 0, response_size, response);
707 : }
708 :
709 8 : ptr += hmac_size;
710 : }
711 :
712 : #if LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP
713 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
714 1 : if ((spdm_request->session_policy &
715 : SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_EVENT_ALL_POLICY) != 0) {
716 1 : if (!libspdm_event_subscribe(spdm_context, spdm_context->connection_info.version,
717 : session_id, LIBSPDM_EVENT_SUBSCRIBE_ALL, 0, 0, NULL)) {
718 0 : libspdm_free_session_id(spdm_context, session_id);
719 0 : return libspdm_generate_error_response(spdm_context,
720 : SPDM_ERROR_CODE_UNSPECIFIED, 0,
721 : response_size, response);
722 : }
723 : }
724 : }
725 : #endif /* LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP */
726 :
727 11 : session_info->mut_auth_requested = spdm_response->mut_auth_requested;
728 11 : if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
729 3 : session_info->session_policy = spdm_request->session_policy;
730 : }
731 11 : libspdm_set_session_state(spdm_context, session_id, LIBSPDM_SESSION_STATE_HANDSHAKING);
732 :
733 11 : return LIBSPDM_STATUS_SUCCESS;
734 : }
735 :
736 : #endif /* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP */
|