authorMichael Brown <mcb30@ipxe.org>2022-11-09 14:04:43 +0000
committerMichael Brown <mcb30@ipxe.org>2022-11-09 14:49:42 +0000
commit7256a6eb24720adfd30c0307a415e51e9a402059 (patch)
treeb6ef488a22970b854c3312724b3c690e0c0bff9e /src/include
parent51ecc054906eb0b1738c9d5541c7c4dfc15ec5fe (diff)
downloadipxe-7256a6eb24720adfd30c0307a415e51e9a402059.tar.gz
[tls] Allow handshake digest algorithm to be specified by cipher suite
All existing cipher suites use SHA-256 as the TLSv1.2 and above handshake digest algorithm (even when using SHA-1 as the MAC digest algorithm). Some GCM cipher suites use SHA-384 as the handshake digest algorithm. Allow the cipher suite to specify the handshake (and PRF) digest algorithm to be used for TLSv1.2 and above. This requires some restructuring to allow for the fact that the ClientHello message must be included within the handshake digest, even though the relevant digest algorithm is not yet known at the point that the ClientHello is sent. Fortunately, the ClientHello may be reproduced verbatim at the point of receiving the ServerHello, so we rely on reconstructing (rather than storing) this message. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ipxe/tls.h7
1 files changed, 2 insertions, 5 deletions
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 8796fe931..355814132 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -16,7 +16,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
-#include <ipxe/sha256.h>
#include <ipxe/x509.h>
#include <ipxe/privkey.h>
#include <ipxe/pending.h>
@@ -177,6 +176,8 @@ struct tls_cipher_suite {
struct cipher_algorithm *cipher;
/** MAC digest algorithm */
struct digest_algorithm *digest;
+ /** Handshake digest algorithm (for TLSv1.2 and above) */
+ struct digest_algorithm *handshake;
/** Numeric code (in network-endian order) */
uint16_t code;
/** Key length */
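Review bot: The doc comment on the new `handshake` member of `struct tls_cipher_suite` understates what the field controls. Per the commit description it selects the PRF digest as well as the handshake digest for TLSv1.2 and above, so a wrong value in a suite definition would affect key derivation, not only the handshake hash. I would word it as `/** Handshake and PRF digest algorithm (for TLSv1.2 and above) */`. The comment should also say whether the member may be left NULL: a suite definition that omits the initialiser gets a null pointer, and nothing visible in this header shows where that is rejected, so it is worth confirming that every suite table entry sets it. The struct starts and ends outside the hunk.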
@@ -346,10 +347,6 @@ struct tls_connection {
void *server_key;
/** Server Key Exchange record length */
size_t server_key_len;
- /** MD5+SHA1 context for handshake verification */
- uint8_t handshake_md5_sha1_ctx[MD5_SHA1_CTX_SIZE];
- /** SHA256 context for handshake verification */
- uint8_t handshake_sha256_ctx[SHA256_CTX_SIZE];
/** Digest algorithm used for handshake verification */
struct digest_algorithm *handshake_digest;
/** Digest algorithm context used for handshake verification */