diff options
author | Michael Brown | 2015-08-02 17:54:24 +0200 |
---|---|---|
committer | Michael Brown | 2015-08-02 17:54:24 +0200 |
commit | b1caa48e4bb3f15e7eb749e0c3470436ebff3435 (patch) | |
tree | 8ce3bbef596e98c102585672186f3e586dd1c27e /src | |
parent | [crypto] Add ASN.1 OIDs for sha{224,384,512}WithRsaEncryption (diff) | |
download | ipxe-b1caa48e4bb3f15e7eb749e0c3470436ebff3435.tar.gz ipxe-b1caa48e4bb3f15e7eb749e0c3470436ebff3435.tar.xz ipxe-b1caa48e4bb3f15e7eb749e0c3470436ebff3435.zip |
[crypto] Support SHA-{224,384,512} in X.509 certificates
Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in
X.509 certificates, and allow the choice of public-key, cipher, and
digest algorithms to be configured at build time via config/crypto.h.
Originally-implemented-by: Tufan Karadere <tufank@gmail.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/Makefile | 2 | ||||
-rw-r--r-- | src/config/config_crypto.c | 76 | ||||
-rw-r--r-- | src/config/crypto.h | 33 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_aes_cbc_sha1.c | 48 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_aes_cbc_sha256.c | 48 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_md5.c | 51 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_sha1.c | 62 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_sha224.c | 62 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_sha256.c | 62 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_sha384.c | 62 | ||||
-rw-r--r-- | src/crypto/mishmash/rsa_sha512.c | 62 | ||||
-rw-r--r-- | src/crypto/rsa.c | 72 | ||||
-rw-r--r-- | src/crypto/x509.c | 3 | ||||
-rw-r--r-- | src/include/ipxe/rsa.h | 1 | ||||
-rw-r--r-- | src/include/ipxe/tls.h | 25 | ||||
-rw-r--r-- | src/net/tls.c | 90 |
16 files changed, 613 insertions, 146 deletions
diff --git a/src/Makefile b/src/Makefile index cf9cfd23..2a9cc9e8 100644 --- a/src/Makefile +++ b/src/Makefile @@ -89,7 +89,7 @@ SRCDIRS += interface/bofm SRCDIRS += interface/xen SRCDIRS += interface/hyperv SRCDIRS += tests -SRCDIRS += crypto crypto/axtls crypto/matrixssl +SRCDIRS += crypto crypto/mishmash SRCDIRS += hci hci/commands hci/tui SRCDIRS += hci/mucurses hci/mucurses/widgets SRCDIRS += hci/keymap diff --git a/src/config/config_crypto.c b/src/config/config_crypto.c new file mode 100644 index 00000000..1e125d8a --- /dev/null +++ b/src/config/config_crypto.c @@ -0,0 +1,76 @@ +/* + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <config/crypto.h> + +/** @file + * + * Cryptographic configuration + * + * Cryptographic configuration is slightly messy since we need to drag + * in objects based on combinations of build options. + */ + +PROVIDE_REQUIRING_SYMBOL(); + +/* RSA and MD5 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_MD5 ) +REQUIRE_OBJECT ( rsa_md5 ); +#endif + +/* RSA and SHA-1 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA1 ) +REQUIRE_OBJECT ( rsa_sha1 ); +#endif + +/* RSA and SHA-224 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA224 ) +REQUIRE_OBJECT ( rsa_sha224 ); +#endif + +/* RSA and SHA-256 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA256 ) +REQUIRE_OBJECT ( rsa_sha256 ); +#endif + +/* RSA and SHA-384 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA384 ) +REQUIRE_OBJECT ( rsa_sha384 ); +#endif + +/* RSA and SHA-512 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA512 ) +REQUIRE_OBJECT ( rsa_sha512 ); +#endif + +/* RSA, AES-CBC, and SHA-1 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \ + defined ( CRYPTO_DIGEST_SHA1 ) +REQUIRE_OBJECT ( rsa_aes_cbc_sha1 ); +#endif + +/* RSA, AES-CBC, and SHA-256 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \ + defined ( CRYPTO_DIGEST_SHA256 ) +REQUIRE_OBJECT ( rsa_aes_cbc_sha256 ); +#endif diff --git a/src/config/crypto.h b/src/config/crypto.h index 9e1f8b2f..bccfc04b 100644 --- a/src/config/crypto.h +++ b/src/config/crypto.h @@ -9,6 +9,39 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +/** RSA public-key algorithm */ +#define CRYPTO_PUBKEY_RSA + +/** AES-CBC block cipher */ +#define CRYPTO_CIPHER_AES_CBC + +/** MD5 digest algorithm + * + * Note that use of MD5 is implicit when using TLSv1.1 or earlier. + */ +#define CRYPTO_DIGEST_MD5 + +/** SHA-1 digest algorithm + * + * Note that use of SHA-1 is implicit when using TLSv1.1 or earlier. + */ +#define CRYPTO_DIGEST_SHA1 + +/** SHA-224 digest algorithm */ +#define CRYPTO_DIGEST_SHA224 + +/** SHA-256 digest algorithm + * + * Note that use of SHA-256 is implicit when using TLSv1.2. + */ +#define CRYPTO_DIGEST_SHA256 + +/** SHA-384 digest algorithm */ +#define CRYPTO_DIGEST_SHA384 + +/** SHA-512 digest algorithm */ +#define CRYPTO_DIGEST_SHA512 + /** Margin of error (in seconds) allowed in signed timestamps * * We default to allowing a reasonable margin of error: 12 hours to diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha1.c b/src/crypto/mishmash/rsa_aes_cbc_sha1.c new file mode 100644 index 00000000..06722c0e --- /dev/null +++ b/src/crypto/mishmash/rsa_aes_cbc_sha1.c @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <byteswap.h> +#include <ipxe/rsa.h> +#include <ipxe/aes.h> +#include <ipxe/sha1.h> +#include <ipxe/tls.h> + +/** TLS_RSA_WITH_AES_128_CBC_SHA cipher suite */ +struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = { + .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ), + .key_len = ( 128 / 8 ), + .pubkey = &rsa_algorithm, + .cipher = &aes_cbc_algorithm, + .digest = &sha1_algorithm, +}; + +/** TLS_RSA_WITH_AES_256_CBC_SHA cipher suite */ +struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = { + .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ), + .key_len = ( 256 / 8 ), + .pubkey = &rsa_algorithm, + .cipher = &aes_cbc_algorithm, + .digest = &sha1_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha256.c b/src/crypto/mishmash/rsa_aes_cbc_sha256.c new file mode 100644 index 00000000..c609eace --- /dev/null +++ b/src/crypto/mishmash/rsa_aes_cbc_sha256.c @@ -0,0 +1,48 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <byteswap.h> +#include <ipxe/rsa.h> +#include <ipxe/aes.h> +#include <ipxe/sha256.h> +#include <ipxe/tls.h> + +/** TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite */ +struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={ + .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ), + .key_len = ( 128 / 8 ), + .pubkey = &rsa_algorithm, + .cipher = &aes_cbc_algorithm, + .digest = &sha256_algorithm, +}; + +/** TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite */ +struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={ + .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ), + .key_len = ( 256 / 8 ), + .pubkey = &rsa_algorithm, + .cipher = &aes_cbc_algorithm, + .digest = &sha256_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_md5.c b/src/crypto/mishmash/rsa_md5.c new file mode 100644 index 00000000..ac828ac1 --- /dev/null +++ b/src/crypto/mishmash/rsa_md5.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/md5.h> +#include <ipxe/asn1.h> + +/** "md5WithRSAEncryption" object identifier */ +static uint8_t oid_md5_with_rsa_encryption[] = + { ASN1_OID_MD5WITHRSAENCRYPTION }; + +/** "md5WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "md5WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &md5_algorithm, + .oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ), +}; + +/** MD5 digestInfo prefix */ +static const uint8_t rsa_md5_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) }; + +/** MD5 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = { + .digest = &md5_algorithm, + .data = rsa_md5_prefix_data, + .len = sizeof ( rsa_md5_prefix_data ), +}; diff --git a/src/crypto/mishmash/rsa_sha1.c b/src/crypto/mishmash/rsa_sha1.c new file mode 100644 index 00000000..39424bf2 --- /dev/null +++ b/src/crypto/mishmash/rsa_sha1.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/sha1.h> +#include <ipxe/asn1.h> +#include <ipxe/tls.h> + +/** "sha1WithRSAEncryption" object identifier */ +static uint8_t oid_sha1_with_rsa_encryption[] = + { ASN1_OID_SHA1WITHRSAENCRYPTION }; + +/** "sha1WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "sha1WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &sha1_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ), +}; + +/** SHA-1 digestInfo prefix */ +static const uint8_t rsa_sha1_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) }; + +/** SHA-1 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = { + .digest = &sha1_algorithm, + .data = rsa_sha1_prefix_data, + .len = sizeof ( rsa_sha1_prefix_data ), +}; + +/** RSA with SHA-1 signature hash algorithm */ +struct tls_signature_hash_algorithm tls_rsa_sha1 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_RSA_ALGORITHM, + .hash = TLS_SHA1_ALGORITHM, + }, + .pubkey = &rsa_algorithm, + .digest = &sha1_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_sha224.c b/src/crypto/mishmash/rsa_sha224.c new file mode 100644 index 00000000..5e8755aa --- /dev/null +++ b/src/crypto/mishmash/rsa_sha224.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/sha256.h> +#include <ipxe/asn1.h> +#include <ipxe/tls.h> + +/** "sha224WithRSAEncryption" object identifier */ +static uint8_t oid_sha224_with_rsa_encryption[] = + { ASN1_OID_SHA224WITHRSAENCRYPTION }; + +/** "sha224WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm sha224_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "sha224WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &sha224_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha224_with_rsa_encryption ), +}; + +/** SHA-224 digestInfo prefix */ +static const uint8_t rsa_sha224_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( SHA224_DIGEST_SIZE, ASN1_OID_SHA224 ) }; + +/** SHA-224 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_sha224_prefix __rsa_digestinfo_prefix = { + .digest = &sha224_algorithm, + .data = rsa_sha224_prefix_data, + .len = sizeof ( rsa_sha224_prefix_data ), +}; + +/** RSA with SHA-224 signature hash algorithm */ +struct tls_signature_hash_algorithm tls_rsa_sha224 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_RSA_ALGORITHM, + .hash = TLS_SHA224_ALGORITHM, + }, + .pubkey = &rsa_algorithm, + .digest = &sha224_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_sha256.c b/src/crypto/mishmash/rsa_sha256.c new file mode 100644 index 00000000..b44af5f1 --- /dev/null +++ b/src/crypto/mishmash/rsa_sha256.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/sha256.h> +#include <ipxe/asn1.h> +#include <ipxe/tls.h> + +/** "sha256WithRSAEncryption" object identifier */ +static uint8_t oid_sha256_with_rsa_encryption[] = + { ASN1_OID_SHA256WITHRSAENCRYPTION }; + +/** "sha256WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "sha256WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &sha256_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ), +}; + +/** SHA-256 digestInfo prefix */ +static const uint8_t rsa_sha256_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) }; + +/** SHA-256 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = { + .digest = &sha256_algorithm, + .data = rsa_sha256_prefix_data, + .len = sizeof ( rsa_sha256_prefix_data ), +}; + +/** RSA with SHA-256 signature hash algorithm */ +struct tls_signature_hash_algorithm tls_rsa_sha256 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_RSA_ALGORITHM, + .hash = TLS_SHA256_ALGORITHM, + }, + .pubkey = &rsa_algorithm, + .digest = &sha256_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_sha384.c b/src/crypto/mishmash/rsa_sha384.c new file mode 100644 index 00000000..af22a2bf --- /dev/null +++ b/src/crypto/mishmash/rsa_sha384.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/sha512.h> +#include <ipxe/asn1.h> +#include <ipxe/tls.h> + +/** "sha384WithRSAEncryption" object identifier */ +static uint8_t oid_sha384_with_rsa_encryption[] = + { ASN1_OID_SHA384WITHRSAENCRYPTION }; + +/** "sha384WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm sha384_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "sha384WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &sha384_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha384_with_rsa_encryption ), +}; + +/** SHA-384 digestInfo prefix */ +static const uint8_t rsa_sha384_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( SHA384_DIGEST_SIZE, ASN1_OID_SHA384 ) }; + +/** SHA-384 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_sha384_prefix __rsa_digestinfo_prefix = { + .digest = &sha384_algorithm, + .data = rsa_sha384_prefix_data, + .len = sizeof ( rsa_sha384_prefix_data ), +}; + +/** RSA with SHA-384 signature hash algorithm */ +struct tls_signature_hash_algorithm tls_rsa_sha384 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_RSA_ALGORITHM, + .hash = TLS_SHA384_ALGORITHM, + }, + .pubkey = &rsa_algorithm, + .digest = &sha384_algorithm, +}; diff --git a/src/crypto/mishmash/rsa_sha512.c b/src/crypto/mishmash/rsa_sha512.c new file mode 100644 index 00000000..29ee1549 --- /dev/null +++ b/src/crypto/mishmash/rsa_sha512.c @@ -0,0 +1,62 @@ +/* + * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/rsa.h> +#include <ipxe/sha512.h> +#include <ipxe/asn1.h> +#include <ipxe/tls.h> + +/** "sha512WithRSAEncryption" object identifier */ +static uint8_t oid_sha512_with_rsa_encryption[] = + { ASN1_OID_SHA512WITHRSAENCRYPTION }; + +/** "sha512WithRSAEncryption" OID-identified algorithm */ +struct asn1_algorithm sha512_with_rsa_encryption_algorithm __asn1_algorithm = { + .name = "sha512WithRSAEncryption", + .pubkey = &rsa_algorithm, + .digest = &sha512_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha512_with_rsa_encryption ), +}; + +/** SHA-512 digestInfo prefix */ +static const uint8_t rsa_sha512_prefix_data[] = + { RSA_DIGESTINFO_PREFIX ( SHA512_DIGEST_SIZE, ASN1_OID_SHA512 ) }; + +/** SHA-512 digestInfo prefix */ +struct rsa_digestinfo_prefix rsa_sha512_prefix __rsa_digestinfo_prefix = { + .digest = &sha512_algorithm, + .data = rsa_sha512_prefix_data, + .len = sizeof ( rsa_sha512_prefix_data ), +}; + +/** RSA with SHA-512 signature hash algorithm */ +struct tls_signature_hash_algorithm tls_rsa_sha512 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_RSA_ALGORITHM, + .hash = TLS_SHA512_ALGORITHM, + }, + .pubkey = &rsa_algorithm, + .digest = &sha512_algorithm, +}; diff --git a/src/crypto/rsa.c b/src/crypto/rsa.c index 747f4470..36109280 100644 --- a/src/crypto/rsa.c +++ b/src/crypto/rsa.c @@ -32,9 +32,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include <ipxe/crypto.h> #include <ipxe/bigint.h> #include <ipxe/random_nz.h> -#include <ipxe/md5.h> -#include <ipxe/sha1.h> -#include <ipxe/sha256.h> #include <ipxe/rsa.h> /** @file @@ -53,18 +50,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); /** "rsaEncryption" object identifier */ static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION }; -/** "md5WithRSAEncryption" object identifier */ -static uint8_t oid_md5_with_rsa_encryption[] = - { ASN1_OID_MD5WITHRSAENCRYPTION }; - -/** "sha1WithRSAEncryption" object identifier */ -static uint8_t oid_sha1_with_rsa_encryption[] = - { ASN1_OID_SHA1WITHRSAENCRYPTION }; - -/** "sha256WithRSAEncryption" object identifier */ -static uint8_t oid_sha256_with_rsa_encryption[] = - { ASN1_OID_SHA256WITHRSAENCRYPTION }; - /** "rsaEncryption" OID-identified algorithm */ struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = { .name = "rsaEncryption", @@ -73,63 +58,6 @@ struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = { .oid = ASN1_OID_CURSOR ( oid_rsa_encryption ), }; -/** "md5WithRSAEncryption" OID-identified algorithm */ -struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = { - .name = "md5WithRSAEncryption", - .pubkey = &rsa_algorithm, - .digest = &md5_algorithm, - .oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ), -}; - -/** "sha1WithRSAEncryption" OID-identified algorithm */ -struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = { - .name = "sha1WithRSAEncryption", - .pubkey = &rsa_algorithm, - .digest = &sha1_algorithm, - .oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ), -}; - -/** "sha256WithRSAEncryption" OID-identified algorithm */ -struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = { - .name = "sha256WithRSAEncryption", - .pubkey = &rsa_algorithm, - .digest = &sha256_algorithm, - .oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ), -}; - -/** MD5 digestInfo prefix */ -static const uint8_t rsa_md5_prefix_data[] = - { RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) }; - -/** SHA-1 digestInfo prefix */ -static const uint8_t rsa_sha1_prefix_data[] = - { RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) }; - -/** SHA-256 digestInfo prefix */ -static const uint8_t rsa_sha256_prefix_data[] = - { RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) }; - -/** MD5 digestInfo prefix */ -struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = { - .digest = &md5_algorithm, - .data = rsa_md5_prefix_data, - .len = sizeof ( rsa_md5_prefix_data ), -}; - -/** SHA-1 digestInfo prefix */ -struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = { - .digest = &sha1_algorithm, - .data = rsa_sha1_prefix_data, - .len = sizeof ( rsa_sha1_prefix_data ), -}; - -/** SHA-256 digestInfo prefix */ -struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = { - .digest = &sha256_algorithm, - .data = rsa_sha256_prefix_data, - .len = sizeof ( rsa_sha256_prefix_data ), -}; - /** * Identify RSA prefix * diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 00eb226e..43a4ca17 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1771,3 +1771,6 @@ REQUIRING_SYMBOL ( x509_validate ); /* Drag in certificate store */ REQUIRE_OBJECT ( certstore ); + +/* Drag in crypto configuration */ +REQUIRE_OBJECT ( config_crypto ); diff --git a/src/include/ipxe/rsa.h b/src/include/ipxe/rsa.h index 5fe7ec4d..d947eec7 100644 --- a/src/include/ipxe/rsa.h +++ b/src/include/ipxe/rsa.h @@ -8,6 +8,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +#include <stdarg.h> #include <ipxe/crypto.h> #include <ipxe/bigint.h> #include <ipxe/asn1.h> diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index 7c500749..7d982c32 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -20,6 +20,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include <ipxe/x509.h> #include <ipxe/pending.h> #include <ipxe/iobuf.h> +#include <ipxe/tables.h> /** A TLS header */ struct tls_header { @@ -85,7 +86,10 @@ struct tls_header { /* TLS hash algorithm identifiers */ #define TLS_MD5_ALGORITHM 1 #define TLS_SHA1_ALGORITHM 2 +#define TLS_SHA224_ALGORITHM 3 #define TLS_SHA256_ALGORITHM 4 +#define TLS_SHA384_ALGORITHM 5 +#define TLS_SHA512_ALGORITHM 6 /* TLS signature algorithm identifiers */ #define TLS_RSA_ALGORITHM 1 @@ -134,6 +138,14 @@ struct tls_cipher_suite { uint16_t code; }; +/** TLS cipher suite table */ +#define TLS_CIPHER_SUITES \ + __table ( struct tls_cipher_suite, "tls_cipher_suites" ) + +/** Declare a TLS cipher suite */ +#define __tls_cipher_suite( pref ) \ + __table_entry ( TLS_CIPHER_SUITES, pref ) + /** A TLS cipher specification */ struct tls_cipherspec { /** Cipher suite */ @@ -168,6 +180,19 @@ struct tls_signature_hash_algorithm { struct tls_signature_hash_id code; }; +/** TLS signature hash algorithm table + * + * Note that the default (TLSv1.1 and earlier) algorithm using + * MD5+SHA1 is never explicitly specified. + */ +#define TLS_SIG_HASH_ALGORITHMS \ + __table ( struct tls_signature_hash_algorithm, \ + "tls_sig_hash_algorithms" ) + +/** Declare a TLS signature hash algorithm */ +#define __tls_sig_hash_algorithm \ + __table_entry ( TLS_SIG_HASH_ALGORITHMS, 01 ) + /** TLS pre-master secret */ struct tls_pre_master_secret { /** TLS version */ diff --git a/src/net/tls.c b/src/net/tls.c index 79aa5d97..db01fb29 100644 --- a/src/net/tls.c +++ b/src/net/tls.c @@ -666,41 +666,8 @@ struct tls_cipher_suite tls_cipher_suite_null = { .digest = &digest_null, }; -/** Supported cipher suites, in order of preference */ -struct tls_cipher_suite tls_cipher_suites[] = { - { - .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ), - .key_len = ( 256 / 8 ), - .pubkey = &rsa_algorithm, - .cipher = &aes_cbc_algorithm, - .digest = &sha256_algorithm, - }, - { - .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ), - .key_len = ( 128 / 8 ), - .pubkey = &rsa_algorithm, - .cipher = &aes_cbc_algorithm, - .digest = &sha256_algorithm, - }, - { - .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ), - .key_len = ( 256 / 8 ), - .pubkey = &rsa_algorithm, - .cipher = &aes_cbc_algorithm, - .digest = &sha1_algorithm, - }, - { - .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ), - .key_len = ( 128 / 8 ), - .pubkey = &rsa_algorithm, - .cipher = &aes_cbc_algorithm, - .digest = &sha1_algorithm, - }, -}; - /** Number of supported cipher suites */ -#define TLS_NUM_CIPHER_SUITES \ - ( sizeof ( tls_cipher_suites ) / sizeof ( tls_cipher_suites[0] ) ) +#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES ) /** * Identify cipher suite @@ -711,11 +678,9 @@ struct tls_cipher_suite tls_cipher_suites[] = { static struct tls_cipher_suite * tls_find_cipher_suite ( unsigned int cipher_suite ) { struct tls_cipher_suite *suite; - unsigned int i; /* Identify cipher suite */ - for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ ) { - suite = &tls_cipher_suites[i]; + for_each_table_entry ( suite, TLS_CIPHER_SUITES ) { if ( suite->code == cipher_suite ) return suite; } @@ -848,34 +813,9 @@ static int tls_change_cipher ( struct tls_session *tls, ****************************************************************************** */ -/** Supported signature and hash algorithms - * - * Note that the default (TLSv1.1 and earlier) algorithm using - * MD5+SHA1 is never explicitly specified. - */ -struct tls_signature_hash_algorithm tls_signature_hash_algorithms[] = { - { - .code = { - .signature = TLS_RSA_ALGORITHM, - .hash = TLS_SHA1_ALGORITHM, - }, - .pubkey = &rsa_algorithm, - .digest = &sha1_algorithm, - }, - { - .code = { - .signature = TLS_RSA_ALGORITHM, - .hash = TLS_SHA256_ALGORITHM, - }, - .pubkey = &rsa_algorithm, - .digest = &sha256_algorithm, - }, -}; - /** Number of supported signature and hash algorithms */ -#define TLS_NUM_SIG_HASH_ALGORITHMS \ - ( sizeof ( tls_signature_hash_algorithms ) / \ - sizeof ( tls_signature_hash_algorithms[0] ) ) +#define TLS_NUM_SIG_HASH_ALGORITHMS \ + table_num_entries ( TLS_SIG_HASH_ALGORITHMS ) /** * Find TLS signature and hash algorithm @@ -888,11 +828,9 @@ static struct tls_signature_hash_algorithm * tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey, struct digest_algorithm *digest ) { struct tls_signature_hash_algorithm *sig_hash; - unsigned int i; /* Identify signature and hash algorithm */ - for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) { - sig_hash = &tls_signature_hash_algorithms[i]; + for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) { if ( ( sig_hash->pubkey == pubkey ) && ( sig_hash->digest == digest ) ) { return sig_hash; @@ -1018,6 +956,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) { } __attribute__ (( packed )) signature_algorithms; } __attribute__ (( packed )) extensions; } __attribute__ (( packed )) hello; + struct tls_cipher_suite *suite; + struct tls_signature_hash_algorithm *sighash; unsigned int i; memset ( &hello, 0, sizeof ( hello ) ); @@ -1027,8 +967,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) { hello.version = htons ( tls->version ); memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) ); hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) ); - for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ ) - hello.cipher_suites[i] = tls_cipher_suites[i].code; + i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES ) + hello.cipher_suites[i++] = suite->code; hello.compression_methods_len = sizeof ( hello.compression_methods ); hello.extensions_len = htons ( sizeof ( hello.extensions ) ); hello.extensions.server_name_type = htons ( TLS_SERVER_NAME ); @@ -1053,10 +993,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) { = htons ( sizeof ( hello.extensions.signature_algorithms ) ); hello.extensions.signature_algorithms.len = htons ( sizeof ( hello.extensions.signature_algorithms.code)); - for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) { - hello.extensions.signature_algorithms.code[i] - = tls_signature_hash_algorithms[i].code; - } + i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS ) + hello.extensions.signature_algorithms.code[i++] = sighash->code; return tls_send_handshake ( tls, &hello, sizeof ( hello ) ); } @@ -2669,3 +2607,9 @@ int add_tls ( struct interface *xfer, const char *name, err_alloc: return rc; } + +/* Drag in objects via add_tls() */ +REQUIRING_SYMBOL ( add_tls ); + +/* Drag in crypto configuration */ +REQUIRE_OBJECT ( config_crypto ); |