Builtin OpenSSL is outdated #2780
Comments
Marking it as a bug as we are therefore likely exposed to all the security vulnerabilities announced since 1.0.1h. See e.g.: Note that there is also a 1.0.2 branch now, with 1.0.2d being the latest release (July 2015). Maintaining a built-in dependency such as OpenSSL will always be a pain though if we try to ensure that security vulnerabilities are patched in a timely manner (especially if we need to provide patch releases of past versions to address those issues). It could be of course that many of those vulnerabilities are not exposed to Godot's API, but that's still bad press after the recent press exposure of things like heartbleed.
argh updating openssl and getting it to compile on every single platform is
On Fri, Nov 13, 2015 at 8:35 AM, Rémi Verschelde notifications@github.com
let's wait to see how progress go with mbedtls
well, seems progress with mbedtls stalled, and will not accept a PR using libcurl so I will have to tackle this myself in 2.1
You can try to get changes you do to the openssl source code merged upstream, that way you don't have to repeat them every time you update. Also note that the Openssl 1.0.1 line will cease to be supported with security updates on Dec 31 this year, so best to switch to 1.0.2: https://www.openssl.org/policies/releasestrat.html
Please use git submodules against https://github.com/openssl/openssl
On Sat, Mar 5, 2016 at 7:10 AM, est31 notifications@github.com wrote:
But again, I think dynamic solution would be preferred for distros. The
On Sat, Mar 5, 2016 at 7:29 AM, Sergey Lapin slapinid@gmail.com wrote:
That's the case already. If you don't specify
Is there any progress for this issue? I have a Godot game in Google Play and I was sent an email by Google Play that the OpenSSL version, which I assume Godot uses, is vulnerable to the Logjam attack. Google Play has a deadline for APKs with this version of OpenSSL set for July 2016, therefore all current Godot APKs are affected by this issue. Is it possible to compile without OpenSSL as a temporary fix until OpenSSL is upgraded?
You can compile the templates with
Apparently all Google Play Developers are getting a notification that their Godot games are vulnerable to logjam attacks and CVE-2015-3194. While this is likely not true per se (OpenSSL is vulnerable, but I don't think the very small usage we're making of it exposes the mentioned vulnerabilities, though I haven't checked myself), we need to fix this ASAP to silence those warnings.
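A way to reproduce a check of the kind the Google Play notice implies, as an added example that is not part of this thread or of the Godot project. It assumes (an assumption, not something the thread states) that such a scan recovers the library version from the banner string that libcrypto compiles into every build (`OpenSSL 1.0.1h 5 Jun 2014` and the like); the sample blobs are constructed byte strings standing in for a compiled export template, and the minimum version is the 1.0.1s mentioned in this thread, to be adjusted for whatever branch you ship.

```python
"""Flag binaries that embed an outdated OpenSSL version banner.

Added example, not code from the Godot project or from Google Play. It
assumes (this is an assumption, not something the thread states) that a
store-side scan of this kind recovers the library version from the banner
that libcrypto compiles into every build, e.g. "OpenSSL 1.0.1h 5 Jun 2014".
The sample blobs below are constructed byte strings standing in for a
compiled export template, not real libraries.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# OPENSSL_VERSION_TEXT looks like "OpenSSL 1.0.2h  3 May 2016"; the trailing
# letter is the 1.0.x-era fix release (1.0.1h, 1.0.1s, ...), absent on 1.0.1.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

# Newest 1.0.1 release named in the thread (1.0.1s). Pick the minimum for the
# branch you actually ship: 1.0.1 and 1.0.2 received fixes in parallel, so a
# plain tuple comparison treats any 1.0.2x as newer than any 1.0.1x.
MINIMUM: Version = (1, 0, 1, 19)


def parse_version(text: bytes) -> Optional[Version]:
    """Return the first banner in `text` as a comparable tuple, or None.

    The fix letter is mapped to its 1-based alphabet position so that
    1.0.1 < 1.0.1a < 1.0.1h < 1.0.1s sorts correctly.
    """
    m = BANNER_RE.search(text)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    fix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), fix)


def find_versions(blob: bytes) -> List[Version]:
    """All distinct banners in a blob, in order of appearance.

    A binary that statically links one OpenSSL and bundles another can
    carry more than one banner, so report every one rather than the first.
    """
    found: List[Version] = []
    for m in BANNER_RE.finditer(blob):
        v = parse_version(m.group(0))
        if v is not None and v not in found:
            found.append(v)
    return found


def audit(blob: bytes, minimum: Version = MINIMUM) -> str:
    """Classify a blob: 'no-openssl', 'ok', or 'outdated'.

    Any banner below `minimum` makes the whole blob 'outdated': the oldest
    copy is the one that matters, because it is the one an attacker targets.
    """
    versions = find_versions(blob)
    if not versions:
        return "no-openssl"
    return "outdated" if min(versions) < minimum else "ok"


def audit_file(path: Path, minimum: Version = MINIMUM) -> str:
    """Convenience wrapper for a real file, e.g. an unpacked export template .so."""
    return audit(path.read_bytes(), minimum)


# Constructed stand-ins for a compiled template: a few bytes of "binary"
# padding around the banner, nothing more.
SAMPLE_OLD = b"\x7fELF\x00\x00OpenSSL 1.0.1h 5 Jun 2014\x00\x00compiled\x00"
SAMPLE_NEW = b"\x7fELF\x00\x00OpenSSL 1.0.2h  3 May 2016\x00\x00compiled\x00"
SAMPLE_NONE = b"\x7fELF\x00\x00no TLS library in this build\x00"
# Two banners: the older one decides the verdict.
SAMPLE_MIXED = SAMPLE_NEW + SAMPLE_OLD

if __name__ == "__main__":
    for name, blob in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW),
                       ("none", SAMPLE_NONE), ("mixed", SAMPLE_MIXED)]:
        print(f"{name:6} {find_versions(blob)} -> {audit(blob)}")
```

Running `audit_file` over the unpacked `.so` files of an APK answers the question raised above (which version the template actually embeds) without trusting the build system's idea of it; note that a "no-openssl" result only says no banner was found, which is what a template built without OpenSSL should produce.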
I've had a very quick look at updating our builtin version to 1.0.1s (current version in the 1.0.1 branch that we are on right now), it does not seem to build out of the box as I get this error:
I also seem to get conflicts between the system-wide headers and the ones in builtin_openssl2 when trying to build with I'd be glad if someone feeling confident about it would give it a go ;)
Looks like the error comes from this file: https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/crypto/arm_arch.h
check the openssl config file (it's somewhere inside the openssl dir), this
On Fri, Apr 1, 2016 at 6:41 AM, beocat notifications@github.com wrote:
@akien-mga perhaps try to make a diff or something to the official release tarball the currently used openssl comes from, then you know which modifications happened, and you perhaps have a base on which to get it work again.
Yeah that's a good idea, I'll have a look at it over the week-end. |
Sadly the git history is not really useful as the openssl customizations have often been done in huge commits together with other stuff, so it's difficult to update the current version in a way that Godot can work with out of the box. Here's the history for whoever is interested:
Basically the 1.0.1h version was imported, with the main header for each crypto component split from |
@reduz Is there a practical reason for moving those headers to |
@reduz I haven't forgotten about the mbedTLS route. I actually have it working in a clunky fashion, but 2 other important projects sidetracked me from finishing. I finished one of those projects and the other is almost done.
@akien-mga Have you got an answer on why the headers have been moved to openssl folder? I agree that it makes the maintenance harder. It would be nice to know what the thought behind this moving-of-files was.
yeah i agree that it would be much better using mbedtls (but not in-tree) or maintaining a patchset (for windows, since all linux distros (and probably mac) already ship openssl) against latest openssl release tarball.
the "fix" is only temporary (until the next CVE) - so it does not really solve the issue.
Reopening this as it needs more discussion. @rofl0r made a good point. Also, it's not building on Windows, so that's one more problem. |
I don't know whether this is clear to everybody, but the commit adds lots of windows blobs. This might also be the reason for windows builds failing. They should be removed. It's just weird that this wasn't caught by the gitignore. I've done a There are no differing files, only files which exist in one directory, but not in the other. The object files are obviously wrong, I don't know about the other stuff. But for example why add
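The tarball comparison suggested earlier in the thread, and the kind of result reported just above (no differing files, only files present on one side), can be scripted so that the local patch set, relocated headers and stray build output come out in separate buckets. This is an added example, not the Godot project's own tooling: it assumes the upstream release tarball has already been unpacked into a directory (both paths are arguments), and the two demo trees it builds are constructed for illustration, not Godot's real source tree.

```python
"""Compare a vendored OpenSSL copy against the unpacked upstream tarball.

Added example, not code from the Godot project. It assumes the upstream
release tarball has already been unpacked to a directory (both paths are
arguments). The demo trees below are constructed to mimic the patterns the
thread describes (a patched crypto/arm_arch.h, a relocated header and
leftover Windows build output); they are not Godot's real tree.
"""
import filecmp
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Build output has no business in a checked-in tree; report it separately
# instead of letting it drown the real patch set in noise.
ARTIFACT_SUFFIXES = {".o", ".obj", ".a", ".lib", ".dll", ".so", ".exe", ".dylib", ".pdb"}
ARTIFACT_NAMES = {"Makefile", "Makefile.bak"}


def is_artifact(rel_path: str) -> bool:
    """True for generated files that should not be committed at all."""
    name = rel_path.rsplit("/", 1)[-1]
    return name in ARTIFACT_NAMES or Path(name).suffix.lower() in ARTIFACT_SUFFIXES


def _files(root: Path) -> Dict[str, Path]:
    """Map relative POSIX path -> absolute path for every regular file."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_trees(vendored: Path, upstream: Path) -> Dict[str, List[str]]:
    """Bucket every file under either tree.

    'differing' is the local patch set (what to carry forward or send
    upstream), 'only_vendored'/'only_upstream' expose moved or dropped
    files, and 'artifacts' lists build output found in the vendored tree.
    """
    v, u = _files(vendored), _files(upstream)
    report: Dict[str, List[str]] = {
        "only_vendored": [], "only_upstream": [], "differing": [], "artifacts": []}
    for rel in sorted(v.keys() | u.keys()):
        if is_artifact(rel):
            if rel in v:
                report["artifacts"].append(rel)
            continue
        if rel not in u:
            report["only_vendored"].append(rel)
        elif rel not in v:
            report["only_upstream"].append(rel)
        elif not filecmp.cmp(v[rel], u[rel], shallow=False):  # byte-for-byte
            report["differing"].append(rel)
    return report


def _write(root: Path, files: Dict[str, str]) -> None:
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo() -> Dict[str, List[str]]:
    """Build two constructed trees in a temp dir, compare them, return the report."""
    upstream_files = {
        "Makefile": "# generated by Configure\n",
        "crypto/arm_arch.h": "/* upstream arm_arch.h (constructed content) */\n",
        "crypto/sha/sha.h": "/* sha.h (constructed content) */\n",
        "include/openssl/ssl.h": "/* ssl.h (constructed content) */\n",
    }
    vendored_files = dict(upstream_files)
    # Local patch to the file the build error above points at.
    vendored_files["crypto/arm_arch.h"] = "/* locally patched arm_arch.h */\n"
    # Header relocated out of include/openssl/, as the thread describes.
    vendored_files["openssl/ssl.h"] = vendored_files.pop("include/openssl/ssl.h")
    # Stray Windows build output that should never have been committed.
    vendored_files["ms/uplink.obj"] = "not really an object file\n"

    with tempfile.TemporaryDirectory() as tmp:
        vendored, upstream = Path(tmp, "vendored"), Path(tmp, "upstream")
        _write(vendored, vendored_files)
        _write(upstream, upstream_files)
        return compare_trees(vendored, upstream)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        report = run_demo()
    print(json.dumps(report, indent=2))
```

Usage: `python compare_openssl.py thirdparty/openssl/ openssl-1.0.1h/` after unpacking the matching release tarball. Once the `differing` list is known, `diff -ru` over just those files gives a patch set that can be re-applied to the next release instead of being rediscovered from the git history.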
What Windows blobs? Are you sure they're not from your own compilation of the windows template? I don't have any such blob:
Thanks for checking that it's the same contents as the upstream tarball, I trust @mrezai's contributions but double-checking is never a bad idea, especially for sensitive drivers like openssl :) |
Here's @est31's list of differences with the windows compiled files and Makefiles removed: http://pastebin.com/rYunpGmy |
Ah yeah, may be my own artifact. |
OpenSSL 1.0.2h will be released on May 3rd: https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html @mrezai If you're around to handle the update in the following days, it would be awesome. Then I'll prepare a 2.0.3 release to, among other bug fixes, reenable openssl support.
@akien-mga I'll update :) |
The version of the builtin openssl is 1.0.1h, which fortunately isn't affected by heartbleed anymore, but still outdated. The most recent version is 1.0.1p. For the longer term, I think that it would be great if openssl could be updated to the most recent version for every stable release of godot.