Set OpenSSL version in CFBundleShortVersionString

Some vulnerability analysis tools look at this 'marketing version'
string to determine the version of OpenSSL library. Keep the actual
version there to make the tools happy. Otherwise they tend to treat
OpenSSL 1.0 to be massively vulnerable.

Since we don't have access to OPENSSL_VERSION from build-libssl.sh,
extract the version from OpenSSL header files.
This commit is contained in:
Alexei Lozovsky 2020-05-09 18:24:48 +03:00
parent 5d14c91074
commit fb997dc62f
5 changed files with 26 additions and 4 deletions

View File

@ -15,7 +15,7 @@
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<string>$(OPENSSL_VERSION)</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>MinimumOSVersion</key>

View File

@ -15,7 +15,7 @@
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<string>$(OPENSSL_VERSION)</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>MinimumOSVersion</key>

View File

@ -15,7 +15,7 @@
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<string>$(OPENSSL_VERSION)</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>MinimumOSVersion</key>

View File

@ -15,7 +15,7 @@
<key>CFBundlePackageType</key>
<string>FMWK</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<string>$(OPENSSL_VERSION)</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>MinimumOSVersion</key>

View File

@ -78,6 +78,24 @@ function get_min_sdk() {
set -o pipefail
}
# Read OpenSSL version from opensslv.h file.
#
# In modern OpenSSL releases the version line looks like this:
#
# # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
#
# But for older versions with FIPS module it may look like this:
#
# # ifdef OPENSSL_FIPS
# # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2u-fips 20 Dec 2019"
# # else
# # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2u 20 Dec 2019"
# # endif
function get_openssl_version() {
local opensslv=$1
awk '/define OPENSSL_VERSION_TEXT/ && !/-fips/ {print $5}' "$opensslv"
}
if [ $FWTYPE == "dynamic" ]; then
DEVELOPER=`xcode-select -print-path`
FW_EXEC_NAME="${FWNAME}.framework/${FWNAME}"
@ -158,7 +176,9 @@ if [ $FWTYPE == "dynamic" ]; then
cp -r include/$FWNAME/* $FWDIR/Headers/
cp -L assets/$SYS/Info.plist $FWDIR/Info.plist
MIN_SDK_VERSION=$(get_min_sdk "$FWDIR/$FWNAME")
OPENSSL_VERSION=$(get_openssl_version "$FWDIR/Headers/opensslv.h")
sed -e "s/\\\$(MIN_SDK_VERSION)/$MIN_SDK_VERSION/g" \
-e "s/\\\$(OPENSSL_VERSION)/$OPENSSL_VERSION/g" \
-i '' "$FWDIR/Info.plist"
echo "Created $FWDIR"
check_bitcode $FWDIR
@ -180,7 +200,9 @@ else
cp -r include/$FWNAME/* $FWDIR/Headers/
cp -L assets/$SYS/Info.plist $FWDIR/Info.plist
MIN_SDK_VERSION=$(get_min_sdk "$FWDIR/$FWNAME")
OPENSSL_VERSION=$(get_openssl_version "$FWDIR/Headers/opensslv.h")
sed -e "s/\\\$(MIN_SDK_VERSION)/$MIN_SDK_VERSION/g" \
-e "s/\\\$(OPENSSL_VERSION)/$OPENSSL_VERSION/g" \
-i '' "$FWDIR/Info.plist"
echo "Created $FWDIR"
check_bitcode $FWDIR