Suggested roadmap for updating OpenSSL on Fremantle

[ceene]

Hi there,

Quote:

1.Get the latest OpenSSL (or LibreSSL) building and working properly on Fremantle (including all the newest algorithms and features and protocols as well as correct debian packaging, optimization flags etc for Fremantle)

I've managed to download debian's sid latest openssl (1.0.2e) and have backported its debian/ directory so this package now builds on scratchbox. I've succesfully installed generated libssl1.0.2 .deb package on N900 and it passes the tests openssl includes. Note that these tests result in a segmentation fault when run on scratchbox, it's probably a fault of qemu.

So we've got now a really good start.

Changes I've made are available on https://github.com/agamez/maemo-openssl-1.0.2 This work is not finished but it's a start.

I've found original openssl 0.9.8n-1 source used by debian on top of which maemo built its own library here https://launchpad.net/debian/+source/openssl/0.9.8n-1 so we can check which differences are between what is on maemo and upstream.

Best regards!

EDIT: I can't see any relevant difference between debian's original source code and that on maemo (apt-get source openssl=different_versions_on_repos...). I am almost completely sure that the only differences are in packaging, but there are no new patches. For a library like openssl that would be, in fact, a very very bad idea, so even if there are some differences, changes are they are for bad instead of for benefit of the security of the system.

[ginggs]

Quote:

Originally Posted by jonwil

Anyone know where I can get source code to debian OpenSSL 0.9.8n-1 (the version Maemo Fremantle OpenSSL is based on)?

http://snapshot.debian.org/package/openssl/0.9.8n-1/

[jonwil]

I have taken Debian OpenSSL 0.9.8n-1 source from http://snapshot.debian.org/package/openssl/0.9.8n-1/ and Maemo OpenSSL 0.9.8n-1+maemo4+0m5 source from http://repository.maemo.org/pool/mae...ree/o/openssl/. I have renamed the patches in the Debian source to match the names in the Maemo source.

The diff of the resulting folders is attached to this post:

The following changes exist in the Maemo tree vs the Debian tree:
1.Change PERL path in Configure
2.Remove Makefile (its automatically generated from Makefile.org)
3.Change PERL path in a bunch of PERL scripts
4.Remove apps/CA.pl (its automatically generated from apps/CA.pl.in)
5.Add a commented out #ifdef to crypto/ec/ectest.c
6.Comment out an #ifdef in crypto/o_init.c
7.Remove crypto/opensslconf.h and its symlink include/openssl/opensslconf.h (its automatically generated from crypto/opensslconf.h.in)
8.Added various entries to debian/changelog
9.Changed debian/compat from 3 to 5
10.Added a debian/debian.tar.gz file containing an unknown changelog/compat/rules file
11.Change debian/libssl0.9.8.postinst to use sh instead of bash
12.Add headers to various patches
13.Rename the patches (and add an 00list file instead of the series file)
14.Add a new patch 20_load-cert.dpatch
15.Add a new patch 21_configure-cflags.dpatch
16.Add a new patch 22_openssl-psk-0.9.8n-lib.dpatch
17.Add a new patch 23_openssl-psk-0.9.8n-test.dpatch
18.Add a new patch 24_openssl-psk-0.9.8n-doc.dpatch
20.Remove patch kfreebsd-pipe.patch
21.Remove patch rc4-amd64.patch
22.Add lines to debian/rules for include /usr/share/dpatch/dpatch.make, build: patch-stamp build-stamp and clean: unpatch
23.Add include/openssl/cms.h symlink to crypto/cms/cms.h
24.Add include/openssl/jpake.h symlink to crypto/jpake/jpake.h
25.Add a commented out #ifdef to test/ectest.c
26.Make a bunch of changes to test/jpaketest.c
27.Remove tools/c_rehash (its automatically generated from tools/c_rehash.in)

Now we need to figure out the following:
1.Whether any of the above changes (the 5 Nokia patches or the changes made directly to the source code) are still necessary for our OpenSSL 1.0.2e port
2.Whether there is anything removed from OpenSSL (stock or Debian) between 0.9.8n and 1.0.2e that we need on Maemo
and 3.Whether there is anything added to OpenSSL (stock or Debian) between 0.9.8n and 1.0.2e that we dont need on Maemo (i.e. that we need to remove for Maemo)

I suspect there is likely to be nothing satisfying #2 and #3 above (and that its not even worth looking)

[Android_808]

Is this of any use to you: http://abi-laboratory.pro/tracker/timeline/openssl/

[ginggs]

Quote:

Originally Posted by jonwil

8.Added various entries to debian/changelog

This looks like Nokia forked at Debian version 0.9.8g-10 and then merged at 0.9.8g-13, 0.9.8g-15 and 0.9.8n-1.

Are there older Nokia versions available anywhere?
(Edit: I see openssl_0.9.8g-15maemo4 in the maemo5.0 pool, it might be worth examining a diff there too)

Quote:

Originally Posted by jonwil

9.Changed debian/compat from 3 to 5

Could be a mistake in the Debian packaging. I think this should have been bumped when converting to source format 3.0 (quilt).

Quote:

Originally Posted by jonwil

10.Added a debian/debian.tar.gz file containing an unknown changelog/compat/rules file

Could be a mistake in the Nokia packaging.

Quote:

Originally Posted by jonwil

12.Add headers to various patches
13.Rename the patches (and add an 00list file instead of the series file)
22.Add lines to debian/rules for include /usr/share/dpatch/dpatch.make, build: patch-stamp build-stamp and clean: unpatch

This looks like Debian converted to source format 3.0 (quilt) after the fork and then Nokia reverted to source format 1.0 for the merge.

The Maemo builders have been able to cope with source format 3.0 (quilt) for some years now.

[ginggs]

Debian converted to source format 3.0 (quilt) in 0.9.8m-1:

Code:

openssl (0.9.8m-1) unstable; urgency=low

  * New upstream version
  ...
  * Switch to 3.0 (quilt) source package.

I can't see any explicit mention of bumping the compat level to 5, only a bump to level 9 in 2013:

Code:

openssl (1.0.1e-4) unstable; urgency=low
  ...
  * change to debhelper compat level 9:

[bencoh]

Quote:

Originally Posted by jonwil

14.Add a new patch 20_load-cert.dpatch

This one really seems to be maemo specific, but I'm not even sure it's relevant in Maemo5, since I can't find libcst on my device (or in SDK).
See http://maemo-developers.maemo.narkiv...libcst-sources for more info on libcst.

If it tries to dlopen (!) a library that is no longer available, I think we can safely drop it...

Quote:

Originally Posted by jonwil

16.Add a new patch 22_openssl-psk-0.9.8n-lib.dpatch
17.Add a new patch 23_openssl-psk-0.9.8n-test.dpatch
18.Add a new patch 24_openssl-psk-0.9.8n-doc.dpatch

Those have been upstreamed.
See openssl commit ddac1974 and openssl-1.0.0 release changelog.

[pali]

libcst was renamed to libmaemosec, see:

https://github.com/community-ssu/mae...ddc9521c847ced

[bencoh]

Quote:

Originally Posted by pali

libcst was renamed to libmaemosec, see:

https://github.com/community-ssu/mae...ddc9521c847ced

Ah, thanks.
Looks like they didn't bother updating the openssl package though... and I don't see how this dlopen() could work the way it is

[pali]

Looks like that function is not in fremantle version. Something from diablo or bora. I suggest to drop that patch.