N900, CSSU and OpenSSL
In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients
Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this? Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or, if they are closed, look at how to replace them with something open). |
Re: N900, CSSU and OpenSSL
http://www.symantec.com/connect/blog...ter-heartbleed
It seems we avoided heartbleed issues by being on 0.9.8n; however, the latest CVEs recommend updating 0.9.8 to 0.9.8za. I believe some of your questions were discussed on the heartbleed thread http://talk.maemo.org/showthread.php?t=92998 |
Re: N900, CSSU and OpenSSL
Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?
|
Re: N900, CSSU and OpenSSL
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.
|
Re: N900, CSSU and OpenSSL
Quote:
More a small dedicated group of devs contribute to it as a team. |
Re: N900, CSSU and OpenSSL
Community is not just ask and receive.
Everyone can contribute, maybe with small things, but the concept of community starts from this. No one owns, everyone contributes to make it better |
Re: N900, CSSU and OpenSSL
Quote:
Point me to the patch that fixes that CVE and I'll see what I can do.
EDIT: "Pointing" is raising a bug on BMO, place a link to bug here |
Re: N900, CSSU and OpenSSL
@freemangordon
Maybe rebasing on 0.9.8za and applying the nokia/maemo patches to that would require almost the same time. For sure the latest CVE 2014-0224 is really a pain for every mobile device using a vpn. ref: http://www.openssl.org/news/secadv_20140605.txt So also CVE 2014 0195/221/3470 affect the N900's current openssl version. After this, we should expect many openssl updates in the next months since actually there is a massive bug hunt going on. |
Re: N900, CSSU and OpenSSL
Quote:
So, if someone finds the relevant patches/commits, I'll backport them in CSSU |
Re: N900, CSSU and OpenSSL
@freemangordon
Also when remaining inside the 0.9.8 branch? After 0.9.8n most of the changes are fixes and a few new APIs. Are you sure we could break something with 0.9.8za?
https://www.openssl.org/news/openssl-notes.html
http://git.openssl.org/gitweb/?p=ope...s/heads/master
http://upstream-tracker.org/versions/openssl.html |
Re: N900, CSSU and OpenSSL
http://upstream-tracker.org/compat_r..._Risk_Problems
We have the CVE-2010-0742 fix included in CSSU, so the version is effectively 0.9.8o. Sure, someone can check if the above change affects maemo, but I'd consider that it breaks the ABI until shown some evidence of the opposite. Which might not be possible if we have closed source binaries using openssl.
EDIT: IMO the sane way is to find all the stuff like https://www.openssl.org/news/secadv_20101116.txt and include those patches in CSSU openssl |
Re: N900, CSSU and OpenSSL
Is this helpful?
https://privatepaste.com/81efcde966 |
Re: N900, CSSU and OpenSSL
definitely useful, thanks sixwheeledbeast!
/j |
Re: N900, CSSU and OpenSSL
Things I can find that link to libssl or libcrypto and are closed source:
as-daemon (part of the stuff for talking to Microsoft email servers)
browser.launch (main browser binary)
eapd (WiFi security daemon)
intellisyncd (part of nokia messaging)
libconnui_iapsettings.so.0 (related to WiFi security)
libflashplayer.so (Flash player plugin)
libiap_dialog_gtc_challenge.so (related to WiFi security)
libiap_dialog_mschap_challenge.so (related to WiFi security)
libiap_dialog_private_key_pw.so (related to WiFi security)
libiap_dialog_server_cert.so (related to WiFi security)
libiap_dialog_wps.so (related to WiFi security)
libiap_wizzard_wlan.so (related to WiFi security)
libinternetsettings.so (internet settings control panel)
libshareonovi.so (handles sharing to OVI)
libsync4j.so.3 (syncml stuff)
location-proxy (handles GPS SUPL and network related stuff)
osso-backup.launch (backup tool)
ota-settings (handles internet settings sent over-the-air)
signond (single-sign-on daemon)
syncd (part of maesync, whatever that is)

Identifying which of these binaries call potentially-broken functions (i.e. those whose ABI may have changed between the 0.9.8n we have now and the latest 0.9.8za release) should be possible if someone can come up with a list of all such functions. Some of these binaries may only use bits of openssl that haven't changed between 0.9.8n and 0.9.8za (e.g. crypto stuff like AES or SHA or HMAC) and some may be things we don't need anymore (e.g. nokiamessaging). Some may link to the libraries but not actually import any functions from them. |
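One way to run the check proposed in the post above, as an added example that is not part of the original thread: intersect each binary's imported symbols (text output of `nm -D`) with the library's exports and a watch list of functions under suspicion. The binary names, the `nm` output and the `WATCHLIST` contents are constructed placeholders; the real watch list would have to come from an actual 0.9.8n vs 0.9.8za comparison.

```python
import re

# `nm -D` line: optional hex address, one-letter type, symbol name.
NM_LINE = re.compile(r"^\s*(?:([0-9a-fA-F]+)\s+)?([A-Za-z])\s+(\S+)\s*$")

def parse_nm(text):
    """Split `nm -D` output into (imported, exported) symbol-name sets."""
    imported, exported = set(), set()
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if m:
            name = m.group(3).split("@")[0]  # drop any symbol-version suffix
            # Lines with an address are defined (exported); without, imported.
            (exported if m.group(1) else imported).add(name)
    return imported, exported

def classify(binary_nm, lib_exports, watchlist):
    """Return (status, watched functions the binary imports)."""
    used = parse_nm(binary_nm)[0] & lib_exports  # ignore libc etc.
    hits = sorted(used & watchlist)
    if not used:
        return "links-only", hits  # linked, but imports nothing from the library
    return ("review" if hits else "unaffected"), hits

# Everything below is constructed sample data, not taken from a real N900.
LIB_NM = """\
0001a2b0 T SSL_new
0001a400 T SSL_ctrl
0001a5c0 T SSL_free
00020000 T SHA1
00020400 T HMAC
"""
WATCHLIST = {"SSL_ctrl"}  # placeholder; NOT a statement of what changed
BINARIES = {
    "example-tls-daemon": "         U SSL_new\n         U SSL_ctrl\n         U malloc\n",
    "example-hash-tool": "         U SHA1\n         U HMAC\n         U free\n",
    "example-links-only": "         U malloc\n         w __gmon_start__\n",
}

def audit():
    """Classify every sample binary against the library exports and watch list."""
    exports = parse_nm(LIB_NM)[1]
    return {name: classify(nm, exports, WATCHLIST) for name, nm in BINARIES.items()}

if __name__ == "__main__":
    for name, (status, hits) in audit().items():
        print(f"{name:20} {status:11} {', '.join(hits)}")
```

An import check like this only covers function calls: a binary that reads structure fields directly, or resolves symbols at run time with `dlsym`, would not show up and still needs testing on a device.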
Re: N900, CSSU and OpenSSL
Also things may not be incompatible based on my reading of the openssl stuff.
For example, the changes to data types in 0.9.8p listed as being in dtls1.h and ssl3.h only affect the SSL structure, which (per my reading of the SSL documentation) is a notionally-opaque structure anyway, never accessed directly, only created via SSL_new and accessed via other SSL_xxx functions. |
Re: N900, CSSU and OpenSSL
Quote:
Too bad that going above 0.9.8n breaks ABI compatibility. I would have thought that updates within a major/minor version wouldn't have done so, but apparently it might? Might just need to be tested after reading above... Throw libssl 0.9.8za into CSSU dev and have some folks test it out? If it doesn't blow up everything, push it into Testing and await bug reports... that's what Testing is for, right? Seems like an easier route than backporting all the patches to 0.9.8n if we don't really need to do so.
Edit: thought I would try it... so I compiled 0.9.8za and am running it on my device now, and will test for a couple of days.
Edit2: no problems with HAM, Opera or MicroB. |
Re: N900, CSSU and OpenSSL
I encountered no problems with anything running 0.9.8za, and decided to thumb compile libssl, libcrypto and openssl so am running those now on my device without issue. (Seems like the possible ABI issue may be not relevant.)
I've tested: Certman, Opera, Microb, HAM, FAM, nmap. Anything else specifically I should test? |
Re: N900, CSSU and OpenSSL
Maybe the answer is to go straight to the horse's mouth and ask if 0.9.8za has any ABI-breaking changes vs 0.9.8n.
|
Re: N900, CSSU and OpenSSL
What do we think about 0.9.8za?
Is it likely to be stable or is it still best to backport them? |
Re: N900, CSSU and OpenSSL
Completely stable on my device, no issues.
It would be nice to get it into CSSU-T for larger group testing... ? |
Re: N900, CSSU and OpenSSL
I think someone with more package-fu will have to get this into cssu-devel. All I did was download the openssl 0.9.8za source and compile it, no patching of existing versions or anything exotic. Is there more involved than a cssu-devel maintainer doing the same thing? (I guess what I'm asking is, is there any reason to not just go with the upstream 0.9.8za version?)
Packaging up a system package like this for cssu is a bit beyond my knowledge at the moment. :( |
Re: N900, CSSU and OpenSSL
Quote:
I have never used git but is it possible to merge this into a new branch on cssu openssl git? https://github.com/openssl/openssl/t...L_0_9_8-stable Looks like they are preparing for 0.9.8zb from some of the notes there. |
Re: N900, CSSU and OpenSSL
This page can be useful: http://upstream-tracker.org/versions/openssl.html
|
Re: N900, CSSU and OpenSSL
Going straight to the source (OpenSSL dev team) and finding out if 0.9.8n and 0.9.8za are ABI compatible or not seems the best way to be sure.
|
Re: N900, CSSU and OpenSSL
ok, so http://www.cncmods.net/files/openssl.diff is a diff between the 0.9.8n stock tarball from openssl and the 0.9.8n-1+maemo4+0m5 version Fremantle is currently using. What is needed is for someone to take 0.9.8zc (current 0.9.8 version) and figure out which, if any, of the changes in that diff file need to be made to it. I don't know enough about openssl (or perl for that matter, referencing all those .pl files in the diff) to do that.
Once that's been done, someone can put the results in https://gitorious.org/community-ssu/openssl and from there into CSSU. |
Re: N900, CSSU and OpenSSL
seems the whole patch is just about J-PAKE in a test frame, and a zillion of shebang lines changed from
#!/usr/local/perl to #!perl or similar. wasn't able to spot any relevant difference, maybe due to the lots of noise in the diff. Also it's inverted (+++ vs ---) which doesn't help reading it. |
Re: N900, CSSU and OpenSSL
I have no idea if the (Nokia-specific) changes in that .diff file matter or not, hence why I posted it here so someone who knows more than I do can figure that out.
|
Re: N900, CSSU and OpenSSL
I still think that just compiling the latest version, having someone who has the ability packaging it up in CSSU dev/testing and having some people test it out is easier (and better) than having someone try to understand what the openssl code is doing, all the patches, etc...
Unless through testing something is discovered that just doesn't work properly, of course. |
Re: N900, CSSU and OpenSSL
Yes, let's just take 0.9.8zc and stick it in CSSU and see what happens.
|
Re: N900, CSSU and OpenSSL
+1
tenchar |
Re: N900, CSSU and OpenSSL
Would be great
Quote:
|
Re: N900, CSSU and OpenSSL
It sounds like ssl3 needs to be disabled at compile time so that is always an option with the old 0.9.8n.
It doesn't sound like 0.9.8zc will add tls1.1 or tls1.2 |
Re: N900, CSSU and OpenSSL
feel free to test http://46.249.74.23/openssl/ , if device boots with those, I might upload packages to cssu-devel
|
Re: N900, CSSU and OpenSSL
So far reboot, https, modest, openvpn, supl and also a few closed bins are working fine.
Testers are welcome. |
Re: N900, CSSU and OpenSSL
A quick heads up. We'll need a new build come Thursday due to a new high severity defect. It's not yet clear if the original Maemo OpenSSL build is vulnerable but it's highly likely that 0.9.8ze is.
http://www.mail-archive.com/openssl-.../msg00169.html |
Re: N900, CSSU and OpenSSL
Seriously, no one here is interested in testing an updated openssl package?
|