Invalid ErrorCode in handshake in the clear

[lazineer]

No session required in hanshake in the clear.
But it returns SessionRequired if the requester sends FINISH in session in handshake in the clear.
I think InvalidRequest or UnexpectedRequest would be appropriate.

libspdm/library/spdm_responder_lib/libspdm_rsp_finish.c

Lines 430 to 434 in 238fb80

	/* handshake in clear, then it must not be in a session.*/
	if (spdm_context->last_spdm_request_session_id_valid) {
	if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_12) {
	return libspdm_generate_error_response(
	spdm_context, SPDM_ERROR_CODE_SESSION_REQUIRED, 0, response_size, response);

[steven-bellock]

I guess one of the questions is why is libspdm decrypting anything at all if the session state is still in the handshake phase and HANDSHAKE_IN_THE_CLEAR_CAP is set for both endpoints.

[steven-bellock]

And going even further why do the Request-direction and Responder-direction handshake secrets even exist if HANDSHAKE_IN_THE_CLEAR_CAP is set for both endpoints? Filed https://github.com/DMTF/SPDM-WG/issues/3684 to make that more explicit in the specification.

[jyao1]

agree it is a bug

[steven-bellock]

@steven-bellock to file an issue on (lack of) handshake secret derivation when HANDSHAKE_IN_THE_CLEAR_CAP is set for both endpoints.