
Releases: DMTF/libspdm

3.0.0

18 Jul 06:22

Tag 3.0.0 adds new features:

  • Support for FIPS 140-3 including known-answer-tests (KAT). See fips.
  • Raw public keys are now ASN.1 DER encoded. See raw_public_key.
  • Support AEAD limit configuration. See aead_limit.
  • Support for OpenSSL 3.0.

The API in 3.0.0 is incompatible with the API in the 2.3.x releases. See changelog, design and user_guide.

This version fixes the L1/L2 measurement transcript error-handling issue; the fix is incompatible with previous libspdm versions.

The endianness in libspdm is documented at crypto_endianness.

2.3.3

01 Jun 07:03

Tag 2.3.3 fixes a security issue - DMTF-2023-0002: Responder can Invoke Undefined Behavior in libspdm Requester. #2068
Please also see GHSA-56h8-4gv5-jf2c.

Tag 2.3.3 also fixes an implementation defect present in tags 2.3.2 and previous (#2039): the order of RequesterInfo and OpaqueData in GET_CSR was reversed. While tag 2.3.3 has corrected this defect, it means that a tag 2.3.3 endpoint will not be able to send GET_CSR to a tag 2.3.2 or previous endpoint.

This is both an SPDM implementation security issue and an SPDM specification compliance issue. We suggest that consumers use tag 2.3.3 for further development and do not use any previous tags.

2.3.2

02 May 15:00

Tag 2.3.2 fixes a security issue - DMTF-2023-0001: SPDM mutual authentication bypass. #2005
Please also see GHSA-qw76-4v8p-xq9f.

This is an SPDM implementation security issue. We suggest that consumers use tag 2.3.2 for further development and do not use any previous tags.

2.3.1

10 Jan 18:16

Tag 2.3.1 fixes two implementation defects present in tag 2.3.0 (#1608). If a Requester sets (CERT_CAP=0, PUB_KEY_ID_CAP=0, KEY_EX_CAP=1) in its GET_CAPABILITIES request, then a 2.3.0 Responder will incorrectly send an InvalidRequest error response to the Requester. Similarly, if a Requester sets (KEY_EX_CAP=0, PSK_CAP=0, MUT_AUTH_CAP=1), then a 2.3.0 Responder will incorrectly send an InvalidRequest error response to the Requester.

2.3.0

04 Jan 05:31

Tag 2.3.0 fixes an implementation defect present in tags 2.2.0 and previous (#1424). According to the SPDM specification, the session ID should be Concatenate (ReqSessionID, RspSessionID). In tags 2.2.0 and previous, libspdm calculated the session ID as Concatenate (RspSessionID, ReqSessionID). While tag 2.3.0 has corrected this defect, it means that a tag 2.3.0 endpoint will not be able to establish a secure session with a tag 2.2.0 or previous endpoint.

In addition, the MDEPKG_NDEBUG macro has been deprecated and replaced with the LIBSPDM_DEBUG_ENABLE macro.

This is an SPDM specification compliance issue. We suggest that consumers use tag 2.3.0 for further development.

2.2.0

04 Oct 00:39

Tag 2.2.0 fixes an implementation defect present in tags 2.1.0 and previous (#1136). According to the SPDM specification, the ResponderVerifyData / RequesterVerifyData during secure session establishment should be calculated as HMAC(finished_key, hash(transcript)). In tags 2.1.0 and previous, libspdm calculated ResponderVerifyData / RequesterVerifyData as HMAC(finished_key, transcript). While tag 2.2.0 has corrected this defect, it means that a tag 2.2.0 endpoint will not be able to establish a secure session with a tag 2.1.0 or previous endpoint.

This is an SPDM specification compliance issue. We suggest that consumers use tag 2.2.0 for further development.

Major feature:

  1. Align to SPDM 1.2.1 spec https://www.dmtf.org/dsp/DSP0274

2.1.0

04 Jul 14:08

Tag 2.1.0 fixes an implementation defect present in tags 1.0.0 and 2.0.0 (#987). According to the SPDM specification, during secure session establishment the Handshake-Secret is derived as HMAC-Hash(Salt_0, Secret), where Secret is either the DHE Secret or the Pre-shared Key. In tags 1.0.0 and 2.0.0, libspdm swapped these two parameters as HMAC-Hash(Secret, Salt_0). While tag 2.1.0 has corrected this defect, it means that a tag 2.1.0 endpoint will not be able to establish a secure session with a tag 1.0.0 or 2.0.0 endpoint.

This is an SPDM specification compliance issue. We suggest that consumers use tag 2.1.0 for further development.

Major feature:

  1. Align to SPDM 1.2.1 spec https://www.dmtf.org/dsp/DSP0274
  2. Finish all SPDM 1.2.1 new features, including identity provisioning and chunking.
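The three cross-version incompatibilities described in the 2.1.0, 2.2.0 and 2.3.0 notes above (Handshake-Secret argument order, VerifyData over the transcript vs. its hash, and session ID concatenation order), shown side by side as an added example; this is not libspdm code. It assumes SHA-256 as the negotiated hash, a zero-filled hash-length Salt_0, and constructed sample secrets, keys and transcripts; the `interoperable` helper is hypothetical and only checks whether a fixed and a pre-fix endpoint would derive the same value.

```python
import hashlib
import hmac

HASH = hashlib.sha256            # negotiated hash algorithm (assumed SHA-256 for this example)
HASH_LEN = HASH().digest_size
SALT_0 = bytes(HASH_LEN)         # Salt_0 assumed here to be a zero-filled, hash-length value


def handshake_secret(secret: bytes, fixed: bool) -> bytes:
    """Handshake-Secret derivation.

    fixed=True  -> HMAC-Hash(Salt_0, Secret): spec-conformant form (tag 2.1.0 and later)
    fixed=False -> HMAC-Hash(Secret, Salt_0): swapped form of tags 1.0.0 and 2.0.0
    """
    if fixed:
        return hmac.new(SALT_0, secret, HASH).digest()
    return hmac.new(secret, SALT_0, HASH).digest()


def verify_data(finished_key: bytes, transcript: bytes, fixed: bool) -> bytes:
    """Requester/ResponderVerifyData.

    fixed=True  -> HMAC(finished_key, hash(transcript)): spec-conformant (tag 2.2.0 and later)
    fixed=False -> HMAC(finished_key, transcript): form used by tags 2.1.0 and earlier
    """
    msg = HASH(transcript).digest() if fixed else transcript
    return hmac.new(finished_key, msg, HASH).digest()


def session_id(req_session_id: bytes, rsp_session_id: bytes, fixed: bool) -> bytes:
    """Session ID: Concatenate(ReqSessionID, RspSessionID) per spec (tag 2.3.0 and later);
    tags 2.2.0 and earlier produced Concatenate(RspSessionID, ReqSessionID)."""
    return req_session_id + rsp_session_id if fixed else rsp_session_id + req_session_id


def interoperable(step, *args) -> bool:
    """True only if a fixed endpoint and a pre-fix endpoint compute the same value."""
    return hmac.compare_digest(step(*args, fixed=True), step(*args, fixed=False))


if __name__ == "__main__":
    # Constructed sample inputs: a DHE/PSK secret, a finished_key and a message transcript.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    finished_key = b"\x42" * HASH_LEN
    transcript = b"GET_VERSION|VERSION|GET_CAPABILITIES|CAPABILITIES|KEY_EXCHANGE|KEY_EXCHANGE_RSP"
    print("Handshake-Secret agrees across versions:", interoperable(handshake_secret, secret))
    print("VerifyData agrees across versions:      ", interoperable(verify_data, finished_key, transcript))
    print("Session ID agrees across versions:      ", interoperable(session_id, b"\x00\x01", b"\x00\x02"))
```

Each check prints False, which is the concrete reason the release notes say a fixed endpoint cannot establish a secure session with a pre-fix endpoint: both sides run the handshake, but their derived values never match.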