
Commit 49ec002

Add peer_used_cert_chain_slot_id to session_info
Fix #3434 Signed-off-by: Steven Bellock <[email protected]>
1 parent 16bbbc7 commit 49ec002

18 files changed

+159
-196
lines changed

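--- a/include/internal/libspdm_common_lib.h
+++ b/include/internal/libspdm_common_lib.h
@@ -474,6 +474,7 @@ typedef struct {
 void *secured_message_context;
 /* Only present in session info as it is currently only used within a secure session. */
 uint8_t local_used_cert_chain_slot_id;
+uint8_t peer_used_cert_chain_slot_id;
 } libspdm_session_info_t;
 
 #define LIBSPDM_MAX_ENCAP_REQUEST_OP_CODE_SEQUENCE_COUNT 3
@@ -1036,6 +1037,7 @@ bool libspdm_generate_challenge_auth_signature(libspdm_context_t *spdm_context,
 * @retval false hash verification fail.
 **/
 bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
+uint8_t slot_id,
 const void *certificate_chain_hash,
 size_t certificate_chain_hash_size);
 
@@ -1066,6 +1068,7 @@ bool libspdm_verify_public_key_hash(libspdm_context_t *spdm_context,
 **/
 bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
 bool is_requester,
+uint8_t slot_id,
 const void *sign_data,
 size_t sign_data_size);
 
@@ -1115,6 +1118,7 @@ bool libspdm_generate_endpoint_info_signature(libspdm_context_t *spdm_context,
 bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
 libspdm_session_info_t *session_info,
 bool is_requester,
+uint8_t slot_id,
 const void *sign_data,
 size_t sign_data_size);
 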
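Review bot: The new `peer_used_cert_chain_slot_id` field in `libspdm_session_info_t` has no comment of its own and sits under the one written for `local_used_cert_chain_slot_id`, so its valid values are undocumented at the point of declaration. Other sections of this commit read it as either an index below `SPDM_MAX_SLOT_COUNT` or 0xFF, in which case the peer public key buffer is used instead of a certificate slot; I would state that at the field, e.g. `/* Slot of the peer certificate chain used for this session; 0xFF means the peer public key is used instead of a slot. */`. The three verify prototypes also gain `slot_id`, and their Doxygen blocks start outside the hunks, so confirm each has a matching `@param slot_id` line.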

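--- a/include/library/spdm_common_lib.h
+++ b/include/library/spdm_common_lib.h
@@ -845,6 +845,7 @@ void *libspdm_get_secured_message_context_via_session_id(void *spdm_context, uin
 **/
 void *libspdm_get_secured_message_context_via_session_info(void *spdm_session_info);
 
+#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 /**
 * This function returns peer certificate chain buffer including spdm_cert_chain_t header.
 *
@@ -855,7 +856,8 @@ void *libspdm_get_secured_message_context_via_session_info(void *spdm_session_in
 * @retval true Peer certificate chain buffer including spdm_cert_chain_t header is returned.
 * @retval false Peer certificate chain buffer including spdm_cert_chain_t header is not found.
 **/
-bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
+void libspdm_get_peer_cert_chain_buffer(void *spdm_context,
+uint8_t slot_id,
 const void **cert_chain_buffer,
 size_t *cert_chain_buffer_size);
 
@@ -869,9 +871,11 @@ bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
 * @retval true Peer certificate chain data without spdm_cert_chain_t header is returned.
 * @retval false Peer certificate chain data without spdm_cert_chain_t header is not found.
 **/
-bool libspdm_get_peer_cert_chain_data(void *spdm_context,
+void libspdm_get_peer_cert_chain_data(void *spdm_context,
+uint8_t slot_id,
 const void **cert_chain_data,
 size_t *cert_chain_data_size);
+#endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
 
 /**
 * This function returns local used certificate chain buffer including spdm_cert_chain_t header.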
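Review bot: The Doxygen blocks above `libspdm_get_peer_cert_chain_buffer` and `libspdm_get_peer_cert_chain_data` still end in `@retval true` / `@retval false` although both functions now return `void`, so this public header documents a "not found" result that callers can no longer observe. I would replace those lines with the precondition the caller now owns, along the lines of `* The caller must pass a slot_id below SPDM_MAX_SLOT_COUNT for which a peer certificate chain has been stored.`, and add `* @param slot_id` if it is missing (the parameter lists begin outside the hunks). Since the header lives under include/library, the changed signatures and the new `#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT` guard are visible to integrators and are worth calling out in the release notes.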

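--- a/library/spdm_common_lib/libspdm_com_context_data.c
+++ b/library/spdm_common_lib/libspdm_com_context_data.c
@@ -1969,7 +1969,7 @@ libspdm_return_t libspdm_append_message_k(libspdm_context_t *spdm_context,
 if (spdm_session_info->session_transcript.digest_context_th == NULL) {
 if (!spdm_session_info->use_psk) {
 if (is_requester) {
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
+slot_id = spdm_session_info->peer_used_cert_chain_slot_id;
 LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
 if (slot_id == 0xFF) {
 result = libspdm_get_peer_public_key_buffer(
@@ -2171,7 +2171,7 @@ libspdm_return_t libspdm_append_message_f(libspdm_context_t *spdm_context,
 return LIBSPDM_STATUS_CRYPTO_ERROR;
 }
 } else {
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
+slot_id = spdm_session_info->peer_used_cert_chain_slot_id;
 LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
 if (slot_id == 0xFF) {
 result = libspdm_get_peer_public_key_buffer(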

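--- a/library/spdm_common_lib/libspdm_com_crypto_service.c
+++ b/library/spdm_common_lib/libspdm_com_crypto_service.c
@@ -39,71 +39,39 @@ uint8_t libspdm_slot_id_to_key_pair_id (
 return context->local_context.local_key_pair_id[slot_id];
 }
 
-/**
-* This function returns peer certificate chain buffer including spdm_cert_chain_t header.
-*
-* @param spdm_context A pointer to the SPDM context.
-* @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
-* @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
-*
-* @retval true Peer certificate chain buffer including spdm_cert_chain_t header is returned.
-* @retval false Peer certificate chain buffer including spdm_cert_chain_t header is not found.
-**/
-bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
+#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
+void libspdm_get_peer_cert_chain_buffer(void *spdm_context,
+uint8_t slot_id,
 const void **cert_chain_buffer,
 size_t *cert_chain_buffer_size)
 {
-#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
+
 libspdm_context_t *context;
-uint8_t slot_id;
 
 context = spdm_context;
-slot_id = context->connection_info.peer_used_cert_chain_slot_id;
+
 LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
-if (context->connection_info.peer_used_cert_chain[slot_id].buffer_size != 0) {
-*cert_chain_buffer = context->connection_info.peer_used_cert_chain[slot_id].buffer;
-*cert_chain_buffer_size = context->connection_info
-.peer_used_cert_chain[slot_id].buffer_size;
-return true;
-}
-#endif
-return false;
+
+*cert_chain_buffer = context->connection_info.peer_used_cert_chain[slot_id].buffer;
+*cert_chain_buffer_size = context->connection_info.peer_used_cert_chain[slot_id].buffer_size;
 }
 
-/**
-* This function returns peer certificate chain data without spdm_cert_chain_t header.
-*
-* @param spdm_context A pointer to the SPDM context.
-* @param cert_chain_data Certificate chain data without spdm_cert_chain_t header.
-* @param cert_chain_data_size size in bytes of the certificate chain data.
-*
-* @retval true Peer certificate chain data without spdm_cert_chain_t header is returned.
-* @retval false Peer certificate chain data without spdm_cert_chain_t header is not found.
-**/
-bool libspdm_get_peer_cert_chain_data(void *spdm_context,
+void libspdm_get_peer_cert_chain_data(void *spdm_context,
+uint8_t slot_id,
 const void **cert_chain_data,
 size_t *cert_chain_data_size)
 {
-#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 libspdm_context_t *context;
 size_t hash_size;
-bool result;
 
 context = spdm_context;
 hash_size = libspdm_get_hash_size(context->connection_info.algorithm.base_hash_algo);
 
-result = libspdm_get_peer_cert_chain_buffer(context, cert_chain_data,
-cert_chain_data_size);
-if (result) {
-*cert_chain_data =
-(const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
-*cert_chain_data_size =
-*cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
-return true;
-}
-#endif
-return false;
+libspdm_get_peer_cert_chain_buffer(context, slot_id, cert_chain_data, cert_chain_data_size);
+*cert_chain_data = (const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
+*cert_chain_data_size = *cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
 }
+#endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */
 
 /**
 * This function returns local used certificate chain buffer including spdm_cert_chain_t header.
@@ -1038,6 +1006,7 @@ bool libspdm_generate_challenge_auth_signature(libspdm_context_t *spdm_context,
 * @retval false hash verification fail.
 **/
 bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
+uint8_t slot_id,
 const void *certificate_chain_hash,
 size_t certificate_chain_hash_size)
 {
@@ -1047,17 +1016,11 @@ bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
 const uint8_t *cert_chain_buffer;
 size_t cert_chain_buffer_size;
 bool result;
-#else
-uint8_t slot_id;
-#endif
 
-#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
-result = libspdm_get_peer_cert_chain_buffer(spdm_context,
-(const void **)&cert_chain_buffer,
-&cert_chain_buffer_size);
-if (!result) {
-return false;
-}
+libspdm_get_peer_cert_chain_buffer(spdm_context,
+slot_id,
+(const void **)&cert_chain_buffer,
+&cert_chain_buffer_size);
 
 hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);
 
@@ -1080,9 +1043,6 @@ bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
 return false;
 }
 #else
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
-LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
-
 LIBSPDM_ASSERT(
 spdm_context->connection_info.peer_used_cert_chain[slot_id].buffer_hash_size != 0);
 
@@ -1160,12 +1120,12 @@ bool libspdm_verify_public_key_hash(libspdm_context_t *spdm_context,
 **/
 bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
 bool is_requester,
+uint8_t slot_id,
 const void *sign_data,
 size_t sign_data_size)
 {
 bool result;
 void *context;
-uint8_t slot_id;
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 libspdm_m1m2_managed_buffer_t m1m2;
 uint8_t *m1m2_buffer;
@@ -1198,9 +1158,6 @@ bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
 return false;
 }
 
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
-LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
-
 if (slot_id == 0xFF) {
 if (is_requester) {
 if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
@@ -1236,11 +1193,8 @@ bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
 }
 } else {
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
-result = libspdm_get_peer_cert_chain_data(
-spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
-if (!result) {
-return false;
-}
+libspdm_get_peer_cert_chain_data(
+spdm_context, slot_id, (const void **)&cert_chain_data, &cert_chain_data_size);
 
 /* Get leaf cert from cert chain*/
 result = libspdm_x509_get_cert_from_cert_chain(
@@ -1543,12 +1497,12 @@ bool libspdm_generate_endpoint_info_signature(libspdm_context_t *spdm_context,
 bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
 libspdm_session_info_t *session_info,
 bool is_requester,
+uint8_t slot_id,
 const void *sign_data,
 size_t sign_data_size)
 {
 bool result;
 void *context;
-uint8_t slot_id;
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 libspdm_il1il2_managed_buffer_t il1il2;
 uint8_t *il1il2_buffer;
@@ -1580,9 +1534,6 @@ bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
 return false;
 }
 
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
-LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xF));
-
 if (slot_id == 0xF) {
 if (is_requester) {
 if (spdm_context->connection_info.algorithm.base_asym_algo != 0) {
@@ -1620,11 +1571,8 @@ bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
 }
 } else {
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
-result = libspdm_get_peer_cert_chain_data(
-spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
-if (!result) {
-return false;
-}
+libspdm_get_peer_cert_chain_data(
+spdm_context, slot_id, (const void **)&cert_chain_data, &cert_chain_data_size);
 
 /* Get leaf cert from cert chain*/
 result = libspdm_x509_get_cert_from_cert_chain(cert_chain_data,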
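Review bot: `libspdm_get_peer_cert_chain_data` now subtracts `sizeof(spdm_cert_chain_t) + hash_size` from whatever `buffer_size` the slot holds, and with the old `buffer_size != 0` test gone an empty or short slot makes `*cert_chain_data_size` wrap to a very large `size_t`, which both verify functions then pass to `libspdm_x509_get_cert_from_cert_chain`. The only remaining guard on the index is `LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT)` in the getter, which presumably compiles out in release builds, while `slot_id` has become a caller-supplied argument and the range asserts in `libspdm_verify_challenge_auth_signature`, `libspdm_verify_endpoint_info_signature` and the `#else` branch of `libspdm_verify_certificate_chain_hash` were removed. I would keep a runtime check in the getter before the subtraction, e.g. `if (*cert_chain_data_size < sizeof(spdm_cert_chain_t) + hash_size) { *cert_chain_data = NULL; *cert_chain_data_size = 0; return; }`, and have the callers return false on a zero size. The verify functions' bodies continue outside these hunks, so a later check may exist that is not visible here.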

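--- a/library/spdm_common_lib/libspdm_com_crypto_service_session.c
+++ b/library/spdm_common_lib/libspdm_com_crypto_service_session.c
@@ -459,16 +459,17 @@ bool libspdm_calculate_th1_hash(libspdm_context_t *spdm_context,
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 if (!session_info->use_psk) {
 if (is_requester) {
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
+slot_id = session_info->peer_used_cert_chain_slot_id;
 LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
 if (slot_id == 0xFF) {
 result = libspdm_get_peer_public_key_buffer(
 spdm_context, (const void **)&cert_chain_buffer,
 &cert_chain_buffer_size);
 } else {
-result = libspdm_get_peer_cert_chain_buffer(
-spdm_context, (const void **)&cert_chain_buffer,
+libspdm_get_peer_cert_chain_buffer(
+spdm_context, slot_id, (const void **)&cert_chain_buffer,
 &cert_chain_buffer_size);
+result = true;
 }
 } else {
 slot_id = session_info->local_used_cert_chain_slot_id;
@@ -552,16 +553,17 @@ bool libspdm_calculate_th2_hash(libspdm_context_t *spdm_context,
 #if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
 if (!session_info->use_psk) {
 if (is_requester) {
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
+slot_id = session_info->peer_used_cert_chain_slot_id;
 LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
 if (slot_id == 0xFF) {
 result = libspdm_get_peer_public_key_buffer(
 spdm_context, (const void **)&cert_chain_buffer,
 &cert_chain_buffer_size);
 } else {
-result = libspdm_get_peer_cert_chain_buffer(
-spdm_context, (const void **)&cert_chain_buffer,
+libspdm_get_peer_cert_chain_buffer(
+spdm_context, slot_id, (const void **)&cert_chain_buffer,
 &cert_chain_buffer_size);
+result = true;
 }
 } else {
 slot_id = session_info->local_used_cert_chain_slot_id;
@@ -595,16 +597,17 @@ bool libspdm_calculate_th2_hash(libspdm_context_t *spdm_context,
 result = true;
 }
 } else {
-slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
+slot_id = session_info->peer_used_cert_chain_slot_id;
 LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
 if (slot_id == 0xFF) {
 result = libspdm_get_peer_public_key_buffer(
 spdm_context, (const void **)&mut_cert_chain_buffer,
 &mut_cert_chain_buffer_size);
 } else {
-result = libspdm_get_peer_cert_chain_buffer(
-spdm_context, (const void **)&mut_cert_chain_buffer,
+libspdm_get_peer_cert_chain_buffer(
+spdm_context, slot_id, (const void **)&mut_cert_chain_buffer,
 &mut_cert_chain_buffer_size);
+result = true;
 }
 }
 if (!result) {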
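Review bot: Setting `result = true;` unconditionally after the now-void `libspdm_get_peer_cert_chain_buffer` call means the `if (!result)` check that follows can no longer reject a slot with no stored chain, which the old bool return did when `buffer_size` was 0. In `libspdm_calculate_th1_hash` and at both sites in `libspdm_calculate_th2_hash` the code would then apparently carry on with a zero-length peer chain rather than fail the transcript calculation. Deriving the flag from the returned size keeps the fail-closed behaviour, e.g. `result = (cert_chain_buffer_size != 0);` (with `mut_cert_chain_buffer_size` in the third hunk). All three function bodies extend beyond the hunks, so how the buffers are consumed afterwards is not visible here.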

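--- a/library/spdm_requester_lib/libspdm_req_challenge.c
+++ b/library/spdm_requester_lib/libspdm_req_challenge.c
@@ -250,7 +250,8 @@ static libspdm_return_t libspdm_try_challenge(libspdm_context_t *spdm_context,
 if (slot_id == 0xFF) {
 result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
 } else {
-result = libspdm_verify_certificate_chain_hash(spdm_context, cert_chain_hash, hash_size);
+result = libspdm_verify_certificate_chain_hash(spdm_context, slot_id, cert_chain_hash,
+hash_size);
 }
 if (!result) {
 status = LIBSPDM_STATUS_VERIF_FAIL;
@@ -359,7 +360,8 @@ static libspdm_return_t libspdm_try_challenge(libspdm_context_t *spdm_context,
 signature = ptr;
 LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature (0x%zx):\n", signature_size));
 LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
-result = libspdm_verify_challenge_auth_signature(spdm_context, true, signature, signature_size);
+result = libspdm_verify_challenge_auth_signature(spdm_context, true, slot_id,
+signature, signature_size);
 if (!result) {
 libspdm_reset_message_c(spdm_context);
 status = LIBSPDM_STATUS_VERIF_FAIL;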
