feat: x25519 & modern crypto

united-manufacturing-hub · Aug 5, 2024 · 28c7896 · 28c7896
1 parent 7a380a9
commit 28c7896
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 92 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -40,13 +40,13 @@ RUN chmod +x /src/util/genfsimg
 # Copy config files
 COPY config/embed.ipxe /src/embed.ipxe
 COPY config/ipxe.iso /src/ipxe.iso
-COPY config/isrg-root-x2.pem /src/isrg-root-x2.pem
-COPY config/isrgrootx1.pem /src/isrgrootx1.pem
-COPY config/lets-encrypt-r3.pem /src/lets-encrypt-r3.pem
-COPY config/ca.pem /src/ca.pem
+COPY config/*.pem /src/
 COPY config/general.h /src/config/general.h
 COPY config/crypto.h /src/config/crypto.h
 
+# Ensure at least one .pem file was copied
+RUN if [ ! -f /src/*.pem ]; then echo "No .pem files found"; exit 1; fi
+
 WORKDIR /src
 RUN echo "Building dependencies"
 RUN make -j all

diff --git a/compile.sh b/compile.sh
@@ -12,7 +12,7 @@ mkdir -p output
 git submodule update --init --recursive
 
 # Remove existing docker image
-docker rmi unitedmanufacturinghub/ipxe:latest
+docker rmi unitedmanufacturinghub/ipxe:latest || true
 
 # Build new docker image with cache busting
 docker build -t unitedmanufacturinghub/ipxe:latest --build-arg CACHEBUST=$(date +%s) .

diff --git a/config/crypto.h b/config/crypto.h
@@ -12,6 +12,15 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 /** Minimum TLS version */
 #define TLS_VERSION_MIN TLS_VERSION_TLS_1_1
 
+/** Public-key exchange algorithm */
+#define CRYPTO_EXCHANGE_PUBKEY
+
+/** DHE key exchange algorithm */
+#define CRYPTO_EXCHANGE_DHE
+
+/** ECDHE key exchange algorithm */
+#define CRYPTO_EXCHANGE_ECDHE
+
 /** RSA public-key algorithm */
 #define CRYPTO_PUBKEY_RSA
 
@@ -48,6 +57,9 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 /** SHA-512/256 digest algorithm */
 //#define CRYPTO_DIGEST_SHA512_256
 
+/** X25519 elliptic curve */
+#define CRYPTO_CURVE_X25519
+
 /** Margin of error (in seconds) allowed in signed timestamps
  *
  * We default to allowing a reasonable margin of error: 12 hours to
@@ -70,7 +82,8 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  * forced to operate on networks without access to the OCSP servers.
  * Allow the user to explicitly disable the use of OCSP checks.
  */
-/*#define OCSP_CHECK*/
+/* Ferdinand (05.Aug.2024): Leave this disabled, until we have an OCSP server on management.umh.app */
+/* #define OCSP_CHECK */
 #undef OCSP_CHECK
 
 #include <config/named.h>

diff --git a/config/general.h b/config/general.h
@@ -91,6 +91,13 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define	CRYPTO_80211_WPA	/* WPA Personal, authenticating with passphrase */
 #define	CRYPTO_80211_WPA2	/* Add support for stronger WPA cryptography */
 
+/*
+ * 802.1x EAP authentication methods
+ *
+ */
+#define EAP_METHOD_MD5		/* MD5-Challenge port authentication */
+//#define EAP_METHOD_MSCHAPV2	/* MS-CHAPv2 port authentication */
+
 /*
  * Name resolution modules
  *
@@ -120,6 +127,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define	IMAGE_PEM		/* PEM image support */
 #define	IMAGE_ZLIB		/* ZLIB image support */
 #define	IMAGE_GZIP		/* GZIP image support */
+//#define	IMAGE_UCODE		/* Microcode update image support */
 
 /*
  * Command-line commands to include
@@ -137,6 +145,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define DHCP_CMD		/* DHCP management commands */
 #define SANBOOT_CMD		/* SAN boot commands */
 #define MENU_CMD		/* Menu commands */
+#define FORM_CMD		/* Form commands */
 #define LOGIN_CMD		/* Login command */
 #define SYNC_CMD		/* Sync command */
 #define SHELL_CMD		/* Shell command */
@@ -146,21 +155,22 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 //#define LOTEST_CMD		/* Loopback testing commands */
 #define VLAN_CMD		/* VLAN commands */
 //#define PXE_CMD		/* PXE commands */
-//#define REBOOT_CMD		/* Reboot command */
-//#define POWEROFF_CMD		/* Power off command */
+#define REBOOT_CMD		/* Reboot command */
+#define POWEROFF_CMD		/* Power off command */
 //#define IMAGE_TRUST_CMD	/* Image trust management commands */
 #define PCI_CMD		/* PCI commands */
 #define PARAM_CMD		/* Request parameter commands */
-//#define NEIGHBOUR_CMD		/* Neighbour management commands */
+#define NEIGHBOUR_CMD		/* Neighbour management commands */
 #define PING_CMD		/* Ping command */
 #define CONSOLE_CMD		/* Console command */
 #define IPSTAT_CMD		/* IP statistics commands */
 //#define PROFSTAT_CMD		/* Profiling commands */
 #define NTP_CMD		/* NTP commands */
-//#define CERT_CMD		/* Certificate management commands */
+#define CERT_CMD		/* Certificate management commands */
 //#define IMAGE_MEM_CMD		/* Read memory command */
 #define IMAGE_ARCHIVE_CMD	/* Archive image management commands */
-#define CONSOLE_FRAMEBUFFER
+#define SHIM_CMD		/* EFI shim command (or dummy command) */
+#define CONSOLE_FRAMEBUFFER /* Framebuffer console */
 
 /*
  * ROM-specific options
@@ -180,7 +190,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  * Error message tables to include
  *
  */
-#undef	ERRMSG_80211		/* All 802.11 error descriptions (~3.3kb) */
+#define	ERRMSG_80211		/* All 802.11 error descriptions (~3.3kb) */
 
 /*
  * Obscure configuration options
@@ -204,7 +214,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 				 * registers when iPXE traps to it due to
 				 * privileged instructions */
 
-
 #include <config/named.h>
 #include NAMED_CONFIG(general.h)
 #include <config/local/general.h>

diff --git a/config/isrg-root-x2.pem b/config/isrg-root-x2.pem
diff --git a/config/isrgrootx1.pem b/config/isrgrootx1.pem
diff --git a/config/lets-encrypt-r3.pem b/config/lets-encrypt-r3.pem
diff --git a/make.sh b/make.sh
@@ -7,12 +7,36 @@ rm -rf bin-*
 
 # Variables
 EMBED="embed.ipxe"
-CERT_TRUST=(
-    "ca.pem"
-    "isrgrootx1.pem"
-    "lets-encrypt-r3.pem"
+
+cert_urls=(
+  "https://letsencrypt.org/certs/isrgrootx1.pem"
+  "https://letsencrypt.org/certs/isrg-root-x2.pem"
+  "https://letsencrypt.org/certs/2024/e5.pem"
+  "https://letsencrypt.org/certs/2024/e6.pem"
+  "https://letsencrypt.org/certs/2024/e7.pem"
+  "https://letsencrypt.org/certs/2024/e8.pem"
+  "https://letsencrypt.org/certs/2024/e9.pem"
+  "https://letsencrypt.org/certs/2024/r10.pem"
+  "https://letsencrypt.org/certs/2024/r11.pem"
+  "https://letsencrypt.org/certs/2024/r12.pem"
+  "https://letsencrypt.org/certs/2024/r13.pem"
+  "https://letsencrypt.org/certs/2024/r14.pem"
 )
 
+# Download certificates
+for url in "${cert_urls[@]}"; do
+  echo "Downloading $(basename $url)..."
+  wget $url -O "config/$(basename $url)"
+done
+
+echo "All certificates have been downloaded."
+
+# Build CERT_TRUST array, by reading config folder (all .pem files)
+CERT_TRUST=()
+for file in config/*.pem; do
+    CERT_TRUST+=("$file")
+done
+
 # Convert array to comma-separated string
 CERT_TRUST_STR=$(IFS=, ; echo "${CERT_TRUST[*]}")