
Releases: DMTF/libspdm

3.5.0

07 Oct 15:20

Tag 3.5.0 adds new features:

3.4.0

09 Jul 10:14

Tag 3.4.0 adds new features:

  • SPDM 1.3 GET_MEASUREMENT_EXTENSION_LOG.
  • Support for DSP0277 1.2 - Secured Messages using SPDM.
  • Support for MbedTLS 3.0.

3.3.0

06 Apr 07:11

Tag 3.3.0 adds GET_SUPPORTED_EVENT_TYPES. Additional SPDM 1.3 messages will be implemented in future releases.

Since tag 3.3.0, libspdm is registered with oss-fuzz (#2593). Several potential buffer overflow issues are fixed, such as in CSR and CHUNK_SEND_ACK.

3.2.0

11 Jan 13:49

Tag 3.2.0 starts adding SPDM 1.3 support. The existing SPDM commands are updated to support 1.3-defined fields in

  • GET_CAPABILITIES / CAPABILITIES
  • NEGOTIATE_ALGORITHMS / ALGORITHMS
  • GET_DIGESTS / DIGESTS
  • GET_CERTIFICATE / CERTIFICATE
  • CHALLENGE / CHALLENGE_AUTH
  • GET_MEASUREMENTS / MEASUREMENTS
  • GET_CSR / CSR
  • SET_CERTIFICATE / SET_CERTIFICATE_RSP

Support for new SPDM 1.3 messages, such as GET_ENDPOINT_INFO, GET_SUPPORTED_EVENT_TYPES, GET_MEASUREMENT_EXTENSION_LOG, SUBSCRIBE_EVENT_TYPES, SEND_EVENT, GET_KEY_PAIR_INFO and SET_KEY_PAIR_INFO, will be included in subsequent releases.

3.1.1

13 Oct 17:32

Tag 3.1.1 fixes two bugs (#2393 and #2395) found in the endianness detection feature that was introduced in 3.1.0. An incorrect endianness may be inferred if the AEAD sequence number or asymmetric signature has the same byte layout when interpreted as a big or little endian value.
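The ambiguity described above, as an added illustration that is not libspdm code: it models the sequence number as an 8-byte field compared against the value the receiver expects (an assumption of this example), and every name in it is hypothetical. The point is the third outcome: when both byte orders match, the message carries no endianness information and must not be used to lock one in.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names for this example; not libspdm identifiers. */
typedef enum { SEQ_LITTLE, SEQ_BIG, SEQ_AMBIGUOUS, SEQ_MISMATCH } seq_endian_t;

/* Serialize a 64-bit sequence number in the requested byte order. */
static void seq_encode(uint64_t seq, int big_endian, uint8_t out[8])
{
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        out[i] = (uint8_t)(seq >> shift);
    }
}

/*
 * Classify the byte order of a received 8-byte sequence number field,
 * given the sequence number the receiver expects. If both encodings
 * match, the result is SEQ_AMBIGUOUS and the caller should defer the
 * decision to a later message instead of guessing.
 */
seq_endian_t seq_infer_endian(const uint8_t wire[8], uint64_t expected)
{
    uint8_t le[8], be[8];
    seq_encode(expected, 0, le);
    seq_encode(expected, 1, be);
    int is_le = memcmp(wire, le, 8) == 0;
    int is_be = memcmp(wire, be, 8) == 0;
    if (is_le && is_be) return SEQ_AMBIGUOUS;
    if (is_le) return SEQ_LITTLE;
    if (is_be) return SEQ_BIG;
    return SEQ_MISMATCH;
}

/* Encode `seq` as a peer would, then classify it on the receiving side. */
seq_endian_t seq_classify(uint64_t seq, int peer_big_endian)
{
    uint8_t wire[8];
    seq_encode(seq, peer_big_endian, wire);
    return seq_infer_endian(wire, seq);
}
```

Values such as 0 and 0x0100000000000001 are byte palindromes, so they classify as ambiguous regardless of the peer's byte order.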

3.1.0

04 Oct 16:35

Tag 3.1.0 adds new capabilities:

  • Support DSP0274 SPDM 1.0/1.1 RSA/ECDSA signature endianness configuration (#2151). The default endianness is big endian.
  • Support DSP0277 Secured Message AEAD sequence number endianness configuration (#2166). The default endianness is little endian.

The details of endianness in libspdm are documented at crypto_endianness.

3.0.0

18 Jul 06:22

Tag 3.0.0 adds new features:

  • Support for FIPS 140-3 including known-answer-tests (KAT). See fips.
  • Raw public keys are now ASN.1 DER encoded. See raw_public_key.
  • Support AEAD limit configuration. See aead_limit.
  • Support for OpenSSL 3.0.

The API in 3.0.0 is incompatible with the API in the 2.3.x releases. See changelog, design and user_guide.

This version fixes an L1/L2 measurement transcript error handling issue; the fix is incompatible with previous libspdm versions.

The endianness in libspdm is documented at crypto_endianness.

2.3.3

01 Jun 07:03

Tag 2.3.3 fixes a security issue - DMTF-2023-0002: Responder can Invoke Undefined Behavior in libspdm Requester. #2068
Please also see GHSA-56h8-4gv5-jf2c.

Tag 2.3.3 fixes an implementation defect present in tags 2.3.2 and previous (#2039): the order of RequesterInfo and OpaqueData in GET_CSR is reversed. Tag 2.3.3 corrects this defect, which means that a tag 2.3.3 endpoint will not be able to send GET_CSR to a tag 2.3.2 or earlier endpoint.

This is an SPDM implementation security issue and an SPDM specification compliance issue. We suggest that consumers use tag 2.3.3 for further development and do not use any previous tags.

2.3.2

02 May 15:00

Tag 2.3.2 fixes a security issue - DMTF-2023-0001: SPDM mutual authentication bypass. #2005
Please also see GHSA-qw76-4v8p-xq9f.

This is an SPDM implementation security issue. We suggest that consumers use tag 2.3.2 for further development and do not use any previous tags.

2.3.1

10 Jan 18:16

Tag 2.3.1 fixes two implementation defects present in tag 2.3.0. #1608. If a Requester sets (CERT_CAP=0, PUB_KEY_ID_CAP=0, KEY_EX_CAP=1) in its GET_CAPABILITIES request, then a 2.3.0 Responder will incorrectly send an InvalidRequest error response to the Requester. Similarly, if a Requester sets (KEY_EX_CAP=0, PSK_CAP=0, MUT_AUTH_CAP=1), then a 2.3.0 Responder will incorrectly send an InvalidRequest error response to the Requester.