From a3e5b9966da2021a5908420a5bfa51634eebc1e5 Mon Sep 17 00:00:00 2001
From: Steven Bellock <sbellock@nvidia.com>
Date: Wed, 14 Aug 2024 15:37:59 -0700
Subject: [PATCH] Mask capability flags based on negotiated version

Fix #2796.

Signed-off-by: Steven Bellock <sbellock@nvidia.com>
---
 include/internal/libspdm_common_lib.h         | 13 +++++++
 library/spdm_common_lib/libspdm_com_support.c | 35 +++++++++++++++++++
 .../libspdm_req_get_capabilities.c            | 20 +++--------
 .../libspdm_rsp_capabilities.c                | 20 ++++-------
 4 files changed, 59 insertions(+), 29 deletions(-)

diff --git a/include/internal/libspdm_common_lib.h b/include/internal/libspdm_common_lib.h
index 63db3d178fb..60af4978e4c 100644
--- a/include/internal/libspdm_common_lib.h
+++ b/include/internal/libspdm_common_lib.h
@@ -1711,4 +1711,17 @@ static inline uint64_t libspdm_le_to_be_64(uint64_t value)
             ((value & 0xff00000000000000) >> 56));
 }
 
+/**
+ * Return capability flags that are masked by the negotiated SPDM version.
+ *
+ * @param  spdm_context      A pointer to the SPDM context.
+ * @param  is_request_flags  If true then flags are from a request message or Requester.
+ *                           If false then flags are from a response message or Responder.
+ * @param  flags             A bitmask of capability flags.
+ *
+ * @return The masked capability flags.
+ */
+uint32_t libspdm_mask_capability_flags(libspdm_context_t *spdm_context,
+                                       bool is_request_flags, uint32_t flags);
+
 #endif /* SPDM_COMMON_LIB_INTERNAL_H */
diff --git a/library/spdm_common_lib/libspdm_com_support.c b/library/spdm_common_lib/libspdm_com_support.c
index 025624c6266..723557cd230 100644
--- a/library/spdm_common_lib/libspdm_com_support.c
+++ b/library/spdm_common_lib/libspdm_com_support.c
@@ -331,3 +331,38 @@ bool libspdm_get_fips_mode(void)
     return false;
 #endif
 }
+
+uint32_t libspdm_mask_capability_flags(libspdm_context_t *spdm_context,
+                                       bool is_request_flags, uint32_t flags)
+{
+    switch (libspdm_get_connection_version(spdm_context)) {
+    case SPDM_MESSAGE_VERSION_10:
+        if (is_request_flags) {
+            /* A 1.0 Requester does not have any capability flags. */
+            return 0;
+        } else {
+            return (flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_10_MASK);
+        }
+    case SPDM_MESSAGE_VERSION_11:
+        if (is_request_flags) {
+            return (flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_11_MASK);
+        } else {
+            return (flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_11_MASK);
+        }
+    case SPDM_MESSAGE_VERSION_12:
+        if (is_request_flags) {
+            return (flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_12_MASK);
+        } else {
+            return (flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_12_MASK);
+        }
+    case SPDM_MESSAGE_VERSION_13:
+        if (is_request_flags) {
+            return (flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_13_MASK);
+        } else {
+            return (flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_13_MASK);
+        }
+    default:
+        LIBSPDM_ASSERT(false);
+        return 0;
+    }
+}
diff --git a/library/spdm_requester_lib/libspdm_req_get_capabilities.c b/library/spdm_requester_lib/libspdm_req_get_capabilities.c
index 356bc36cf64..131a123a47d 100644
--- a/library/spdm_requester_lib/libspdm_req_get_capabilities.c
+++ b/library/spdm_requester_lib/libspdm_req_get_capabilities.c
@@ -247,7 +247,9 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
     spdm_request->header.param2 = 0;
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_11) {
         spdm_request->ct_exponent = spdm_context->local_context.capability.ct_exponent;
-        spdm_request->flags = spdm_context->local_context.capability.flags;
+        spdm_request->flags =
+            libspdm_mask_capability_flags(spdm_context, true,
+                                          spdm_context->local_context.capability.flags);
     }
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
         spdm_request->data_transfer_size =
@@ -354,20 +356,8 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
     }
 
     spdm_context->connection_info.capability.ct_exponent = spdm_response->ct_exponent;
-
-    if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_10) {
-        spdm_context->connection_info.capability.flags =
-            spdm_response->flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_10_MASK;
-    } else if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_11) {
-        spdm_context->connection_info.capability.flags =
-            spdm_response->flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_11_MASK;
-    } else if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_12) {
-        spdm_context->connection_info.capability.flags =
-            spdm_response->flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_12_MASK;
-    } else {
-        spdm_context->connection_info.capability.flags =
-            spdm_response->flags & SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_13_MASK;
-    }
+    spdm_context->connection_info.capability.flags =
+        libspdm_mask_capability_flags(spdm_context, false, spdm_response->flags);
 
     if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
         spdm_context->connection_info.capability.data_transfer_size =
diff --git a/library/spdm_responder_lib/libspdm_rsp_capabilities.c b/library/spdm_responder_lib/libspdm_rsp_capabilities.c
index 05acbfe5f4a..0c34208244b 100644
--- a/library/spdm_responder_lib/libspdm_rsp_capabilities.c
+++ b/library/spdm_responder_lib/libspdm_rsp_capabilities.c
@@ -1,6 +1,6 @@
 /**
  *  Copyright Notice:
- *  Copyright 2021-2022 DMTF. All rights reserved.
+ *  Copyright 2021-2024 DMTF. All rights reserved.
  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
  **/
 
@@ -247,7 +247,9 @@ libspdm_return_t libspdm_get_response_capabilities(libspdm_context_t *spdm_conte
     spdm_response->header.param1 = 0;
     spdm_response->header.param2 = 0;
     spdm_response->ct_exponent = spdm_context->local_context.capability.ct_exponent;
-    spdm_response->flags = spdm_context->local_context.capability.flags;
+    spdm_response->flags =
+        libspdm_mask_capability_flags(spdm_context, false,
+                                      spdm_context->local_context.capability.flags);
     if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
         spdm_response->data_transfer_size =
             spdm_context->local_context.capability.data_transfer_size;
@@ -284,18 +286,8 @@ libspdm_return_t libspdm_get_response_capabilities(libspdm_context_t *spdm_conte
         spdm_context->connection_info.capability.ct_exponent = 0;
     }
 
-    if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_10) {
-        spdm_context->connection_info.capability.flags = 0;
-    } else if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_11) {
-        spdm_context->connection_info.capability.flags =
-            spdm_request->flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_11_MASK;
-    } else if (spdm_response->header.spdm_version == SPDM_MESSAGE_VERSION_12) {
-        spdm_context->connection_info.capability.flags =
-            spdm_request->flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_12_MASK;
-    } else {
-        spdm_context->connection_info.capability.flags =
-            spdm_request->flags & SPDM_GET_CAPABILITIES_REQUEST_FLAGS_13_MASK;
-    }
+    spdm_context->connection_info.capability.flags =
+        libspdm_mask_capability_flags(spdm_context, true, spdm_request->flags);
 
     if (spdm_response->header.spdm_version >= SPDM_MESSAGE_VERSION_12) {
         spdm_context->connection_info.capability.data_transfer_size =