DMTF
diff --git a/‎include/hal/library/responder/keyexlib.h‎
Lines changed: 56 additions & 0 deletions b/‎include/hal/library/responder/keyexlib.h‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎include/internal/libspdm_common_lib.h‎
Lines changed: 1 addition & 2 deletions b/‎include/internal/libspdm_common_lib.h‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎include/library/spdm_common_lib.h‎
Lines changed: 0 additions & 1 deletion b/‎include/library/spdm_common_lib.h‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎library/spdm_common_lib/libspdm_com_context_data.c‎
Lines changed: 0 additions & 10 deletions b/‎library/spdm_common_lib/libspdm_com_context_data.c‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎library/spdm_responder_lib/libspdm_rsp_key_exchange.c‎
Lines changed: 64 additions & 41 deletions b/‎library/spdm_responder_lib/libspdm_rsp_key_exchange.c‎
Lines changed: 64 additions & 41 deletions
diff --git a/‎os_stub/spdm_device_secret_lib_null/lib.c‎
Lines changed: 17 additions & 0 deletions b/‎os_stub/spdm_device_secret_lib_null/lib.c‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎os_stub/spdm_device_secret_lib_sample/CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions b/‎os_stub/spdm_device_secret_lib_sample/CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎os_stub/spdm_device_secret_lib_sample/key_ex.c‎
Lines changed: 31 additions & 0 deletions b/‎os_stub/spdm_device_secret_lib_sample/key_ex.c‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎unit_test/fuzzing/test_responder/test_spdm_responder_end_session/end_session.c‎
Lines changed: 0 additions & 1 deletion b/‎unit_test/fuzzing/test_responder/test_spdm_responder_end_session/end_session.c‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎unit_test/fuzzing/test_responder/test_spdm_responder_finish_rsp/finish_rsp.c‎
Lines changed: 3 additions & 3 deletions b/‎unit_test/fuzzing/test_responder/test_spdm_responder_finish_rsp/finish_rsp.c‎
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,56 @@
+/**
+ *  Copyright Notice:
+ *  Copyright 2025 DMTF. All rights reserved.
+ *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
+ **/
+
+#ifndef RESPONDER_KEYEXLIB_H
+#define RESPONDER_KEYEXLIB_H
+
+#include "hal/base.h"
+#include "internal/libspdm_lib_config.h"
+#include "industry_standard/spdm.h"
+
+#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP)
+/**
+ * Queries whether session-based mutual authentication should be initiated or not.
+ *
+ * @param  spdm_context  A pointer to the SPDM context.
+ * @param  session_id    Secure session identifier.
+ * @param  spdm_version  Indicates the negotiated version.
+ * @param  slot_id       The certificate slot within the KEY_EXCHANGE request.
+ * @param  req_slot_id   The certificate slot within the KEY_EXCHANGE_RSP response.
+ *                       This value can be non-zero only when
+ *                       SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED is returned.
+ *
+ * @param  session_policy  Policy for the session. A bitmask whose values are
+ *                         SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_*.
+
+ * @param  opaque_data_length  Size, in bytes, of opaque_data.
+ * @param  opaque_data         The KEY_EXCHANGE OpaqueData field. Its value is NULL if value of
+ *                             opaque_data_length is 0.
+ * @param  mandatory_mut_auth  If true, then mutual authentication must be completed, and libspdm
+ *                             will return an error to the Requester if the Requester does not
+ *                             support mutual authentication. If false, and Requester does not
+ *                             support mutual authentication, then the session will still be
+ *                             established.
+ *
+ * @retval 0  Do not initiate the session-based mutual authentication flow.
+ * @retval SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED
+ * @retval SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_ENCAP_REQUEST
+ * @retval SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_GET_DIGESTS
+ */
+extern uint8_t libspdm_key_exchange_start_mut_auth(
+    void *spdm_context,
+    uint32_t session_id,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    uint8_t *req_slot_id,
+    uint8_t session_policy,
+    size_t opaque_data_length,
+    const void *opaque_data,
+    bool *mandatory_mut_auth
+);
+#endif /* (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) */
+
+#endif /* RESPONDER_KEYEXLIB_H */
@@ -18,6 +18,7 @@
 #include "hal/library/responder/asymsignlib.h"
 #include "hal/library/responder/csrlib.h"
 #include "hal/library/responder/measlib.h"
+#include "hal/library/responder/keyexlib.h"
 #include "hal/library/responder/key_pair_info.h"
 #include "hal/library/responder/psklib.h"
 #include "hal/library/responder/setcertlib.h"
@@ -121,8 +122,6 @@ typedef struct {
 
     /* Responder policy*/
     bool basic_mut_auth_requested;
-    uint8_t mut_auth_requested;
-    bool mandatory_mut_auth;
     uint8_t heartbeat_period;
 
     /*The device role*/
 
@@ -78,7 +78,6 @@ typedef enum {
     LIBSPDM_DATA_LOCAL_KEY_USAGE_BIT_MASK,
 
     LIBSPDM_DATA_MUT_AUTH_REQUESTED,
-    LIBSPDM_DATA_MANDATORY_MUT_AUTH,
     LIBSPDM_DATA_HEARTBEAT_PERIOD,
 
     /* Negotiated result */
 
@@ -687,23 +687,13 @@ libspdm_return_t libspdm_set_data(void *spdm_context, libspdm_data_type_t data_t
               SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_GET_DIGESTS))) {
             return LIBSPDM_STATUS_INVALID_PARAMETER;
         }
-        context->local_context.mut_auth_requested = mut_auth_requested;
         context->encap_context.request_id = 0;
         slot_id = parameter->additional_data[0];
         if ((slot_id >= SPDM_MAX_SLOT_COUNT) && (slot_id != 0xFF)) {
             return LIBSPDM_STATUS_INVALID_PARAMETER;
         }
         context->encap_context.req_slot_id = slot_id;
         break;
-    case LIBSPDM_DATA_MANDATORY_MUT_AUTH:
-        if (data_size != sizeof(bool)) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
-            return LIBSPDM_STATUS_INVALID_PARAMETER;
-        }
-        context->local_context.mandatory_mut_auth = *(const bool *)data;
-        break;
     case LIBSPDM_DATA_HEARTBEAT_PERIOD:
         if (data_size != sizeof(uint8_t)) {
             return LIBSPDM_STATUS_INVALID_PARAMETER;
 
@@ -193,8 +193,8 @@ libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_conte
     uint32_t measurement_summary_hash_size;
     uint32_t signature_size;
     uint32_t hmac_size;
-    const uint8_t *cptr;
     uint8_t *ptr;
+    const uint8_t *req_opaque_data;
     uint16_t opaque_data_length;
     bool result;
     uint8_t slot_id;
@@ -209,6 +209,11 @@ libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_conte
     size_t opaque_key_exchange_rsp_size;
     uint8_t th1_hash_data[LIBSPDM_MAX_HASH_SIZE];
     spdm_version_number_t secured_message_version;
+#if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
+    uint8_t req_slot_id;
+    uint8_t mut_auth_requested;
+    bool mandatory_mut_auth;
+#endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 
     spdm_request = request;
 
@@ -384,21 +389,24 @@ libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_conte
                    sizeof(uint16_t) + opaque_data_length;
 
     if (opaque_data_length != 0) {
-        cptr = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
+        req_opaque_data = (const uint8_t *)request + sizeof(spdm_key_exchange_request_t) +
                req_key_exchange_size + sizeof(uint16_t);
-        result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length, cptr);
+        result = libspdm_process_general_opaque_data_check(spdm_context, opaque_data_length,
+                                                           req_opaque_data);
         if (!result) {
             return libspdm_generate_error_response(spdm_context,
                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
                                                    response_size, response);
         }
         status = libspdm_process_opaque_data_supported_version_data(
-            spdm_context, opaque_data_length, cptr, &secured_message_version);
+            spdm_context, opaque_data_length, req_opaque_data, &secured_message_version);
         if (LIBSPDM_STATUS_IS_ERROR(status)) {
             return libspdm_generate_error_response(spdm_context,
                                                    SPDM_ERROR_CODE_INVALID_REQUEST, 0,
                                                    response_size, response);
         }
+    } else {
+        req_opaque_data = NULL;
     }
 
     opaque_key_exchange_rsp_size =
@@ -462,48 +470,63 @@ libspdm_return_t libspdm_get_response_key_exchange(libspdm_context_t *spdm_conte
 
     spdm_response->rsp_session_id = rsp_session_id;
     spdm_response->mut_auth_requested = 0;
+    spdm_response->req_slot_id_param = 0;
 
+    #if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
     if (libspdm_is_capabilities_flag_supported(
-            spdm_context, false,
-            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP,
-            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
-        spdm_response->mut_auth_requested =
-            spdm_context->local_context.mut_auth_requested;
-    } else if (spdm_context->local_context.mandatory_mut_auth) {
-        LIBSPDM_ASSERT(spdm_context->local_context.capability.flags &
-                       SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
-        if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
-            libspdm_free_session_id(spdm_context, session_id);
-            return libspdm_generate_error_response(spdm_context,
-                                                   SPDM_ERROR_CODE_INVALID_POLICY, 0,
-                                                   response_size, response);
-        } else {
-            libspdm_free_session_id(spdm_context, session_id);
-            return libspdm_generate_error_response(spdm_context,
-                                                   SPDM_ERROR_CODE_UNSPECIFIED, 0,
-                                                   response_size, response);
-        }
-    }
+        spdm_context, false, 0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP)) {
+        req_slot_id = 0;
+
+        mut_auth_requested =
+            libspdm_key_exchange_start_mut_auth(spdm_context,
+                                                session_id,
+                                                spdm_context->connection_info.version,
+                                                slot_id,
+                                                &req_slot_id,
+                                                spdm_request->session_policy,
+                                                opaque_data_length,
+                                                req_opaque_data,
+                                                &mandatory_mut_auth);
+        if (mut_auth_requested != 0) {
+            const bool req_mut_auth_cap = libspdm_is_capabilities_flag_supported(
+                spdm_context, false, SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP, 0);
+            const bool req_encap_cap = libspdm_is_capabilities_flag_supported(
+                spdm_context, false, SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP, 0);
+            const bool need_encap =
+                (mut_auth_requested ==
+                 SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_ENCAP_REQUEST) ||
+                (mut_auth_requested ==
+                 SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_GET_DIGESTS);
+
+            /* If Integrator requires mutual authentication but Requester does not support mutual
+             * authentication, or Integrator requires the encapsulated mutual authentication flow
+             * and Requester does not support encapsulated messages, then return an error to
+             * Requester. */
+            if (mandatory_mut_auth && (!req_mut_auth_cap || (need_encap && !req_encap_cap))) {
+                if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
+                    libspdm_free_session_id(spdm_context, session_id);
+                    return libspdm_generate_error_response(spdm_context,
+                                                           SPDM_ERROR_CODE_INVALID_POLICY, 0,
+                                                           response_size, response);
+                } else {
+                    libspdm_free_session_id(spdm_context, session_id);
+                    return libspdm_generate_error_response(spdm_context,
+                                                           SPDM_ERROR_CODE_UNSPECIFIED, 0,
+                                                           response_size, response);
+                }
+            }
 
-    if (spdm_response->mut_auth_requested != 0) {
-#if LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
-        spdm_context->connection_info.peer_used_cert_chain_slot_id =
-            spdm_context->encap_context.req_slot_id;
-        libspdm_init_mut_auth_encap_state(spdm_context, spdm_response->mut_auth_requested);
-        if (spdm_response->mut_auth_requested == SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED) {
-            /* no need to libspdm_init_mut_auth_encap_state() because of no ENCAP message */
-            spdm_response->req_slot_id_param = spdm_context->encap_context.req_slot_id & 0xF;
-        } else {
-            /* req_slot_id is always 0 if ENCAP message is needed */
-            spdm_response->req_slot_id_param = 0;
+            if (!need_encap) {
+                spdm_response->mut_auth_requested = mut_auth_requested;
+                spdm_response->req_slot_id_param = req_slot_id;
+            } else if (need_encap && req_encap_cap) {
+                spdm_response->mut_auth_requested = mut_auth_requested;
+                spdm_context->connection_info.peer_used_cert_chain_slot_id = req_slot_id;
+                libspdm_init_mut_auth_encap_state(spdm_context, mut_auth_requested);
+            }
         }
-#else
-        spdm_response->mut_auth_requested = 0;
-        spdm_response->req_slot_id_param = 0;
-#endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
-    } else {
-        spdm_response->req_slot_id_param = 0;
     }
+    #endif /* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP */
 
     if (!libspdm_get_random_number(SPDM_RANDOM_DATA_SIZE, spdm_response->random_data)) {
         libspdm_free_session_id(spdm_context, session_id);
 
@@ -117,6 +117,23 @@ bool libspdm_measurement_extension_log_collection(
 }
 #endif /* LIBSPDM_ENABLE_CAPABILITY_MEL_CAP */
 
+#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP)
+extern uint8_t libspdm_key_exchange_start_mut_auth(
+    void *spdm_context,
+    uint32_t session_id,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    uint8_t *req_slot_id,
+    uint8_t session_policy,
+    size_t opaque_data_length,
+    const void *opaque_data,
+    bool *mandatory_mut_auth
+)
+{
+    return false;
+}
+#endif /* (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) */
+
 #if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) || (LIBSPDM_ENABLE_CAPABILITY_ENDPOINT_INFO_CAP)
 bool libspdm_requester_data_sign(
     void *spdm_context,
 
@@ -16,6 +16,7 @@ target_sources(spdm_device_secret_lib_sample
         csr.c
         endpointinfo.c
         event.c
+        key_ex.c
         key_pair.c
         meas.c
         psk.c
 
@@ -0,0 +1,31 @@
+/**
+ *  Copyright Notice:
+ *  Copyright 2024-2025 DMTF. All rights reserved.
+ *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
+ **/
+
+#include "hal/base.h"
+#include "internal/libspdm_common_lib.h"
+
+uint8_t g_key_exchange_start_mut_auth = 0;
+bool g_mandatory_mut_auth = false;
+
+#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP)
+extern uint8_t libspdm_key_exchange_start_mut_auth(
+    void *spdm_context,
+    uint32_t session_id,
+    spdm_version_number_t spdm_version,
+    uint8_t slot_id,
+    uint8_t *req_slot_id,
+    uint8_t session_policy,
+    size_t opaque_data_length,
+    const void *opaque_data,
+    bool *mandatory_mut_auth
+)
+{
+    *req_slot_id = 0;
+    *mandatory_mut_auth = g_mandatory_mut_auth;
+
+    return g_key_exchange_start_mut_auth;
+}
+#endif /* (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) */
@@ -64,7 +64,6 @@ void libspdm_test_responder_end_session(void **State)
         data_size;
 
     libspdm_reset_message_a(spdm_context);
-    spdm_context->local_context.mut_auth_requested = 0;
 
     session_id = 0xFFFFFFFF;
     spdm_context->latest_session_id = session_id;
 
@@ -12,6 +12,7 @@
 #if LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
 
 static libspdm_th_managed_buffer_t th_curr;
+extern uint8_t g_key_exchange_start_mut_auth;
 
 size_t libspdm_get_max_buffer_size(void)
 {
@@ -98,7 +99,6 @@ void libspdm_test_responder_finish_case1(void **State)
     spdm_context->connection_info.local_used_cert_chain_buffer_size = data_size1;
 
     libspdm_reset_message_a(spdm_context);
-    spdm_context->local_context.mut_auth_requested = 0;
 
     session_id = 0xFFFFFFFF;
     spdm_context->latest_session_id = session_id;
@@ -319,7 +319,6 @@ void libspdm_test_responder_finish_case7(void **State)
     spdm_context->connection_info.local_used_cert_chain_buffer_size = data_size1;
 
     libspdm_reset_message_a(spdm_context);
-    spdm_context->local_context.mut_auth_requested = 0;
 
     session_id = 0xFFFFFFFF;
     spdm_context->latest_session_id = session_id;
@@ -402,7 +401,7 @@ void libspdm_test_responder_finish_case8(void **State)
     spdm_context->connection_info.local_used_cert_chain_buffer_size = data_size1;
 
     libspdm_reset_message_a(spdm_context);
-    spdm_context->local_context.mut_auth_requested = 1;
+    g_key_exchange_start_mut_auth = SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED;
     libspdm_read_requester_public_certificate_chain(m_libspdm_use_hash_algo,
                                                     m_libspdm_use_req_asym_algo,
                                                     &data2,
@@ -504,6 +503,7 @@ void libspdm_test_responder_finish_case8(void **State)
         spdm_context->connection_info.algorithm.req_base_asym_alg,
         spdm_context->connection_info.peer_used_cert_chain[0].leaf_cert_public_key);
 #endif
+    g_key_exchange_start_mut_auth = 0;
 }
 
 void libspdm_run_test_harness(void *test_buffer, size_t test_buffer_size)