Diversion Error message during curl send of stats...

[dev_null]

This may/may not be Diversion-only, but I updated my AC66U_B1 to the 386.1B1 yesterday. I did not get my diversion stats overnight so I checked the log and during curl send of the weekly stats I'm gettting an error 'WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better'.

I checked for updates to entware and force-updated Diversion, checked my credentials, etc. There is only one report of this message on the forum, and it was for yazfi. This doesn't appear to affect other add-ons (or even the performance of Diversion).

I re-entered my email credentials and this error also appears when I pick the option to change my PW. It seems to be a OpenSSL issue. Anyone else seeing this?

EDIT: This was a dirty flash from 384.19. If there is no obvious fix then I will do a reset as next step.

 

[thelonelycoder]

Thanks for reporting. This error comes with the newer openssl version 1.1.1h that ships with this beta Asuswrt-Merlin firmware.
Unfortunately, the new openssl binary will not decrypt the existing email password correctly even if the error message is suppressed.

I'm looking into how to handle that. Stay tuned for an update.

 

[dev_null]

... the new openssl binary will not decrypt the existing email password correctly even if the error message is suppressed...

FWIW, I re-entered the PW and it *does* run successfully even though it complains at the time of the PW set. Just re-ran from the cli to confirm it still works following the PW re-set.

The log is below.

Spoiler: Error log

/opt/share/diversion/log/stats.div.log has this content:

START FILE, --- lines are not part of file
---------------------------------------------------
Mon, 07 Dec 2020 15:56:59 -0500
compiling stats
start Diversion Statistics, updating Ad-Blocking stats
creating filtering lists
begin of stats computing
assembling "The top 10 noisiest name clients"
assembling "Top 10 domains for top 10 clients"
client stats compiled, preserving client lists for next run
stats compiling complete, using these parameters: email attachment delete
sending email with stats as/in: attachment
curl output follows:

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15934 0 0 100 15934 0 5678 0:00:02 0:00:02 --:--:-- 5985

compiled router stats, sent to email
deleted stats file
stats successfully compiled
end of stats.div.log
---------------------------------------------------
END FILE

 

[elorimer]

I saw the same problem and the same solution. Scripts generate the same warning message about a deprecated key derivation. In my case this was a gmail app password. I re-entered it through diversion and it then worked. My other scripts that use the same email.conf also started working with the same warning.

I added the additional switch "-pbkdf2" to lines 1729, 1778 and 1842 of functions.div, reentered the password and the warnings went away. I made the same change to my email script and those warnings went away too.

The default number of iterations used by pbkdf2 is 10,000. I have seen mention of increasing this to 100,000, so I changed the same lines to include "-iter 100000" and that worked fine with no noticeable performance change.

 

[thelonelycoder]

I saw the same problem and the same solution. Scripts generate the same warning message about a deprecated key derivation. In my case this was a gmail app password. I re-entered it through diversion and it then worked. My other scripts that use the same email.conf also started working with the same warning.

I added the additional switch "-pbkdf2" to lines 1729, 1778 and 1842 of functions.div, reentered the password and the warnings went away. I made the same change to my email script and those warnings went away too.

The default number of iterations used by pbkdf2 is 10,000. I have seen mention of increasing this to 100,000, so I changed the same lines to include "-iter 100000" and that worked fine with no noticeable performance change.

I only added the OpenSSL -pbkdf2 switch in my development code. Since this is not strictly about strong encryption of the password in Diversion but merely a function I added so that passwords can contain any character users come up with - without an escape hell to make it work in shell scripts.

Be prepared to enter your password again whenever the next Diversion update comes out to make it work since you added "-iter 100000".
My code is as follows for OpenSSL 1.1.1x routers:

/usr/sbin/openssl aes-256-cbc -pbkdf2

Note that all email functions also will have to decrypt the password with the same switches, so make sure your backups and stats are indeed sent to you with your changes.
The following files contain this code: backup.div, functions.div, stats.div, update.div and update-notification. They may or may not be present, depending on communication settings set in c.
Note that the file update-notification is located at /jffs/scripts.

 

[elorimer]

Be prepared to enter your password again whenever the next Diversion update comes out to make it work since you added "-iter 100000".

I'm going to change it back. I can foresee needing to make the change in all the files on a future update and not having the foggiest remembrance.

 

[thelonelycoder]

I can foresee needing to make the change in all the files on a future update and not having the foggiest remembrance.

That appears to be a good choice, the change, not the foggy memory

 

[L&LD]

Great sleuthing gents!

And what I got out of it most was " whenever the next Diversion update comes out ".

I can hardly wait for 'whenever'!

 

[thelonelycoder]

Great sleuthing gents!

And what I got out of it most was " whenever the next Diversion update comes out ".

I can hardly wait for 'whenever'!

Whenever is when I either give up on adding more features or when I'm finally satisfied with the result. Whichever comes first

 

[L&LD]

Having the pleasure of knowing you and your work for so many years now, I am confident that any user will be satisfied with whatever is available to be offered, now, even if it is an Alpha 0.0001 build in your eyes (and, which I know you wouldn't release in a million years).

Now, this Christmas eve, all I'll be dreaming about will be the tasty treats coming down the lane called amtm, Diversion, and who knows what else!

Thank you @thelonelycoder! Wishing you all the best this holiday season.

 

[thelonelycoder]

Now, this Christmas eve, all I'll be dreaming about will be the tasty treats coming down the lane called amtm, Diversion, and who knows what else!

I sincerely hope that other good things are on your mind or in your dreams during this festive finale of an otherwise wasted and fckd up year for the human population on this planet

 

[L&LD]

Oh yes, other things will be on my mind when I'm awake. And I'll be grateful for all I have in this crazy, upside-down year.

But the heart, not my head, controls the dreams... and I've been mistakenly believing until just a short while ago (RMerlin corrected me) that 386.1 would be bringing a new amtm and other scripts/gifts for a while now.

 

[Jack Yaz]

Thanks for reporting. This error comes with the newer openssl version 1.1.1h that ships with this beta Asuswrt-Merlin firmware.
Unfortunately, the new openssl binary will not decrypt the existing email password correctly even if the error message is suppressed.

I'm looking into how to handle that. Stay tuned for an update.

I might be wrong, but does this work for you pre-Diversion update? (and other users?)

echo "$(/usr/sbin/openssl aes-256-cbc -d -md md5 -in /opt/share/diversion/.conf/emailpw.enc -pass pass:ditbabot,isoi)"

Shameless use of stackoverflow as to why this works: https://stackoverflow.com/a/39641378

 

[thelonelycoder]

I might be wrong, but does this work for you pre-Diversion update? (and other users?)

It does indeed, good find!