Replace SHA-1 implementation from AXTLS with a dedicated iPXE
implementation which is around 40% smaller. This implementation has
been verified using the existing SHA-1 self-tests (including the NIST
SHA-1 test vectors).
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Advertise support for TLS version 1.1, and be prepared to downgrade to
TLS version 1.0. Tested against Apache with mod_gnutls, using the
GnuTLSPriorities directive to force specific protocol versions.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Allow packet transmission to be deferred pending successful ARP
resolution. This avoids the time spent waiting for a higher-level
protocol (e.g. TCP or TFTP) to attempt retransmission.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[undi] Allow underlying PXE stack to construct link-layer header
Some PXE stacks (observed with a QLogic 8242) will always try to
prepend a link-layer header, even if the caller uses P_UNKNOWN to
indicate that the link-layer header has already been filled in. This
results in an invalid packet being transmitted.
Work around these faulty PXE stacks where possible by stripping the
existing link-layer header and allowing the PXE stack to (re)construct
the link-layer header itself.
Originally-fixed-by: Buck Huppmann <buckh@pobox.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[iscsi] Send any padding inline with the data segment
Some iSCSI targets respond to a PDU before receiving the padding
bytes. If the target responds quickly enough, this can cause iPXE to
start processing a new TX PDU before the padding bytes have been sent,
which results in a protocol violation.
Fix by always transmitting the padding bytes along with the data
segment.
Originally-fixed-by: Shyam Iyer <shyam_iyer@dell.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[syslog] Separate out generic line-based console functionality
Abstract out the generic line-handling portions of the syslog
putchar() routine, to allow use by other console types.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Separate out the core HTTP functionality (which is shared by both HTTP
and HTTPS) from the provision of the "http://" URI opener. This
allows for builds that support only "https://" URIs.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[rng] Add get_random_nz() function required by RSA algorithm
RSA requires the generation of random non-zero bytes (i.e. a sequence
of random numbers in the range [0x01,0xff]). ANS X9.82 provides
various Approved methods for converting random bits into random
numbers. The simplest such method is the Simple Discard Method.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[rng] Add ANS X9.82 Approved Source of Entropy Input
ANS X9.82 specifies several Approved Sources of Entropy Input (SEI).
One such SEI uses an entropy source as the Source of Entropy Input,
condensing each entropy source output after each GetEntropy call.
This can be implemented relatively cheaply in iPXE and avoids the need
to allocate potentially very large buffers.
(Note that the terms "entropy source" and "Source of Entropy Input"
are not synonyms within the context of ANS X9.82.)
Use the iPXE API mechanism to allow entropy sources to be selected at
compilation time.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Treat an empty (zeroed) DRBG as invalid. This ensures that a DRBG
that has not yet been instantiated (or that has been uninstantiated)
will refuse to attempt to generate random bits.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[rng] Add ANS X9.82 Approved Hash_df derivation function
ANS X9.82 specifies several Approved derivation functions for use in
distributing entropy throughout a buffer. One such derivation
function is Hash_df, which can be implemented using the existing iPXE
SHA-1 functionality.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
iPXE exposes some extended capabilities via the PXE FILE API to allow
NBPs such as pxelinux to use protocols other than TFTP. Provide an
equivalent interface as a UEFI protocol so that EFI binaries may also
take advantage of iPXE's extended capabilities.
This can be used with a patched version of elilo, for example:
http://comments.gmane.org/gmane.comp.boot-loaders.elilo.general/147
Signed-off-by: Michael Brown <mcb30@ipxe.org>
ANS X9.82 specifies that an Approved DRBG must consist of an Approved
algorithm wrapped inside an envelope which handles entropy gathering,
prediction resistance, automatic reseeding and other housekeeping
tasks.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Cryptographic random number generation requires an entropy source,
which is used as the input to a Deterministic Random Bit Generator
(DRBG).
iPXE does not currently have a suitable entropy source. Provide a
dummy source to allow the DRBG code to be implemented.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
ANS X9.82 specifies several Approved algorithms for use in a
Deterministic Random Bit Generator (DRBG). One such algorithm is
HMAC_DRBG, which can be implemented using the existing iPXE SHA-1 and
HMAC functionality. This algorithm provides a maximum security
strength of 128 bits.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[image] Eliminate the register_and_xxx_image() functions
All users of imgdownload() require registration of the image, so make
registration an integral part of imgdownload() itself and simplify the
"action" parameter to be one of image_select(), image_exec() et al.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[test] Add a basic infrastructure for running self-tests
This self-test mechanism is inspired by Perl's Test::Simple and
similar modules. The aim is to encourage the use of self-tests by
making it as easy as possible to create self-test code
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[dhcp] Use a random DHCP transaction identifier (xid)
iPXE currently uses the last four bytes of the MAC address as the DHCP
transaction identifier. Reduce the probability of collisions by
generating a random transaction identifier.
Originally-implemented-by: Amos Kong <akong@redhat.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
TCP currently neglects to allow sufficient space for its own headers
when allocating I/O buffers. This problem is masked by the fact that
the maximum link-layer header size (802.11) is substantially larger
than the common Ethernet link-layer header.
Fix by allowing sufficient space for any TCP headers, as well as the
network-layer and link-layer headers.
Reported-by: Scott K Logan <logans@cottsay.net>
Debugged-by: Scott K Logan <logans@cottsay.net>
Tested-by: Scott K Logan <logans@cottsay.net>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[tls] Accept certificates without a version number
The version field of an X.509 certificate appears to be optional.
Reported-by: Sebastiano Manusia <Sebastiano.Manusia@chuv.ch>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[netdevice] Allow link layer to report broadcast/multicast packets via pull()
Allow the link layer to directly report whether or not a packet is
multicast or broadcast at the time of calling pull(), rather than
relying on heuristics to determine this at a later stage.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Some processes execute only once, and exist solely in order to defer
execution until after the relevant instantiator method has returned.
Such processes do not need to be automatically rescheduled when
executing.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[process] Pass containing object pointer to process step() methods
Give the step() method a pointer to the containing object, rather than
a pointer to the process. This is consistent with the operation of
interface methods, and allows a single function to serve as both an
interface method and a process step() method.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
[netdevice] Allow non-completion TX errors to be recorded
Allow TX errors to be recorded against a network device even when the
packet didn't make it as far as netdev_tx().
Inspired-by: Dominik Russenberger <dominik.russenberger@terreactive.ch>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Expose the multiple-SAN-drive capability of the iPXE core via the iPXE
command line by adding commands to hook and unhook additional drives.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown