#maemo-leste on 2022-04-23 — irc logs at libera.irclog.whitequark.org

2021-05-25 03:59 parazyd changed the topic of #maemo-leste to: Maemo Leste is in alpha: https://maemo-leste.github.io | ML: https://lists.dyne.org/lurker/list/maemo-leste.en.html | Latest status: http://tny.im/osz | Wiki: https://leste.maemo.org | IRC: https://libera.irclog.whitequark.org/maemo-leste/ ; https://maedevu.maemo.org/irc.txt

00:23 xmn has joined #maemo-leste

00:30 jk__00 has quit [Quit: Leaving]

00:43 Pali has quit [Ping timeout: 246 seconds]

01:08 Daanct12 has joined #maemo-leste

04:26 Daanct12 has quit [Remote host closed the connection]

04:54 macros_ has quit [Ping timeout: 240 seconds]

04:55 ikmaak has quit [Ping timeout: 260 seconds]

04:56 macros_ has joined #maemo-leste

04:57 ikmaak has joined #maemo-leste

05:02 joerg has quit [Ping timeout: 272 seconds]

05:03 joerg has joined #maemo-leste

05:12 <Wizzup> freemangordon: what is the offending version?

05:48 _whitelogger has joined #maemo-leste

06:12 <freemangordon> Wizzup: 1.1.1n-0+deb10u1

06:48 xmn has quit [Ping timeout: 240 seconds]

07:14 <Wizzup> freemangordon: ok

07:16 <freemangordon> building openssl on PP ATM

07:16 <freemangordon> will debug that

07:20 <Wizzup> ok

07:20 <Wizzup> maybe we can just check the changelog?

07:20 <Wizzup> is it certs or openssl patches?

07:22 <freemangordon> it is openssl, not certs

07:22 <freemangordon> I suspect this https://github.com/openssl/openssl/commit/8979ffee95043baffa51887b1d43d9b07f9fae1b

07:23 <freemangordon> or this https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_srvr.c#L2572

07:24 <freemangordon> but better debug it

07:24 <freemangordon> also, it is weird that we hit the bug on arm only

07:34 yanu_ has joined #maemo-leste

07:34 yanu_ has quit [Client Quit]

07:35 <Wizzup> right

07:53 <freemangordon> Wizzup: here https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/statem/statem_clnt.c#L2340

07:56 <freemangordon> tls1_get_legacy_sigalg (whatever it is) fails

07:57 uvos has joined #maemo-leste

08:12 elastic_dog has quit [Ping timeout: 248 seconds]

09:38 Pali has joined #maemo-leste

10:24 pimmeldrian is now known as meldrian

10:25 vagag has joined #maemo-leste

10:27 elastic_dog has joined #maemo-leste

11:06 elastic_dog has quit [Ping timeout: 250 seconds]

11:17 elastic_dog has joined #maemo-leste

11:17 <freemangordon> Wizzup: ssl_get_security_level_bits returns 112 on ARM64 and 80 on amd64

11:21 <freemangordon> Wizzup: on ARM SSL_get_security_level returns 2, on x86 - 1

11:21 <freemangordon> any clue why?

11:51 <norayr> very interesting

11:53 <freemangordon> it seems the actual bug is in x86 lib, it seems to ignore /etc/ssl/openssl.cnf

11:55 <norayr> since we use debian's ssl, didn't anyone noticed already that this version causes problems?

11:56 <freemangordon> well, it was pushed 2 weeks ago

11:56 <freemangordon> also, I am still not sure the problem is in openssl itself

12:09 <Wizzup> freemangordon: hrm, we might need to file that with debian

12:09 <freemangordon> ok, I am officially confused: fopen("/usr/lib/ssl/openssl.cnf", "rb"); fails with errno==13 in my VM

12:10 <Wizzup> eaccess

12:10 <freemangordon> yes

12:10 <Wizzup> what are the privs of hte full path

12:10 <freemangordon> but I can cat that file with no issue

12:10 <Wizzup> e.g. /usr/lib/ssl

12:10 <freemangordon> fine:

12:10 <Wizzup> world executable?

12:10 <freemangordon> lrwxrwxrwx 1 root root 20 Mar 18 20:41 /usr/lib/ssl/openssl.cnf -> /etc/ssl/openssl.cnf

12:10 <Wizzup> what about /etc/ssl/openssl.cnf ?

12:10 <freemangordon> -rw-r--r-- 1 root root 11118 Oct 12 2019 /etc/ssl/openssl.cnf

12:11 <freemangordon> exactly the same on pinephone

12:11 <freemangordon> besides the date

12:11 <freemangordon> -rw-r--r-- 1 root root 11118 Aug 24 2021 /etc/ssl/openssl.cnf

12:11 <Wizzup> what about /etc/ssl?

12:11 <freemangordon> this is pinephone

12:11 <Wizzup> the dir

12:12 <freemangordon> mhm

12:12 <freemangordon> drwxr-xr-x 4 root root 4096 Apr 15 12:29 .

12:12 <freemangordon> in VM

12:12 <freemangordon> drwxr-xr-x 4 root root 4096 Apr 22 12:00 .

12:12 <freemangordon> in PP

12:12 <Wizzup> you can also do ls -lshd /etc/ssl fwiw

12:13 <Wizzup> ok

12:13 <Wizzup> I need to go and get my lost bag (with the n900 serial!)

12:13 <Wizzup> bbl

12:13 <freemangordon> ok

12:13 <freemangordon> PP: 4.0K drwxr-xr-x 4 root root 4.0K Apr 22 12:00 /etc/ssl

12:13 <freemangordon> VM: 4.0K drwxr-xr-x 4 root root 4.0K Apr 15 12:29 /etc/ssl

12:13 <freemangordon> the same

12:14 <freemangordon> maybe FS issue

12:14 <Wizzup> seems very weird

12:14 <freemangordon> mhm

12:19 <freemangordon> this is crazy!!!

12:57 <freemangordon> strace: openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = -1 EACCES (Permission denied)

13:21 <freemangordon> ok, getting even more strange - if I run telepathy-gabble through valgrind on VM, I can recreate the issue

13:21 <freemangordon> WTF is going on?

13:28 <freemangordon> umm: [ 2258.304349] EXT4-fs error (device sda1): ext4_lookup:1619: inode #303423: comm find: iget: checksum invalid

13:36 <freemangordon> ugh:

13:36 <freemangordon> audit: type=1400 audit(1650720903.508:17): apparmor="DENIED" operation="open" profile="/usr/lib/telepathy/telepathy-*" name="/etc/ssl/openssl.cnf" pid=3925 comm="telepathy-gabbl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

13:44 <freemangordon> ok, for some reason I have apparmor installed and it prevents access to openssl.cnf

14:04 <sixwheeledbeast> aa-logprof ?

14:04 <freemangordon> apt-get remove --purge apparmor :)

14:07 <norayr> folks, i booted leste on droid, and got info about april update.

14:07 <norayr> at the end of the text it recommends to remove old zram cotfiguration

14:08 <norayr> with rc-update del zram atd then on the same line, rm /etc/init.d/zram

14:23 <norayr> So i was wondering (btw now i write from leste's pidgin) should i run those probably o separate lines, and if i do, wouldn't it just remove the serice startup script?

14:24 <norayr> But wasn't the intention to run the init script?

14:24 <norayr> Oh, i mean to run on startup

14:32 joerg has quit [Read error: Connection reset by peer]

14:33 joerg has joined #maemo-leste

14:34 <norayr> other question is, i noticed that the boot option was mentioned which allows droid to charge.

14:34 <norayr> isn't it in boot loader? and that bootloader is separate from leste image.

14:34 <norayr> so leste image update won't reveal that option for me right?

14:35 <Wizzup> freemangordon: hm, we should look into that problem @ apparmor

14:35 <Wizzup> freemangordon: I think we want to suppor tapparmor

14:35 <Wizzup> freemangordon: sorry I thought have thought of it being apparmor before

14:35 <Wizzup> it's always the MAC once DAC ought to work

14:58 arno11 has joined #maemo-leste

14:58 arno11 has left #maemo-leste [#maemo-leste]

15:20 xmn has joined #maemo-leste

16:10 <freemangordon> Wizzup: still, now I have 'fixed' my VM to behave like PP I will investigate why ssl upgrade broke it

16:17 Twig has joined #maemo-leste

16:31 Livio has joined #maemo-leste

16:40 * enyc meows :O

16:41 <enyc> I'm wondering if n900 usb get damaged with these bypassing of the micro-usb protection-circuit etc going stroight over to the 2 pins under board

17:10 norly has quit [Quit: Leaving.]

17:11 norly has joined #maemo-leste

17:22 <freemangordon> Wizzup: most-probably this https://www.mail-archive.com/openssl-commits@openssl.org/msg33055.html

17:22 <freemangordon> https://github.com/openssl/openssl/pull/15818

17:40 avoidr has joined #maemo-leste

18:09 wunderwungiel[m] has joined #maemo-leste

18:09 <wunderwungiel[m]> Hello

18:13 [TheBug] has quit [Changing host]

18:13 [TheBug] has joined #maemo-leste

18:14 <freemangordon> Wizzup: this is the one https://github.com/openssl/openssl/commit/b0031e5dc2c8c99a6c04bc7625aa00d3d20a59a5

18:15 <freemangordon> but, TBH I am not sure the commit is wrong

18:16 <freemangordon> but my openssl-fu is not the best around :)

18:34 <freemangordon> ok, so telepathy-gabble (wocky) wants to do tls1.0, which is disabled by policy

18:34 <freemangordon> enabling tls1.0 is not very good idea IMO

18:38 <sicelo> enyc: maybe #maemo. I think it can get damaged, yes. That said ... i did exactly that bypass on my old n900 back in 2015 ... still perfectly fine today (only non-working modem, which is unrelated)

19:28 <Wizzup> got the n900 serial module back :)

19:28 <Wizzup> freemangordon: why does wocky only do 1.0 ?

19:35 <Wizzup> freemangordon: I think I fixed this in some other pkgs that I forward ported

19:35 <Wizzup> it's a bug to request only 1.0

19:35 <freemangordon> agree

19:35 <freemangordon> so I changed it to request 1.2

19:36 <freemangordon> (for 1.3 google presents some strange certificate)

19:36 <freemangordon> Wizzup: will push the fix in a minute

19:37 <Wizzup> what is strange about it, and yes at least 1.2 is ok, 1.3 would be better

19:37 <Wizzup> is it ecc?

19:37 <freemangordon> hmm?

19:37 <freemangordon> ecc?

19:38 <Wizzup> ed25519 or similar elyptic curve crypto

19:38 <freemangordon> ah

19:38 <freemangordon> no idea

19:38 <freemangordon> sec

19:44 <freemangordon> Wizzup: https://github.com/maemo-leste-upstream-forks/telepathy-gabble/blob/maemo/beowulf-devel/debian/patches/use-tls-v12.patch

19:46 <Wizzup> lgtm, let's look at tls 1.3 eventually though

19:47 <freemangordon> the issue with 1.3 is that google serves some unknown certificate

19:47 <freemangordon> see this https://marc.info/?l=openjdk-security-dev&m=155009277220921&w=2

19:48 <freemangordon> "00 90 76 89 18 E9 33 93 A0" is the serial

19:48 <Wizzup> imho that warrants a google specific workaround

19:48 <freemangordon> exactly like in the thread

19:48 <freemangordon> well, what is wrong with tls1.2?

19:48 <Wizzup> the same as pinning to 1.0

19:48 <Wizzup> better to just use default openssl ctx

19:49 <freemangordon> I agree in principle, but don;t really want to waste any more time on that now

19:49 <Wizzup> sure

19:50 <Wizzup> maybe we can make an issue

19:50 <freemangordon> better make an issue upstream

19:50 <Wizzup> righty

19:51 <freemangordon> going afk, night!

19:51 <Wizzup> gn

19:51 vagag has left #maemo-leste [Error from remote client]

20:06 Twig has quit [Ping timeout: 240 seconds]

22:06 elastic_dog has quit [Ping timeout: 248 seconds]

22:06 belcher has quit [Ping timeout: 240 seconds]

22:08 elastic_dog has joined #maemo-leste

22:09 belcher has joined #maemo-leste

22:23 Pali has quit [Ping timeout: 240 seconds]

22:39 Pali has joined #maemo-leste

23:49 uvos has quit [Ping timeout: 272 seconds]