[ipxe-devel] ECDHE_RSA cipher suites

LAU, ALOYSIUS al070e at att.com
Fri Aug 17 14:12:19 UTC 2018


Pardon me for posting long email...

The servers that we deploy in-house use the TLS_ECDHE_RSA_WITH_?_? cipher suites.  I'm adding these new cipher suites to iPXE.  This email describes the approach I am taking to implement them in iPXE, and asks the experts on this mailing list for comments on that approach.

These are the main RFCs referenced: RFC 5246, RFC 4492, RFC 5288 and RFC 5289.

In the src/include/ipxe/tls.h header file, the new ECDHE_RSA cipher suites are defined.

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index b1e702e..ab1226a 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -83,6 +83,13 @@ struct tls_header {
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003c
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003d
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xc027
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xc028
+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xc02f
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xc030
+
/* TLS hash algorithm identifiers */
#define TLS_MD5_ALGORITHM 1
#define TLS_SHA1_ALGORITHM 2
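Review bot: The six ECDHE_RSA code points are added with no comment naming their source, unlike the `/* TLS hash algorithm identifiers */` group just below them. A line such as `/* ECDHE_RSA cipher suites (RFC 4492, RFC 5289) */` above `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` would let a reader check the values against the registry; the values shown do match the assignments in those RFCs. RFC 4492 also expects a client offering these suites to advertise its supported curves and point formats in the ClientHello. That code lies outside this hunk, so whether it is covered cannot be confirmed from here.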

These .c files are added to define new ECDHE_RSA cipher suites and they are located in the src/crypto/mishmash directory.

src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c
src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c
src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c
src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c
src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c

I looked at the src/crypto/mishmash/rsa_aes_cbc_sha256.c file and modelled the ecdhe_rsa*.c files on it to build up the ECDHE_RSA cipher suites.  A tls_cipher_suite is instantiated for each ECDHE_RSA cipher suite, with its member fields populated with the correct functions.  If this approach sounds reasonable to you, I will post the high-level implementation details for the rest of the code here.

$ cat src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha1.c
. . .
#include <byteswap.h>
#include <ipxe/ecc.h>
#include <ipxe/rsa.h>
#include <ipxe/aes.h>
#include <ipxe/sha1.h>
#include <ipxe/tls.h>

/**
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-CBC under a 128-bit key and SHA-1 as the suite digest.
 *
 * NOTE(review): ecdhe_rsa_algorithm is not defined in the listing this
 * entry comes from.  ECDHE_RSA authenticates the server's ephemeral
 * ECDH parameters with an RSA signature (RFC 4492), so confirm that
 * whatever sits behind .pubkey verifies that signature against the
 * certificate key before the shared secret is used.
 *
 * NOTE(review): the ( 05 ) argument presumably positions this entry in
 * the cipher suite table; confirm where that places the forward-secret
 * suites relative to the existing RSA key-exchange ones.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_128_cbc_sha
	__tls_cipher_suite ( 05 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_cbc_algorithm,
	.digest = &sha1_algorithm,
	/* Key length in bytes (128-bit AES key) */
	.key_len = 16,
};

/**
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-CBC under a 256-bit key and SHA-1 as the suite digest.
 *
 * NOTE(review): for this suite SHA-1 is only the record HMAC.  When
 * TLS 1.2 is negotiated, RFC 5246 specifies the SHA-256 based PRF for
 * suites defined in earlier documents, so confirm that the handshake
 * code does not derive the PRF/Finished hash from .digest.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_256_cbc_sha
	__tls_cipher_suite ( 06 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_cbc_algorithm,
	.digest = &sha1_algorithm,
	/* Key length in bytes (256-bit AES key) */
	.key_len = 32,
};

$ cat src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha256.c
. . .
#include <byteswap.h>
#include <ipxe/ecc.h>
#include <ipxe/rsa.h>
#include <ipxe/aes.h>
#include <ipxe/sha256.h>
#include <ipxe/tls.h>

/**
 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-CBC under a 128-bit key and SHA-256 as the suite digest.
 *
 * NOTE(review): CBC suites in TLS 1.2 are MAC-then-encrypt, so the
 * record layer has to treat bad padding and a bad MAC identically
 * (same alert, comparable timing).  That handling lives outside this
 * entry -- verify it before enabling further CBC suites.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_128_cbc_sha256
	__tls_cipher_suite ( 07 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_cbc_algorithm,
	.digest = &sha256_algorithm,
	/* Key length in bytes (128-bit AES key) */
	.key_len = 16,
};

$ cat src/crypto/mishmash/ecdhe_rsa_aes_cbc_sha384.c
. . .
#include <byteswap.h>
#include <ipxe/ecc.h>
#include <ipxe/rsa.h>
#include <ipxe/aes.h>
#include <ipxe/sha384.h>
#include <ipxe/tls.h>

/**
 * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-CBC under a 256-bit key and SHA-384 as the suite digest.
 *
 * NOTE(review): RFC 5289 specifies SHA-384 for both the record HMAC
 * and the TLS PRF of this suite; confirm the handshake code switches
 * its PRF/Finished hash accordingly rather than assuming SHA-256.
 *
 * NOTE(review): 08 is not a valid octal constant, so this compiles
 * only if __tls_cipher_suite() uses its argument textually rather
 * than as an integer -- confirm against the macro definition.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_256_cbc_sha384
	__tls_cipher_suite ( 08 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_cbc_algorithm,
	.digest = &sha384_algorithm,
	/* Key length in bytes (256-bit AES key) */
	.key_len = 32,
};

$ cat src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha256.c
. . .
#include <byteswap.h>
#include <ipxe/ecc.h>
#include <ipxe/rsa.h>
#include <ipxe/aes.h>
#include <ipxe/gcm.h>
#include <ipxe/sha256.h>
#include <ipxe/tls.h>

/**
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-GCM under a 128-bit key and SHA-256 as the suite digest.
 *
 * NOTE(review): GCM suites are AEAD (RFC 5288/5289): the record is
 * protected by the GCM tag and the SHA256 in the name is the PRF hash
 * only.  Confirm the record layer does not also compute an HMAC from
 * .digest for this entry, and that it builds the per-record nonce
 * from the 4-byte implicit salt plus a unique 8-byte explicit part.
 *
 * NOTE(review): 09 is not a valid octal constant; this relies on
 * __tls_cipher_suite() using its argument textually -- confirm.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_128_gcm_sha256
	__tls_cipher_suite ( 09 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_gcm_algorithm,
	.digest = &sha256_algorithm,
	/* Key length in bytes (128-bit AES key) */
	.key_len = 16,
};

$ cat src/crypto/mishmash/ecdhe_rsa_aes_gcm_sha384.c
. . .
#include <byteswap.h>
#include <ipxe/ecc.h>
#include <ipxe/rsa.h>
#include <ipxe/aes.h>
#include <ipxe/gcm.h>
#include <ipxe/sha384.h>
#include <ipxe/tls.h>

/**
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite
 *
 * Cipher suite table entry pairing the ECDHE_RSA suite code with
 * AES-GCM under a 256-bit key and SHA-384 as the suite digest.
 *
 * NOTE(review): this is an AEAD suite whose PRF is SHA-384 based
 * (RFC 5289); confirm .digest is used here as the PRF/Finished hash
 * and not as a record HMAC.
 *
 * NOTE(review): ( 10 ) presumably positions this entry in the cipher
 * suite table.  If a larger value means a lower preference, the
 * forward-secret AEAD suite would be offered last -- confirm the
 * intended ordering.
 */
struct tls_cipher_suite tls_ecdhe_rsa_with_aes_256_gcm_sha384
	__tls_cipher_suite ( 10 ) = {
	.code = htons ( TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ),
	.pubkey = &ecdhe_rsa_algorithm,
	.cipher = &aes_gcm_algorithm,
	.digest = &sha384_algorithm,
	/* Key length in bytes (256-bit AES key) */
	.key_len = 32,
};

The new tests are added in the src/tests directory.

Thanks,
Al Lau