diff --git a/src/config/config_crypto.c b/src/config/config_crypto.c index 724b95d02..c9d04a890 100644 --- a/src/config/config_crypto.c +++ b/src/config/config_crypto.c @@ -99,6 +99,36 @@ REQUIRE_OBJECT ( oid_p256 ); REQUIRE_OBJECT ( oid_p384 ); #endif +/* FFDHE2048 */ +#if defined ( CRYPTO_GROUP_FFDHE2048 ) +REQUIRE_OBJECT ( kex_ffdhe2048 ); +#endif + +/* FFDHE3072 */ +#if defined ( CRYPTO_GROUP_FFDHE3072 ) +REQUIRE_OBJECT ( kex_ffdhe3072 ); +#endif + +/* FFDHE4096 */ +#if defined ( CRYPTO_GROUP_FFDHE4096 ) +REQUIRE_OBJECT ( kex_ffdhe4096 ); +#endif + +/* MODP2048 */ +#if defined ( CRYPTO_GROUP_MODP2048 ) +REQUIRE_OBJECT ( kex_modp2048 ); +#endif + +/* MODP3072 */ +#if defined ( CRYPTO_GROUP_MODP3072 ) +REQUIRE_OBJECT ( kex_modp3072 ); +#endif + +/* MODP4096 */ +#if defined ( CRYPTO_GROUP_MODP4096 ) +REQUIRE_OBJECT ( kex_modp4096 ); +#endif + /* AES-CBC */ #if defined ( CRYPTO_CIPHER_AES_CBC ) REQUIRE_OBJECT ( oid_aes_cbc ); diff --git a/src/config/crypto.h b/src/config/crypto.h index e28ba2777..333f59b87 100644 --- a/src/config/crypto.h +++ b/src/config/crypto.h @@ -70,6 +70,24 @@ FILE_SECBOOT ( PERMITTED ); /** P-384 elliptic curve */ #define CRYPTO_CURVE_P384 +/** FFDHE2048 finite field */ +#define CRYPTO_GROUP_FFDHE2048 + +/** FFDHE3072 finite field */ +#define CRYPTO_GROUP_FFDHE3072 + +/** FFDHE4096 finite field */ +#define CRYPTO_GROUP_FFDHE4096 + +/** MODP2048 finite field */ +#define CRYPTO_GROUP_MODP2048 + +/** MODP3072 finite field */ +#define CRYPTO_GROUP_MODP3072 + +/** MODP4096 finite field */ +#define CRYPTO_GROUP_MODP4096 + /** Margin of error (in seconds) allowed in signed timestamps * * We default to allowing a reasonable margin of error: 12 hours to diff --git a/src/crypto/mishmash/kex_ffdhe2048.c b/src/crypto/mishmash/kex_ffdhe2048.c new file mode 100644 index 000000000..a4cc383b9 --- /dev/null +++ b/src/crypto/mishmash/kex_ffdhe2048.c @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include +#include + +/** FFDHE2048 named group */ +struct tls_named_group tls_ffdhe2048_named_group __tls_named_group ( 03 ) = { + .exchange = &ffdhe2048_algorithm, + .code = htons ( TLS_NAMED_GROUP_FFDHE2048 ), +}; diff --git a/src/crypto/mishmash/kex_ffdhe3072.c b/src/crypto/mishmash/kex_ffdhe3072.c new file mode 100644 index 000000000..894b809ea --- /dev/null +++ b/src/crypto/mishmash/kex_ffdhe3072.c @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include +#include + +/** FFDHE3072 named group */ +struct tls_named_group tls_ffdhe3072_named_group __tls_named_group ( 03 ) = { + .exchange = &ffdhe3072_algorithm, + .code = htons ( TLS_NAMED_GROUP_FFDHE3072 ), +}; diff --git a/src/crypto/mishmash/kex_ffdhe4096.c b/src/crypto/mishmash/kex_ffdhe4096.c new file mode 100644 index 000000000..d34ebbf25 --- /dev/null +++ b/src/crypto/mishmash/kex_ffdhe4096.c @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include +#include + +/** FFDHE4096 named group */ +struct tls_named_group tls_ffdhe4096_named_group __tls_named_group ( 03 ) = { + .exchange = &ffdhe4096_algorithm, + .code = htons ( TLS_NAMED_GROUP_FFDHE4096 ), +}; diff --git a/src/crypto/mishmash/kex_modp2048.c b/src/crypto/mishmash/kex_modp2048.c new file mode 100644 index 000000000..9aa7226b1 --- /dev/null +++ b/src/crypto/mishmash/kex_modp2048.c @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include + +/** MODP2048 anonymous named group */ +struct tls_named_group tls_modp2048_named_group __tls_anon_named_group = { + .exchange = &modp2048_algorithm, +}; diff --git a/src/crypto/mishmash/kex_modp3072.c b/src/crypto/mishmash/kex_modp3072.c new file mode 100644 index 000000000..d67e4084c --- /dev/null +++ b/src/crypto/mishmash/kex_modp3072.c @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include + +/** MODP3072 anonymous named group */ +struct tls_named_group tls_modp3072_named_group __tls_anon_named_group = { + .exchange = &modp3072_algorithm, +}; diff --git a/src/crypto/mishmash/kex_modp4096.c b/src/crypto/mishmash/kex_modp4096.c new file mode 100644 index 000000000..306bc1339 --- /dev/null +++ b/src/crypto/mishmash/kex_modp4096.c @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2026 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +FILE_SECBOOT ( PERMITTED ); + +#include +#include + +/** MODP4096 anonymous named group */ +struct tls_named_group tls_modp4096_named_group __tls_anon_named_group = { + .exchange = &modp4096_algorithm, +}; diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index 643c71b24..18e644617 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -146,6 +146,9 @@ struct tls_header { #define TLS_NAMED_GROUP_SECP256R1 23 #define TLS_NAMED_GROUP_SECP384R1 24 #define TLS_NAMED_GROUP_X25519 29 +#define TLS_NAMED_GROUP_FFDHE2048 256 +#define TLS_NAMED_GROUP_FFDHE3072 257 +#define TLS_NAMED_GROUP_FFDHE4096 258 /* TLS signature algorithms extension */ #define TLS_SIGNATURE_ALGORITHMS 13