sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2025-12-14 16:01:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

[tls] Add key exchange mechanism to definition of cipher suite

Browse Source 
Allow for the key exchange mechanism to vary depending upon the
selected cipher suite.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2022-10-11 13:54:34 +01:00
parent 80c45c5c71
commit ea33ea33c0
4 changed files with 48 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/crypto/mishmash/rsa_aes_cbc_sha1.c
View File

@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = { struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ), .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ),
.key_len = ( 128 / 8 ), .key_len = ( 128 / 8 ),
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm, .pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm, .cipher = &aes_cbc_algorithm,
.digest = &sha1_algorithm, .digest = &sha1_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha __tls_cipher_suite (03) = {
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = { struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha __tls_cipher_suite (04) = {
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ), .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ),
.key_len = ( 256 / 8 ), .key_len = ( 256 / 8 ),
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm, .pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm, .cipher = &aes_cbc_algorithm,
.digest = &sha1_algorithm, .digest = &sha1_algorithm,

2
src/crypto/mishmash/rsa_aes_cbc_sha256.c
View File

@@ -33,6 +33,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
.code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ), .code = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ),
.key_len = ( 128 / 8 ), .key_len = ( 128 / 8 ),
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm, .pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm, .cipher = &aes_cbc_algorithm,
.digest = &sha256_algorithm, .digest = &sha256_algorithm,
@@ -42,6 +43,7 @@ struct tls_cipher_suite tls_rsa_with_aes_128_cbc_sha256 __tls_cipher_suite(01)={
struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={ struct tls_cipher_suite tls_rsa_with_aes_256_cbc_sha256 __tls_cipher_suite(02)={
.code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ), .code = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ),
.key_len = ( 256 / 8 ), .key_len = ( 256 / 8 ),
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &rsa_algorithm, .pubkey = &rsa_algorithm,
.cipher = &aes_cbc_algorithm, .cipher = &aes_cbc_algorithm,
.digest = &sha256_algorithm, .digest = &sha256_algorithm,

19
src/include/ipxe/tls.h
View File

@@ -23,6 +23,8 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/iobuf.h> #include <ipxe/iobuf.h>
#include <ipxe/tables.h> #include <ipxe/tables.h>
struct tls_connection;
/** A TLS header */ /** A TLS header */
struct tls_header { struct tls_header {
/** Content type /** Content type
@@ -143,8 +145,23 @@ enum tls_tx_pending {
TLS_TX_FINISHED = 0x0020, TLS_TX_FINISHED = 0x0020,
}; };
/** A TLS key exchange algorithm */
struct tls_key_exchange_algorithm {
/** Algorithm name */
const char *name;
/**
* Transmit Client Key Exchange record
*
* @v tls TLS connection
* @ret rc Return status code
*/
int ( * exchange ) ( struct tls_connection *tls );
};
/** A TLS cipher suite */ /** A TLS cipher suite */
struct tls_cipher_suite { struct tls_cipher_suite {
/** Key exchange algorithm */
struct tls_key_exchange_algorithm *exchange;
/** Public-key encryption algorithm */ /** Public-key encryption algorithm */
struct pubkey_algorithm *pubkey; struct pubkey_algorithm *pubkey;
/** Bulk encryption cipher algorithm */ /** Bulk encryption cipher algorithm */
@@ -385,6 +402,8 @@ struct tls_connection {
/** RX I/O buffer alignment */ /** RX I/O buffer alignment */
#define TLS_RX_ALIGN 16 #define TLS_RX_ALIGN 16
extern struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm;
extern int add_tls ( struct interface *xfer, const char *name, extern int add_tls ( struct interface *xfer, const char *name,
struct x509_root *root, struct private_key *key ); struct x509_root *root, struct private_key *key );

28
src/net/tls.c
View File

@@ -734,6 +734,7 @@ static int tls_generate_keys ( struct tls_connection *tls ) {
/** Null cipher suite */ /** Null cipher suite */
struct tls_cipher_suite tls_cipher_suite_null = { struct tls_cipher_suite tls_cipher_suite_null = {
.exchange = &tls_pubkey_exchange_algorithm,
.pubkey = &pubkey_null, .pubkey = &pubkey_null,
.cipher = &cipher_null, .cipher = &cipher_null,
.digest = &digest_null, .digest = &digest_null,
@@ -849,7 +850,8 @@ static int tls_select_cipher ( struct tls_connection *tls,
suite ) ) != 0 ) suite ) ) != 0 )
return rc; return rc;
DBGC ( tls, "TLS %p selected %s-%s-%d-%s\n", tls, suite->pubkey->name, DBGC ( tls, "TLS %p selected %s-%s-%s-%d-%s\n", tls,
suite->exchange->name, suite->pubkey->name,
suite->cipher->name, ( suite->key_len * 8 ), suite->cipher->name, ( suite->key_len * 8 ),
suite->digest->name ); suite->digest->name );
@@ -1205,12 +1207,12 @@ static int tls_send_certificate ( struct tls_connection *tls ) {
} }
/** /**
* Transmit Client Key Exchange record * Transmit Client Key Exchange record using public key exchange
* *
* @v tls TLS connection * @v tls TLS connection
* @ret rc Return status code * @ret rc Return status code
*/ */
static int tls_send_client_key_exchange ( struct tls_connection *tls ) { static int tls_send_client_key_exchange_pubkey ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending; struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey; struct pubkey_algorithm *pubkey = cipherspec->suite->pubkey;
size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx ); size_t max_len = pubkey_max_len ( pubkey, cipherspec->pubkey_ctx );
@@ -1269,6 +1271,26 @@ static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
( sizeof ( key_xchg ) - unused ) ); ( sizeof ( key_xchg ) - unused ) );
} }
/** Public key exchange algorithm */
struct tls_key_exchange_algorithm tls_pubkey_exchange_algorithm = {
.name = "pubkey",
.exchange = tls_send_client_key_exchange_pubkey,
};
/**
* Transmit Client Key Exchange record
*
* @v tls TLS connection
* @ret rc Return status code
*/
static int tls_send_client_key_exchange ( struct tls_connection *tls ) {
struct tls_cipherspec *cipherspec = &tls->tx_cipherspec_pending;
struct tls_cipher_suite *suite = cipherspec->suite;
/* Transmit Client Key Exchange record via key exchange algorithm */
return suite->exchange->exchange ( tls );
}
/** /**
* Transmit Certificate Verify record * Transmit Certificate Verify record
* *