[tls] Add key exchange mechanism to definition of cipher suite

Allow for the key exchange mechanism to vary depending upon the
selected cipher suite.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

4 files changed, 48 insertions, 3 deletions

diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha1.c b/src/crypto/mishmash/rsa_aes_cbc_sha1.c
index 06722c0..04b4ce2 100644
--- a/src/crypto/mishmash/rsa_aes_cbc_sha1.c
+++ b/src/crypto/mishmash/rsa_aes_cbc_sha1.c
@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
 	.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
 	.key_len = ( 128 / 8 ),
+	.exchange = &tls_pubkey_exchange_algorithm,
 	.pubkey = &rsa_algorithm,
 	.cipher = &aes_cbc_algorithm,
 	.digest = &sha1_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
 struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = {
 	.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
 	.key_len = ( 256 / 8 ),
+	.exchange = &tls_pubkey_exchange_algorithm,
 	.pubkey = &rsa_algorithm,
 	.cipher = &aes_cbc_algorithm,
 	.digest = &sha1_algorithm,
diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha256.c b/src/crypto/mishmash/rsa_aes_cbc_sha256.c
index c609eac..1021f76 100644
--- a/src/crypto/mishmash/rsa_aes_cbc_sha256.c
+++ b/src/crypto/mishmash/rsa_aes_cbc_sha256.c
@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
 	.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
 	.key_len = ( 128 / 8 ),
+	.exchange = &tls_pubkey_exchange_algorithm,
 	.pubkey = &rsa_algorithm,
 	.cipher = &aes_cbc_algorithm,
 	.digest = &sha256_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
 struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={
 	.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
 	.key_len = ( 256 / 8 ),
+	.exchange = &tls_pubkey_exchange_algorithm,
 	.pubkey = &rsa_algorithm,
 	.cipher = &aes_cbc_algorithm,
 	.digest = &sha256_algorithm,
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 672cfbd..80cdd12 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -23,6 +23,8 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/iobuf.h>
 #include <ipxe/tables.h>
 
+struct tls_connection;
+
 /** A TLS header */
 struct tls_header {
 	/** Content type
@@ -143,8 +145,23 @@ enum tls_tx_pending {
 	TLS_TX_FINISHED = 0x0020,
 };
 
+/** A TLS key exchange algorithm */
+struct tls_key_exchange_algorithm {
+	/** Algorithm name */
+	const char *name;
+	/**
+	 * Transmit Client Key Exchange record
+	 *
+	 * @v tls		TLS connection
+	 * @ret rc		Return status code
+	 */
+	int ( * exchange ) ( struct tls_connection *tls );
+};
+
 /** A TLS cipher suite */
 struct tls_cipher_suite {
+	/** Key exchange algorithm */
+	struct tls_key_exchange_algorithm *exchange;
 	/** Public-key encryption algorithm */
 	struct pubkey_algorithm *pubkey;
 	/** Bulk encryption cipher algorithm */
@@ -385,6 +402,8 @@ struct tls_connection {
 /** RX I/O buffer alignment */
 #define TLS_RX_ALIGN 16
 
+extern struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm;
+
 extern int add_tls ( struct interface *xfer, const char *name,
 		     struct x509_root *root, struct private_key *key );
 
diff --git a/src/net/tls.c b/src/net/tls.c
index a1ffcac..b209e0d 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -734,6 +734,7 @@ static int tls_generate_keys ( struct tls_connection *tls ) {
 
 /** Null cipher suite */
 struct tls_cipher_suite tls_cipher_suite_null = {
+	.exchange = &tls_pubkey_exchange_algorithm,
 	.pubkey = &pubkey_null,
 	.cipher = &cipher_null,
 	.digest = &digest_null,
@@ -849,7 +850,8 @@ static int tls_select_cipher ( struct tls_connection *tls,
 				     suite ) ) != 0 )
 		return rc;
 
-	DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, suite->pubkey->name,
+	DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
+	       suite->exchange->name, suite->pubkey->name,
 	       suite->cipher->name, ( suite->key_len * 8 ),
 	       suite->digest->name );
 
@@ -1205,12 +1207,12 @@ static int tls_send_certificate ( struct tls_connection *tls ) {
 }
 
 /**
- * Transmit Client Key Exchange record
+ * Transmit Client Key Exchange record using public key exchange
  *
  * @v tls		TLS connection
  * @ret rc		Return status code
  */
-static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
+static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
 	struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
 	struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
 	size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
@@ -1269,6 +1271,26 @@ static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
 				    ( sizeof ( key_xchg ) - unused ) );
 }
 
+/** Public key exchange algorithm */
+struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
+	.name = "pubkey",
+	.exchange = tls_send_client_key_exchange_pubkey,
+};
+
+/**
+ * Transmit Client Key Exchange record
+ *
+ * @v tls		TLS connection
+ * @ret rc		Return status code
+ */
+static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
+	struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
+	struct tls_cipher_suite *suite = cipherspec->suite;
+
+	/* Transmit Client Key Exchange record via key exchange algorithm */
+	return suite->exchange->exchange ( tls );
+}
+
 /**
  * Transmit Certificate Verify record
  *