summaryrefslogtreecommitdiff
path: root/networking
AgeCommit message (Collapse)Author
2017-04-01tls: replace aes encryption/decryption by much smaller oneDenys Vlasenko
The replacement code is ~6 times slower, but drastically decreases size of tls_aes.o: text data bss dec hex filename 8050 0 0 8050 1f72 tls_aes_OLD.o 2461 0 0 2461 99d tls_aes.o function old new delta sbox - 256 +256 rsbox - 256 +256 KeyExpansion - 197 +197 Subword - 66 +66 AddRoundKey - 61 +61 static.Rcon - 10 +10 rcon 40 - -40 setup_mix 80 - -80 setup_mix2 123 - -123 aes_cbc_decrypt 1377 971 -406 aes_cbc_encrypt 1375 644 -731 psAesInit 848 - -848 Te4 1024 - -1024 TE0 1024 - -1024 TD0 1024 - -1024 Td4 1040 - -1040 ------------------------------------------------------------------------------ (add/remove: 6/8 grow/shrink: 0/2 up/down: 846/-6340) Total: -5494 bytes This code is based on public domain "tiny-AES128-C" code. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-03-27udhcp6: move misplaced commentDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-03-27udhcp6: fix releasingDenys Vlasenko
Patch is based on work by tiggerswelt.net. They say: " We wanted udhcpc6 to release its IPv6-Addresses on quit (-R-commandline-option) which turned out to generate once again kind of garbage on the network-link. We tracked this down to two issues: - udhcpc6 uses a variable called "srv6_buf" to send packets to the dhcp6-server, but this variable is never initialized correctly and contained kind of a garbage-address - The address of the dhcp6-server is usually a link-local-address, that requires an interface-index when using connect() on an AF_INET6- socket We added an additional parameter for ifindex to d6_send_kernel_packet() and made d6_recv_raw_packet() to capture the address of the dhcp6-server and forward it to its callee. " Three last patches together: function old new delta d6_read_interface - 454 +454 d6_recv_raw_packet - 283 +283 option_to_env 249 504 +255 .rodata 165226 165371 +145 send_d6_discover 195 237 +42 send_d6_select 118 159 +41 send_d6_renew 173 186 +13 send_d6_release 162 173 +11 opt_req - 10 +10 d6_send_kernel_packet 304 312 +8 opt_fqdn_req - 6 +6 d6_mcast_from_client_config_ifindex 48 51 +3 d6_find_option 63 61 -2 udhcpc6_main 2416 2411 -5 static.d6_recv_raw_packet 266 - -266 ------------------------------------------------------------------------------ (add/remove: 5/1 grow/shrink: 8/2 up/down: 1271/-273) Total: 998 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-03-27udhcp6: fix problems found running against dnsmasqDenys Vlasenko
Patch is based on work by tiggerswelt.net. They say: " But when we tried to use dnsmasq on server-side, udhcpc6 was unable to forward the acquired address to its setup-script although the IPv6-Address had been assigned by the server as we could see via tcpdump. We traced this issue down to a problem on how udhcpc6 parses DHCPv6-Options: When moving to next option, a pointer-address is increased and a length buffer is decreased by the length of the option. The problem is that it is done in this order: option += 4 + option[3]; len_m4 -= 4 + option[3]; But this has to be switched as the length is decreased by the length of the *next* option, not the current one. This affected both - internal checks if a required option is present and the function to expose options to the environment of the setup-script. There was also a bug parsing D6_OPT_STATUS_CODE Options, that made dnsmasq not work as udhcpc6 thought it is receiving a non-positive status-code (because it did not parse the status-code as required in RFC 3315). In addition we introduced basic support for RFC 3646 (OPTION_DNS_SERVERS and OPTION_DOMAIN_LIST) and RFC 4704 (OPTION_CLIENT_FQDN). " Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-03-27udhcp6: read_interface should save link-local ipv6 addressDenys Vlasenko
Patch is based on work by tiggerswelt.net. They say: "Using this patch it was no problem to acquire an IPv6-Address via DHCPv6 using ISC DHCPD6 on server-side." Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-03-24whitespace fixDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-17udhcpc: make sure we do not overflow poll timeoutDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-17nc_bloaty: use poll() instead of select()Denys Vlasenko
function old new delta readwrite 829 715 -114 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-16udhcp: use poll() instead of select()Denys Vlasenko
function old new delta udhcp_sp_read 65 46 -19 udhcp_sp_fd_set 79 54 -25 udhcpd_main 1530 1482 -48 udhcpc_main 2780 2730 -50 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 0/4 up/down: 0/-142) Total: -142 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-16udhcp: do not clobber errno by signal handlerDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-16nc: use poll() instead of select()Denys Vlasenko
function old new delta nc_main 943 866 -77 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-16tls: covert i/o loop from using select() to poll()Denys Vlasenko
function old new delta tls_run_copy_loop 377 282 -95 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-04httpd: use "Content-Length", not "-length"Denys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-04tls: fold AES CBC en/decryption into single functionsDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-02-03wget/tls: session_id of zero length is ok (arxiv.org responds with such)Denys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-30wget: add a big explanation what TLS code implements and what does notDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-29typo in commentDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-29*: add comment about APPLET_ODDNAME formatDenys Vlasenko
It confused me more than once Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-26httpd: defend against attempts to OOM us. Closes 9611Denys Vlasenko
We were strdup'ing "Cookie: foo" every time we saw it. function old new delta handle_incoming_and_exit 2733 2821 +88 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-25ftpd/ls: show directories firstDenys Vlasenko
Old TODO finally done function old new delta ls_main 548 568 +20 packed_usage 31116 31097 -19 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24ftpd: new option -a ANON_USER to allow anonymous loginsAndrey Mozzhuhin
Anonymous ftpd login is useful even when ftpd authentication feature is enabled. Anonymous logins provide simple password-less connection for FTP clients. To allow password-less connection user command line option '-a USER' is added. This option specifies the system user to use when 'anonymous' username is given in USER command. No password is required in this case. function old new delta ftpd_main 2164 2232 +68 packed_usage 31015 31046 +31 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 99/0) Total: 99 bytes Signed-off-by: Andrey Mozzhuhin <amozzhuhin@yandex.ru> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24wget: add support for -S --server-responseDenys Vlasenko
Based on the patch by stephane.billiart@gmail.com function old new delta ftpcmd 87 129 +42 fgets_and_trim 86 119 +33 static.wget_longopts 234 252 +18 packed_usage 31002 31015 +13 wget_main 2535 2540 +5 gethdr 158 163 +5 retrieve_file_data 424 428 +4 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 7/0 up/down: 120/0) Total: 120 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24tls: can download kernels now :)Denys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24tls: if got CERTIFICATE_REQUEST, send an empty CERTIFICATEDenys Vlasenko
wolfssl test server is not satisfied by an empty one, but some real servers might be. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-24tls: add 2nd cipher_id, TLS_RSA_WITH_AES_128_CBC_SHA, so far it doesn't workDenys Vlasenko
Good news that TLS_RSA_WITH_AES_256_CBC_SHA256 still works with new code ;) This change adds inevitable extension to have different sized hashes and AES key sizes. In libbb, md5_end() and shaX_end() are extended to return result size instead of void - this helps *a lot* in tls (the cost is ~5 bytes per _end() function). Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23tls: reorder tls_handshake_data fields for smaller size, tweak commentsDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23tls: send EMPTY_RENEGOTIATION_INFO_SCSV in our client helloDenys Vlasenko
Hoped this can make cdn.kernel.org to like us more. Nope. While at it, made error reporting more useful. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23tls: set TLS_DEBUG to 0; placate a gcc indentation warningDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-23separate TLS code into a library, use in in wgetDenys Vlasenko
A new applet, ssl_client, is the TLS debug thing now. It doubles as wget's NOMMU helper. In MMU mode, wget still forks, but then directly calls TLS code, without execing. This can also be applied to sendmail/popmail (SMTPS / SMTP+starttls support) and nc --ssl (ncat, nmap's nc clone, has such option). function old new delta tls_handshake - 1691 +1691 tls_run_copy_loop - 443 +443 ssl_client_main - 128 +128 packed_usage 30978 31007 +29 wget_main 2508 2535 +27 applet_names 2553 2560 +7 ... xwrite_encrypted 360 342 -18 tls_main 2127 - -2127 ------------------------------------------------------------------------------ (add/remove: 4/1 grow/shrink: 13/8 up/down: 2351/-2195) Total: 156 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21ip: better --helpDenys Vlasenko
Was: Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND] ip [OPTIONS] OBJECT [COMMAND] where OBJECT := address|route|link|tunnel|neigh|rule OPTIONS := -f[amily] inet|inet6|link | -o[neline] User: instead of repeating list of OBJECTs twice, you could at least show available COMMANDs... Now: Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [COMMAND] OPTIONS := -f[amily] inet|inet6|link | -o[neline] COMMAND := ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX] ip route list|flush|add|del|change|append|replace|test ROUTE ip link set IFACE [up|down] [arp on|off] | show [IFACE] ip tunnel add|change|del|show [NAME] [mode ipip|gre|sit] [remote ADDR] [local ADDR] [ttl TTL] ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE] ip rule [list] | add|del SELECTOR ACTION While at it, tweak tc --help too (it stays disabled, thus no effect) Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21more ip --help fixesDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21make --help texts smallerDenys Vlasenko
function old new delta packed_usage 31035 30968 -67 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21make --help texts more uniformDenys Vlasenko
function old new delta packed_usage 31062 31035 -27 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-21tls: reorder tls_state fields for smaller offsetsDenys Vlasenko
function old new delta xwrite_encrypted 363 360 -3 xwrite_and_update_handshake_hash 117 114 -3 tls_xread_handshake_block 72 69 -3 tls_error_die 211 202 -9 tls_get_outbuf 64 49 -15 tls_main 2163 2127 -36 tls_xread_record 702 639 -63 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 0/7 up/down: 0/-132) Total: -132 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: send SNI in the client helloDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: check size on "MAC-only, no crypt" code path tooDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: AES decrypt does one unnecessary memmoveDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: make input buffer grow as neededDenys Vlasenko
As it turns out, it goes only up to "inbuf_size:4608" for kernel.org - fixed 18kb buffer was x4 larger than necessary. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: improve i/o loopDenys Vlasenko
With tls_has_buffered_record(), entire kernel.org response is printed at once, without 6 second pause to see its delayed EOF. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: was psAesDecrypt'ing one block too many, trashing buffered dataDenys Vlasenko
For the first time printf "GET / HTTP/1.1\r\nHost: kernel.org\r\n\r\n" | ./busybox tls kernel.org successfully reads entire server response and TLS shutdown. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20rdate: make it do something remotely sane, facing 32-bit time overflowDenys Vlasenko
function old new delta rdate_main 251 254 +3 packed_usage 31029 31023 -6 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: do not use common_bufsizDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: decode alerts and in particular, EOF alert.Denys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-20tls: add the i/o loop - largish rework of i/o bufferingDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-19tls: fix ROL/ROR x86 optimizationDenys Vlasenko
ALWAYS_INLINE: function old new delta psAesInitKey 825 824 -1 ROR 5 - -5 setup_mix2 148 134 -14 psAesDecryptBlock 1184 1139 -45 psAesEncryptBlock 1193 1102 -91 ------------------------------------------------------------------------------ (add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-156) Total: -156 bytes ALWAYS_INLINE + __builtin_constant_p(shift_cnt): function old new delta ROR 5 - -5 psAesInitKey 825 818 -7 setup_mix2 148 123 -25 psAesDecryptBlock 1184 1078 -106 psAesEncryptBlock 1193 1017 -176 ------------------------------------------------------------------------------ (add/remove: 0/1 grow/shrink: 0/4 up/down: 0/-319) Total: -319 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-19tls: tested PSTM_X86_64, not enabling it - too largeDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-19tls: commented out psPool_t useDenys Vlasenko
function old new delta psAesEncrypt 159 162 +3 der_binary_to_pstm 42 40 -2 xwrite_and_hash 437 434 -3 xread_tls_block 446 443 -3 pstm_div_2d 449 444 -5 psAesDecrypt 179 174 -5 pstm_init_size 52 45 -7 pstm_init 46 39 -7 pstm_to_unsigned_bin 165 157 -8 tls_main 1265 1256 -9 pstm_mulmod 132 123 -9 pstm_mod 125 116 -9 pstm_init_copy 93 84 -9 psAesInitKey 840 825 -15 send_client_key_exchange 362 342 -20 psAesInit 103 80 -23 psRsaEncryptPub 429 403 -26 psAesDecryptBlock 1211 1184 -27 psAesEncryptBlock 1223 1193 -30 pstm_exptmod 1582 1524 -58 pstm_div 1557 1472 -85 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 1/20 up/down: 3/-360) Total: -357 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-19ntpd: print result of hostname resolutionDenys Vlasenko
This is particularly useful if hostname resolution is triggered by host non-reachability: I saw this in real-life, without the message it is not at all obvious that IP that we use for a specific host has changed. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-19tls: teach it to decrypt AES256-encrypted dataDenys Vlasenko
This adds decryption only. There is no MAC verification, code simply throws away MAC. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-18tls: trim commentsDenys Vlasenko
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>