Michael Brown [Tue, 20 Mar 2012 04:07:53 +0000 (04:07 +0000)]
[tls] Use hybrid MD5+SHA1 algorithm
TLSv1.1 and earlier use a hybrid of MD5 and SHA-1 to generate digests
over the handshake messages. Formalise this as a separate digest
algorithm "md5+sha1".
Michael Brown [Sun, 18 Mar 2012 20:17:41 +0000 (20:17 +0000)]
[tls] Validate server certificate
Validate the server certificate against the trusted root certificate
store. The server must provide a complete certificate chain, up to
and including the trusted root certificate that is embedded into iPXE.
Note that the date and time are not yet validated.
Michael Brown [Sun, 18 Mar 2012 22:55:29 +0000 (22:55 +0000)]
[build] Allow trusted root certificates to be specified at build time
Allow trusted root certificates to be specified at build time using
the syntax
make TRUST=/path/to/certificate1,/path/to/certificate2,...
The build process uses openssl to calculate the SHA-256 fingerprints
of the specified certificates, and adds them to the root certificate
store in rootcert.c. The certificates can be in any format understood
by openssl.
The certificates may be server certificates or (more usefully) CA
certificates.
If no trusted certificates are specified, then the default "iPXE root
CA" certificate will be used.
Michael Brown [Sun, 18 Mar 2012 20:02:25 +0000 (20:02 +0000)]
[crypto] Force caller to provide temporary storage for modular calculations
bigint_mod_multiply() and bigint_mod_exp() require a fixed amount of
temporary storage for intermediate results. (The amount of temporary
storage required depends upon the size of the integers involved.)
When performing calculations for 4096-bit RSA the amount of temporary
storage space required will exceed 2.5kB, which is too much to
allocate on the stack. Avoid this problem by forcing the caller to
allocate temporary storage.
Michael Brown [Tue, 13 Mar 2012 16:35:21 +0000 (16:35 +0000)]
[crypto] Add big-integer library for RSA calculations
RSA requires modular exponentiation using arbitrarily large integers.
Given the sizes of the modulus and exponent, all required calculations
can be done without any further dynamic storage allocation. The x86
architecture allows for efficient large integer support via inline
assembly using the instructions that take advantage of the carry flag
(e.g. "adcl", "rcrl").
This implemention is approximately 80% smaller than the (more generic)
AXTLS implementation.
Michael Brown [Fri, 9 Mar 2012 15:45:56 +0000 (15:45 +0000)]
[crypto] Upgrade AES and RSA code to upstream axTLS version 1.4.5
All axTLS files are now vanilla versions of the upstream axTLS files,
with one minor exception: the unused "ctx" parameter of
bi_int_divide() has been marked with "__unused" to avoid a compilation
error.
Michael Brown [Tue, 6 Mar 2012 13:42:06 +0000 (13:42 +0000)]
[rng] Choose HMAC_DRBG using SHA-256 as the DRBG algorithm
Both HMAC_DRBG using SHA-1 and HMAC_DRBG using SHA-256 are Approved
algorithms in ANS X9.82 for our chosen security strength of 128 bits.
However, general recommendations (see e.g. NIST SP800-57) are to use a
larger hash function in preference to SHA-1.
Since SHA-256 is required anyway for TLSv1.2 support, there is no code
size penalty for switching HMAC_DRBG to also use SHA-256.
Michael Brown [Mon, 5 Mar 2012 16:21:49 +0000 (16:21 +0000)]
[rng] Use SHA-256 for Hash_df, and validate the hash function strength
ANS X9.82 Part 4 (April 2011 Draft) Section 13.3.4.2 states that "When
using the derivation function based on a hash function, the output
length of the hash function shall meet or exceed the security strength
indicated by the min_entropy parameter in the Get_entropy_input call",
although this criteria is missing from the pseudocode provided in the
same section.
Add a test for this condition, and upgrade from SHA-1 to SHA-256 since
SHA-1 has an output length of 160 bits, which is insufficient for
generating the (128 * 3/2 = 192) bits required when instantiating the
128-bit strength DRBG.
Michael Brown [Sun, 4 Mar 2012 21:41:24 +0000 (21:41 +0000)]
[i386] Use memory address constraints in __bswap_16s() and __bswap_64s()
Minimise code size by forcing the use of memory addresses for
__bswap_16s() and __bswap_64s(). (__bswap_32s() cannot avoid loading the
value into a register.)
Michael Brown [Sun, 4 Mar 2012 15:13:54 +0000 (15:13 +0000)]
[crypto] Replace SHA-1 implementation
Replace SHA-1 implementation from AXTLS with a dedicated iPXE
implementation which is around 40% smaller. This implementation has
been verified using the existing SHA-1 self-tests (including the NIST
SHA-1 test vectors).
Michael Brown [Sun, 4 Mar 2012 15:06:45 +0000 (15:06 +0000)]
[i386] Optimise byte-swapping functions and provide __bswap_{16,32,64}s()
Use the "bswap" instruction to shrink the size of byte-swapping code,
and provide the in-place variants __bswap_{16,32,64}s.
"bswap" is available only on 486 and later processors. (We already
assume the presence of "cpuid" and "rdtsc", which are available only
on Pentium and later processors.)
Michael Brown [Sat, 3 Mar 2012 14:11:46 +0000 (14:11 +0000)]
[tls] Support TLS version 1.1
Advertise support for TLS version 1.1, and be prepared to downgrade to
TLS version 1.0. Tested against Apache with mod_gnutls, using the
GnuTLSPriorities directive to force specific protocol versions.
Michael Brown [Fri, 2 Mar 2012 20:12:10 +0000 (20:12 +0000)]
[arp] Maintain an ARP transmission queue
Allow packet transmission to be deferred pending successful ARP
resolution. This avoids the time spent waiting for a higher-level
protocol (e.g. TCP or TFTP) to attempt retransmission.
Michael Brown [Fri, 2 Mar 2012 18:02:03 +0000 (18:02 +0000)]
[undi] Allow underlying PXE stack to construct link-layer header
Some PXE stacks (observed with a QLogic 8242) will always try to
prepend a link-layer header, even if the caller uses P_UNKNOWN to
indicate that the link-layer header has already been filled in. This
results in an invalid packet being transmitted.
Work around these faulty PXE stacks where possible by stripping the
existing link-layer header and allowing the PXE stack to (re)construct
the link-layer header itself.
Originally-fixed-by: Buck Huppmann <buckh@pobox.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown [Thu, 1 Mar 2012 16:26:38 +0000 (16:26 +0000)]
[iscsi] Send any padding inline with the data segment
Some iSCSI targets respond to a PDU before receiving the padding
bytes. If the target responds quickly enough, this can cause iPXE to
start processing a new TX PDU before the padding bytes have been sent,
which results in a protocol violation.
Fix by always transmitting the padding bytes along with the data
segment.
Originally-fixed-by: Shyam Iyer <shyam_iyer@dell.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown [Tue, 28 Feb 2012 22:27:48 +0000 (22:27 +0000)]
[syslog] Disable console when no syslog server is defined
Explicitly disable the syslog console when no syslog server is
defined, rather than (ab)using the socket family address as an
equivalent console-enabled flag.
Michael Brown [Tue, 28 Feb 2012 14:53:28 +0000 (14:53 +0000)]
[http] Allow for HTTPS-only builds
Separate out the core HTTP functionality (which is shared by both HTTP
and HTTPS) from the provision of the "http://" URI opener. This
allows for builds that support only "https://" URIs.
Michael Brown [Sun, 19 Feb 2012 22:24:42 +0000 (22:24 +0000)]
[rng] Add RTC-based entropy source
The RTC-based entropy source uses the nanosecond-scale CPU TSC to
measure the time between two 1kHz interrupts generated by the CMOS
RTC. In a physical machine these clocks are driven from independent
crystals, resulting in some observable clock drift. In a virtual
machine, the CMOS RTC is typically emulated using host-OS
constructions such as SIGALRM.
Michael Brown [Tue, 21 Feb 2012 12:09:15 +0000 (12:09 +0000)]
[rng] Add get_random_nz() function required by RSA algorithm
RSA requires the generation of random non-zero bytes (i.e. a sequence
of random numbers in the range [0x01,0xff]). ANS X9.82 provides
various Approved methods for converting random bits into random
numbers. The simplest such method is the Simple Discard Method.
Michael Brown [Sun, 19 Feb 2012 22:14:06 +0000 (22:14 +0000)]
[rng] Add ANS X9.82 Approved Source of Entropy Input
ANS X9.82 specifies several Approved Sources of Entropy Input (SEI).
One such SEI uses an entropy source as the Source of Entropy Input,
condensing each entropy source output after each GetEntropy call.
This can be implemented relatively cheaply in iPXE and avoids the need
to allocate potentially very large buffers.
(Note that the terms "entropy source" and "Source of Entropy Input"
are not synonyms within the context of ANS X9.82.)
Use the iPXE API mechanism to allow entropy sources to be selected at
compilation time.
Michael Brown [Mon, 20 Feb 2012 21:24:30 +0000 (21:24 +0000)]
[rng] Record validity within DRBG state
Treat an empty (zeroed) DRBG as invalid. This ensures that a DRBG
that has not yet been instantiated (or that has been uninstantiated)
will refuse to attempt to generate random bits.
Michael Brown [Sun, 19 Feb 2012 14:34:46 +0000 (14:34 +0000)]
[rng] Add NIST self-tests for Hash_df
NIST provides a set of known-answer tests for the Hash_DRBG algorithm,
which includes known answers for the derivation function Hash_df used
as part of Hash_DRBG. Hash_DRBG is not an Approved algorithm for ANS
X9.82, but the known answers for Hash_df (which is part of ANS X9.82)
can still be used as part of the conformance testing for ANS X9.82.
Michael Brown [Sun, 19 Feb 2012 14:31:41 +0000 (14:31 +0000)]
[rng] Add ANS X9.82 Approved Hash_df derivation function
ANS X9.82 specifies several Approved derivation functions for use in
distributing entropy throughout a buffer. One such derivation
function is Hash_df, which can be implemented using the existing iPXE
SHA-1 functionality.
Jarrod Johnson [Mon, 8 Aug 2011 19:54:15 +0000 (15:54 -0400)]
[efi] Add iPXE download protocol
iPXE exposes some extended capabilities via the PXE FILE API to allow
NBPs such as pxelinux to use protocols other than TFTP. Provide an
equivalent interface as a UEFI protocol so that EFI binaries may also
take advantage of iPXE's extended capabilities.
This can be used with a patched version of elilo, for example:
Jarrod Johnson [Sat, 14 Jan 2012 18:18:34 +0000 (13:18 -0500)]
[snpnet] Give up entirely on the transmit queue
Practically speaking, it seems the convention is to only have one
packet pending and not rely upon any mechanism to associate returned
txbuf with txqueue.
projects / thirdparty / ipxe.git / log
