DMTF · jyao1 · Nov 12, 2024
@@ -580,6 +580,9 @@ if(NOT ENABLE_BINARY_BUILD STREQUAL "1")
     endif()
 endif()
 
+    ADD_SUBDIRECTORY(${LIBSPDM_DIR}/os_stub/oqslib out/oqslib.out)
+    ADD_SUBDIRECTORY(${LIBSPDM_DIR}/os_stub/pqccryptlib_oqs out/pqccryptlib_oqs.out)
+
     ADD_SUBDIRECTORY(library/spdm_device_secret_lib_dump)
     ADD_SUBDIRECTORY(${LIBSPDM_DIR}/library/spdm_common_lib out/spdm_common_lib.out)
     ADD_SUBDIRECTORY(${LIBSPDM_DIR}/library/spdm_requester_lib out/spdm_requester_lib.out)

@@ -23,8 +23,9 @@ This document describes spdm_dump tool. It can be used to parse the SPDM message
          [-x] (dump message in hex)
          [--psk <pre-shared key>]
          [--dhe_secret <session DHE secret>]
-         [--req_cap       CERT|CHAL|                                ENCRYPT|MAC|MUT_AUTH|KEY_EX|PSK|                 ENCAP|HBEAT|KEY_UPD|HANDSHAKE_IN_CLEAR|PUB_KEY_ID|                                EP_INFO_NO_SIG|EP_INFO_SIG|    EVENT|MULTI_KEY_ONLY|MULTI_KEY_NEG]
-         [--rsp_cap CACHE|CERT|CHAL|MEAS_NO_SIG|MEAS_SIG|MEAS_FRESH|ENCRYPT|MAC|MUT_AUTH|KEY_EX|PSK|PSK_WITH_CONTEXT|ENCAP|HBEAT|KEY_UPD|HANDSHAKE_IN_CLEAR|PUB_KEY_ID|SET_CERT|CSR|CERT_INSTALL_RESET|EP_INFO_NO_SIG|EP_INFO_SIG|MEL|EVENT|MULTI_KEY_ONLY|MULTI_KEY_NEG|GET_KEY_PAIR_INFO|SET_KEY_PAIR_INFO]
+         [--kem_secret <session KEM secret>]
+         [--req_cap       CERT|CHAL|                                ENCRYPT|MAC|MUT_AUTH|KEY_EX|PSK|                 ENCAP|HBEAT|KEY_UPD|HANDSHAKE_IN_CLEAR|PUB_KEY_ID|                                EP_INFO_NO_SIG|EP_INFO_SIG|    EVENT|MULTI_KEY_ONLY|MULTI_KEY_NEG|                                                       LARGE_CERT]
+         [--rsp_cap CACHE|CERT|CHAL|MEAS_NO_SIG|MEAS_SIG|MEAS_FRESH|ENCRYPT|MAC|MUT_AUTH|KEY_EX|PSK|PSK_WITH_CONTEXT|ENCAP|HBEAT|KEY_UPD|HANDSHAKE_IN_CLEAR|PUB_KEY_ID|SET_CERT|CSR|CERT_INSTALL_RESET|EP_INFO_NO_SIG|EP_INFO_SIG|MEL|EVENT|MULTI_KEY_ONLY|MULTI_KEY_NEG|GET_KEY_PAIR_INFO|SET_KEY_PAIR_INFO|SET_KEY_PAIR_RESET|LARGE_CERT]
          [--hash SHA_256|SHA_384|SHA_512|SHA3_256|SHA3_384|SHA3_512|SM3_256]
          [--meas_spec DMTF]
          [--meas_hash RAW_BIT|SHA_256|SHA_384|SHA_512|SHA3_256|SHA3_384|SHA3_512|SM3_256]
@@ -47,7 +48,7 @@ This document describes spdm_dump tool. It can be used to parse the SPDM message
 
       NOTE:
          [--psk] is required to decrypt a PSK session
-         [--dhe_secret] is required to decrypt a non-PSK session
+         [--dhe_secret] or [--kem_secret] is required to decrypt a non-PSK session
             Format: A hex string, whose count of char must be even.
                   It must not have prefix '0x'. The leading '0' must be included.
                   '0123CDEF' means 4 bytes 0x01, 0x23, 0xCD, 0xEF,
@@ -149,14 +150,16 @@ This document describes spdm_dump tool. It can be used to parse the SPDM message
       ......
    ```
 
-2. In order to dump the SPDM secure session, you need use `--psk` or `--dhe_secret`.
+2. In order to dump the SPDM secure session, you need use `--psk`, `--dhe_secret` or `--kem_secret`.
 
    The DHE secret can be found from SPDM debug message.
-   Take [spdm_emu](https://github.com/DMTF/spdm-emu/blob/main/doc/spdm_emu.md) tool as an example, a user may use `spdm_requester_emu --pcap SpdmRequester.pcap > SpdmRequester.log` or `spdm_responder_emu --pcap SpdmResponder.pcap > SpdmResponder.log` to get the PCAP file and the log file, search "\[DHE Secret\]" or "\[PSK\]" in the log file to get the HEX string.
+   Take [spdm_emu](https://github.com/DMTF/spdm-emu/blob/main/doc/spdm_emu.md) tool as an example, a user may use `spdm_requester_emu --pcap SpdmRequester.pcap > SpdmRequester.log` or `spdm_responder_emu --pcap SpdmResponder.pcap > SpdmResponder.log` to get the PCAP file and the log file, search "\[DHE Secret\]", "\[KEM Secret\]" or "\[PSK\]" in the log file to get the HEX string.
 
    ```
    [DHE Secret]: c7ac17ee29b6a4f84e978223040b7eddff792477a6f7fc0f51faa553fee58175
    ...
+   [KEM Secret]: d74195f8f57188ccb773de4d95350a9bbe940d035c9aa764c253d495c8ad8d57
+   ...
    [PSK]: 5465737450736b4461746100
    ```
 

@@ -91,6 +91,17 @@ bool libspdm_requester_data_sign(
 {
     return false;
 }
+
+bool libspdm_requester_data_pqc_sign(
+    void *spdm_context,
+    spdm_version_number_t spdm_version, uint8_t op_code,
+    uint32_t req_pqc_asym_alg,
+    uint32_t base_hash_algo, bool is_data_hash,
+    const uint8_t *message, size_t message_size,
+    uint8_t *signature, size_t *sig_size)
+{
+    return false;
+}
 #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 
 bool libspdm_responder_data_sign(
@@ -103,6 +114,17 @@ bool libspdm_responder_data_sign(
     return false;
 }
 
+bool libspdm_responder_data_pqc_sign(
+    void *spdm_context,
+    spdm_version_number_t spdm_version, uint8_t op_code,
+    uint32_t base_pqc_algo,
+    uint32_t base_hash_algo, bool is_data_hash,
+    const uint8_t *message, size_t message_size,
+    uint8_t *signature, size_t *sig_size)
+{
+    return false;
+}
+
 #if LIBSPDM_ENABLE_CAPABILITY_PSK_CAP
 
 void *m_spdm_dump_psk;

@@ -31,6 +31,8 @@ SET(spdm_dump_LIBRARY
     ${CRYPTO_LIB_PATHS}
     rnglib
     cryptlib_${CRYPTO}
+    oqslib
+    pqccryptlib_oqs
     malloclib
     spdm_crypt_lib
     spdm_secured_message_lib

@@ -15,8 +15,13 @@ extern size_t m_peer_cert_chain_buffer_size;
 extern void *m_spdm_dump_psk;
 extern size_t m_spdm_dump_psk_size;
 
+extern uint16_t m_spdm_dhe_named_group;
+extern uint32_t m_spdm_kem_alg;
+
 void *m_dhe_secret_buffer[LIBSPDM_MAX_SESSION_COUNT] = {NULL};
 size_t m_dhe_secret_buffer_size[LIBSPDM_MAX_SESSION_COUNT] = {0};
+void *m_kem_secret_buffer[LIBSPDM_MAX_SESSION_COUNT] = {NULL};
+size_t m_kem_secret_buffer_size[LIBSPDM_MAX_SESSION_COUNT] = {0};
 void *m_psk_buffer[LIBSPDM_MAX_SESSION_COUNT] = {NULL};
 size_t m_psk_buffer_size[LIBSPDM_MAX_SESSION_COUNT] = {0};
 uint8_t m_responder_cert_chain_slot_id = 0;
@@ -25,6 +30,7 @@ uint8_t m_requester_cert_chain_slot_id = 0;
 
 /*current used key index, index++ when finish command dump complete*/
 uint8_t m_dhe_secret_buffer_count = 0;
+uint8_t m_kem_secret_buffer_count = 0;
 uint8_t m_psk_secret_buffer_count = 0;
 
 void spdm_dump_set_session_info_use_psk (void *spdm_session_info, bool use_psk)
@@ -90,13 +96,24 @@ libspdm_return_t spdm_dump_session_data_provision(void *spdm_context,
                      &parameter, &mut_auth_requested, &data_size);
 
     if (!use_psk) {
-        if (m_dhe_secret_buffer[m_dhe_secret_buffer_count] == NULL ||
-            m_dhe_secret_buffer_size[m_dhe_secret_buffer_count] == 0) {
-            return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+        if (m_spdm_dhe_named_group != 0) {
+            if (m_dhe_secret_buffer[m_dhe_secret_buffer_count] == NULL ||
+                m_dhe_secret_buffer_size[m_dhe_secret_buffer_count] == 0) {
+                return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+            }
+            libspdm_secured_message_import_dhe_secret(
+                secured_message_context, m_dhe_secret_buffer[m_dhe_secret_buffer_count],
+                m_dhe_secret_buffer_size[m_dhe_secret_buffer_count]);
+        }
+        if (m_spdm_kem_alg != 0) {
+            if (m_kem_secret_buffer[m_kem_secret_buffer_count] == NULL ||
+                m_kem_secret_buffer_size[m_kem_secret_buffer_count] == 0) {
+                return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+            }
+            libspdm_secured_message_import_kem_secret(
+                secured_message_context, m_kem_secret_buffer[m_kem_secret_buffer_count],
+                m_kem_secret_buffer_size[m_kem_secret_buffer_count]);
         }
-        libspdm_secured_message_import_dhe_secret(
-            secured_message_context, m_dhe_secret_buffer[m_dhe_secret_buffer_count],
-            m_dhe_secret_buffer_size[m_dhe_secret_buffer_count]);
 
         hash_size = libspdm_get_hash_size(m_spdm_base_hash_algo);
 
@@ -146,7 +163,6 @@ libspdm_return_t spdm_dump_session_data_provision(void *spdm_context,
                             (uint16_t)(
                                 m_requester_cert_chain_data_size[m_requester_cert_chain_slot_id] +
                                 cert_chain_offset);
-                        cert_chain_header->reserved = 0;
                         res = libspdm_x509_get_cert_from_cert_chain(
                                 m_requester_cert_chain_data[m_requester_cert_chain_slot_id],
                                 m_requester_cert_chain_data_size[m_requester_cert_chain_slot_id],
@@ -203,7 +219,6 @@ libspdm_return_t spdm_dump_session_data_provision(void *spdm_context,
                             (uint16_t)(
                                 m_responder_cert_chain_data_size[m_responder_cert_chain_slot_id] +
                                 cert_chain_offset);
-                        cert_chain_header->reserved = 0;
                         res = libspdm_x509_get_cert_from_cert_chain(
                                 m_responder_cert_chain_data[m_responder_cert_chain_slot_id],
                                 m_responder_cert_chain_data_size[m_responder_cert_chain_slot_id],
@@ -379,9 +394,17 @@ libspdm_return_t spdm_dump_session_data_check(void *spdm_context,
                      &parameter, &mut_auth_requested, &data_size);
 
     if (!use_psk) {
-        if (m_dhe_secret_buffer[m_dhe_secret_buffer_count] == NULL ||
-            m_dhe_secret_buffer_size[m_dhe_secret_buffer_count] == 0) {
-            return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+        if (m_spdm_dhe_named_group != 0) {
+            if (m_dhe_secret_buffer[m_dhe_secret_buffer_count] == NULL ||
+                m_dhe_secret_buffer_size[m_dhe_secret_buffer_count] == 0) {
+                return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+            }
+        }
+        if (m_spdm_kem_alg != 0) {
+            if (m_kem_secret_buffer[m_kem_secret_buffer_count] == NULL ||
+                m_kem_secret_buffer_size[m_kem_secret_buffer_count] == 0) {
+                return LIBSPDM_STATUS_INVALID_STATE_LOCAL;
+            }
         }
         if (is_requester) {
             if (mut_auth_requested) {