emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14,524 Commits 1 Branch 0 Tags 33 MiB
7a18b9502a
Commit Graph

14524 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Denys Vlasenko
7a18b9502a tls: reorder tls_handshake_data fields for smaller size, tweak comments 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-23 16:37:04 +01:00
Denys Vlasenko
b5bf1913d3 tls: send EMPTY_RENEGOTIATION_INFO_SCSV in our client hello 
Hoped this can make cdn.kernel.org to like us more. Nope.
While at it, made error reporting more useful.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-23 16:12:17 +01:00
Denys Vlasenko
9492da7e63 tls: set TLS_DEBUG to 0; placate a gcc indentation warning 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-23 01:15:13 +01:00
Denys Vlasenko
9a647c326a separate TLS code into a library, use in in wget 
A new applet, ssl_client, is the TLS debug thing now.
It doubles as wget's NOMMU helper.
In MMU mode, wget still forks, but then directly calls TLS code,
without execing.

This can also be applied to sendmail/popmail (SMTPS / SMTP+starttls support)
and nc --ssl (ncat, nmap's nc clone, has such option).

function                                             old     new   delta
tls_handshake                                          -    1691   +1691
tls_run_copy_loop                                      -     443    +443
ssl_client_main                                        -     128    +128
packed_usage                                       30978   31007     +29
wget_main                                           2508    2535     +27
applet_names                                        2553    2560      +7
...
xwrite_encrypted                                     360     342     -18
tls_main                                            2127       -   -2127
------------------------------------------------------------------------------
(add/remove: 4/1 grow/shrink: 13/8 up/down: 2351/-2195)       Total: 156 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-23 01:08:16 +01:00
Denys Vlasenko
e1f90d13fa ls: -1 should be ignored by -l (and options which imply -l) 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-22 22:02:19 +01:00
Denys Vlasenko
f580baf94a ls: more correct handling of -c, -u 
function                                             old     new   delta
my_stat                                              302     318     +16
packed_usage                                       30977   30969      -8
display_single                                       928     910     -18
sortcmp                                              258     228     -30
ls_main                                              776     732     -44
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/4 up/down: 16/-100)           Total: -84 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-22 19:02:57 +01:00
Denys Vlasenko
194b2ebd2a ls: replace -e with --full-time, add --group-directories-first, delete -K 
-K and -e were non-standard

function                                             old     new   delta
static.ls_longopts                                     9      47     +38
ls_main                                              748     776     +28
display_single                                       901     928     +27
sortcmp                                              254     258      +4
ls_options                                            32      31      -1
opt_flags                                            100      96      -4
packed_usage                                       31032   30977     -55
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 4/3 up/down: 97/-60)             Total: 37 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-22 17:32:20 +01:00
Denys Vlasenko
12389889c0 ip: better --help 
Was:
    Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND]

    ip [OPTIONS] OBJECT [COMMAND]
    where OBJECT := address|route|link|tunnel|neigh|rule
    OPTIONS := -f[amily] inet|inet6|link | -o[neline]

User: instead of repeating list of OBJECTs twice, you could at least
show available COMMANDs...

Now:
    Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND]

    OPTIONS := -f[amily] inet|inet6|link | -o[neline]
    COMMAND :=
    ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
    ip route list|flush|add|del|change|append|replace|test ROUTE
    ip link set IFACE [up|down] [arp on|off] | show [IFACE]
    ip tunnel add|change|del|show [NAME]
        [mode ipip|gre|sit]
        [remote ADDR] [local ADDR] [ttl TTL]
    ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
    ip rule [list] | add|del SELECTOR ACTION

While at it, tweak tc --help too (it stays disabled, thus no effect)

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-21 14:27:07 +01:00
Denys Vlasenko
8908c1d4f5 more ip --help fixes 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-21 03:56:46 +01:00
Denys Vlasenko
f3d705f41b make --help texts smaller 
function                                             old     new   delta
packed_usage                                       31035   30968     -67

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-21 03:46:57 +01:00
Denys Vlasenko
bbc7bee966 make --help texts more uniform 
function                                             old     new   delta
packed_usage                                       31062   31035     -27

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-21 02:49:58 +01:00
Denys Vlasenko
f6e20724d4 tls: reorder tls_state fields for smaller offsets 
function                                             old     new   delta
xwrite_encrypted                                     363     360      -3
xwrite_and_update_handshake_hash                     117     114      -3
tls_xread_handshake_block                             72      69      -3
tls_error_die                                        211     202      -9
tls_get_outbuf                                        64      49     -15
tls_main                                            2163    2127     -36
tls_xread_record                                     702     639     -63
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/7 up/down: 0/-132)           Total: -132 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-21 02:08:34 +01:00
Denys Vlasenko
dd2577f21a tls: send SNI in the client hello 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 22:48:41 +01:00
Denys Vlasenko
0af5265180 tls: check size on "MAC-only, no crypt" code path too 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 21:23:10 +01:00
Denys Vlasenko
54b927d78b tls: AES decrypt does one unnecessary memmove 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 21:19:38 +01:00
Denys Vlasenko
3916139ac4 tls: make input buffer grow as needed 
As it turns out, it goes only up to "inbuf_size:4608"
for kernel.org - fixed 18kb buffer was x4 larger than necessary.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 20:27:06 +01:00
Denys Vlasenko
9731ca7611 password utils: improve --help, make DEFAULT_PASSWD_ALGO visible if CHPASSWD 
Was:
    $ cryptpw --help
    ...
    Print crypt(3) hashed PASSWORD

        -P,--password-fd=N	Read password from fd N
        -m,--method=TYPE	Encryption method
        -S,--salt=SALT

User: "What methods exist? which one os default?"

Now:
    Print crypt(3) hashed PASSWORD

        -P,--password-fd N	Read password from fd N
        -m,--method TYPE	des,md5,sha256/512 (default des)
        -S,--salt SALT

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 19:47:49 +01:00
Denys Vlasenko
38972a8df1 tls: improve i/o loop 
With tls_has_buffered_record(), entire kernel.org response
is printed at once, without 6 second pause to see its delayed EOF.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 19:11:14 +01:00
Denys Vlasenko
e7863f394e tls: was psAesDecrypt'ing one block too many, trashing buffered data 
For the first time

printf "GET / HTTP/1.1\r\nHost: kernel.org\r\n\r\n" | ./busybox tls kernel.org

successfully reads entire server response and TLS shutdown.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 18:04:04 +01:00
Denys Vlasenko
6e511393f9 rdate: time(NULL) is shorter than time(&var) 
function                                             old     new   delta
rdate_main                                           251     246      -5

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 16:07:14 +01:00
Denys Vlasenko
179e88bec9 rdate: make it do something remotely sane, facing 32-bit time overflow 
function                                             old     new   delta
rdate_main                                           251     254      +3
packed_usage                                       31029   31023      -6

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 16:03:48 +01:00
Denys Vlasenko
19e695ebad tls: do not use common_bufsiz 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 14:27:58 +01:00
Denys Vlasenko
a0aae9f714 tls: decode alerts and in particular, EOF alert. 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 14:12:10 +01:00
Denys Vlasenko
abbf17abcc tls: add the i/o loop - largish rework of i/o buffering 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-20 03:15:09 +01:00
Denys Vlasenko
f7806f9d8f tls: fix ROL/ROR x86 optimization 
ALWAYS_INLINE:

function                                             old     new   delta
psAesInitKey                                         825     824      -1
ROR                                                    5       -      -5
setup_mix2                                           148     134     -14
psAesDecryptBlock                                   1184    1139     -45
psAesEncryptBlock                                   1193    1102     -91
------------------------------------------------------------------------------
(add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-156)           Total: -156 bytes

ALWAYS_INLINE + __builtin_constant_p(shift_cnt):

function                                             old     new   delta
ROR                                                    5       -      -5
psAesInitKey                                         825     818      -7
setup_mix2                                           148     123     -25
psAesDecryptBlock                                   1184    1078    -106
psAesEncryptBlock                                   1193    1017    -176
------------------------------------------------------------------------------
(add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-319)           Total: -319 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 16:45:41 +01:00
Denys Vlasenko
432f1ae2ff tls: tested PSTM_X86_64, not enabling it - too large 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 16:32:38 +01:00
Denys Vlasenko
6b1b004845 tls: commented out psPool_t use 
function                                             old     new   delta
psAesEncrypt                                         159     162      +3
der_binary_to_pstm                                    42      40      -2
xwrite_and_hash                                      437     434      -3
xread_tls_block                                      446     443      -3
pstm_div_2d                                          449     444      -5
psAesDecrypt                                         179     174      -5
pstm_init_size                                        52      45      -7
pstm_init                                             46      39      -7
pstm_to_unsigned_bin                                 165     157      -8
tls_main                                            1265    1256      -9
pstm_mulmod                                          132     123      -9
pstm_mod                                             125     116      -9
pstm_init_copy                                        93      84      -9
psAesInitKey                                         840     825     -15
send_client_key_exchange                             362     342     -20
psAesInit                                            103      80     -23
psRsaEncryptPub                                      429     403     -26
psAesDecryptBlock                                   1211    1184     -27
psAesEncryptBlock                                   1223    1193     -30
pstm_exptmod                                        1582    1524     -58
pstm_div                                            1557    1472     -85
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/20 up/down: 3/-360)          Total: -357 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 15:51:00 +01:00
Denys Vlasenko
1bfc4b85a7 ntpd: print result of hostname resolution 
This is particularly useful if hostname resolution is triggered by
host non-reachability: I saw this in real-life, without the message
it is not at all obvious that IP that we use for a specific host
has changed.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 14:42:34 +01:00
Denys Vlasenko
704c606f48 fdisk: add typical values of -H and -S to --help 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 14:29:42 +01:00
Denys Vlasenko
cccf8e735d tls: teach it to decrypt AES256-encrypted data 
This adds decryption only.
There is no MAC verification, code simply throws away MAC.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-19 00:20:45 +01:00
Denys Vlasenko
a9e1866806 tls: trim comments 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-18 21:00:23 +01:00
Denys Vlasenko
b5dfc3dfd6 tls: teach it to send AES256-encrypted data 
>> CLIENT_HELLO
wrote 50 bytes
insize:0 tail:0
got block len:74
got HANDSHAKE
<< SERVER_HELLO
insize:79 tail:0
got block len:2397
got HANDSHAKE
<< CERTIFICATE
key bytes:271, first:0x00
server_rsa_pub_key.size:256
insize:2402 tail:0
got block len:4
got HANDSHAKE
<< SERVER_HELLO_DONE
>> CLIENT_KEY_EXCHANGE
wrote 267 bytes
master secret:c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
client_write_MAC_key:3b0b7e2bab241b629c37eb3a3824f09b39fe71a00876b0c8026dda16ef0d2f82
client_write_key:d36e801470ed2f0a8fc886ac25df57ffbe4265d06e3192122c4ef4df1e32fab2
>> CHANGE_CIPHER_SPEC
from secret: c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
from labelSeed: 636c69656e742066696e6973686564b22e0e6008b8ee218cc02e4a93e4a42b570535f9b57662e262d43b379d125b69
=> digest: a45bfee8ed6507a2a9920d0c
>> FINISHED
before crypt: 5 hdr + 16 data + 32 hash bytes
writing 5 + 16 IV + 64 encrypted bytes, padding_length:0x0f
wrote 85 bytes
insize:9 tail:0
got block len:1
<< CHANGE_CIPHER_SPEC
insize:6 tail:0
got block len:80
< hdr_type:22 ver:3.3 len:80 type:21 len24:9541723 |1591985b...a3da|

The last line is the server's FINISHED response, encrypted.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-18 20:37:24 +01:00
Denys Vlasenko
b7e9ae6e9f tls: added AES code and made it compile. not used yet 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-18 17:20:27 +01:00
Denys Vlasenko
c8ba23bcec tls: massage writing for encryption support; finer-grained debug 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-18 06:45:50 +01:00
Denys Vlasenko
5d1662ea1c tls: address one easy FIXME, tidy up comments 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-17 18:17:27 +01:00
Denys Vlasenko
e69d78c038 tls: process CHANGE_CIPHER_SPEC and FINISHED from server 
Successfully finishes handshake with test servers using NULL-SHA256
cipher.

The "only" thing remaining before there is a chance
this can actually work with real servers is AES encrypt/decrypt.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-17 17:24:11 +01:00
Denys Vlasenko
fe0588df3b tls: rearrange function order, improve comments 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-17 17:04:24 +01:00
Denys Vlasenko
e2cb3b990f tls: make our send_client_finished() pass server check 
sha256 hash should be calculated over incoming handshake packets too!

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-17 16:53:36 +01:00
Denys Vlasenko
9a6897a48a tls: format FINISHED message properly for unencrypted, but sha256 signed mode 
Now it at least looks correct, but unfortunately "openssl s_server"
says my hash is wrong.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-16 23:26:33 +01:00
Denys Vlasenko
4e08a123b0 Assorted warning fixes and added a comment, no code changes 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-16 17:31:05 +01:00
Denys Vlasenko
936e83e694 tls: add sha256 hmac and prf code 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-16 04:25:01 +01:00
Denys Vlasenko
6c73aaff38 cryptpw: support "rounds=NNNNNNN$" thing in salts 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 21:48:31 +01:00
Denys Vlasenko
16e7f697f8 libbb: eliminate redundant variable in sha_crypt 
function                                             old     new   delta
sha_crypt                                           1136    1130      -6

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 20:59:32 +01:00
Denys Vlasenko
b8935d00b0 sha512: use larger constant table only if sha512 is in fact selected 
function                                             old     new   delta
sha_K                                                640     256    -384

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 20:16:27 +01:00
Denys Vlasenko
3f8ecd933a tls: rearrange code, add/improve comments, fix whitespace, no real changes here 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 14:16:51 +01:00
Denys Vlasenko
c5540d61f6 tls: send CHANGE_CIPHER_SPEC 
To "actually implement it" will take more work...

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 02:17:03 +01:00
Denys Vlasenko
f78ad0938b whitespace fix 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 00:18:22 +01:00
Denys Vlasenko
11d0096516 tls: format and send CLIENT_KEY_EXCHANGE 
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4265
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8b217a7:0x30 len:1452 inner_byte @0x8b217ab:0x30
entered der @0x8b217ab:0x30 len:1172 inner_byte @0x8b217af:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8b218b4:0x30 len:418 inner_byte @0x8b218b8:0x30
skipped der 0x30, next byte 0x03
entered der @0x8b218c7:0x03 len:399 inner_byte @0x8b218cb:0x00
key bytes:399, first:0x00
entered der @0x8b218cc:0x30 len:394 inner_byte @0x8b218d0:0x02
binary bytes:385, first:0x00
skipped der 0x02, next byte 0x02
binary bytes:3, first:0x01
server_rsa_pub_key.size:384
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE
insize:9 tail:0
^C

Next step: send CHANGE_CIPHER_SPEC... and actually implement it.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-15 00:12:42 +01:00
Denys Vlasenko
2a17d1fc9b tls: DER length byte 0x81 is actually valid 
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-14 22:38:25 +01:00
Denys Vlasenko
b1003f7019 tls: a bit more work 
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4406
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8f7e723:0x30 len:1452 inner_byte @0x8f7e727:0x30
entered der @0x8f7e727:0x30 len:1172 inner_byte @0x8f7e72b:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8f7e830:0x30 len:418 inner_byte @0x8f7e834:0x30
skipped der 0x30, next byte 0x03
entered der @0x8f7e843:0x03 len:399 inner_byte @0x8f7e847:0x00
copying key bytes:399, first:0x00
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE

Now need to teach it to send ClientKeyExchange...

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
 2017-01-14 13:57:16 +01:00