Skip to content

Commit

Permalink
Support using provider with TLS
Browse files Browse the repository at this point in the history 
Support returning TLS-GROUP capabilities for well-known TLS groups
corresponding to ECC groups the provider may support.

Fixes: #62
Signed-off-by: Rob Shearman <[email protected]>
  • Loading branch information
@rshearman @gotthardp
rshearman authored and gotthardp committed Aug 14, 2023
1 parent 5ec8a44 commit c0afc49
Showing 1 changed file with 82 additions and 0 deletions.
82 changes: 82 additions & 0 deletions src/tpm2-provider.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
#include <openssl/params.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/prov_ssl.h>

#include <tss2/tss2_tctildr.h>

Expand Down Expand Up @@ -362,6 +363,86 @@ tpm2_teardown(void *provctx)
OPENSSL_clear_free(cprov, sizeof(TPM2_PROVIDER_CTX));
}

typedef struct tls_group_constants_st {
unsigned int group_id; /* Group ID */
unsigned int secbits; /* Bits of security */
int mintls; /* Minimum TLS version, -1 unsupported */
int maxtls; /* Maximum TLS version (or 0 for undefined) */
int mindtls; /* Minimum DTLS version, -1 unsupported */
int maxdtls; /* Maximum DTLS version (or 0 for undefined) */
} TLS_GROUP_CONSTANTS;

#define TLS_GROUP_ID_secp192r1 19
#define TLS_GROUP_ID_secp224r1 21
#define TLS_GROUP_ID_secp256r1 23
#define TLS_GROUP_ID_secp384r1 24
#define TLS_GROUP_ID_secp521r1 25

static const TLS_GROUP_CONSTANTS tls_group_list[] = {
{ TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
{ TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
{ TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
};

#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
{ \
OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME, \
tlsname, \
sizeof(tlsname)), \
OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL, \
realname, \
sizeof(realname)), \
OSSL_PARAM_utf8_string(OSSL_CAPABILITY_TLS_GROUP_ALG, \
algorithm, \
sizeof(algorithm)), \
OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_ID, \
(unsigned int *)&tls_group_list[idx].group_id), \
OSSL_PARAM_uint(OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS, \
(unsigned int *)&tls_group_list[idx].secbits), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_TLS, \
(int *)&tls_group_list[idx].mintls), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_TLS, \
(int *)&tls_group_list[idx].maxtls), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS, \
(int *)&tls_group_list[idx].mindtls), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS, \
(int *)&tls_group_list[idx].maxdtls), \
OSSL_PARAM_END \
}

static const OSSL_PARAM param_tls_group_list[][10] = {
TLS_GROUP_ENTRY("secp192r1", "prime192v1", "EC", 0),
TLS_GROUP_ENTRY("P-192", "prime192v1", "EC", 0), /* Alias of previous */
TLS_GROUP_ENTRY("secp224r1", "secp224r1", "EC", 1),
TLS_GROUP_ENTRY("P-224", "secp224r1", "EC", 1), /* Alias of previous */
TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 2),
TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 2), /* Alias of previous */
TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 3),
TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 3), /* Alias of previous */
TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 4),
TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 4), /* Alias of above */
};

static int tpm2_get_capabilities(void *provctx, const char *capability,
OSSL_CALLBACK *cb, void *arg)
{
if (OPENSSL_strcasecmp(capability, "TLS-GROUP") == 0) {
size_t i;

for (i = 0; i < NELEMS(param_tls_group_list); i++)
if (!cb(param_tls_group_list[i], arg))
return 0;

return 1;
}

return 0;
}

static const OSSL_DISPATCH tpm2_dispatch_table[] = {
{ OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))tpm2_gettable_params },
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))tpm2_get_params },
Expand All @@ -370,6 +451,7 @@ static const OSSL_DISPATCH tpm2_dispatch_table[] = {
{ OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, (void (*)(void))tpm2_get_reason_strings },
{ OSSL_FUNC_PROVIDER_SELF_TEST, (void (*)(void))tpm2_self_test },
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))tpm2_teardown },
{ OSSL_FUNC_PROVIDER_GET_CAPABILITIES, (void (*)(void))tpm2_get_capabilities },
{ 0, NULL }
};

Expand Down

0 comments on commit c0afc49

Please sign in to comment.