OpenWrt Forum Archive

Topic: Intended way to update OpenSSL

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dear All,

I'm using "Chaos Calmer 15.05.1" together with OpenVPN and OpenSSL (opkg openvpn-openssl).

Due to the fact that many critical security issues have been fixed in OpenSSL recently, I'd like to update my OpenWRT installation.

I tried to find out the "intended way" to do that, but I wasn't successful.

Can someone please tell me how to update OpenSSL (in my setup) to the latest version?


I already found changeset 49295 (see below) which seems to cover that issue. But when I tried "opkg update / opkg list-upgradable" no new package showed up.

Do I just have to wait a little bit longer? Where can I see when the new package will be released?
Do I have to compile and upgrade the package manually?
Do I have to install the latest build of 15.05.01?
Do I have to install the latest trunk build?

I'm only interested in the "intended way"... of course, there might be several ways, but what is the "security design" of OpenWRT?

Thank you in advance
oil_lamp


Changeset 49295
---
" openssl: Update to version 1.0.2h

Bump to the latest version, fixes several security issues:

    CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176 "
---

oil_lamp wrote:

Do I just have to wait a little bit longer? Where can I see when the new package will be released?
Do I have to compile and upgrade the package manually?
Do I have to install the latest build of 15.05.01?
Do I have to install the latest trunk build?

Waiting is good. Probably ~9 months.
No.
There is no 'latest'.
Depends on the urgency.

Thank you Max.

So it looks like there is no easy and user-friendly way to upgrade OpenSSL.

Does someone else know an intended way to upgrade OpenSSL?

How would you upgrade OpenSSL anyway?

Thanks, oil_lamp, for bringing this topic up.

I'm also interested in updating/fixing this library.

There is a way to do it - it requires having one's own build environment.
Then one will be able to "pull" this patch and obtain the fixed version of OpenSSL.

Right now I'm studying the OpenWrt documentation for the exact instructions...

Hi booBot,

thank you for that hint. I will also have a look at the build environment - however it sounds like a lot of effort.

Therefore I will try to understand the new/fixed vulnerabilities in more detail. As the effort to fix them is higher than expected, it makes sense to spend additional time and investigate, what the impact on my environment would be.

I still want to believe that if there is a really serious security issue, someone from the OpenWRT team would fix it (call me a dreamer ;-))

Kind Regards
oil_lamp

Yes, it IS difficult (for me as a novice) to patch OpenSSL to the current release level.

In the download section for the trunk (the "snapshot") they've published the current version already.

I'll try that file right now...

As shown here I just edited the package/libs/openssl/Makefile:
PKG_VERSION to 1.0.2h
and
PKG_MD5SUM to the new value.

Then I've re-run make PROFILE=my_hardware_profile_name - and the patched libopenssl was created.

I hope this is how to do it properly.
Will report if it does not break my asterisk v1.8....

Yes, my asterisk v1.8 works fine with this update.
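The Makefile edit described in the post above (bump PKG_VERSION and PKG_MD5SUM, then rebuild) is the whole procedure, but nothing in it checks that the tarball the buildroot will fetch is the one upstream published. The script below is an added example, not code from the thread or from the OpenWrt project: it refuses to touch the Makefile unless the md5sum of a locally downloaded tarball matches the checksum you took from the upstream release announcement. The Makefile contents, tarball and checksums in the demo are constructed; the real values come from the OpenSSL release page and from your own package/libs/openssl/Makefile. It assumes GNU sed and md5sum (a Linux build host).

```shell
#!/bin/sh
# Added example (not from the thread): update PKG_VERSION / PKG_MD5SUM in an
# OpenWrt package Makefile only after the downloaded tarball's md5sum matches
# the checksum published upstream. Assumes Linux (GNU sed -i, md5sum).

# Rewrite the two variables in place. $1 = Makefile, $2 = new version,
# $3 = new md5sum. Matches the "PKG_VERSION:=" / "PKG_MD5SUM:=" lines that
# OpenWrt package Makefiles use.
bump_pkg() {
    sed -i -e "s/^PKG_VERSION:=.*/PKG_VERSION:=$2/" \
           -e "s/^PKG_MD5SUM:=.*/PKG_MD5SUM:=$3/" "$1"
}

# Print the value of a Makefile variable. $1 = Makefile, $2 = variable name.
mk_var() {
    sed -n "s/^$2:=//p" "$1"
}

# Compare the md5sum of a downloaded tarball ($1) with the published
# checksum ($2). Returns 0 on match, 1 otherwise.
tarball_matches() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Whole procedure: verify first, bump second; on mismatch leave the
# Makefile untouched and fail, so a bad download never reaches the build.
# $1 = Makefile, $2 = tarball, $3 = new version, $4 = published md5sum.
update_openssl_makefile() {
    if tarball_matches "$2" "$4"; then
        bump_pkg "$1" "$3" "$4"
        echo "updated $1 to $3"
    else
        echo "checksum mismatch for $2, Makefile left unchanged" >&2
        return 1
    fi
}

# Demonstration on constructed files (the version strings are the ones from
# the thread; the checksum and tarball content are placeholders).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/Makefile" <<'EOF'
PKG_NAME:=openssl
PKG_VERSION:=1.0.2g
PKG_RELEASE:=1
PKG_MD5SUM:=00000000000000000000000000000000
EOF
    printf 'constructed stand-in for openssl-1.0.2h.tar.gz\n' > "$dir/openssl-1.0.2h.tar.gz"
    published=$(md5sum "$dir/openssl-1.0.2h.tar.gz" | cut -d' ' -f1)
    update_openssl_makefile "$dir/Makefile" "$dir/openssl-1.0.2h.tar.gz" 1.0.2h "$published"
    echo "PKG_VERSION is now $(mk_var "$dir/Makefile" PKG_VERSION)"
    # A wrong checksum must be rejected and leave the file as it was.
    update_openssl_makefile "$dir/Makefile" "$dir/openssl-1.0.2h.tar.gz" 1.0.2i \
        ffffffffffffffffffffffffffffffff || echo "rejected as expected"
    rm -rf "$dir"
}

demo
```

After the Makefile is updated, the build step is the one from the post (`make PROFILE=<your profile>` or `make package/openssl/compile` in the buildroot); the point of the check is that the checksum you write into PKG_MD5SUM came from a tarball you verified yourself rather than from whatever the download step happened to fetch.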

Congratulations! Maybe you can share your experience with your own version after a while?
E.g. can you still download packages from the opkg repository, does it contain all elements of the standard package?

I also made progress with my investigations.

OpenSSL 1.0.2h fixes two "high" vulnerabilities (https://www.openssl.org/news/secadv/20160503.txt).

1. CVE-2016-2108
Result: The standard OpenSSL version (1.0.2g) in CC15.05.1 is not affected.

The issue is based on the combination of two bugs.
The first bug is fixed in 1.0.2g (perhaps in an earlier version, I haven't checked)

This issue affected versions of OpenSSL prior to April 2015. The bug
causing the vulnerability was fixed on April 18th 2015, and released
as part of the June 11th 2015 security releases

Furthermore the advisory says:

This vulnerability is a combination of two bugs, neither of which
individually has security impact.

2. CVE-2016-2107
Result: Not sure yet

a) It only affects chipsets which support AES-NI >> I try to find out if my router supports it >> not that easy
b) As far as I understand, the attacker needs to send data to OpenSSL and needs to interpret the response. In my case, I think I have an environment, where the attacker doesn't get the response because of another security mechanism >> not easy to find out

Disclaimer:
I'm not a security expert, I just try my best to come to the right conclusions

If there is someone who can add something to my theories I would appreciate that very much.

Regards
oil_lamp
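Point 2a above ("does my router support AES-NI? not that easy") has a simple local answer: on x86 the kernel lists the `aes` CPU flag in /proc/cpuinfo, while MIPS routers (ramips, brcm47xx) have no such flags line at all, which is itself the answer, since AES-NI is an x86 feature. The script below is an added example, not from the thread or from OpenWrt; it reads a cpuinfo file (defaulting to /proc/cpuinfo) so it can be exercised on constructed samples, and prints the installed OpenSSL version beside the CPU answer because, whatever the CPU says, the version is what decides whether the advisory applies. The sample cpuinfo lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does this CPU report AES-NI?
# $1 = path to a cpuinfo file (defaults to /proc/cpuinfo).
# Prints "aes-ni", "no-aes-ni", or "unknown" when the file has no x86-style
# "flags" line at all (the case on MIPS-based OpenWrt routers).
cpu_aes_status() {
    f=${1:-/proc/cpuinfo}
    if ! grep -q '^flags' "$f"; then
        echo unknown
    elif grep '^flags' "$f" | grep -qE '[[:space:]]aes([[:space:]]|$)'; then
        echo aes-ni
    else
        echo no-aes-ni
    fi
}

# The fact that actually matters for the advisory: which OpenSSL is installed.
# Runs only where opkg / openssl exist; never fails the script.
installed_openssl() {
    if command -v opkg >/dev/null 2>&1; then
        opkg list-installed 2>/dev/null | grep -i openssl || true
    fi
    if command -v openssl >/dev/null 2>&1; then
        openssl version 2>/dev/null || true
    fi
}

# Demonstration on constructed cpuinfo samples: an x86 with AES-NI, an x86
# without it, and a MIPS router with no flags line.
demo() {
    d=$(mktemp -d)
    printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n' > "$d/x86_aes"
    printf 'processor\t: 0\nflags\t\t: fpu sse2 ssse3\n' > "$d/x86_noaes"
    printf 'system type\t\t: constructed MIPS SoC\ncpu model\t\t: MIPS 24KEc V5.0\n' > "$d/mips"
    for s in x86_aes x86_noaes mips; do
        printf '%s: %s\n' "$s" "$(cpu_aes_status "$d/$s")"
    done
    rm -rf "$d"
    printf 'this host: %s\n' "$(cpu_aes_status)"
    installed_openssl
}

demo
```

The word-boundary match matters: `aesni_x` or `vaes`-style flag names must not count as the plain `aes` flag. Treat "unknown" as "not x86", not as "safe"; the version check is the one to act on.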

oil_lamp, the compiled result looks exactly the way all official OpenWrt modules do: libopenssl_1.0.2h-1_ramips_24kec.ipk, it is installable from a local folder (opkg install /tmp/libopenssl_1.0.2h-1_ramips_24kec.ipk).
So, I think it IS the way to get patched/fixed components as soon as they are published by their authors - without an unneeded delay.

I've asked on another forum - they say it is possible to get non-kernel modules directly from trunk.

I've tried to install the trunk openssl but it broke my libc, so I was forced to reinstall the firmware (major issue) because CC used uClibc and trunk uses musl, so I've compiled my own openssl and openvpn.
If you need the brcm47xx_mips74k CC version you can find it here:
- libopenssl_1.0.2h-1_brcm47xx.ipk
- openvpn-openssl_2.3.11-5_brcm47xx.ipk

Thank you all for your comments.

I'm new to openWrt so I'd like to sum it up:


1. BooBot: you created your own build environment which is
- specific to your hardware
- able to compile versions of single packages (no need to reinstall the whole software)
- self-compiled packages can be installed via standard opkg (with link to local file as described in comment 11)

2. BooBot: in order the compile the new version of a single package, you modified a config file "Makefile" and ran the compile process as described in comment 7

3. @tmo26 if I read your comment 10 right, you did the modification BooBot mentioned in the "official" OpenWrt build environment.
- Is that just to see, how the modification looks like or will your change result in an updated package version somewhere in "https://downloads.openwrt.org/chaos_cal … ages/base/" i.e. I don't have to create my own build environment
- If yes, when will that happen... I've read something about a build-bot. But is this bot still running for Chaos Calmer?

4. @maurer, thank you for providing the files already. I appreciate that very much. However, in this case of "security software" I just want to use my own files or files from the official repository. Please don't get me wrong, it's my paranoia...

Kind Regards
oil_lamp

oil_lamp, yes to both your questions.
Apart from the initial effort to set up the BuildRoot - the rest seems to be fairly easy.
In my case the initial preparation was a very lengthy process - I'm building on the EeePC 701 laptop, so it took almost 18 hours to get the BuildRoot working.

Thanks to your finding of the changeset #49295 it was almost trivial to update the OpenSSL.
And yes, I'm building my own firmwares for my router.
:-)

Hi All,

in the meantime, I created my own buildroot environment and compiled openssl (library and utils). Thank you booBot, tmo26 and maurer for the inspiration! :-)

@maurer, could you please explain, how you changed to makefile etc. to create openvpn-openssl_2.3.11-5_brcm47xx.ipk?

Did you just change the version and the MD5 hash in the Chaos Calmer makefile or did you do something else?

Thank you in advance
oil_lamp

Hi All,

in the meantime, I created my own openssl and openvpn packets.

My own openssl works fine, the openvpn version didn't work when I tried to connect with the smartphone app. Windows/Linux worked

Here's a short abstract what I did:

openssl (objective: upgrade to 1.0.2h-1):
just replaced the entries in the makefile according to tmo26's comment #7 and started the make process
Did that for the application and the library. Installed both packages.

openvpn (objective: upgrade to 2.3.10):
1. did all the changes in the makefile between chaos calmer 15.05.1 and Trunk except the change of the path variable "IPROUTE=/usr/sbin/ip" as I assumed that this is the result of another change in a different package which I did not implement.
2. deleted all files in the patches directory and replaced them by the files from trunk (I compared them, seemed reasonable to me)

In the end, the package was compiled without errors and I was able to install it.
All connection peers worked except my android app. It says something like "epki issue" and "unknown alias" during the connection setup process.

Anyway, the main objective was openssl and that's replaced now.

Kind Regards
oil_lamp
