Req: Update openssl

Discussion in 'Tomato Firmware' started by jk_chu, May 4, 2009.

  1. jk_chu

    jk_chu Addicted to LI Member

    Any way we can get openssl updated from the current version used with tomato (0.9.7d)? I just updated to tomato-vpn and didn't realize it until downloading the source after trying to get dropbear and openvpn working with AES.

    Overall, I like the feel of this custom firmware, it isn't as bulky as DD-WRT, and my router hasn't been bricked (yet) after saving my settings like X-WRT.

  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It's been attempted to update OpenSSL, but nobody's gotten it to work yet. It is in my bucket of to-do items (precisely for the reason you gave - AES), but I haven't been able to spend much time on it.
  3. jk_chu

    jk_chu Addicted to LI Member

    I'd be interested in trying it out, though I have no idea what I need to get this firmware image compiled, what to change around.... Are there any guides/howto's?

    They just released a second beta for 1.0.0, wouldn't that be sweet? :biggrin:
  4. jk_chu

    jk_chu Addicted to LI Member

    To compile as linux-mipsel isn't even an option in openssl anymore, darn :(


    I found a patch which might help:

    Required Patch (MIPS): http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8k-mips_support-1.patch

    Submitted By: Jim Gifford (patches at jg555 dot com)
    Date: 2005-11-22
    Initial Package Version: 0.9.8a
    Origin: Jim Gifford
    Upstream Status: Sent
    Description: Adds Support for MIPS architectures

    Rediffed Against 0.9.8h by William Harrington on 2008-11-15
    Rediffed for 0.9.8k - By Jim Gifford 2009-03-25

    I'm gonna give it a shot later this week.
  5. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Yeah, I've used that patch before and got it to compile fine, but it crashes any time any encryption is performed. It complains about missing __divdi3 and other symbols. It's probably something small to add to the make file to get it to link them in, but I didn't figure it out in the brief time I tinkered with it.

    Good luck!
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just follow the instructions that come along with the Tomato sources. You may not have all the needed packages installed to compile, but you should be able to google any non-obvious error messages to see what you need to install.
    Also be sure that your /bin/sh is symlinked to /bin/bash, not something else (e.g. /bin/dash). There are a lot of faulty makefiles in the source tree that assume bash functionality is present, but don't properly specify that they need it.
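
Added example, not part of the original thread or the Tomato sources: a pre-build check for the /bin/sh advice above. It reports what /bin/sh resolves to and lists makefiles that use common bash-only constructs without setting SHELL. The function names and the pattern list are assumptions of this example, and the match is a heuristic, so hits need a manual look.

```shell
#!/bin/sh
# Added example: pre-build check for makefiles that silently depend on bash.
# Heuristic only; function names and patterns are this example's own.

# Print the real file behind /bin/sh (or behind the path given as $1).
sh_target() {
    readlink -f "${1:-/bin/sh}"
}

# List makefiles under directory $1 that contain bash-only constructs
# ("[[ ", source, pushd/popd, "&>") and never assign SHELL.
find_bash_makefiles() {
    find "$1" -type f \( -name Makefile -o -name makefile \
            -o -name GNUmakefile -o -name '*.mk' \) | sort |
    while IFS= read -r mf; do
        # A makefile that sets SHELL has declared which shell it needs.
        grep -Eq '^[[:space:]]*SHELL[[:space:]]*[:?]?=' "$mf" && continue
        # Ignore full-line comments, then look for bash-only syntax.
        if grep -v '^[[:space:]]*#' "$mf" |
           grep -Eq '\[\[ |(^|[[:space:];&|(])(source|pushd|popd)[[:space:]]|&>'
        then
            printf '%s\n' "$mf"
        fi
    done
}

# Usage: sh check-bashisms.sh /path/to/source/tree
if [ -n "${1:-}" ]; then
    echo "/bin/sh -> $(sh_target)"
    find_bash_makefiles "$1"
fi
```
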
  7. fyellin

    fyellin LI Guru Member

    I also would prefer running AES to Blowfish. But given
    • The widespread use of BF on the network
    • There is no indication that BF has been cracked
    • You can always increase the key size from 128 to 256 or more if you're feeling insecure
    this just seems like a low priority.

    That said. If someone got AES working, I'd switch in a heartbeat. If it's good enough for the NSA. . . .
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    One of the things that has sparked my interest in getting AES working is that, theoretically, we should be able to use the AES hardware present on our routers for the heavy lifting to reduce load on the CPU. It seems like that is a possibility with OCF-Linux.
  9. jk_chu

    jk_chu Addicted to LI Member

    I really like BF, and AES too. I remember using BF way way back to encrypt my /etc/shadow file since AES wasn't out/widely used at that time. I think it's still a staple in OpenBSD for encrypting everything from files to the encrypted filesystems.

    One last question: How do you test the firmware out before daring to flash it onto a router? Got a vmware image or something?
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Just hope for the best! Seriously, though, if you don't muck with the overall build process (adding a component to router is fine) and it gets through the compile, you're almost certainly okay.
  11. jk_chu

    jk_chu Addicted to LI Member

    It looks like OCF-Linux is dead... There doesn't seem to be any activity there.
