In the SPDM 1.4 PSK_FINISH flow, opaque-data handling is only partially implemented. Validation and completeness around opaque-length processing are inconsistent between request and response paths. This creates a protocol-completeness gap and may allow malformed opaque-length patterns to be handled less strictly than intended.
Observed Behavior
Opaque-length processing in PSK_FINISH/PSK_FINISH_RSP is present but not fully hardened for strict 1.4 handling.
Responder behavior is limited to minimal/empty opaque response payload handling, rather than full opaque-data response support.
Validation behavior is not fully symmetric between requester and responder for opaque-length constraints.
Expected Behavior
Full SPDM 1.4-compliant opaque-length handling for PSK_FINISH/PSK_FINISH_RSP.
Explicit and consistent length-bound validation on both requester and responder paths.
Deterministic handling of non-empty opaque-data response paths where supported.
Impact
Protocol completeness gap in a 1.4 session-finalization path.
Potential interoperability issues with peers that use broader valid opaque-data patterns.
Reduced parser robustness under malformed or edge-case opaque-length inputs.
Severity
Medium (functional/compliance hardening; security relevance depends on malformed-input threat model and deployment policy).
Suggested Fix
Add explicit opaque-length upper-bound and structural validation in responder-side request parsing.
Align requester/responder validation symmetry for opaque-length rules.
Implement or explicitly gate non-empty opaque-data response behavior for 1.4.
Add unit tests covering valid/invalid opaque-length boundary scenarios and non-empty opaque response cases.
In the SPDM 1.4 PSK_FINISH flow, opaque-data handling is only partially implemented. Validation and completeness around opaque-length processing are inconsistent between request and response paths. This creates a protocol-completeness gap and may allow malformed opaque-length patterns to be handled less strictly than intended.
Observed Behavior
Opaque-length processing in PSK_FINISH/PSK_FINISH_RSP is present but not fully hardened for strict 1.4 handling.
Responder behavior is limited to minimal/empty opaque response payload handling, rather than full opaque-data response support.
Validation behavior is not fully symmetric between requester and responder for opaque-length constraints.
Expected Behavior
Full SPDM 1.4-compliant opaque-length handling for PSK_FINISH/PSK_FINISH_RSP.
Explicit and consistent length-bound validation on both requester and responder paths.
Deterministic handling of non-empty opaque-data response paths where supported.
Impact
Protocol completeness gap in a 1.4 session-finalization path.
Potential interoperability issues with peers that use broader valid opaque-data patterns.
Reduced parser robustness under malformed or edge-case opaque-length inputs.
Severity
Medium (functional/compliance hardening; security relevance depends on malformed-input threat model and deployment policy).
Suggested Fix
Add explicit opaque-length upper-bound and structural validation in responder-side request parsing.
Align requester/responder validation symmetry for opaque-length rules.
Implement or explicitly gate non-empty opaque-data response behavior for 1.4.
Add unit tests covering valid/invalid opaque-length boundary scenarios and non-empty opaque response cases.