The Following 27 Users Say Thank You to n9erator For This Useful Post: | ||
|
2021-02-06
, 21:07
|
|
Posts: 4,118 |
Thanked: 8,901 times |
Joined on Aug 2010
@ Ruhrgebiet, Germany
|
#2
|
|
2021-02-07
, 09:03
|
Posts: 1,293 |
Thanked: 4,319 times |
Joined on Oct 2014
|
#3
|
The Following 3 Users Say Thank You to nieldk For This Useful Post: | ||
|
2021-02-08
, 21:57
|
Posts: 1 |
Thanked: 3 times |
Joined on Feb 2021
|
#4
|
The Following 3 Users Say Thank You to pauloerweber For This Useful Post: | ||
|
2021-03-25
, 15:40
|
Posts: 119 |
Thanked: 217 times |
Joined on Feb 2015
@ Poland
|
#5
|
The Following User Says Thank You to badpixel For This Useful Post: | ||
|
2021-03-27
, 00:22
|
Posts: 6 |
Thanked: 44 times |
Joined on Jul 2020
|
#6
|
--- aegis-certman-common-ca.postinst.old 2012-05-08 06:26:05.000000000 -0500 +++ aegis-certman-common-ca.postinst 2020-06-30 21:16:56.040808550 -0500 @@ -1,12 +1,11 @@ #!/bin/sh -e if [ "$1" = "configure" ]; then + for deletename in /var/lib/aegis/certs/common-ca/*.pem; do + acmcli -C aegis-certman-common-ca::CertCACommonAdd \ + -lc common-ca -r `echo $deletename | sed "s/.*\/\([-0123456789abcdef]*\).*/\\1/"` + done; acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\ -a /usr/share/aegis-certman-common-ca/*.pem - # Remove DigiNotar CA if still in store - if [ -f /var/lib/aegis/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem ] ; then - acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\ - -r 8868bfe08e35c43b386b62f7283b8481c80cd74d - fi chmod 0777 /var/lib/aegis/certs if [ ! -e /usr/lib/ssl/certs ] then
--- certman_main.cpp.old 2012-05-08 06:26:05.000000000 -0500 +++ certman_main.cpp 2020-07-21 21:14:32.432448891 -0500 @@ -436,13 +436,13 @@ #define MAX_TRIES 100 void -make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result) +make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result, string &result_old) { X509* lcert = of_cert; char hash_file_name[32]; string full_name; - long hash; - int i; + long hash[2]; // changed to [0] for new, [1] for old + int i, j; // added counter j AEGIS_DEBUG(1, "%s: make hash to '%s'", __func__, to_certfile); if (NULL == lcert) { @@ -453,12 +453,18 @@ return; } } - hash = X509_subject_name_hash(lcert); + + // changed to array, now getting old hash as well + hash[0] = X509_subject_name_hash(lcert); + hash[1] = X509_subject_name_hash_old(lcert); + if (of_cert != lcert) X509_free(lcert); + + for (j = 0; j < 2; j++) { for (i = 0; i < MAX_TRIES; i++) { - snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash, i); + snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash[j], i); if (!pstore->contains_link(hash_file_name)) break; } @@ -466,7 +472,10 @@ AEGIS_ERROR("%s: %d colliding hash files for '%s'?", __func__, i, to_certfile); } else { - result.assign(hash_file_name); + if (j) result_old.assign(hash_file_name); + else result.assign(hash_file_name); + } + } } @@ -967,14 +976,17 @@ rc = errno; if (0 == rc) { - string hash_name; + string hash_name, hash_name_old; make_hash_filename(cert, mydomain->index, filename.c_str(), - hash_name); + hash_name, hash_name_old); if (!mydomain->index->contains_file(filename.c_str())) { mydomain->index->add_file(filename.c_str()); if ("" != hash_name) mydomain->index->add_link(hash_name.c_str(), filename.c_str()); + if ("" != hash_name_old) + mydomain->index->add_link(hash_name_old.c_str(), + filename.c_str()); if (do_commit) { if (!mydomain->index->commit()) { AEGIS_DEBUG(1, "%s: add of '%s' failed (%s)", __func__,
|
2021-03-27
, 13:16
|
Posts: 28 |
Thanked: 31 times |
Joined on May 2019
@ france
|
#7
|
The Following User Says Thank You to smartblu9 For This Useful Post: | ||
|
2021-03-27
, 13:38
|
Posts: 6 |
Thanked: 44 times |
Joined on Jul 2020
|
#8
|
--- aegis-certman-common-ca.postinst.old 2012-05-08 06:26:05.000000000 -0500 +++ aegis-certman-common-ca.postinst 2020-06-30 21:16:56.040808550 -0500 @@ -1,12 +1,11 @@ #!/bin/sh -e if [ "$1" = "configure" ]; then + for deletename in /var/lib/aegis/certs/common-ca/*.pem; do + acmcli -C aegis-certman-common-ca::CertCACommonAdd \ + -lc common-ca -r `echo $deletename | sed "s/.*\/\([-0123456789abcdef]*\).*/\\1/"` + done; acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\ -a /usr/share/aegis-certman-common-ca/*.pem - # Remove DigiNotar CA if still in store - if [ -f /var/lib/aegis/certs/common-ca/8868bfe08e35c43b386b62f7283b8481c80cd74d.pem ] ; then - acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca\ - -r 8868bfe08e35c43b386b62f7283b8481c80cd74d - fi chmod 0777 /var/lib/aegis/certs if [ ! -e /usr/lib/ssl/certs ] then
--- certman_main.cpp.old 2012-05-08 06:26:05.000000000 -0500 +++ certman_main.cpp 2020-07-21 21:14:32.432448891 -0500 @@ -436,13 +436,13 @@ #define MAX_TRIES 100 void -make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result) +make_hash_filename(X509* of_cert, storage* pstore, const char* to_certfile, string &result, string &result_old) { X509* lcert = of_cert; char hash_file_name[32]; string full_name; - long hash; - int i; + long hash[2]; // changed to [0] for new, [1] for old + int i, j; // added counter j AEGIS_DEBUG(1, "%s: make hash to '%s'", __func__, to_certfile); if (NULL == lcert) { @@ -453,12 +453,18 @@ return; } } - hash = X509_subject_name_hash(lcert); + + // changed to array, now getting old hash as well + hash[0] = X509_subject_name_hash(lcert); + hash[1] = X509_subject_name_hash_old(lcert); + if (of_cert != lcert) X509_free(lcert); + + for (j = 0; j < 2; j++) { for (i = 0; i < MAX_TRIES; i++) { - snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash, i); + snprintf(hash_file_name, sizeof(hash_file_name), "%08lx.%d", hash[j], i); if (!pstore->contains_link(hash_file_name)) break; } @@ -466,7 +472,10 @@ AEGIS_ERROR("%s: %d colliding hash files for '%s'?", __func__, i, to_certfile); } else { - result.assign(hash_file_name); + if (j) result_old.assign(hash_file_name); + else result.assign(hash_file_name); + } + } } @@ -967,14 +976,17 @@ rc = errno; if (0 == rc) { - string hash_name; + string hash_name, hash_name_old; make_hash_filename(cert, mydomain->index, filename.c_str(), - hash_name); + hash_name, hash_name_old); if (!mydomain->index->contains_file(filename.c_str())) { mydomain->index->add_file(filename.c_str()); if ("" != hash_name) mydomain->index->add_link(hash_name.c_str(), filename.c_str()); + if ("" != hash_name_old) + mydomain->index->add_link(hash_name_old.c_str(), + filename.c_str()); if (do_commit) { if (!mydomain->index->commit()) { AEGIS_DEBUG(1, "%s: add of '%s' failed (%s)", __func__,
|
2021-03-27
, 13:47
|
Posts: 6 |
Thanked: 44 times |
Joined on Jul 2020
|
#9
|
Absolutely amazing. Do you think its possible to re use your work on a standard N9 ?
The only partial solution I found for TLS1.2 on N9 is Opera Mini 8. But it's slow and not very well integrated (java midlet...) with harmattan.
NOTE: I'm in open mode with the patched open-mode kernel. It may be possible to do this VERY carefully in closed mode with the aegis-install hack, but I haven't tried again after I failed the first 2 times. I was still figuring it out back then.
I don't have a solid HOWTO built for this yet, as I rebuilt a lot more packages than I probably needed to, and my N9 is my daily driver, so it'll be difficult to experiment with this to trim it down.
I used Scratchbox for all builds.
First, I built OpenSSL 1.0.1t out of Debian Jessie, since I figured it would be easier to do proof of concept on a version closer to the original that was already debianized. There are vulnerabilities in it that you could avoid by using a newer version, but be prepared to do more patching of the open source components that link against it. There are closed packages that link to 0.9.8, so it's not possible to get rid of it completely.
I rebuilt aegis-crypto, and that's where I ran into trouble with closed mode. I hadn't realized that OpenSSL 1 hashes certs differently from 0.9.8, and that I was going to need two sets of symlinks in /etc/ssl/certs for both versions. The moment I installed aegis-crypto, all the code on the system couldn't be verified, since Aegis couldn't find the codesigning certs. It *might* be possible to get this to work closed by doing the next step before this one.
I changed all the CA certificates in aegis-certman to the latest Mozilla certs, patched the source to create both old and new symlinks when new certs are added, and patched the install scripts to delete all preexisting CA certs before installing the new ones (so that everything would get both symlinks).
By this point, I could use OpenSSL from the command line to access TLSv1.2 sites, like Wikipedia.
I then rebuilt a ton of other packages against 1.0.1t until ldd showed that fenix and grob no longer depended on libssl.so.0.9.8, just libssl.so.1.0.0. But they still didn't work. I assumed it was a lost cause, until I discovered that fenix uses libqmf, which uses libqt4-network for SSL.
libqt4-network doesn't seem to depend on OpenSSL, so I started looking at the source, and found that it dlopen()'s it, like a plugin, instead of linking against it. By default, it looks for the version of OpenSSL that was on the system that built it. So I just rebuilt that (yeah, I rebuilt the entirety of Qt4 just for that one .deb. I should've hacked it to just build that, but I didn't have the time, and my build computer did).
Rebooted phone after installing, and it works!
I'll pull out my patches to aegis-certman and post them here in a couple days once I have a chance, along with the list of all other packages I rebuilt against 1.0.1t.
Another related update I tried: I have Firefox (Fennec) 15 installed from openrepos.net, and I dropped in a new build of libnss and libnspr into it. It made a few TLSv1.2 sites work, but there are still many where there's no cipher overlap. I'm not surprised, as this was just a hackish experiment. Nice thing is that Mozilla keeps the ABI of NSS and NSPR so stable.
Another unrelated update I've done is GStreamer to 0.10.36, so I could use plugins-bad-0.10.23, which has Opus. That was hard, and I recently noticed that MMS video transcoding doesn't work anymore. Haven't yet tried to figure out why. If anyone is interested, I'll try to throw together a more detailed explanation. Main thing that gave me trouble was the debianization, not the actual code. If you wanted to just build the new stuff without making .debs and throw it in /usr/local, it might work. The only stuff I really had to do to the code was apply some Nokia-specific camera patches from the 0.10.34 source that came with Harmattan.
Now if only the N9's modem could do LTE...