On 26/09/2014 10:11, Catalin Patulea wrote:
> What's the motivation for this change?
>
> On Thu, Sep 25, 2014 at 11:43 AM, Alive <alive4e...@live.com> wrote:
>> X-Patchwork-Id: 6322
>> Message-Id: <blu437-smtp18d6698761b98124aca899e4...@phx.gbl>
>>
>> Is there any chance for my proposed patch to be committed?
>> http://patchwork.openwrt.org/patch/6322/
>>
>> Here is a brief comparison of the binary and package size increase.
>> Tested on AR9330, mips, TL MR3220v2
>>
>> Before applying sha2-hmac patch
>> root@OpenWrt:~# du -sh $(which dropbear)
>> 161.5K /usr/sbin/dropbear
>>
>> After applying sha2-hmac patch
>> root@OpenWrt:~# du -sh $(which dropbear)
>> 165.5K /usr/sbin/dropbear
>>
>> It's about a 4K binary size increase.
>>
>> debug information
>> ssh root@OpenWrt -o MACs=hmac-sha2-512,hmac-sha2-256 -v
>> ...
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-ctr hmac-sha2-512 none
>> debug1: kex: client->server aes128-ctr hmac-sha2-512 none
>> ...
>>
>> Package size compared to downloaded trunk
>> 84829 Sep 25 02:43 dropbear_2014.65-2_ar71xx.ipk
>> 81896 Sep 25 02:13 dropbear_2014.65-2_ar71xx.ipk
>> It's about a 3K package size increase.
As the SHA1 signature hash is about to become obsolete on certificates, it would be better to prepare for next-generation hash algorithms. Here are some references.

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
https://www.digicert.com/sha-2-ssl-certificates.htm

While CAs are encouraging users to upgrade to SHA2-based certificates, it'd be better to assume that SHA1 HMAC will also become obsolete.

I know the Unix philosophy "Don't fix what ain't broken". I think it's better to provide a safety measure to prevent disaster instead of waiting for the disaster to come and fixing it later.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
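The thread verifies the patch by reading the `kex:` lines of `ssh -v` by eye. The script below is an added example, not part of the thread or of the OpenWrt/Dropbear code: it turns that manual check into a repeatable one by parsing the negotiated MAC for both directions out of `ssh -v` output and flagging anything that is not a SHA-2 HMAC. The debug lines embedded in it are constructed for the example (the first sample is modelled on the output quoted above, the second on the newer OpenSSH `cipher:/MAC:/compression:` layout); `probe_host` is a hypothetical helper that runs the same check against a live host using standard OpenSSH client options.

```shell
#!/bin/sh
# Constructed sample: old-style `ssh -v` kex lines, as quoted in the thread.
SAMPLE_OLD='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-512 none
debug1: kex: client->server aes128-ctr hmac-sha2-512 none'

# Constructed sample: newer OpenSSH layout, with a server that only negotiated SHA-1.
SAMPLE_NEW_SHA1='debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none'

# Print the MAC negotiated for one direction ("server->client" or
# "client->server") from ssh -v output on stdin. Handles both the old
# "kex: <dir> <cipher> <mac> <comp>" layout and the newer
# "kex: <dir> cipher: <c> MAC: <m> compression: <z>" layout.
negotiated_mac() {
    awk -v d="$1" '
        $2 == "kex:" && $3 == d {
            for (i = 4; i <= NF; i++) if ($i == "MAC:") { print $(i + 1); exit }
            print $5; exit
        }'
}

# Accept SHA-2 HMACs (plain or -etm). "<implicit>" is what OpenSSH prints for
# AEAD ciphers (chacha20-poly1305, aes-gcm), whose integrity comes from the
# cipher itself, so it is not a SHA-1 exposure either.
mac_is_acceptable() {
    case "$1" in
        hmac-sha2-256*|hmac-sha2-512*|"<implicit>") return 0 ;;
        *) return 1 ;;
    esac
}

# Read ssh -v output on stdin, report the MAC per direction, and return 1 if
# either direction ended up on a weak (or missing) MAC.
check_debug_output() {
    out=$(cat)
    rc=0
    for dir in "server->client" "client->server"; do
        mac=$(printf '%s\n' "$out" | negotiated_mac "$dir")
        if mac_is_acceptable "$mac"; then
            echo "$dir $mac OK"
        else
            echo "$dir ${mac:-none} WEAK"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical live check: offer only SHA-2 MACs, as in the thread, and see
# what the server picks. The kex lines are printed before authentication, so
# the check works even if BatchMode key auth fails; if the server has no
# SHA-2 MAC at all, ssh aborts with "no matching MAC found", no kex line is
# printed, and the result is reported as WEAK.
probe_host() {
    ssh -v -o BatchMode=yes -o ConnectTimeout=5 \
        -o MACs=hmac-sha2-512,hmac-sha2-256 "$1" true 2>&1 | check_debug_output
}

# Stand-alone run: probe the host given as argument, else check the constructed sample.
if [ -n "${1:-}" ]; then
    probe_host "$1"
else
    printf '%s\n' "$SAMPLE_OLD" | check_debug_output
fi
```

Run it as `sh check-mac.sh root@OpenWrt` against a router before and after installing the patched package: the pre-patch Dropbear has no SHA-2 MAC to offer, so the probe fails closed and reports WEAK, while the patched one should print `hmac-sha2-512 OK` for both directions.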