Add SPDM version checks

Fix #3483.

Signed-off-by: Steven Bellock <[email protected]>

Author: steven-bellock

library/spdm_responder_lib/libspdm_rsp_encap_response.c

@@ -1,6 +1,6 @@
 /**
  *  Copyright Notice:
- *  Copyright 2021-2025 DMTF. All rights reserved.
+ *  Copyright 2021-2026 DMTF. All rights reserved.
  *  License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
  **/
 
@@ -290,6 +290,18 @@ libspdm_return_t libspdm_get_response_encapsulated_request(
             spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
             SPDM_GET_ENCAPSULATED_REQUEST, response_size, response);
     }
+
+    if (request_size < sizeof(spdm_get_encapsulated_request_request_t)) {
+        return libspdm_generate_error_response(spdm_context,
+                                               SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                                               response_size, response);
+    }
+    if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
+        return libspdm_generate_error_response(spdm_context,
+                                               SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
+                                               response_size, response);
+    }
+
     if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_PROCESSING_ENCAP) {
         if (spdm_context->response_state == LIBSPDM_RESPONSE_STATE_NORMAL) {
             if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) {
@@ -327,12 +339,6 @@ libspdm_return_t libspdm_get_response_encapsulated_request(
         }
     }
 
-    if (request_size < sizeof(spdm_get_encapsulated_request_request_t)) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_INVALID_REQUEST, 0,
-                                               response_size, response);
-    }
-
     libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
                                                   spdm_request->header.request_response_code);
 
@@ -394,6 +400,7 @@ libspdm_return_t libspdm_get_response_encapsulated_response_ack(
             spdm_context, SPDM_ERROR_CODE_UNSUPPORTED_REQUEST,
             SPDM_DELIVER_ENCAPSULATED_RESPONSE, response_size, response);
     }
+
     if (spdm_context->response_state != LIBSPDM_RESPONSE_STATE_PROCESSING_ENCAP) {
         if (spdm_context->response_state == LIBSPDM_RESPONSE_STATE_NORMAL) {
             return libspdm_generate_error_response(
@@ -411,6 +418,11 @@ libspdm_return_t libspdm_get_response_encapsulated_response_ack(
                                                SPDM_ERROR_CODE_INVALID_REQUEST, 0,
                                                response_size, response);
     }
+    if (spdm_request->header.spdm_version != libspdm_get_connection_version(spdm_context)) {
+        return libspdm_generate_error_response(spdm_context,
+                                               SPDM_ERROR_CODE_VERSION_MISMATCH, 0,
+                                               response_size, response);
+    }
 
     spdm_request_size = request_size;
 

unit_test/test_spdm_responder/encapsulated_request.c

@@ -439,8 +439,8 @@ static void rsp_encapsulated_request_case7(void **State)
 
     response_size = sizeof(response);
     status = libspdm_get_response_encapsulated_request(spdm_context,
-                                                       m_libspdm_encapsulated_request_t1_size,
-                                                       &m_libspdm_encapsulated_request_t1,
+                                                       m_libspdm_encapsulated_request_t2_size,
+                                                       &m_libspdm_encapsulated_request_t2,
                                                        &response_size,
                                                        response);