[crypto] Add OID-identified algorithms for AES ciphers

Extend the definition of an ASN.1 OID-identified algorithm to include
a potential cipher suite, and add identifiers for AES-CBC and AES-GCM.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

5 files changed, 196 insertions, 0 deletions

diff --git a/src/config/config_crypto.c b/src/config/config_crypto.c
index 5211224ab..f118a9709 100644
--- a/src/config/config_crypto.c
+++ b/src/config/config_crypto.c
@@ -88,6 +88,16 @@ REQUIRE_OBJECT ( oid_sha512_256 );
 REQUIRE_OBJECT ( oid_x25519 );
 #endif
 
+/* AES-CBC */
+#if defined ( CRYPTO_CIPHER_AES_CBC )
+REQUIRE_OBJECT ( oid_aes_cbc );
+#endif
+
+/* AES-GCM */
+#if defined ( CRYPTO_CIPHER_AES_GCM )
+REQUIRE_OBJECT ( oid_aes_gcm );
+#endif
+
 /* RSA and MD5 */
 #if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_MD5 )
 REQUIRE_OBJECT ( rsa_md5 );
diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index e66da45b9..0e5b1a9dd 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -592,6 +592,32 @@ int asn1_digest_algorithm ( const struct asn1_cursor *cursor,
 }
 
 /**
+ * Parse ASN.1 OID-identified cipher algorithm
+ *
+ * @v cursor		ASN.1 object cursor
+ * @ret algorithm	Algorithm
+ * @ret rc		Return status code
+ */
+int asn1_cipher_algorithm ( const struct asn1_cursor *cursor,
+			    struct asn1_algorithm **algorithm ) {
+	int rc;
+
+	/* Parse algorithm */
+	if ( ( rc = asn1_algorithm ( cursor, algorithm ) ) != 0 )
+		return rc;
+
+	/* Check algorithm has a cipher */
+	if ( ! (*algorithm)->cipher ) {
+		DBGC ( cursor, "ASN1 %p algorithm %s is not a cipher "
+		       "algorithm:\n", cursor, (*algorithm)->name );
+		DBGC_HDA ( cursor, 0, cursor->data, cursor->len );
+		return -ENOTTY_ALGORITHM;
+	}
+
+	return 0;
+}
+
+/**
  * Parse ASN.1 OID-identified signature algorithm
  *
  * @v cursor		ASN.1 object cursor
diff --git a/src/crypto/mishmash/oid_aes_cbc.c b/src/crypto/mishmash/oid_aes_cbc.c
new file mode 100644
index 000000000..0a7951c63
--- /dev/null
+++ b/src/crypto/mishmash/oid_aes_cbc.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <ipxe/aes.h>
+#include <ipxe/asn1.h>
+
+/** "aes128-cbc" object identifier */
+static uint8_t oid_aes_128_cbc[] = { ASN1_OID_AES128_CBC };
+
+/** "aes192-cbc" object identifier */
+static uint8_t oid_aes_192_cbc[] = { ASN1_OID_AES192_CBC };
+
+/** "aes256-cbc" object identifier */
+static uint8_t oid_aes_256_cbc[] = { ASN1_OID_AES256_CBC };
+
+/** "aes128-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_128_cbc_algorithm __asn1_algorithm = {
+	.name = "aes128-cbc",
+	.cipher = &aes_cbc_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_128_cbc ),
+};
+
+/** "aes192-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_192_cbc_algorithm __asn1_algorithm = {
+	.name = "aes192-cbc",
+	.cipher = &aes_cbc_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_192_cbc ),
+};
+
+/** "aes256-cbc" OID-identified algorithm */
+struct asn1_algorithm aes_256_cbc_algorithm __asn1_algorithm = {
+	.name = "aes256-cbc",
+	.cipher = &aes_cbc_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_256_cbc ),
+};
diff --git a/src/crypto/mishmash/oid_aes_gcm.c b/src/crypto/mishmash/oid_aes_gcm.c
new file mode 100644
index 000000000..0f94d5323
--- /dev/null
+++ b/src/crypto/mishmash/oid_aes_gcm.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <ipxe/aes.h>
+#include <ipxe/asn1.h>
+
+/** "aes128-gcm" object identifier */
+static uint8_t oid_aes_128_gcm[] = { ASN1_OID_AES128_GCM };
+
+/** "aes192-gcm" object identifier */
+static uint8_t oid_aes_192_gcm[] = { ASN1_OID_AES192_GCM };
+
+/** "aes256-gcm" object identifier */
+static uint8_t oid_aes_256_gcm[] = { ASN1_OID_AES256_GCM };
+
+/** "aes128-gcm" OID-identified algorithm */
+struct asn1_algorithm aes_128_gcm_algorithm __asn1_algorithm = {
+	.name = "aes128-gcm",
+	.cipher = &aes_gcm_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_128_gcm ),
+};
+
+/** "aes192-gcm" OID-identified algorithm */
+struct asn1_algorithm aes_192_gcm_algorithm __asn1_algorithm = {
+	.name = "aes192-gcm",
+	.cipher = &aes_gcm_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_192_gcm ),
+};
+
+/** "aes256-gcm" OID-identified algorithm */
+struct asn1_algorithm aes_256_gcm_algorithm __asn1_algorithm = {
+	.name = "aes256-gcm",
+	.cipher = &aes_gcm_algorithm,
+	.oid = ASN1_CURSOR ( oid_aes_256_gcm ),
+};
diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 1580c8baf..fd7244570 100644
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -192,6 +192,48 @@ struct asn1_builder_header {
 	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 101 ),	\
 	ASN1_OID_SINGLE ( 110 )
 
+/** ASN.1 OID for id-aes128-cbc (2.16.840.1.101.3.4.1.2) */
+#define ASN1_OID_AES128_CBC					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 2 )
+
+/** ASN.1 OID for id-aes128-gcm (2.16.840.1.101.3.4.1.6) */
+#define ASN1_OID_AES128_GCM					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 6 )
+
+/** ASN.1 OID for id-aes192-cbc (2.16.840.1.101.3.4.1.22) */
+#define ASN1_OID_AES192_CBC					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 22 )
+
+/** ASN.1 OID for id-aes192-gcm (2.16.840.1.101.3.4.1.26) */
+#define ASN1_OID_AES192_GCM					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 26 )
+
+/** ASN.1 OID for id-aes256-cbc (2.16.840.1.101.3.4.1.42) */
+#define ASN1_OID_AES256_CBC					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 42 )
+
+/** ASN.1 OID for id-aes256-gcm (2.16.840.1.101.3.4.1.46) */
+#define ASN1_OID_AES256_GCM					\
+	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 101 ),		\
+	ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 46 )
+
 /** ASN.1 OID for id-sha256 (2.16.840.1.101.3.4.2.1) */
 #define ASN1_OID_SHA256						\
 	ASN1_OID_INITIAL ( 2, 16 ), ASN1_OID_DOUBLE ( 840 ),	\
@@ -317,6 +359,8 @@ struct asn1_algorithm {
 	struct pubkey_algorithm *pubkey;
 	/** Digest algorithm (if applicable) */
 	struct digest_algorithm *digest;
+	/** Cipher algorithm (if applicable) */
+	struct cipher_algorithm *cipher;
 	/** Elliptic curve (if applicable) */
 	struct elliptic_curve *curve;
 };
@@ -428,6 +472,8 @@ extern int asn1_pubkey_algorithm ( const struct asn1_cursor *cursor,
 				   struct asn1_algorithm **algorithm );
 extern int asn1_digest_algorithm ( const struct asn1_cursor *cursor,
 				   struct asn1_algorithm **algorithm );
+extern int asn1_cipher_algorithm ( const struct asn1_cursor *cursor,
+				   struct asn1_algorithm **algorithm );
 extern int asn1_signature_algorithm ( const struct asn1_cursor *cursor,
 				      struct asn1_algorithm **algorithm );
 extern int asn1_check_algorithm ( const struct asn1_cursor *cursor,