Skip to content

Commit a887f55

Browse files
jyao1jyao1
committed
Add 1.3 DIGEST handling
Signed-off-by: Jiewen Yao <[email protected]>
1 parent 69946ef commit a887f55

File tree

5 files changed

+227
-9
lines changed

5 files changed

+227
-9
lines changed

include/internal/libspdm_common_lib.h

+10-1
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,10 @@ typedef struct {
8080
/* My Certificate */
8181
const void *local_cert_chain_provision[SPDM_MAX_SLOT_COUNT];
8282
size_t local_cert_chain_provision_size[SPDM_MAX_SLOT_COUNT];
83+
uint8_t local_supported_slot_mask;
84+
spdm_key_pair_id_t local_key_pair_id[SPDM_MAX_SLOT_COUNT];
85+
spdm_certificate_info_t local_cert_info[SPDM_MAX_SLOT_COUNT];
86+
spdm_key_usage_bit_mask_t local_key_usage_bit_mask[SPDM_MAX_SLOT_COUNT];
8387
/* My raw public key (slot_id - 0xFF) */
8488
const void *local_public_key_provision;
8589
size_t local_public_key_provision_size;
@@ -114,9 +118,14 @@ typedef struct {
114118
spdm_version_number_t secured_message_version;
115119

116120
/* Peer digests buffer */
117-
uint8_t peer_digest_slot_mask;
121+
uint8_t peer_provisioned_slot_mask;
122+
uint8_t peer_supported_slot_mask;
118123
uint8_t peer_total_digest_buffer[LIBSPDM_MAX_HASH_SIZE * SPDM_MAX_SLOT_COUNT];
119124

125+
spdm_key_pair_id_t peer_key_pair_id[SPDM_MAX_SLOT_COUNT];
126+
spdm_certificate_info_t peer_cert_info[SPDM_MAX_SLOT_COUNT];
127+
spdm_key_usage_bit_mask_t peer_key_usage_bit_mask[SPDM_MAX_SLOT_COUNT];
128+
120129
/* Peer CertificateChain */
121130
libspdm_peer_used_cert_chain_t peer_used_cert_chain[SPDM_MAX_SLOT_COUNT];
122131
uint8_t peer_used_cert_chain_slot_id;

include/library/spdm_common_lib.h

+9
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,10 @@ typedef enum {
6464
LIBSPDM_DATA_PEER_PUBLIC_ROOT_CERT,
6565
LIBSPDM_DATA_PEER_PUBLIC_KEY,
6666
LIBSPDM_DATA_LOCAL_PUBLIC_KEY,
67+
LIBSPDM_DATA_LOCAL_SUPPORTED_SLOT_MASK,
68+
LIBSPDM_DATA_LOCAL_KEY_PAIR_ID,
69+
LIBSPDM_DATA_LOCAL_CERT_INFO,
70+
LIBSPDM_DATA_LOCAL_KEY_USAGE_BIT_MASK,
6771

6872
LIBSPDM_DATA_BASIC_MUT_AUTH_REQUESTED,
6973
LIBSPDM_DATA_MUT_AUTH_REQUESTED,
@@ -72,7 +76,12 @@ typedef enum {
7276
/* Negotiated result */
7377
LIBSPDM_DATA_PEER_USED_CERT_CHAIN_BUFFER,
7478
LIBSPDM_DATA_PEER_SLOT_MASK,
79+
LIBSPDM_DATA_PEER_PROVISIONED_SLOT_MASK = LIBSPDM_DATA_PEER_SLOT_MASK,
80+
LIBSPDM_DATA_PEER_SUPPORTED_SLOT_MASK,
7581
LIBSPDM_DATA_PEER_TOTAL_DIGEST_BUFFER,
82+
LIBSPDM_DATA_PEER_KEY_PAIR_ID,
83+
LIBSPDM_DATA_PEER_CERT_INFO,
84+
LIBSPDM_DATA_PEER_KEY_USAGE_BIT_MASK,
7685

7786
/* SessionData */
7887
LIBSPDM_DATA_SESSION_USE_PSK,

library/spdm_common_lib/libspdm_com_context_data.c

+94-3
Original file line numberDiff line numberDiff line change
@@ -477,6 +477,56 @@ libspdm_return_t libspdm_set_data(void *spdm_context, libspdm_data_type_t data_t
477477
context->local_context.local_cert_chain_provision_size[slot_id] = data_size;
478478
context->local_context.local_cert_chain_provision[slot_id] = data;
479479
break;
480+
case LIBSPDM_DATA_LOCAL_SUPPORTED_SLOT_MASK:
481+
if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
482+
return LIBSPDM_STATUS_INVALID_PARAMETER;
483+
}
484+
slot_id = parameter->additional_data[0];
485+
if (data_size != sizeof(uint8_t)) {
486+
return LIBSPDM_STATUS_INVALID_PARAMETER;
487+
}
488+
context->local_context.local_supported_slot_mask = *(uint8_t *)data;
489+
break;
490+
case LIBSPDM_DATA_LOCAL_KEY_PAIR_ID:
491+
if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
492+
return LIBSPDM_STATUS_INVALID_PARAMETER;
493+
}
494+
slot_id = parameter->additional_data[0];
495+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
496+
return LIBSPDM_STATUS_INVALID_PARAMETER;
497+
}
498+
if (data_size != sizeof(spdm_key_pair_id_t)) {
499+
return LIBSPDM_STATUS_INVALID_PARAMETER;
500+
}
501+
context->local_context.local_key_pair_id[slot_id] = *(spdm_key_pair_id_t *)data;
502+
break;
503+
case LIBSPDM_DATA_LOCAL_CERT_INFO:
504+
if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
505+
return LIBSPDM_STATUS_INVALID_PARAMETER;
506+
}
507+
slot_id = parameter->additional_data[0];
508+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
509+
return LIBSPDM_STATUS_INVALID_PARAMETER;
510+
}
511+
if (data_size != sizeof(spdm_certificate_info_t)) {
512+
return LIBSPDM_STATUS_INVALID_PARAMETER;
513+
}
514+
context->local_context.local_cert_info[slot_id] = *(spdm_certificate_info_t *)data;
515+
break;
516+
case LIBSPDM_DATA_LOCAL_KEY_USAGE_BIT_MASK:
517+
if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
518+
return LIBSPDM_STATUS_INVALID_PARAMETER;
519+
}
520+
slot_id = parameter->additional_data[0];
521+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
522+
return LIBSPDM_STATUS_INVALID_PARAMETER;
523+
}
524+
if (data_size != sizeof(spdm_key_usage_bit_mask_t)) {
525+
return LIBSPDM_STATUS_INVALID_PARAMETER;
526+
}
527+
context->local_context.local_key_usage_bit_mask[slot_id] =
528+
libspdm_read_uint16((const uint8_t *)data);
529+
break;
480530
case LIBSPDM_DATA_PEER_USED_CERT_CHAIN_BUFFER:
481531
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
482532
return LIBSPDM_STATUS_INVALID_PARAMETER;
@@ -775,6 +825,7 @@ libspdm_return_t libspdm_get_data(void *spdm_context, libspdm_data_type_t data_t
775825
libspdm_session_info_t *session_info;
776826
size_t digest_size;
777827
size_t digest_count;
828+
uint8_t slot_id;
778829
size_t index;
779830

780831
if (spdm_context == NULL || data == NULL || data_size == NULL ||
@@ -949,27 +1000,67 @@ libspdm_return_t libspdm_get_data(void *spdm_context, libspdm_data_type_t data_t
9491000
target_data_size = sizeof(libspdm_response_state_t);
9501001
target_data = &context->response_state;
9511002
break;
952-
case LIBSPDM_DATA_PEER_SLOT_MASK:
1003+
case LIBSPDM_DATA_PEER_PROVISIONED_SLOT_MASK:
9531004
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
9541005
return LIBSPDM_STATUS_INVALID_PARAMETER;
9551006
}
9561007
target_data_size = sizeof(uint8_t);
957-
target_data = &context->connection_info.peer_digest_slot_mask;
1008+
target_data = &context->connection_info.peer_provisioned_slot_mask;
1009+
break;
1010+
case LIBSPDM_DATA_PEER_SUPPORTED_SLOT_MASK:
1011+
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
1012+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1013+
}
1014+
target_data_size = sizeof(uint8_t);
1015+
target_data = &context->connection_info.peer_supported_slot_mask;
9581016
break;
9591017
case LIBSPDM_DATA_PEER_TOTAL_DIGEST_BUFFER:
9601018
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
9611019
return LIBSPDM_STATUS_INVALID_PARAMETER;
9621020
}
9631021
digest_count = 0;
9641022
for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
965-
if (context->connection_info.peer_digest_slot_mask & (1 << index)) {
1023+
if (context->connection_info.peer_provisioned_slot_mask & (1 << index)) {
9661024
digest_count++;
9671025
}
9681026
}
9691027
digest_size = libspdm_get_hash_size(context->connection_info.algorithm.base_hash_algo);
9701028
target_data_size = digest_size * digest_count;
9711029
target_data = context->connection_info.peer_total_digest_buffer;
9721030
break;
1031+
case LIBSPDM_DATA_PEER_KEY_PAIR_ID:
1032+
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
1033+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1034+
}
1035+
slot_id = parameter->additional_data[0];
1036+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
1037+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1038+
}
1039+
target_data_size = sizeof(spdm_key_pair_id_t);
1040+
target_data = &context->connection_info.peer_key_pair_id[slot_id];
1041+
break;
1042+
case LIBSPDM_DATA_PEER_CERT_INFO:
1043+
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
1044+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1045+
}
1046+
slot_id = parameter->additional_data[0];
1047+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
1048+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1049+
}
1050+
target_data_size = sizeof(spdm_certificate_info_t);
1051+
target_data = &context->connection_info.peer_cert_info[slot_id];
1052+
break;
1053+
case LIBSPDM_DATA_PEER_KEY_USAGE_BIT_MASK:
1054+
if (parameter->location != LIBSPDM_DATA_LOCATION_CONNECTION) {
1055+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1056+
}
1057+
slot_id = parameter->additional_data[0];
1058+
if (slot_id >= SPDM_MAX_SLOT_COUNT) {
1059+
return LIBSPDM_STATUS_INVALID_PARAMETER;
1060+
}
1061+
target_data_size = sizeof(spdm_key_usage_bit_mask_t);
1062+
target_data = &context->connection_info.peer_key_usage_bit_mask[slot_id];
1063+
break;
9731064
case LIBSPDM_DATA_SESSION_USE_PSK:
9741065
target_data_size = sizeof(bool);
9751066
target_data = &session_info->use_psk;

library/spdm_requester_lib/libspdm_req_get_digests.c

+84-3
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@
1212
typedef struct {
1313
spdm_message_header_t header;
1414
uint8_t digest[LIBSPDM_MAX_HASH_SIZE * SPDM_MAX_SLOT_COUNT];
15+
spdm_key_pair_id_t key_pair_id[SPDM_MAX_SLOT_COUNT];
16+
spdm_certificate_info_t cert_info[SPDM_MAX_SLOT_COUNT];
17+
spdm_key_usage_bit_mask_t key_usage_bit_mask[SPDM_MAX_SLOT_COUNT];
1518
} libspdm_digests_response_max_t;
1619
#pragma pack()
1720

@@ -59,6 +62,12 @@ static libspdm_return_t libspdm_try_get_digest(libspdm_context_t *spdm_context,
5962
size_t transport_header_size;
6063
libspdm_session_info_t *session_info;
6164
libspdm_session_state_t session_state;
65+
size_t additional_size;
66+
spdm_key_pair_id_t *key_pair_id;
67+
spdm_certificate_info_t *cert_info;
68+
spdm_key_usage_bit_mask_t *key_usage_bit_mask;
69+
size_t slot_index;
70+
uint8_t cert_model;
6271

6372
/* -=[Verify State Phase]=- */
6473
if (!libspdm_is_capabilities_flag_supported(
@@ -159,6 +168,18 @@ static libspdm_return_t libspdm_try_get_digest(libspdm_context_t *spdm_context,
159168
*slot_mask = spdm_response->header.param2;
160169
}
161170

171+
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "provisioned_slot_mask - 0x%02x\n",
172+
spdm_response->header.param2));
173+
if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
174+
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "supported_slot_mask - 0x%02x\n",
175+
spdm_response->header.param1));
176+
if ((spdm_response->header.param1 & spdm_response->header.param2) !=
177+
spdm_response->header.param2) {
178+
status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
179+
goto receive_done;
180+
}
181+
}
182+
162183
digest_count = 0;
163184
for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
164185
if (spdm_response->header.param2 & (1 << index)) {
@@ -170,11 +191,19 @@ static libspdm_return_t libspdm_try_get_digest(libspdm_context_t *spdm_context,
170191
goto receive_done;
171192
}
172193

173-
if (spdm_response_size < sizeof(spdm_digest_response_t) + digest_count * digest_size) {
194+
additional_size = 0;
195+
if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
196+
spdm_context->connection_info.multi_key_conn_rsp) {
197+
additional_size = sizeof(spdm_key_pair_id_t) + sizeof(spdm_certificate_info_t) +
198+
sizeof(spdm_key_usage_bit_mask_t);
199+
}
200+
if (spdm_response_size <
201+
sizeof(spdm_digest_response_t) + digest_count * (digest_size + additional_size)) {
174202
status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
175203
goto receive_done;
176204
}
177-
spdm_response_size = sizeof(spdm_digest_response_t) + digest_count * digest_size;
205+
spdm_response_size =
206+
sizeof(spdm_digest_response_t) + digest_count * (digest_size + additional_size);
178207

179208
/* -=[Process Response Phase]=- */
180209
if (session_id == NULL) {
@@ -196,22 +225,74 @@ static libspdm_return_t libspdm_try_get_digest(libspdm_context_t *spdm_context,
196225
}
197226
}
198227

228+
key_pair_id =
229+
(spdm_key_pair_id_t *)((uint8_t *)spdm_response->digest + digest_size * digest_count);
230+
cert_info =
231+
(spdm_certificate_info_t *)((uint8_t *)key_pair_id + sizeof(spdm_key_pair_id_t) *
232+
digest_count);
233+
key_usage_bit_mask =
234+
(spdm_key_usage_bit_mask_t *)((uint8_t *)cert_info + sizeof(spdm_certificate_info_t) *
235+
digest_count);
199236
for (index = 0; index < digest_count; index++) {
200237
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "digest (0x%x) - ", index));
201238
LIBSPDM_INTERNAL_DUMP_DATA(&spdm_response->digest[digest_size * index], digest_size);
202239
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "\n"));
203240
}
241+
if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
242+
spdm_context->connection_info.multi_key_conn_rsp) {
243+
for (index = 0; index < digest_count; index++) {
244+
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "key_pair_id (0x%x) - 0x%02x\n", index,
245+
key_pair_id[index]));
246+
}
247+
for (index = 0; index < digest_count; index++) {
248+
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "cert_info (0x%x) - 0x%02x\n", index,
249+
cert_info[index]));
250+
}
251+
for (index = 0; index < digest_count; index++) {
252+
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "key_usage_bit_mask (0x%x) - 0x%04x\n", index,
253+
key_usage_bit_mask[index]));
254+
}
255+
}
204256

205257
if (total_digest_buffer != NULL) {
206258
libspdm_copy_mem(total_digest_buffer, digest_size * digest_count,
207259
spdm_response->digest, digest_size * digest_count);
208260
}
209261

210-
spdm_context->connection_info.peer_digest_slot_mask = spdm_response->header.param2;
262+
spdm_context->connection_info.peer_provisioned_slot_mask = spdm_response->header.param2;
263+
if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
264+
spdm_context->connection_info.peer_supported_slot_mask = spdm_response->header.param1;
265+
} else {
266+
spdm_context->connection_info.peer_supported_slot_mask = spdm_response->header.param2;
267+
}
211268
libspdm_copy_mem(
212269
spdm_context->connection_info.peer_total_digest_buffer,
213270
sizeof(spdm_context->connection_info.peer_total_digest_buffer),
214271
spdm_response->digest, digest_size * digest_count);
272+
libspdm_zero_mem(spdm_context->connection_info.peer_key_pair_id,
273+
sizeof(spdm_context->connection_info.peer_key_pair_id));
274+
libspdm_zero_mem(spdm_context->connection_info.peer_cert_info,
275+
sizeof(spdm_context->connection_info.peer_cert_info));
276+
libspdm_zero_mem(spdm_context->connection_info.peer_key_usage_bit_mask,
277+
sizeof(spdm_context->connection_info.peer_key_usage_bit_mask));
278+
if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
279+
spdm_context->connection_info.multi_key_conn_rsp) {
280+
slot_index = 0;
281+
for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
282+
if (spdm_response->header.param2 & (1 << index)) {
283+
spdm_context->connection_info.peer_key_pair_id[index] = key_pair_id[slot_index];
284+
cert_model = cert_info[slot_index] & SPDM_CERTIFICATE_INFO_CERT_MODEL_MASK;
285+
if (cert_model > SPDM_CERTIFICATE_INFO_CERT_MODEL_GENERIC_CERT) {
286+
status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
287+
goto receive_done;
288+
}
289+
spdm_context->connection_info.peer_cert_info[index] = cert_model;
290+
spdm_context->connection_info.peer_key_usage_bit_mask[index] =
291+
key_usage_bit_mask[slot_index];
292+
slot_index++;
293+
}
294+
}
295+
}
215296

216297
/* -=[Update State Phase]=- */
217298
if (spdm_context->connection_info.connection_state < LIBSPDM_CONNECTION_STATE_AFTER_DIGESTS) {

library/spdm_responder_lib/libspdm_rsp_digests.c

+30-2
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,10 @@ libspdm_return_t libspdm_get_response_digests(libspdm_context_t *spdm_context, s
2727
uint8_t slot_count;
2828
/*populated slot index*/
2929
uint8_t slot_index;
30+
size_t additional_size;
31+
spdm_key_pair_id_t *key_pair_id;
32+
spdm_certificate_info_t *cert_info;
33+
spdm_key_usage_bit_mask_t *key_usage_bit_mask;
3034

3135
spdm_request = request;
3236

@@ -104,9 +108,15 @@ libspdm_return_t libspdm_get_response_digests(libspdm_context_t *spdm_context, s
104108
spdm_context->connection_info.algorithm.base_hash_algo);
105109

106110
slot_count = libspdm_get_cert_slot_count(spdm_context);
111+
additional_size = 0;
112+
if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
113+
spdm_context->connection_info.multi_key_conn_rsp) {
114+
additional_size = sizeof(spdm_key_pair_id_t) + sizeof(spdm_certificate_info_t) +
115+
sizeof(spdm_key_usage_bit_mask_t);
116+
}
107117
LIBSPDM_ASSERT(*response_size >=
108-
sizeof(spdm_digest_response_t) + hash_size * slot_count);
109-
*response_size = sizeof(spdm_digest_response_t) + hash_size * slot_count;
118+
sizeof(spdm_digest_response_t) + (hash_size + additional_size) * slot_count);
119+
*response_size = sizeof(spdm_digest_response_t) + (hash_size + additional_size) * slot_count;
110120
libspdm_zero_mem(response, *response_size);
111121
spdm_response = response;
112122

@@ -115,14 +125,32 @@ libspdm_return_t libspdm_get_response_digests(libspdm_context_t *spdm_context, s
115125
spdm_response->header.param1 = 0;
116126
spdm_response->header.param2 = 0;
117127

128+
if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
129+
spdm_response->header.param1 = spdm_context->local_context.local_supported_slot_mask;
130+
}
131+
118132
digest = (void *)(spdm_response + 1);
133+
key_pair_id = (spdm_key_pair_id_t *)((uint8_t *)digest + hash_size * slot_count);
134+
cert_info = (spdm_certificate_info_t *)((uint8_t *)key_pair_id +
135+
sizeof(spdm_key_pair_id_t) * slot_count);
136+
key_usage_bit_mask = (spdm_key_usage_bit_mask_t *)((uint8_t *)cert_info +
137+
sizeof(spdm_certificate_info_t) *
138+
slot_count);
139+
119140
slot_index = 0;
120141
for (index = 0; index < SPDM_MAX_SLOT_COUNT; index++) {
121142
if (spdm_context->local_context
122143
.local_cert_chain_provision[index] != NULL) {
123144
spdm_response->header.param2 |= (1 << index);
124145
result = libspdm_generate_cert_chain_hash(spdm_context, index,
125146
&digest[hash_size * slot_index]);
147+
if ((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
148+
spdm_context->connection_info.multi_key_conn_rsp) {
149+
key_pair_id[slot_index] = spdm_context->local_context.local_key_pair_id[index];
150+
cert_info[slot_index] = spdm_context->local_context.local_cert_info[index];
151+
key_usage_bit_mask[slot_index] =
152+
spdm_context->local_context.local_key_usage_bit_mask[index];
153+
}
126154
slot_index++;
127155
if (!result) {
128156
return libspdm_generate_error_response(

0 commit comments

Comments
 (0)