3.8.2

What's Changed

This release brings a fix for the security issues described in

• GHSA-j54w-759w-xj3m
• GHSA-m4wc-xmvg-369f

as well as additional bug fixes described below.

• os_stub/openssllib: Allow building with older OpenSSL versions by @alistair23 in #3418
• Ignore MSVC warning when compiling OpenSSL by @steven-bellock in #3496
• Bring fixes from main to 3.8 by @steven-bellock and @jyao1 in #3494

Full Changelog: 3.8.1...3.8.2

3.8.1

Tag 3.8.1 fixes two issues:

• Unaligned memory access in VENDOR_DEFINED_* : #3196
• Build failure when mutual authentication is disabled : #3178

3.8.0

Tag 3.8.0 adds new features:

• Support for DSP0286 1.0 - Security Protocol and Data Model (SPDM) to Storage Binding Specification.
• Support for DSP0287 1.0 - SPDM over TCP Binding Specification.
• SPDM 1.3 encapsulated GET_ENDPOINT_INFO.
• Update OpenSSL to 3.5.1, which supports PQC.
• Fix Ed448 signing/verification issue that it did not pass context in signing (#3037). This is an SPDM specification compliance issue, we suggest the consumers use the tag 3.8.0 for further development if Ed448 is enabled.
• Add EdDSA and SM2 in libspdm_gen_x509_csr().

3.7.0

Tag 3.7.0 adds new features:

• SPDM 1.3 GET_ENDPOINT_INFO.
• SPDM 1.3 encapsulated SEND_EVENT for receipt by the Requester.

Support for encapsulated GET_ENDPOINT_INFO and additional SEND_EVENT schemes will be included in subsequent releases.

3.6.0

Tag 3.6.0 adds new features:

• Update OpenSSL to 3.0.14
• Update MbedTls to 3.6.2
• Support Non-Zero VendorID in OpaqueData Element. (#2934)

3.5.0

Tag 3.5.0 adds new features:

• SPDM 1.3 GET_KEY_PAIR_INFO.
• SPDM 1.3 SET_KEY_PAIR_INFO.
• SPDM 1.3 SUBSCRIBE_EVENT_TYPE.
• Support PCIE DOE discovery version 2.
• Setup nightly Coverity scanning and fix some issues, such as Dead code after loop, Out-of-bounds array read, unused value.

3.4.0

Tag 3.4.0 adds new features:

• SPDM 1.3 GET_MEASUREMENT_EXTENSION_LOG.
• Support for DSP0277 1.2 - Secured Messages using SPDM.
• Support for MbedTLS 3.0.

3.3.0

Tag 3.3.0 adds GET_SUPPORTED_EVENT_TYPES. Additional SPDM 1.3 messages will be implemented in future releases.

Since tag 3.3.0, libspdm is registered to oss-fuzz (#2593). Several potential buffer overflow issues are fixed, such as CSR, CHUNK_SEND_ACK.

3.2.0

Tag 3.2.0 starts adding SPDM 1.3 support. The existing SPDM commands are updated to support 1.3-defined fields in

• GET_CAPABILITIES / CAPABILITIES
• NEGOTIATE_ALGORITHMS / ALGORITHMS
• GET_DIGESTS / DIGESTS
• GET_CERTIFICATE / CERTIFICATE
• CHALLENGE / CHALLENGE_AUTH
• GET_MEASUREMENTS / MEASUREMENTS
• GET_CSR / CSR
• SET_CERTIFICATE / SET_CERTIFICATE_RSP

Support for new SPDM 1.3 messages, such as GET_ENDPOINT_INFO, GET_SUPPORTED_EVENT_TYPES, GET_MEASUREMENT_EXTENSION_LOG, SUBSCRIBE_EVENT_TYPES, SEND_EVENT, GET_KEY_PAIR_INFO, SET_KEY_PAIR_INFO will be included in subsequent releases.

3.1.1

Tag 3.1.1 fixes two bugs (#2393 and #2395) found in the endianness detection feature that was introduced in 3.1.0. An incorrect endianness may be inferred if the AEAD sequence number or asymmetric signature has the same byte layout when interpreted as a big or little endian value.