Relax capabilities check for encapsulated messages

Fix #2447. Signed-off-by: Steven Bellock <[email protected]>
DMTF · Dec 12, 2023 · e79077b · e79077b
1 parent 3bbcb24
commit e79077b
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 12 deletions.
diff --git a/include/internal/libspdm_common_lib.h b/include/internal/libspdm_common_lib.h
@@ -851,6 +851,17 @@ bool libspdm_is_capabilities_flag_supported(const libspdm_context_t *spdm_contex
                                             uint32_t requester_capabilities_flag,
                                             uint32_t responder_capabilities_flag);
 
+/**
+ * Checks the negotiated SPDM version and endpoint capabilities to determine if encapsulated
+ * messages are supported or not.
+ *
+ * @param  spdm_context  A pointer to the SPDM context.
+ *
+ * @retval true   Both endpoints support encapsulated messages.
+ * @retval false  At least one endpoint does not support encapsulated messages.
+ **/
+bool libspdm_is_encap_supported(const libspdm_context_t *spdm_context);
+
 /**
  * This function generates the certificate chain hash.
  *

diff --git a/library/spdm_common_lib/libspdm_com_context_data.c b/library/spdm_common_lib/libspdm_com_context_data.c
@@ -2340,6 +2340,39 @@ bool libspdm_is_capabilities_flag_supported(const libspdm_context_t *spdm_contex
     }
 }
 
+bool libspdm_is_encap_supported(const libspdm_context_t *spdm_context)
+{
+    if (libspdm_get_connection_version(spdm_context) == SPDM_MESSAGE_VERSION_10) {
+        return false;
+    } else if (libspdm_get_connection_version(spdm_context) == SPDM_MESSAGE_VERSION_12) {
+        /* ENCAP_CAP was erroneously deprecated in SPDM 1.2.0 and 1.2.1, and MUT_AUTH_CAP
+         * was used in its place. In SPDM 1.2.2 and later ENCAP_CAP is undeprecated. Since
+         * UpdateVersionNumber must be ignored when checking interoperability libspdm will check
+         * if ENCAP_CAP or MUT_AUTH_CAP is set. */
+        const bool is_req_encap_cap_supported = libspdm_is_capabilities_flag_supported(
+            spdm_context, spdm_context->local_context.is_requester,
+            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP, 0);
+        const bool is_req_mut_auth_cap_supported = libspdm_is_capabilities_flag_supported(
+            spdm_context, spdm_context->local_context.is_requester,
+            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP, 0);
+        const bool is_rsp_encap_cap_supported = libspdm_is_capabilities_flag_supported(
+            spdm_context, spdm_context->local_context.is_requester,
+            0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCAP_CAP);
+        const bool is_rsp_mut_auth_cap_supported = libspdm_is_capabilities_flag_supported(
+            spdm_context, spdm_context->local_context.is_requester,
+            0, SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP);
+
+        return ((is_req_encap_cap_supported || is_req_mut_auth_cap_supported) &&
+                (is_rsp_encap_cap_supported || is_rsp_mut_auth_cap_supported));
+    } else {
+        /* For SPDM 1.1 and 1.3 and later only check ENCAP_CAP. */
+        return libspdm_is_capabilities_flag_supported(
+            spdm_context, spdm_context->local_context.is_requester,
+            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP,
+            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCAP_CAP);
+    }
+}
+
 /**
  * Register SPDM device input/output functions.
  *

diff --git a/library/spdm_requester_lib/libspdm_req_encap_request.c b/library/spdm_requester_lib/libspdm_req_encap_request.c
@@ -140,14 +140,7 @@ libspdm_return_t libspdm_encapsulated_request(libspdm_context_t *spdm_context,
     spdm_get_digest_request_t *get_digests;
     #endif /* LIBSPDM_ENABLE_CAPABILITY_CERT_CAP*/
 
-    if (libspdm_get_connection_version(spdm_context) < SPDM_MESSAGE_VERSION_11) {
-        return LIBSPDM_STATUS_UNSUPPORTED_CAP;
-    }
-
-    if (!libspdm_is_capabilities_flag_supported(
-            spdm_context, true,
-            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP,
-            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCAP_CAP)) {
+    if (!libspdm_is_encap_supported(spdm_context)) {
         return LIBSPDM_STATUS_UNSUPPORTED_CAP;
     }
 

diff --git a/library/spdm_responder_lib/libspdm_rsp_encap_response.c b/library/spdm_responder_lib/libspdm_rsp_encap_response.c
@@ -229,10 +229,7 @@ libspdm_return_t libspdm_get_response_encapsulated_request(
                                                response_size, response);
     }
 
-    if (!libspdm_is_capabilities_flag_supported(
-            spdm_context, false,
-            SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP,
-            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCAP_CAP)) {
+    if (!libspdm_is_encap_supported(spdm_context)) {
         return libspdm_generate_error_response(
             spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
             SPDM_GET_ENCAPSULATED_REQUEST, response_size, response);