Hi Jeff,
Thank you for the quick response. I'm not sure I follow what you are
suggesting I do.
I looked at the source for the classes with OpenSSL; here is what I found.

ProviderInstaller:

public class ProviderInstaller {
    private static final GoogleApiAvailability zzacJ = GoogleApiAvailability.getInstance();
    private static final Object zzpy = new Object();
    private static Method zzaUV = null;
    public static final String PROVIDER_NAME = "GmsCore_OpenSSL";

    public ProviderInstaller() {
    }

OkHttpPlatform

private static Platform findPlatform() {
    // Attempt to find Android 2.3+ APIs.
    try {
        try {
            Class.forName("com.android.org.conscrypt.OpenSSLSocketImpl");
        } catch (ClassNotFoundException e) {
            // Older platform before being unbundled.
            Class.forName("org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl");
        }
        OptionalMethod<Socket> setUseSessionTickets
                = new OptionalMethod<>(null, "setUseSessionTickets", boolean.class);
        OptionalMethod<Socket> setHostname
                = new OptionalMethod<>(null, "setHostname", String.class);
        Method trafficStatsTagSocket = null;
        Method trafficStatsUntagSocket = null;
        OptionalMethod<Socket> getAlpnSelectedProtocol = null;
        OptionalMethod<Socket> setAlpnProtocols = null;

PRNGFixes.java

private static void applyOpenSSLFix() throws SecurityException {
    if ((Build.VERSION.SDK_INT < VERSION_CODE_JELLY_BEAN)
            || (Build.VERSION.SDK_INT > VERSION_CODE_JELLY_BEAN_MR2)) {
        // No need to apply the fix
        return;
    }
    try {
        // Mix in the device- and invocation-specific seed.
        Class.forName("org.apache.harmony.xnet.provider.jsse.NativeCrypto")
                .getMethod("RAND_seed", byte[].class)
                .invoke(null, generateSeed());
        // Mix output of Linux PRNG into OpenSSL's PRNG
        int bytesRead = (Integer) Class.forName(
                "org.apache.harmony.xnet.provider.jsse.NativeCrypto")
                .getMethod("RAND_load_file", String.class, long.class)
                .invoke(null, "/dev/urandom", 1024);
        if (bytesRead != 1024) {
            throw new IOException(
                    "Unexpected number of bytes read from Linux PRNG: "
                    + bytesRead);
        }
    } catch (Exception e) {
        throw new SecurityException("Failed to seed OpenSSL PRNG", e);
    }
}

Are you suggesting replacing the qualified name for the SSL libraries with a
safe version? If so, what should I be doing to test that it doesn't break
my code?

David

On Monday, September 28, 2015 at 4:33:05 PM UTC-4, Jeffrey Walton wrote:
>
> > Binary file ./com/google/android/gms/security/ProviderInstaller.class
> > matches
> >
> > Binary file ./com/squareup/okhttp/internal/Platform.class matches
> >
> > Binary file ./cz/msebera/android/httpclient/extras/PRNGFixes.class
> > matches
> >
> > Yet, I still can't find from here what version of OpenSSL these classes
> > are running. Any recommendations on what to do next?
>
> The AOSP script is not intelligent. It only performs string compares.
> It flagged a couple of my native libs because I was using libcrypto
> rather than the offending libssl.
>
> If it's an option, just edit the strings in the initialized data
> section. Whether it's an option depends on whether you are using
> vulnerable functions.
>
> It's OK to edit the strings because the security boundary is the
> APK/Android app, and the native library is within the boundary. Once
> the APK verifies, the system deems everything OK. It cannot tell the
> strings have been modified in the native shared object because there's
> no signature over it.
>
> Jeff
>
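
An added example, not part of the original thread: a Python triage script that separates archive entries which merely name OpenSSL (like the three class files listed above) from entries that embed an actual OpenSSL version banner. The banner regex, the sample archive, the library name libexample.so and the version 1.0.1e are constructed for illustration.

```python
import io
import re
import zipfile

# Version banner that libcrypto/libssl embed, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[\w.]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def scan_archive(archive):
    """Classify every entry of an APK/JAR that mentions OpenSSL.

    Returns {entry name: [version, ...]}. An empty list means the entry only
    contains the word "OpenSSL" (a class or provider name), not a version banner.
    """
    report = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if b"OpenSSL" not in data:
                continue  # a plain string search would not flag this entry
            versions = {m.group(1).decode("ascii") for m in BANNER.finditer(data)}
            report[info.filename] = sorted(versions)
    return report


def build_sample_archive():
    """Constructed sample: two classes that only name OpenSSL, one lib with a banner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/google/android/gms/security/ProviderInstaller.class",
                    b"\xca\xfe\xba\xbe..GmsCore_OpenSSL..")
        zf.writestr("com/squareup/okhttp/internal/Platform.class",
                    b"\xca\xfe\xba\xbe..com.android.org.conscrypt.OpenSSLSocketImpl..")
        zf.writestr("lib/armeabi/libexample.so",  # hypothetical native library
                    b"\x7fELF\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, versions in scan_archive(build_sample_archive()).items():
        print(name, "->", ", ".join(versions) if versions else "name reference only")
```

Entries reported as "name reference only" use whatever TLS provider the platform or Play Services supplies at run time, so no bundled OpenSSL version can be read from them.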