Full guide to stock S/W on N900 that is using OpenSSL
This thread is going to document all the software on a stock N900 root filesystem (what you get if you unpack the FIASCO image and then mount the UBIFS, i.e. no optification or anything else done to the system) that talks to openssl.
Firstly I will list all the binaries that link to openssl along with the packages they belong to and whether those packages are open or closed. Then I will list (for each closed binary) which openssl functions it appears to be calling/talking to. The intent is to provide the information necessary to allow a newer OpenSSL version (e.g. OpenSSL 1.0.2 or LibreSSL) to be installed via CSSU as well as some clues as to the likely security risks caused by the remaining talks-to-openssl closed binaries (that risk is determined by a combination of which openssl functions they use and where, if anywhere, they are talking to in the outside world).

List of binaries using openssl and which packages they are in:

as-daemon (as-daemon-0, closed source)
b64 (maemosec-certman-tools, open source)
browser.launch (tablet-browser-ui, closed source)
cmcli (maemosec-certman-tools, open source)
eapd (osso-wlan-security, closed source)
intellisyncd (nokiamessaging, closed source and obsolete)
libclinkc.so.0.0.0 (clinkc0, open source)
libconnui_iapsettings.so.0.0.0 (connui-iapsettings, closed source)
libcurl.so.4.1.0 (libcurl3, open source)
libflashplayer.so (adobe-flashplayer, closed source)
libiap_dialog_gtc_challenge.so (connui-conndlgs-wlan, open source)
libiap_dialog_mschap_change.so (connui-conndlgs-wlan, closed source)
libiap_dialog_private_key_pw.so (connui-conndlgs-wlan, open source)
libiap_dialog_server_cert.so (connui-conndlgs-wlan, open source)
libiap_dialog_wps.so (connui-conndlgs-wlan, closed source)
libiap_wizard_wlan.so (connui-iapsettings-wlan, closed source)
libinternetsettings.so (connui-iapsettings, closed source)
liblomesa.so.0.0.0 (liblomesa0, closed source)
libloudmouth-1.so.0.1.0 (libloudmouth1-0, open source)
libmaemosec.so.0.0.0 (libmaemosec0, open source)
libmaemosec_certman.so.0.0.0 (libmaemosec-certman0, open source)
libmaemosec_certman_applet.so (maemosec-certman-applet, open source)
libmaemosec_certman_dialogs.so.0.0.0 (maemosec-certman-applet, open source)
libmicrob-eal.so.0.0.0 (microb-eal, open source)
libQtNetwork.so.4.7.0 (libqt4-network, open source)
libshareonovi.so (sharing-service-ovi, closed source and obsolete)
libsofia-sip-ua-glib.so.3.0.0 (libsofia-sip-ua-glib3, open source)
libsofia-sip-ua.so.0.6.0 (libsofia-sip-ua0, open source)
libsync4j.so.3.0.0 (funambol-cpp-api, closed source)
location-proxy (location-proxy, closed source)
maemosec_certman_service (maemosec-certman-applet, open source)
nsscfg (maemosec-certman-tools, open source)
osso-backup.launch (osso-backup, closed source)
ota-settings (ota-settings, closed source)
signond (signond0, closed source)
sscli (maemosec-certman-tools, open source)
syncd (maesync-backend, closed source)
xmlpp (maemosec-certman-tools, open source)
Xorg (xserver-xorg-core, open source)
Re: Full guide to stock S/W on N900 that is using OpenSSL
Ok so ignoring the open source binaries above (which we can port to something newer easily) and the obsolete nokiamessaging/ovi stuff (which we can remove easily enough without breaking things) the list of closed source targets using openssl is:
as-daemon
browser.launch
eapd
libconnui_iapsettings.so.0.0.0
libflashplayer.so
libiap_dialog_mschap_change.so
libiap_dialog_wps.so
libiap_wizard_wlan.so
libinternetsettings.so
liblomesa.so.0.0.0
libsync4j.so.3.0.0
location-proxy
osso-backup.launch
ota-settings
signond
syncd

Now to go through and see which openssl functions each binary calls.
Re: Full guide to stock S/W on N900 that is using OpenSSL
list of binaries and which symbols in libssl or libcrypto they appear to link to:
as-daemon
ASN1_INTEGER_to_BN ASN1_STRING_to_UTF8 BN_bn2hex BN_free CRYPTO_free CRYPTO_malloc EVP_sha1 OBJ_obj2nid sk_find sk_num sk_value SSL_CTX_get_ex_data SSL_CTX_set_cert_verify_callback SSL_CTX_set_client_cert_cb SSL_CTX_set_ex_data SSL_get_client_CA_list SSL_get_SSL_CTX X509_digest X509_dup X509_free X509_get_issuer_name X509_get_serialNumber X509_get_subject_name X509_NAME_oneline X509_STORE_add_cert X509_STORE_CTX_free X509_STORE_CTX_init X509_STORE_CTX_new X509_STORE_free X509_STORE_new X509_verify_cert X509_verify_cert_error_string

browser.launch
X509_free X509_get_subject_name X509_NAME_get_text_by_NID

eapd
AES_decrypt AES_encrypt AES_set_decrypt_key AES_set_encrypt_key BN_bin2bn BN_bn2bin BN_clear_free BN_num_bits CRYPTO_cleanup_all_ex_data d2i_DSAPrivateKey d2i_DSAPublicKey d2i_RSAPrivateKey d2i_RSAPublicKey d2i_X509 d2i_X509_fp DES_decrypt3 DES_encrypt3 DES_set_key_unchecked DH_check DH_compute_key DH_free DH_generate_key DH_new DSA_free DSA_sign DSA_size DSA_verify ENGINE_by_id ENGINE_ctrl_cmd ENGINE_ctrl_cmd_string ENGINE_finish ENGINE_free ENGINE_init ENGINE_load_builtin_engines ENGINE_load_private_key ENGINE_set_default ERR_free_strings ERR_get_error ERR_print_errors_fp ERR_remove_state EVP_cleanup EVP_PKEY_free EVP_PKEY_type i2d_PrivateKey i2d_PublicKey i2d_X509 MD4_Final MD4_Init MD4_Update MD5_Final MD5_Init MD5_Update OBJ_sn2nid OPENSSL_add_all_algorithms_noconf PEM_read_X509 RAND_bytes RAND_seed RC4 RC4_set_key RSA_free RSA_private_decrypt RSA_private_encrypt RSA_public_decrypt RSA_public_encrypt RSA_sign RSA_size RSA_verify SHA1_Final SHA1_Init SHA1_Update SHA256_Final SHA256_Init SHA256_Update sk_new_null sk_num sk_pop_free sk_push sk_value SSL_library_init UI_OpenSSL X509_dup X509_free X509_get_pubkey X509_get_subject_name X509_NAME_get_text_by_NID X509_STORE_add_cert X509_STORE_CTX_free X509_STORE_CTX_get_error X509_STORE_CTX_init X509_STORE_CTX_new X509_STORE_free X509_STORE_new X509_verify_cert X509_verify_cert_error_string X509v3_get_ext X509v3_get_ext_by_NID

libconnui_iapsettings.so.0.0.0
ASN1_STRING_to_UTF8 CRYPTO_free X509_get_subject_name X509_NAME_ENTRY_get_data X509_NAME_get_entry X509_NAME_get_index_by_NID

libflashplayer.so (links to libcrypto dynamically via dlopen/dlsym)
SSLeay_version OpenSSL_add_all_ciphers OpenSSL_add_all_digests BIO_new_mem_buf BIO_new BIO_free BIO_s_mem BIO_new_file d2i_X509_bio X509_STORE_new X509_STORE_free X509_STORE_add_cert X509_free BIO_ctrl d2i_PKCS7_bio PKCS7_verify PKCS7_free

libiap_dialog_mschap_change.so
none (doesn't actually use any functions from openssl even though it links to the libs)

libiap_dialog_wps.so
none (doesn't actually use any functions from openssl even though it links to the libs)

libiap_wizard_wlan.so
none (doesn't actually use any functions from openssl even though it links to the libs)

libinternetsettings.so
none (doesn't actually use any functions from openssl even though it links to the libs)

liblomesa.so.0.0.0
none (doesn't actually use any functions from openssl even though it links to the libs)

libsync4j.so.3.0.0
none (doesn't actually use any functions from openssl even though it links to the libs)

location-proxy
ASN1_STRING_data ASN1_STRING_length BIO_ctrl BIO_free BIO_new BIO_read BIO_s_connect BIO_test_flags BIO_write ERR_error_string ERR_free_strings ERR_get_error ERR_reason_error_string GENERAL_NAMES_free sk_num sk_value SSL_connect SSL_CTX_ctrl SSL_CTX_free SSL_CTX_new SSL_CTX_set_cert_store SSL_CTX_set_verify SSL_free SSL_get_error SSL_get_peer_certificate SSL_get_verify_result SSL_library_init SSL_load_error_strings SSL_new SSL_read SSL_set_bio SSL_shutdown SSL_write TLSv1_method X509_free X509_get_ext_d2i X509_get_subject_name X509_NAME_get_text_by_NID

osso-backup.launch
AES_decrypt AES_encrypt AES_set_decrypt_key AES_set_encrypt_key SHA1

ota-settings
EVP_sha1 HMAC HMAC_CTX_cleanup HMAC_CTX_init

signond
AES_ctr128_encrypt AES_encrypt AES_set_encrypt_key EVP_aes_256_cbc EVP_aes_256_ecb EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_init EVP_DecryptFinal EVP_DecryptInit EVP_DecryptUpdate EVP_EncryptFinal EVP_EncryptInit EVP_EncryptUpdate OPENSSL_cleanse RAND_bytes RAND_seed RAND_status SHA256 SHA256_Final SHA256_Init SHA256_Update

syncd
none (doesn't actually use any functions from openssl even though it links to the libs)
Re: Full guide to stock S/W on N900 that is using OpenSSL
Now we just need someone who knows more about openssl to assess these and figure how risky these are (based on the functions they call and what the binaries do)
Re: Full guide to stock S/W on N900 that is using OpenSSL
So if we go for latest versions (presuming our gcc/libc etc. are supported), I guess we could just list missing/changed API calls and find a way (patch, compat library or something) to make them available?
The thing immediately standing out to me, from latest news articles, is the SHA1-related functions. With major browsers removing support, is it something that you want kicking around? Same could be said for any other deprecated encryption models.
Re: Full guide to stock S/W on N900 that is using OpenSSL
In regards to SHA1, its use in SSL/TLS certificates is what is being deprecated. The other uses of SHA1 (e.g. in eapd or osso-backup) aren't an issue (they are either not using SHA1 in a way that is a security risk or are only using it in code to support old protocols and stuff, and if you use newer more secure protocols it's not an issue).
In terms of browser stuff we need to:
1. Ensure that the root certificates in https://github.com/community-ssu/maemo-security-certman are up-to-date
2. Bring in a newer OpenSSL version that supports all the latest features and crypto (making sure to deal with any maemo-specific patches)
3. Bring in a newer NSS version that supports all the latest features and crypto (making sure to deal with any maemo-specific patches)
4. Update microb-engine to use the new NSS and to use the right security settings and other things
5. Update QT to use the new OpenSSL and to use the right security settings and other things
6. Update libcurl to use the new OpenSSL and to use the right security settings and other things (if it's possible to bring in a newer upstream curl and remain ABI compatible, let's do that) and
7. If there are any APIs in libcurl that relate to using the right security settings and things, figure out who is using them and fix things somehow so the right security settings are being picked.
Re: Full guide to stock S/W on N900 that is using OpenSSL
I have done some more research on this.
The following closed-source binaries link to libssl.so.0.9.8:

as-daemon
browser.launch
eapd
intellisyncd
libconnui_iapsettings.so.0.0.0
libiap_dialog_gtc_challenge.so
libiap_dialog_mschap_change.so
libiap_dialog_private_key_pw.so
libiap_dialog_server_cert.so
libiap_dialog_wps.so
libiap_wizard_wlan.so
libinternetsettings.so
liblomesa.so.0.0.0
libshareonovi.so
libsync4j.so.3.0.0
location-proxy
osso-backup.launch
ota-settings
signond
syncd

The following binaries actually call functions in libssl.so.0.9.8:

as-daemon calls SSL_CTX_get_ex_data SSL_CTX_set_cert_verify_callback SSL_CTX_set_client_cert_cb SSL_CTX_set_ex_data SSL_get_SSL_CTX SSL_get_client_CA_list

eapd calls SSL_library_init

intellisyncd calls SSL_CTX_free SSL_CTX_new SSL_connect SSL_free SSL_get_error SSL_library_init SSL_load_error_strings SSL_new SSL_read SSL_set_bio SSL_write SSLv3_method

location-proxy calls SSL_CTX_ctrl SSL_CTX_free SSL_CTX_new SSL_CTX_set_cert_store SSL_CTX_set_verify SSL_connect SSL_free SSL_get_error SSL_get_peer_certificate SSL_get_verify_result SSL_library_init SSL_load_error_strings SSL_new SSL_read SSL_set_bio SSL_shutdown SSL_write TLSv1_method

The following closed-source binaries link to libcrypto.so.0.9.8:

as-daemon
browser.launch
eapd
intellisyncd
libconnui_iapsettings.so.0.0.0
libiap_dialog_gtc_challenge.so
libiap_dialog_mschap_change.so
libiap_dialog_private_key_pw.so
libiap_dialog_server_cert.so
libiap_dialog_wps.so
libiap_wizard_wlan.so
libinternetsettings.so
libsync4j.so.3.0.0
location-proxy
osso-backup.launch
ota-settings
signond
syncd

The following binaries actually call functions in libcrypto.so.0.9.8:

as-daemon calls ASN1_INTEGER_to_BN ASN1_STRING_to_UTF8 BN_bn2hex BN_free CRYPTO_free CRYPTO_malloc EVP_sha1 OBJ_obj2nid X509_NAME_oneline X509_STORE_CTX_free X509_STORE_CTX_init X509_STORE_CTX_new X509_STORE_add_cert X509_STORE_free X509_STORE_new X509_digest X509_dup X509_free X509_get_issuer_name X509_get_serialNumber X509_get_subject_name X509_verify_cert X509_verify_cert_error_string sk_find sk_num sk_value

browser.launch calls X509_NAME_get_text_by_NID X509_free X509_get_subject_name

eapd calls AES_decrypt AES_encrypt AES_set_decrypt_key AES_set_encrypt_key BN_bin2bn BN_bn2bin BN_clear_free BN_num_bits CRYPTO_cleanup_all_ex_data DES_decrypt3 DES_encrypt3 DES_set_key_unchecked DH_check DH_compute_key DH_free DH_generate_key DH_new DSA_free DSA_sign DSA_size DSA_verify ENGINE_by_id ENGINE_ctrl_cmd ENGINE_ctrl_cmd_string ENGINE_finish ENGINE_free ENGINE_init ENGINE_load_builtin_engines ENGINE_load_private_key ENGINE_set_default ERR_free_strings ERR_get_error ERR_print_errors_fp ERR_remove_state EVP_PKEY_free EVP_PKEY_type EVP_cleanup MD4_Final MD4_Init MD4_Update MD5_Final MD5_Init MD5_Update OBJ_sn2nid OPENSSL_add_all_algorithms_noconf PEM_read_X509 RAND_bytes RAND_seed RC4 RC4_set_key RSA_free RSA_private_decrypt RSA_private_encrypt RSA_public_decrypt RSA_public_encrypt RSA_sign RSA_size RSA_verify SHA1_Final SHA1_Init SHA1_Update SHA256_Final SHA256_Init SHA256_Update UI_OpenSSL X509_NAME_get_text_by_NID X509_STORE_CTX_free X509_STORE_CTX_get_error X509_STORE_CTX_init X509_STORE_CTX_new X509_STORE_add_cert X509_STORE_free X509_STORE_new X509_dup X509_free X509_get_pubkey X509_get_subject_name X509_verify_cert X509_verify_cert_error_string X509v3_get_ext X509v3_get_ext_by_NID d2i_DSAPrivateKey d2i_DSAPublicKey d2i_RSAPrivateKey d2i_RSAPublicKey d2i_X509 d2i_X509_fp i2d_PrivateKey i2d_PublicKey i2d_X509 sk_new_null sk_num sk_pop_free sk_push sk_value

intellisyncd calls BIO_new_socket

libconnui_iapsettings.so.0.0.0 calls ASN1_STRING_to_UTF8 CRYPTO_free X509_NAME_ENTRY_get_data X509_NAME_get_entry X509_NAME_get_index_by_NID X509_get_subject_name

libshareonovi.so calls EVP_sha1 HMAC_CTX_cleanup HMAC_Final HMAC_Init HMAC_Update

location-proxy calls ASN1_STRING_data ASN1_STRING_length BIO_ctrl BIO_free BIO_new BIO_read BIO_s_connect BIO_test_flags BIO_write ERR_error_string ERR_free_strings ERR_get_error ERR_reason_error_string GENERAL_NAMES_free X509_NAME_get_text_by_NID X509_free X509_get_ext_d2i X509_get_subject_name sk_num sk_value

osso-backup calls AES_decrypt AES_encrypt AES_set_decrypt_key AES_set_encrypt_key SHA1

ota-settings calls EVP_sha1 HMAC HMAC_CTX_cleanup HMAC_CTX_init

signond calls AES_ctr128_encrypt AES_encrypt AES_set_encrypt_key EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_init EVP_DecryptFinal EVP_DecryptInit EVP_DecryptUpdate EVP_EncryptFinal EVP_EncryptInit EVP_EncryptUpdate EVP_aes_256_cbc EVP_aes_256_ecb OPENSSL_cleanse RAND_bytes RAND_seed RAND_status SHA256 SHA256_Final SHA256_Init SHA256_Update

libflashplayer.so also links to libcrypto but via dlopen. It uses dlopen to open libcrypto.so, libcrypto.so.2 and libcrypto.so.0 and it uses dlsym to try and access the following functions:

SSLeay_version OpenSSL_add_all_ciphers OpenSSL_add_all_digests BIO_new_mem_buf BIO_new BIO_free BIO_s_mem BIO_new_file d2i_X509_bio X509_STORE_new X509_STORE_free X509_STORE_add_cert X509_free BIO_ctrl d2i_PKCS7_bio PKCS7_verify PKCS7_free

The following open source packages link to libssl or libcrypto or both:

clinkc
curl
loudmouth
maemo-security-certman
maemo-security-certman-applet
qt4-x11
sofia-sip
microb-eal
xorg-server
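The difference between linking to a library and actually calling into it, which the post above tabulates, can be read from a binary's dynamic section and import table. The following is an added example, not part of the thread: the sample text, the `LIB_EXPORTS` sets and the function names are constructed for illustration and assume the output layout of `readelf -d` and `readelf --dyn-syms -W`.

```python
import re

# Constructed text in the layout of `readelf -d` and `readelf --dyn-syms -W`;
# it is not output captured from a real N900 binary.
SAMPLE_DYNAMIC = """\
 0x00000001 (NEEDED)                     Shared library: [libssl.so.0.9.8]
 0x00000001 (NEEDED)                     Shared library: [libcrypto.so.0.9.8]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
"""
SAMPLE_DYNSYMS = """\
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND SHA1
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND AES_encrypt
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.4 (2)
     4: 00008f10    52 FUNC    GLOBAL DEFAULT   12 main
"""
# Constructed stand-in for the symbols each library defines (in practice,
# the non-UND entries of `readelf --dyn-syms` run on the library itself).
LIB_EXPORTS = {
    "libssl.so.0.9.8": {"SSL_new", "SSL_connect", "SSL_library_init"},
    "libcrypto.so.0.9.8": {"SHA1", "AES_encrypt", "AES_decrypt", "X509_free"},
}
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed_libs(dynamic_text):
    """Return the DT_NEEDED library names, i.e. what the binary links to."""
    return NEEDED_RE.findall(dynamic_text)


def undefined_symbols(dynsyms_text):
    """Return the names the binary imports (section index UND)."""
    names = set()
    for line in dynsyms_text.splitlines():
        fields = line.split()  # Num: Value Size Type Bind Vis Ndx Name
        if len(fields) >= 8 and fields[0].endswith(":") and fields[6] == "UND":
            names.add(fields[7].split("@")[0])  # drop any @VERSION suffix
    return names


def openssl_usage(dynamic_text, dynsyms_text, lib_exports):
    """Map each linked OpenSSL library to the symbols actually imported."""
    imported = undefined_symbols(dynsyms_text)
    return {lib: sorted(imported & lib_exports[lib])
            for lib in needed_libs(dynamic_text) if lib in lib_exports}


if __name__ == "__main__":
    print(openssl_usage(SAMPLE_DYNAMIC, SAMPLE_DYNSYMS, LIB_EXPORTS))
```

An empty list for a library means it is linked but nothing is imported from it. A binary that reaches libcrypto through dlopen/dlsym, as described for libflashplayer.so, has neither a NEEDED entry nor UND symbols for it, so this check does not cover that case.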
Re: Full guide to stock S/W on N900 that is using OpenSSL
The way forward from where I sit is to:
1. Get latest OpenSSL (or libressl or whatever makes sense) running on Maemo Fremantle and into CSSU.
2. Recompile clinkc, curl, loudmouth, maemo-security-certman, maemo-security-certman-applet, qt4-x11, sofia-sip, microb-eal and xorg-server against the new OpenSSL and get those into CSSU.
3. For the nokiamessaging package (intellisyncd binary) and sharing-service-ovi package (libshareonovi.so binary), modify CSSU so it uninstalls these packages (these are obsolete and unless something has changed, the back-ends that made these work are no longer online so it should be safe to remove them).
4. For the remaining packages that are closed source and actually call functions in libssl/libcrypto, identify if their use of libssl/libcrypto is risky or not and if it's considered "risky", figure out how to deal with it.
5. For the packages that link to libssl/libcrypto but don't actually call any functions in them, do nothing (since it's not a security risk in those cases) and
6. Enjoy the benefits of all the latest openssl security fixes straight from the openssl team whilst keeping those few pieces of the system that actually call functions in libssl/libcrypto working.
Re: Full guide to stock S/W on N900 that is using OpenSSL
Of course none of this does a thing about NSS or microb (the upgrading of which is a whole different kettle of fish and is much harder)