Commit Graph

1212 Commits (3f5b4ba6a55b8028274bf5bcee748a556caf3cc9)

Author SHA1 Message Date
Michael Brown 1844aacc83 [uri] Retain original encodings for path, query, and fragment fields
iPXE decodes any percent-encoded characters during the URI parsing
stage, thereby allowing protocol implementations to consume the raw
field values directly without further decoding.

When reconstructing a URI string for use in an HTTP request line, the
percent-encoding is currently reapplied in a reversible way: we
guarantee that our reconstructed URI string could be decoded to give
the same raw field values.

This technically violates RFC3986, which states that "URIs that differ
in the replacement of a reserved character with its corresponding
percent-encoded octet are not equivalent".  Experiments show that
several HTTP server applications will attach meaning to the choice of
whether or not a particular character was percent-encoded, even when
the percent-encoding is unnecessary from the perspective of parsing
the URI into its component fields.

Fix by storing the originally encoded substrings for the path, query,
and fragment fields and using these original encoded versions when
reconstructing a URI string.  The path field is also stored as a
decoded string, for use by protocols such as TFTP that communicate
using raw strings rather than URI-encoded strings.  All other fields
(such as the username and password) continue to be stored only in
their decoded versions since nothing ever needs to know the originally
encoded versions of these fields.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-11-12 09:58:29 +00:00
Michael Brown 2690f73096 [uri] Make URI schemes case-insensitive
RFC 3986 section 3.1 defines URI schemes as case-insensitive (though
the canonical form is always lowercase).

Use strcasecmp() rather than strcmp() to allow for case insensitivity
in URI schemes.

Requested-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-07-01 16:32:46 +01:00
Michael Brown 9b6ad2d888 [peerdist] Assume that most recently discovered peer can be reused
The peer discovery time has a significant impact on the overall
PeerDist download speed, since each block requires an individual
discovery attempt.  In most cases, a peer that responds for block N
will turn out to also respond for block N+1.

Assume that the most recently discovered peer (for any block) probably
has a copy of the next block to be discovered, thereby allowing the
peer download attempt to begin immediately.

In the case that this assumption is incorrect, the existing error
recovery path will allow for fallback to newly discovered peers (or to
the origin server).

Suggested-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Tested-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-06-22 09:45:21 +01:00
Michael Brown 78749542fc [netdevice] Ensure driver transmit() and poll() will not be re-entered
When CONSOLE_SYSLOG is used, a DBG() from within a network device
driver may cause its transmit() or poll() methods to be unexpectedly
re-entered.  Since these methods are not intended to be re-entrant,
this can lead to undefined behaviour.

Add an explicit re-entrancy guard to both methods.  Note that this
must operate at a per-netdevice level, since there are legitimate
circumstances under which the netdev_tx() or netdev_poll() functions
may be re-entered (e.g. when using VLAN devices).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-04-10 16:53:52 +01:00
Michael Brown 1192edf394 [dhcp] Handle DHCPNAK by returning to discovery state
Handle a DHCPNAK by returning to the discovery state to allow iPXE to
attempt to obtain a replacement IPv4 address.

Reuse the existing logic for deferring discovery when the link is
blocked: this avoids hammering a misconfigured DHCP server with a
non-stop stream of requests and allows the DHCP process to eventually
time out and fail.

Originally-implemented-by: Blake Rouse <blake.rouse@canonical.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-03-11 16:04:19 +00:00
Michael Brown 3a58400121 [dns] Reduce debug verbosity for DNS server list
The DNS server list is currently printed as a debug message whenever
settings are applied.  This can result in some very noisy debug logs
when a script makes extensive use of settings.

Move the DNS server list debug messages to DBGLVL_EXTRA.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-03-02 20:03:21 +00:00
Christian Iversen b9de7e6eda [infiniband] Require drivers to specify the number of ports
Require drivers to report the total number of Infiniband ports.  This
is necessary to report the correct number of ports on devices with
dynamic port types.

For example, dual-port Mellanox cards configured for (eth, ib) would
be rejected by the subnet manager, because they report using "port 2,
out of 1".

Signed-off-by: Christian Iversen <ci@iversenit.dk>
2021-01-27 01:15:35 +00:00
Michael Brown 8ef22d819b [tftp] Allow for profiling of client and server turnaround times
Provide some visibility into the turnaround times on both client and
server sides as perceived by iPXE, to assist in debugging inexplicably
slow TFTP transfers.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-01-22 21:05:07 +00:00
Michael Brown 3a9621a6fb [ipv6] Defer router discovery timeout while link is blocked
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-01-19 14:15:56 +00:00
Michael Brown 9c2e8bad11 [eap] Treat an EAP Request-Identity as indicating a blocked link
A switch port using 802.1x authentication will send EAP
Request-Identity packets once the physical link is up, and will not be
forwarding packets until the port identity has been established.

We do not currently support 802.1x authentication.  However, a
reasonably common configuration involves using a preset list of
permitted MAC addresses, with the "authentication" taking place
between the switch and a RADIUS server.  In this configuration, the
end device does not need to perform any authentication step, but does
need to be prepared for the switch port to fail to forward packets for
a substantial time after physical link-up.  This exactly matches the
"blocked link" semantics already used when detecting a non-forwarding
switch port via LACP or STP.

Treat a received EAP Request-Identity as indicating a blocked link.
Unlike LACP or STP, there is no way to determine the expected time
until the next EAP packet and so we must choose a fixed timeout.

Erroneously assuming that the link is blocked is relatively harmless
since we will still attempt to transmit and receive data even over a
link that is marked as blocked, and so the net effect is merely to
prolong DHCP attempts.  In contrast, erroneously assuming that the
link is unblocked will potentially cause DHCP to time out and give up,
resulting in a failed boot.

The default EAP Request-Identity interval in Cisco switches (where
this is most likely to be encountered in practice) is 30 seconds, so
choose 45 seconds as a timeout that is likely to avoid gaps during
which we falsely assume that the link is unblocked.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-01-19 13:01:46 +00:00
Michael Brown 274ad69012 [eapol] Replace EAPoL code
Replace the GPL2+-only EAPoL code (currently used only for WPA) with
new code licensed under GPL2+-or-UBDL.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-01-19 13:01:43 +00:00
Michael Brown 8606204595 [dhcp] Continue transmitting DHCPDISCOVER while link is blocked
Continue to transmit DHCPDISCOVER while waiting for a blocked link, in
order to support mechanisms such as Cisco MAC Authentication Bypass
that require repeated transmission attempts in order to trigger the
action that will result in the link becoming unblocked.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-01-19 12:21:28 +00:00
Michael Brown f43a8f8b9f [crypto] Allow private key to be specified as a TLS connection parameter
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-15 16:54:06 +00:00
Michael Brown 6a8664d9ec [tls] Include root of trust within definition of TLS session
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-15 16:28:33 +00:00
Michael Brown 3475f9162b [x509] Make root of trust a reference-counted structure
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-09 16:45:50 +00:00
Michael Brown 39f5293492 [x509] Record root of trust used when validating a certificate
Record the root of trust used at the point that a certificate is
validated, redefine validation as checking a certificate against a
specific root of trust, and pass an explicit root of trust when
creating a TLS connection.

This allows a custom TLS connection to be used with a custom root of
trust, without causing any validated certificates to be treated as
valid for normal purposes.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-08 15:04:28 +00:00
Michael Brown be47c2c72c [http] Hide HTTP transport-layer filter implementation details
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-08 15:04:28 +00:00
Michael Brown 25b53afa5b [tls] Allow provision of a client certificate chain
Use the existing certificate store to automatically append any
available issuing certificates to the selected client certificate.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-07 13:53:48 +00:00
Michael Brown 2b6b02ee7e [tls] Use intf_insert() to add TLS to an interface
Restructure the use of add_tls() to insert a TLS filter onto an
existing interface.  This allows for the possibility of using
add_tls() to start TLS on an existing connection (as used in several
protocols which will negotiate the choice to use TLS before the
ClientHello is sent).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-12-07 13:51:46 +00:00
Michael Brown a2e5cf1a3f [netdevice] Fix misleading comment on netdev_rx()
Unlike netdev_rx_err(), there is no valid circumstance under which
netdev_rx() may be called with a null I/O buffer, since a call to
netdev_rx() represents the successful reception of a packet.  Fix the
code comment to reflect this.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-11-29 11:25:40 +00:00
Michael Brown 9ff61ab28d [netdevice] Do not attempt to unmap a null I/O buffer
netdev_tx_err() may be called with a null I/O buffer (e.g. to record a
transmit error with no associated buffer).  Avoid a potential null
pointer dereference in the DMA unmapping code path.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-11-29 11:25:40 +00:00
Michael Brown 8d337ecdae [dma] Move I/O buffer DMA operations to iobuf.h
Include a potential DMA mapping within the definition of an I/O
buffer, and move all I/O buffer DMA mapping functions from dma.h to
iobuf.h.  This avoids the need for drivers to maintain a separate list
of DMA mappings for each I/O buffer that they may handle.

Network device drivers typically do not keep track of transmit I/O
buffers, since the network device core already maintains a transmit
queue.  Drivers will typically call netdev_tx_complete_next() to
complete a transmission without first obtaining the relevant I/O
buffer pointer (and will rely on the network device core automatically
cancelling any pending transmissions when the device is closed).

To allow this driver design approach to be retained, update the
netdev_tx_complete() family of functions to automatically perform the
DMA unmapping operation if required.  For symmetry, also update the
netdev_rx() family of functions to behave the same way.

As a further convenience for drivers, allow the network device core to
automatically perform DMA mapping on the transmit datapath before
calling the driver's transmit() method.  This avoids the need to
introduce a mapping error handling code path into the typically
error-free transmit methods.

With these changes, the modifications required to update a typical
network device driver to use the new DMA API are fairly minimal:

- Allocate and free descriptor rings and similar coherent structures
  using dma_alloc()/dma_free() rather than malloc_phys()/free_phys()

- Allocate and free receive buffers using alloc_rx_iob()/free_rx_iob()
  rather than alloc_iob()/free_iob()

- Calculate DMA addresses using dma() or iob_dma() rather than
  virt_to_bus()

- Set a 64-bit DMA mask if needed using dma_set_mask_64bit() and
  thereafter eliminate checks on DMA address ranges

- Either record the DMA device in netdev->dma, or call iob_map_tx() as
  part of the transmit() method

- Ensure that debug messages use virt_to_phys() when displaying
  "hardware" addresses

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-11-28 20:26:28 +00:00
Michael Brown a2e44077cd [infiniband] Allow SRP device to be described using an EFI device path
The UEFI specification provides a partial definition of an Infiniband
device path structure.  Use this structure to construct what may be a
plausible path containing at least some of the information required to
identify an SRP target device.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-23 15:34:35 +01:00
Michael Brown bf051a76ee [fcp] Allow Fibre Channel device to be described using an EFI device path
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-22 14:16:55 +01:00
Michael Brown e6f9054d13 [iscsi] Allow iSCSI device to be described using an EFI device path
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-20 15:05:37 +01:00
Michael Brown 04cb17de50 [aoe] Allow AoE device to be described using an EFI device path
There is no standard defined for AoE device paths in the UEFI
specification, and it seems unlikely that any standard will be adopted
in future.

Choose to construct an AoE device path using a concatenation of the
network device path and a SATA device path, treating the AoE major and
minor numbers as the HBA port number and port multiplier port number
respectively.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-19 14:45:49 +01:00
Michael Brown b50ad5f09a [http] Allow HTTP connection to be described using an EFI device path
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-19 13:07:40 +01:00
Michael Brown 6ccd5239b1 [ipv6] Reduce time spent waiting for router discovery
Now that IPv6 is enabled by default for UEFI builds, it is important
that iPXE does not delay unnecessarily in the (still relatively
common) case of a network that lacks IPv6 routers.

Apply the timeout values used for neighbour discovery to the router
discovery process.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-14 14:57:27 +01:00
Michael Brown 388d657080 [lacp] Ignore (and do not echo) trailing padding on received packets
The LACP responder reuses the received I/O buffer to construct the
response LACP (or marker) packet.  Any received padding will therefore
be unintentionally included within the response.

Truncate the received I/O buffer to the expected length (which is
already defined in a way to allow for future protocol expansion)
before reusing it to construct the response.

Reported-by: Tore Anderson <tore@fud.no>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-14 14:18:49 +01:00
Michael Brown 3d43789914 [lacp] Detect and ignore erroneously looped back LACP packets
Some external drivers (observed with the UEFI NII driver provided by
an HPE-branded Mellanox ConnectX-3 Pro) seem to cause LACP packets
transmitted by iPXE to be looped back as received packets.  Since
iPXE's trivial LACP responder will send one response per received
packet, this results in an immediate LACP packet storm.

Detect looped back LACP packets (based on the received LACP actor MAC
address), and refuse to respond to such packets.

Reported-by: Tore Anderson <tore@fud.no>
Tested-by: Tore Anderson <tore@fud.no>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-14 13:36:17 +01:00
Michael Brown ee2dc525b4 [wpa] Fix erroneous debug message in wpa_derive_ptk
Split debug message since eth_ntoa() uses a static result buffer.

Originally-fixed-by: Michael Bazzinotti <bazz@bazz1.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-07-21 15:34:39 +01:00
Michael Brown 366206517e [dns] Use all configured DNS servers
When no response is obtained from the first configured DNS server,
fall back to attempting the other configured servers.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-07-15 19:10:30 +01:00
Michael Brown a95a2eafc5 [xfer] Remove address family from definition of a socket opener
All implemented socket openers provide definitions for both IPv4 and
IPv6 using exactly the same opener method.  Simplify the logic by
omitting the address family from the definition.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-07-15 18:46:58 +01:00
Michael Brown 2dac11eb1d [tls] Allow a minimum TLS protocol version to be specified
The supported ciphers and digest algorithms may already be specified
via config/crypto.h.  Extend this to allow a minimum TLS protocol
version to be specified.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-06-12 21:40:33 +01:00
Michael Brown e3ca211071 [iscsi] Eliminate variable-length stack allocation in URI parsing
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 23:47:06 +00:00
Michael Brown e2e29e7ae3 [iscsi] Eliminate variable-length stack allocations in CHAP handlers
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 23:19:55 +00:00
Michael Brown 0a74321915 [slam] Allow for the possibility of IPv6 multicast addresses
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 22:02:25 +00:00
Michael Brown c5306bcfa5 [slam] Eliminate variable-length stack allocation
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 21:55:59 +00:00
Michael Brown 6248ac396a [infiniband] Eliminate variable-length stack allocation
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 21:42:35 +00:00
Michael Brown c625681ca1 [tftp] Eliminate unnecessary variable-length stack allocation
Eliminate an unnecessary variable-length stack allocation and memory
copy by allowing TFTP option processors to modify the option string
in-place.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-02-16 20:08:20 +00:00
Michael Brown a2d3bedf1f [peerdist] Allow for the use of a hosted cache server
Allow a PeerDist hosted cache server to be specified via the
${peerhost} setting, e.g.:

  # Use 192.168.0.1 as hosted cache server
  set peerhost 192.168.0.1

Note that this simply treats the hosted cache server as a permanently
discovered peer for all segments.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-12-15 23:29:44 +00:00
Michael Brown 53af9905e0 [peerdist] Allow PeerDist to be globally enabled or disabled
Allow the use of PeerDist content encoding to be enabled or disabled
via the ${peerdist} setting, e.g.:

  # Disable PeerDist
  set peerdist 0

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-12-13 14:44:22 +00:00
Michael Brown f1e6efa40b [ethernet] Avoid false positive Coverity warning
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-08-17 17:30:09 +01:00
Michael Brown fd96acb7de [tls] Add missing call to tls_tx_resume() when restarting negotiation
The restart of negotiation triggered by a HelloRequest currently does
not call tls_tx_resume() and so may end up leaving the connection in
an idle state in which the pending ClientHello is never sent.

Fix by calling tls_tx_resume() as part of tls_restart(), since the
call to tls_tx_resume() logically belongs alongside the code that sets
bits in tls->tx_pending.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-08-16 22:51:14 +01:00
Michael Brown d8a1958ba5 [peerdist] Limit number of concurrent raw block downloads
Raw block downloads are expensive if the origin server uses HTTPS,
since each concurrent download will require local TLS resources
(including potentially large received encrypted data buffers).

Raw block downloads may also be prohibitively slow to initiate when
the origin server is using HTTPS and client certificates.  Origin
servers for PeerDist downloads are likely to be running IIS, which has
a bug that breaks session resumption and requires each connection to
go through the full client certificate verification.

Limit the total number of concurrent raw block downloads to ameliorate
these problems.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-08-16 22:19:50 +01:00
Michael Brown 02b26de963 [peerdist] Start block download timers from within opener methods
Move the responsibility for starting the block download timers from
peerblk_expired() to peerblk_raw_open() and peerblk_retrieval_open(),
in preparation for adding the ability to defer calls to
peerblk_raw_open() via a block download queue.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-08-16 22:19:50 +01:00
Michael Brown fe680c8228 [vlan] Provide vlan_netdev_rx() and vlan_netdev_rx_err()
The Hermon driver uses vlan_find() to identify the appropriate VLAN
device for packets that are received with the VLAN tag already
stripped out by the hardware.  Generalise this capability and expose
it for use by other network card drivers.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-04-27 20:25:00 +01:00
Michael Brown f6b2bf9507 [tcp] Display "connecting" status until connection is established
Provide increased visibility into the progress of TCP connections by
displaying an explicit "connecting" status message while waiting for
the TCP handshake to complete.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-03-10 17:29:06 +00:00
Michael Brown 7b63c1275f [tls] Display validator messages only while validation is in progress
Allow the cipherstream to report progress status messages during
connection establishment.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-03-10 17:27:33 +00:00
Michael Brown b28ccfc725 [tls] Display cross-certificate and OCSP status messages
TLS connections will almost always create background connections to
perform cross-signed certificate downloads and OCSP checks.  There is
currently no direct visibility into which checks are taking place,
which makes troubleshooting difficult in the absence of either a
packet capture or a debug build.

Use the job progress message buffer to report the current cross-signed
certificate download or OCSP status check, where applicable.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2019-03-07 15:23:19 +00:00