[crypto] Support SHA-{224,384,512} in X.509 certificates
Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in X.509 certificates, and allow the choice of public-key, cipher, and digest algorithms to be configured at build time via config/crypto.h. Originally-implemented-by: Tufan Karadere <tufank@gmail.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
parent
93370488ac
commit
b1caa48e4b
|
@ -89,7 +89,7 @@ SRCDIRS += interface/bofm
|
||||||
SRCDIRS += interface/xen
|
SRCDIRS += interface/xen
|
||||||
SRCDIRS += interface/hyperv
|
SRCDIRS += interface/hyperv
|
||||||
SRCDIRS += tests
|
SRCDIRS += tests
|
||||||
SRCDIRS += crypto crypto/axtls crypto/matrixssl
|
SRCDIRS += crypto crypto/mishmash
|
||||||
SRCDIRS += hci hci/commands hci/tui
|
SRCDIRS += hci hci/commands hci/tui
|
||||||
SRCDIRS += hci/mucurses hci/mucurses/widgets
|
SRCDIRS += hci/mucurses hci/mucurses/widgets
|
||||||
SRCDIRS += hci/keymap
|
SRCDIRS += hci/keymap
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
/*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <config/crypto.h>
|
||||||
|
|
||||||
|
/** @file
|
||||||
|
*
|
||||||
|
* Cryptographic configuration
|
||||||
|
*
|
||||||
|
* Cryptographic configuration is slightly messy since we need to drag
|
||||||
|
* in objects based on combinations of build options.
|
||||||
|
*/
|
||||||
|
|
||||||
|
PROVIDE_REQUIRING_SYMBOL();
|
||||||
|
|
||||||
|
/* RSA and MD5 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_MD5 )
|
||||||
|
REQUIRE_OBJECT ( rsa_md5 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA and SHA-1 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA1 )
|
||||||
|
REQUIRE_OBJECT ( rsa_sha1 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA and SHA-224 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA224 )
|
||||||
|
REQUIRE_OBJECT ( rsa_sha224 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA and SHA-256 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA256 )
|
||||||
|
REQUIRE_OBJECT ( rsa_sha256 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA and SHA-384 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA384 )
|
||||||
|
REQUIRE_OBJECT ( rsa_sha384 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA and SHA-512 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA512 )
|
||||||
|
REQUIRE_OBJECT ( rsa_sha512 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA, AES-CBC, and SHA-1 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \
|
||||||
|
defined ( CRYPTO_DIGEST_SHA1 )
|
||||||
|
REQUIRE_OBJECT ( rsa_aes_cbc_sha1 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* RSA, AES-CBC, and SHA-256 */
|
||||||
|
#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \
|
||||||
|
defined ( CRYPTO_DIGEST_SHA256 )
|
||||||
|
REQUIRE_OBJECT ( rsa_aes_cbc_sha256 );
|
||||||
|
#endif
|
|
@ -9,6 +9,39 @@
|
||||||
|
|
||||||
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
/** RSA public-key algorithm */
|
||||||
|
#define CRYPTO_PUBKEY_RSA
|
||||||
|
|
||||||
|
/** AES-CBC block cipher */
|
||||||
|
#define CRYPTO_CIPHER_AES_CBC
|
||||||
|
|
||||||
|
/** MD5 digest algorithm
|
||||||
|
*
|
||||||
|
* Note that use of MD5 is implicit when using TLSv1.1 or earlier.
|
||||||
|
*/
|
||||||
|
#define CRYPTO_DIGEST_MD5
|
||||||
|
|
||||||
|
/** SHA-1 digest algorithm
|
||||||
|
*
|
||||||
|
* Note that use of SHA-1 is implicit when using TLSv1.1 or earlier.
|
||||||
|
*/
|
||||||
|
#define CRYPTO_DIGEST_SHA1
|
||||||
|
|
||||||
|
/** SHA-224 digest algorithm */
|
||||||
|
#define CRYPTO_DIGEST_SHA224
|
||||||
|
|
||||||
|
/** SHA-256 digest algorithm
|
||||||
|
*
|
||||||
|
* Note that use of SHA-256 is implicit when using TLSv1.2.
|
||||||
|
*/
|
||||||
|
#define CRYPTO_DIGEST_SHA256
|
||||||
|
|
||||||
|
/** SHA-384 digest algorithm */
|
||||||
|
#define CRYPTO_DIGEST_SHA384
|
||||||
|
|
||||||
|
/** SHA-512 digest algorithm */
|
||||||
|
#define CRYPTO_DIGEST_SHA512
|
||||||
|
|
||||||
/** Margin of error (in seconds) allowed in signed timestamps
|
/** Margin of error (in seconds) allowed in signed timestamps
|
||||||
*
|
*
|
||||||
* We default to allowing a reasonable margin of error: 12 hours to
|
* We default to allowing a reasonable margin of error: 12 hours to
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <byteswap.h>
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/aes.h>
|
||||||
|
#include <ipxe/sha1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** TLS_RSA_WITH_AES_128_CBC_SHA cipher suite */
|
||||||
|
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
|
||||||
|
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
|
||||||
|
.key_len = ( 128 / 8 ),
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.cipher = &aes_cbc_algorithm,
|
||||||
|
.digest = &sha1_algorithm,
|
||||||
|
};
|
||||||
|
|
||||||
|
/** TLS_RSA_WITH_AES_256_CBC_SHA cipher suite */
|
||||||
|
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = {
|
||||||
|
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
|
||||||
|
.key_len = ( 256 / 8 ),
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.cipher = &aes_cbc_algorithm,
|
||||||
|
.digest = &sha1_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,48 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <byteswap.h>
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/aes.h>
|
||||||
|
#include <ipxe/sha256.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite */
|
||||||
|
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
|
||||||
|
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
|
||||||
|
.key_len = ( 128 / 8 ),
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.cipher = &aes_cbc_algorithm,
|
||||||
|
.digest = &sha256_algorithm,
|
||||||
|
};
|
||||||
|
|
||||||
|
/** TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite */
|
||||||
|
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={
|
||||||
|
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
|
||||||
|
.key_len = ( 256 / 8 ),
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.cipher = &aes_cbc_algorithm,
|
||||||
|
.digest = &sha256_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,51 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/md5.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
|
||||||
|
/** "md5WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_md5_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_MD5WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "md5WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "md5WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &md5_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** MD5 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_md5_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) };
|
||||||
|
|
||||||
|
/** MD5 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &md5_algorithm,
|
||||||
|
.data = rsa_md5_prefix_data,
|
||||||
|
.len = sizeof ( rsa_md5_prefix_data ),
|
||||||
|
};
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/sha1.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** "sha1WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_sha1_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_SHA1WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "sha1WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "sha1WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha1_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** SHA-1 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_sha1_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) };
|
||||||
|
|
||||||
|
/** SHA-1 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &sha1_algorithm,
|
||||||
|
.data = rsa_sha1_prefix_data,
|
||||||
|
.len = sizeof ( rsa_sha1_prefix_data ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** RSA with SHA-1 signature hash algorithm */
|
||||||
|
struct tls_signature_hash_algorithm tls_rsa_sha1 __tls_sig_hash_algorithm = {
|
||||||
|
.code = {
|
||||||
|
.signature = TLS_RSA_ALGORITHM,
|
||||||
|
.hash = TLS_SHA1_ALGORITHM,
|
||||||
|
},
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha1_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/sha256.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** "sha224WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_sha224_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_SHA224WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "sha224WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm sha224_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "sha224WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha224_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_sha224_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** SHA-224 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_sha224_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( SHA224_DIGEST_SIZE, ASN1_OID_SHA224 ) };
|
||||||
|
|
||||||
|
/** SHA-224 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_sha224_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &sha224_algorithm,
|
||||||
|
.data = rsa_sha224_prefix_data,
|
||||||
|
.len = sizeof ( rsa_sha224_prefix_data ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** RSA with SHA-224 signature hash algorithm */
|
||||||
|
struct tls_signature_hash_algorithm tls_rsa_sha224 __tls_sig_hash_algorithm = {
|
||||||
|
.code = {
|
||||||
|
.signature = TLS_RSA_ALGORITHM,
|
||||||
|
.hash = TLS_SHA224_ALGORITHM,
|
||||||
|
},
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha224_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/sha256.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** "sha256WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_sha256_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_SHA256WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "sha256WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "sha256WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha256_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** SHA-256 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_sha256_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) };
|
||||||
|
|
||||||
|
/** SHA-256 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &sha256_algorithm,
|
||||||
|
.data = rsa_sha256_prefix_data,
|
||||||
|
.len = sizeof ( rsa_sha256_prefix_data ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** RSA with SHA-256 signature hash algorithm */
|
||||||
|
struct tls_signature_hash_algorithm tls_rsa_sha256 __tls_sig_hash_algorithm = {
|
||||||
|
.code = {
|
||||||
|
.signature = TLS_RSA_ALGORITHM,
|
||||||
|
.hash = TLS_SHA256_ALGORITHM,
|
||||||
|
},
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha256_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/sha512.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** "sha384WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_sha384_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_SHA384WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "sha384WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm sha384_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "sha384WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha384_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_sha384_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** SHA-384 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_sha384_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( SHA384_DIGEST_SIZE, ASN1_OID_SHA384 ) };
|
||||||
|
|
||||||
|
/** SHA-384 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_sha384_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &sha384_algorithm,
|
||||||
|
.data = rsa_sha384_prefix_data,
|
||||||
|
.len = sizeof ( rsa_sha384_prefix_data ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** RSA with SHA-384 signature hash algorithm */
|
||||||
|
struct tls_signature_hash_algorithm tls_rsa_sha384 __tls_sig_hash_algorithm = {
|
||||||
|
.code = {
|
||||||
|
.signature = TLS_RSA_ALGORITHM,
|
||||||
|
.hash = TLS_SHA384_ALGORITHM,
|
||||||
|
},
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha384_algorithm,
|
||||||
|
};
|
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or
|
||||||
|
* modify it under the terms of the GNU General Public License as
|
||||||
|
* published by the Free Software Foundation; either version 2 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful, but
|
||||||
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
|
* General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License
|
||||||
|
* along with this program; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
||||||
|
* 02110-1301, USA.
|
||||||
|
*
|
||||||
|
* You can also choose to distribute this program under the terms of
|
||||||
|
* the Unmodified Binary Distribution Licence (as given in the file
|
||||||
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
||||||
|
*/
|
||||||
|
|
||||||
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <ipxe/rsa.h>
|
||||||
|
#include <ipxe/sha512.h>
|
||||||
|
#include <ipxe/asn1.h>
|
||||||
|
#include <ipxe/tls.h>
|
||||||
|
|
||||||
|
/** "sha512WithRSAEncryption" object identifier */
|
||||||
|
static uint8_t oid_sha512_with_rsa_encryption[] =
|
||||||
|
{ ASN1_OID_SHA512WITHRSAENCRYPTION };
|
||||||
|
|
||||||
|
/** "sha512WithRSAEncryption" OID-identified algorithm */
|
||||||
|
struct asn1_algorithm sha512_with_rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
|
.name = "sha512WithRSAEncryption",
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha512_algorithm,
|
||||||
|
.oid = ASN1_OID_CURSOR ( oid_sha512_with_rsa_encryption ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** SHA-512 digestInfo prefix */
|
||||||
|
static const uint8_t rsa_sha512_prefix_data[] =
|
||||||
|
{ RSA_DIGESTINFO_PREFIX ( SHA512_DIGEST_SIZE, ASN1_OID_SHA512 ) };
|
||||||
|
|
||||||
|
/** SHA-512 digestInfo prefix */
|
||||||
|
struct rsa_digestinfo_prefix rsa_sha512_prefix __rsa_digestinfo_prefix = {
|
||||||
|
.digest = &sha512_algorithm,
|
||||||
|
.data = rsa_sha512_prefix_data,
|
||||||
|
.len = sizeof ( rsa_sha512_prefix_data ),
|
||||||
|
};
|
||||||
|
|
||||||
|
/** RSA with SHA-512 signature hash algorithm */
|
||||||
|
struct tls_signature_hash_algorithm tls_rsa_sha512 __tls_sig_hash_algorithm = {
|
||||||
|
.code = {
|
||||||
|
.signature = TLS_RSA_ALGORITHM,
|
||||||
|
.hash = TLS_SHA512_ALGORITHM,
|
||||||
|
},
|
||||||
|
.pubkey = &rsa_algorithm,
|
||||||
|
.digest = &sha512_algorithm,
|
||||||
|
};
|
|
@ -32,9 +32,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
#include <ipxe/crypto.h>
|
#include <ipxe/crypto.h>
|
||||||
#include <ipxe/bigint.h>
|
#include <ipxe/bigint.h>
|
||||||
#include <ipxe/random_nz.h>
|
#include <ipxe/random_nz.h>
|
||||||
#include <ipxe/md5.h>
|
|
||||||
#include <ipxe/sha1.h>
|
|
||||||
#include <ipxe/sha256.h>
|
|
||||||
#include <ipxe/rsa.h>
|
#include <ipxe/rsa.h>
|
||||||
|
|
||||||
/** @file
|
/** @file
|
||||||
|
@ -53,18 +50,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
/** "rsaEncryption" object identifier */
|
/** "rsaEncryption" object identifier */
|
||||||
static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
|
static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
|
||||||
|
|
||||||
/** "md5WithRSAEncryption" object identifier */
|
|
||||||
static uint8_t oid_md5_with_rsa_encryption[] =
|
|
||||||
{ ASN1_OID_MD5WITHRSAENCRYPTION };
|
|
||||||
|
|
||||||
/** "sha1WithRSAEncryption" object identifier */
|
|
||||||
static uint8_t oid_sha1_with_rsa_encryption[] =
|
|
||||||
{ ASN1_OID_SHA1WITHRSAENCRYPTION };
|
|
||||||
|
|
||||||
/** "sha256WithRSAEncryption" object identifier */
|
|
||||||
static uint8_t oid_sha256_with_rsa_encryption[] =
|
|
||||||
{ ASN1_OID_SHA256WITHRSAENCRYPTION };
|
|
||||||
|
|
||||||
/** "rsaEncryption" OID-identified algorithm */
|
/** "rsaEncryption" OID-identified algorithm */
|
||||||
struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
|
struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
.name = "rsaEncryption",
|
.name = "rsaEncryption",
|
||||||
|
@ -73,63 +58,6 @@ struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
|
||||||
.oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
|
.oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
|
||||||
};
|
};
|
||||||
|
|
||||||
/** "md5WithRSAEncryption" OID-identified algorithm */
|
|
||||||
struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = {
|
|
||||||
.name = "md5WithRSAEncryption",
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.digest = &md5_algorithm,
|
|
||||||
.oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/** "sha1WithRSAEncryption" OID-identified algorithm */
|
|
||||||
struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = {
|
|
||||||
.name = "sha1WithRSAEncryption",
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.digest = &sha1_algorithm,
|
|
||||||
.oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/** "sha256WithRSAEncryption" OID-identified algorithm */
|
|
||||||
struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = {
|
|
||||||
.name = "sha256WithRSAEncryption",
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.digest = &sha256_algorithm,
|
|
||||||
.oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/** MD5 digestInfo prefix */
|
|
||||||
static const uint8_t rsa_md5_prefix_data[] =
|
|
||||||
{ RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) };
|
|
||||||
|
|
||||||
/** SHA-1 digestInfo prefix */
|
|
||||||
static const uint8_t rsa_sha1_prefix_data[] =
|
|
||||||
{ RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) };
|
|
||||||
|
|
||||||
/** SHA-256 digestInfo prefix */
|
|
||||||
static const uint8_t rsa_sha256_prefix_data[] =
|
|
||||||
{ RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) };
|
|
||||||
|
|
||||||
/** MD5 digestInfo prefix */
|
|
||||||
struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = {
|
|
||||||
.digest = &md5_algorithm,
|
|
||||||
.data = rsa_md5_prefix_data,
|
|
||||||
.len = sizeof ( rsa_md5_prefix_data ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/** SHA-1 digestInfo prefix */
|
|
||||||
struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = {
|
|
||||||
.digest = &sha1_algorithm,
|
|
||||||
.data = rsa_sha1_prefix_data,
|
|
||||||
.len = sizeof ( rsa_sha1_prefix_data ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/** SHA-256 digestInfo prefix */
|
|
||||||
struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = {
|
|
||||||
.digest = &sha256_algorithm,
|
|
||||||
.data = rsa_sha256_prefix_data,
|
|
||||||
.len = sizeof ( rsa_sha256_prefix_data ),
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Identify RSA prefix
|
* Identify RSA prefix
|
||||||
*
|
*
|
||||||
|
|
|
@ -1771,3 +1771,6 @@ REQUIRING_SYMBOL ( x509_validate );
|
||||||
|
|
||||||
/* Drag in certificate store */
|
/* Drag in certificate store */
|
||||||
REQUIRE_OBJECT ( certstore );
|
REQUIRE_OBJECT ( certstore );
|
||||||
|
|
||||||
|
/* Drag in crypto configuration */
|
||||||
|
REQUIRE_OBJECT ( config_crypto );
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
|
|
||||||
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
|
|
||||||
|
#include <stdarg.h>
|
||||||
#include <ipxe/crypto.h>
|
#include <ipxe/crypto.h>
|
||||||
#include <ipxe/bigint.h>
|
#include <ipxe/bigint.h>
|
||||||
#include <ipxe/asn1.h>
|
#include <ipxe/asn1.h>
|
||||||
|
|
|
@ -20,6 +20,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||||
#include <ipxe/x509.h>
|
#include <ipxe/x509.h>
|
||||||
#include <ipxe/pending.h>
|
#include <ipxe/pending.h>
|
||||||
#include <ipxe/iobuf.h>
|
#include <ipxe/iobuf.h>
|
||||||
|
#include <ipxe/tables.h>
|
||||||
|
|
||||||
/** A TLS header */
|
/** A TLS header */
|
||||||
struct tls_header {
|
struct tls_header {
|
||||||
|
@ -85,7 +86,10 @@ struct tls_header {
|
||||||
/* TLS hash algorithm identifiers */
|
/* TLS hash algorithm identifiers */
|
||||||
#define TLS_MD5_ALGORITHM 1
|
#define TLS_MD5_ALGORITHM 1
|
||||||
#define TLS_SHA1_ALGORITHM 2
|
#define TLS_SHA1_ALGORITHM 2
|
||||||
|
#define TLS_SHA224_ALGORITHM 3
|
||||||
#define TLS_SHA256_ALGORITHM 4
|
#define TLS_SHA256_ALGORITHM 4
|
||||||
|
#define TLS_SHA384_ALGORITHM 5
|
||||||
|
#define TLS_SHA512_ALGORITHM 6
|
||||||
|
|
||||||
/* TLS signature algorithm identifiers */
|
/* TLS signature algorithm identifiers */
|
||||||
#define TLS_RSA_ALGORITHM 1
|
#define TLS_RSA_ALGORITHM 1
|
||||||
|
@ -134,6 +138,14 @@ struct tls_cipher_suite {
|
||||||
uint16_t code;
|
uint16_t code;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/** TLS cipher suite table */
|
||||||
|
#define TLS_CIPHER_SUITES \
|
||||||
|
__table ( struct tls_cipher_suite, "tls_cipher_suites" )
|
||||||
|
|
||||||
|
/** Declare a TLS cipher suite */
|
||||||
|
#define __tls_cipher_suite( pref ) \
|
||||||
|
__table_entry ( TLS_CIPHER_SUITES, pref )
|
||||||
|
|
||||||
/** A TLS cipher specification */
|
/** A TLS cipher specification */
|
||||||
struct tls_cipherspec {
|
struct tls_cipherspec {
|
||||||
/** Cipher suite */
|
/** Cipher suite */
|
||||||
|
@ -168,6 +180,19 @@ struct tls_signature_hash_algorithm {
|
||||||
struct tls_signature_hash_id code;
|
struct tls_signature_hash_id code;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/** TLS signature hash algorithm table
|
||||||
|
*
|
||||||
|
* Note that the default (TLSv1.1 and earlier) algorithm using
|
||||||
|
* MD5+SHA1 is never explicitly specified.
|
||||||
|
*/
|
||||||
|
#define TLS_SIG_HASH_ALGORITHMS \
|
||||||
|
__table ( struct tls_signature_hash_algorithm, \
|
||||||
|
"tls_sig_hash_algorithms" )
|
||||||
|
|
||||||
|
/** Declare a TLS signature hash algorithm */
|
||||||
|
#define __tls_sig_hash_algorithm \
|
||||||
|
__table_entry ( TLS_SIG_HASH_ALGORITHMS, 01 )
|
||||||
|
|
||||||
/** TLS pre-master secret */
|
/** TLS pre-master secret */
|
||||||
struct tls_pre_master_secret {
|
struct tls_pre_master_secret {
|
||||||
/** TLS version */
|
/** TLS version */
|
||||||
|
|
|
@ -666,41 +666,8 @@ struct tls_cipher_suite tls_cipher_suite_null = {
|
||||||
.digest = &digest_null,
|
.digest = &digest_null,
|
||||||
};
|
};
|
||||||
|
|
||||||
/** Supported cipher suites, in order of preference */
|
|
||||||
struct tls_cipher_suite tls_cipher_suites[] = {
|
|
||||||
{
|
|
||||||
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
|
|
||||||
.key_len = ( 256 / 8 ),
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.cipher = &aes_cbc_algorithm,
|
|
||||||
.digest = &sha256_algorithm,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
|
|
||||||
.key_len = ( 128 / 8 ),
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.cipher = &aes_cbc_algorithm,
|
|
||||||
.digest = &sha256_algorithm,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
|
|
||||||
.key_len = ( 256 / 8 ),
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.cipher = &aes_cbc_algorithm,
|
|
||||||
.digest = &sha1_algorithm,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
|
|
||||||
.key_len = ( 128 / 8 ),
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.cipher = &aes_cbc_algorithm,
|
|
||||||
.digest = &sha1_algorithm,
|
|
||||||
},
|
|
||||||
};
|
|
||||||
|
|
||||||
/** Number of supported cipher suites */
|
/** Number of supported cipher suites */
|
||||||
#define TLS_NUM_CIPHER_SUITES \
|
#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
|
||||||
( sizeof ( tls_cipher_suites ) / sizeof ( tls_cipher_suites[0] ) )
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Identify cipher suite
|
* Identify cipher suite
|
||||||
|
@ -711,11 +678,9 @@ struct tls_cipher_suite tls_cipher_suites[] = {
|
||||||
static struct tls_cipher_suite *
|
static struct tls_cipher_suite *
|
||||||
tls_find_cipher_suite ( unsigned int cipher_suite ) {
|
tls_find_cipher_suite ( unsigned int cipher_suite ) {
|
||||||
struct tls_cipher_suite *suite;
|
struct tls_cipher_suite *suite;
|
||||||
unsigned int i;
|
|
||||||
|
|
||||||
/* Identify cipher suite */
|
/* Identify cipher suite */
|
||||||
for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ ) {
|
for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
|
||||||
suite = &tls_cipher_suites[i];
|
|
||||||
if ( suite->code == cipher_suite )
|
if ( suite->code == cipher_suite )
|
||||||
return suite;
|
return suite;
|
||||||
}
|
}
|
||||||
|
@ -848,34 +813,9 @@ static int tls_change_cipher ( struct tls_session *tls,
|
||||||
******************************************************************************
|
******************************************************************************
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/** Supported signature and hash algorithms
|
|
||||||
*
|
|
||||||
* Note that the default (TLSv1.1 and earlier) algorithm using
|
|
||||||
* MD5+SHA1 is never explicitly specified.
|
|
||||||
*/
|
|
||||||
struct tls_signature_hash_algorithm tls_signature_hash_algorithms[] = {
|
|
||||||
{
|
|
||||||
.code = {
|
|
||||||
.signature = TLS_RSA_ALGORITHM,
|
|
||||||
.hash = TLS_SHA1_ALGORITHM,
|
|
||||||
},
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.digest = &sha1_algorithm,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
.code = {
|
|
||||||
.signature = TLS_RSA_ALGORITHM,
|
|
||||||
.hash = TLS_SHA256_ALGORITHM,
|
|
||||||
},
|
|
||||||
.pubkey = &rsa_algorithm,
|
|
||||||
.digest = &sha256_algorithm,
|
|
||||||
},
|
|
||||||
};
|
|
||||||
|
|
||||||
/** Number of supported signature and hash algorithms */
|
/** Number of supported signature and hash algorithms */
|
||||||
#define TLS_NUM_SIG_HASH_ALGORITHMS \
|
#define TLS_NUM_SIG_HASH_ALGORITHMS \
|
||||||
( sizeof ( tls_signature_hash_algorithms ) / \
|
table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
|
||||||
sizeof ( tls_signature_hash_algorithms[0] ) )
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Find TLS signature and hash algorithm
|
* Find TLS signature and hash algorithm
|
||||||
|
@ -888,11 +828,9 @@ static struct tls_signature_hash_algorithm *
|
||||||
tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
|
tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
|
||||||
struct digest_algorithm *digest ) {
|
struct digest_algorithm *digest ) {
|
||||||
struct tls_signature_hash_algorithm *sig_hash;
|
struct tls_signature_hash_algorithm *sig_hash;
|
||||||
unsigned int i;
|
|
||||||
|
|
||||||
/* Identify signature and hash algorithm */
|
/* Identify signature and hash algorithm */
|
||||||
for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
|
for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
|
||||||
sig_hash = &tls_signature_hash_algorithms[i];
|
|
||||||
if ( ( sig_hash->pubkey == pubkey ) &&
|
if ( ( sig_hash->pubkey == pubkey ) &&
|
||||||
( sig_hash->digest == digest ) ) {
|
( sig_hash->digest == digest ) ) {
|
||||||
return sig_hash;
|
return sig_hash;
|
||||||
|
@ -1018,6 +956,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
|
||||||
} __attribute__ (( packed )) signature_algorithms;
|
} __attribute__ (( packed )) signature_algorithms;
|
||||||
} __attribute__ (( packed )) extensions;
|
} __attribute__ (( packed )) extensions;
|
||||||
} __attribute__ (( packed )) hello;
|
} __attribute__ (( packed )) hello;
|
||||||
|
struct tls_cipher_suite *suite;
|
||||||
|
struct tls_signature_hash_algorithm *sighash;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
||||||
memset ( &hello, 0, sizeof ( hello ) );
|
memset ( &hello, 0, sizeof ( hello ) );
|
||||||
|
@ -1027,8 +967,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
|
||||||
hello.version = htons ( tls->version );
|
hello.version = htons ( tls->version );
|
||||||
memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
|
memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
|
||||||
hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
|
hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
|
||||||
for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ )
|
i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
|
||||||
hello.cipher_suites[i] = tls_cipher_suites[i].code;
|
hello.cipher_suites[i++] = suite->code;
|
||||||
hello.compression_methods_len = sizeof ( hello.compression_methods );
|
hello.compression_methods_len = sizeof ( hello.compression_methods );
|
||||||
hello.extensions_len = htons ( sizeof ( hello.extensions ) );
|
hello.extensions_len = htons ( sizeof ( hello.extensions ) );
|
||||||
hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
|
hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
|
||||||
|
@ -1053,10 +993,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
|
||||||
= htons ( sizeof ( hello.extensions.signature_algorithms ) );
|
= htons ( sizeof ( hello.extensions.signature_algorithms ) );
|
||||||
hello.extensions.signature_algorithms.len
|
hello.extensions.signature_algorithms.len
|
||||||
= htons ( sizeof ( hello.extensions.signature_algorithms.code));
|
= htons ( sizeof ( hello.extensions.signature_algorithms.code));
|
||||||
for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
|
i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
|
||||||
hello.extensions.signature_algorithms.code[i]
|
hello.extensions.signature_algorithms.code[i++] = sighash->code;
|
||||||
= tls_signature_hash_algorithms[i].code;
|
|
||||||
}
|
|
||||||
|
|
||||||
return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
|
return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
|
||||||
}
|
}
|
||||||
|
@ -2669,3 +2607,9 @@ int add_tls ( struct interface *xfer, const char *name,
|
||||||
err_alloc:
|
err_alloc:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Drag in objects via add_tls() */
|
||||||
|
REQUIRING_SYMBOL ( add_tls );
|
||||||
|
|
||||||
|
/* Drag in crypto configuration */
|
||||||
|
REQUIRE_OBJECT ( config_crypto );
|
||||||
|
|
Reference in New Issue