N900, CSSU and OpenSSL
 

In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients
Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this?

Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or if they are closed, look at how to replace them with something open)

Re: N900, CSSU and OpenSSL
 

http://www.symantec.com/connect/blog...ter-heartbleed

It seems we avoided heartbleed issues by being on 0.9.8n, however, latest CVE's recommend updating 0.9.8 to 0.9.8za

I believe some of your question where discussed on the heartbleed thread http://talk.maemo.org/showthread.php?t=92998

Re: N900, CSSU and OpenSSL
 

Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?

Re: N900, CSSU and OpenSSL
 

http://maemo.org/packages/view/libssl0.9.8/
http://maemo.org/packages/view/openssl/

Re: N900, CSSU and OpenSSL
 

Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

Re: N900, CSSU and OpenSSL
 

I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.

Re: N900, CSSU and OpenSSL
 

Community is not just ask and receive.

Everyone can contribute, maybe with small things, but the concept of community starts from this.

No one owns, everyone contributes to make it better

Re: N900, CSSU and OpenSSL
 

The only option we have is to backport the needed patches, otherwise we'll break the ABI.

Point me to the patch that fixes that CVE and I'll see what I can do

EDIT:
"Pointing" is raising a bug on BMO, place a link to bug here

Re: N900, CSSU and OpenSSL
 

@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time.
For sure latest CVE 2014-0224 is really a pain for every mobile device using a vpn.
ref: http://www.openssl.org/news/secadv_20140605.txt
So also CVE 2014 0195/221/3470 affect the N900's openssl current version.

After this, we should expect many openssl updates in the next months since actually there is a massive bug hunting..

Re: N900, CSSU and OpenSSL
 

No, as it will break the ABI, the version in CSSU is the latest that don't break it.

So, if someone finds the relevant patches/commits, I'll backport them in CSSU

Re: N900, CSSU and OpenSSL
 

@freemangordon
also remaining inside 0.9.8 branch?

After 0.9.8n most part of changes are fixes and a few new api.
Are you sure we could break something with 0.9.8za?

https://www.openssl.org/news/openssl-notes.html
http://git.openssl.org/gitweb/?p=ope...s/heads/master
http://upstream-tracker.org/versions/openssl.html

Re: N900, CSSU and OpenSSL
 

http://upstream-tracker.org/compat_r..._Risk_Problems

we have CVE-2010-0742 fix included in CSSU, so the version is effectively 0.9.8o

Sure, someone can check if the above change affects maemo, but I'd consider that it breaks the ABI until shown some evidence of the opposite. Which might not be possible if we have closed source binaries using openssl

EDIT:
IMO the sane way is to find all the stuff like https://www.openssl.org/news/secadv_20101116.txt and include those patches in CSSU openssl

Re: N900, CSSU and OpenSSL
 

Is this helpful?
https://privatepaste.com/81efcde966

Re: N900, CSSU and OpenSSL
 

definitely useful, thanks sixwheeledbeast!
/j

Re: N900, CSSU and OpenSSL
 

Things I can find that link to libssl or libcrypto and are closed source:
as-daemon (part of the stuff for talking to Microsoft email servers)
browser.launch (main browser binary)
eapd (WiFi security daemon)
intellisyncd (part of nokia messaging)
libconnui_iapsettings.so.0 (related to WiFi security)
libflashplayer.so (Flash player plugin)
libiap_dialog_gtc_challenge.so (related to WiFi security)
libiap_dialog_mschap_challenge.so (related to WiFi security)
libiap_dialog_private_key_pw.so (related to WiFi security)
libiap_dialog_server_cert.so (related to WiFi security)
libiap_dialog_wps.so (related to WiFi security)
libiap_wizzard_wlan.so (related to WiFi security)
libinternetsettings.so (internet settings control panel)
libshareonovi.so (handles sharing to OVI)
libsync4j.so.3 (syncml stuff)
location-proxy (handles GPS SUPL and network related stuff)
osso-backup.launch (backup tool)
ota-settings (handles internet settings sent over-the-air)
signond (single-sign-on daemon)
syncd (part of maesync, whatever that is)

Identifying which of these binaries call potentially-broken functions (i.e. those who's ABI may have changed between the 0.9.8n we have now and the latest 0.9.8za release) should be possible if someone can come up with a list of all such functions.

Some of these binaries may only use bits of openssl that haven't changed between 0.9.8n and 0.9.8za (e.g. crypto stuff like AES or SHA or HMAC) and some may be things we dont need anymore (e.g. nokiamessaging). Some may link to the libraries but not actually import any functions from them.

Re: N900, CSSU and OpenSSL
 

Also things may not be incompatible based on my reading of the openssl stuff.

For example the changes to data types in 0.9.8p listed as being in dtls1.h and ssl3.h only affect the SSL structure which (per my reading of the SSL documentation) is a notionally-opaque structure anyway, never accessed directly only created via SSL_new and accessed via other SSL_xxx functions.

Re: N900, CSSU and OpenSSL
 

A bit off-topic, but what I meant by "own" is that a small group/team decides what goes in CSSU and what doesn't. Things like libssl updates a no-brainer of course.

Too bad that going above 0.9.8n breaks ABI compatibility. I would have thought that updates within a major/minor version wouldn't have done so, but apparently it might? Might just need to be tested after reading above... Throw libssl 0.9.8za into CSSU dev and have some folks test it out? If it doesn't blow up everything, push it into Testing and await bug reports... that's what Testing is for right?

Seems like an easier route than backporting all the patches to 0.9.8n if we don't really need to do so.

Edit: thought I would try it... so I compiled 0.9.8za and running it on my device now, and will test for a couple of days.

Edit2: no problems with HAM, Opera or MicroB.

Re: N900, CSSU and OpenSSL
 

I encountered no problems with anything running 0.9.8za, and decided to thumb compile libssl, libcrypto and openssl so am running those now on my device without issue. (Seems like the possible ABI issue may be not relevant.)

I've tested:
Certman
Opera
Microb
HAM
FAM
nmap

anything else specifically I should test?

Re: N900, CSSU and OpenSSL
 

Maybe the answer is to go straight to the horses mouth and ask if 0.9.8za has any ABI-breaking changes vs 0.9.8n.

Re: N900, CSSU and OpenSSL
 

What do we think about 0.9.8za?
Is it likely to be stable or is still best to backport them?

Re: N900, CSSU and OpenSSL
 

Completely stable on my device, no issues.

It would be nice to get it into CSSU-T for larger group testing... ?

Re: N900, CSSU and OpenSSL
 

It should enter cssu-devel first, please either send(somehow) a patch series against https://gitorious.org/community-ssu/...13c16d60245c8: or clone that repo, merge (keeping the commits) and do a merge request, so 1. it could be reviewed (if possible) 2. someone with access to upload it in cssu-devel

Re: N900, CSSU and OpenSSL
 

I think someone with more package-fu will have to get this into cssu-devel. All I did was download the openssl 0.9.8za source and compile it, no patching of existing versions or anything exotic. Is there more involved than a cssu-devel maintainer doing the same thing? (I guess what I'm asking is, is there any reason to not just go with the upstream 0.9.8za version?)

Packaging up a system package like this for cssu is a bit beyond my knowledge at the moment. :(

Re: N900, CSSU and OpenSSL
 

This is why. If there are bugs (which is possible looking at the ABI compatibility) it would be nice to be able to have the code in git to fix.

I have never used git but is it possible to merge this into a new branch on cssu openssl git?

https://github.com/openssl/openssl/t...L_0_9_8-stable

Looks like they are preparing for 0.9.8zb from some of the notes there.

Re: N900, CSSU and OpenSSL
 

this page can be usefull: http://upstream-tracker.org/versions/openssl.html

Re: N900, CSSU and OpenSSL
 

Going straight to the source (OpenSSL dev team) and finding out if 0.9.8n and 0.9.8za are ABI compatible or not seems the best way to be sure.

Re: N900, CSSU and OpenSSL
 

ok, so http://www.cncmods.net/files/openssl.diff is a diff between the 0.9.8n stock tarball from openssl and the 0.9.8n-1+maemo4+0m5 version Fremantle is currently using. What is needed is for someone to take 0.9.8zc (current 0.9.8 version) and figure out which, if any, of the changes in that diff file need to be made to it. I dont know enough about openssl (or perl for that matter, referencing all those .pl files in the diff) do that.

Once that's been done, someone can put the results in https://gitorious.org/community-ssu/openssl and from there into CSSU.

Re: N900, CSSU and OpenSSL
 

seems the whole patch is just about J-PAKE in a test frame, and a zillion of shebang lines changed from
#!/usr/local/perl
to
#!perl
or similar.
wasn't able to spot any relevant difference, maybe due to the lots of noise in the diff. Also it's inverted (+++ vs ---) which doesn't help reading it.

Re: N900, CSSU and OpenSSL
 

Is there really any reason not to just run the current version? I've been running 0.9.8za on my device for months with no ill effects. Are there "special patches" that were created just for the n900?

Re: N900, CSSU and OpenSSL
 

I have no idea if the (Nokia-specific) changes in that .diff file matter or not, hence why I posted it here so someone who knows more than I do can figure that out.

Re: N900, CSSU and OpenSSL
 

I still think that just compiling the latest version, having someone who has the ability packaging it up in CSSU dev/testing and having some people test it out is easier (and better) than having someone try to understand what the openssl code is doing, all the patches, etc...

Unless through testing something is discovered that just doesn't work properly, of course.

Re: N900, CSSU and OpenSSL
 

Yes lets just take 0.9.8zc and stick it in CSSU and see what happens.

Re: N900, CSSU and OpenSSL
 

+1

tenchar

Re: N900, CSSU and OpenSSL
 

Would be great

Re: N900, CSSU and OpenSSL
 

It sounds like ssl3 needs to be disabled at compiled time so that is always an option with the old 0.9.8n.

It doesn't sound like 0.9.8zc will add tls1.1 or tls1.2

Re: N900, CSSU and OpenSSL
 

feel free to test http://46.249.74.23/openssl/ , if device boots with those, I might upload packages to cssu-devel

Re: N900, CSSU and OpenSSL
 

So far reboot, https, modest, openvpn, supl and also a few closed bins are working fine.

Testers are welcome.

Re: N900, CSSU and OpenSSL
 

A quick heads up. We'll need a new build come Thursday due to a new high severity defect. It's not yet clear if the original Maemo OpenSSL build is vulnerable but it's highly likely that 0.9.8ze is.

http://www.mail-archive.com/openssl-.../msg00169.html

Re: N900, CSSU and OpenSSL
 

I will wait for that release before pushing it into cssu-devel

Re: N900, CSSU and OpenSSL
 

Seriously, no one here is interested in testing an updated openssl package?