aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorMichael Brown <mcb30@ipxe.org>2022-10-11 13:54:34 +0100
committerMichael Brown <mcb30@ipxe.org>2022-10-11 14:37:12 +0100
commitea33ea33c0d77b853c39d7b0e8c54f1a6f56b6bc (patch)
treec36d42e2c31a03ffe03bb0a646a2c0e075082abf /src
parent80c45c5c71af76e4313c37528d29aa485b247073 (diff)
downloadipxe-ea33ea33c0d77b853c39d7b0e8c54f1a6f56b6bc.zip
ipxe-ea33ea33c0d77b853c39d7b0e8c54f1a6f56b6bc.tar.gz
ipxe-ea33ea33c0d77b853c39d7b0e8c54f1a6f56b6bc.tar.bz2
[tls] Add key exchange mechanism to definition of cipher suite
Allow for the key exchange mechanism to vary depending upon the selected cipher suite. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src')
-rw-r--r--src/crypto/mishmash/rsa_aes_cbc_sha1.c2
-rw-r--r--src/crypto/mishmash/rsa_aes_cbc_sha256.c2
-rw-r--r--src/include/ipxe/tls.h19
-rw-r--r--src/net/tls.c28
4 files changed, 48 insertions, 3 deletions
diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha1.c b/src/crypto/mishmash/rsa_aes_cbc_sha1.c
index 06722c0..04b4ce2 100644
--- a/src/crypto/mishmash/rsa_aes_cbc_sha1.c
+++ b/src/crypto/mishmash/rsa_aes_cbc_sha1.c
@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
.key_len = ( 128 / 8 ),
+ .exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm,
.digest = &sha1_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = {
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
.key_len = ( 256 / 8 ),
+ .exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm,
.digest = &sha1_algorithm,
diff --git a/src/crypto/mishmash/rsa_aes_cbc_sha256.c b/src/crypto/mishmash/rsa_aes_cbc_sha256.c
index c609eac..1021f76 100644
--- a/src/crypto/mishmash/rsa_aes_cbc_sha256.c
+++ b/src/crypto/mishmash/rsa_aes_cbc_sha256.c
@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
.key_len = ( 128 / 8 ),
+ .exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm,
.digest = &sha256_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
.key_len = ( 256 / 8 ),
+ .exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm,
.digest = &sha256_algorithm,
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 672cfbd..80cdd12 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -23,6 +23,8 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/iobuf.h>
#include <ipxe/tables.h>
+struct tls_connection;
+
/** A TLS header */
struct tls_header {
/** Content type
@@ -143,8 +145,23 @@ enum tls_tx_pending {
TLS_TX_FINISHED = 0x0020,
};
+/** A TLS key exchange algorithm */
+struct tls_key_exchange_algorithm {
+ /** Algorithm name */
+ const char *name;
+ /**
+ * Transmit Client Key Exchange record
+ *
+ * @v tls TLS connection
+ * @ret rc Return status code
+ */
+ int ( * exchange ) ( struct tls_connection *tls );
+};
+
/** A TLS cipher suite */
struct tls_cipher_suite {
+ /** Key exchange algorithm */
+ struct tls_key_exchange_algorithm *exchange;
/** Public-key encryption algorithm */
struct pubkey_algorithm *pubkey;
/** Bulk encryption cipher algorithm */
@@ -385,6 +402,8 @@ struct tls_connection {
/** RX I/O buffer alignment */
#define TLS_RX_ALIGN 16
+extern struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm;
+
extern int add_tls ( struct interface *xfer, const char *name,
struct x509_root *root, struct private_key *key );
diff --git a/src/net/tls.c b/src/net/tls.c
index a1ffcac..b209e0d 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -734,6 +734,7 @@ static int tls_generate_keys ( struct tls_connection *tls ) {
/** Null cipher suite */
struct tls_cipher_suite tls_cipher_suite_null = {
+ .exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &pubkey_null,
.cipher = &cipher_null,
.digest = &digest_null,
@@ -849,7 +850,8 @@ static int tls_select_cipher ( struct tls_connection *tls,
suite ) ) != 0 )
return rc;
- DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, suite->pubkey->name,
+ DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
+ suite->exchange->name, suite->pubkey->name,
suite->cipher->name, ( suite->key_len * 8 ),
suite->digest->name );
@@ -1205,12 +1207,12 @@ static int tls_send_certificate ( struct tls_connection *tls ) {
}
/**
- * Transmit Client Key Exchange record
+ * Transmit Client Key Exchange record using public key exchange
*
* @v tls TLS connection
* @ret rc Return status code
*/
-static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
+static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
@@ -1269,6 +1271,26 @@ static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
( sizeof ( key_xchg ) - unused ) );
}
+/** Public key exchange algorithm */
+struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
+ .name = "pubkey",
+ .exchange = tls_send_client_key_exchange_pubkey,
+};
+
+/**
+ * Transmit Client Key Exchange record
+ *
+ * @v tls TLS connection
+ * @ret rc Return status code
+ */
+static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
+ struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
+ struct tls_cipher_suite *suite = cipherspec->suite;
+
+ /* Transmit Client Key Exchange record via key exchange algorithm */
+ return suite->exchange->exchange ( tls );
+}
+
/**
* Transmit Certificate Verify record
*