capabilities: only return supported tls-groups

tpm2-software · Nov 11, 2023 · ed84bbc · ed84bbc
1 parent d829fe9
commit ed84bbc
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 31 deletions.
diff --git a/src/tpm2-provider-capabilities.c b/src/tpm2-provider-capabilities.c
@@ -6,6 +6,8 @@
 
 #include "tpm2-provider.h"
 
+/* TLS-GROUP */
+
 typedef struct tls_group_constants_st {
     unsigned int group_id;   /* Group ID */
     unsigned int secbits;    /* Bits of security */
@@ -57,27 +59,32 @@ static const TLS_GROUP_CONSTANTS tls_group_list[] = {
         OSSL_PARAM_END \
     }
 
-static const OSSL_PARAM param_tls_group_list[][10] = {
-    TLS_GROUP_ENTRY("secp192r1", "prime192v1", "EC", 0),
-    TLS_GROUP_ENTRY("P-192", "prime192v1", "EC", 0), /* Alias of previous */
-    TLS_GROUP_ENTRY("secp224r1", "secp224r1", "EC", 1),
-    TLS_GROUP_ENTRY("P-224", "secp224r1", "EC", 1), /* Alias of previous */
-    TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 2),
-    TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 2), /* Alias of previous */
-    TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 3),
-    TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 3), /* Alias of previous */
-    TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 4),
-    TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 4), /* Alias of above */
+static struct {
+    TPM2_ECC_CURVE curve;
+    OSSL_PARAM params[10];
+} param_tls_group_list[] = {
+    { TPM2_ECC_NIST_P192, TLS_GROUP_ENTRY("secp192r1", "prime192v1", "EC", 0) },
+    { TPM2_ECC_NIST_P192, TLS_GROUP_ENTRY("P-192", "prime192v1", "EC", 0) },
+    { TPM2_ECC_NIST_P224, TLS_GROUP_ENTRY("secp224r1", "secp224r1", "EC", 1) },
+    { TPM2_ECC_NIST_P224, TLS_GROUP_ENTRY("P-224", "secp224r1", "EC", 1) },
+    { TPM2_ECC_NIST_P256, TLS_GROUP_ENTRY("secp256r1", "prime256v1", "EC", 2) },
+    { TPM2_ECC_NIST_P256, TLS_GROUP_ENTRY("P-256", "prime256v1", "EC", 2) },
+    { TPM2_ECC_NIST_P384, TLS_GROUP_ENTRY("secp384r1", "secp384r1", "EC", 3) },
+    { TPM2_ECC_NIST_P384, TLS_GROUP_ENTRY("P-384", "secp384r1", "EC", 3) },
+    { TPM2_ECC_NIST_P521, TLS_GROUP_ENTRY("secp521r1", "secp521r1", "EC", 4) },
+    { TPM2_ECC_NIST_P521, TLS_GROUP_ENTRY("P-521", "secp521r1", "EC", 4) },
 };
 
 int
-tpm2_get_capability_tls_group(TPM2_PROVIDER_CTX *provctx, OSSL_CALLBACK *cb, void *arg)
+tpm2_tls_group_capability(TPM2_PROVIDER_CTX *provctx, OSSL_CALLBACK *cb, void *arg)
 {
     size_t i;
 
-    for (i = 0; i < NELEMS(param_tls_group_list); i++)
-        if (!cb(param_tls_group_list[i], arg))
+    for (i = 0; i < NELEMS(param_tls_group_list); i++) {
+        if (tpm2_supports_curve(provctx->capability.curves, param_tls_group_list[i].curve)
+                && !cb(param_tls_group_list[i].params, arg))
             return 0;
+    }
 
     return 1;
 }
diff --git a/src/tpm2-provider-core.c b/src/tpm2-provider-core.c
@@ -126,6 +126,19 @@ tpm2_supports_command(const TPMS_CAPABILITY_DATA *caps, TPM2_CC command)
     return 0;
 }
 
+int
+tpm2_supports_curve(const TPMS_CAPABILITY_DATA *caps, TPM2_ECC_CURVE curve)
+{
+    UINT32 index;
+
+    for (index = 0; index < caps->data.eccCurves.count; index++) {
+        if (caps->data.eccCurves.eccCurves[index] == curve)
+            return 1;
+    }
+
+    return 0;
+}
+
 uint16_t
 tpm2_max_nvindex_buffer(const TPMS_CAPABILITY_DATA *caps)
 {

diff --git a/src/tpm2-provider.c b/src/tpm2-provider.c
@@ -329,15 +329,16 @@ tpm2_get_reason_strings(void *provctx)
     return reason_strings;
 }
 
-extern int tpm2_get_capability_tls_group(TPM2_PROVIDER_CTX *provctx, OSSL_CALLBACK *cb, void *arg);
+extern int tpm2_tls_group_capability(TPM2_PROVIDER_CTX *provctx, OSSL_CALLBACK *cb, void *arg);
 
 static int tpm2_get_capabilities(void *provctx, const char *capability,
                                  OSSL_CALLBACK *cb, void *arg)
 {
     TPM2_PROVIDER_CTX *cprov = provctx;
 
+    DBG("PROVIDER GET_CAPABILITIES %s\n", capability);
     if (OPENSSL_strcasecmp(capability, "TLS-GROUP") == 0)
-        return tpm2_get_capability_tls_group(cprov, cb, arg);
+        return tpm2_tls_group_capability(cprov, cb, arg);
 
     return 0;
 }
@@ -367,6 +368,7 @@ tpm2_teardown(void *provctx)
     free(cprov->capability.properties);
     free(cprov->capability.algorithms);
     free(cprov->capability.commands);
+    free(cprov->capability.curves);
     OSSL_LIB_CTX_free(cprov->libctx);
 
     r = Esys_GetTcti(cprov->esys_ctx, &tcti_ctx);
@@ -429,23 +431,16 @@ OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
     r = Esys_Initialize(&cprov->esys_ctx, tcti_ctx, NULL);
     TPM2_CHECK_RC(cprov->core, r, TPM2_ERR_CANNOT_CONNECT, goto err2);
 
-    r = Esys_GetCapability(cprov->esys_ctx,
-                           ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
-                           TPM2_CAP_TPM_PROPERTIES, 0, TPM2_MAX_TPM_PROPERTIES,
-                           NULL, &cprov->capability.properties);
+#define LOAD_CAPABILITY(capname, capcount, capbuf) \
+    r = Esys_GetCapability(cprov->esys_ctx, \
+                           ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, \
+                           capname, 0, capcount, NULL, capbuf); \
     TPM2_CHECK_RC(cprov->core, r, TPM2_ERR_CANNOT_GET_CAPABILITY, goto err3);
 
-    r = Esys_GetCapability(cprov->esys_ctx,
-                           ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
-                           TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
-                           NULL, &cprov->capability.algorithms);
-    TPM2_CHECK_RC(cprov->core, r, TPM2_ERR_CANNOT_GET_CAPABILITY, goto err3);
-
-    r = Esys_GetCapability(cprov->esys_ctx,
-                           ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
-                           TPM2_CAP_COMMANDS, 0, TPM2_MAX_CAP_CC,
-                           NULL, &cprov->capability.commands);
-    TPM2_CHECK_RC(cprov->core, r, TPM2_ERR_CANNOT_GET_CAPABILITY, goto err3);
+    LOAD_CAPABILITY(TPM2_CAP_TPM_PROPERTIES, TPM2_MAX_TPM_PROPERTIES, &cprov->capability.properties)
+    LOAD_CAPABILITY(TPM2_CAP_ALGS, TPM2_MAX_CAP_ALGS, &cprov->capability.algorithms)
+    LOAD_CAPABILITY(TPM2_CAP_COMMANDS, TPM2_MAX_CAP_CC, &cprov->capability.commands)
+    LOAD_CAPABILITY(TPM2_CAP_ECC_CURVES, TPM2_MAX_ECC_CURVES, &cprov->capability.curves)
 
     *out = tpm2_dispatch_table;
     *provctx = cprov;

diff --git a/src/tpm2-provider.h b/src/tpm2-provider.h
@@ -22,6 +22,7 @@ typedef struct {
     TPMS_CAPABILITY_DATA *properties;
     TPMS_CAPABILITY_DATA *algorithms;
     TPMS_CAPABILITY_DATA *commands;
+    TPMS_CAPABILITY_DATA *curves;
 } TPM2_CAPABILITY;
 
 struct tpm2_provider_ctx_st {
@@ -139,6 +140,9 @@ tpm2_supports_algorithm(const TPMS_CAPABILITY_DATA *caps, TPM2_ALG_ID algorithm)
 int
 tpm2_supports_command(const TPMS_CAPABILITY_DATA *caps, TPM2_CC command);
 
+int
+tpm2_supports_curve(const TPMS_CAPABILITY_DATA *caps, TPM2_ECC_CURVE curve);
+
 uint16_t
 tpm2_max_nvindex_buffer(const TPMS_CAPABILITY_DATA *caps);
 

diff --git a/test/list.sh b/test/list.sh
@@ -17,3 +17,6 @@ for command in -providers \
 do
 openssl list $command -provider tpm2 -verbose
 done
+
+# list ssl ciphers
+openssl ciphers -provider tpm2 -provider default -propquery ?provider=tpm2 -s -stdname