Odi's astoundingly incomplete notes

iOS and hostapd

If you want iOS devices to connect to your hostapd AP, then you must not configure WPA-PSK-SHA256 as a key management option. Unbelievable, Apple! You get offered a choice between two options and you just decide to fail?!?

#wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
wpa_key_mgmt=WPA-PSK


posted on 2014-07-30 22:35 UTC in Code | 0 comments | permalink

How not to design an API

Reading up on how to remotely connect to a JMX port, I wonder how one can possibly design such a horrible API. According to that document you need to create a URI string and pass that to the API. The URI string looks like this:
service:jmx:rmi:///jndi/rmi://hostName:portNum/jmxrmi
Utterly unintuitive, error prone and unreadable. And why assemble a URI string, pass it through an underpowered API and then parse it apart again in the implementation? Like somebody deliberately wanted to piss people off.

It could have been as simple as this:
JMXConnectorFactory.connect(host, port);
Because that's all people normally do! Yes, there may be one person in the Universe who wants to exchange the RMI transport for something else. But the API makes everybody pay for that:
JMXServiceURL u = new JMXServiceURL(
    "service:jmx:rmi:///jndi/rmi://" + hostName + ":" + portNum + "/jmxrmi");
JMXConnector c = JMXConnectorFactory.connect(u);

posted on 2014-07-14 09:59 UTC in Code | 0 comments | permalink

Preventing systemd on Gentoo

With the latest upower upgrade portage may pull in systemd. If you are like me and think that systemd has grown beyond what it should do and you don't want it, do this:

/etc/portage/package.mask:
sys-apps/systemd
Then replace upower with the compatibility layer:
emerge -C sys-power/upower
emerge -1 sys-power/upower-pm-utils

posted on 2014-06-03 13:25 UTC in Code | 1 comments | permalink
Thank you! I really don't like systemd and the attitude of its developers. It just seems horrible all around, so thanks for helping me not install it on Gentoo!

bnx2 firmware and PXE bootable kernel

I am building a Linux kernel that is booted via the network with PXE. The machine that runs it has a Broadcom network card that uses the bnx2 driver. That card needs firmware to function, which is normally loaded into the card by udev.

As the kernel boots it obtains an IP via DHCP and mounts its root file system over NFS. For that it needs a working network card and hence the firmware. Of course the firmware can not be on NFS and there is no udev to load it yet. Hence the kernel must load it. If you don't want an initramfs (because it's a PITA to build), you need to build the firmware into the kernel.

The kernel has config options to build firmware blobs into the kernel. They are found under:
 Device Drivers
   Generic Driver Options
     [*] Include in-kernel firmware blobs in kernel binary
     () External firmware blobs to build into the kernel binary
     (/lib/firmware) Firmware blobs root directory
and they map to the .config variables FIRMWARE_IN_KERNEL, EXTRA_FIRMWARE and EXTRA_FIRMWARE_DIR.

EXTRA_FIRMWARE is a space separated list of file names of the firmware blobs.
EXTRA_FIRMWARE_DIR is a slash terminated directory where those files are.

Now you first need to know which versions of these files are requested by the driver:
# cd drivers/net/ethernet/broadcom/
# grep \\.fw bnx2.c
#define FW_MIPS_FILE_06         "bnx2/bnx2-mips-06-6.2.3.fw"
#define FW_RV2P_FILE_06         "bnx2/bnx2-rv2p-06-6.0.15.fw"
#define FW_MIPS_FILE_09         "bnx2/bnx2-mips-09-6.2.1b.fw"
#define FW_RV2P_FILE_09_Ax      "bnx2/bnx2-rv2p-09ax-6.0.17.fw"
#define FW_RV2P_FILE_09         "bnx2/bnx2-rv2p-09-6.0.17.fw"
So you should list exactly these names in EXTRA_FIRMWARE. To make it extra difficult the kernel itself doesn't even contain these versions:
# ls firmware/bnx2
bnx2-mips-06-6.2.1.fw.ihex   bnx2-rv2p-06-6.0.15.fw.ihex  bnx2-rv2p-09ax-6.0.17.fw.ihex
bnx2-mips-09-6.2.1a.fw.ihex  bnx2-rv2p-09-6.0.17.fw.ihex
But fortunately the firmware is distributed separately and should already be in /lib/firmware. On Gentoo these files are installed by the ebuild sys-kernel/linux-firmware.
# ls /lib/firmware/bnx2
bnx2-mips-06-4.6.16.fw     bnx2-mips-09-5.0.0.j3.fw  bnx2-rv2p-06-6.0.15.fw
bnx2-mips-06-5.0.0.j3.fw   bnx2-mips-09-5.0.0.j9.fw  bnx2-rv2p-09-4.6.15.fw
bnx2-mips-06-5.0.0.j6.fw   bnx2-mips-09-6.0.17.fw    bnx2-rv2p-09-5.0.0.j10.fw
bnx2-mips-06-6.0.15.fw     bnx2-mips-09-6.2.1a.fw    bnx2-rv2p-09-5.0.0.j3.fw
bnx2-mips-06-6.2.1.fw      bnx2-mips-09-6.2.1b.fw    bnx2-rv2p-09-6.0.17.fw
bnx2-mips-06-6.2.3.fw      bnx2-mips-09-6.2.1.fw     bnx2-rv2p-09ax-5.0.0.j10.fw
bnx2-mips-09-4.6.17.fw     bnx2-rv2p-06-4.6.16.fw    bnx2-rv2p-09ax-5.0.0.j3.fw
bnx2-mips-09-5.0.0.j15.fw  bnx2-rv2p-06-5.0.0.j3.fw  bnx2-rv2p-09ax-6.0.17.fw
So you must set EXTRA_FIRMWARE_DIR = /lib/firmware/.

With these options correctly set, such a kernel boots perfectly over PXE.
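The two things that go wrong in this procedure are listing a blob name that does not match what the driver asks for, and pointing EXTRA_FIRMWARE_DIR at a directory that does not contain it (or forgetting the trailing slash). The script below is an added example, not part of the original post: it pulls the requested names out of the driver source the same way the grep above does, prints the EXTRA_FIRMWARE value, and checks that every blob exists under the firmware root before you build. It runs against a constructed sample tree (a stand-in bnx2.c holding only the five #define lines quoted above, and a fake firmware root with one blob missing); for a real build point it at drivers/net/ethernet/broadcom/bnx2.c and /lib/firmware/ instead.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the EXTRA_FIRMWARE
# value for a driver from its source and verify that every requested blob
# exists under EXTRA_FIRMWARE_DIR before you build the kernel.

# Print the firmware file names a driver source requests, one per line.
# This is the "#define FW_..._FILE... \"...fw\"" pattern the post greps for.
fw_names_from_source() {
    sed -n 's/^#define[[:space:]]*FW_[A-Za-z0-9_]*[[:space:]]*"\([^"]*\.fw\)".*/\1/p' "$1"
}

# Join the names into the space separated form EXTRA_FIRMWARE expects.
extra_firmware_line() {
    fw_names_from_source "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Check that every requested blob exists below the firmware root. The root is
# concatenated with the name exactly as written, which is why the post says
# EXTRA_FIRMWARE_DIR must end in a slash. Returns 1 if anything is missing.
check_fw_present() {
    fw_root=$1
    missing=0
    for name in $(fw_names_from_source "$2"); do
        if [ ! -f "$fw_root$name" ]; then
            echo "missing firmware blob: $fw_root$name" >&2
            missing=1
        fi
    done
    return $missing
}

# Build a constructed sample tree under $1: a stand-in bnx2.c holding only the
# five #define lines quoted in the post, and a fake firmware root in which one
# blob (bnx2-rv2p-09-6.0.17.fw) is deliberately absent.
make_sample_tree() {
    mkdir -p "$1/firmware/bnx2"
    cat > "$1/bnx2.c" <<'EOF'
#define FW_MIPS_FILE_06         "bnx2/bnx2-mips-06-6.2.3.fw"
#define FW_RV2P_FILE_06         "bnx2/bnx2-rv2p-06-6.0.15.fw"
#define FW_MIPS_FILE_09         "bnx2/bnx2-mips-09-6.2.1b.fw"
#define FW_RV2P_FILE_09_Ax      "bnx2/bnx2-rv2p-09ax-6.0.17.fw"
#define FW_RV2P_FILE_09         "bnx2/bnx2-rv2p-09-6.0.17.fw"
EOF
    for f in bnx2-mips-06-6.2.3.fw bnx2-rv2p-06-6.0.15.fw \
             bnx2-mips-09-6.2.1b.fw bnx2-rv2p-09ax-6.0.17.fw; do
        : > "$1/firmware/bnx2/$f"
    done
}

# Demo on the constructed tree. For a real build, use
# drivers/net/ethernet/broadcom/bnx2.c and /lib/firmware/ as the arguments.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "CONFIG_EXTRA_FIRMWARE=\"$(extra_firmware_line "$demo_dir/bnx2.c")\""
echo "CONFIG_EXTRA_FIRMWARE_DIR=\"$demo_dir/firmware/\""
if check_fw_present "$demo_dir/firmware/" "$demo_dir/bnx2.c"; then
    echo "all blobs present, safe to build"
else
    echo "install the missing blobs (sys-kernel/linux-firmware on Gentoo) first"
fi
rm -rf "$demo_dir"
```

The check deliberately concatenates the directory and the blob name without inserting a slash, so a root of /lib/firmware (no trailing slash) fails for every blob, which is the same mistake the kernel build would silently let through.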


posted on 2014-05-02 16:56 UTC in Code | 1 comments | permalink
merci Odi

Eclipse crashes in KDE

If your Eclipse (Kepler) crashes a lot in KDE it may be due to a bug in the Oxygen GTK theme. Simple solution: set a different theme.

In Gentoo first install more themes with
emerge -av gtk-engines

Then go to KDE's System Settings and choose the Application Appearance entry. In the GTK tab, select the Clearlooks GTK2 theme (and the Default GTK3 theme). I also recommend the font setting Sans Serif 10.

posted on 2014-04-21 11:14 UTC in Code | 3 comments | permalink
Oh Yeah - You are the MAN !

That was driving me nuts.

Thanks you * Thank you
For me, this helped:
http://nouseforname.de/eclipse-crash-nach-update-auf-kubuntu-14-04-verhindern/
It's 2018. And this helped me with Linux Mint 17.3 Eclipse crashes. Thank you.

My favourite .kshrc

export SHELL="/bin/bash"
exec /bin/bash

posted on 2014-03-18 14:38 UTC in Code | 0 comments | permalink

Apache hiccup after glibc update

Gentoo recently updated glibc. After that I saw this in Apache's error_log:
/usr/sbin/apache2: relocation error: /lib64/libresolv.so.2: symbol __sendmmsg, version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference


Re-emerge apache to fix it.

posted on 2014-01-30 18:36 UTC in Code | 0 comments | permalink

Drag and drop files into KDE's konsole

I just discovered an extremely handy feature of konsole, KDE's primary terminal emulator. cd to a path in konsole and drag'n'drop a file from Dolphin file manager directly into the terminal, and the file will be copied into the current working directory.

posted on 2014-01-22 09:39 UTC in Code | 1 comments | permalink
Cool , works from Konqueror too. :-)

Getting rid of python-3.2 in Gentoo

Gentoo currently has support for Python 2.6, 2.7, 3.2 and 3.3. You only need one from each of the 2.x and 3.x branches (some ebuilds support 2.x only).

So if you currently have:
$ equery l python
 * Searching for python ...
[IP-] [  ] dev-lang/python-2.7.5-r3:2.7
[IP-] [  ] dev-lang/python-3.2.5-r3:3.2
[IP-] [  ] dev-lang/python-3.3.2-r2:3.3
Select 3.3 only:
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2 *
  [2]   python3.3
$ eselect python set --python3 2
$ eselect python list --python3
Available Python 3 interpreters:
  [1]   python3.2
  [2]   python3.3 *
Rebuild python packages:
$ python-updater

Check what still depends on the unneeded 3.2 slot:
$ qdepends -Q python:3.2
dev-python/pyparsing-2.0.1
dev-python/dbus-python-1.2.0
x11-proto/xcb-proto-1.8-r3
Re-emerge these to eliminate the dependency:
$ emerge -1av pyparsing dbus-python xcb-proto

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] dev-python/pyparsing-2.0.1  USE="-doc -examples" PYTHON_TARGETS="python2_7 python3_3* (-pypy2_0) -python2_6 -python3_2*" 0 kB
[ebuild   R    ] x11-proto/xcb-proto-1.8-r3  ABI_X86="(64) (-32) (-x32)" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
[ebuild   R    ] dev-python/dbus-python-1.2.0  USE="-doc -examples {-test}" PYTHON_TARGETS="python2_7 python3_3* -python2_6 -python3_2*" 0 kB
Mask python 3.2 in /etc/portage/package.mask:
dev-lang/python:3.2
Now python:3.2 should no longer be required and get removed with
$ emerge --depclean
If it is not offered for removal, remove it manually and then check which packages still pull it in and rebuild those. Repeat the world update and rebuilding the offending python packages until it works:
$ emerge -C python:3.2
$ emerge -uavD world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  NS   #] dev-lang/python-3.2.5-r3:3.2 [2.7.5-r3:2.7, 3.3.2-r2:3.3] USE="ipv6 ncurses readline sqlite ssl threads (wide-unicode) xml -build -doc -examples -gdbm -hardened -tk -wininst" 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB

The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by dev-python/pycurl-7.19.0-r3[python_targets_python3_2]
# required by app-admin/system-config-printer-common-1.4.3
# required by app-admin/system-config-printer-gnome-1.4.3
# required by kde-base/print-manager-4.11.2
# required by kde-base/kdeutils-meta-4.11.2[cups]
# required by kde-base/kde-meta-4.11.2-r1
# required by @selected
# required by @world (argument)
# /etc/portage/package.mask:
=dev-lang/python-3.2.5-r3
$ emerge -1 pycurl

posted on 2014-01-15 10:15 UTC in Code | 0 comments | permalink

Configure forward secrecy

Choosing your SSL cipher suites is one thing; configuring the various services to actually use them is another.

Please note that the following algorithms are considered completely broken nowadays: RC4, MD5, 3DES.

OpenLDAP: /etc/openssl/slapd.conf:
TLSCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
TLSProtocolMin 3.1
Apache httpd:
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLProtocol all -SSLv2 -SSLv3
Courier-Imap: /etc/courier-imap/imapd-ssl
TLS_CIPHER_LIST="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
TLS_PROTOCOL=TLSv1.2

OpenSSH server: /etc/ssh/sshd_config
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
OpenSSH client: /etc/ssh/ssh_config:
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Postfix: important only for mandatory TLS, as there is no end-to-end encryption in SMTP anyway. Email to/from your local system may go through many hops that are not under your control. Also there is no authentication between those hosts, so even TLS doesn't protect against man-in-the-middle attacks here (key agreement protocols don't solve that problem).
/etc/postfix/main.cf:
smtpd_tls_eecdh_grade=ultra
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
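A cipher string like the one above is only as good as what the local OpenSSL expands it to, and the same string is pasted into four services here, so it is worth checking the expansion once. The script below is an added example, not part of the original post: it feeds "openssl ciphers -v" output through a small awk classifier that marks every suite as forward secret or not (Kx=ECDH and Kx=DH are the ephemeral EECDH/EDH exchanges in current OpenSSL; every TLSv1.3 suite is ephemeral by construction) and flags the algorithms the post calls broken (RC4, MD5, 3DES). The sample description lines are constructed by hand in the format "openssl ciphers -v" prints; the live audit of the post's string only runs if an openssl binary is present. One thing it will show: the string ends with CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA, which are plain RSA key exchange suites kept as a last resort, so they are reported as NO-PFS; appending :!kRSA (a standard OpenSSL cipher keyword) removes them if you want forward secrecy to be mandatory.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an OpenSSL cipher
# string by expanding it with "openssl ciphers -v" and classifying every
# resulting suite as forward secret or not, and as using an algorithm the
# post calls broken (RC4, MD5, 3DES) or not.

# Read "openssl ciphers -v" description lines on stdin and print one line per
# suite: NAME pfs|NO-PFS ok|weak:<algorithms>.
audit_cipher_descriptions() {
    awk '
    NF < 2 { next }
    {
        name = $1; proto = $2; kx = ""; enc = ""; mac = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "Kx") kx = kv[2]
            else if (kv[1] == "Enc") { enc = kv[2]; sub(/\(.*\)/, "", enc) }
            else if (kv[1] == "Mac") mac = kv[2]
        }
        # Kx=ECDH / Kx=DH are ephemeral in current OpenSSL; TLS 1.3 always is.
        pfs = (kx == "ECDH" || kx == "DH" || proto == "TLSv1.3") ? "pfs" : "NO-PFS"
        weak = ""
        if (enc == "RC4" || enc == "3DES" || enc == "DES") weak = weak enc ","
        if (mac == "MD5") weak = weak "MD5,"
        if (weak == "") { weak = "ok" } else { weak = "weak:" substr(weak, 1, length(weak) - 1) }
        print name, pfs, weak
    }'
}

# Count helpers over the same stdin, so a deployment check can fail on them.
count_non_pfs() { audit_cipher_descriptions | awk '$2 == "NO-PFS" { n++ } END { print n + 0 }'; }
count_weak()    { audit_cipher_descriptions | awk '$3 != "ok" { n++ } END { print n + 0 }'; }

# Expand a cipher string with the local OpenSSL and audit the result.
audit_cipher_spec() {
    openssl ciphers -v "$1" | audit_cipher_descriptions
}

# Constructed sample lines in the format "openssl ciphers -v" prints (written
# by hand for the demo, not captured from a real OpenSSL build).
sample_descriptions() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CAMELLIA256-SHA     SSLv3   Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
EOF
}

# The cipher string used throughout the post.
POST_CIPHERS='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

echo "audit of the constructed sample:"
sample_descriptions | audit_cipher_descriptions
if command -v openssl >/dev/null 2>&1; then
    echo "audit of the post's cipher string on this OpenSSL build:"
    audit_cipher_spec "$POST_CIPHERS"
    echo "suites without forward secrecy: $(openssl ciphers -v "$POST_CIPHERS" | count_non_pfs)"
    echo "after appending :!kRSA:         $(openssl ciphers -v "$POST_CIPHERS:!kRSA" | count_non_pfs)"
fi
```

Run it on the machine that will serve the traffic, not on your workstation: the expansion depends on the OpenSSL build (Camellia may be compiled out, a system-wide security level may already drop suites), and the weak count should be zero on every host that carries this string.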
Openswan:
For protostack=netkey make sure to enable all relevant crypto algorithms in your kernel, for all crypto is done by the kernel and Openswan can only configure what's supported.
To get a list of supported algorithms: ipsec auto --status | less
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048

The algorithms are configured like so (Openswan documentation is very incomplete!):
        # PHASE 1
        # negotiation mode
        aggrmode=no
        ike=aes-sha2_256;modp2048
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=aes_gcm_c-256-sha2_256;modp2048
        salifetime=8h
        pfs=yes
        auto=ignore
The length of the PSKs in /etc/ipsec.secrets is very relevant. The minimum safe size depends on the IKE hash, but you can always choose longer keys of course:
posted on 2013-11-25 12:25 UTC in Code | 0 comments | permalink