robin.thoni/ipxe - git rthoni.com

Author	SHA1	Message	Date
Alexander Chernyakhovsky	151e4d9bfa	[ocsp] Handle OCSP responses that don't provide certificates Certificate authorities are not required to send the certificate used to sign the OCSP response if the response is signed by the original issuer. Modified-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Michael Brown <mcb30@ipxe.org>	11 years ago
Michael Brown	7667536527	[uri] Refactor URI parsing and formatting Add support for parsing of URIs containing literal IPv6 addresses (e.g. "http://[fe80::69ff:fe50:5845%25net0]/boot.ipxe"). Duplicate URIs by directly copying the relevant fields, rather than by formatting and reparsing a URI string. This relaxes the requirements on the URI formatting code and allows it to focus on generating human-readable URIs (e.g. by not escaping ':' characters within literal IPv6 addresses). As a side-effect, this allows relative URIs containing parameter lists (e.g. "../boot.php##params") to function as expected. Add validity check for FTP paths to ensure that only printable characters are accepted (since FTP is a human-readable line-based protocol with no support for character escaping). Construct TFTP next-server+filename URIs directly, rather than parsing a constructed "tftp://..." string, Add self-tests for URI functions. Signed-off-by: Michael Brown <mcb30@ipxe.org>	11 years ago
Michael Brown	0036fdd5c5	[crypto] Accept OCSP responses containing multiple certificates RFC2560 mandates that a valid OCSP response will contain exactly one relevant certificate. However, some OCSP responders include extraneous certificates. iPXE currently assumes that the first certificate in the OCSP response is the relevant certificate; OCSP checks will therefore fail if the responder includes the extraneous certificates before the relevant certificate. Fix by using the responder ID to identify the relevant certificate. Reported-by: Christian Stroehmeier <stroemi@mail.uni-paderborn.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 years ago
Michael Brown	e42bc3aa37	[libc] Use __einfo() tuple as first argument to EUNIQ() Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 years ago
Michael Brown	4010890a39	[crypto] Allow an error margin on X.509 certificate validity periods iPXE has no concept of the local time zone, mainly because there is no viable way to obtain time zone information in the absence of local state. This causes potential problems with newly-issued certificates and certificates that are about to expire. Avoid such problems by allowing an error margin of around 12 hours on certificate validity periods, similar to the error margin already allowed for OCSP response timestamps. Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 years ago
Michael Brown	944e023def	[crypto] Construct OCSP check URI Signed-off-by: Michael Brown <mcb30@ipxe.org>	13 years ago
Michael Brown	57de8b6272	[crypto] Fix margin of error for OCSP checks Signed-off-by: Michael Brown <mcb30@ipxe.org>	13 years ago
Michael Brown	b278094902	[crypto] Return a NULL OCSP check if construction fails Signed-off-by: Michael Brown <mcb30@ipxe.org>	13 years ago
Michael Brown	39ac285a8a	[crypto] Add framework for OCSP Add support for constructing OCSP queries and parsing OCSP responses. (There is no support yet for actually issuing an OCSP query via an HTTP POST.) Signed-off-by: Michael Brown <mcb30@ipxe.org>	13 years ago

9 Commits (151e4d9bfaaaa520d5eb3547d676e6b209d2bd45)