Переглянути джерело

[crypto] Support SHA-{224,384,512} in X.509 certificates

Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in
X.509 certificates, and allow the choice of public-key, cipher, and
digest algorithms to be configured at build time via config/crypto.h.

Originally-implemented-by: Tufan Karadere <tufank@gmail.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 9 роки тому
джерело
коміт
b1caa48e4b

+ 1
- 1
src/Makefile Переглянути файл

@@ -89,7 +89,7 @@ SRCDIRS		+= interface/bofm
89 89
 SRCDIRS		+= interface/xen
90 90
 SRCDIRS		+= interface/hyperv
91 91
 SRCDIRS		+= tests
92
-SRCDIRS		+= crypto crypto/axtls crypto/matrixssl
92
+SRCDIRS		+= crypto crypto/mishmash
93 93
 SRCDIRS		+= hci hci/commands hci/tui
94 94
 SRCDIRS		+= hci/mucurses hci/mucurses/widgets
95 95
 SRCDIRS		+= hci/keymap

+ 76
- 0
src/config/config_crypto.c Переглянути файл

@@ -0,0 +1,76 @@
1
+/*
2
+ * This program is free software; you can redistribute it and/or
3
+ * modify it under the terms of the GNU General Public License as
4
+ * published by the Free Software Foundation; either version 2 of the
5
+ * License, or (at your option) any later version.
6
+ *
7
+ * This program is distributed in the hope that it will be useful, but
8
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
9
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
10
+ * General Public License for more details.
11
+ *
12
+ * You should have received a copy of the GNU General Public License
13
+ * along with this program; if not, write to the Free Software
14
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
+ * 02110-1301, USA.
16
+ *
17
+ * You can also choose to distribute this program under the terms of
18
+ * the Unmodified Binary Distribution Licence (as given in the file
19
+ * COPYING.UBDL), provided that you have satisfied its requirements.
20
+ */
21
+
22
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
23
+
24
+#include <config/crypto.h>
25
+
26
+/** @file
27
+ *
28
+ * Cryptographic configuration
29
+ *
30
+ * Cryptographic configuration is slightly messy since we need to drag
31
+ * in objects based on combinations of build options.
32
+ */
33
+
34
+PROVIDE_REQUIRING_SYMBOL();
35
+
36
+/* RSA and MD5 */
37
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_MD5 )
38
+REQUIRE_OBJECT ( rsa_md5 );
39
+#endif
40
+
41
+/* RSA and SHA-1 */
42
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA1 )
43
+REQUIRE_OBJECT ( rsa_sha1 );
44
+#endif
45
+
46
+/* RSA and SHA-224 */
47
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA224 )
48
+REQUIRE_OBJECT ( rsa_sha224 );
49
+#endif
50
+
51
+/* RSA and SHA-256 */
52
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA256 )
53
+REQUIRE_OBJECT ( rsa_sha256 );
54
+#endif
55
+
56
+/* RSA and SHA-384 */
57
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA384 )
58
+REQUIRE_OBJECT ( rsa_sha384 );
59
+#endif
60
+
61
+/* RSA and SHA-512 */
62
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA512 )
63
+REQUIRE_OBJECT ( rsa_sha512 );
64
+#endif
65
+
66
+/* RSA, AES-CBC, and SHA-1 */
67
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \
68
+    defined ( CRYPTO_DIGEST_SHA1 )
69
+REQUIRE_OBJECT ( rsa_aes_cbc_sha1 );
70
+#endif
71
+
72
+/* RSA, AES-CBC, and SHA-256 */
73
+#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \
74
+    defined ( CRYPTO_DIGEST_SHA256 )
75
+REQUIRE_OBJECT ( rsa_aes_cbc_sha256 );
76
+#endif

+ 33
- 0
src/config/crypto.h Переглянути файл

@@ -9,6 +9,39 @@
9 9
 
10 10
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
11 11
 
12
+/** RSA public-key algorithm */
13
+#define CRYPTO_PUBKEY_RSA
14
+
15
+/** AES-CBC block cipher */
16
+#define CRYPTO_CIPHER_AES_CBC
17
+
18
+/** MD5 digest algorithm
19
+ *
20
+ * Note that use of MD5 is implicit when using TLSv1.1 or earlier.
21
+ */
22
+#define CRYPTO_DIGEST_MD5
23
+
24
+/** SHA-1 digest algorithm
25
+ *
26
+ * Note that use of SHA-1 is implicit when using TLSv1.1 or earlier.
27
+ */
28
+#define CRYPTO_DIGEST_SHA1
29
+
30
+/** SHA-224 digest algorithm */
31
+#define CRYPTO_DIGEST_SHA224
32
+
33
+/** SHA-256 digest algorithm
34
+ *
35
+ * Note that use of SHA-256 is implicit when using TLSv1.2.
36
+ */
37
+#define CRYPTO_DIGEST_SHA256
38
+
39
+/** SHA-384 digest algorithm */
40
+#define CRYPTO_DIGEST_SHA384
41
+
42
+/** SHA-512 digest algorithm */
43
+#define CRYPTO_DIGEST_SHA512
44
+
12 45
 /** Margin of error (in seconds) allowed in signed timestamps
13 46
  *
14 47
  * We default to allowing a reasonable margin of error: 12 hours to

+ 48
- 0
src/crypto/mishmash/rsa_aes_cbc_sha1.c Переглянути файл

@@ -0,0 +1,48 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <byteswap.h>
27
+#include <ipxe/rsa.h>
28
+#include <ipxe/aes.h>
29
+#include <ipxe/sha1.h>
30
+#include <ipxe/tls.h>
31
+
32
+/** TLS_RSA_WITH_AES_128_CBC_SHA cipher suite */
33
+struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
34
+	.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
35
+	.key_len = ( 128 / 8 ),
36
+	.pubkey = &rsa_algorithm,
37
+	.cipher = &aes_cbc_algorithm,
38
+	.digest = &sha1_algorithm,
39
+};
40
+
41
+/** TLS_RSA_WITH_AES_256_CBC_SHA cipher suite */
42
+struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = {
43
+	.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
44
+	.key_len = ( 256 / 8 ),
45
+	.pubkey = &rsa_algorithm,
46
+	.cipher = &aes_cbc_algorithm,
47
+	.digest = &sha1_algorithm,
48
+};

+ 48
- 0
src/crypto/mishmash/rsa_aes_cbc_sha256.c Переглянути файл

@@ -0,0 +1,48 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <byteswap.h>
27
+#include <ipxe/rsa.h>
28
+#include <ipxe/aes.h>
29
+#include <ipxe/sha256.h>
30
+#include <ipxe/tls.h>
31
+
32
+/** TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite */
33
+struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
34
+	.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
35
+	.key_len = ( 128 / 8 ),
36
+	.pubkey = &rsa_algorithm,
37
+	.cipher = &aes_cbc_algorithm,
38
+	.digest = &sha256_algorithm,
39
+};
40
+
41
+/** TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite */
42
+struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={
43
+	.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
44
+	.key_len = ( 256 / 8 ),
45
+	.pubkey = &rsa_algorithm,
46
+	.cipher = &aes_cbc_algorithm,
47
+	.digest = &sha256_algorithm,
48
+};

+ 51
- 0
src/crypto/mishmash/rsa_md5.c Переглянути файл

@@ -0,0 +1,51 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/md5.h>
28
+#include <ipxe/asn1.h>
29
+
30
+/** "md5WithRSAEncryption" object identifier */
31
+static uint8_t oid_md5_with_rsa_encryption[] =
32
+	{ ASN1_OID_MD5WITHRSAENCRYPTION };
33
+
34
+/** "md5WithRSAEncryption" OID-identified algorithm */
35
+struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = {
36
+	.name = "md5WithRSAEncryption",
37
+	.pubkey = &rsa_algorithm,
38
+	.digest = &md5_algorithm,
39
+	.oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ),
40
+};
41
+
42
+/** MD5 digestInfo prefix */
43
+static const uint8_t rsa_md5_prefix_data[] =
44
+	{ RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) };
45
+
46
+/** MD5 digestInfo prefix */
47
+struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = {
48
+	.digest = &md5_algorithm,
49
+	.data = rsa_md5_prefix_data,
50
+	.len = sizeof ( rsa_md5_prefix_data ),
51
+};

+ 62
- 0
src/crypto/mishmash/rsa_sha1.c Переглянути файл

@@ -0,0 +1,62 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/sha1.h>
28
+#include <ipxe/asn1.h>
29
+#include <ipxe/tls.h>
30
+
31
+/** "sha1WithRSAEncryption" object identifier */
32
+static uint8_t oid_sha1_with_rsa_encryption[] =
33
+	{ ASN1_OID_SHA1WITHRSAENCRYPTION };
34
+
35
+/** "sha1WithRSAEncryption" OID-identified algorithm */
36
+struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = {
37
+	.name = "sha1WithRSAEncryption",
38
+	.pubkey = &rsa_algorithm,
39
+	.digest = &sha1_algorithm,
40
+	.oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ),
41
+};
42
+
43
+/** SHA-1 digestInfo prefix */
44
+static const uint8_t rsa_sha1_prefix_data[] =
45
+	{ RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) };
46
+
47
+/** SHA-1 digestInfo prefix */
48
+struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = {
49
+	.digest = &sha1_algorithm,
50
+	.data = rsa_sha1_prefix_data,
51
+	.len = sizeof ( rsa_sha1_prefix_data ),
52
+};
53
+
54
+/** RSA with SHA-1 signature hash algorithm */
55
+struct tls_signature_hash_algorithm tls_rsa_sha1 __tls_sig_hash_algorithm = {
56
+	.code = {
57
+		.signature = TLS_RSA_ALGORITHM,
58
+		.hash = TLS_SHA1_ALGORITHM,
59
+	},
60
+	.pubkey = &rsa_algorithm,
61
+	.digest = &sha1_algorithm,
62
+};

+ 62
- 0
src/crypto/mishmash/rsa_sha224.c Переглянути файл

@@ -0,0 +1,62 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/sha256.h>
28
+#include <ipxe/asn1.h>
29
+#include <ipxe/tls.h>
30
+
31
+/** "sha224WithRSAEncryption" object identifier */
32
+static uint8_t oid_sha224_with_rsa_encryption[] =
33
+	{ ASN1_OID_SHA224WITHRSAENCRYPTION };
34
+
35
+/** "sha224WithRSAEncryption" OID-identified algorithm */
36
+struct asn1_algorithm sha224_with_rsa_encryption_algorithm __asn1_algorithm = {
37
+	.name = "sha224WithRSAEncryption",
38
+	.pubkey = &rsa_algorithm,
39
+	.digest = &sha224_algorithm,
40
+	.oid = ASN1_OID_CURSOR ( oid_sha224_with_rsa_encryption ),
41
+};
42
+
43
+/** SHA-224 digestInfo prefix */
44
+static const uint8_t rsa_sha224_prefix_data[] =
45
+	{ RSA_DIGESTINFO_PREFIX ( SHA224_DIGEST_SIZE, ASN1_OID_SHA224 ) };
46
+
47
+/** SHA-224 digestInfo prefix */
48
+struct rsa_digestinfo_prefix rsa_sha224_prefix __rsa_digestinfo_prefix = {
49
+	.digest = &sha224_algorithm,
50
+	.data = rsa_sha224_prefix_data,
51
+	.len = sizeof ( rsa_sha224_prefix_data ),
52
+};
53
+
54
+/** RSA with SHA-224 signature hash algorithm */
55
+struct tls_signature_hash_algorithm tls_rsa_sha224 __tls_sig_hash_algorithm = {
56
+	.code = {
57
+		.signature = TLS_RSA_ALGORITHM,
58
+		.hash = TLS_SHA224_ALGORITHM,
59
+	},
60
+	.pubkey = &rsa_algorithm,
61
+	.digest = &sha224_algorithm,
62
+};

+ 62
- 0
src/crypto/mishmash/rsa_sha256.c Переглянути файл

@@ -0,0 +1,62 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/sha256.h>
28
+#include <ipxe/asn1.h>
29
+#include <ipxe/tls.h>
30
+
31
+/** "sha256WithRSAEncryption" object identifier */
32
+static uint8_t oid_sha256_with_rsa_encryption[] =
33
+	{ ASN1_OID_SHA256WITHRSAENCRYPTION };
34
+
35
+/** "sha256WithRSAEncryption" OID-identified algorithm */
36
+struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = {
37
+	.name = "sha256WithRSAEncryption",
38
+	.pubkey = &rsa_algorithm,
39
+	.digest = &sha256_algorithm,
40
+	.oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ),
41
+};
42
+
43
+/** SHA-256 digestInfo prefix */
44
+static const uint8_t rsa_sha256_prefix_data[] =
45
+	{ RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) };
46
+
47
+/** SHA-256 digestInfo prefix */
48
+struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = {
49
+	.digest = &sha256_algorithm,
50
+	.data = rsa_sha256_prefix_data,
51
+	.len = sizeof ( rsa_sha256_prefix_data ),
52
+};
53
+
54
+/** RSA with SHA-256 signature hash algorithm */
55
+struct tls_signature_hash_algorithm tls_rsa_sha256 __tls_sig_hash_algorithm = {
56
+	.code = {
57
+		.signature = TLS_RSA_ALGORITHM,
58
+		.hash = TLS_SHA256_ALGORITHM,
59
+	},
60
+	.pubkey = &rsa_algorithm,
61
+	.digest = &sha256_algorithm,
62
+};

+ 62
- 0
src/crypto/mishmash/rsa_sha384.c Переглянути файл

@@ -0,0 +1,62 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/sha512.h>
28
+#include <ipxe/asn1.h>
29
+#include <ipxe/tls.h>
30
+
31
+/** "sha384WithRSAEncryption" object identifier */
32
+static uint8_t oid_sha384_with_rsa_encryption[] =
33
+	{ ASN1_OID_SHA384WITHRSAENCRYPTION };
34
+
35
+/** "sha384WithRSAEncryption" OID-identified algorithm */
36
+struct asn1_algorithm sha384_with_rsa_encryption_algorithm __asn1_algorithm = {
37
+	.name = "sha384WithRSAEncryption",
38
+	.pubkey = &rsa_algorithm,
39
+	.digest = &sha384_algorithm,
40
+	.oid = ASN1_OID_CURSOR ( oid_sha384_with_rsa_encryption ),
41
+};
42
+
43
+/** SHA-384 digestInfo prefix */
44
+static const uint8_t rsa_sha384_prefix_data[] =
45
+	{ RSA_DIGESTINFO_PREFIX ( SHA384_DIGEST_SIZE, ASN1_OID_SHA384 ) };
46
+
47
+/** SHA-384 digestInfo prefix */
48
+struct rsa_digestinfo_prefix rsa_sha384_prefix __rsa_digestinfo_prefix = {
49
+	.digest = &sha384_algorithm,
50
+	.data = rsa_sha384_prefix_data,
51
+	.len = sizeof ( rsa_sha384_prefix_data ),
52
+};
53
+
54
+/** RSA with SHA-384 signature hash algorithm */
55
+struct tls_signature_hash_algorithm tls_rsa_sha384 __tls_sig_hash_algorithm = {
56
+	.code = {
57
+		.signature = TLS_RSA_ALGORITHM,
58
+		.hash = TLS_SHA384_ALGORITHM,
59
+	},
60
+	.pubkey = &rsa_algorithm,
61
+	.digest = &sha384_algorithm,
62
+};

+ 62
- 0
src/crypto/mishmash/rsa_sha512.c Переглянути файл

@@ -0,0 +1,62 @@
1
+/*
2
+ * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or (at your option) any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+#include <ipxe/rsa.h>
27
+#include <ipxe/sha512.h>
28
+#include <ipxe/asn1.h>
29
+#include <ipxe/tls.h>
30
+
31
+/** "sha512WithRSAEncryption" object identifier */
32
+static uint8_t oid_sha512_with_rsa_encryption[] =
33
+	{ ASN1_OID_SHA512WITHRSAENCRYPTION };
34
+
35
+/** "sha512WithRSAEncryption" OID-identified algorithm */
36
+struct asn1_algorithm sha512_with_rsa_encryption_algorithm __asn1_algorithm = {
37
+	.name = "sha512WithRSAEncryption",
38
+	.pubkey = &rsa_algorithm,
39
+	.digest = &sha512_algorithm,
40
+	.oid = ASN1_OID_CURSOR ( oid_sha512_with_rsa_encryption ),
41
+};
42
+
43
+/** SHA-512 digestInfo prefix */
44
+static const uint8_t rsa_sha512_prefix_data[] =
45
+	{ RSA_DIGESTINFO_PREFIX ( SHA512_DIGEST_SIZE, ASN1_OID_SHA512 ) };
46
+
47
+/** SHA-512 digestInfo prefix */
48
+struct rsa_digestinfo_prefix rsa_sha512_prefix __rsa_digestinfo_prefix = {
49
+	.digest = &sha512_algorithm,
50
+	.data = rsa_sha512_prefix_data,
51
+	.len = sizeof ( rsa_sha512_prefix_data ),
52
+};
53
+
54
+/** RSA with SHA-512 signature hash algorithm */
55
+struct tls_signature_hash_algorithm tls_rsa_sha512 __tls_sig_hash_algorithm = {
56
+	.code = {
57
+		.signature = TLS_RSA_ALGORITHM,
58
+		.hash = TLS_SHA512_ALGORITHM,
59
+	},
60
+	.pubkey = &rsa_algorithm,
61
+	.digest = &sha512_algorithm,
62
+};

+ 0
- 72
src/crypto/rsa.c Переглянути файл

@@ -32,9 +32,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
32 32
 #include <ipxe/crypto.h>
33 33
 #include <ipxe/bigint.h>
34 34
 #include <ipxe/random_nz.h>
35
-#include <ipxe/md5.h>
36
-#include <ipxe/sha1.h>
37
-#include <ipxe/sha256.h>
38 35
 #include <ipxe/rsa.h>
39 36
 
40 37
 /** @file
@@ -53,18 +50,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
53 50
 /** "rsaEncryption" object identifier */
54 51
 static uint8_t oid_rsa_encryption[] = { ASN1_OID_RSAENCRYPTION };
55 52
 
56
-/** "md5WithRSAEncryption" object identifier */
57
-static uint8_t oid_md5_with_rsa_encryption[] =
58
-	{ ASN1_OID_MD5WITHRSAENCRYPTION };
59
-
60
-/** "sha1WithRSAEncryption" object identifier */
61
-static uint8_t oid_sha1_with_rsa_encryption[] =
62
-	{ ASN1_OID_SHA1WITHRSAENCRYPTION };
63
-
64
-/** "sha256WithRSAEncryption" object identifier */
65
-static uint8_t oid_sha256_with_rsa_encryption[] =
66
-	{ ASN1_OID_SHA256WITHRSAENCRYPTION };
67
-
68 53
 /** "rsaEncryption" OID-identified algorithm */
69 54
 struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
70 55
 	.name = "rsaEncryption",
@@ -73,63 +58,6 @@ struct asn1_algorithm rsa_encryption_algorithm __asn1_algorithm = {
73 58
 	.oid = ASN1_OID_CURSOR ( oid_rsa_encryption ),
74 59
 };
75 60
 
76
-/** "md5WithRSAEncryption" OID-identified algorithm */
77
-struct asn1_algorithm md5_with_rsa_encryption_algorithm __asn1_algorithm = {
78
-	.name = "md5WithRSAEncryption",
79
-	.pubkey = &rsa_algorithm,
80
-	.digest = &md5_algorithm,
81
-	.oid = ASN1_OID_CURSOR ( oid_md5_with_rsa_encryption ),
82
-};
83
-
84
-/** "sha1WithRSAEncryption" OID-identified algorithm */
85
-struct asn1_algorithm sha1_with_rsa_encryption_algorithm __asn1_algorithm = {
86
-	.name = "sha1WithRSAEncryption",
87
-	.pubkey = &rsa_algorithm,
88
-	.digest = &sha1_algorithm,
89
-	.oid = ASN1_OID_CURSOR ( oid_sha1_with_rsa_encryption ),
90
-};
91
-
92
-/** "sha256WithRSAEncryption" OID-identified algorithm */
93
-struct asn1_algorithm sha256_with_rsa_encryption_algorithm __asn1_algorithm = {
94
-	.name = "sha256WithRSAEncryption",
95
-	.pubkey = &rsa_algorithm,
96
-	.digest = &sha256_algorithm,
97
-	.oid = ASN1_OID_CURSOR ( oid_sha256_with_rsa_encryption ),
98
-};
99
-
100
-/** MD5 digestInfo prefix */
101
-static const uint8_t rsa_md5_prefix_data[] =
102
-	{ RSA_DIGESTINFO_PREFIX ( MD5_DIGEST_SIZE, ASN1_OID_MD5 ) };
103
-
104
-/** SHA-1 digestInfo prefix */
105
-static const uint8_t rsa_sha1_prefix_data[] =
106
-	{ RSA_DIGESTINFO_PREFIX ( SHA1_DIGEST_SIZE, ASN1_OID_SHA1 ) };
107
-
108
-/** SHA-256 digestInfo prefix */
109
-static const uint8_t rsa_sha256_prefix_data[] =
110
-	{ RSA_DIGESTINFO_PREFIX ( SHA256_DIGEST_SIZE, ASN1_OID_SHA256 ) };
111
-
112
-/** MD5 digestInfo prefix */
113
-struct rsa_digestinfo_prefix rsa_md5_prefix __rsa_digestinfo_prefix = {
114
-	.digest = &md5_algorithm,
115
-	.data = rsa_md5_prefix_data,
116
-	.len = sizeof ( rsa_md5_prefix_data ),
117
-};
118
-
119
-/** SHA-1 digestInfo prefix */
120
-struct rsa_digestinfo_prefix rsa_sha1_prefix __rsa_digestinfo_prefix = {
121
-	.digest = &sha1_algorithm,
122
-	.data = rsa_sha1_prefix_data,
123
-	.len = sizeof ( rsa_sha1_prefix_data ),
124
-};
125
-
126
-/** SHA-256 digestInfo prefix */
127
-struct rsa_digestinfo_prefix rsa_sha256_prefix __rsa_digestinfo_prefix = {
128
-	.digest = &sha256_algorithm,
129
-	.data = rsa_sha256_prefix_data,
130
-	.len = sizeof ( rsa_sha256_prefix_data ),
131
-};
132
-
133 61
 /**
134 62
  * Identify RSA prefix
135 63
  *

+ 3
- 0
src/crypto/x509.c Переглянути файл

@@ -1771,3 +1771,6 @@ REQUIRING_SYMBOL ( x509_validate );
1771 1771
 
1772 1772
 /* Drag in certificate store */
1773 1773
 REQUIRE_OBJECT ( certstore );
1774
+
1775
+/* Drag in crypto configuration */
1776
+REQUIRE_OBJECT ( config_crypto );

+ 1
- 0
src/include/ipxe/rsa.h Переглянути файл

@@ -8,6 +8,7 @@
8 8
 
9 9
 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
10 10
 
11
+#include <stdarg.h>
11 12
 #include <ipxe/crypto.h>
12 13
 #include <ipxe/bigint.h>
13 14
 #include <ipxe/asn1.h>

+ 25
- 0
src/include/ipxe/tls.h Переглянути файл

@@ -20,6 +20,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
20 20
 #include <ipxe/x509.h>
21 21
 #include <ipxe/pending.h>
22 22
 #include <ipxe/iobuf.h>
23
+#include <ipxe/tables.h>
23 24
 
24 25
 /** A TLS header */
25 26
 struct tls_header {
@@ -85,7 +86,10 @@ struct tls_header {
85 86
 /* TLS hash algorithm identifiers */
86 87
 #define TLS_MD5_ALGORITHM 1
87 88
 #define TLS_SHA1_ALGORITHM 2
89
+#define TLS_SHA224_ALGORITHM 3
88 90
 #define TLS_SHA256_ALGORITHM 4
91
+#define TLS_SHA384_ALGORITHM 5
92
+#define TLS_SHA512_ALGORITHM 6
89 93
 
90 94
 /* TLS signature algorithm identifiers */
91 95
 #define TLS_RSA_ALGORITHM 1
@@ -134,6 +138,14 @@ struct tls_cipher_suite {
134 138
 	uint16_t code;
135 139
 };
136 140
 
141
+/** TLS cipher suite table */
142
+#define TLS_CIPHER_SUITES						\
143
+	__table ( struct tls_cipher_suite, "tls_cipher_suites" )
144
+
145
+/** Declare a TLS cipher suite */
146
+#define __tls_cipher_suite( pref )					\
147
+	__table_entry ( TLS_CIPHER_SUITES, pref )
148
+
137 149
 /** A TLS cipher specification */
138 150
 struct tls_cipherspec {
139 151
 	/** Cipher suite */
@@ -168,6 +180,19 @@ struct tls_signature_hash_algorithm {
168 180
 	struct tls_signature_hash_id code;
169 181
 };
170 182
 
183
+/** TLS signature hash algorithm table
184
+ *
185
+ * Note that the default (TLSv1.1 and earlier) algorithm using
186
+ * MD5+SHA1 is never explicitly specified.
187
+ */
188
+#define TLS_SIG_HASH_ALGORITHMS						\
189
+	__table ( struct tls_signature_hash_algorithm,			\
190
+		  "tls_sig_hash_algorithms" )
191
+
192
+/** Declare a TLS signature hash algorithm */
193
+#define __tls_sig_hash_algorithm					\
194
+	__table_entry ( TLS_SIG_HASH_ALGORITHMS, 01 )
195
+
171 196
 /** TLS pre-master secret */
172 197
 struct tls_pre_master_secret {
173 198
 	/** TLS version */

+ 17
- 73
src/net/tls.c Переглянути файл

@@ -666,41 +666,8 @@ struct tls_cipher_suite tls_cipher_suite_null = {
666 666
 	.digest = &digest_null,
667 667
 };
668 668
 
669
-/** Supported cipher suites, in order of preference */
670
-struct tls_cipher_suite tls_cipher_suites[] = {
671
-	{
672
-		.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
673
-		.key_len = ( 256 / 8 ),
674
-		.pubkey = &rsa_algorithm,
675
-		.cipher = &aes_cbc_algorithm,
676
-		.digest = &sha256_algorithm,
677
-	},
678
-	{
679
-		.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
680
-		.key_len = ( 128 / 8 ),
681
-		.pubkey = &rsa_algorithm,
682
-		.cipher = &aes_cbc_algorithm,
683
-		.digest = &sha256_algorithm,
684
-	},
685
-	{
686
-		.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
687
-		.key_len = ( 256 / 8 ),
688
-		.pubkey = &rsa_algorithm,
689
-		.cipher = &aes_cbc_algorithm,
690
-		.digest = &sha1_algorithm,
691
-	},
692
-	{
693
-		.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
694
-		.key_len = ( 128 / 8 ),
695
-		.pubkey = &rsa_algorithm,
696
-		.cipher = &aes_cbc_algorithm,
697
-		.digest = &sha1_algorithm,
698
-	},
699
-};
700
-
701 669
 /** Number of supported cipher suites */
702
-#define TLS_NUM_CIPHER_SUITES \
703
-	( sizeof ( tls_cipher_suites ) / sizeof ( tls_cipher_suites[0] ) )
670
+#define TLS_NUM_CIPHER_SUITES table_num_entries ( TLS_CIPHER_SUITES )
704 671
 
705 672
 /**
706 673
  * Identify cipher suite
@@ -711,11 +678,9 @@ struct tls_cipher_suite tls_cipher_suites[] = {
711 678
 static struct tls_cipher_suite *
712 679
 tls_find_cipher_suite ( unsigned int cipher_suite ) {
713 680
 	struct tls_cipher_suite *suite;
714
-	unsigned int i;
715 681
 
716 682
 	/* Identify cipher suite */
717
-	for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ ) {
718
-		suite = &tls_cipher_suites[i];
683
+	for_each_table_entry ( suite, TLS_CIPHER_SUITES ) {
719 684
 		if ( suite->code == cipher_suite )
720 685
 			return suite;
721 686
 	}
@@ -848,34 +813,9 @@ static int tls_change_cipher ( struct tls_session *tls,
848 813
  ******************************************************************************
849 814
  */
850 815
 
851
-/** Supported signature and hash algorithms
852
- *
853
- * Note that the default (TLSv1.1 and earlier) algorithm using
854
- * MD5+SHA1 is never explicitly specified.
855
- */
856
-struct tls_signature_hash_algorithm tls_signature_hash_algorithms[] = {
857
-	{
858
-		.code = {
859
-			.signature = TLS_RSA_ALGORITHM,
860
-			.hash = TLS_SHA1_ALGORITHM,
861
-		},
862
-		.pubkey = &rsa_algorithm,
863
-		.digest = &sha1_algorithm,
864
-	},
865
-	{
866
-		.code = {
867
-			.signature = TLS_RSA_ALGORITHM,
868
-			.hash = TLS_SHA256_ALGORITHM,
869
-		},
870
-		.pubkey = &rsa_algorithm,
871
-		.digest = &sha256_algorithm,
872
-	},
873
-};
874
-
875 816
 /** Number of supported signature and hash algorithms */
876
-#define TLS_NUM_SIG_HASH_ALGORITHMS			\
877
-	( sizeof ( tls_signature_hash_algorithms ) /	\
878
-	  sizeof ( tls_signature_hash_algorithms[0] ) )
817
+#define TLS_NUM_SIG_HASH_ALGORITHMS \
818
+	table_num_entries ( TLS_SIG_HASH_ALGORITHMS )
879 819
 
880 820
 /**
881 821
  * Find TLS signature and hash algorithm
@@ -888,11 +828,9 @@ static struct tls_signature_hash_algorithm *
888 828
 tls_signature_hash_algorithm ( struct pubkey_algorithm *pubkey,
889 829
 			       struct digest_algorithm *digest ) {
890 830
 	struct tls_signature_hash_algorithm *sig_hash;
891
-	unsigned int i;
892 831
 
893 832
 	/* Identify signature and hash algorithm */
894
-	for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
895
-		sig_hash = &tls_signature_hash_algorithms[i];
833
+	for_each_table_entry ( sig_hash, TLS_SIG_HASH_ALGORITHMS ) {
896 834
 		if ( ( sig_hash->pubkey == pubkey ) &&
897 835
 		     ( sig_hash->digest == digest ) ) {
898 836
 			return sig_hash;
@@ -1018,6 +956,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
1018 956
 			} __attribute__ (( packed )) signature_algorithms;
1019 957
 		} __attribute__ (( packed )) extensions;
1020 958
 	} __attribute__ (( packed )) hello;
959
+	struct tls_cipher_suite *suite;
960
+	struct tls_signature_hash_algorithm *sighash;
1021 961
 	unsigned int i;
1022 962
 
1023 963
 	memset ( &hello, 0, sizeof ( hello ) );
@@ -1027,8 +967,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
1027 967
 	hello.version = htons ( tls->version );
1028 968
 	memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
1029 969
 	hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
1030
-	for ( i = 0 ; i < TLS_NUM_CIPHER_SUITES ; i++ )
1031
-		hello.cipher_suites[i] = tls_cipher_suites[i].code;
970
+	i = 0 ; for_each_table_entry ( suite, TLS_CIPHER_SUITES )
971
+		hello.cipher_suites[i++] = suite->code;
1032 972
 	hello.compression_methods_len = sizeof ( hello.compression_methods );
1033 973
 	hello.extensions_len = htons ( sizeof ( hello.extensions ) );
1034 974
 	hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );
@@ -1053,10 +993,8 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
1053 993
 		= htons ( sizeof ( hello.extensions.signature_algorithms ) );
1054 994
 	hello.extensions.signature_algorithms.len
1055 995
 		= htons ( sizeof ( hello.extensions.signature_algorithms.code));
1056
-	for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
1057
-		hello.extensions.signature_algorithms.code[i]
1058
-			= tls_signature_hash_algorithms[i].code;
1059
-	}
996
+	i = 0 ; for_each_table_entry ( sighash, TLS_SIG_HASH_ALGORITHMS )
997
+		hello.extensions.signature_algorithms.code[i++] = sighash->code;
1060 998
 
1061 999
 	return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
1062 1000
 }
@@ -2669,3 +2607,9 @@ int add_tls ( struct interface *xfer, const char *name,
2669 2607
  err_alloc:
2670 2608
 	return rc;
2671 2609
 }
2610
+
2611
+/* Drag in objects via add_tls() */
2612
+REQUIRING_SYMBOL ( add_tls );
2613
+
2614
+/* Drag in crypto configuration */
2615
+REQUIRE_OBJECT ( config_crypto );

Завантаження…
Відмінити
Зберегти