CAPABILITIES: Add SupportedAlgorithms

fix DMTF#2279

Signed-off-by: Shital Jumbad <[email protected]>

Author: ShitalJumbad

doc/api/requester_api.md

@@ -31,6 +31,27 @@ returns early with value not equal to `LIBSPDM_STATUS_SUCCESS` then the SPDM con
 before attempting establish a new connection.
 <br/><br/>
 
+---
+### libspdm_get_supported_algorithms
+---
+
+### Description
+Sends the `GET_VERSION` and `GET_CAPABILITIES where `GET_CAPABILITIES.Param1[0]` is set.
+If the requester wishes to continue with the connection, they can call `libspdm_init_connection` to restart the connection process.
+
+### Parameters
+
+**spdm_context**<br/>
+The SPDM context.
+
+### Details
+Before calling this function, the integrator must ensure that the SPDM context is initialized
+with the necessary configuration, including the requester's capabilities and supported
+cryptographic algorithms. When this function returns with the value `RETURN_SUCCESS`,
+the SPDM context can be queried to determine the capabilities and algorithms supported
+by the responder. If this function returns with a value not equal to `RETURN_SUCCESS`,
+the SPDM context should be reset before attempting to establish a new connection.
+<br/><br/>
 
 ---
 ### libspdm_get_digest

include/industry_standard/spdm.h

@@ -161,6 +161,28 @@ typedef struct {
     uint32_t max_spdm_msg_size;
 } spdm_get_capabilities_request_t;
 
+/* SPDM supported algorithms block */
+typedef struct {
+    uint8_t param1;  /* Number of Algorithms Structure Tables */
+    uint8_t param2;  /* Reserved */
+    uint16_t length;
+    uint8_t measurement_specification;
+    uint8_t other_params_support;
+    uint32_t base_asym_algo;
+    uint32_t base_hash_algo;
+    uint8_t reserved2[12];
+    uint8_t ext_asym_count;
+    uint8_t ext_hash_count;
+    uint8_t reserved3;
+    uint8_t mel_specification;
+    /* Followed by dynamic arrays for ext_asym, ext_hash, and struct_tableif needed
+     * spdm_extended_algorithm_t ext_asym[ext_asym_count];
+     * spdm_extended_algorithm_t ext_hash[ext_hash_count]; 
+     * spdm_negotiate_algorithms_common_struct_table_t struct_table[
+     *  SPDM_NEGOTIATE_ALGORITHMS_MAX_NUM_STRUCT_TABLE_ALG];*/
+} spdm_supported_algorithms_block_t;
+
+
 /* SPDM GET_CAPABILITIES response*/
 
 typedef struct {
@@ -174,6 +196,8 @@ typedef struct {
     /* Below field is added in 1.2.*/
     uint32_t data_transfer_size;
     uint32_t max_spdm_msg_size;
+    /* Below field is added in 1.3.*/
+    spdm_supported_algorithms_block_t supported_algorithms;
 } spdm_capabilities_response_t;
 
 #define SPDM_MIN_DATA_TRANSFER_SIZE_VERSION_12  42
@@ -363,7 +387,6 @@ typedef struct {
     uint16_t alg_supported;
 } spdm_negotiate_algorithms_common_struct_table_t;
 
-
 /* SPDM NEGOTIATE_ALGORITHMS request base_asym_algo/REQ_BASE_ASYM_ALG */
 #define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048 0x00000001
 #define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_2048 0x00000002

include/internal/libspdm_requester_lib.h

@@ -133,6 +133,7 @@ libspdm_return_t libspdm_get_version(libspdm_context_t *spdm_context,
  * This function sends GET_CAPABILITIES and receives CAPABILITIES.
  *
  * @param  spdm_context                  A pointer to the SPDM context.
+ * @param  get_supported_algorithms     If true, indicates that the requester wants the responder to include its supported algorithms in the CAPABILITIES response.
  * @param  RequesterCTExponent          RequesterCTExponent to the GET_CAPABILITIES request.
  * @param  RequesterFlags               RequesterFlags to the GET_CAPABILITIES request.
  * @param  ResponderCTExponent          ResponderCTExponent from the CAPABILITIES response.
@@ -141,7 +142,7 @@ libspdm_return_t libspdm_get_version(libspdm_context_t *spdm_context,
  * @retval RETURN_SUCCESS               The GET_CAPABILITIES is sent and the CAPABILITIES is received.
  * @retval RETURN_DEVICE_ERROR          A device error occurs when communicates with the device.
  **/
-libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context);
+libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context, bool get_supported_algorithms);
 
 /**
  * This function sends NEGOTIATE_ALGORITHMS and receives ALGORITHMS.

include/library/spdm_requester_lib.h

@@ -491,6 +491,18 @@ libspdm_return_t libspdm_start_session(void *spdm_context, bool use_psk,
                                        uint8_t *heartbeat_period,
                                        void *measurement_hash);
 
+/**
+ * This function sends GET_VERSION, GET_CAPABILITIES, NEGOTIATE_ALGORITHMS
+ * to initialize the connection with SPDM responder.
+ *
+ * @param spdm_context The SPDM context.
+ *
+ * @retval RETURN_SUCCESS               The connection is initialized successfully.
+ * @retval RETURN_DEVICE_ERROR          A device error occurs when communicates with the device.
+ **/
+libspdm_return_t libspdm_get_supported_algorithms(
+    void *spdm_context);
+
 /**
  * This function sends KEY_EXCHANGE/FINISH or PSK_EXCHANGE/PSK_FINISH to start an SPDM Session.
  *

library/spdm_requester_lib/libspdm_req_communication.c

@@ -19,7 +19,7 @@ libspdm_return_t libspdm_init_connection(void *spdm_context, bool get_version_on
     }
 
     if (!get_version_only) {
-        status = libspdm_get_capabilities(context);
+        status = libspdm_get_capabilities(context, false);
         if (LIBSPDM_STATUS_IS_ERROR(status)) {
             return status;
         }

library/spdm_requester_lib/libspdm_req_get_capabilities.c

@@ -211,7 +211,7 @@ static bool validate_responder_capability(uint32_t capabilities_flag, uint8_t ve
  * @retval LIBSPDM_STATUS_BUFFER_FULL
  *         The buffer used to store transcripts is exhausted.
  **/
-static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_context)
+static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_context, bool get_supported_algorithms)
 {
     libspdm_return_t status;
     spdm_get_capabilities_request_t *spdm_request;
@@ -241,6 +241,11 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
                         spdm_context->local_context.capability.transport_tail_size;
 
     LIBSPDM_ASSERT (spdm_request_size >= sizeof(spdm_request->header));
+
+    LIBSPDM_ASSERT(!((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+                     get_supported_algorithms &&
+                     ((spdm_request->flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHUNK_CAP) == 0)));
+
     libspdm_zero_mem(spdm_request, spdm_request_size);
     spdm_request->header.spdm_version = libspdm_get_connection_version (spdm_context);
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
@@ -258,6 +263,10 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
     }
     spdm_request->header.request_response_code = SPDM_GET_CAPABILITIES;
     spdm_request->header.param1 = 0;
+    if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13 &&
+        get_supported_algorithms) {
+        spdm_request->header.param1 |= 0x01;
+    }
     spdm_request->header.param2 = 0;
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_11) {
         spdm_request->ct_exponent = spdm_context->local_context.capability.ct_exponent;
@@ -315,22 +324,54 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
         status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
         goto receive_done;
     }
-    if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
+    if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
         if (spdm_response_size < sizeof(spdm_capabilities_response_t)) {
             status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
             goto receive_done;
         }
+    } else if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
+        if (spdm_response_size < (sizeof(spdm_capabilities_response_t) -
+                                  sizeof(spdm_supported_algorithms_block_t))) {
+            status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
+            goto receive_done;
+        }
     } else {
-        if (spdm_response_size < sizeof(spdm_capabilities_response_t) -
-            sizeof(spdm_response->data_transfer_size) - sizeof(spdm_response->max_spdm_msg_size)) {
+        if (spdm_response_size < (sizeof(spdm_capabilities_response_t) -
+                                  sizeof(spdm_supported_algorithms_block_t) -
+                                  sizeof(spdm_response->data_transfer_size) -
+                                  sizeof(spdm_response->max_spdm_msg_size))) {
             status = LIBSPDM_STATUS_INVALID_MSG_SIZE;
             goto receive_done;
         }
     }
-    if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
-        spdm_response_size = sizeof(spdm_capabilities_response_t);
+
+    if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13 &&
+        (spdm_request->header.param1 & 0x01)) {
+
+        uint8_t index = 0;
+        if (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP) {
+            index++;
+        }
+        if ((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCRYPT_CAP) ||
+             (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) {
+            index++;
+        }
+        if (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP) {
+            index++;
+        }
+        if ((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_UPD_CAP) ||
+            (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_PSK_CAP)) {
+            index++;
+        }
+        spdm_response_size = sizeof(spdm_capabilities_response_t)+ index*
+            sizeof(spdm_negotiate_algorithms_common_struct_table_t);
+
+    } else if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
+        spdm_response_size = sizeof(spdm_capabilities_response_t)-
+                             sizeof(spdm_supported_algorithms_block_t);
     } else {
         spdm_response_size = sizeof(spdm_capabilities_response_t) -
+                             sizeof(spdm_supported_algorithms_block_t) -
                              sizeof(spdm_response->data_transfer_size) -
                              sizeof(spdm_response->max_spdm_msg_size);
     }
@@ -397,7 +438,7 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
     return status;
 }
 
-libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context)
+libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context, bool get_supported_algorithms)
 {
     size_t retry;
     uint64_t retry_delay_time;
@@ -407,7 +448,7 @@ libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context)
     retry = spdm_context->retry_times;
     retry_delay_time = spdm_context->retry_delay_time;
     do {
-        status = libspdm_try_get_capabilities(spdm_context);
+        status = libspdm_try_get_capabilities(spdm_context, get_supported_algorithms);
         if (status != LIBSPDM_STATUS_BUSY_PEER) {
             return status;
         }
@@ -417,3 +458,23 @@ libspdm_return_t libspdm_get_capabilities(libspdm_context_t *spdm_context)
 
     return status;
 }
+
+libspdm_return_t libspdm_get_supported_algorithms(void *spdm_context)
+{
+    libspdm_return_t status;
+    libspdm_context_t *context;
+
+    context = spdm_context;
+
+    status = libspdm_get_version(context, NULL, NULL);
+    if (LIBSPDM_STATUS_IS_ERROR(status)) {
+        return status;
+    }
+
+    status = libspdm_get_capabilities(context, true);
+    if (LIBSPDM_STATUS_IS_ERROR(status)) {
+        return status;
+    }
+
+    return LIBSPDM_STATUS_SUCCESS;
+}

library/spdm_responder_lib/libspdm_rsp_capabilities.c

@@ -98,14 +98,7 @@ static bool libspdm_check_request_flag_compatibility(uint32_t capabilities_flag,
             if ((cert_cap == 1) && (pub_key_id_cap == 1)) {
                 return false;
             }
-            /* If certificates or public keys are enabled then at least one of these capabilities
-             * must be enabled to use the key. */
             if ((chal_cap == 0) && (key_ex_cap == 0)) {
-                if (version >= SPDM_MESSAGE_VERSION_13) {
-                    if ((ep_info_cap == 0) || (ep_info_cap == 1)) {
-                        return false;
-                    }
-                }
                 return false;
             }
         } else {
@@ -271,10 +264,87 @@ libspdm_return_t libspdm_get_response_capabilities(libspdm_context_t *spdm_conte
             spdm_context->local_context.capability.max_spdm_msg_size;
     }
 
-    if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
+    LIBSPDM_ASSERT(!((spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) &&
+                     (spdm_request->header.param1 & 0x01) &&
+                     (((spdm_request->flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHUNK_CAP) != 0) &&
+                     ((spdm_response->flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHUNK_CAP) != 0))));
+
+
+    if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_13 &&
+        (spdm_request->header.param1 & 0x01)) {
         *response_size = sizeof(spdm_capabilities_response_t);
+
+        spdm_response->supported_algorithms.param2 = 0;
+        spdm_response->supported_algorithms.length = sizeof(spdm_supported_algorithms_block_t);
+        spdm_response->supported_algorithms.measurement_specification =
+            spdm_context->local_context.algorithm.measurement_spec;
+        spdm_response->supported_algorithms.other_params_support =
+            spdm_context->local_context.algorithm.other_params_support;
+        spdm_response->supported_algorithms.base_asym_algo=
+            spdm_context->local_context.algorithm.base_asym_algo;
+        spdm_response->supported_algorithms.base_hash_algo=
+            spdm_context->local_context.algorithm.base_hash_algo;
+        spdm_response->supported_algorithms.ext_asym_count = 0;
+        spdm_response->supported_algorithms.ext_hash_count = 0;
+        spdm_response->supported_algorithms.mel_specification =
+            spdm_context->local_context.algorithm.mel_spec;
+
+        uint8_t index = 0;
+
+        spdm_negotiate_algorithms_common_struct_table_t *struct_table =
+        (spdm_negotiate_algorithms_common_struct_table_t*)(&spdm_response->supported_algorithms + 1);
+
+        if ((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP) && 
+            (spdm_context->local_context.algorithm.dhe_named_group != 0)) {
+            struct_table[index].alg_type = SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_DHE;
+            struct_table[index].alg_count = 0x20;
+            struct_table[index].alg_supported = spdm_context->local_context.algorithm.dhe_named_group;
+            index++;
+        }
+
+        // Check if either ENCRYPT_CAP or MAC_CAP is set before including AEADCipherSuite
+        if (((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCRYPT_CAP) ||
+            (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP)) &&
+            (spdm_context->local_context.algorithm.aead_cipher_suite != 0)) {
+            struct_table[index].alg_type = SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_AEAD;
+            struct_table[index].alg_count = 0x20;
+            struct_table[index].alg_supported = spdm_context->local_context.algorithm.aead_cipher_suite;
+            index++;
+        }
+
+        if ((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP) && 
+            (spdm_context->local_context.algorithm.req_base_asym_alg != 0)) {
+            struct_table[index].alg_type = SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_REQ_BASE_ASYM_ALG;
+            struct_table[index].alg_count = 0x20;
+            struct_table[index].alg_supported = spdm_context->local_context.algorithm.req_base_asym_alg;
+            index++;
+        }
+
+        // Check if either KEY_EX_CAP or PSK_CAP is set before including KeySchedule
+        if (((spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP) || 
+            (spdm_context->connection_info.capability.flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_PSK_CAP)) &&
+            (spdm_context->local_context.algorithm.key_schedule != 0)) {
+            struct_table[index].alg_type = SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_KEY_SCHEDULE;
+            struct_table[index].alg_count = 0x20;
+            struct_table[index].alg_supported = spdm_context->local_context.algorithm.key_schedule;
+            index++;
+        }
+
+        spdm_response->supported_algorithms.param1 = index;
+        spdm_response->supported_algorithms.length +=
+            spdm_response->supported_algorithms.param1*
+            sizeof(spdm_negotiate_algorithms_common_struct_table_t);
+
+        *response_size = sizeof(spdm_capabilities_response_t) + 
+                        (spdm_response->supported_algorithms.param1*
+                        sizeof(spdm_negotiate_algorithms_common_struct_table_t));
+
+    } else if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
+        *response_size = sizeof(spdm_capabilities_response_t) -
+                         sizeof(spdm_supported_algorithms_block_t);
     } else {
         *response_size = sizeof(spdm_capabilities_response_t) -
+                         sizeof(spdm_supported_algorithms_block_t)-
                          sizeof(spdm_response->data_transfer_size) -
                          sizeof(spdm_response->max_spdm_msg_size);
     }

unit_test/fuzzing/test_requester/test_spdm_requester_get_capabilities/get_capabilities.c

@@ -73,7 +73,7 @@ void libspdm_test_requester_get_capabilities(void **State)
         spdm_context->connection_info.connection_state = LIBSPDM_CONNECTION_STATE_AFTER_VERSION;
         libspdm_reset_message_a(spdm_context);
 
-        libspdm_get_capabilities(spdm_context);
+        libspdm_get_capabilities(spdm_context, false);
     }
 }