Re: [OpenWrt-Devel] openwrt-devel Digest, Vol 103, Issue 58

2014-07-14 Thread Alive4Ever
On Monday, July 14, 2014 12:00:01 PM openwrt-devel-requ...@lists.openwrt.org
wrote:
> The OpenWrt developers are proud to announce the first release
> candidate of OpenWrt Barrier Breaker.
Glad to know that Barrier Breaker will be ready to rock.
Would it be possible to include my ticket #17028 here? I think it's necessary to
add support for newer 3g dongle.
Thanks.


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH] [package] dropbear: updated to version 2014.64

2014-08-03 Thread Alive4Ever
Integrate latest dropbear release to base system (2014.64)

diff --git a/package/network/services/dropbear/Makefile
b/package/network/services/dropbear/Makefile
index b2bd8cc..d1f0cff 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dropbear
-PKG_VERSION:=2014.63
+PKG_VERSION:=2014.64
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
+PKG_MD5SUM:=c9c92f0bf622e6395462a906727d830f

 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE
libtommath/LICENSE
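Review bot: the new PKG_MD5SUM value is the only integrity check on the 2014.64 tarball, and the first PKG_SOURCE_URL entry is plain http, so the commit message should say how that checksum was obtained (for example, computed from a tarball checked against the upstream release signature) rather than taken from the download itself. The hunk also changes nothing under patches/, so please confirm that the existing patch series still applies to 2014.64 before this goes in.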

Signed-off-by: Alif Ahmad 


[OpenWrt-Devel] Compilation errors on Ubuntu 14.04 64-bit.

2014-08-04 Thread Alive4Ever
I can't compile current Openwrt on Ubuntu 14.04 64bit.
Latest commit from git log is

commit f99433ba8bb4777a868b955d8e33d7d9e29b5065
Author: blogic 
Date:   Sun Aug 3 11:13:58 2014 +

firmware-utils: made mkdir615h1 work for all Senao-
produced devices as mksen

Signed-off-by: Forest Crossman 

My compilation target is TL-MR3220.
The command I use is

time make -j3 V=s 2>&1 | tee /tmp/openwrt-makelog.txt

Here is the most notable error.

/bin/bash: i686-linux-gnu-ar: command not found
make[7]: *** [libpatch.a] Error 127
make[7]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/patch-2.7.1/lib'

/usr/bin/ld: i386 architecture of input file `.libs/liblzma_la-crc32_x86.o' is incompatible with i386:x86-64 output
/usr/bin/ld: i386 architecture of input file `.libs/liblzma_la-crc64_x86.o' is incompatible with i386:x86-64 output
collect2: error: ld returned 1 exit status
make[8]: *** [liblzma.la] Error 1
make[8]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5/src/liblzma'
make[7]: *** [all-recursive] Error 1
make[7]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5/src/liblzma'
make[6]: *** [all-recursive] Error 1
make[6]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5/src'
make[5]: *** [all-recursive] Error 1
make[5]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5'
make[3]: *** [/home/alif/OpenWrt/openwrt/build_dir/host/xz-5.0.5/.built] Error 2
make[3]: Leaving directory `/home/alif/OpenWrt/openwrt/tools/xz'
make[2]: *** [tools/xz/compile] Error 2
make[2]: Leaving directory `/home/alif/OpenWrt/openwrt'
make[1]: *** [/home/alif/OpenWrt/openwrt/staging_dir/target-mips_34kc_uClibc-0.9.33.2/stamp/.tools_install_yynyynynynyyynnnyyynyyynnn] Error 2
make[1]: Leaving directory `/home/alif/OpenWrt/openwrt'
make: *** [world] Error 2

I've removed the -j3 flag from the make command, but I get the 
same error.
Does anyone have an idea how to solve these build errors?
Thanks.


Re: [OpenWrt-Devel] [PATCH] [package] dropbear: updated to version 2014.64

2014-08-04 Thread Alive4Ever
Some included patch series are broken and cannot be applied 
automatically for version 2014.64. Manual work is needed for 
these patches to apply cleanly.
 110-change_user.patch
 130-ssh_ignore_o_and_x_args.patch
 140-disable_assert.patch
This patch will fix them all to apply cleanly to version 
2014.64

diff --git a/package/network/services/dropbear/Makefile 
b/package/network/services/dropbear/Makefile
index b2bd8cc..d1f0cff 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2014.63
+PKG_VERSION:=2014.64
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
+PKG_MD5SUM:=c9c92f0bf622e6395462a906727d830f
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE 
libtommath/LICENSE
diff --git a/package/network/services/dropbear/patches/110-
change_user.patch 
b/package/network/services/dropbear/patches/110-
change_user.patch
index 48228ea..15cf6bc 100644
--- a/package/network/services/dropbear/patches/110-
change_user.patch
+++ b/package/network/services/dropbear/patches/110-
change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -889,12 +889,12 @@ static void execchild(void *user_data) 
{
+@@ -899,12 +899,12 @@ static void execchild(void *user_data) 
{
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
  
diff --git a/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch 
b/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
index 6de652b..0a5e8ba 100644
--- a/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
+++ b/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -309,6 +309,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -312,6 +312,10 @@ void cli_getopts(int argc, char ** argv)
debug_trace = 1;
break;
  #endif
@@ -11,10 +11,10 @@
case 'F':
case 'e':
  #ifndef ENABLE_USER_ALGO_LIST
-@@ -322,7 +326,6 @@ void cli_getopts(int argc, char ** argv)
- #ifndef ENABLE_CLI_LOCALTCPFWD
-   case 'L':
- #endif
+@@ -329,7 +333,6 @@ void cli_getopts(int argc, char ** argv)
+   print_version();
+   exit(EXIT_SUCCESS);
+   break;
 -  case 'o':
case 'b':
next = &dummy;
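Review bot: in the refreshed `@@ -329,7 +333,6 @@` inner hunk the removed `case 'o':` now follows the `print_version(); exit(EXIT_SUCCESS); break;` context instead of the `case 'L':` block, so the inner patch is anchored on different upstream code than before. Please confirm against 2014.64's cli-runopts.c that `case 'o':` is still a label of the group that falls through to `case 'b':` and `next = &dummy;`, and regenerate the file with the buildroot's patch refresh target rather than editing hunk headers by hand. Context lines such as `case 'F':` and `case 'b':` have also lost their leading space, so this file will not apply as mailed.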
diff --git a/package/network/services/dropbear/patches/140-
disable_assert.patch 
b/package/network/services/dropbear/patches/140-
disable_assert.patch
index edc7547..0717228 100644
--- a/package/network/services/dropbear/patches/140-
disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-
disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */



Signed-off-by: Alif Ahmad 


Re: [OpenWrt-Devel] [PATCH] [package] dropbear: updated to version 2014.64

2014-08-04 Thread Alive4Ever
It seems that my MUA is using word wrap and destroying the 
patch.
Here is the unwrapped patch to fix failed hunks.

Signed-off-by: Alif Ahmad 

diff --git a/package/network/services/dropbear/Makefile 
b/package/network/services/dropbear/Makefile
index b2bd8cc..d1f0cff 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2014.63
+PKG_VERSION:=2014.64
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
+PKG_MD5SUM:=c9c92f0bf622e6395462a906727d830f
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE 
libtommath/LICENSE
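Review bot: this resend is still line-wrapped: the context line `PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE` continues on a separate `libtommath/LICENSE` line with no leading space, the two PKG_SOURCE_URL continuation lines have lost theirs as well, and the `diff --git` header above the hunk is split in two, so git am will reject it. Please send it with git send-email, or attach the git format-patch output, so the list receives the patch byte for byte.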
diff --git a/package/network/services/dropbear/patches/110-
change_user.patch 
b/package/network/services/dropbear/patches/110-
change_user.patch
index 48228ea..15cf6bc 100644
--- a/package/network/services/dropbear/patches/110-
change_user.patch
+++ b/package/network/services/dropbear/patches/110-
change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -889,12 +889,12 @@ static void execchild(void *user_data) 
{
+@@ -899,12 +899,12 @@ static void execchild(void *user_data) 
{
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
  
diff --git a/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch 
b/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
index 6de652b..0a5e8ba 100644
--- a/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
+++ b/package/network/services/dropbear/patches/130-
ssh_ignore_o_and_x_args.patch
@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -309,6 +309,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -312,6 +312,10 @@ void cli_getopts(int argc, char ** argv)
debug_trace = 1;
break;
  #endif
@@ -11,10 +11,10 @@
case 'F':
case 'e':
  #ifndef ENABLE_USER_ALGO_LIST
-@@ -322,7 +326,6 @@ void cli_getopts(int argc, char ** argv)
- #ifndef ENABLE_CLI_LOCALTCPFWD
-   case 'L':
- #endif
+@@ -329,7 +333,6 @@ void cli_getopts(int argc, char ** argv)
+   print_version();
+   exit(EXIT_SUCCESS);
+   break;
 -  case 'o':
case 'b':
next = &dummy;
diff --git a/package/network/services/dropbear/patches/140-
disable_assert.patch 
b/package/network/services/dropbear/patches/140-
disable_assert.patch
index edc7547..0717228 100644
--- a/package/network/services/dropbear/patches/140-
disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-
disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */


[OpenWrt-Devel] Picocom should be re-included in packages.

2014-08-12 Thread Alive4Ever
On latest Openwrt commits, picocom is missing. Formerly, picocom 
was available on Utilities/Terminal section of menuconfig.

I think picocom should be re-included, because it's very handy 
and usable for serial diagnostics, especially on systems with 
only 4 MB of flash, such as TL MR3220.

Compared to minicom, picocom is smaller (62K vs 22K). Screen is 
more powerful but it's too large for 4 MB flash.

Please consider re-including picocom in the packages.

Thanks.


[OpenWrt-Devel] Request for including xz-utils in the packages

2014-08-15 Thread Alive4Ever
I've been navigating through the package list and I did not 
find xz-utils in the packages section.

Since xz archives are gaining popularity, it would be better 
to package xz-utils and xz-embedded for Openwrt. They should be 
available under menuconfig on Utilities/Compression.

Busybox has xz configuration, but it just decompresses since it 
is based on xz-embedded.

Please consider packaging xz-utils for Openwrt.
Thanks.

XZ Utils: 
XZ Embedded: 


[OpenWrt-Devel] Including git revision commit hash and svn revision id on release announcement.

2014-08-27 Thread Alive4Ever
Hello developers.

Probably you are annoyed by people asking which revision is Barrier Breaker
RC3 or similar, because they want to be able to compile the specific release
themselves.

To address this issue, I think it would be better to add git revision commit
hash for each Openwrt release announcement. So that, if someone already has a
trunk repository, no need to hassle with cloning repository again just for
applying that release.  Users will be able to go to specific release just by
issuing git revert  or git reset  in their
local git repository.

I hope next release announcement will include git commit hash and svn revision
number for more convenience.


[OpenWrt-Devel] [Bug: Busybox 1.22.1] false return 0 instead of 1 with '--help' switch.

2014-08-29 Thread Alive4ever
I'm using an embedded system with busybox v1.22.1, running Openwrt Chaos 
Chalmer r42321, mips24k AR9330

When I call 'busybox false --help', the return status is zero. I think it has 
nothing to do with openwrt, because it's the output of busybox, not the problem 
on openwrt performance. I feel it's strange, because GNU coreutils false binary 
gives return status 1, even when invoked with '--help' switch. I also notice 
that Ubuntu busybox false, which is version 1.21.1 performs the same behaviour 
as GNU coreutils.

Since /bin/false is linked to busybox and configured to disable login for 
daemon users, it will pose a security hole if this zero return status is 
exploited. I mark this as bug because busybox false doesn't return 'false'.

Is this behaviour intended with busybox false implementation?

Thanks.


[OpenWrt-Devel] [Bug: Busybox 1.22.1] false return 0 instead of 1 with '--help' switch.

2014-08-30 Thread Alive4ever
I'm using an embedded system with busybox v1.22.1, running Openwrt Chaos 
Chalmer r42321, mips24k AR9330

When I call 'busybox false --help', the return status is zero. I think it has 
nothing to do with openwrt, because it's the output of busybox, not the problem 
on openwrt performance. I feel it's strange, because GNU coreutils false binary 
gives return status 1, even when invoked with '--help' switch. I also notice 
that Ubuntu busybox false, which is version 1.21.1 performs the same behaviour 
as GNU coreutils.

Since /bin/false is linked to busybox and configured to disable login for 
daemon users, it will pose a security hole if this zero return status is 
exploited. I mark this as bug because busybox false doesn't return 'false'.

Is this behaviour intended with busybox false implementation?

Thanks.


Re: [OpenWrt-Devel] [Bug: Busybox 1.22.1] false return 0 instead of 1 with '--help' switch.

2014-09-02 Thread Alive4Ever
On Friday, August 29, 2014 02:08:56 PM Bastian Bittorf wrote:
> * Alive4ever  [29.08.2014 14:03]:
> > I'm using an embedded system with busybox v1.22.1, running Openwrt Chaos 
> > Chalmer r42321, mips24k AR9330
> > 
> > When I call 'busybox false --help', the return status is zero. I think it 
> > has nothing to do with openwrt, because it's the output of busybox, not the 
> > problem on openwrt performance. I feel it's strange, because GNU coreutils 
> > false binary gives return status 1, even when invoked with '--help' switch. 
> > I also notice that Ubuntu busybox false, which is version 1.21.1 performs 
> > the same behaviour as GNU coreutils.
> > 
> 
> i cannot see a bug here on OpenWrt:
> 
> root@box:~ busybox false --help
> BusyBox v1.22.1 (2014-08-28 18:55:30 EDT) multi-call binary.
> 
> Usage: false 
> 
> Return an exit code of FALSE (1)
> 
> root@box:~ echo $?
> 0
> root@box:~ false --help
> root@box:~ echo $?
> 1
> root@box:~ false bla
> root@box:~ echo $?
> 1
> 
> bye, bastian

Hi bastian,
If you are just typing false on openwrt shell, it uses false in the 
built in shell.

root@OpenWrt:~# type false
false is a shell builtin
root@OpenWrt:~# false --help
root@OpenWrt:~# echo $?
1
root@OpenWrt:~#

There is no problem with ash built in false. The problem is busybox 
false applet.
To invoke busybox false, either call '/bin/false' or '/bin/busybox false'

root@OpenWrt:~# /bin/false --help ; echo $?
BusyBox v1.22.1 (2014-08-28 15:20:07 WIB) multi-call binary.

Usage: false 

Return an exit code of FALSE (1)

0

root@OpenWrt:~# busybox false --help ; echo $?
BusyBox v1.22.1 (2014-08-28 15:20:07 WIB) multi-call binary.

Usage: false 

Return an exit code of FALSE (1)

0

That's the unexpected behavior from busybox false applet.
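One way to check the concern raised in this thread, that a program installed as a login-denying shell must never exit with status 0, written as an added Python example that is not part of the original messages and not BusyBox code. The stub shells, the passwd lines and the probe list are constructed; the first stub only reproduces the exit status reported above.

```python
import os
import stat
import subprocess
import tempfile

# Arguments a caller might hand to an account's shell; "--help" is the case from the thread.
PROBES = ([], ["--help"], ["-c", "true"])


def parse_passwd(text):
    """Yield (user, shell) pairs from passwd(5)-format text, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            yield fields[0], fields[6]


def shell_failures(shell):
    """Return the probe argument lists for which `shell` exits with status 0."""
    bad = []
    for args in PROBES:
        proc = subprocess.run([shell, *args], stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=5)
        if proc.returncode == 0:
            bad.append(args)
    return bad


def audit(passwd_text, deny_shells):
    """Map each user whose shell is meant to deny login to its zero-exit probes."""
    findings = {}
    for user, shell in parse_passwd(passwd_text):
        if shell in deny_shells:
            bad = shell_failures(shell)
            if bad:
                findings[user] = bad
    return findings


def make_stub(directory, name, script):
    """Write an executable /bin/sh script used as a stand-in shell (constructed)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + script + "\n")
    os.chmod(path, stat.S_IRWXU)
    return path


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins: one reproduces the reported exit status, one always fails.
        reported = make_stub(tmp, "false-reported", '[ "$1" = "--help" ] && exit 0\nexit 1')
        strict = make_stub(tmp, "false-strict", "exit 1")
        passwd = ("root:x:0:0:root:/root:/bin/ash\n"
                  f"daemon:*:1:1:daemon:/var:{reported}\n"
                  f"nobody:*:65534:65534:nobody:/var:{strict}\n")
        return audit(passwd, {reported, strict})


if __name__ == "__main__":
    for user, probes in demo().items():
        print(f"{user}: deny shell exits 0 for arguments {probes}")
```

On a real system, pass the contents of /etc/passwd and the set of shells that are supposed to refuse logins (for example /bin/false) to `audit()`.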


[OpenWrt-Devel] [PATCH][package] dropbear: enable sha2-based hmac by default.

2014-09-23 Thread Alive4Ever
Dropbear should support sha2-based message authentication.
This patch will enable hmac-sha2-256 and hmac-sha2-512.


--- a/options.h
+++ b/options.h
@@ -128,8 +128,8 @@ much traffic. */
  * which are not the standard form. */
 #define DROPBEAR_SHA1_HMAC
 /*#define DROPBEAR_SHA1_96_HMAC*/
-/*#define DROPBEAR_SHA2_256_HMAC*/
-/*#define DROPBEAR_SHA2_512_HMAC*/
+#define DROPBEAR_SHA2_256_HMAC
+#define DROPBEAR_SHA2_512_HMAC
 #define DROPBEAR_MD5_HMAC
 
 /* You can also disable integrity. Don't bother disabling this if you're
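Review bot: the diff is against dropbear's own options.h (`--- a/options.h`) rather than a file under package/network/services/dropbear/patches/, so it cannot be applied to the OpenWrt tree as posted; it needs to ship as a patch file in the package, with a PKG_RELEASE bump. The mail also carries no Signed-off-by line, and the description should state the binary size cost, since `DROPBEAR_SHA1_HMAC` and `DROPBEAR_MD5_HMAC` stay defined alongside the two MACs being enabled.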



Re: [OpenWrt-Devel] [PATCH][package] dropbear: enable sha2-based hmac by default.

2014-09-24 Thread Alive4Ever
> Whats the size increase due to that?
> 
> ~ Jow

Here is a brief comparison about binary and package size
Tested on AR9330, mips, TL MR3220v2

Before applying sha2-hmac patch
root@OpenWrt:~# du -sh $(which dropbear)
161.5K  /usr/sbin/dropbear

After applying sha2-hmac patch
root@OpenWrt:~# du -sh $(which dropbear)
165.5K  /usr/sbin/dropbear

It's about 4K binary size increase.

debug information
ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v
...
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-512 none
debug1: kex: client->server aes128-ctr hmac-sha2-512 none
...

Package size compared to downloaded trunk
84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk
81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk
It's about 3K package size increase.


[OpenWrt-Devel] Unable to compile libnl-tiny [stdio.h not found]

2014-10-08 Thread Alive4Ever
Hello openwrt devs!

Since I moved the openwrt build directory to another partition on
another external hard-drive, I'm unable to compile openwrt. Every time I
run openwrt build process, the following error occurs and compilation
stopped prematurely.

Here is the error message produced by `make V=s`

```
mips-openwrt-linux-uclibc-gcc -Wall -c -o nl.o -Iinclude -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -mips16 -minterlink-mips16 -fpic nl.c
In file included from nl.c:84:0:
include/netlink-local.h:16:19: fatal error: stdio.h: No such file or directory
 #include <stdio.h>
   ^
compilation terminated.
make[4]: *** [nl.o] Error 1
```

For your information, the old openwrt build directory is on
~/OpenWrt/openwrt, which is located in the same partition as / (root
fs) which is /dev/sda3

The new openwrt build directory is on
/media/username/developer/home/project/openwrt on /dev/sdb2 

I've tried deleting all files, then restoring the openwrt working
directory with `git checkout master origin/master`. I've updated the
feeds directory with `./script/feeds update -a` and installed the feeds
with `./script/feeds install -a`. I've done `make clean`, `make
distclean`, `make defconfig`, and `make menuconfig` several times, but
none of the effort gives a hope.

Your advice and suggestions are appreciated.


Re: [OpenWrt-Devel] Unable to compile libnl-tiny [stdio.h not found]

2014-10-08 Thread Alive4Ever
On Wednesday, October 08, 2014 07:02:33 PM Felix Fietkau wrote:
> Try running make dirclean and rebuild.

Thanks. I'll try this workaround.
I'll check if this will fix the problem.


Re: [OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.

2014-10-08 Thread Alive4Ever
On Friday, October 03, 2014 01:55:29 PM Weedy wrote:
> Based off failed ciphers/macs
> no matching cipher found: client rijndael-...@lysator.liu.se server
> aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc
> no matching mac found: client hmac-ripemd160-...@openssh.com server
> hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5
> 
> for cipher in 3des-cbc 3des-ctr aes128-cbc aes256-cbc aes128-ctr
> aes256-ctr; do for mac in hmac-md5 hmac-sha1 hmac-sha2-256
> hmac-sha2-512; do echo ""; echo "cipher: $cipher"; echo "mac: $mac"; for
> bah in 1 2 3; do dd if=/dev/zero bs=1M count=25 | ssh -c "$cipher" -m
> "$mac" -o "Compression no" r...@openwrt.lan 'time cat - >/dev/null';
> echo ""; sleep 2; done; done; done
> 
> OpenSSH_6.6.1 connecting to TP-Link 4300, time to transfer 26MiB of junk
> to null. Best of three, my router is in use and not idle.
> 
> 3des-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|   md5    |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m27.65s | 0m27.98s | 0m29.47s | 0m31.93s |
> | user    | 0m 0.05s | 0m 0.04s | 0m 0.02s | 0m 0.04s |
> | sys     | 0m 0.25s | 0m 0.22s | 0m 0.24s | 0m 0.22s |
> +---------+----------+----------+----------+----------+
> 
> aes128-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|   md5    |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m12.07s | 0m12.62s | 0m13.61s | 0m16.05s |
> | user    | 0m 0.02s | 0m 0.03s | 0m 0.00s | 0m 0.02s |
> | sys     | 0m 0.27s | 0m 0.23s | 0m 0.21s | 0m 0.22s |
> +---------+----------+----------+----------+----------+
> 
> aes256-cbc
> +---------+----------+----------+----------+----------+
> |time\hmac|   md5    |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m13.32s | 0m13.61s | 0m14.97s | 0m17.71s |
> | user    | 0m 0.02s | 0m 0.03s | 0m 0.03s | 0m 0.03s |
> | sys     | 0m 0.27s | 0m 0.23s | 0m 0.22s | 0m 0.28s |
> +---------+----------+----------+----------+----------+
> 
> aes128-ctr
> +---------+----------+----------+----------+----------+
> |time\hmac|   md5    |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m12.64s | 0m12.80s | 0m13.74s | 0m16.19s |
> | user    | 0m 0.04s | 0m 0.02s | 0m 0.02s | 0m 0.01s |
> | sys     | 0m 0.18s | 0m 0.24s | 0m 0.17s | 0m 0.23s |
> +---------+----------+----------+----------+----------+
> 
> aes256-ctr
> +---------+----------+----------+----------+----------+
> |time\hmac|   md5    |   sha1   |  sha256  |  sha512  |
> +---------+----------+----------+----------+----------+
> | real    | 0m13.40s | 0m13.84s | 0m15.20s | 0m18.11s |
> | user    | 0m 0.01s | 0m 0.03s | 0m 0.02s | 0m 0.00s |
> | sys     | 0m 0.17s | 0m 0.16s | 0m 0.18s | 0m 0.24s |
> +---------+----------+----------+----------+----------+
> 
> 
> We should dump 3des-* and pick up arcfour*

Thanks for performing cipher speed test in addition with hmac test.
I realize that there is no need to enable stronger hash function for
hmac. The md5 collision attacks and 'predicted' sha1 collision attacks
are just affecting `pure` digest function. There is no known attack
affecting hmac-md5 or hmac-sha1, because hmac is not as simple as
digest. It's an advanced operation to verify deciphered message,
operating blocks by blocks repeatedly. It's sure hard to perform
collision attack on hmac, because the underlying layer is already
encrypted, for example by aes128-ctr cipher.

Currently, there is no formal advice to enable stronger digest for hmac.
The well known OpenSSH is still using hmac-md5 as default message
authentication algorithm, although it has added support for sha2-based
hmac since 5.9. To be specified, OpenSSH is using
hmac-md5-...@openssh.com - a special extension added by OpenSSH to add
more security to hmac-md5 - if the server supports it.

IETF says that hmac-md5 isn't broken, although the md5 hash function is
considered weak to collision attacks.

https://www.ietf.org/mail-archive/web/cfrg/current/msg01202.html

There is no need to rush. I know that when the time comes, OpenWrt
developers will enable hmac-sha2 by default. Maybe years from now, or
when the dropbear upstream enables hmac-sha2 by default.
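The MAC names negotiated in this thread (hmac-md5, hmac-sha1, hmac-sha2-256, hmac-sha2-512) all put the RFC 2104 construction into the SSH rule from RFC 4253, mac = MAC(key, sequence_number || unencrypted_packet). The Python below is an added example, not part of any message in this thread and not dropbear or OpenSSH code; the key material, payload and sequence numbers are constructed for illustration.

```python
import hashlib
import hmac
import struct

# MAC names from the thread mapped to their hash (RFC 4253 section 6.4, RFC 6668).
SSH_MACS = {
    "hmac-md5": "md5",
    "hmac-sha1": "sha1",
    "hmac-sha2-256": "sha256",
    "hmac-sha2-512": "sha512",
}


def hmac_rfc2104(hash_name, key, msg):
    """HMAC written out as in RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def build_packet(payload, cipher_block=16):
    """Unencrypted SSH binary packet: length, padding length, payload, padding."""
    pad = cipher_block - ((5 + len(payload)) % cipher_block)
    if pad < 4:                               # RFC 4253 requires at least 4 padding bytes
        pad += cipher_block
    body = bytes([pad]) + payload + b"\x00" * pad   # real peers use random padding
    return struct.pack(">I", len(body)) + body


def ssh_mac(mac_name, key, seqno, packet):
    """mac = MAC(key, sequence_number || unencrypted_packet)."""
    data = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac_rfc2104(SSH_MACS[mac_name], key, data)


def verify(mac_name, key, seqno, packet, tag):
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(ssh_mac(mac_name, key, seqno, packet), tag)


def demo():
    packet = build_packet(b"constructed payload bytes")      # constructed sample
    tampered = packet[:-1] + bytes([packet[-1] ^ 1])         # one flipped bit
    results = {}
    for name, hash_name in SSH_MACS.items():
        # Constructed key of the digest's length; real keys come from the key exchange.
        key = hashlib.new(hash_name, b"constructed integrity key").digest()
        tag = ssh_mac(name, key, 7, packet)
        stdlib = hmac.new(key, struct.pack(">I", 7) + packet, hash_name).digest()
        results[name] = {
            "tag_bytes": len(tag),            # per-packet overhead of this MAC
            "matches_stdlib": tag == stdlib,
            "accepts_original": verify(name, key, 7, packet, tag),
            "accepts_tampered": verify(name, key, 7, tampered, tag),
            "accepts_replay_at_seq_8": verify(name, key, 8, packet, tag),
        }
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```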


[OpenWrt-Devel] cyassl is causing build errors

2014-10-13 Thread Alive4Ever
I've experienced many build errors on bb-14.07 because of cyassl.

For your information, cyassl can't be downloaded directly from its
official site. There is a form that needs to be filled before Wolfssl
allows downloading of cyassl-3.2.0.zip. Any attempt to download cyassl
directly will cause redirection to html download form here.

http://wolfssl.com/yaSSL/download/downloadForm.php

To simplify the download process, I suggest preparing pre-downloaded
cyassl source on OpenWrt mirror and modifying PKG_SOURCE_URL accordingly
and removing http://www.yassl.com from PKG_SOURCE_URL.

Thanks.


Re: [OpenWrt-Devel] cyassl is causing build errors (Alive4Ever)

2014-10-13 Thread Alive4Ever
On Monday, October 13, 2014 09:49:15 AM openwrt-devel-requ...@lists.openwrt.org 
wrote:
> Message: 4
> Date: Mon, 13 Oct 2014 14:20:07 +0700
> From: Alive4Ever 
> To: OpenWrt Development List 
> Subject: [OpenWrt-Devel] cyassl is causing build errors
> Message-ID: 
> Content-Type: text/plain; charset="us-ascii"
> 
> I've experienced many build errors on bb-14.07 because of cyassl.
> 
> For your information, cyassl can't be downloaded directly from its
> official site. There is a form that needs to be filled before Wolfssl
> allows downloading of cyassl-3.2.0.zip. Any attempt to download cyassl
> directly will cause redirection to html download form here.
> 
> http://wolfssl.com/yaSSL/download/downloadForm.php
> 
> To simplify the download process, I suggest preparing pre-downloaded
> cyassl source on OpenWrt mirror and modifying PKG_SOURCE_URL accordingly
> and removing http://www.yassl.com from PKG_SOURCE_URL.
> 
> Thanks.

I tested with another internet connection and found that direct download
from http://www.yassl.com worked fine.

It seems that the culprit for redirection form is `transparent proxy`
operated by my ISP. Direct connection to http://www.yassl.com without
any `transparent proxy` middleman works fine.

Although that's the cause of my problem, I still suggest to provide
another mirror for cyassl in case main cyassl mirror prevents direct
downloading for users behind `transparent proxy`.

Thanks.


[OpenWrt-Devel] Consider enabling HTTPS for wiki.openwrt.org

2014-10-16 Thread Alive4Ever
I'm unable to access http://wiki.openwrt.org. It seems that the wiki
site is down.

Is there any maintenance to the wiki?

If it's because of maintenance, I suggest to implement tls over http
(https) to secure data integrity. So that, editing and viewing OpenWrt
wiki will be more convenient.

I feel bad when editing OpenWrt wiki without https, because I'm behind a
transparent http proxy. I often get error messages about invalid proxy
requests when I attempt to save my editing work.

My only hope for OpenWrt web admin is to consider https for
wiki.openwrt.org site.

Thanks.