On Mon, Sep 28, 2015 at 6:40 PM, Spark85 <david.e.ozer...@gmail.com> wrote: > Hi Jeff, > > Thank you for the quick response. I'm not sure I follow what you are > suggesting I do. > > I looked at the source for the classes with OpenSSL, here is what I found.
Not the sources. If you were building OpenSSL from sources, you would just use OpenSSL 1.2d. > ... > Are you suggesting replacing the qualified name for the SSL libraries to a > save version? If so, what should I be doing to test that it doesn't break > my code? No, I'm saying to edit the actual binary provided by whomever. Your IDE or one of the SDK's you are using is providing a down level version of the openssl libraries. You need to identity the name of it because they (the vendor) have to wrap the openssl static libraries (libcrypto.a and libssl.a). They have to wrap it in a shared obect for JNI. If they (the vendor) try to provide the the actual libcypto.so or libssl.so, then you will link to it at compile time. However, at runtime, you will get Zygote's copy of openssl. The link/loader won't load your updated shared objects from the APK because the dependencies "libcrypto.so" and "libssl.so" and the symbols they provide are already satisfied. Once you identify the shared object (just use `strings`), then you can use a stream editor in binary mode to change the OpenSSL version in the compiled binary. For example, see below. Those are the strings you have to change. Hit it with `sed --binary`. "OpenSSL 1.0.2d 9 Jul 2015" is a long string, and it likely won't collide with, for example, processor instructions. But like I said, because of Zygote, its *not* going to be named "libcrypto.so". Jeff $ strings /usr/local/ssl/android-18/lib/libcrypto.so | egrep "([0-1]\.[0-1]\.[0-2])" libcrypto.so.1.0.0 OpenSSL 1.0.2d 9 Jul 2015 MD4 part of OpenSSL 1.0.2d 9 Jul 2015 MD5 part of OpenSSL 1.0.2d 9 Jul 2015 SHA part of OpenSSL 1.0.2d 9 Jul 2015 SHA1 part of OpenSSL 1.0.2d 9 Jul 2015 SHA-256 part of OpenSSL 1.0.2d 9 Jul 2015 SHA-512 part of OpenSSL 1.0.2d 9 Jul 2015 RIPE-MD160 part of OpenSSL 1.0.2d 9 Jul 2015 DES part of OpenSSL 1.0.2d 9 Jul 2015 libdes part of OpenSSL 1.0.2d 9 Jul 2015 !"#$% !"#$%&'()*+,-./0123456789:;<=>?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzAES part of OpenSSL 1.0.2d 9 Jul 2015 RC2 part of OpenSSL 1.0.2d 9 Jul 2015 RC4 part of OpenSSL 1.0.2d 9 Jul 2015 IDEA part of OpenSSL 1.0.2d 9 Jul 2015 :Blowfish part of OpenSSL 1.0.2d 9 Jul 2015 \CAST part of OpenSSL 1.0.2d 9 Jul 2015 OCAMELLIA part of OpenSSL 1.0.2d 9 Jul 2015 Big Number part of OpenSSL 1.0.2d 9 Jul 2015 (1RSA part of OpenSSL 1.0.2d 9 Jul 2015 DSA part of OpenSSL 1.0.2d 9 Jul 2015 ECDSA part of OpenSSL 1.0.2d 9 Jul 2015 Diffie-Hellman part of OpenSSL 1.0.2d 9 Jul 2015 ECDH part of OpenSSL 1.0.2d 9 Jul 2015 Stack part of OpenSSL 1.0.2d 9 Jul 2015 lhash part of OpenSSL 1.0.2d 9 Jul 2015 RAND part of OpenSSL 1.0.2d 9 Jul 2015 EVP part of OpenSSL 1.0.2d 9 Jul 2015 ASN.1 part of OpenSSL 1.0.2d 9 Jul 2015 PEM part of OpenSSL 1.0.2d 9 Jul 2015 X.509 part of OpenSSL 1.0.2d 9 Jul 2015 CONF part of OpenSSL 1.0.2d 9 Jul 2015 CONF_def part of OpenSSL 1.0.2d 9 Jul 2015 TXT_DB part of OpenSSL 1.0.2d 9 Jul 2015 -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
