Age | Commit message (Collapse) | Author |
|
Good news that TLS_RSA_WITH_AES_256_CBC_SHA256 still works with new code ;)
This change adds inevitable extension to have different sized hashes and AES key sizes.
In libbb, md5_end() and shaX_end() are extended to return result size instead of void -
this helps *a lot* in tls (the cost is ~5 bytes per _end() function).
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Hoped this can make cdn.kernel.org to like us more. Nope.
While at it, made error reporting more useful.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
A new applet, ssl_client, is the TLS debug thing now.
It doubles as wget's NOMMU helper.
In MMU mode, wget still forks, but then directly calls TLS code,
without execing.
This can also be applied to sendmail/popmail (SMTPS / SMTP+starttls support)
and nc --ssl (ncat, nmap's nc clone, has such option).
function old new delta
tls_handshake - 1691 +1691
tls_run_copy_loop - 443 +443
ssl_client_main - 128 +128
packed_usage 30978 31007 +29
wget_main 2508 2535 +27
applet_names 2553 2560 +7
...
xwrite_encrypted 360 342 -18
tls_main 2127 - -2127
------------------------------------------------------------------------------
(add/remove: 4/1 grow/shrink: 13/8 up/down: 2351/-2195) Total: 156 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Was:
Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND]
ip [OPTIONS] OBJECT [COMMAND]
where OBJECT := address|route|link|tunnel|neigh|rule
OPTIONS := -f[amily] inet|inet6|link | -o[neline]
User: instead of repeating list of OBJECTs twice, you could at least
show available COMMANDs...
Now:
Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND]
OPTIONS := -f[amily] inet|inet6|link | -o[neline]
COMMAND :=
ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
ip route list|flush|add|del|change|append|replace|test ROUTE
ip link set IFACE [up|down] [arp on|off] | show [IFACE]
ip tunnel add|change|del|show [NAME]
[mode ipip|gre|sit]
[remote ADDR] [local ADDR] [ttl TTL]
ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
ip rule [list] | add|del SELECTOR ACTION
While at it, tweak tc --help too (it stays disabled, thus no effect)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
packed_usage 31035 30968 -67
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
packed_usage 31062 31035 -27
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
xwrite_encrypted 363 360 -3
xwrite_and_update_handshake_hash 117 114 -3
tls_xread_handshake_block 72 69 -3
tls_error_die 211 202 -9
tls_get_outbuf 64 49 -15
tls_main 2163 2127 -36
tls_xread_record 702 639 -63
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/7 up/down: 0/-132) Total: -132 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
As it turns out, it goes only up to "inbuf_size:4608"
for kernel.org - fixed 18kb buffer was x4 larger than necessary.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
With tls_has_buffered_record(), entire kernel.org response
is printed at once, without 6 second pause to see its delayed EOF.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
For the first time
printf "GET / HTTP/1.1\r\nHost: kernel.org\r\n\r\n" | ./busybox tls kernel.org
successfully reads entire server response and TLS shutdown.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
rdate_main 251 254 +3
packed_usage 31029 31023 -6
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
ALWAYS_INLINE:
function old new delta
psAesInitKey 825 824 -1
ROR 5 - -5
setup_mix2 148 134 -14
psAesDecryptBlock 1184 1139 -45
psAesEncryptBlock 1193 1102 -91
------------------------------------------------------------------------------
(add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-156) Total: -156 bytes
ALWAYS_INLINE + __builtin_constant_p(shift_cnt):
function old new delta
ROR 5 - -5
psAesInitKey 825 818 -7
setup_mix2 148 123 -25
psAesDecryptBlock 1184 1078 -106
psAesEncryptBlock 1193 1017 -176
------------------------------------------------------------------------------
(add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-319) Total: -319 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
psAesEncrypt 159 162 +3
der_binary_to_pstm 42 40 -2
xwrite_and_hash 437 434 -3
xread_tls_block 446 443 -3
pstm_div_2d 449 444 -5
psAesDecrypt 179 174 -5
pstm_init_size 52 45 -7
pstm_init 46 39 -7
pstm_to_unsigned_bin 165 157 -8
tls_main 1265 1256 -9
pstm_mulmod 132 123 -9
pstm_mod 125 116 -9
pstm_init_copy 93 84 -9
psAesInitKey 840 825 -15
send_client_key_exchange 362 342 -20
psAesInit 103 80 -23
psRsaEncryptPub 429 403 -26
psAesDecryptBlock 1211 1184 -27
psAesEncryptBlock 1223 1193 -30
pstm_exptmod 1582 1524 -58
pstm_div 1557 1472 -85
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/20 up/down: 3/-360) Total: -357 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
This is particularly useful if hostname resolution is triggered by
host non-reachability: I saw this in real-life, without the message
it is not at all obvious that IP that we use for a specific host
has changed.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
This adds decryption only.
There is no MAC verification, code simply throws away MAC.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
>> CLIENT_HELLO
wrote 50 bytes
insize:0 tail:0
got block len:74
got HANDSHAKE
<< SERVER_HELLO
insize:79 tail:0
got block len:2397
got HANDSHAKE
<< CERTIFICATE
key bytes:271, first:0x00
server_rsa_pub_key.size:256
insize:2402 tail:0
got block len:4
got HANDSHAKE
<< SERVER_HELLO_DONE
>> CLIENT_KEY_EXCHANGE
wrote 267 bytes
master secret:c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
client_write_MAC_key:3b0b7e2bab241b629c37eb3a3824f09b39fe71a00876b0c8026dda16ef0d2f82
client_write_key:d36e801470ed2f0a8fc886ac25df57ffbe4265d06e3192122c4ef4df1e32fab2
>> CHANGE_CIPHER_SPEC
from secret: c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
from labelSeed: 636c69656e742066696e6973686564b22e0e6008b8ee218cc02e4a93e4a42b570535f9b57662e262d43b379d125b69
=> digest: a45bfee8ed6507a2a9920d0c
>> FINISHED
before crypt: 5 hdr + 16 data + 32 hash bytes
writing 5 + 16 IV + 64 encrypted bytes, padding_length:0x0f
wrote 85 bytes
insize:9 tail:0
got block len:1
<< CHANGE_CIPHER_SPEC
insize:6 tail:0
got block len:80
< hdr_type:22 ver:3.3 len:80 type:21 len24:9541723 |1591985b...a3da|
The last line is the server's FINISHED response, encrypted.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Successfully finishes handshake with test servers using NULL-SHA256
cipher.
The "only" thing remaining before there is a chance
this can actually work with real servers is AES encrypt/decrypt.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
sha256 hash should be calculated over incoming handshake packets too!
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Now it at least looks correct, but unfortunately "openssl s_server"
says my hash is wrong.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
To "actually implement it" will take more work...
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4265
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8b217a7:0x30 len:1452 inner_byte @0x8b217ab:0x30
entered der @0x8b217ab:0x30 len:1172 inner_byte @0x8b217af:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8b218b4:0x30 len:418 inner_byte @0x8b218b8:0x30
skipped der 0x30, next byte 0x03
entered der @0x8b218c7:0x03 len:399 inner_byte @0x8b218cb:0x00
key bytes:399, first:0x00
entered der @0x8b218cc:0x30 len:394 inner_byte @0x8b218d0:0x02
binary bytes:385, first:0x00
skipped der 0x02, next byte 0x02
binary bytes:3, first:0x01
server_rsa_pub_key.size:384
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE
insize:9 tail:0
^C
Next step: send CHANGE_CIPHER_SPEC... and actually implement it.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4406
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8f7e723:0x30 len:1452 inner_byte @0x8f7e727:0x30
entered der @0x8f7e727:0x30 len:1172 inner_byte @0x8f7e72b:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8f7e830:0x30 len:418 inner_byte @0x8f7e834:0x30
skipped der 0x30, next byte 0x03
entered der @0x8f7e843:0x03 len:399 inner_byte @0x8f7e847:0x00
copying key bytes:399, first:0x00
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE
Now need to teach it to send ClientKeyExchange...
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
function old new delta
tls_main - 733 +733
dump - 230 +230
xread_tls_block - 180 +180
get_der_len - 76 +76
enter_der_item - 70 +70
skip_der_item - 56 +56
get24be - 24 +24
tls_error_die - 19 +19
packed_usage 31010 31027 +17
applet_names 2549 2553 +4
applet_main 1472 1476 +4
applet_suid 92 93 +1
applet_install_loc 184 185 +1
------------------------------------------------------------------------------
(add/remove: 9/0 grow/shrink: 5/0 up/down: 1415/0) Total: 1415 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
write(3, "GET / HTTP/1.1\r\nUser-Agent: Wget\r\nConnection: close\r\n\r\n", 74) = 74
shutdown(3, SHUT_WR) = 0
alarm(900) = 900
read(3, "", 1024) = 0
write(2, "wget: error getting response\n", 29) = 29
exit(1)
The peer simply does not return anything. It closes its connection.
Probably it detects wget closing its writing end: shutdown(3, SHUT_WR).
The point it, closing write side of the socket is _valid_ for HTTP.
wget sent the full request, it won't be sending anything more:
it will only receive the response, and that's it.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
No code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Redundant help texts (one which only repeats the description)
are deleted.
Descriptions and help texts are trimmed.
Some config options are moved, even across menus.
No config option _names_ are changed.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
When httpd proxies a request to another server, it first creates
an AF_INET socket, then resolves the server name to a sockaddr,
then connects to it. This fails if the server name resolves to
an IPv6 address.
This patch ensures that the socket is created with the correct
address family (AF_INET6 if the server resolves to an IPv6 address
and AF_INET otherwise).
Signed-off-by: Laurent Bercot <ska-dietlibc@skarnet.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Run the namelookup from the main loop so a misspelled first ntp server
name does not block everything forever.
This fixes the following situation which would block forever:
$ sudo ./busybox ntpd -dn -p foobar -p pool.ntp.org
ntpd: bad address 'foobar'
ntpd: bad address 'foobar'
ntpd: bad address 'foobar'
...
New behavior:
ntpd: bad address 'foobar'
ntpd: sending query to 137.190.2.4
ntpd: reply from 137.190.2.4: offset:-1.009775 delay:0.175550 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x01
ntpd: sending query to 137.190.2.4
ntpd: reply from 137.190.2.4: offset:-1.009605 delay:0.175461 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x03
ntpd: sending query to 137.190.2.4
ntpd: reply from 137.190.2.4: offset:-1.005327 delay:0.167027 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x07
ntpd: sending query to 137.190.2.4
ntpd: bad address 'foobar'
ntpd: reply from 137.190.2.4: offset:-1.046349 delay:0.248705 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x0f
This patch is based on Kaarle Ritvanens work.
http://lists.busybox.net/pipermail/busybox/2016-May/084197.html
function old new delta
ntpd_main 1061 1079 +18
ntp_init 556 560 +4
resolve_peer_hostname 81 75 -6
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/1 up/down: 22/-6) Total: 16 bytes
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
All other applets are listed simply by their name, no reason why
dumpleases doesn't do that.
Group all udhcpd feature options directly after it.
Put "NOT READY" into udhcpc6 item (some users actually tried to use it,
and complained).
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
Commit a8c696bf09d8151323f6e99348c4bc8989f829c8 makes ifup and ifdown
individually selectable, but forgets to update the dependency to
IFUPDOWN_UDHCPC_CMD_OPTIONS, so it is not selectable anymore.
This patch fixes the dependency by checking for IFUP or IFDOWN, instead
of the obsolete IFUPDOWN.
Also, it drops dependency on UDHCPC: udhcpc on the target system
does not have to come from the _same_ binary.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|