diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-04-04 01:41:15 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-04-04 01:41:15 +0200 |
| commit | 5d561ef6349b4b6e1d12ad6638acb46abf1eeca6 (patch) | |
| tree | 6b257d8408f6ed30da743f1662e16f50fef9b1bf | |
| parent | 229d3c467d20bb776edbbb29517df84f09e1e46f (diff) | |
| download | busybox-w32-5d561ef6349b4b6e1d12ad6638acb46abf1eeca6.tar.gz busybox-w32-5d561ef6349b4b6e1d12ad6638acb46abf1eeca6.tar.bz2 busybox-w32-5d561ef6349b4b6e1d12ad6638acb46abf1eeca6.zip | |
tls: do not compile in TLS_RSA_WITH_NULL_SHA256 code if unreachable
function old new delta
tls_handshake 1595 1588 -7
xwrite_encrypted 244 209 -35
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/tls.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/networking/tls.c b/networking/tls.c index 590c04ad9..db518bf90 100644 --- a/networking/tls.c +++ b/networking/tls.c | |||
| @@ -39,7 +39,7 @@ | |||
| 39 | 39 | ||
| 40 | // works against "openssl s_server -cipher NULL" | 40 | // works against "openssl s_server -cipher NULL" |
| 41 | // and against wolfssl-3.9.10-stable/examples/server/server.c: | 41 | // and against wolfssl-3.9.10-stable/examples/server/server.c: |
| 42 | //#define CIPHER_ID TLS_RSA_WITH_NULL_SHA256 // for testing (does everything except encrypting) | 42 | //#define CIPHER_ID1 TLS_RSA_WITH_NULL_SHA256 // for testing (does everything except encrypting) |
| 43 | 43 | ||
| 44 | // works against wolfssl-3.9.10-stable/examples/server/server.c | 44 | // works against wolfssl-3.9.10-stable/examples/server/server.c |
| 45 | // works for kernel.org | 45 | // works for kernel.org |
| @@ -565,8 +565,11 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type) | |||
| 565 | uint8_t padding_length; | 565 | uint8_t padding_length; |
| 566 | 566 | ||
| 567 | xhdr = (void*)(buf - RECHDR_LEN); | 567 | xhdr = (void*)(buf - RECHDR_LEN); |
| 568 | if (tls->cipher_id != TLS_RSA_WITH_NULL_SHA256) | 568 | if (CIPHER_ID1 != TLS_RSA_WITH_NULL_SHA256 /* if "no encryption" can't be selected */ |
| 569 | || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256 /* or if it wasn't selected */ | ||
| 570 | ) { | ||
| 569 | xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCKSIZE); /* place for IV */ | 571 | xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCKSIZE); /* place for IV */ |
| 572 | } | ||
| 570 | 573 | ||
| 571 | xhdr->type = type; | 574 | xhdr->type = type; |
| 572 | xhdr->proto_maj = TLS_MAJ; | 575 | xhdr->proto_maj = TLS_MAJ; |
| @@ -620,7 +623,9 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type) | |||
| 620 | // -------- ----------- ---------- -------------- | 623 | // -------- ----------- ---------- -------------- |
| 621 | // SHA HMAC-SHA1 20 20 | 624 | // SHA HMAC-SHA1 20 20 |
| 622 | // SHA256 HMAC-SHA256 32 32 | 625 | // SHA256 HMAC-SHA256 32 32 |
| 623 | if (tls->cipher_id == TLS_RSA_WITH_NULL_SHA256) { | 626 | if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256 |
| 627 | && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256 | ||
| 628 | ) { | ||
| 624 | /* No encryption, only signing */ | 629 | /* No encryption, only signing */ |
| 625 | xhdr->len16_hi = size >> 8; | 630 | xhdr->len16_hi = size >> 8; |
| 626 | xhdr->len16_lo = size & 0xff; | 631 | xhdr->len16_lo = size & 0xff; |
| @@ -1666,9 +1671,11 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni) | |||
| 1666 | if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) | 1671 | if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) |
| 1667 | bad_record_die(tls, "switch to encrypted traffic", len); | 1672 | bad_record_die(tls, "switch to encrypted traffic", len); |
| 1668 | dbg("<< CHANGE_CIPHER_SPEC\n"); | 1673 | dbg("<< CHANGE_CIPHER_SPEC\n"); |
| 1669 | if (tls->cipher_id == TLS_RSA_WITH_NULL_SHA256) | 1674 | if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256 |
| 1675 | && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256 | ||
| 1676 | ) { | ||
| 1670 | tls->min_encrypted_len_on_read = tls->MAC_size; | 1677 | tls->min_encrypted_len_on_read = tls->MAC_size; |
| 1671 | else { | 1678 | } else { |
| 1672 | unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCKSIZE-1) / AES_BLOCKSIZE; | 1679 | unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCKSIZE-1) / AES_BLOCKSIZE; |
| 1673 | /* all incoming packets now should be encrypted and have | 1680 | /* all incoming packets now should be encrypted and have |
| 1674 | * at least IV + (MAC padded to blocksize): | 1681 | * at least IV + (MAC padded to blocksize): |