maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)
-   -   N900, CSSU and OpenSSL (https://talk.maemo.org/showthread.php?t=93296)

jonwil 2014-06-05 22:36

N900, CSSU and OpenSSL
 
In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients
Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this?

Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or if they are closed, look at how to replace them with something open)

sixwheeledbeast 2014-06-05 22:48

Re: N900, CSSU and OpenSSL
 
http://www.symantec.com/connect/blog...ter-heartbleed

It seems we avoided heartbleed issues by being on 0.9.8n, however, latest CVE's recommend updating 0.9.8 to 0.9.8za

I believe some of your question where discussed on the heartbleed thread http://talk.maemo.org/showthread.php?t=92998

shawnjefferson 2014-06-06 02:36

Re: N900, CSSU and OpenSSL
 
Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?

sixwheeledbeast 2014-06-06 07:09

Re: N900, CSSU and OpenSSL
 
http://maemo.org/packages/view/libssl0.9.8/
http://maemo.org/packages/view/openssl/

shawnjefferson 2014-06-07 05:56

Re: N900, CSSU and OpenSSL
 
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

sixwheeledbeast 2014-06-07 08:29

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by shawnjefferson (Post 1428583)
I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.

xes 2014-06-07 09:13

Re: N900, CSSU and OpenSSL
 
Community is not just ask and receive.

Everyone can contribute, maybe with small things, but the concept of community starts from this.

No one owns, everyone contributes to make it better

freemangordon 2014-06-07 09:26

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by shawnjefferson (Post 1428583)
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

The only option we have is to backport the needed patches, otherwise we'll break the ABI.

Point me to the patch that fixes that CVE and I'll see what I can do

EDIT:
"Pointing" is raising a bug on BMO, place a link to bug here

xes 2014-06-07 12:26

Re: N900, CSSU and OpenSSL
 
@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time.
For sure latest CVE 2014-0224 is really a pain for every mobile device using a vpn.
ref: http://www.openssl.org/news/secadv_20140605.txt
So also CVE 2014 0195/221/3470 affect the N900's openssl current version.

After this, we should expect many openssl updates in the next months since actually there is a massive bug hunting..

freemangordon 2014-06-07 18:41

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by xes (Post 1428606)
@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time.

No, as it will break the ABI, the version in CSSU is the latest that don't break it.

So, if someone finds the relevant patches/commits, I'll backport them in CSSU

xes 2014-06-07 22:30

Re: N900, CSSU and OpenSSL
 
@freemangordon
also remaining inside 0.9.8 branch?

After 0.9.8n most part of changes are fixes and a few new api.
Are you sure we could break something with 0.9.8za?

https://www.openssl.org/news/openssl-notes.html
http://git.openssl.org/gitweb/?p=ope...s/heads/master
http://upstream-tracker.org/versions/openssl.html

freemangordon 2014-06-08 07:05

Re: N900, CSSU and OpenSSL
 
http://upstream-tracker.org/compat_r..._Risk_Problems

we have CVE-2010-0742 fix included in CSSU, so the version is effectively 0.9.8o

Sure, someone can check if the above change affects maemo, but I'd consider that it breaks the ABI until shown some evidence of the opposite. Which might not be possible if we have closed source binaries using openssl

EDIT:
IMO the sane way is to find all the stuff like https://www.openssl.org/news/secadv_20101116.txt and include those patches in CSSU openssl

sixwheeledbeast 2014-06-08 09:34

Re: N900, CSSU and OpenSSL
 
1 Attachment(s)
Is this helpful?
https://privatepaste.com/81efcde966

joerg_rw 2014-06-08 11:15

Re: N900, CSSU and OpenSSL
 
definitely useful, thanks sixwheeledbeast!
/j

jonwil 2014-06-09 01:29

Re: N900, CSSU and OpenSSL
 
Things I can find that link to libssl or libcrypto and are closed source:
as-daemon (part of the stuff for talking to Microsoft email servers)
browser.launch (main browser binary)
eapd (WiFi security daemon)
intellisyncd (part of nokia messaging)
libconnui_iapsettings.so.0 (related to WiFi security)
libflashplayer.so (Flash player plugin)
libiap_dialog_gtc_challenge.so (related to WiFi security)
libiap_dialog_mschap_challenge.so (related to WiFi security)
libiap_dialog_private_key_pw.so (related to WiFi security)
libiap_dialog_server_cert.so (related to WiFi security)
libiap_dialog_wps.so (related to WiFi security)
libiap_wizzard_wlan.so (related to WiFi security)
libinternetsettings.so (internet settings control panel)
libshareonovi.so (handles sharing to OVI)
libsync4j.so.3 (syncml stuff)
location-proxy (handles GPS SUPL and network related stuff)
osso-backup.launch (backup tool)
ota-settings (handles internet settings sent over-the-air)
signond (single-sign-on daemon)
syncd (part of maesync, whatever that is)

Identifying which of these binaries call potentially-broken functions (i.e. those who's ABI may have changed between the 0.9.8n we have now and the latest 0.9.8za release) should be possible if someone can come up with a list of all such functions.

Some of these binaries may only use bits of openssl that haven't changed between 0.9.8n and 0.9.8za (e.g. crypto stuff like AES or SHA or HMAC) and some may be things we dont need anymore (e.g. nokiamessaging). Some may link to the libraries but not actually import any functions from them.

jonwil 2014-06-09 01:40

Re: N900, CSSU and OpenSSL
 
Also things may not be incompatible based on my reading of the openssl stuff.

For example the changes to data types in 0.9.8p listed as being in dtls1.h and ssl3.h only affect the SSL structure which (per my reading of the SSL documentation) is a notionally-opaque structure anyway, never accessed directly only created via SSL_new and accessed via other SSL_xxx functions.

shawnjefferson 2014-06-09 03:53

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by sixwheeledbeast (Post 1428589)
I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.

A bit off-topic, but what I meant by "own" is that a small group/team decides what goes in CSSU and what doesn't. Things like libssl updates a no-brainer of course.

Too bad that going above 0.9.8n breaks ABI compatibility. I would have thought that updates within a major/minor version wouldn't have done so, but apparently it might? Might just need to be tested after reading above... Throw libssl 0.9.8za into CSSU dev and have some folks test it out? If it doesn't blow up everything, push it into Testing and await bug reports... that's what Testing is for right?

Seems like an easier route than backporting all the patches to 0.9.8n if we don't really need to do so.

Edit: thought I would try it... so I compiled 0.9.8za and running it on my device now, and will test for a couple of days.

Edit2: no problems with HAM, Opera or MicroB.

shawnjefferson 2014-06-11 01:53

Re: N900, CSSU and OpenSSL
 
I encountered no problems with anything running 0.9.8za, and decided to thumb compile libssl, libcrypto and openssl so am running those now on my device without issue. (Seems like the possible ABI issue may be not relevant.)

I've tested:
Certman
Opera
Microb
HAM
FAM
nmap

anything else specifically I should test?

jonwil 2014-06-11 05:28

Re: N900, CSSU and OpenSSL
 
Maybe the answer is to go straight to the horses mouth and ask if 0.9.8za has any ABI-breaking changes vs 0.9.8n.

sixwheeledbeast 2014-06-19 16:59

Re: N900, CSSU and OpenSSL
 
What do we think about 0.9.8za?
Is it likely to be stable or is still best to backport them?

shawnjefferson 2014-06-21 19:07

Re: N900, CSSU and OpenSSL
 
Completely stable on my device, no issues.

It would be nice to get it into CSSU-T for larger group testing... ?

freemangordon 2014-06-21 21:03

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by shawnjefferson (Post 1430524)
Completely stable on my device, no issues.

It would be nice to get it into CSSU-T for larger group testing... ?

It should enter cssu-devel first, please either send(somehow) a patch series against https://gitorious.org/community-ssu/...13c16d60245c8: or clone that repo, merge (keeping the commits) and do a merge request, so 1. it could be reviewed (if possible) 2. someone with access to upload it in cssu-devel

shawnjefferson 2014-06-22 03:45

Re: N900, CSSU and OpenSSL
 
I think someone with more package-fu will have to get this into cssu-devel. All I did was download the openssl 0.9.8za source and compile it, no patching of existing versions or anything exotic. Is there more involved than a cssu-devel maintainer doing the same thing? (I guess what I'm asking is, is there any reason to not just go with the upstream 0.9.8za version?)

Packaging up a system package like this for cssu is a bit beyond my knowledge at the moment. :(

sixwheeledbeast 2014-06-22 07:55

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by freemangordon (Post 1430528)
so it could be reviewed (if possible)

This is why. If there are bugs (which is possible looking at the ABI compatibility) it would be nice to be able to have the code in git to fix.

I have never used git but is it possible to merge this into a new branch on cssu openssl git?

https://github.com/openssl/openssl/t...L_0_9_8-stable

Looks like they are preparing for 0.9.8zb from some of the notes there.

pali 2014-06-22 19:53

Re: N900, CSSU and OpenSSL
 
this page can be usefull: http://upstream-tracker.org/versions/openssl.html

jonwil 2014-06-23 13:02

Re: N900, CSSU and OpenSSL
 
Going straight to the source (OpenSSL dev team) and finding out if 0.9.8n and 0.9.8za are ABI compatible or not seems the best way to be sure.

jonwil 2014-10-19 23:12

Re: N900, CSSU and OpenSSL
 
ok, so http://www.cncmods.net/files/openssl.diff is a diff between the 0.9.8n stock tarball from openssl and the 0.9.8n-1+maemo4+0m5 version Fremantle is currently using. What is needed is for someone to take 0.9.8zc (current 0.9.8 version) and figure out which, if any, of the changes in that diff file need to be made to it. I dont know enough about openssl (or perl for that matter, referencing all those .pl files in the diff) do that.

Once that's been done, someone can put the results in https://gitorious.org/community-ssu/openssl and from there into CSSU.

joerg_rw 2014-10-20 07:04

Re: N900, CSSU and OpenSSL
 
seems the whole patch is just about J-PAKE in a test frame, and a zillion of shebang lines changed from
#!/usr/local/perl
to
#!perl
or similar.
wasn't able to spot any relevant difference, maybe due to the lots of noise in the diff. Also it's inverted (+++ vs ---) which doesn't help reading it.

shawnjefferson 2014-10-22 02:37

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by jonwil (Post 1443485)
ok, so http://www.cncmods.net/files/openssl.diff is a diff between the 0.9.8n stock tarball from openssl and the 0.9.8n-1+maemo4+0m5 version Fremantle is currently using. What is needed is for someone to take 0.9.8zc (current 0.9.8 version) and figure out which, if any, of the changes in that diff file need to be made to it. I dont know enough about openssl (or perl for that matter, referencing all those .pl files in the diff) do that.

Once that's been done, someone can put the results in https://gitorious.org/community-ssu/openssl and from there into CSSU.

Is there really any reason not to just run the current version? I've been running 0.9.8za on my device for months with no ill effects. Are there "special patches" that were created just for the n900?

jonwil 2014-10-22 08:54

Re: N900, CSSU and OpenSSL
 
I have no idea if the (Nokia-specific) changes in that .diff file matter or not, hence why I posted it here so someone who knows more than I do can figure that out.

shawnjefferson 2014-10-25 03:22

Re: N900, CSSU and OpenSSL
 
I still think that just compiling the latest version, having someone who has the ability packaging it up in CSSU dev/testing and having some people test it out is easier (and better) than having someone try to understand what the openssl code is doing, all the patches, etc...

Unless through testing something is discovered that just doesn't work properly, of course.

jonwil 2014-10-25 07:52

Re: N900, CSSU and OpenSSL
 
Yes lets just take 0.9.8zc and stick it in CSSU and see what happens.

joerg_rw 2014-10-25 08:48

Re: N900, CSSU and OpenSSL
 
+1

tenchar

Dongle Fongle 2015-03-09 19:29

Re: N900, CSSU and OpenSSL
 
Would be great

Quote:

Originally Posted by jonwil (Post 1444271)
Yes lets just take 0.9.8zc and stick it in CSSU and see what happens.


independent 2015-03-10 19:23

Re: N900, CSSU and OpenSSL
 
It sounds like ssl3 needs to be disabled at compiled time so that is always an option with the old 0.9.8n.

It doesn't sound like 0.9.8zc will add tls1.1 or tls1.2

freemangordon 2015-03-16 21:09

Re: N900, CSSU and OpenSSL
 
feel free to test http://46.249.74.23/openssl/ , if device boots with those, I might upload packages to cssu-devel

xes 2015-03-17 08:47

Re: N900, CSSU and OpenSSL
 
So far reboot, https, modest, openvpn, supl and also a few closed bins are working fine.

Testers are welcome.

wicket 2015-03-17 18:14

Re: N900, CSSU and OpenSSL
 
A quick heads up. We'll need a new build come Thursday due to a new high severity defect. It's not yet clear if the original Maemo OpenSSL build is vulnerable but it's highly likely that 0.9.8ze is.

http://www.mail-archive.com/openssl-.../msg00169.html

freemangordon 2015-03-17 20:39

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by wicket (Post 1464296)
A quick heads up. We'll need a new build come Thursday due to a new high severity defect. It not yet clear if the original Maemo OpenSSL build is vulnerable but it's highly likely that 0.9.8ze is.

http://www.mail-archive.com/openssl-.../msg00169.html

I will wait for that release before pushing it into cssu-devel

xes 2015-03-19 22:39

Re: N900, CSSU and OpenSSL
 
Seriously, no one here is interested in testing an updated openssl package?


All times are GMT. The time now is 01:08.

vBulletin® Version 3.8.8