narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[tls] Support (and prefer) SHA-256 variants of existing cipher suites 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-03-05 15:36:38 +00:00
parent 015c936791
commit 6069b09bfc
2 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/include/ipxe/tls.h
View File

@ -77,6 +77,8 @@ struct tls_header {
#define TLS_RSA_WITH_NULL_SHA 0x0002 #define TLS_RSA_WITH_NULL_SHA 0x0002
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002f
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d
/* TLS extension types */ /* TLS extension types */
#define TLS_SERVER_NAME 0 #define TLS_SERVER_NAME 0

18
src/net/tls.c
View File

@ -513,6 +513,16 @@ static int tls_select_cipher ( struct tls_session *tls,
cipher = &aes_cbc_algorithm; cipher = &aes_cbc_algorithm;
digest = &sha1_algorithm; digest = &sha1_algorithm;
break; break;
case htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 ):
key_len = ( 128 / 8 );
cipher = &aes_cbc_algorithm;
digest = &sha256_algorithm;
break;
case htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 ):
key_len = ( 256 / 8 );
cipher = &aes_cbc_algorithm;
digest = &sha256_algorithm;
break;
default: default:
DBGC ( tls, "TLS %p does not support cipher %04x\n", DBGC ( tls, "TLS %p does not support cipher %04x\n",
tls, ntohs ( cipher_suite ) ); tls, ntohs ( cipher_suite ) );
@ -677,7 +687,7 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
uint8_t random[32]; uint8_t random[32];
uint8_t session_id_len; uint8_t session_id_len;
uint16_t cipher_suite_len; uint16_t cipher_suite_len;
uint16_t cipher_suites[2]; uint16_t cipher_suites[4];
uint8_t compression_methods_len; uint8_t compression_methods_len;
uint8_t compression_methods[1]; uint8_t compression_methods[1];
uint16_t extensions_len; uint16_t extensions_len;
@ -702,8 +712,10 @@ static int tls_send_client_hello ( struct tls_session *tls ) {
hello.version = htons ( tls->version ); hello.version = htons ( tls->version );
memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) ); memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) ); hello.cipher_suite_len = htons ( sizeof ( hello.cipher_suites ) );
hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA ); hello.cipher_suites[0] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA256 );
hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA ); hello.cipher_suites[1] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA256 );
hello.cipher_suites[2] = htons ( TLS_RSA_WITH_AES_256_CBC_SHA );
hello.cipher_suites[3] = htons ( TLS_RSA_WITH_AES_128_CBC_SHA );
hello.compression_methods_len = sizeof ( hello.compression_methods ); hello.compression_methods_len = sizeof ( hello.compression_methods );
hello.extensions_len = htons ( sizeof ( hello.extensions ) ); hello.extensions_len = htons ( sizeof ( hello.extensions ) );
hello.extensions.server_name_type = htons ( TLS_SERVER_NAME ); hello.extensions.server_name_type = htons ( TLS_SERVER_NAME );