* MD5+SHA1 is never explicitly specified.
*/
struct tls_signature_hash_algorithm tls_signature_hash_algorithms[] = {
+ {
+ .code = {
+ .signature = TLS_RSA_ALGORITHM,
+ .hash = TLS_SHA1_ALGORITHM,
+ },
+ .pubkey = &rsa_algorithm,
+ .digest = &sha1_algorithm,
+ },
{
.code = {
.signature = TLS_RSA_ALGORITHM,
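Review bot: The new RSA+SHA-1 entry sits at the head of `tls_signature_hash_algorithms[]`, and the ClientHello loop added later in this change copies the table to the wire in index order, so SHA-1 is advertised as the client's most preferred signature hash. RFC 5246 section 7.4.1.4.1 defines the signature_algorithms list as being in descending order of preference, so a server that honours the order may choose SHA-1 even when it could sign with a stronger digest. Moving this entry to the end of the table keeps interoperability with SHA-1-only peers without preferring it, and a comment above the array such as `/* Sent as-is in signature_algorithms: keep strongest first */` would record the constraint. The table continues past the end of this hunk, so the other entries and any lookup that depends on their order are not visible here.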
struct {
uint8_t max;
} __attribute__ (( packed )) max_fragment_length;
+ uint16_t signature_algorithms_type;
+ uint16_t signature_algorithms_len;
+ struct {
+ uint16_t len;
+ struct tls_signature_hash_id
+ code[TLS_NUM_SIG_HASH_ALGORITHMS];
+ } __attribute__ (( packed )) signature_algorithms;
} __attribute__ (( packed )) extensions;
} __attribute__ (( packed )) hello;
unsigned int i;
= htons ( sizeof ( hello.extensions.max_fragment_length ) );
hello.extensions.max_fragment_length.max
= TLS_MAX_FRAGMENT_LENGTH_4096;
+ hello.extensions.signature_algorithms_type
+ = htons ( TLS_SIGNATURE_ALGORITHMS );
+ hello.extensions.signature_algorithms_len
+ = htons ( sizeof ( hello.extensions.signature_algorithms ) );
+ hello.extensions.signature_algorithms.len
+ = htons ( sizeof ( hello.extensions.signature_algorithms.code));
+ for ( i = 0 ; i < TLS_NUM_SIG_HASH_ALGORITHMS ; i++ ) {
+ hello.extensions.signature_algorithms.code[i]
+ = tls_signature_hash_algorithms[i].code;
+ }
return tls_send_handshake ( tls, &hello, sizeof ( hello ) );
}
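Review bot: The copy loop reads `tls_signature_hash_algorithms[i]` for every `i` below `TLS_NUM_SIG_HASH_ALGORITHMS`, and the same macro sizes `code[]` in the packed `hello` structure, but its definition is not in the visible hunks. If it is a hand-maintained count rather than derived from the array, a later change to the table would either read past the end of the table or silently leave entries unadvertised. Deriving it from the array, e.g. `( sizeof ( tls_signature_hash_algorithms ) / sizeof ( tls_signature_hash_algorithms[0] ) )`, removes that failure mode. The enclosing function starts outside the hunk.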