[crypto] Support SHA-{224,384,512} in X.509 certificates

Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in X.509 certificates, and allow the choice of public-key, cipher, and digest algorithms to be configured at build time via config/crypto.h. Originally-implemented-by: Tufan Karadere <tufank@gmail.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-08 05:48:46 +03:00 · 2015-08-02 16:54:24 +01:00
parent 93370488ac
commit b1caa48e4b
16 changed files with 613 additions and 146 deletions
--- a/src/include/ipxe/rsa.h
+++ b/src/include/ipxe/rsa.h
@@ -8,6 +8,7 @@

 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

+#include <stdarg.h>
 #include <ipxe/crypto.h>
 #include <ipxe/bigint.h>
 #include <ipxe/asn1.h>
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -20,6 +20,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/x509.h>
 #include <ipxe/pending.h>
 #include <ipxe/iobuf.h>
+#include <ipxe/tables.h>

 /** A TLS header */
 struct tls_header {
@@ -85,7 +86,10 @@ struct tls_header {
 /* TLS hash algorithm identifiers */
 #define TLS_MD5_ALGORITHM 1
 #define TLS_SHA1_ALGORITHM 2
+#define TLS_SHA224_ALGORITHM 3
 #define TLS_SHA256_ALGORITHM 4
+#define TLS_SHA384_ALGORITHM 5
+#define TLS_SHA512_ALGORITHM 6

 /* TLS signature algorithm identifiers */
 #define TLS_RSA_ALGORITHM 1
@@ -134,6 +138,14 @@ struct tls_cipher_suite {
 	uint16_t code;
 };

+/** TLS cipher suite table */
+#define TLS_CIPHER_SUITES						\
+	__table ( struct tls_cipher_suite, "tls_cipher_suites" )
+
+/** Declare a TLS cipher suite */
+#define __tls_cipher_suite( pref )					\
+	__table_entry ( TLS_CIPHER_SUITES, pref )
+
 /** A TLS cipher specification */
 struct tls_cipherspec {
 	/** Cipher suite */
@@ -168,6 +180,19 @@ struct tls_signature_hash_algorithm {
 	struct tls_signature_hash_id code;
 };

+/** TLS signature hash algorithm table
+ *
+ * Note that the default (TLSv1.1 and earlier) algorithm using
+ * MD5+SHA1 is never explicitly specified.
+ */
+#define TLS_SIG_HASH_ALGORITHMS						\
+	__table ( struct tls_signature_hash_algorithm,			\
+		  "tls_sig_hash_algorithms" )
+
+/** Declare a TLS signature hash algorithm */
+#define __tls_sig_hash_algorithm					\
+	__table_entry ( TLS_SIG_HASH_ALGORITHMS, 01 )
+
 /** TLS pre-master secret */
 struct tls_pre_master_secret {
 	/** TLS version */