Commit Graph

72 Commits

Author SHA1 Message Date
Denys Vlasenko
d4681c7293 tls: simplify hmac_begin()
function                                             old     new   delta
hmac_begin                                           196     158     -38

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-26 10:33:23 +01:00
Denys Vlasenko
ca7cdd4b03 tls: add support for 8 more cipher ids - all tested to work
function                                             old     new   delta
tls_handshake                                       2059    2116     +57
static.ciphers                                         -      30     +30
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 1/0 up/down: 87/0)               Total: 87 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-26 00:17:10 +01:00
Denys Vlasenko
838b88c044 tls: fix comments
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 18:52:47 +01:00
Denys Vlasenko
330d7f53f7 tls: add a comment on expanding list of supported ciphers
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 17:27:48 +01:00
Denys Vlasenko
a6192f347f tls: do not leak RSA key
function                                             old     new   delta
tls_handshake                                       1957    2059    +102

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 16:17:26 +01:00
Denys Vlasenko
eb53d01be5 tls: code shrink
function                                             old     new   delta
xwrite_and_update_handshake_hash                      81      80      -1
tls_handshake                                       1987    1957     -30

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 14:45:55 +01:00
Denys Vlasenko
a33b008240 tls: code shrink
function                                             old     new   delta
tls_handshake                                       1993    1987      -6

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 14:28:32 +01:00
Denys Vlasenko
be5ca42e8d tls: code shrink
function                                             old     new   delta
aesgcm_GHASH                                         223     196     -27

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 14:03:59 +01:00
Denys Vlasenko
ab3c5e4c44 tls: actually fill in CIPHER_ID3 value in hello message
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-25 00:53:19 +01:00
Denys Vlasenko
d2923b3d23 tls: fix is.gd again, fix AES-CBC using decrypt key instead of encrypt
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-24 21:26:20 +01:00
Denys Vlasenko
03569bc50f tls: speed up xor'ing of aligned 16-byte buffers
function                                             old     new   delta
xorbuf_aligned_AES_BLOCK_SIZE                          -      23     +23
xwrite_encrypted                                     585     580      -5
aesgcm_GHASH                                         233     228      -5
GMULT                                                192     187      -5
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 0/3 up/down: 23/-15)              Total: 8 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-24 14:08:29 +01:00
Denys Vlasenko
941440cf16 tls: in AES-GCM decoding, avoid memmove
function                                             old     new   delta
xorbuf3                                                -      36     +36
xorbuf                                                24      12     -12
tls_xread_record                                     656     634     -22
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 0/2 up/down: 36/-34)              Total: 2 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-24 13:51:46 +01:00
Denys Vlasenko
624066f0cc tls: make tls_get_random() FAST_FUNC
function                                             old     new   delta
tls_handshake                                       1977    1985      +8
tls_get_random                                        32      28      -4
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/1 up/down: 8/-4)                Total: 4 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-23 19:24:57 +01:00
Denys Vlasenko
219c9d4b5d tls: code shrink
function                                             old     new   delta
xwrite_encrypted                                     599     585     -14

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-23 18:48:20 +01:00
Denys Vlasenko
ecc9090cfc tls: simplify aesgcm_GHASH()
function                                             old     new   delta
xwrite_encrypted                                     604     599      -5
FlattenSzInBits                                       52       -     -52
aesgcm_GHASH                                         395     262    -133
------------------------------------------------------------------------------
(add/remove: 0/1 grow/shrink: 0/2 up/down: 0/-190)           Total: -190 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-23 18:31:26 +01:00
Denys Vlasenko
5e4236d226 tls: in AES-CBC code, do not set key for every record - do it once
function                                             old     new   delta
aes_setkey                                            16     212    +196
tls_handshake                                       1941    1977     +36
aes_encrypt_1                                        382     396     +14
xwrite_encrypted                                     605     604      -1
tls_xread_record                                     659     656      -3
aes_encrypt_one_block                                 65      59      -6
aes_cbc_encrypt                                      172     121     -51
aesgcm_setkey                                         58       -     -58
aes_cbc_decrypt                                      958     881     -77
KeyExpansion                                         188       -    -188
------------------------------------------------------------------------------
(add/remove: 0/2 grow/shrink: 3/5 up/down: 246/-384)         Total: -138 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-23 18:02:44 +01:00
Denys Vlasenko
83e5c627e1 tls: add support for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher
function                                             old     new   delta
xwrite_encrypted                                     209     605    +396
GHASH                                                  -     395    +395
aes_encrypt_1                                          -     382    +382
GMULT                                                  -     192    +192
tls_xread_record                                     489     659    +170
aes_encrypt_one_block                                  -      65     +65
aesgcm_setkey                                          -      58     +58
FlattenSzInBits                                        -      52     +52
tls_handshake                                       1890    1941     +51
xwrite_and_update_handshake_hash                      46      81     +35
xorbuf                                                 -      24     +24
aes_setkey                                             -      16     +16
psRsaEncryptPub                                      413     421      +8
stty_main                                           1221    1227      +6
ssl_client_main                                      138     143      +5
next_token                                           841     845      +4
spawn_ssl_client                                     218     219      +1
volume_id_probe_hfs_hfsplus                          564     563      -1
read_package_field                                   232     230      -2
i2cdetect_main                                       674     672      -2
fail_hunk                                            139     136      -3
parse_expr                                           891     883      -8
curve25519                                           802     793      -9
aes_cbc_decrypt                                      971     958     -13
xwrite_handshake_record                               43       -     -43
aes_cbc_encrypt                                      644     172    -472
------------------------------------------------------------------------------
(add/remove: 9/1 grow/shrink: 9/8 up/down: 1860/-553)        Total: 1307 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-23 17:48:07 +01:00
Denys Vlasenko
4e46b98a45 tls: add comment, no code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-18 19:50:24 +01:00
Denys Vlasenko
d5a0405a6f tls: code shrink
function                                             old     new   delta
tls_get_zeroed_outbuf                                  -      28     +28
static.empty_client_cert                               7       -      -7
tls_handshake                                       1930    1890     -40
------------------------------------------------------------------------------
(add/remove: 1/1 grow/shrink: 0/1 up/down: 28/-47)            Total: -19 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-13 11:58:53 +01:00
Denys Vlasenko
de7b5bb59a tls: tidy up recently added ECDSA code
function                                             old     new   delta
tls_handshake                                       1935    1930      -5
static.OID_ECDSA_KEY_ALG                              21      11     -10
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-15)             Total: -15 bytes
   text	   data	    bss	    dec	    hex	filename
 950036	    477	   7296	 957809	  e9d71	busybox_old
 950048	    477	   7296	 957821	  e9d7d	busybox_unstripped

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-13 11:44:32 +01:00
Denys Vlasenko
bddb6545a9 tls: add support for ECDHE-ECDSA-AES-128-CBC-SHA and x25519 curve
function                                             old     new   delta
curve25519                                             -     835    +835
tls_handshake                                       1619    1935    +316
xc_diffadd                                             -     230    +230
fe_mul__distinct                                       -     149    +149
lm_sub                                                 -     103    +103
lm_add                                                 -      82     +82
fe_mul_c                                               -      74     +74
fe_select                                              -      45     +45
static.f25519_one                                      -      32     +32
static.basepoint9                                      -      32     +32
static.OID_ECDSA_KEY_ALG                               -      21     +21
static.OID_RSA_KEY_ALG                                 -      13     +13
static.supported_groups                                -       8      +8
static.empty_client_cert                               -       7      +7
der_binary_to_pstm                                    40      42      +2
static.expected                                       13       -     -13
------------------------------------------------------------------------------
(add/remove: 14/1 grow/shrink: 2/0 up/down: 1949/-13)        Total: 1936 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-13 02:17:54 +01:00
Denys Vlasenko
084bac472b tls: code shrink
function                                             old     new   delta
tls_handshake                                       1643    1619     -24

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-05 00:19:15 +01:00
Denys Vlasenko
5df3b12241 tls: reorder a few more cipher ids
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-04 21:25:41 +01:00
Denys Vlasenko
b29d045581 tls: move TLS_AES_128_GCM_SHA256 definition up
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-04 21:18:29 +01:00
Denys Vlasenko
9b0ce4d608 tls: add more cipher ids, no code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-11-04 20:53:54 +01:00
Ivan Abrea
5cb4f9081f tls: fix to handle X.509 v1 certificates correctly
The syntax of public key certificates can be found in RFC 5280 section
4.1. The relevant part of the syntax is the following:

  TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    ... remaining fields omitted ...
  }

The version field has a default value of v1. RFC 5280 section 4.1.2.1
says the following:

  If only basic fields are present, the version SHOULD be 1 (the value
  is omitted from the certificate as the default value); however, the
  version MAY be 2 or 3.

To help detect if the version field is present or not, the type of the
version field has an explicit tag of [0]. Due to this tag, if the
version field is present, its encoding will have an identifier octet
that is distinct from that of the serialNumber field.

ITU-T X.690 specifies how a value of such a type should be encoded with
DER. There is a PDF of X.690 freely available from ITU-T. X.690 section
8.1.2 specifies the format of identifier octets which is the first
component of every encoded value. Identifier octets encode the tag of a
type. Bits 8 and 7 encode the tag class. Bit 6 will be 0 if the encoding
is primitive and 1 if the encoding is constructed. Bits 5 to 1 encode
the tag number.

X.690 section 8.14 specifies what the identifier octet should be for
explicitly tagged types. Section 8.14.3 says if implicit tagging is not
used, then the encoding shall be constructed. The version field uses
explicit tagging and not implicit tagging, so its encoding will be
constructed. This means bit 6 of the identifier octet should be 1.

X.690 section 8.14 and Annex A provide examples. Note from their
examples that the notation for tags could look like [APPLICATION 2]
where both the tag class and tag number are given. For this example, the
tag class is 1 (application) and the tag number is 2. For notation like
[0] where the tag class is omitted and only the tag number is given, the
tag class will be context-specific.

Putting this all together, the identifier octet for the DER encoding of
the version field should have a tag class of 2 (context-specific), bit 6
as 1 (constructed), and a tag number of 0.

Signed-off-by: Ivan Abrea <ivan@algosolutions.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-06-24 20:05:24 +02:00
Denys Vlasenko
a48eadbc22 tls: remove redundant floor prevention
function                                             old     new   delta
tls_xread_record                                     499     489     -10

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-02-14 17:37:41 +01:00
Denys Vlasenko
403f2999f9 wget: initial support for ftps://
function                                             old     new   delta
spawn_ssl_client                                       -     185    +185
parse_url                                            409     461     +52
packed_usage                                       32259   32278     +19
tls_run_copy_loop                                    293     306     +13
ssl_client_main                                      128     138     +10
showmode                                             330     338      +8
P_FTPS                                                 -       5      +5
filter_datapoints                                    177     179      +2
deflate                                              907     905      -2
decode_one_format                                    723     716      -7
wget_main                                           2591    2440    -151
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 6/3 up/down: 294/-160)          Total: 134 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-02-06 15:15:08 +01:00
Denys Vlasenko
98066662aa tls: fix hash calculations if client cert is requested and sent
Symptoms: connecting to
    openssl s_server -cert vsftpd.pem -port 990 -debug -cipher AES128-SHA
works, but with "-verify 1" option added it does not.

function                                             old     new   delta
tls_xread_record                                     474     499     +25
tls_handshake                                       1582    1607     +25
bad_record_die                                        98     110     +12
tls_run_copy_loop                                    282     293     +11
tls_xread_handshake_block                             58      51      -7
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 4/1 up/down: 73/-7)              Total: 66 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-02-06 13:33:00 +01:00
Denys Vlasenko
558aae1a33 tls: use capped SNI len everywhere
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-07-04 16:52:45 +02:00
Denys Vlasenko
5d561ef634 tls: do not compile in TLS_RSA_WITH_NULL_SHA256 code if unreachable
function                                             old     new   delta
tls_handshake                                       1595    1588      -7
xwrite_encrypted                                     244     209     -35

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-04-04 01:41:15 +02:00
Denys Vlasenko
229d3c467d tls: avoid using int16 in pstm code
function                                             old     new   delta
pstm_div                                            1472    1522     +50
psRsaEncryptPub                                      403     413     +10
pstm_2expt                                            91      96      +5
pstm_clear                                            68      72      +4
pstm_init                                             39      42      +3
pstm_unsigned_bin_size                                36      37      +1
pstm_montgomery_reduce                               398     399      +1
pstm_init_size                                        45      46      +1
pstm_zero                                             39      38      -1
pstm_set                                              35      34      -1
pstm_read_unsigned_bin                               112     109      -3
pstm_mulmod                                          123     120      -3
pstm_mod                                             116     113      -3
pstm_cmp                                              57      54      -3
pstm_sub                                             107     102      -5
pstm_to_unsigned_bin                                 157     151      -6
pstm_clamp                                            63      57      -6
pstm_add                                             116     108      -8
pstm_grow                                             81      72      -9
pstm_count_bits                                       57      48      -9
pstm_init_copy                                        84      72     -12
pstm_cmp_mag                                          93      78     -15
pstm_sqr_comba                                       567     551     -16
pstm_montgomery_calc_normalization                   158     140     -18
pstm_copy                                            115      92     -23
pstm_lshd                                            133     109     -24
pstm_mul_comba                                       525     500     -25
pstm_mul_d                                           251     224     -27
s_pstm_sub                                           256     228     -28
s_pstm_add                                           370     337     -33
pstm_div_2d                                          444     409     -35
pstm_mul_2                                           195     156     -39
pstm_rshd                                            154     104     -50
pstm_mul_2d                                          247     186     -61
pstm_exptmod                                        1524    1463     -61
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 8/27 up/down: 75/-524)         Total: -449 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-04-03 21:53:29 +02:00
Denys Vlasenko
636c3b627c tls: merge sha1 and sha256 hmac functions
function                                             old     new   delta
hmac_begin                                             -     196    +196
hmac_sha256                                           61      68      +7
hmac                                                 250      87    -163
hmac_sha256_begin                                    190       -    -190
------------------------------------------------------------------------------
(add/remove: 1/1 grow/shrink: 1/1 up/down: 203/-353)         Total: -150 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-04-03 17:43:44 +02:00
Denys Vlasenko
0ec4d08ea3 tls: covert i/o loop from using select() to poll()
function                                             old     new   delta
tls_run_copy_loop                                    377     282     -95

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-16 16:51:18 +01:00
Denys Vlasenko
c31b54fd81 tls: fold AES CBC en/decryption into single functions
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-04 16:23:49 +01:00
Denys Vlasenko
5b05d9db29 wget/tls: session_id of zero length is ok (arxiv.org responds with such)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-03 18:23:52 +01:00
Denys Vlasenko
89193f985b tls: can download kernels now :)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24 18:08:07 +01:00
Denys Vlasenko
1500b3a50d tls: if got CERTIFICATE_REQUEST, send an empty CERTIFICATE
wolfssl test server is not satisfied by an empty one,
but some real servers might be.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24 17:06:10 +01:00
Denys Vlasenko
49ecee098d tls: add 2nd cipher_id, TLS_RSA_WITH_AES_128_CBC_SHA, so far it doesn't work
Good news that TLS_RSA_WITH_AES_256_CBC_SHA256 still works with new code ;)

This change adds inevitable extension to have different sized hashes and AES key sizes.
In libbb, md5_end() and shaX_end() are extended to return result size instead of void -
this helps *a lot* in tls (the cost is ~5 bytes per _end() function).

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24 16:00:54 +01:00
Denys Vlasenko
7a18b9502a tls: reorder tls_handshake_data fields for smaller size, tweak comments
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23 16:37:04 +01:00
Denys Vlasenko
b5bf1913d3 tls: send EMPTY_RENEGOTIATION_INFO_SCSV in our client hello
Hoped this can make cdn.kernel.org to like us more. Nope.
While at it, made error reporting more useful.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23 16:12:17 +01:00
Denys Vlasenko
9492da7e63 tls: set TLS_DEBUG to 0; placate a gcc indentation warning
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23 01:15:13 +01:00
Denys Vlasenko
9a647c326a separate TLS code into a library, use in in wget
A new applet, ssl_client, is the TLS debug thing now.
It doubles as wget's NOMMU helper.
In MMU mode, wget still forks, but then directly calls TLS code,
without execing.

This can also be applied to sendmail/popmail (SMTPS / SMTP+starttls support)
and nc --ssl (ncat, nmap's nc clone, has such option).

function                                             old     new   delta
tls_handshake                                          -    1691   +1691
tls_run_copy_loop                                      -     443    +443
ssl_client_main                                        -     128    +128
packed_usage                                       30978   31007     +29
wget_main                                           2508    2535     +27
applet_names                                        2553    2560      +7
...
xwrite_encrypted                                     360     342     -18
tls_main                                            2127       -   -2127
------------------------------------------------------------------------------
(add/remove: 4/1 grow/shrink: 13/8 up/down: 2351/-2195)       Total: 156 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23 01:08:16 +01:00
Denys Vlasenko
f6e20724d4 tls: reorder tls_state fields for smaller offsets
function                                             old     new   delta
xwrite_encrypted                                     363     360      -3
xwrite_and_update_handshake_hash                     117     114      -3
tls_xread_handshake_block                             72      69      -3
tls_error_die                                        211     202      -9
tls_get_outbuf                                        64      49     -15
tls_main                                            2163    2127     -36
tls_xread_record                                     702     639     -63
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/7 up/down: 0/-132)           Total: -132 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21 02:08:34 +01:00
Denys Vlasenko
dd2577f21a tls: send SNI in the client hello
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 22:48:41 +01:00
Denys Vlasenko
0af5265180 tls: check size on "MAC-only, no crypt" code path too
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 21:23:10 +01:00
Denys Vlasenko
54b927d78b tls: AES decrypt does one unnecessary memmove
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 21:19:38 +01:00
Denys Vlasenko
3916139ac4 tls: make input buffer grow as needed
As it turns out, it goes only up to "inbuf_size:4608"
for kernel.org - fixed 18kb buffer was x4 larger than necessary.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 20:27:06 +01:00
Denys Vlasenko
38972a8df1 tls: improve i/o loop
With tls_has_buffered_record(), entire kernel.org response
is printed at once, without 6 second pause to see its delayed EOF.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 19:11:14 +01:00
Denys Vlasenko
e7863f394e tls: was psAesDecrypt'ing one block too many, trashing buffered data
For the first time

printf "GET / HTTP/1.1\r\nHost: kernel.org\r\n\r\n" | ./busybox tls kernel.org

successfully reads entire server response and TLS shutdown.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20 18:04:04 +01:00