
Tomato Toastman's Releases

Discussion in 'Tomato Firmware' started by Toastman, Dec 18, 2011.

  1. Spyros

    Spyros LI Guru Member


    I think i fixed it with

    Code:
    dhcp-range=::1, ::FFFF:FFFF, constructor:br*, ra-names, 64, infinite
    in dnsmasq custom config

    The default value is


    Code:
    dhcp-range=::1, ::FFFF:FFFF, constructor:br*, ra-names, 64, 12h
    and for some odd reason is restarting dnsmasq when lease time reaches the half time needed to expire (6 hours in my case).

    Now logs look like this


    Will further monitor if it really works and if there are any complications. Right now dual stack works fine, actually I did all the procedure remotely with IPv6, will check after a few hours if dnsmasq restarts again or if there are any problems with IPv6.

    edit: it appears that wasn't the problem, still dnsmasq restarts every 6 hours
     
    Last edited: Apr 7, 2014
  2. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Man, I can't believe how far I've fallen behind on this thread / project!

    Toastman, just FYI I've been running v1.28.7483 USB VPN since it came out and it's been running like a champ! I was thinking of upgrading to the latest release, but man I would hate to have to reconfigure everything on my router! So many static DHCP entries to enter, OpenVPN to reconfigure, etc, etc...

    Not to mention I would lose this:
    Uptime: 342 days, 07:57:30

    I guess if it ain't broke.... lol... Seriously though one of these days I need to update so I can finally setup IPv6...

    One question though, I can run the non-USB version on my WNR3500L, correct? I will just lose the USB menu options? I don't use USB and would rather have a JFFS partition to store the OpenVPN files.
     
  3. Nick G Rhodes

    Nick G Rhodes Networkin' Nut Member

    Yes the non-USB version works fine, it's what I ran for many years on my 3500L (V1), retired it yesterday!
     
  4. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Son of a biscuit... I just upgraded but it doesn't have the JFFS menu!!! ARGH... And after I just entered like 30 static dhcp entries!

    And I did a google search, apparently I made a comment in 2011 about JFFS missing in non-usb versions... LMAO... *sigh*

    Now I remember why I had to compile my own version so I could strip out just enough to get some free JFFS space to store my OpenVPN config files and other stuff because the 3500L has just a little less space than similar routers... *grumble*
     
    c4flash likes this.
  5. Grimson

    Grimson Networkin' Nut Member

    Why don't you just attach an USB thumb drive, that way you get much more space.
     
  6. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I thought about that, but it would just be a waste of space... I only use the JFFS partition to backup the bandwidth logs and store the certs/keys for OpenVPN... I suppose I could try to put the OpenVPN stuff in NVRAM and backup the logs remotely... But for some reason I think I recall it eating up a LOT of NVRAM...

    It's just the principle of the matter... Hehe... Not a huge deal I can compile my own and remove a few things to make it all work out. It's been a few years since I've done it last but I'm sure it will come back to me.

    I reverted back to my old build and restored the settings in the meantime...
     
  7. bestcow

    bestcow Networkin' Nut Member

    @Toastman
    Thanks to your effort!!!

    I am using your latest build (released on 24.Feb.2014) on ASUS RT-N16. Just a question, every time I enabled/disabled the "B/W Limiter" in QOS section, the WAN connection always needs to be disconnected and reconnected again.

    In the coming future for your new build, is it possible to keep the WAN connection alive when a user enables/disables "B/W Limiter"? As this is not so convenient, at least for me.

    Again, thanks to your great effort on development of Tomato, I know you are busy but it would be much appreciated to have your advice on this.
     
  8. though

    though Network Guru Member

  9. bestcow

    bestcow Networkin' Nut Member

  10. FlashSWT

    FlashSWT LI Guru Member

    Came here tonight specifically to see if we are affected by the Heartbleed bug. Anyone have a definitive answer?
     
  11. Mangix

    Mangix Networkin' Nut Member

    Unless you use OpenVPN or HTTPS Remote Management, no.
     
  12. blah123

    blah123 Reformed Router Member

    If you use HTTPS for local or remote management you would be affected.
     
  13. FlashSWT

    FlashSWT LI Guru Member

    Anything specific those of us using OpenVPN need to do (besides stop using it for now) to secure it or is this something we just need to wait for the next release from Toastman?
     
  14. BikeHelmet

    BikeHelmet Networkin' Nut Member

  15. rhester72

    rhester72 Network Guru Member

  16. BikeHelmet

    BikeHelmet Networkin' Nut Member

    No way to modify that for OpenVPN's ports?
     
  17. rhester72

    rhester72 Network Guru Member

    It's not just a port issue. The u32 match is protocol-dependent and focuses entirely on TLS in an SSL context. OpenVPN doesn't work that way.

    Rodney
     
  18. BikeHelmet

    BikeHelmet Networkin' Nut Member

    I know the match string was specific to HTTPS. I was just hoping there was a way to modify it.

    Looks like we need a firmware update ASAP, then.
     
    wistlo likes this.
  19. Morac

    Morac Network Guru Member

    If you have a mountable filesystem (/jffs or USB), you can replace the insecure OpenVPN with a secure one. See lancethepants's post.

    For remote management I SSH into the router and tunnel over that. I'm not sure if SSH is vulnerable or not though.
     
  20. rhester72

    rhester72 Network Guru Member

    SSH does not have the vulnerability - it is limited to HTTPS, (Open)VPN, and SMTP TLS.

    Rodney
     
  21. Mangix

    Mangix Networkin' Nut Member

    local is not a problem. If someone has local access to your network, you've got bigger problems.
     
  22. Morac

    Morac Network Guru Member

    Is Toastman still around? He hasn't posted anything since Feb 21.
     
  23. though

    though Network Guru Member

    I'm sure he is around. Most people have normal lives, jobs, families, etc.
     
  24. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I'm pretty sure these people aren't going after residential routers or even small vpn links... Exploits like this are always about the money, exploiting SSL on large sites like Amazon or similar... 1 hour's worth of sales at Amazon probably would equal a year's worth of data collection for smaller sites...
     
  25. koitsu

    koitsu Network Guru Member

    Are the delays caused by firmware authors (Shibby, Victek, Toastman) needing appropriate backported patches for OpenSSL (rather than deal with the trouble/pain of upgrading between versions)? If so, I can probably write those up later tonight; the official patches are not very large and only affect 2 or 3 files, otherwise can just use -DOPENSSL_NO_HEARTBEATS (would need to make sure it exists in all said versions though, it might not).
     
  26. Lothsahn

    Lothsahn Addicted to LI Member

    I'm sure they're busy--they're not getting paid to do this.

    That being said, I will do my best to checkout Toastman's sources this weekend and try to rebuild his distribution with OpenSSL 1.0.1g. I'll also try to include the OFB ciphers unless that bloats the size of the distribution too much.

    A word of warning: For citizens of many countries, redistributing Tomato & Openssl hits export restrictions with regards to strong crypto.
     
  27. Mangix

    Mangix Networkin' Nut Member

    just adding -DOPENSSL_NO_HEARTBEATS to the makefile is enough.

    btw why OFB? OFB is slow and there's no real benefit.
     
  28. Lothsahn

    Lothsahn Addicted to LI Member

    I did some more reading, and it appears you're right. OpenVPN recommends CBC:
    http://security.stackexchange.com/questions/25971/openvpn-why-cbc-mode-is-recommended

    My original motivations were transaction malleability attacks against CBC. I hope that they've accounted for or are not affected by these, or they would not recommend CBC. Also, for the truly paranoid, Blowfish is not the best algorithm--you should use AES. Also, if you transfer gigabytes of data, you should avoid Blowfish, because its 64-bit blocksize could be an issue.

    Note: If you do use OFB, you have to be careful to ensure the IV is random on every transmission by setting --rand-iv, and that you use OpenVPN 1.1.0+
    http://openvpn.net/archive/openvpn-users/2002-04/msg00000.html

    If you use CBC, you don't have to worry about this.

    I'll probably leave out OFB & CFB after all, since it's not recommended and would add size. Keep in mind that OpenVPN also recommends Blowfish, which is not the most secure cipher these days:
    http://en.wikipedia.org/wiki/Blowfish_(cipher)#Weakness_and_successors
     
    Last edited: Apr 11, 2014
  29. Mangix

    Mangix Networkin' Nut Member

    I hope you realize that all of this is totally pointless. The differences between the standard modes of operation are mainly ones of speed. You can't really do attacks on them as the traffic is authenticated with HMAC.

    The ideal is CTR mode for its speed and simplicity (it's just an XOR) and has the added benefit of being provably secure with TLS's way of authenticating (MAC then Encrypt).

    But whatever. It doesn't really matter. Just use standard stuff.

    As for blowfish, it's faster than AES. Nice when throughput is important. Unless someone has a lot of computing resources, it's safe to use.
     
  30. Lothsahn

    Lothsahn Addicted to LI Member

    Actually, I didn't. I'm really trying to learn about which are recommended and why, and what compromises can be made security vs speed. Thank you for that very useful information. I originally had put "I'm no cryptography expert" in my first post, but it appears I accidentally removed it during editing.

    Unfortunately, at the current time, I don't believe CTR is supported by OpenVPN... it's certainly not in Tomato. Are you aware of it being supported?
     
  31. Mangix

    Mangix Networkin' Nut Member

    OpenSSL supports the mode itself but SSL/TLS does not which also implies OpenVPN. It doesn't really matter though.
     
  32. Lothsahn

    Lothsahn Addicted to LI Member

    I'm working on compiling OpenSSL. There were a few modifications (in addition to disabling a lot of ciphers, etc--probably for space) to the source to support compilation.

    Tomato currently uses 1.0.1c, which is vulnerable to more than just Heartbleed[1]. I'm working on the source to fix heartbleed, and then I'll look to report those back upstream to OpenSSL as well so we don't have this problem going forward.

    If Toastman, Shibby, Merlin, or RAF are working on this, please let me know at Lothsahn at yahoo--don't want to duplicate effort. Hopefully will be done by tomorrow, depending on the number of changes.

    Also, Toastman, if you're around, I see a git tag for 503.6, but not 503.7. Could you create that tag?

    [1] https://www.openssl.org/news/secadv_20130205.txt

    [Edit]: Built successfully. Tested (briefly) and working. Going to read about how to check things into Git and figure out where I can post this stuff without exceeding my bandwidth allotment. :) Still have some optimization to do, as build sizes are 200k larger, and I had to make some other changes, but at least it's not vulnerable to heartbleed.

    If anyone can help me with git checkin, please send me a message. Thanks!
     
    Last edited: Apr 13, 2014
    Jorge Nerín likes this.
  33. Morac

    Morac Network Guru Member

    I started to see crashes in dnsmasq yesterday so I finally upgraded to 1.28.7503.7 and I'm still seeing crashes. I've seen other posts about this, usually from Comcast users, so it's probably IPV6 related and Comcast did something with their DHCP servers in my area this past week as they went offline and I got a new IP address.
    http://www.linksysinfo.org/index.php?threads/dnsmasq-periodically-restarting.69887/

    Anyone have any idea why this is happening or some way I can debug what's causing the restart?

    Also after I upgraded, two of my WiFi (both iOS) devices' IPV6 leases were showing up under the Device List along with the IPV4 leases (i.e. 2 entries). After dnsmasq crashed and restarted the IPV6 entries disappeared.
     
  34. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I'm starting to recompile my own, but when I do a:

    git checkout Toastman-1.28.7503.7

    It says it can't find it? *sigh*

    I did a checkout of 7483.3 which worked fine and am working off of that for now since I'm currently running 7483...

    First couple things I'm going to do are update OpenSSL & OpenVPN and go from there... Then its stripping some stuff out so I can have a JFFS partition on my WNR3500L...
     
  35. BikeHelmet

    BikeHelmet Networkin' Nut Member

  36. Lothsahn

    Lothsahn Addicted to LI Member

    BikeHelmet,

    Thanks for the patch. My personal preferred approach would be to use the latest OpenSSL vs patching the existing one. The existing one has a number of security vulnerabilities.

    Hopefully RAF, Toastman, or Shibby get ahold of me soon so I can checkin the fixes. :)
     
  37. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I just patched the latest openssl against the current shibby diffs, everything went smooth... the aes-mips.pl diff isn't needed as it was already updated in the new version.

    http://repo.or.cz/w/tomato.git/commitdiff/12052105b251ce517b3d77f48bb38b6c9d43877b

    Compiling right now, we'll see if it builds or not! LOL...

    I haven't even looked into the diffs for OpenVPN yet, pretty good list of changes from 2.3.0 to 2.3.3
     
  38. Lothsahn

    Lothsahn Addicted to LI Member

  39. EOC_Jason

    EOC_Jason Networkin' Nut Member

    The changes in the aes-mips.pl have been updated in the latest source as I mentioned above. (It's prepending private_AES... to various lines). However they never added the linux-mipsel line in the configure file.

    Doesn't look like OpenVPN has too much patched, just a few bits to the make & configure and such, everything else is stock... Going to patch it up and see if I can get it to compile in...

    I had almost one year uptime on my router running 7483, it would have been longer but we lost power for like a day when the power company was replacing a bunch of power poles...
     
  40. Morac

    Morac Network Guru Member

  41. mscrivo

    mscrivo Reformed Router Member

    Sadly 1.28.7504 is still vulnerable. I just tested it.
     
  42. Spyros

    Spyros LI Guru Member

    openssl version
    OpenSSL 1.0.1c 10 May 2012

    .......maybe it's not final
     
  43. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Did you just check the version number, or did you test it on one of those websites? There is a patch which some people are applying to the older versions to fix the heartbeat bug. I don't see the big deal though, using the latest version and patching against Shibby's diffs went smoothly for me.

    EDIT - I thought I had a working build but openvpn keeps crashing on me... *grumble*
     
    Last edited: Apr 14, 2014
  44. Spyros

    Spyros LI Guru Member

    Tested and was vulnerable, now I tested a beta provided by shibby and all is fine.
     
  45. Morac

    Morac Network Guru Member

    Shibby released a version that contains openssl version 1.0.1g. Hopefully Toastman will release a new version soon that does the same.
     
  46. Lothsahn

    Lothsahn Addicted to LI Member

    EOC_Jason:

    Could you reach out to me at my email at Lothsahn at yahoo or Skype? I need help committing in git, but I've got a working stable build ready to go for people who need it until Toastman is available to do his release. Not experiencing any crashing issues like you are.
     
  47. Toastman

    Toastman Super Moderator Staff Member Member

    April 13 2014 - 1.28.0504 and variants

    - dnsmasq updated to v2.69, thanks Simon
    - typo fixed in vpn client, thanks Shadowken
    - quick fix for heartbleed bug from Easy Tomato! Thanks guys...

    Some of the issues reported in recent posts will be fixed by the upgrade of dnsmasq.

    WARNING - DHCP IS DISABLED BY DEFAULT. DON'T FORGET TO TURN IT ON IF YOU NEED IT.
     
    Elfew and Fredrik like this.
  48. Toastman

    Toastman Super Moderator Staff Member Member

    @Lothsahn, see my PM.

    This build is patched, thanks to the Easy Tomato guys, but it would be better to use the latest openssl.
     
  49. gs44

    gs44 Networkin' Nut Member

    Hello Toastman!!!!

    Got your latest 7504 flashed into my E3000 and proud to report 1st early tests... no heartbleed bugs and IPV6 is functioning perfectly with my ISP's new IPV6 support.. No more HE Tunnel needed now... lol will obviously monitor and report back should any issues show their ugly faces....

    As always Thanks Toastman and all that keep Tomato alive!!!!!
     
  50. Toastman

    Toastman Super Moderator Staff Member Member

  51. maleadt

    maleadt Networkin' Nut Member

    Thanks for the effort, but are you sure openssl is properly patched? I'm still seeing the heartbleed vulnerability, for example with this small script:
    Code:
    $ perl check-ssl-heartbleed.pl my_router
    ...ssl received type=22 ver=0x301 ht=0x2 size=77
    ...ssl received type=22 ver=0x301 ht=0xb size=1034
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    ...ssl received type=24 ver=301 size=16384
    BAD! got 16384 bytes back instead of 3 (vulnerable)
    This is on 1.28.0504 MIPSR2Toastman-RT-N K26 USB VPN, downloaded earlier today.

    EDIT: extracting some 100 MBs of memory through heartbleed I haven't managed to extract the key, but I've (repeatedly) seen parts of the certificate bleed through, so I'm guessing memory is still exposed.
     
    Last edited: Apr 15, 2014
  52. Spyros

    Spyros LI Guru Member

    Dnsmasq restarting issue is still there on new version :(

     
  53. gs44

    gs44 Networkin' Nut Member


    Strange, not seeing anything like that in my logs
     
  54. Elfew

    Elfew LI Guru Member

    Shibby added new openssl version into his new version...you can merge it
     
  55. Spyros

    Spyros LI Guru Member

    Maybe you don't have IPv6 enabled? I'm on PPPoE with dual stack IPv4/IPv6 using /56 prefix delegation.
     
  56. gs44

    gs44 Networkin' Nut Member


    lol about 3 or 4 posts up I mentioned IPV6 was working perfectly for me...and still is...

    However your ISP provider is not the same as mine. Mine is not PPPoE and not /56 so Dnsmasq must not be playing well with your ISP provider/setup
     
  57. Twincam

    Twincam Serious Server Member

    Hello Toastman,


    Firstly, thanks for the rapid patch. I assume that most people (#2544 and myself included) would expect to see a different version number (1.0.1g) when entering "openssl version" (in the "System" menu) after the 7504 update. I still see "OpenSSL 1.0.1c 10 May 2012".

    As for the test sites, I tried this one but I'm not certain what to enter. Is it just my ddns name or ddnsname:1194 (UDP OpenVPN server port)? If I use the former, I think I'm actually targeting my NAS (because without the "certificate" checkbox checked on the web page, I see the LAN address of that). The latter test results in a "probably safe" message (which I guess is the patch working). Confused, I am! Thanks (if you have time).

    Cheers, Neil.
     
    Last edited: Apr 16, 2014
  58. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    It's a patched build of OpenSSL 1.0.1c, not a new version. According to your test the patch was successful. :)
     
    koitsu likes this.
  59. Twincam

    Twincam Serious Server Member

    Thanks very much for the confirmation. I should have checked my results on 7503 before I updated! :oops:
     
    Last edited: Apr 16, 2014
  60. maleadt

    maleadt Networkin' Nut Member

    Did you see what I reported some posts up? As far as I can test, the patched version _still_ leaks memory.

    And Twincam's report is not valid: he used some test site on his VPN server, while (as far as I know) none of these test sites actually implement the OpenVPN TLS protocol. Most of them only do HTTPS. The script I linked in my report also supports STARTTLS, more specifically FTP, SMTP, POP and IMAP, but no OpenVPN.
     
    Last edited: Apr 16, 2014
  61. maleadt

    maleadt Networkin' Nut Member

    And some more confirmation: when running httpd under valgrind (3.8.0 from Entware, 3.8.1 seems broken) with --malloc-fill=42, the forged heartbeat response is filled with 0x42:
    Code:
    BAD! got 16384 bytes back instead of 3 (vulnerable)
    02 40 00 41 03 01 53 4e 38 38 c0 bf 9e 40 54 ea  .@.A..SN88...@T.
    01 5b 8e 6a 9a d9 63 83 88 99 51 9b 7c d8 3d 4a  .[.j..c...Q.|.=J
    16 e6 7e b5 d8 a8 00 00 18 c0 09 c0 0a c0 13 c0  ..~.............
    14 00 32 00 38 00 2f 00 35 00 13 00 0a 00 05 00  ..2.8./.5.......
    ff 01 00 00 00 42 42 42 42 42 42 42 42 42 42 42  .....BBBBBBBBBBB
    42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    ... repeated 1018 times ...
    
    I redownloaded to be sure, but this is definitely on 1.28.0504:
    Code:
    $ md5sum tomato-K26USB-NVRAM64K-1.28.0504MIPSR2Toastman-RT-N-VPN*.trx
    7c3ecda8146b42956dae7c41184fd6dd  tomato-K26USB-NVRAM64K-1.28.0504MIPSR2Toastman-RT-N-VPN(1).trx
    7c3ecda8146b42956dae7c41184fd6dd  tomato-K26USB-NVRAM64K-1.28.0504MIPSR2Toastman-RT-N-VPN.trx
    # uname -a
    Linux my_router 2.6.22.19 #20 Mon Apr 14 07:52:06 ICT 2014 mips GNU/Linux
     
    Last edited: Apr 16, 2014
  62. Twincam

    Twincam Serious Server Member

    Hi maleadt,

    I did see that; it's what grabbed my attention. As my main concern is my embedded OpenVPN server, maybe none of this applies to me. How would I run your script correctly? I'm no linux expert (not by a long way!) but if I can help by running your script on my router, I'd be glad to. Please advise where I'd run it. I have SSH access and/or know how to use the Tomato Web UI (but you would still have to tell me exactly "how"). Thanks. :)

    Also, perhaps someone else can advise a/the correct/preferred method for "Heartbleed vulnerability testing with Toastman Tomato OpenVPN"?

    Cheers, Neil.
     
  63. maleadt

    maleadt Networkin' Nut Member

    Twincam,

    The linked script is not mine, and does not support OpenVPN TLS (only HTTPS and some STARTTLS based protocols). However, searching with Google a bit more, it seems that there _is_ a PoC for OpenVPN already, see this script. Download it, execute it with python2 passing your VPN's FQDN as a parameter, and you'll see the following output:
    Code:
    $ python2 heartbleed_test_openvpn.py my_router
    my_router|VULNERABLE
    0000  18 03 01 10 13 02 10 00 48 65 61 72 74 62 6C 65  ........Heartble
    0010  65 64 20 74 65 73 74 20 70 61 79 6C 6F 61 64 E2  ed test payload.
    0020  0B 9E 38 34 EC 3D 66 2B 9C D5 63 00 00 68 C0 14  ..84.=f+..c..h..
    0030  C0 0A C0 22 C0 21 00 39 00 38 00 88 00 87 C0 0F  ...".!.9.8......
    0040  C0 05 00 35 00 84 C0 12 C0 08 C0 1C C0 1B 00 16  ...5............
    0050  00 13 C0 0D C0 03 00 0A C0 13 C0 09 C0 1F C0 1E  ................
    0060  00 33 00 32  .3.2
     
  64. Spyros

    Spyros LI Guru Member

    lol yeah you're right, after 8 hours of sleeping I can see your posts lol

    Damn and there is no hint why this is happening... Any more options I can look for, deeper in the config files? Like dnsmasq.conf etc?
     
  65. Twincam

    Twincam Serious Server Member

    Wow, that was quick and looks perfect (udp, port etc.). I would have struggled forming the correct specific search argument! Thanks. Errr .... it will take me a while because I'll have to install python (via Optware). Hopefully I'll get there later.
     
  66. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I got bored last night so I made a VM running Ubuntu to try and compile the latest Toastman firmware... Soooooooooooooo much smoother than CentOS which would throw tons of errors... I only wish I tried this sooner! LOL...

    Anyhow... this morning I took the latest 1.28.7504 build, swapped out with OpenSSL 1.0.1g w/Shibby patches (I mentioned above somewhere)... Also updated OpenVPN to 2.3.3... compiled.... SUCCESS! :)

    I made me a little custom image that is the VPN build minus the media server (I don't use it and I would rather have the space for a JFFS partition). I'll recompile a full VPN image in just a few and post a link later for anyone that wants it.
     
  67. Morac

    Morac Network Guru Member

    I recently started getting the same Dnsmasq restart issue with Comcast. It restarts every 30 minutes. I have no dnsmasq.conf changes and I'm running DHCPv6 with Prefix Delegation and a prefix of 64 which is different than what you are using.

    The restarts appear to have stopped as of 12:23 AM this morning. I have no idea why as I didn't do anything on my end.
     
    Last edited: Apr 16, 2014
  68. Morac

    Morac Network Guru Member

    I think this would be preferable considering it looks like the Easy Tomato doesn't work apparently.
     
  69. Mangix

    Mangix Networkin' Nut Member

    I still don't understand why the devs have not just added -DOPENSSL_NO_HEARTBEATS to the Makefile. Google already does this for Google Chrome and has been doing so for quite a while (since Android 4.2)
     
  70. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Okay, I uploaded a couple builds if anyone wants them. This is Toastman's 7504 VPN that has been updated with the latest OpenSSL 1.0.1g and OpenVPN 2.3.3, and I removed some of the excess themes & associated images (to make enough space for JFFS on a WNR3500L)... There is also a second build that is the same as above, without the "Media Server" included... That takes a lot of space and is something I don't use and gives me plenty of JFFS space for other stuff...

    http://www.rabel.org/tomato/

    Enjoy...

    Thanks Toastman for all your hard work too... :)
     
    Toink likes this.
  71. RMerlin

    RMerlin Network Guru Member

    That would make the code non-exploitable, however that would leave the exploitable code inside the library. Which means a few months down the road, someone might enable the heartbeat option, having forgotten about the vulnerability still being there.

    It's about fixing the vulnerability, versus just sweeping it under the rug. Both work, but the first is safer.
     
    Toastman and koitsu like this.
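    To make concrete the difference RMerlin and Mangix are debating (fixing the bounds check versus compiling heartbeats out with -DOPENSSL_NO_HEARTBEATS), here is an added toy heartbeat handler in C; it is not code from this thread or from OpenSSL. The pre-fix logic trusted the request's 2-byte payload_length field, so a 3-byte payload claiming 16384 bytes was answered with 16384 bytes read past the record (the "got 16384 bytes back instead of 3" the checker above reports); the hardened path applies the same shape of check the real fix added and silently discards such a record. Function names and the two sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message layout: type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding every heartbeat message must carry */

/* Parse the 3-byte header and return the payload length the sender *claims*,
 * or -1 if the record cannot even hold a header. */
int hb_claimed_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 3) return -1;
    return ((int)rec[1] << 8) | rec[2];
}

/* How far past the end of the record the old, trusting code would have read:
 * it copied `claimed` bytes starting right after the header regardless of how
 * many bytes the record actually contained. 0 means no over-read. */
int hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    int claimed = hb_claimed_payload_len(rec, rec_len);
    if (claimed < 0) return -1;
    size_t present = rec_len - 3;                 /* payload + padding really received */
    return (size_t)claimed > present ? (int)((size_t)claimed - present) : 0;
}

/* Hardened check, same shape as the bounds test the Heartbleed fix introduced:
 * header + claimed payload + minimum padding must fit inside the record. */
int hb_request_is_sane(const uint8_t *rec, size_t rec_len)
{
    int claimed = hb_claimed_payload_len(rec, rec_len);
    if (claimed < 0 || rec[0] != HB_REQUEST) return 0;
    if ((size_t)(1 + 2 + claimed + HB_PADDING) > rec_len) return 0;
    return 1;
}

/* Build the response for a sane request: type=response, same length field, the
 * payload echoed, then padding. Returns bytes written, 0 when the request was
 * discarded by the bounds check, -1 when the output buffer is too small.
 * (Real implementations fill the padding with random bytes; zeros suffice here.) */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (!hb_request_is_sane(rec, rec_len)) return 0;
    int claimed = hb_claimed_payload_len(rec, rec_len);
    size_t need = 1 + 2 + (size_t)claimed + HB_PADDING;
    if (out == NULL || out_cap < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)claimed);      /* safe: bounds verified above */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)need;
}

/* Constructed sample records, mirroring the checker's 3-byte payload.
 * hb_honest: header says 3 bytes, and 3 bytes + 16 padding follow. */
static const uint8_t hb_honest[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
                                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* hb_forged: identical bytes, but the header claims 0x4000 = 16384 bytes of payload. */
static const uint8_t hb_forged[] = { HB_REQUEST, 0x40, 0x00, 'a', 'b', 'c',
                                     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```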
  72. Twincam

    Twincam Serious Server Member

    Hi maleadt,

    I installed python ("Optware" version 2.5-1) on the router, succeeded in creating the script (using vi) and making it executable but keep getting a syntax error (line #91) when I run it. As I don't know python, I'm stuck. I was intending to test using this before and after upgrading to EOC_Jason's fixed "Toastman" build (thanks very much to him too) but I can't. Thanks anyway.

    Unless, of course, I install python on my "Windows 7" Laptop and try it there .... I am going to try that tomorrow! Please don't think I'm an idiot as I already know I am. Why didn't I think of this sooner as I (now) realise that's what you meant? The script can be run from a machine that is remote to the router (and is not actually the router!) .... time for bed, I think. :eek:
     
    Last edited: Apr 17, 2014
  73. DJF - EasyTomato

    DJF - EasyTomato Serious Server Member

    Can you post the patch for the openssl 1.0.1g upgrade and OpenVPN 2.3.3? Apologies if you have already, but I didn't see them.
     
  74. DJF - EasyTomato

    DJF - EasyTomato Serious Server Member


    What is the command you're using with that script? I tested a non-patched version of Toastman and then compiled my own with the patch.

    ***BEFORE***
    Code:
    easydev@debian /mnt/fast_storage/EasyTomato/release/src/router/openssl
    $ perl ~/check-ssl-heartbleed.pl 192.168.1.1:https
    ...ssl received type=22 ver=0x301 ht=0x2 size=77
    ...ssl received type=22 ver=0x301 ht=0xb size=444
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    ...ssl received type=24 ver=301 size=16384
    BAD! got 16384 bytes back instead of 3 (vulnerable)

    ***AFTER***
    Code:
    easydev@debian /mnt/fast_storage/EasyTomato/release/src/router/openssl
    $ perl ~/check-ssl-heartbleed.pl 192.168.1.1:https
    ...ssl received type=22 ver=0x301 ht=0x2 size=77
    ...ssl received type=22 ver=0x301 ht=0xb size=444
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    no reply(eof) - probably not vulnerable
     
  75. DJF - EasyTomato

    DJF - EasyTomato Serious Server Member

    Annnnnd just flashed Toastman's released build and got this:
    Code:
    easydev@debian /mnt/fast_storage/EasyTomato/release/src/router/openssl
    $ perl ~/check-ssl-heartbleed.pl 192.168.1.1:https
    ...ssl received type=22 ver=0x301 ht=0x2 size=77
    ...ssl received type=22 ver=0x301 ht=0xb size=444
    ...ssl received type=22 ver=0x301 ht=0xe size=0
    ...send heartbeat#1
    ...ssl received type=24 ver=301 size=16384
    BAD! got 16384 bytes back instead of 3 (vulnerable)

    Looks like a potential build issue.
     
  76. maleadt

    maleadt Networkin' Nut Member

    I only tried Python 2.6 and 2.7, so maybe there's a Python 2.5 incompatibility. That said, you better download the script directly to avoid typos or other corruptions when pasting in your editor (you can install 'wget' using optware). If you want to try it on windows, just download some portable Python distribution.

    Install valgrind first (if you're using Entware, manually install this package rather than using the current one, which seems broken). Afterwards, use the following commands to start up the webserver:
    Code:
    # service httpd stop
    # cd /www
    # valgrind --malloc-fill=42 httpd -d
    Note that you should not pay too much attention to the memory errors valgrind reports here (or rather, the lack thereof), because as far as I understand OpenSSL wraps allocator calls and manages its own memory pool.

    Now on your host, use the check-ssl-heartbeat script with the -s/--show parameter, which'll show you the received heartbeat contents:
    Code:
    perl check-ssl-heartbleed.pl -s my_router
    This'll reveal those 0x42 bytes in most of the heartbeat response, indicating memory (currently uninitialized but if properly placed -- by issuing more requests or varying request size to end up in a different place of the heap -- possibly containing sensitive key information) is leaking.
     
  77. li am

    li am Network Newbie Member

  78. maleadt

    maleadt Networkin' Nut Member

    For a quick and dirty fix, download EOC_Jason's images, extract using firmware-mod-kit, copy libssl and libcrypto over to your router, bind mount on top of the existing libraries in /usr/lib and restart httpd and vpnserver1 if applicable.
     
  79. EOC_Jason

    EOC_Jason Networkin' Nut Member

    I just patched the latest openssl against the current shibby diffs, everything went smooth... the aes-mips.pl diff isn't needed as it was already updated in the new version.

    http://repo.or.cz/w/tomato.git/commitdiff/12052105b251ce517b3d77f48bb38b6c9d43877b

    As for OpenVPN 2.3.3, I just deleted the old openvpn directory, downloaded & extracted the latest .tar.gz into a new openvpn directory... No patching / adjustments are needed in any of those files, the tweaks are all in the main makefile to get 2.3.x to build...

    P.S. I'm sure someone will notice and ask eventually... The build version on the "About" page will give an incorrect number. When I was doing the make I did V1=1.28.7504 instead of just V1=7504... I'll upload some "corrected" files in a bit... Functionality won't be any different.
     
  80. Lothsahn

    Lothsahn Addicted to LI Member

    I've provided Toastman and RAF with the instructions to make 1.0.1g correctly. Shibby's also got it (independent of my work), so a fixed version should be out shortly.
     
  81. Twincam

    Twincam Serious Server Member

    Hi maleadt,

    I succeeded in running the python script on Windows - I used "Portable Python 2.7.5.1" (on a USB stick) as you recommended. However, I only get a result with my LAN IP. If I use my DDNS name, the script hangs. Is this indicative of a problem or just because of my router configuration? Intriguingly, I still get a syntax error (line 91) if I run the same script using the Optware version (weird!). Thanks (again).
     
    Last edited: Apr 17, 2014
  82. thunderforce

    thunderforce Networkin' Nut Member

    Excuse me for the following unrelated question about Toastman builds: If I understand this correctly, the Std build has everything that the Mini and MiniIPV6 builds do not?
    • Mini - no USB, no CIFS, no Zebra
    • MiniIPV6 - no USB, no CIFS, no Zebra + IPv6
    • Std - normal build
    Anyway, keep up the good work, Toastman!
     
  83. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Probably best to read over the Makefile and figure out what is & isn't included... It's gotten to be quite the hodgepodge of features...

    http://repo.or.cz/w/tomato.git/blob/08230f783b7679ed4c9048e9b1a646e9b85f17c5:/release/src/Makefile
     
  84. maleadt

    maleadt Networkin' Nut Member

    Probably because of your router configuration. OpenVPN shouldn't behave differently if the packets originate from an external address rather than an internal one. Actually, even if you're addressing your WAN IP, Tomato shouldn't route these externally, so routing-wise it shouldn't make a difference either. What remains is the firewall configuration.
     
  85. Toastman

    Toastman Super Moderator Staff Member Member

    OK, there seems to be some sort of issue with my implementation of the EasyTomato fix. Although, when I tested it here, I got good results.

    I've used Lothsahn's code to update to 1.0.1g and will upload it shortly as 1.28.7504.1 etc.
     
  86. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Just FYI, I've been running OpenVPN 2.3.3 for the past week or so with no problems. It was a drop-in replacement for the current OpenVPN in the build (I believe 2.3.0).

    Thanks again for all your hard work!
     
  87. Lothsahn

    Lothsahn Addicted to LI Member

    EOC_Jason:

    I'm going to build OpenVPN 2.3.3 as well as some additional fixes for OpenSSL, which I'll provide to Toastman as well. The major problem with my current build is increased size, although performance is down a bit as well. I will work on addressing both of these, but I basically only have time free on weekends. I'll look at your git patches as well for reference.

    Lothsahn
     
  88. Toastman

    Toastman Super Moderator Staff Member Member

    Currently uploading 7401.1 - I will push source to git afterwards (I think I forgot to do it). Some people may like to wait for the OpenVPN stuff too.

    Thanks guys!
     
  89. Morac

    Morac Network Guru Member

    So is OpenVPN in 2401.1 still vulnerable since it wasn't updated?

    On a related note, I've been seeing a number of recent connection attempts on the OpenVPN port in the logs, which OpenVPN 2.3.3 (using the statically compiled version) is reporting as a potential attack, so it looks like exploit kits out there are now scanning for vulnerable VPN servers.
     
  90. Lothsahn

    Lothsahn Addicted to LI Member

    So is OpenVPN in 2401.1 still vulnerable since it wasn't updated?

    No. OpenVPN is vulnerable to Heartbleed because it uses OpenSSL as its underlying encryption layer. Once OpenSSL is updated to 1.0.1g (latest), OpenVPN would not be vulnerable to Heartbleed. However, if there were other (non-OpenSSL) vulnerabilities in OpenVPN, those have not yet been fixed.

    Keep in mind, there were other vulnerabilities also affecting OpenSSL 1.0.1c beyond Heartbleed:
    http://www.openssl.org/news/secadv_20130205.txt

    These have also been addressed by the update.
     
  91. RMerlin

    RMerlin Network Guru Member

    The main reason why OpenVPN 2.3.3 was rushed out is for Win32 users, who use a statically linked openssl library. Win32 users needed a compiled build of OpenVPN that used the fixed version of openssl.

    For source-based users (such as firmware developers), there are no security fixes in the OpenVPN code itself - it's all in OpenSSL.
     
  92. Toink

    Toink Network Guru Member

    Thank you Toastman and Lothsahn :)

    I think I would have to settle for something with fewer features. The tomato-E3000USB-NVRAM60K-1.28.0504.1MIPSR2Toastman-RT-N-VLAN-VPN-NOCAT.bin is too big for the E3000.

     
  93. brueggma

    brueggma Networkin' Nut Member

    Anyone having problems with httpd after the update to 1.28.0504.1 (tomato-E2000USB-NVRAM60K-1.28.0504.1MIPSR2Toastman-RT-N-VLAN-Ext.bin)?

    root@wirelessbridge:/tmp/home/root# ls -ltra /etc/cert.pem
    -rw-r--r-- 1 root root 660 Apr 18 16:13 /etc/cert.pem
    root@wirelessbridge:/tmp/home/root# httpd -d
    718570928:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718570928:error:20074002:lib(32):func(116):reason(2):NA:0:
    718570928:error:140AD002:lib(20):func(173):reason(2):NA:0:
    718570928:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718570928:error:20074002:lib(32):func(116):reason(2):NA:0:
    718570928:error:140AD002:lib(20):func(173):reason(2):NA:0:
    root@wirelessbridge:/tmp/home/root# ls -ltra /etc/cert.pem
    ls: /etc/cert.pem: No such file or directory
     
  94. HunterZ

    HunterZ LI Guru Member

    What's this about in the 0504.1 changelog?
     
  95. nmalinoski

    nmalinoski Serious Server Member

    I'm hoping for a K24 solution; would be nice to have a WRT54G/L build with patched OpenSSL/OpenVPN.
     
  96. Lothsahn

    Lothsahn Addicted to LI Member

    The latest Toastman WRT54GL build has OpenSSL 1.0.0, which is not affected by Heartbleed. That being said, it would be very nice to have a new build for the WRT54GL, and I asked Toastman about this. One of the problems is there's very little room--the 4MB flash is very limiting.
     
  97. Lothsahn

    Lothsahn Addicted to LI Member

    Changed the build target to linux-generic32 instead of linux-mipsel.
    This undoes the performance improvements by JYAvenard. See benchmarks
    for performance impact (roughly 15-20% for most operations).


    This means that we've undone the current OpenSSL patches to get it to build and work stably. I'm currently working on re-applying those patches and bringing down the build size.

    The patch is this one:
    http://openssl.6102.n7.nabble.com/MIPS-linux-support-patch-td37137.html

    Most operations are 15-20% slower, but one operation is 50% slower. Unless you're using an openssl enabled torrent client (which isn't in Toastman's firmware), or you're REALLY heavily loading the VPN, I don't think you'll notice.

    The main problem with the build is that it's 200K larger, and I'm working on fixing it. Toink noticed this, and I'm in the process of dealing with it. If you have a RT-N66U like me, it's not a big deal... but on a WRT54GL or similar, that would be a showstopper.

    I can say that I've yet to see any hiccups or problems on my routers over the last few days, and my first goal was stability. Now I'm working on optimization, and finally on upgrading OpenVPN.

    Lothsahn
     
  98. comet.berkeley

    comet.berkeley Addicted to LI Member

    Yes, I'm having the exact same problem with tomato-K26USB-1.28.7504.1MIPSR2Toastman-RT-Std.trx

    http works, but https does not. And I get the same error messages about /etc/cert.pem after configuring https:

    #cd /www
    #httpd -d

    718426240:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718426240:error:20074002:lib(32):func(116):reason(2):NA:0:
    718426240:error:140AD002:lib(20):func(173):reason(2):NA:0:
    718426240:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718426240:error:20074002:lib(32):func(116):reason(2):NA:0:
    718426240:error:140AD002:lib(20):func(173):reason(2):NA:0:
     
  99. HunterZ

    HunterZ LI Guru Member

    I'm not certain, but it looks like maybe Shibby may have a new K24 build?
     
  100. Pepperman

    Pepperman Network Newbie Member

    Same problem with build tomato-K26USB-1.28.0504.1MIPSR2Toastman-RT-N-VLAN-VPN.trx.

    Code:
    718575024:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718575024:error:20074002:lib(32):func(116):reason(2):NA:0:
    718575024:error:140AD002:lib(20):func(173):reason(2):NA:0:
    718575024:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/cert.pem','r')
    718575024:error:20074002:lib(32):func(116):reason(2):NA:0:
    718575024:error:140AD002:lib(20):func(173):reason(2):NA:0:
     
