summaryrefslogtreecommitdiffstats
path: root/src/net
Commit message (Collapse)AuthorAgeFilesLines
...
* [mii] Remove unused functionalityMichael Brown2012-04-181-147/+0Star
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tftp] Allow builds without TFTP supportMichael Brown2012-04-171-8/+0Star
| | | | | | | Allow TFTP to be configured out by moving the next-server setting definition (which is used by autoboot.c) from tftp.c to settings.c. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Fix wrong memset in function tls_clear_cipherStefan Weil2012-04-101-1/+1
| | | | | | | | | | sizeof(cipherspec) is obviously wrong in this context, because it will only zero the first 4 or 8 bytes (cipherspec is a pointer). This problem was reported by cppcheck. Signed-off-by: Stefan Weil <sw@weilnetz.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [syslog] Add basic support for encrypted syslog via TLSMichael Brown2012-04-101-0/+275
| | | | | | | Encrypted syslog seems not yet to be standardised, but is supported by some existing syslog servers. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [http] Disambiguate the various error causesMichael Brown2012-03-271-13/+45
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [syslog] Pass internal syslog() priority through to syslog consoleMichael Brown2012-03-261-2/+21
| | | | | | | Use a private ANSI escape sequence to convey the priority of an internal syslog() message through to the syslog server. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [console] Do not share ANSI escape context between lineconsole usersMichael Brown2012-03-261-0/+8
| | | | | | | | An ANSI escape sequence context cannot be shared between multiple users. Make the ANSI escape sequence context part of the line console definition and provide individual contexts for each user. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [console] Exclude text-based UI output from logfile-based consolesMichael Brown2012-03-261-1/+1
| | | | | | | | The output from text-based user interfaces such as the "config" command is not generally meaningful for logfile-based consoles such as syslog and vmconsole. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [console] Allow usage to be defined independently for each consoleMichael Brown2012-03-261-0/+8
| | | | | | | | | | | | | | | | | | | | | Add the concept of a "console usage", such as "standard output" or "debug messages". Allow usages to be associated with each console independently. For example, to send debugging output via the serial port, while preventing it from appearing on the local console: #define CONSOLE_SERIAL CONSOLE_USAGE_ALL #define CONSOLE_PCBIOS ( CONSOLE_USAGE_ALL & ~CONSOLE_USAGE_DEBUG ) If no usages are explicitly specified, then a default set of usages will be applied. For example: #define CONSOLE_SERIAL will have the same affect as #define CONSOLE_SERIAL CONSOLE_USAGE_ALL Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Differentiate "untrusted root" and "incomplete chain" error casesMichael Brown2012-03-221-5/+5
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add previous certificate in chain as a parameter to parse_next()Michael Brown2012-03-221-1/+4
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Support sending a client certificateMichael Brown2012-03-201-13/+237
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Treat handshake digest algorithm as a session parameterMichael Brown2012-03-201-39/+24Star
| | | | | | | | | Simplify code by recording the active handshake digest algorithm as a session parameter. (Note that we must still accumulate digests for all supported algorithms, since we don't know which digest will eventually be used until we receive the Server Hello.) Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Use hybrid MD5+SHA1 algorithmMichael Brown2012-03-201-13/+66
| | | | | | | | TLSv1.1 and earlier use a hybrid of MD5 and SHA-1 to generate digests over the handshake messages. Formalise this as a separate digest algorithm "md5+sha1". Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Check certificate validity period against current date and timeMichael Brown2012-03-201-1/+3
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Include current time within the client random bytesMichael Brown2012-03-201-1/+2
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Validate server certificateMichael Brown2012-03-191-36/+93
| | | | | | | | | | Validate the server certificate against the trusted root certificate store. The server must provide a complete certificate chain, up to and including the trusted root certificate that is embedded into iPXE. Note that the date and time are not yet validated. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Add full X.509 certificate parsingMichael Brown2012-03-191-10/+12
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Use iPXE native RSA algorithmMichael Brown2012-03-181-37/+51
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [802.11] Use rbg_generate() for secure random numbersMichael Brown2012-03-131-1/+3
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Use const to mark incoming data being processedMichael Brown2012-03-131-26/+28
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Upgrade AES and RSA code to upstream axTLS version 1.4.5Michael Brown2012-03-091-1/+1
| | | | | | | | | All axTLS files are now vanilla versions of the upstream axTLS files, with one minor exception: the unused "ctx" parameter of bi_int_divide() has been marked with "__unused" to avoid a compilation error. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Formalise the definition of a TLS cipher suiteMichael Brown2012-03-061-81/+114
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Support (and prefer) SHA-256 variants of existing cipher suitesMichael Brown2012-03-051-3/+15
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Support TLS version 1.2Michael Brown2012-03-051-35/+72
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [802.11] Avoid using struct md5_ctx directlyMichael Brown2012-03-051-4/+4
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [802.11] Add missing #include <byteswap.h>Michael Brown2012-03-041-0/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Send empty Certificate record if requested by serverMichael Brown2012-03-031-0/+57
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Verify the contents of the Finished recordMichael Brown2012-03-031-3/+24
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Allow transmitted records to be scheduled independentlyMichael Brown2012-03-031-83/+29Star
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Add support for Server Name Indication (SNI)Michael Brown2012-03-032-4/+31
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Support TLS version 1.1Michael Brown2012-03-031-16/+28
| | | | | | | | Advertise support for TLS version 1.1, and be prepared to downgrade to TLS version 1.0. Tested against Apache with mod_gnutls, using the GnuTLSPriorities directive to force specific protocol versions. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [arp] Maintain an ARP transmission queueMichael Brown2012-03-032-147/+351
| | | | | | | | Allow packet transmission to be deferred pending successful ARP resolution. This avoids the time spent waiting for a higher-level protocol (e.g. TCP or TFTP) to attempt retransmission. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [undi] Allow underlying PXE stack to construct link-layer headerMichael Brown2012-03-021-7/+6Star
| | | | | | | | | | | | | | Some PXE stacks (observed with a QLogic 8242) will always try to prepend a link-layer header, even if the caller uses P_UNKNOWN to indicate that the link-layer header has already been filled in. This results in an invalid packet being transmitted. Work around these faulty PXE stacks where possible by stripping the existing link-layer header and allowing the PXE stack to (re)construct the link-layer header itself. Originally-fixed-by: Buck Huppmann <buckh@pobox.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [iscsi] Send any padding inline with the data segmentMichael Brown2012-03-011-28/+9Star
| | | | | | | | | | | | | Some iSCSI targets respond to a PDU before receiving the padding bytes. If the target responds quickly enough, this can cause iPXE to start processing a new TX PDU before the padding bytes have been sent, which results in a protocol violation. Fix by always transmitting the padding bytes along with the data segment. Originally-fixed-by: Shyam Iyer <shyam_iyer@dell.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [http] Recognise status code 303 as validJason Lunz2012-03-011-0/+1
| | | | | | | | As RFC 2616 10.3.4 explains, a 303 status is the proper HTTP 1.1 behavior for what most HTTP 1.0 clients did with code 302. Signed-off-by: Jason Lunz <lunz@acm.org> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [syslog] Separate out generic line-based console functionalityMichael Brown2012-02-291-36/+8Star
| | | | | | | Abstract out the generic line-handling portions of the syslog putchar() routine, to allow use by other console types. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [syslog] Disable console when no syslog server is definedMichael Brown2012-02-291-7/+5Star
| | | | | | | | Explicitly disable the syslog console when no syslog server is defined, rather than (ab)using the socket family address as an equivalent console-enabled flag. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [http] Allow for HTTPS-only buildsMichael Brown2012-02-282-858/+888
| | | | | | | | Separate out the core HTTP functionality (which is shared by both HTTP and HTTPS) from the provision of the "http://" URI opener. This allows for builds that support only "https://" URIs. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Use ANS X9.82 Approved RBG as source of random data for TLSMichael Brown2012-02-211-9/+35
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [802.11] Add missing #include <string.h>Michael Brown2012-02-213-0/+3
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [udp] Propagate transmission errors to UDP interface usersMichael Brown2012-02-201-4/+3Star
| | | | | Suggested-by: Simon Rowe <simon.rowe@eu.citrix.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [dns] Allow trailing dots in DNS namesMichael Brown2012-01-111-9/+15
| | | | | Reported-by: Christian Hesse <list@eworm.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [dhcp] Add PXE-mandated DHCP options [128,135] to parameter request listMichael Brown2011-12-061-0/+1
| | | | | | | | The PXE specification requires us to request DHCP options 128 to 135 inclusive, although these have no defined purpose. Suggested-by: Ralf Buettner <rab@bootix.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [iscsi] Fail immediately if target rejects any of our parametersMichael Brown2011-12-051-12/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | Some iSCSI targets (observed with stgt) can be configured to reject connections that do not use header or data digests, and will respond with "HeaderDigest=Reject" and/or "DataDigest=Reject", while still allowing the connection to proceed to the full feature phase. According to a strict reading of RFC3720, we are perfectly safe to ignore these "Reject" messages: upon such a rejection "the negotiated key is left at its current value (or default if no value was set)". Since the default value for both HeaderDigest and DataDigest is "None", then the only viable conclusion to be drawn is that the value resulting from "Reject" is still "None". Unfortunately, stgt doesn't seem to agree with this interpretation of events, causing us to eventually report an unhelpful "connection timed out" message to the user when we don't get any response to our first PDU in full feature phase. Fix by detecting any rejected parameters and immediately reporting an error, which at least gives the user some insight as to what the real problem may be. Reported-by: Michal Suchanek <hramrach@centrum.cz> Tested-by: Michal Suchanek <hramrach@centrum.cz> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [infiniband] Reset port state after closing deviceMichael Brown2011-11-151-0/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [infiniband] Open device prior to creating SMI and GSI queue pairsMichael Brown2011-11-151-9/+9
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [infiniband] Poll event queues only for devices that are openMichael Brown2011-11-151-1/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [netdevice] Allow driver to preinitialise the link-layer addressMichael Brown2011-10-281-2/+22
| | | | | | | | | | | | | Drivers are currently expected to initialise only the hardware address, with the link-layer protocol code taking care of converting this into a valid link-layer address. Some drivers (e.g. undinet) can legitimately determine both the hardware and link-layer addresses, which may differ. Allow for this situation by checking to see if the link-layer address is empty before initialising it from the hardware address. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [list] Tidy up naming convention for list_contains() and friendsMichael Brown2011-10-142-2/+2
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2026-02-28 15:21:43 +0100