3

I am using CSipSimple code for my application. But unfortunately, the Google Play Store has raised a warning: You are using a vulnerable version of OpenSSL

I want to update the OpenSSL version from existing code.

Here is the reference which I have followed: CSipSimple-OpenSSL. But I am stuck at step 5; there is no such command:

m: command not found

Am I following incorrect steps? If anyone has already done this, then please help me or provide some steps/link.

Any help would be really appreciated.

Asfak Saiyed
  • It looks like the `m` of Step 5 should be the `mm` in Step 6. Or, use the full command, which I believe is `make`. – jww Apr 08 '16 at 15:24
  • I have already tried both of these commands. For _mm_, it's not a proper command to build, and for the _make_ command the target has no makefile, so that is also not the trick. Any other idea or reference? – Asfak Saiyed Apr 11 '16 at 05:21

2 Answers

3

`mm` is for "make module". It is available within the Android source project build, so you will need to set up a build environment; among the modules provided is the OpenSSL on Android platform (from which the readme file you're referencing is taken). Setting up a build environment will take at least a day or two by itself, so I wouldn't recommend it unless you already have it for a different reason. Additionally, Android dropped support for OpenSSL in their latest release and is using BoringSSL. To my knowledge, the best way to achieve what you want here is to cross-compile and build OpenSSL from source following the guidelines on the OpenSSL wiki, creating .a files and statically referencing them in your app. This is also the recommended way in order to avoid referencing system libraries on N and later versions.

EDIT: To add the libraries to my project as prebuilt static libraries, I created an openssl folder under my jni directory containing lib/ (which contains the .a files for the architectures I support), include/ which has the necessary includes (you can find that under the openssl version you downloaded) and Android.mk which has the following:

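```makefile
# Required at the top of every Android.mk: the directory of this file
LOCAL_PATH := $(call my-dir)

# Prebuilt libssl for the ABI currently being built
include $(CLEAR_VARS)
LOCAL_MODULE := libssl
LOCAL_SRC_FILES := lib/$(TARGET_ARCH_ABI)/libssl.a
include $(PREBUILT_STATIC_LIBRARY)

# Prebuilt libcrypto for the same ABI
include $(CLEAR_VARS)
LOCAL_MODULE := libcrypto
LOCAL_SRC_FILES := lib/$(TARGET_ARCH_ABI)/libcrypto.a
include $(PREBUILT_STATIC_LIBRARY)
```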

Then, to use the library within another jni module I added the following to its Android.mk file:

```makefile
LOCAL_C_INCLUDES := $(LOCAL_PATH)/../openssl/include
LOCAL_STATIC_LIBRARIES := libssl libcrypto
```

This is also similar to what's been done here, except that it's not recommended to use .a files provided by non-openssl source.

Nonos
  • Thanks @Nonos for your precious time and answer. After reading all the suggestions from your side, I have tried the [wiki](https://wiki.openssl.org/index.php/Android), and I am confused by the step **Using OpenSSL in an Application**: how can I generate a dynamic .so file and link the .a files with it so it will work in my project? – Asfak Saiyed Apr 20 '16 at 04:59
  • @AsfakSaiyed, I've edited my answer to address your question – Nonos Apr 20 '16 at 17:54
  • I have solved my problem by replacing the openssl directory with the latest version of openssl from **JNI** and making my project again; it's updated, and I will update my app on the Play Store very soon. If the version is accepted by Google Play then it works; if not, I will try your edited answer as the final solution. By the way, thanks for the edit. – Asfak Saiyed Apr 26 '16 at 05:04
3

In case someone encounters the problem of using a vulnerable version of OpenSSL in one of the native libraries, I add some more details and instructions for the @Nonos solution. This tutorial is for CSipSimple, but building OpenSSL static libraries is a more generic solution.

I recommend the second solution, as adding a static OpenSSL library is a simpler solution.

Preconditions: the Android NDK needs to be configured first.

  1. First of all, download the OpenSSL compatible version (> 1.0.2f/1.0.1r).
  2. Download two scripts from this link. In case someone wonders what they do: they build the OpenSSL library for every Android build (armeabi, x86, mips, etc.)
  3. Modify setenv-android-mod.sh -> line 18 with the ndk version
  4. Modify setenv-android-mod.sh -> line 40 with the Android API version
  5. Modify build-all-arch.sh -> line 7 with the folder name of the OpenSSL library (in my case it was openssl-1.0.1t)
  6. After successful build, inside the folder dist the libraries will be present
  7. Put those folders inside csipsimple/CSipSimple-trunk/CSipSimple/jni/openssl/lib
  8. Put header files from openssl-1.0.1{version}/include to csipsimple/CSipSimple-trunk/CSipSimple/jni/openssl/include. Be aware, that some of the header files are symlinks to other files.
  9. Compile CSipSimple. Be aware, that OpenSSL and CSipSimple must be compiled with the same Android API version.

It should build successfully after following these steps.

R. Zagórski
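A check for the libraries produced by the steps above, added here as an example (it is not part of either answer or of CSipSimple): it scans `.a`/`.so` files for the version banner OpenSSL embeds in its binaries and flags anything below the 1.0.2f/1.0.1r floor quoted in the answer. Treating those two releases themselves as acceptable, and all function and variable names, are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Banner OpenSSL compiles into libcrypto, e.g. "OpenSSL 1.0.1t  3 May 2016".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[\w.]+)? ")

# Minimum patch letter per branch, from the answer above (1.0.2f / 1.0.1r).
# Assumption: those two releases themselves are treated as acceptable.
MINIMUM = {(1, 0, 1): "r", (1, 0, 2): "f"}


def find_versions(data):
    """Return the sorted, de-duplicated OpenSSL versions named in a binary blob."""
    found = set()
    for m in BANNER.finditer(data):
        major, minor, fix, letter = m.groups()
        found.add((int(major), int(minor), int(fix), letter.decode()))
    return sorted(found)


def is_vulnerable(version):
    """True when the version is older than the minimum for its branch."""
    branch, letter = version[:3], version[3]
    if branch not in MINIMUM:
        return branch < min(MINIMUM)  # 1.0.0 and 0.9.x fail, newer branches pass
    # Patch letters run a..z, then za, zb, ...: compare by length, then text.
    floor = MINIMUM[branch]
    return (len(letter), letter) < (len(floor), floor)


def scan_tree(root):
    """Map each .a/.so file under root to the vulnerable versions it embeds."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".a", ".so"}:
            bad = [v for v in find_versions(path.read_bytes()) if is_vulnerable(v)]
            if bad:
                report[str(path)] = bad
    return report


# Constructed sample: bytes shaped like the string table of an old libcrypto.a.
SAMPLE = b"\x00AES part of OpenSSL 1.0.1e 11 Feb 2013\x00OpenSSL 1.0.1e 11 Feb 2013\x00"

if __name__ == "__main__":
    print("sample:", [(v, is_vulnerable(v)) for v in find_versions(SAMPLE)])
    for target in sys.argv[1:]:  # e.g. jni/openssl/lib or an unzipped APK
        for name, versions in scan_tree(target).items():
            print("VULNERABLE", name, versions)
```

Run it against `jni/openssl/lib` after step 7, and again against the `lib/` directory of the unzipped APK, since a stale copy of OpenSSL linked into another native library will still show up there.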