Hi David,

Apologies if I missed this in the email thread:  Have you tried uploading
it to the Dev Console?  What's the package name?

- Eric
Eric Davis | Android Security | [email protected] | 650.492.4612


On Mon, Sep 28, 2015 at 4:01 PM, Jeffrey Walton <[email protected]> wrote:

> On Mon, Sep 28, 2015 at 6:40 PM, Spark85 <[email protected]>
> wrote:
> > Hi Jeff,
> >
> > Thank you for the quick response.  I'm not sure I follow what you are
> > suggesting I do.
> >
> > I looked at the source for the classes with OpenSSL, here is what I
> > found.
>
> Not the sources. If you were building OpenSSL from sources, you would
> just use OpenSSL 1.2d.
>
> > ...
> > Are you suggesting replacing the qualified name for the SSL libraries to a
> > safe version?  If so, what should I be doing to test that it doesn't break
> > my code?
>
> No, I'm saying to edit the actual binary provided by whomever. Your
> IDE or one of the SDKs you are using is providing a down level
> version of the openssl libraries.
>
> You need to identify the name of it because they (the vendor) have to
> wrap the openssl static libraries (libcrypto.a and libssl.a). They
> have to wrap it in a shared object for JNI.
>
> If they (the vendor) try to provide the actual libcrypto.so or
> libssl.so, then you will link to it at compile time. However, at
> runtime, you will get Zygote's copy of openssl. The link/loader won't
> load your updated shared objects from the APK because the dependencies
> "libcrypto.so" and "libssl.so" and the symbols they provide are
> already satisfied.
>
> Once you identify the shared object (just use `strings`), then you can
> use a stream editor in binary mode to change the OpenSSL version in
> the compiled binary.
>
> For example, see below. Those are the strings you have to change. Hit
> it with `sed --binary`. "OpenSSL 1.0.2d 9 Jul 2015" is a long string,
> and it likely won't collide with, for example, processor instructions.
>
> But like I said, because of Zygote, it's *not* going to be named
> "libcrypto.so".
>
> Jeff
>
> $ strings /usr/local/ssl/android-18/lib/libcrypto.so | egrep "([0-1]\.[0-1]\.[0-2])"
> libcrypto.so.1.0.0
> OpenSSL 1.0.2d 9 Jul 2015
> MD4 part of OpenSSL 1.0.2d 9 Jul 2015
> MD5 part of OpenSSL 1.0.2d 9 Jul 2015
> SHA part of OpenSSL 1.0.2d 9 Jul 2015
> SHA1 part of OpenSSL 1.0.2d 9 Jul 2015
> SHA-256 part of OpenSSL 1.0.2d 9 Jul 2015
> SHA-512 part of OpenSSL 1.0.2d 9 Jul 2015
> RIPE-MD160 part of OpenSSL 1.0.2d 9 Jul 2015
> DES part of OpenSSL 1.0.2d 9 Jul 2015
> libdes part of OpenSSL 1.0.2d 9 Jul 2015
>  !"#$%
> !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzAES part of OpenSSL 1.0.2d 9 Jul 2015
> RC2 part of OpenSSL 1.0.2d 9 Jul 2015
> RC4 part of OpenSSL 1.0.2d 9 Jul 2015
> IDEA part of OpenSSL 1.0.2d 9 Jul 2015
> :Blowfish part of OpenSSL 1.0.2d 9 Jul 2015
> \CAST part of OpenSSL 1.0.2d 9 Jul 2015
> OCAMELLIA part of OpenSSL 1.0.2d 9 Jul 2015
> Big Number part of OpenSSL 1.0.2d 9 Jul 2015
> (1RSA part of OpenSSL 1.0.2d 9 Jul 2015
> DSA part of OpenSSL 1.0.2d 9 Jul 2015
> ECDSA part of OpenSSL 1.0.2d 9 Jul 2015
> Diffie-Hellman part of OpenSSL 1.0.2d 9 Jul 2015
> ECDH part of OpenSSL 1.0.2d 9 Jul 2015
> Stack part of OpenSSL 1.0.2d 9 Jul 2015
> lhash part of OpenSSL 1.0.2d 9 Jul 2015
> RAND part of OpenSSL 1.0.2d 9 Jul 2015
> EVP part of OpenSSL 1.0.2d 9 Jul 2015
> ASN.1 part of OpenSSL 1.0.2d 9 Jul 2015
> PEM part of OpenSSL 1.0.2d 9 Jul 2015
> X.509 part of OpenSSL 1.0.2d 9 Jul 2015
> CONF part of OpenSSL 1.0.2d 9 Jul 2015
> CONF_def part of OpenSSL 1.0.2d 9 Jul 2015
> TXT_DB part of OpenSSL 1.0.2d 9 Jul 2015
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/d/optout.
>
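
Added example, not part of the thread and not any participant's code: the identification step Jeff describes (finding which vendor-supplied shared object wraps OpenSSL, and which version it carries) done across every native library in an APK, so the down-level SDK can be pinned down and updated. The library name `libvendorsdk.so` is hypothetical and the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Matches the banner OpenSSL compiles in, e.g. "OpenSSL 1.0.2d 9 Jul 2015".
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]* +\d{1,2} [A-Z][a-z]{2} \d{4}")


def find_openssl_banners(apk):
    """Map each native library in an APK to the OpenSSL banners embedded in it.

    `apk` is a path or a binary file object. Only lib/<abi>/*.so entries are
    read, because that is where JNI wrapper libraries are packaged.
    """
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            # "MD5 part of OpenSSL ..." lines repeat the banner; keep it once.
            banners = sorted({m.group().decode("ascii") for m in BANNER.finditer(data)})
            if banners:
                found[name] = banners
    return found


def build_sample_apk():
    """Constructed input: a tiny zip shaped like an APK, with fake .so bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical vendor wrapper that statically links an older OpenSSL.
        zf.writestr("lib/armeabi-v7a/libvendorsdk.so",
                    b"\x7fELF\x00MD5 part of OpenSSL 1.0.1e 11 Feb 2013\x00"
                    b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        # Native library with no OpenSSL inside.
        zf.writestr("lib/armeabi-v7a/libapp.so", b"\x7fELF\x00no crypto here\x00")
        # Not a native library, so it is skipped even though the text matches.
        zf.writestr("classes.dex", b"dex\n035\x00OpenSSL 1.0.2d 9 Jul 2015")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for lib, banners in find_openssl_banners(build_sample_apk()).items():
        print(lib, banners)
```
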
