[git commit] tls: do not compile in TLS_RSA_WITH_NULL_SHA256 code if unreachable

Denys Vlasenko vda.linux at googlemail.com
Mon Apr 3 23:41:15 UTC 2017


commit: https://git.busybox.net/busybox/commit/?id=5d561ef6349b4b6e1d12ad6638acb46abf1eeca6
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
tls_handshake                                       1595    1588      -7
xwrite_encrypted                                     244     209     -35

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/tls.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/networking/tls.c b/networking/tls.c
index 590c04a..db518bf 100644
--- a/networking/tls.c
+++ b/networking/tls.c
@@ -39,7 +39,7 @@
 
 // works against "openssl s_server -cipher NULL"
 // and against wolfssl-3.9.10-stable/examples/server/server.c:
-//#define CIPHER_ID TLS_RSA_WITH_NULL_SHA256 // for testing (does everything except encrypting)
+//#define CIPHER_ID1 TLS_RSA_WITH_NULL_SHA256 // for testing (does everything except encrypting)
 
 // works against wolfssl-3.9.10-stable/examples/server/server.c
 // works for kernel.org
@@ -565,8 +565,11 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
 	uint8_t padding_length;
 
 	xhdr = (void*)(buf - RECHDR_LEN);
-	if (tls->cipher_id != TLS_RSA_WITH_NULL_SHA256)
+	if (CIPHER_ID1 != TLS_RSA_WITH_NULL_SHA256 /* if "no encryption" can't be selected */
+	 || tls->cipher_id != TLS_RSA_WITH_NULL_SHA256 /* or if it wasn't selected */
+	) {
 		xhdr = (void*)(buf - RECHDR_LEN - AES_BLOCKSIZE); /* place for IV */
+	}
 
 	xhdr->type = type;
 	xhdr->proto_maj = TLS_MAJ;
@@ -620,7 +623,9 @@ static void xwrite_encrypted(tls_state_t *tls, unsigned size, unsigned type)
 	// --------  -----------  ----------  --------------
 	// SHA       HMAC-SHA1       20            20
 	// SHA256    HMAC-SHA256     32            32
-	if (tls->cipher_id == TLS_RSA_WITH_NULL_SHA256) {
+	if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256
+	 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
+	) {
 		/* No encryption, only signing */
 		xhdr->len16_hi = size >> 8;
 		xhdr->len16_lo = size & 0xff;
@@ -1666,9 +1671,11 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
 	if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
 		bad_record_die(tls, "switch to encrypted traffic", len);
 	dbg("<< CHANGE_CIPHER_SPEC\n");
-	if (tls->cipher_id == TLS_RSA_WITH_NULL_SHA256)
+	if (CIPHER_ID1 == TLS_RSA_WITH_NULL_SHA256
+	 && tls->cipher_id == TLS_RSA_WITH_NULL_SHA256
+	) {
 		tls->min_encrypted_len_on_read = tls->MAC_size;
-	else {
+	} else {
 		unsigned mac_blocks = (unsigned)(tls->MAC_size + AES_BLOCKSIZE-1) / AES_BLOCKSIZE;
 		/* all incoming packets now should be encrypted and have
 		 * at least IV + (MAC padded to blocksize):


More information about the busybox-cvs mailing list