[ipxe-devel] SHA-384
Michael Brown
mcb30 at ipxe.org
Tue May 19 20:13:27 UTC 2015
On 19/05/15 19:47, Tufan Karadere wrote:
> I've been trying to enable HTTPS support and I noticed that it wasn't
> working for the certificates with sha384WithRSAEncryption until I added
> the object identifiers (attached the diff).
>
> Documentation (http://ipxe.org/crypto) doesn't list it as supported but
> git logs looked like otherwise.
>
> So I wanted to ask about the 'official' status for SHA-384, SHA-512 and
> SHA-224 support.

The underlying digest algorithms were implemented recently as part of a
project to add BranchCache support, so the crypto code is there.

They're not linked in by default for reasons of code size. We should
probably have settings in config/crypto.h to select the algorithms to be
supported. This is made slightly more complex by the way that
cryptographic algorithm identifiers tend to be conflated at the protocol
level in subtly differing ways (cf. ASN1_OID_SHA384WITHRSAENCRYPTION vs
TLS_RSA_WITH_AES_128_CBC_SHA384, for example).

From the usability point of view we'd probably want something like:

   #define CONFIG_PUBKEY_RSA
   #define CONFIG_DIGEST_SHA384
   #define CONFIG_CIPHER_AES

which would explicitly cause rsa.o, sha384.o and aes.o to be included,
and then have an as-yet-undefined simple but magic mechanism to ensure
that ASN1_OID_SHA384WITHRSAENCRYPTION et al get included (since both
sha384.o and rsa.o are present).

The alternative would be to require the user to manually coordinate
configuration options such as

   #define CONFIG_ASN1_OID_SHA256WITHRSAENCRYPTION
   #define CONFIG_ASN1_OID_SHA384WITHRSAENCRYPTION
   #define CONFIG_ASN1_OID_SHA512WITHRSAENCRYPTION
   #define CONFIG_TLS_RSA_WITH_AES_128_CBC_SHA256
   #define CONFIG_TLS_RSA_WITH_AES_128_CBC_SHA384
   #define CONFIG_TLS_RSA_WITH_AES_128_CBC_SHA512
   #define CONFIG_TLS_RSA_WITH_AES_256_CBC_SHA256
   #define CONFIG_TLS_RSA_WITH_AES_256_CBC_SHA384
   #define CONFIG_TLS_RSA_WITH_AES_256_CBC_SHA512

but that looks really ugly.

Michael
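
One way the derived selection discussed in the message above could be expressed with the C preprocessor, as an added example that is not part of the original post and not iPXE's own code. The HAVE_* macros, the enabled_ids table, id_enabled() and the CONFIG_DIGEST_SHA256 name are hypothetical; the CONFIG_PUBKEY_RSA, CONFIG_DIGEST_SHA384 and CONFIG_CIPHER_AES names and the identifier names come from the message.

```c
#include <stddef.h>
#include <string.h>

/* Primitive selections, as proposed in the message above. */
#define CONFIG_PUBKEY_RSA
#define CONFIG_DIGEST_SHA384
#define CONFIG_CIPHER_AES
/* CONFIG_DIGEST_SHA256 (name assumed by analogy) is left undefined here. */

/* Hypothetical derived options: a combined identifier is enabled only
 * when every primitive it depends on has been selected. */
#if defined(CONFIG_PUBKEY_RSA) && defined(CONFIG_DIGEST_SHA256)
#define HAVE_ASN1_OID_SHA256WITHRSAENCRYPTION
#endif
#if defined(CONFIG_PUBKEY_RSA) && defined(CONFIG_DIGEST_SHA384)
#define HAVE_ASN1_OID_SHA384WITHRSAENCRYPTION
#endif
#if defined(CONFIG_PUBKEY_RSA) && defined(CONFIG_CIPHER_AES) && \
    defined(CONFIG_DIGEST_SHA384)
#define HAVE_TLS_RSA_WITH_AES_128_CBC_SHA384
#define HAVE_TLS_RSA_WITH_AES_256_CBC_SHA384
#endif

/* Names of the combined identifiers compiled into this build. */
static const char *const enabled_ids[] = {
#ifdef HAVE_ASN1_OID_SHA256WITHRSAENCRYPTION
	"ASN1_OID_SHA256WITHRSAENCRYPTION",
#endif
#ifdef HAVE_ASN1_OID_SHA384WITHRSAENCRYPTION
	"ASN1_OID_SHA384WITHRSAENCRYPTION",
#endif
#ifdef HAVE_TLS_RSA_WITH_AES_128_CBC_SHA384
	"TLS_RSA_WITH_AES_128_CBC_SHA384",
#endif
#ifdef HAVE_TLS_RSA_WITH_AES_256_CBC_SHA384
	"TLS_RSA_WITH_AES_256_CBC_SHA384",
#endif
	NULL
};

/* Return 1 if the named identifier was compiled in, 0 otherwise. */
int id_enabled(const char *name)
{
	size_t i;

	for (i = 0; enabled_ids[i] != NULL; i++)
		if (strcmp(enabled_ids[i], name) == 0)
			return 1;
	return 0;
}
```

With SHA-256 unselected, the SHA-256 signature identifier is absent from the table, which corresponds to the behaviour reported at the top of the thread: a certificate using an algorithm whose identifier is not compiled in cannot be validated.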