
Error message when receiving Challenge via secure session

Open KwonHyunSoo opened this issue 3 years ago • 9 comments

Hi all,

The spec says transmitting Challenge via a session is prohibited (outside of a session it is allowed). What is the error response type when the responder receives a Challenge message under a secure session?

Thanks.

KwonHyunSoo, Nov 02 '22 05:11

It seems to be a bug in current libspdm. There is no such check.

I think we may return SPDM_ERROR_CODE_UNEXPECTED_REQUEST

jyao1, Nov 03 '22 14:11

I don't know why the specification has that restriction.

steven-bellock, Nov 03 '22 15:11

I guess the reasons below:

  1. It is not needed when you set up a session. Authentication is already done.

  2. It will be confusing to construct the transcript. How to calculate message_b?

jyao1, Nov 03 '22 15:11

Thanks for checking it :)

KwonHyunSoo, Nov 04 '22 00:11

> I guess the reasons below:
>
>   1. It is not needed when you set up a session. Authentication is already done.
>   2. It will be confusing to construct the transcript. How to calculate message_b?

For 1, setting up a session does not guarantee that authentication is done, because KEY_EXCHANGE can be executed after negotiation as follows: https://github.com/DMTF/libspdm/blob/2e9f68389eba83f38cf586d2cadf2b5b05526e98/library/spdm_responder_lib/libspdm_rsp_key_exchange.c#L232-L237

For 2, why is calculating message_b confusing in the application phase? It seems similar to GET_MEAS.

hiption, Nov 04 '22 08:11

11/7/2022 - Agree it is a bug. We may check other messages.

  1. KEY_EXCHANGE will set up an authenticated secure session.
  2. It is different from GET_MEAS, because GET_MEAS does not have message_b.

jyao1, Nov 07 '22 15:11

> It is different from GET_MEAS, because GET_MEAS does not have message_b.

I mean message_b is also distinguished according to whether there is a session id or no session. So the transcript used in CHALLENGE is distinguished.

hiption, Nov 08 '22 04:11

@hiption , if you want to support CHALLENGE in session, please submit SPDM spec issue.

libspdm will follow the SPDM spec.

jyao1, Nov 08 '22 06:11

Thank you for your reply. I just want to know why SPDM allows GET_MEASUREMENTS in a session, but CHALLENGE not.

hiption, Nov 09 '22 01:11

@jyao1 This check needs to be present for a lot of other requests, correct? Like GET_CAPABILITIES and NEGOTIATE_ALGORITHMS.

steven-bellock, Dec 07 '22 23:12

I think so.

jyao1, Dec 11 '22 14:12
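The missing check the thread converges on, as an added example that is not libspdm code and not from any participant: a responder-side gate, run before request dispatch, that rejects requests the SPDM spec does not permit inside a secure session (CHALLENGE, and, as steven-bellock notes, GET_CAPABILITIES and NEGOTIATE_ALGORITHMS) with an ERROR response carrying the UnexpectedRequest code, while letting GET_MEASUREMENTS through. The request/response codes and the error code are the spec's values; the policy table, the `spdm_session_gate*` functions, the "session_id == NULL means no session" convention and the sample session id are this example's own assumptions. The table deliberately covers only the messages discussed here; a production responder would enumerate the spec's full list of session-permitted messages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RequestResponseCode values from the DMTF SPDM specification. */
#define SPDM_GET_CAPABILITIES              0xE1
#define SPDM_NEGOTIATE_ALGORITHMS          0xE3
#define SPDM_CHALLENGE                     0x83
#define SPDM_GET_MEASUREMENTS              0xE0
#define SPDM_ERROR                         0x7F
/* ERROR Param1 (ErrorCode) value for UnexpectedRequest. */
#define SPDM_ERROR_CODE_UNEXPECTED_REQUEST 0x04

/* Minimal SPDM message header: SPDMVersion, RequestResponseCode, Param1, Param2. */
typedef struct {
    uint8_t spdm_version;
    uint8_t request_response_code;
    uint8_t param1;
    uint8_t param2;
} spdm_message_header_t;

/* Hypothetical policy table for this example (not libspdm's): whether a request
 * code may be carried inside an established secure session. Only the requests
 * discussed in the thread are listed. */
typedef struct {
    uint8_t code;
    bool allowed_in_session;
} session_policy_entry_t;

static const session_policy_entry_t session_policy[] = {
    { SPDM_GET_CAPABILITIES,     false },
    { SPDM_NEGOTIATE_ALGORITHMS, false },
    { SPDM_CHALLENGE,            false },
    { SPDM_GET_MEASUREMENTS,     true  },
};

/* True when the table explicitly prohibits this request inside a session.
 * Codes absent from the table are left to the normal dispatcher. */
bool spdm_request_prohibited_in_session(uint8_t code)
{
    for (size_t i = 0; i < sizeof(session_policy) / sizeof(session_policy[0]); i++) {
        if (session_policy[i].code == code) {
            return !session_policy[i].allowed_in_session;
        }
    }
    return false;
}

/* Session gate run before request dispatch. session_id == NULL means the
 * request arrived outside any session (convention chosen for this example).
 * Returns true and fills *rsp with ERROR(UnexpectedRequest) when the request is
 * rejected; returns false when dispatch should continue normally. */
bool spdm_session_gate(const uint32_t *session_id,
                       const spdm_message_header_t *req,
                       spdm_message_header_t *rsp)
{
    if (session_id == NULL) {
        return false; /* outside a session: CHALLENGE and friends are allowed */
    }
    if (!spdm_request_prohibited_in_session(req->request_response_code)) {
        return false;
    }
    rsp->spdm_version = req->spdm_version;   /* ERROR echoes the request's version */
    rsp->request_response_code = SPDM_ERROR;
    rsp->param1 = SPDM_ERROR_CODE_UNEXPECTED_REQUEST;
    rsp->param2 = 0;                         /* ErrorData is 0 for UnexpectedRequest */
    return true;
}

/* Convenience wrapper: the ERROR code emitted for `code` in the given context,
 * or 0 when the request passes the gate. */
uint8_t spdm_session_gate_result(uint8_t code, bool in_session)
{
    uint32_t sid = 0xDEADBEEF; /* constructed sample session id */
    spdm_message_header_t req = { 0x11, code, 0, 0 }; /* constructed SPDM 1.1 request */
    spdm_message_header_t rsp = { 0, 0, 0, 0 };
    if (spdm_session_gate(in_session ? &sid : NULL, &req, &rsp)) {
        return rsp.param1;
    }
    return 0;
}

int main(void)
{
    printf("CHALLENGE in session        -> error 0x%02X\n",
           spdm_session_gate_result(SPDM_CHALLENGE, true));
    printf("CHALLENGE outside session   -> error 0x%02X\n",
           spdm_session_gate_result(SPDM_CHALLENGE, false));
    printf("GET_MEASUREMENTS in session -> error 0x%02X\n",
           spdm_session_gate_result(SPDM_GET_MEASUREMENTS, true));
    return 0;
}
```

Rejecting at a single gate before dispatch, rather than inside each request handler, is what keeps the transcript bookkeeping jyao1 raises (message_b for CHALLENGE) out of the session code path entirely: a prohibited request never reaches the handler that would append it to a transcript.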