Commit Graph

2531 Commits

Author SHA1 Message Date
Denys Vlasenko
b5dfc3dfd6 tls: teach it to send AES256-encrypted data
>> CLIENT_HELLO
wrote 50 bytes
insize:0 tail:0
got block len:74
got HANDSHAKE
<< SERVER_HELLO
insize:79 tail:0
got block len:2397
got HANDSHAKE
<< CERTIFICATE
key bytes:271, first:0x00
server_rsa_pub_key.size:256
insize:2402 tail:0
got block len:4
got HANDSHAKE
<< SERVER_HELLO_DONE
>> CLIENT_KEY_EXCHANGE
wrote 267 bytes
master secret:c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
client_write_MAC_key:3b0b7e2bab241b629c37eb3a3824f09b39fe71a00876b0c8026dda16ef0d2f82
client_write_key:d36e801470ed2f0a8fc886ac25df57ffbe4265d06e3192122c4ef4df1e32fab2
>> CHANGE_CIPHER_SPEC
from secret: c51df5b1e3b3f57373cdd8ea28e8ce562059636cf9f585d0b89c7f4bacec97e674d7b91f93e7b500cb64637f240c3b78
from labelSeed: 636c69656e742066696e6973686564b22e0e6008b8ee218cc02e4a93e4a42b570535f9b57662e262d43b379d125b69
=> digest: a45bfee8ed6507a2a9920d0c
>> FINISHED
before crypt: 5 hdr + 16 data + 32 hash bytes
writing 5 + 16 IV + 64 encrypted bytes, padding_length:0x0f
wrote 85 bytes
insize:9 tail:0
got block len:1
<< CHANGE_CIPHER_SPEC
insize:6 tail:0
got block len:80
< hdr_type:22 ver:3.3 len:80 type:21 len24:9541723 |1591985b...a3da|

The last line is the server's FINISHED response, encrypted.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-18 20:37:24 +01:00
Denys Vlasenko
b7e9ae6e9f tls: added AES code and made it compile. not used yet
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-18 17:20:27 +01:00
Denys Vlasenko
c8ba23bcec tls: massage writing for encryption support; finer-grained debug
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-18 06:45:50 +01:00
Denys Vlasenko
5d1662ea1c tls: address one easy FIXME, tidy up comments
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-17 18:17:27 +01:00
Denys Vlasenko
e69d78c038 tls: process CHANGE_CIPHER_SPEC and FINISHED from server
Successfully finishes handshake with test servers using NULL-SHA256
cipher.

The "only" thing remaining before there is a chance
this can actually work with real servers is AES encrypt/decrypt.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-17 17:24:11 +01:00
Denys Vlasenko
fe0588df3b tls: rearrange function order, improve comments
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-17 17:04:24 +01:00
Denys Vlasenko
e2cb3b990f tls: make our send_client_finished() pass server check
sha256 hash should be calculated over incoming handshake packets too!

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-17 16:53:36 +01:00
Denys Vlasenko
9a6897a48a tls: format FINISHED message properly for unencrypted, but sha256 signed mode
Now it at least looks correct, but unfortunately "openssl s_server"
says my hash is wrong.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-16 23:26:33 +01:00
Denys Vlasenko
4e08a123b0 Assorted warning fixes and added a comment, no code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-16 17:31:05 +01:00
Denys Vlasenko
936e83e694 tls: add sha256 hmac and prf code
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-16 04:25:01 +01:00
Denys Vlasenko
3f8ecd933a tls: rearrange code, add/improve comments, fix whitespace, no real changes here
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-15 14:16:51 +01:00
Denys Vlasenko
c5540d61f6 tls: send CHANGE_CIPHER_SPEC
To "actually implement it" will take more work...

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-15 02:17:03 +01:00
Denys Vlasenko
f78ad0938b whitespace fix
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-15 00:18:22 +01:00
Denys Vlasenko
11d0096516 tls: format and send CLIENT_KEY_EXCHANGE
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4265
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8b217a7:0x30 len:1452 inner_byte @0x8b217ab:0x30
entered der @0x8b217ab:0x30 len:1172 inner_byte @0x8b217af:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8b218b4:0x30 len:418 inner_byte @0x8b218b8:0x30
skipped der 0x30, next byte 0x03
entered der @0x8b218c7:0x03 len:399 inner_byte @0x8b218cb:0x00
key bytes:399, first:0x00
entered der @0x8b218cc:0x30 len:394 inner_byte @0x8b218d0:0x02
binary bytes:385, first:0x00
skipped der 0x02, next byte 0x02
binary bytes:3, first:0x01
server_rsa_pub_key.size:384
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE
insize:9 tail:0
^C

Next step: send CHANGE_CIPHER_SPEC... and actually implement it.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-15 00:12:42 +01:00
Denys Vlasenko
2a17d1fc9b tls: DER length byte 0x81 is actually valid
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-14 22:38:25 +01:00
Denys Vlasenko
b1003f7019 tls: a bit more work
$ ./busybox tls kernel.org
insize:0 tail:0
got block len:74
got HANDSHAKE
got SERVER_HELLO
insize:79 tail:4406
got block len:4392
got HANDSHAKE
got CERTIFICATE
entered der @0x8f7e723:0x30 len:1452 inner_byte @0x8f7e727:0x30
entered der @0x8f7e727:0x30 len:1172 inner_byte @0x8f7e72b:0xa0
skipped der 0xa0, next byte 0x02
skipped der 0x02, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
skipped der 0x30, next byte 0x30
entered der @0x8f7e830:0x30 len:418 inner_byte @0x8f7e834:0x30
skipped der 0x30, next byte 0x03
entered der @0x8f7e843:0x03 len:399 inner_byte @0x8f7e847:0x00
copying key bytes:399, first:0x00
insize:4397 tail:9
got block len:4
got SERVER_HELLO_DONE

Now need to teach it to send ClientKeyExchange...

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-14 13:57:16 +01:00
Denys Vlasenko
ceff6b0ea9 tls: work-in-progress TLS1.2 test applet
function                                             old     new   delta
tls_main                                               -     733    +733
dump                                                   -     230    +230
xread_tls_block                                        -     180    +180
get_der_len                                            -      76     +76
enter_der_item                                         -      70     +70
skip_der_item                                          -      56     +56
get24be                                                -      24     +24
tls_error_die                                          -      19     +19
packed_usage                                       31010   31027     +17
applet_names                                        2549    2553      +4
applet_main                                         1472    1476      +4
applet_suid                                           92      93      +1
applet_install_loc                                   184     185      +1
------------------------------------------------------------------------------
(add/remove: 9/0 grow/shrink: 5/0 up/down: 1415/0)           Total: 1415 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-14 12:49:32 +01:00
Denys Vlasenko
a6f8651911 wget: fix for brain-damaged HTTP servers. Closes 9471
write(3, "GET / HTTP/1.1\r\nUser-Agent: Wget\r\nConnection: close\r\n\r\n", 74) = 74
shutdown(3, SHUT_WR)    = 0
alarm(900)              = 900
read(3, "", 1024)       = 0
write(2, "wget: error getting response\n", 29) = 29
exit(1)

The peer simply does not return anything. It closes its connection.

Probably it detects wget closing its writing end: shutdown(3, SHUT_WR).

The point it, closing write side of the socket is _valid_ for HTTP.
wget sent the full request, it won't be sending anything more:
it will only receive the response, and that's it.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-11 20:16:45 +01:00
Denys Vlasenko
ed15dde60a Move FEATURE_AUTOWIDTH config option to two applets which use it
No code changes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-11 16:35:52 +01:00
Denys Vlasenko
f560422fa0 Big cleanup in config help and description
Redundant help texts (one which only repeats the description)
are deleted.

Descriptions and help texts are trimmed.

Some config options are moved, even across menus.

No config option _names_ are changed.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-10 14:58:54 +01:00
Laurent Bercot
0ef478f01b httpd: fix address family for reverse proxy client socket
When httpd proxies a request to another server, it first creates
an AF_INET socket, then resolves the server name to a sockaddr,
then connects to it. This fails if the server name resolves to
an IPv6 address.

This patch ensures that the socket is created with the correct
address family (AF_INET6 if the server resolves to an IPv6 address
and AF_INET otherwise).

Signed-off-by: Laurent Bercot <ska-dietlibc@skarnet.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-08 15:14:38 +01:00
Natanael Copa
b62ea34afe ntpd: improve postponed hostname resolution
Run the namelookup from the main loop so a misspelled first ntp server
name does not block everything forever.

This fixes the following situation which would block forever:
  $ sudo ./busybox ntpd -dn -p foobar  -p pool.ntp.org
  ntpd: bad address 'foobar'
  ntpd: bad address 'foobar'
  ntpd: bad address 'foobar'
  ...

New behavior:
  ntpd: bad address 'foobar'
  ntpd: sending query to 137.190.2.4
  ntpd: reply from 137.190.2.4: offset:-1.009775 delay:0.175550 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x01
  ntpd: sending query to 137.190.2.4
  ntpd: reply from 137.190.2.4: offset:-1.009605 delay:0.175461 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x03
  ntpd: sending query to 137.190.2.4
  ntpd: reply from 137.190.2.4: offset:-1.005327 delay:0.167027 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x07
  ntpd: sending query to 137.190.2.4
  ntpd: bad address 'foobar'
  ntpd: reply from 137.190.2.4: offset:-1.046349 delay:0.248705 status:0x24 strat:1 refid:0x00535047 rootdelay:0.000000 reach:0x0f

This patch is based on Kaarle Ritvanens work.
http://lists.busybox.net/pipermail/busybox/2016-May/084197.html

function                                             old     new   delta
ntpd_main                                           1061    1079     +18
ntp_init                                             556     560      +4
resolve_peer_hostname                                 81      75      -6
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/1 up/down: 22/-6)              Total: 16 bytes

Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-06 16:21:09 +01:00
Denys Vlasenko
c6137ba510 udhcp: tweak config order and menu item names
All other applets are listed simply by their name, no reason why
dumpleases doesn't do that.

Group all udhcpd feature options directly after it.

Put "NOT READY" into udhcpc6 item (some users actually tried to use it,
and complained).

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-04 12:13:38 +01:00
Jörg Krause
c6725b0af6 Fix dependency for IFUPDOWN_UDHCPC_CMD_OPTIONS
Commit a8c696bf09 makes ifup and ifdown
individually selectable, but forgets to update the dependency to
IFUPDOWN_UDHCPC_CMD_OPTIONS, so it is not selectable anymore.

This patch fixes the dependency by checking for IFUP or IFDOWN, instead
of the obsolete IFUPDOWN.

Also, it drops dependency on UDHCPC: udhcpc on the target system
does not have to come from the _same_ binary.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-03 12:29:52 +01:00
Denys Vlasenko
7890035452 tcpudp: define SO_ORIGINAL_DST directly, not via include
musl does not like including linux/netfilter_ipv4.h
(enum / #define collision in two headers, resulting in "3 = 3"
type situation in enum definition).

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-02 10:46:08 +01:00
Denys Vlasenko
100aea8486 Remove FEATURE_IFUPDOWN_IP_BUILTIN and FEATURE_IFUPDOWN_IFCONFIG_BUILTIN
They merely enable ip or ifconfig/route. There is already a way to do this
on the same menuconfig page.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-23 15:20:16 +01:00
Denys Vlasenko
9cc3d3ab21 fix breakage found by mass one-applet builds
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-23 02:42:26 +01:00
Denys Vlasenko
7c5dea399b ip: make ip aliases individually selectable
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-22 22:30:13 +01:00
Denys Vlasenko
5d27cb3640 Make POST upload example script easier to use
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-22 15:33:11 +01:00
Denys Vlasenko
4acd393eba Update information on building httpd and wget helpers
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-22 15:13:37 +01:00
Lukasz Nowak
b42107f215 libiproute: handle table ids larger than 255
Linux kernel, starting from 2.6.19 allows ip table ids to have 32-bit values.
In order to preserve compatibility, the old 8-bit field: rtm_table is still
in use when table id is lower than 256.

Add support for the 32-bit table id (RTA_TABLE attribute) in:
- ip route print
- ip route modify
- ip rule print
- ip rule modify

Add printing of table ids to ip route.

Changes are compatible with the mainline iproute2 utilities.

These changes are required for compatibility with ConnMan, which by default
uses table ids greater than 255.

function                                             old     new   delta
print_route                                         1588    1637     +49
do_iproute                                          2187    2222     +35
do_iprule                                            955     987     +32
print_rule                                           617     630     +13
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 4/0 up/down: 129/0)             Total: 129 bytes

Signed-off-by: Lukasz Nowak <lnowak@tycoint.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-12-18 18:56:49 +01:00
Denys Vlasenko
1d3a04a3a4 Code style fixes, no code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-28 01:22:57 +01:00
Denys Vlasenko
f7683cdf83 Convert all udhcp applets to "new style" applet definitions
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 18:54:59 +01:00
Denys Vlasenko
29e2c45a5b tc: consolidate its disabled bits
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 09:51:33 +01:00
Denys Vlasenko
8342397801 Make ping6 and traceroute6 selectable independently from ping/traceroute
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 09:25:57 +01:00
Denys Vlasenko
6bfab0c49f ipneigh: add this shortcur similar to other "ip <CMD>" shortcuts
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 09:18:05 +01:00
Denys Vlasenko
3148e0c05b Rename FEATURE_FTP_WRITE and FEATURE_FTP_AUTHENTICATION to *_FTPD_*
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 09:07:44 +01:00
Denys Vlasenko
47367e1d50 Convert all networking/* applets to "new style" applet definitions
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-23 09:05:14 +01:00
Denys Vlasenko
9f8eb1ee76 httpd: explain why we use sprintf and why it should be fine
While at it, fix a pathological case where it is not fine:
-r REALM with some 8-kbyte long REALM would overflow the buffer.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-22 02:23:35 +01:00
Denys Vlasenko
a8c696bf09 Make ifup and ifdown individually selectable.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-14 18:31:07 +01:00
Denys Vlasenko
67fd2f2858 dnsdomainname: split it from "hostname", make it independently selectable
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-11-13 22:35:10 +01:00
Denys Vlasenko
f11c6989ba udhcpc: check read of overload option data byte to be within packet
function                                             old     new   delta
udhcp_get_option                                     220     225      +5

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-25 14:26:36 +02:00
Brian Foley
f9beeb22e2 udhcpc: check read of option length byte to be within packet
function                                             old     new   delta
udhcp_get_option                                     215     220      +5
udhcp_run_script                                     802     803      +1

Signed-off-by: Brian Foley <bpfoley@google.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-25 14:20:55 +02:00
Denys Vlasenko
662634b829 telnetd: ifdef out a buggy error handling code path
Here, not handling the error is would just eat one input 0xff char.
Correct handling would need even more corner case handling,
as-is buggy handling corrupts the buffer.
Since we just been told by kernel that pty is ready,
EAGAIN should not be happening here anyway.

function                                             old     new   delta
telnetd_main                                        1798    1785     -13

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-13 16:17:06 +02:00
Denys Vlasenko
57727d478d telnet: code shrink
put_iac2(w,c) is mostly used with constants, fold them into one arg

function                                             old     new   delta
put_iac2_merged                                        -      46     +46
telnet_main                                         1603    1583     -20
con_escape                                           285     257     -28
put_iac2                                              50       -     -50
------------------------------------------------------------------------------
(add/remove: 1/1 grow/shrink: 0/2 up/down: 46/-98)            Total: -52 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 20:42:58 +02:00
Denys Vlasenko
26d88d6bbd telnetd: add another handshake example in comments, no code changes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 20:09:22 +02:00
Denys Vlasenko
b6d421b635 telnetd: treat all 2-byte IACs in 240..249 range as NOPs.
A bit of future-proofing. Some of them can stand just being ignored.

function                                             old     new   delta
telnetd_main                                        1791    1798      +7

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 19:41:33 +02:00
Denys Vlasenko
122c47ac02 telnetd: fix corner case of input processing of 0xff bytes
I managed to reproduce the bug, with some difficulty.

function                                             old     new   delta
telnetd_main                                        1780    1791     +11

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 19:13:46 +02:00
Denys Vlasenko
0190c41bb2 telnetd: fix a corner case where CRLF->CR translation can misbehave
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 17:36:57 +02:00
Denys Vlasenko
2a54b3e86e telnetd: fix handling of short writes to pty
If a write to pty is short, remove_iacs() can be run on a buffer repeatedly.
This, for example, can eat 0xff chars (IACs, in telnet terms).

Rework the logic to handle IACs in a special "write to pty" function.

function                                             old     new   delta
telnetd_main                                        1662    1750     +88

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2016-10-12 14:54:10 +02:00