diff options
| author | Michael Brown <mcb30@ipxe.org> | 2020-06-16 17:14:54 +0100 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2020-06-16 17:14:54 +0100 |
| commit | bd7a5e4b9cd9833535b840959892135dfe0ffba7 (patch) | |
| tree | c422bf231259c13f1150d670132731d9b5bf9a88 /src/crypto/mishmash/oid_sha384.c | |
| parent | dc785b0fb6867fd8fb2cacd148150b9115a2547b (diff) | |
| download | ipxe-bd7a5e4b9cd9833535b840959892135dfe0ffba7.tar.gz | |
[crypto] Allow algorithms to be included without being OID-identifiable
There are many ways in which the object for a cryptographic algorithm
may be included, even if not explicitly enabled in config/crypto.h.
For example: the MD5 algorithm is required by TLSv1.1 or earlier, by
iSCSI CHAP authentication, by HTTP digest authentication, and by NTLM
authentication.
In the current implementation, inclusion of an algorithm for any
reason will result in the algorithm's ASN.1 object identifier being
included in the "asn1_algorithms" table, which consequently allows the
algorithm to be used for any ASN1-identified purpose. For example: if
the MD5 algorithm is included in order to support HTTP digest
authentication, then iPXE would accept a (validly signed) TLS
certificate using an MD5 digest.
Split the ASN.1 object identifiers into separate files that are
required only if explicitly enabled in config/crypto.h. This allows
an algorithm to be omitted from the "asn1_algorithms" table even if
the algorithm implementation is dragged in for some other purpose.
The end result is that only the algorithms that are explicitly enabled
in config/crypto.h can be used for ASN1-identified purposes such as
signature verification.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto/mishmash/oid_sha384.c')
| -rw-r--r-- | src/crypto/mishmash/oid_sha384.c | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/crypto/mishmash/oid_sha384.c b/src/crypto/mishmash/oid_sha384.c new file mode 100644 index 000000000..5ba4d60a4 --- /dev/null +++ b/src/crypto/mishmash/oid_sha384.c @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2020 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include <ipxe/sha512.h> +#include <ipxe/asn1.h> + +/** "sha384" object identifier */ +static uint8_t oid_sha384[] = { ASN1_OID_SHA384 }; + +/** "sha384" OID-identified algorithm */ +struct asn1_algorithm oid_sha384_algorithm __asn1_algorithm = { + .name = "sha384", + .digest = &sha384_algorithm, + .oid = ASN1_OID_CURSOR ( oid_sha384 ), +}; |