
Issue 649672 link


Issue metadata

Status: Available
Owner: ----
OS: Chrome
Pri: 3
Type: Feature



Upgrade to OpenSSL 1.1.0f

Project Member Reported by mnissler@chromium.org, Sep 23 2016

Issue description

OpenSSL version 1.1.0 was released a while back as the first release on a new stable branch. We should upgrade Chrome OS to the latest version on that branch, which is 1.1.0a at the time of writing this.

So I've looked into this a bit:

* A somewhat working ebuild for openssl-1.1.0a is uploaded here: https://chromium-review.googlesource.com/389211
* The SHA-1 cert blacklisting patch we carry locally needs to be ported, which I haven't done yet.
* Note that the above ebuild requests 1.0.0 api compatibility
* Even with the compatibility flags enabled, a lot of stuff depending on openssl fails to build due to them cleaning up their API surface.
* Note that gentoo bugzilla is tracking this issue here (listing failing packages): https://bugs.gentoo.org/show_bug.cgi?id=592438
* Ditto for debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827061

I'll see whether I can get a list of problematic packages we're using.

I'm afraid the conclusion for now is that we can't do much unless we're willing to start tackling package breakages ourselves. Given that openssl 1.0.2 is still supported, I feel inclined to give this some more time.

Here's a quick list of results from an attempt to rebuild reverse dependencies for openssl for the cyan board.

The following packages succeeded (I didn't test whether they actually work!):

chromeos-base/chaps-0.0.1-r1578
chromeos-base/libchrome-395517-r3
chromeos-base/libscrypt-1.1.6-r12
chromeos-base/memento_softwareupdate-0.0.1-r72
chromeos-base/pepper-flash-23.0.0.179-r1
chromeos-base/root-certificates-0.0.1-r3
chromeos-base/update_engine-0.0.3-r2055
dev-libs/libevent-2.0.22
dev-util/imgdiff-0.0.1-r2
net-dialup/ppp-2.4.6-r7
net-misc/curl-7.49.1
net-misc/dhcp-4.2.2-r3
net-misc/iputils-20121221-r2
net-misc/wget-1.18-r1   <- I applied a patch from upstream to get this building
net-print/hplip-3.16.3

The following packages failed to build:

app-crypt/tpm-tools-1.3.8-r2
app-crypt/trousers-0.3.3-r60
chromeos-base/cryptohome-0.0.1-r1363
chromeos-base/easy-unlock-crypto-0.0.1-r13
chromeos-base/libbrillo-0.0.1-r177
chromeos-base/vboot_reference-1.0-r1261
dev-lang/python-2.7.10
dev-libs/engine_pkcs11-0.1.8-r1
dev-libs/libp11-0.2.8-r3
dev-libs/opencryptoki-2.2.8-r24
dev-libs/opensc-0.12.2-r1
dev-libs/pkcs11-helper-1.07
dev-python/m2crypto-0.22.3-r4
dev-util/android-tools-5.1.1_p13
dev-vcs/git-2.6.6
net-analyzer/tcpdump-4.5.1-r1
net-misc/openssh-7.3_p1-r1
net-misc/openvpn-2.3.2-r2
net-misc/socat-1.7.3.1
net-misc/strongswan-5.0.2-r19
net-misc/tlsdate-0.0.5-r44
net-wireless/hostapd-2.5-r34
net-wireless/wpa_supplicant-2.5-r34

Note the 4 failing chromeos-base packages, which are definitely on our plate to fix up.

Cc: drinkcat@chromium.org
Summary: Upgrade to OpenSSL 1.1.0f (was: Upgrade to OpenSSL 1.1.0a)

We would like to have support for x25519 for hammerd, which I believe is only supported on openssl >=1.1.0.

Maybe now is a good time to revisit this? I don't expect this work to be much easier, sadly...

BoringSSL has x25519 support, so maybe that's an alternative? In the long run, we'd like to migrate the Chrome OS platform code to BoringSSL anyway.
Blockedon: 733186
Blockedon: 733187
Blockedon: 733188
Blockedon: 733190
Blockedon: 734489
Blockedon: 734494
Blockedon: 734499
Blockedon: 734885
Blockedon: 735342


I was finally able to get a set of local patches such that all sdk packages build and I can successfully ./setup_board and start ./build_packages.  This results in the following failures (on an amd64 board, soraka):

$ ./build_packages --board=soraka

Packages failed:
	app-crypt/mit-krb5-1.14.4
	chromeos-base/chromeos-ec-0.0.1-r3949
	chromeos-base/dev-install-0.0.1-r923
	chromeos-base/factory-0.2.0-r361
	chromeos-base/factory-mini-0.0.1-r433
	chromeos-base/libbrillo-0.0.1-r660
	chromeos-base/vboot_reference-1.0-r1364
	dev-python/btsocket-0.0.1-r12
	net-wireless/crda-1.1.1-r6

Blockedon: 735782
Blockedon: 736313
Blockedon: 736322
Blockedon: 736583
Blockedon: 737445
Blockedon: 737464
Blockedon: 737913
Blockedon: 737942
Blockedon: 737954
Blockedon: 738114
Blockedon: 738288
Blockedon: 738816
Blockedon: 738857
Blockedon: 739116
Blockedon: 739357
Blockedon: 739369
Blockedon: 739688
Blockedon: 739692
Blockedon: 740096
Blockedon: 740158
Blockedon: 740333
Blockedon: 747810
Blockedon: -747810
Blockedon: 754455
Blockedon: 754473
Blockedon: 756508
Small milestone today - I was able to build and boot an openssl-1.1 system for samus!  I'll clean up the patch sets and upload them shortly.
But...  cryptohomed has a crash loop and ssh doesn't work ;).  Debugging...

Owner: ----
Status: Available (was: Started)
I'm not actively working on this, nor planning to any time soon, so un-assigning myself.
Do we need any security fixes in this version?

OpenSSL is still maintaining security fixes in the 1.0 series, so we don't need to upgrade to the 1.1 series for that.

Cc: menghuan@chromium.org
