aboutsummaryrefslogtreecommitdiff
path: root/src/config/config_crypto.c
AgeCommit message (Collapse)AuthorFilesLines
2024-01-31[tls] Add ECDHE cipher suitesMichael Brown1-0/+30
Add ECDHE variants of the existing cipher suites, and lower the priority of the non-ECDHE variants. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2024-01-30[tls] Make key exchange algorithms selectable via build configurationMichael Brown1-8/+32
Allow the choice of key exchange algorithms to be controlled via build configuration options in config/crypto.h, as is already done for the choices of public-key algorithms, cipher algorithms, and digest algorithms. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2024-01-30[crypto] Add X25519 OID-identified algorithm and TLS named curveMichael Brown1-0/+5
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2022-11-10[tls] Add GCM cipher suitesMichael Brown1-0/+12
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-06-16[crypto] Allow algorithms to be included without being OID-identifiableMichael Brown1-0/+50
There are many ways in which the object for a cryptographic algorithm may be included, even if not explicitly enabled in config/crypto.h. For example: the MD5 algorithm is required by TLSv1.1 or earlier, by iSCSI CHAP authentication, by HTTP digest authentication, and by NTLM authentication. In the current implementation, inclusion of an algorithm for any reason will result in the algorithm's ASN.1 object identifier being included in the "asn1_algorithms" table, which consequently allows the algorithm to be used for any ASN1-identified purpose. For example: if the MD5 algorithm is included in order to support HTTP digest authentication, then iPXE would accept a (validly signed) TLS certificate using an MD5 digest. Split the ASN.1 object identifiers into separate files that are required only if explicitly enabled in config/crypto.h. This allows an algorithm to be omitted from the "asn1_algorithms" table even if the algorithm implementation is dragged in for some other purpose. The end result is that only the algorithms that are explicitly enabled in config/crypto.h can be used for ASN1-identified purposes such as signature verification. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2015-08-02[crypto] Support SHA-{224,384,512} in X.509 certificatesMichael Brown1-0/+76
Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in X.509 certificates, and allow the choice of public-key, cipher, and digest algorithms to be configured at build time via config/crypto.h. Originally-implemented-by: Tufan Karadere <tufank@gmail.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
generated by cgit v1.1 at 2024-07-17 09:34:14 +0000