Remove basic mutual auth from context

Replace LIBSPDM_DATA_BASIC_MUT_AUTH_REQUESTED in the spdm_context with a hal call to the Integrator.

Signed-off-by: Steven Bellock <[email protected]>

Author: steven-bellock

doc/api/common_api.md

@@ -276,14 +276,6 @@ Enumeration value used for the `libspdm_set_data` and/or `libspdm_get_data` func
     - Specifies the Responder's `HeartbeatPeriod` in units of seconds. This value is communicated to
       the Requester in the `KEY_EXCHANGE_RSP` and `PSK_EXCHANGE_RSP` messages. The actual timeout
       limit is twice the `HeartbeatPeriod`.
-- `LIBSPDM_DATA_BASIC_MUT_AUTH_REQUESTED`
-    - Specifies whether the Responder requires basic mutual authentication with the Requester via
-      the `CHALLENGE / CHALLENGE_AUTH` messages.
-        - If `true` then Responder requires basic mutual authentication.
-        - If `false` then Responder does not require basic mutual authentication.
-    - Note that basic mutual authentication was deprecated in SPDM 1.2 and should also be considered
-      deprecated in SPDM 1.1. If a Responder requires mutual authentication then it should use
-      session-based mutual authentication via symmetric or asymmetric key exchange.
 - `LIBSPDM_DATA_MUT_AUTH_REQUESTED`
     - Specifies whether the Responder requires session-based mutual authentication with the
       Requester via asymmetric key exchange. Its value can be one of

include/hal/library/responder/asymsignlib.h

@@ -19,10 +19,10 @@
  * @param  spdm_context  A pointer to the SPDM context.
  * @param  spdm_version  Indicates the negotiated version.
  *
- * @param  slot_id          The number of slot for the certificate chain.
+ * @param  slot_id               Slot ID of the CHALLENGE request.
  * @param  request_context_size  The size, in bytes, of request_context.
  * @param  request_context       If spdm_version is greater than 1.2, then it is a pointer to the
- *                               Context field in the request message, else it is NULL and ignore
+ *                               Context field in the request message, else it is NULL and ignore.
  *
  * @param opaque_data
  * A pointer to a destination buffer whose size, in bytes, is opaque_data_size. The opaque data is
@@ -40,7 +40,30 @@ extern bool libspdm_challenge_opaque_data(
     const void *request_context,
     void *opaque_data,
     size_t *opaque_data_size);
-#endif/*LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP*/
+
+#if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
+/**
+ * Queries whether basic mutual authentication should be initiated or not.
+ *
+ * @param  spdm_context  A pointer to the SPDM context.
+ * @param  spdm_version  Indicates the negotiated version.
+ *
+ * @param  slot_id               Slot ID of the CHALLENGE request.
+ * @param  request_context_size  The size, in bytes, of request_context.
+ * @param  request_context       If spdm_version is greater than 1.2, then it is a pointer to the
+ *                               Context field in the request message, else it is NULL and ignore.
+ *
+ * @retval true   Initiate the basic mutual authentication flow.
+ * @retval false  Do not initiate the basic mutual authentication flow.
+ */
+extern bool libspdm_challenge_start_mut_auth(
+    void *spdm_context,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    size_t request_context_size,
+    const void *request_context);
+#endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
+#endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */
 
 /**
  * Sign an SPDM message data.

include/library/spdm_common_lib.h

@@ -77,7 +77,6 @@ typedef enum {
     LIBSPDM_DATA_LOCAL_CERT_INFO,
     LIBSPDM_DATA_LOCAL_KEY_USAGE_BIT_MASK,
 
-    LIBSPDM_DATA_BASIC_MUT_AUTH_REQUESTED,
     LIBSPDM_DATA_MUT_AUTH_REQUESTED,
     LIBSPDM_DATA_MANDATORY_MUT_AUTH,
     LIBSPDM_DATA_HEARTBEAT_PERIOD,

library/spdm_common_lib/libspdm_com_context_data.c

@@ -670,32 +670,6 @@ libspdm_return_t libspdm_set_data(void *spdm_context, libspdm_data_type_t data_t
         context->local_context.local_public_key_provision_size = data_size;
         context->local_context.local_public_key_provision = data;
         break;
-    case LIBSPDM_DATA_BASIC_MUT_AUTH_REQUESTED:
-        if (data_size != sizeof(bool)) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        mut_auth_requested = *(const uint8_t *)data;
-        if (((mut_auth_requested != 0) && (mut_auth_requested != 1))) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        context->local_context.basic_mut_auth_requested = mut_auth_requested;
-        context->encap_context.request_id = 0;
-        slot_id = parameter->additional_data[0];
-        if ((slot_id >= SPDM_MAX_SLOT_COUNT) && (slot_id != 0xFF)) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        context->encap_context.req_slot_id = slot_id;
-
-        #if LIBSPDM_DEBUG_PRINT_ENABLE
-        if (mut_auth_requested) {
-            LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
-                           "Basic mutual authentication is a deprecated feature.\n"));
-        }
-        #endif /* LIBSPDM_DEBUG_PRINT_ENABLE */
-        break;
     case LIBSPDM_DATA_MUT_AUTH_REQUESTED:
         if (data_size != sizeof(uint8_t)) {
             return LIBSPDM_STATUS_INVALID_PARAMETER;

library/spdm_responder_lib/libspdm_rsp_challenge_auth.c

@@ -164,6 +164,8 @@ libspdm_return_t libspdm_get_response_challenge_auth(libspdm_context_t *spdm_con
     spdm_response->header.spdm_version = spdm_request->header.spdm_version;
     spdm_response->header.request_response_code = SPDM_CHALLENGE_AUTH;
     auth_attribute = (uint8_t)(slot_id & 0xF);
+
+    #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_11) {
         if (libspdm_is_capabilities_flag_supported(
                 spdm_context, false,
@@ -178,22 +180,19 @@ libspdm_return_t libspdm_get_response_challenge_auth(libspdm_context_t *spdm_con
              libspdm_is_capabilities_flag_supported(
                  spdm_context, false,
                  SPDM_GET_CAPABILITIES_REQUEST_FLAGS_PUB_KEY_ID_CAP, 0))) {
-            if (spdm_context->local_context.basic_mut_auth_requested) {
-                auth_attribute =
-                    (uint8_t)(auth_attribute |
-                              SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ);
+            if (libspdm_challenge_start_mut_auth(spdm_context,
+                                                 spdm_context->connection_info.version,
+                                                 slot_id,
+                                                 request_context_size,
+                                                 request_context)) {
+                auth_attribute |= SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ;
+                libspdm_init_basic_mut_auth_encap_state(spdm_context);
+                LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO,
+                              "Basic mutual authentication is a deprecated feature.\n"));
             }
         }
-        if ((auth_attribute & SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ) != 0) {
-#if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && (LIBSPDM_SEND_CHALLENGE_SUPPORT)
-            libspdm_init_basic_mut_auth_encap_state(spdm_context);
-#else
-            auth_attribute =
-                (uint8_t)(auth_attribute &
-                          ~SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ);
-#endif
-        }
     }
+    #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 
     spdm_response->header.param1 = auth_attribute;
 

os_stub/spdm_device_secret_lib_null/lib.c

@@ -77,9 +77,7 @@ bool libspdm_challenge_opaque_data(
 {
     return false;
 }
-#endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */
 
-#if LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP
 bool libspdm_encap_challenge_opaque_data(
     void *spdm_context,
     spdm_version_number_t spdm_version,
@@ -91,6 +89,18 @@ bool libspdm_encap_challenge_opaque_data(
 {
     return false;
 }
+
+#if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
+bool libspdm_challenge_start_mut_auth(
+    void *spdm_context,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    size_t request_context_size,
+    const void *request_context)
+{
+    return false;
+}
+#endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 #endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */
 
 #if LIBSPDM_ENABLE_CAPABILITY_MEL_CAP

os_stub/spdm_device_secret_lib_sample/chal.c

@@ -22,6 +22,7 @@
 size_t libspdm_secret_lib_challenge_opaque_data_size;
 bool g_check_challenge_request_context = false;
 uint64_t g_challenge_request_context;
+bool g_start_basic_mut_auth = false;
 
 bool libspdm_challenge_opaque_data(
     void *spdm_context,
@@ -88,4 +89,16 @@ bool libspdm_encap_challenge_opaque_data(
 
     return true;
 }
+
+#if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
+bool libspdm_challenge_start_mut_auth(
+    void *spdm_context,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    size_t request_context_size,
+    const void *request_context)
+{
+    return g_start_basic_mut_auth;
+}
+#endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 #endif /* LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP */

unit_test/fuzzing/test_responder/test_spdm_responder_challenge_auth/challenge_auth.c

@@ -22,6 +22,7 @@ libspdm_test_context_t m_libspdm_responder_challenge_test_context = {
 };
 
 extern size_t libspdm_secret_lib_challenge_opaque_data_size;
+extern bool g_start_basic_mut_auth;
 
 void libspdm_test_responder_challenge_case1(void **State)
 {
@@ -175,12 +176,13 @@ void libspdm_test_responder_challenge_case4(void **State)
     spdm_context->local_context.local_cert_chain_provision_size[0] = data_size;
 
     libspdm_secret_lib_challenge_opaque_data_size = 0;
-    spdm_context->local_context.basic_mut_auth_requested = 1;
+    g_start_basic_mut_auth = true;
     response_size = sizeof(response);
     libspdm_reset_message_c(spdm_context);
     libspdm_get_response_challenge_auth(spdm_context, spdm_test_context->test_buffer_size,
                                         spdm_test_context->test_buffer, &response_size, response);
     free(data);
+    g_start_basic_mut_auth = false;
 }
 
 void libspdm_test_responder_challenge_case5(void **State)
@@ -259,12 +261,13 @@ void libspdm_test_responder_challenge_case6(void **State)
     spdm_context->local_context.local_cert_chain_provision_size[0] = data_size;
 
     libspdm_secret_lib_challenge_opaque_data_size = 0;
-    spdm_context->local_context.basic_mut_auth_requested = 1;
     response_size = sizeof(response);
     libspdm_reset_message_c(spdm_context);
+    g_start_basic_mut_auth = true;
     libspdm_get_response_challenge_auth(spdm_context, spdm_test_context->test_buffer_size,
                                         spdm_test_context->test_buffer, &response_size, response);
     free(data);
+    g_start_basic_mut_auth = false;
 }
 
 void libspdm_test_responder_challenge_case7(void **State)