How to update OpenSSL version in CSipSimple?

Question

I am using CSipSimple code for my application. But unfortunately, Google Playstore has raised a warning: You are using a vulnerable version of OpenSSL

I want to update the OpenSSL version from existing code.

Here is some reference which I have followed. CSipSimple-OpenSSL But I am stuck at step 5 there are no such command

m: command not found

Am I following incorrect steps? If any one have already done with this, then please help me or provide some steps/link.

Any help would be really appreciated

Answer 1

In case someone encounters the problem of using vulnerable version of OpenSSL in one of the native libraries, I add some more details and instructions for the @Nonos solution. This tutorial is for CSipSimple but building OpenSSL static libraries is a more generic solution.

I recommend the second solution as adding a static OpenSSL library is more simple solution.

Preconditions: Android NDK need to be configured first.

1. First of all, download the OpenSSL compatible version (> 1.0.2f/1.0.1r).
2. Download two scripts from this link. In case someone wonders what they do: They build the OpenSSL library for every android build (armeabi, x86, mips, etc...)
3. Modify setenv-android-mod.sh -> line 18 with the ndk version
4. Modify setenv-android-mod.sh -> line 40 with the Android API version
5. Modify build-all-arch.sh -> line 7 with the folder name of the OpenSSL library (in my case it was openssl-1.0.1t)
6. After successful build, inside the folder dist the libraries will be present
7. Put those folders inside csipsimple/CSipSimple-trunk/CSipSimple/jni/openssl/lib
8. Put header files from openssl-1.0.1{version}/include to csipsimple/CSipSimple-trunk/CSipSimple/jni/openssl/include. Be aware, that some of the header files are symlinks to other files.
9. Compile CSipSimple. Be aware, that OpenSSL and CSipSimple must be compiled with the same Android API version.

Should build successfully after making steps.

Answer 2

mm is for make module, this is available within the Android source project build, so you will need to set up a build environment, within the modules provided is the OpenSSL on Android platform (from which the readme file you're referencing is taken) . Setting up a build environment will take at least a day or two by itself so I wouldn't recommend it unless you already have it for a different reason.. Additionally, Android dropped support for OpenSSL in their latest release and are using BoringSSL. To my knowledge, the best way to achieve what you want here, is to cross compile and build OpenSSL from source following the guidelines on the open ssl wiki, creating .a files and statically referencing them in your app. This is also the recommended way in order to avoid referencing system libraries on N and later versions.

EDIT: To add the libraries to my project as prebuilt static libraries, I created an openssl folder under my jni directory containing lib/ (which contain the .a files for the architectures I support), include/ which has the necessary includes (you can find that under the openssl version you downloaded) and Android.mk which has the following:

include $(CLEAR_VARS) 
LOCAL_MODULE := libssl
LOCAL_SRC_FILES := lib/$(TARGET_ARCH_ABI)/libssl.a
include $(PREBUILT_STATIC_LIBRARY)
include $(CLEAR_VARS)
LOCAL_MODULE := libcrypto
LOCAL_SRC_FILES := lib/$(TARGET_ARCH_ABI)/libcrypto.a
include $(PREBUILT_STATIC_LIBRARY)

Then, to use the library within another jni module I added the following to its Android.mk file:

LOCAL_C_INCLUDES := $(LOCAL_PATH)/../openssl/include
LOCAL_STATIC_LIBRARIES := libssl libcrypto

This is also similar to what's been done here, except that it's not recommended to use .a files provided by non-openssl source.