[tls] Add ECDHE cipher suites

Add ECDHE variants of the existing cipher suites, and lower the
priority of the non-ECDHE variants.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/config/config_crypto.c

@@ -165,3 +165,33 @@ REQUIRE_OBJECT ( dhe_rsa_aes_gcm_sha256 );
     defined ( CRYPTO_CIPHER_AES_GCM ) && defined ( CRYPTO_DIGEST_SHA384 )
 REQUIRE_OBJECT ( dhe_rsa_aes_gcm_sha384 );
 #endif
+
+/* ECDHE, RSA, AES-CBC, and SHA-1 */
+#if defined ( CRYPTO_EXCHANGE_ECDHE ) && defined ( CRYPTO_PUBKEY_RSA ) && \
+    defined ( CRYPTO_CIPHER_AES_CBC ) && defined ( CRYPTO_DIGEST_SHA1 )
+REQUIRE_OBJECT ( ecdhe_rsa_aes_cbc_sha1 );
+#endif
+
+/* ECDHE, RSA, AES-CBC, and SHA-256 */
+#if defined ( CRYPTO_EXCHANGE_ECDHE ) && defined ( CRYPTO_PUBKEY_RSA ) && \
+    defined ( CRYPTO_CIPHER_AES_CBC ) && defined ( CRYPTO_DIGEST_SHA256 )
+REQUIRE_OBJECT ( ecdhe_rsa_aes_cbc_sha256 );
+#endif
+
+/* ECDHE, RSA, AES-CBC, and SHA-384 */
+#if defined ( CRYPTO_EXCHANGE_ECDHE ) && defined ( CRYPTO_PUBKEY_RSA ) && \
+    defined ( CRYPTO_CIPHER_AES_CBC ) && defined ( CRYPTO_DIGEST_SHA384 )
+REQUIRE_OBJECT ( ecdhe_rsa_aes_cbc_sha384 );
+#endif
+
+/* ECDHE, RSA, AES-GCM, and SHA-256 */
+#if defined ( CRYPTO_EXCHANGE_ECDHE ) && defined ( CRYPTO_PUBKEY_RSA ) && \
+    defined ( CRYPTO_CIPHER_AES_GCM ) && defined ( CRYPTO_DIGEST_SHA256 )
+REQUIRE_OBJECT ( ecdhe_rsa_aes_gcm_sha256 );
+#endif
+
+/* ECDHE, RSA, AES-GCM, and SHA-384 */
+#if defined ( CRYPTO_EXCHANGE_ECDHE ) && defined ( CRYPTO_PUBKEY_RSA ) && \
+    defined ( CRYPTO_CIPHER_AES_GCM ) && defined ( CRYPTO_DIGEST_SHA384 )
+REQUIRE_OBJECT ( ecdhe_rsa_aes_gcm_sha384 );
+#endif

src/config/crypto.h

@@ -18,6 +18,9 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 /** DHE key exchange algorithm */
 #define CRYPTO_EXCHANGE_DHE
 
+/** ECDHE key exchange algorithm */
+#define CRYPTO_EXCHANGE_ECDHE
+
 /** RSA public-key algorithm */
 #define CRYPTO_PUBKEY_RSA