diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index b32fd865..7c500749 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -101,6 +101,9 @@ struct tls_header {
 #define TLS_MAX_FRAGMENT_LENGTH_2048 3
 #define TLS_MAX_FRAGMENT_LENGTH_4096 4
 
+/* TLS signature algorithms extension */
+#define TLS_SIGNATURE_ALGORITHMS 13
+
 /** TLS RX state machine state */
 enum tls_rx_state {
 	TLS_RX_HEADER = 0,
diff --git a/src/net/tls.c b/src/net/tls.c
index 58e958b0..79aa5d97 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -854,6 +854,14 @@ static int tls_change_cipher ( struct tls_session *tls,
  * MD5+SHA1 is never explicitly specified.
  */
 struct tls_signature_hash_algorithm tls_signature_hash_algorithms[] = {
+	{
+		.code = {
+			.signature = TLS_RSA_ALGORITHM,
+			.hash = TLS_SHA1_ALGORITHM,
+		},
+		.pubkey = &rsa_algorithm,
+		.digest = &sha1_algorithm,
+	},
 	{
 		.code = {
 			.signature = TLS_RSA_ALGORITHM,
@@ -1001,6 +1009,13 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 			struct {
 				uint8_t max;
 			} __attribute__ (( packed )) max_fragment_length;
+			uint16_t signature_algorithms_type;
+			uint16_t signature_algorithms_len;
+			struct {
+				uint16_t len;
+				struct tls_signature_hash_id
+					code[TLS_NUM_SIG_HASH_ALGORITHMS];
+			} __attribute__ (( packed )) signature_algorithms;
 		} __attribute__ (( packed )) extensions;
 	} __attribute__ (( packed )) hello;
 	unsigned int i;
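Review bot: The new RSA+SHA1 entry is inserted at index 0 of tls_signature_hash_algorithms[], and because tls_send_client_hello copies the array in index order into the signature_algorithms extension, the client now advertises SHA-1 as its most-preferred signature hash. RFC 5246 §7.4.1.4.1 defines that list as descending order of preference, so a server that honours it will sign the key exchange with SHA-1 even when it could use the stronger entries that follow. Appending the entry at the end of the array instead keeps the stronger hashes first with no other code change. The remainder of the array, and the comment explaining why MD5+SHA1 is omitted, lie outside the hunk.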
@@ -1032,6 +1047,16 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
 		= htons ( sizeof ( hello.extensions.max_fragment_length ) );
 	hello.extensions.max_fragment_length.max
 		= TLS_MAX_FRAGMENT_LENGTH_4096;
+	hello.extensions.signature_algorithms_type
+		= htons ( TLS_SIGNATURE_ALGORITHMS );
+	hello.extensions.signature_algorithms_len
+		= htons ( sizeof ( hello.extensions.signature_algorithms ) );
+	hello.extensions.signature_algorithms.len
+		= htons ( sizeof ( hello.extensions.signature_algorithms.code));
+	for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
+		hello.extensions.signature_algorithms.code[i]
+			= tls_signature_hash_algorithms[i].code;
+	}
 
 	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
 }
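Review bot: The line `= htons ( sizeof ( hello.extensions.signature_algorithms.code));` drops the spaces this file puts inside every other parenthesis pair; `= htons ( sizeof ( hello.extensions.signature_algorithms.code ) );` matches the neighbouring lines. The loop bound TLS_NUM_SIG_HASH_ALGORITHMS is not defined anywhere in the patch, and the loop relies on it equalling the number of entries in tls_signature_hash_algorithms[], which this same commit grows by one in the hunk at line 854; if the bound is a literal count rather than derived from the array's size, the new entry is silently left out of the extension, and a bound larger than the array reads past its end. A comment on the loop such as `/* TLS_NUM_SIG_HASH_ALGORITHMS must track the tls_signature_hash_algorithms[] table */`, or better a compile-time check tying the two together, would make that dependency visible. The start of tls_send_client_hello is outside the hunk.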