(Top posting because some other posters did so). Please note the following problems with the so naming defaults in version 1.0.2a: 1. On Android, developers are (or were until recently) officially told *not* to rely on the system copy of OpenSSL, since it is not part of the official API. Thus packaging your own copy or relying on the botched version of Java JCE implemented on top of the system OpenSSL are the only officially supported options. 2. On many systems that install OpenSSL 1.0.1 (any patch level) as libcrypto.so.1.0.0, installing OpenSSL 1.0.2a as libcrypto.so.1.0.0 will instantly break system software linked against the 1.0.1 under the same ABI name. So much for binary compatibility. Thus for Android, you would want to link it as libcom_yourdomain_yourapp_crypto.so (file name must match lib*.so for theapk to unpack correctly), or as a static PIC library, making the system think it has nothing to do with any well-known or other app's copy of OpenSSL. Be sure to release new versions of your app whenever an OpenSSL security update affects something you actually use from the library. For parallel installation of OpenSSL 1.0.2a and the OS supplied OpenSSL 1.0.1 (with patches equivalent to the latest release), modify SHLIB_VERSION_NUMBER from 1.0.0 to 1.0.2 in the folliwing files from the tarball: crypto/opensslv.h Makefile Makefile.bak I have pasted the patch I use at the end of this mail (nothing cryptographic, soI think I can post that without extra red tape). On 22/04/2015 16:26, John Foley wrote: > Are you packaging libcrypto.so into the APK yourself? The Android OS > comes with it's own resident copy of libcrypto. You can leverage this > from your app without having to package libcrypto into your > application. This assumes the version of libcrypto that comes with > Android meets your needs. Given the various flavors of Android out in > the wild, this may limit what your application can do with libcrypto. > > If you're packaging libcrypto into your APK, one problem I've seen in > Android is the System.LoadLibrary() call will use the host resident copy > of libcrypto instead of the one packaged in the APK. One way to get > around this is to hack the linker step in the OpenSSL makefile to rename > libcrypto to something different. You'll need to make sure the -soname > option on the linker step is consistent with whatever you name the > library. For instance, you can name it libcryptoX.so, and pass in this > same name to the -soname option. Confirm that it works using objdump to > view the ELF header. The soname will be in the ELF header. Then > package libcryptoX.so into your APK and use this name with the > System.LoadLibrary() call. > > > > On 04/22/2015 09:41 AM, Shanku Roy wrote: >> Am cross compiling the FIPS enabled version for Android; In Android, some apps are having trouble loading their bundled libcrypto library when the binary is named as *.so.1.0.0 instead of libcrypto.so as platform library. >> >> >> ----- Original Message ----- >> From: Viktor Dukhovni <openssl-users at dukhovni.org> >> To: openssl-users at openssl.org >> Cc: >> Sent: Tuesday, April 21, 2015 11:47 PM >> Subject: Re: [openssl-users] Building libcrypto/libssl without symbolic link >> >> On Wed, Apr 22, 2015 at 12:12:45AM +0000, Shanku Roy wrote: >>> lrw-r--r-- root root 2015-04-10 02:33 libcrypto.so -> libcrypto.so.1.0.0 >>> -rw-r--r-- root root 1988088 2015-04-10 02:27 libcrypto.so.1.0.0 >>> >>> Is there any configure option in OpenSSL build scripts to not generate >>> the symbolic links and rather generate actual binary as >>> libcrypto.so/libssl.so from the build process like following: >> The library "soname" is part of the ABI. What platform are you >> building for where it would not be appropriate to encode the ABI >> compatibility name into the library name? (Beware of long lines in this patch) =================== Cut here =================== diff -Naur openssl-1.0.2a.orig/crypto/opensslv.h openssl-1.0.2a/crypto/opensslv.h --- openssl-1.0.2a.orig/crypto/opensslv.h 2015-03-19 14:31:16.000000000 +0100 +++ openssl-1.0.2a/crypto/opensslv.h 2015-03-22 23:10:15.000000000 +0100 @@ -88,7 +88,7 @@ * should only keep the versions that are binary compatible with the current. */ # define SHLIB_VERSION_HISTORY "" -# define SHLIB_VERSION_NUMBER "1.0.0" +# define SHLIB_VERSION_NUMBER "1.0.2" #ifdef __cplusplus diff -Naur openssl-1.0.2a.orig/Makefile openssl-1.0.2a/Makefile --- openssl-1.0.2a.orig/Makefile 2015-03-19 14:31:16.000000000 +0100 +++ openssl-1.0.2a/Makefile 2015-03-22 23:06:50.000000000 +0100 @@ -7,10 +7,10 @@ VERSION=1.0.2a MAJOR=1 MINOR=0.2 -SHLIB_VERSION_NUMBER=1.0.0 +SHLIB_VERSION_NUMBER=1.0.2 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=1 -SHLIB_MINOR=0.0 +SHLIB_MINOR=0.2 SHLIB_EXT= PLATFORM=dist OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-store no-unit-test no-zlib no-zlib-dynamic static-engine diff -Naur openssl-1.0.2a.orig/Makefile.bak openssl-1.0.2a/Makefile.bak --- openssl-1.0.2a.orig/Makefile.bak 2015-03-19 14:30:59.000000000 +0100 +++ openssl-1.0.2a/Makefile.bak 2015-03-22 23:07:01.000000000 +0100 @@ -7,10 +7,10 @@ VERSION=1.0.2a-dev MAJOR=1 MINOR=0.2 -SHLIB_VERSION_NUMBER=1.0.0 +SHLIB_VERSION_NUMBER=1.0.2 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=1 -SHLIB_MINOR=0.0 +SHLIB_MINOR=0.2 SHLIB_EXT= PLATFORM=gcc OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-store no-unit-test no-zlib no-zlib-dynamic static-engine =================== Cut here =================== Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
