From fb997dc62fb94e9a13da6e6cbb472cc7face79c9 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Sat, 9 May 2020 18:24:48 +0300
Subject: [PATCH] Set OpenSSL version in CFBundleShortVersionString

Some vulnerability analysis tools look at this 'marketing version' string to determine the version of OpenSSL library. Keep the actual version there to make the tools happy. Otherwise they tend to treat OpenSSL 1.0 to be massively vulnerable. Since we don't have access to OPENSSL_VERSION from build-libssl.sh, extract the version from OpenSSL header files.
---
 assets/AppleTV/Info.plist | 2 +-
 assets/MacOSX/Info.plist | 2 +-
 assets/WatchOS/Info.plist | 2 +-
 assets/iPhone/Info.plist | 2 +-
 create-openssl-framework.sh | 22 ++++++++++++++++++++++
 5 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/assets/AppleTV/Info.plist b/assets/AppleTV/Info.plist
index bb6bd7a..0cd9882 100755
--- a/assets/AppleTV/Info.plist
+++ b/assets/AppleTV/Info.plist
@@ -15,7 +15,7 @@
 CFBundlePackageType
 FMWK
 CFBundleShortVersionString
- 1.0
+ $(OPENSSL_VERSION)
 CFBundleVersion
 1
 MinimumOSVersion
diff --git a/assets/MacOSX/Info.plist b/assets/MacOSX/Info.plist
index bb6bd7a..0cd9882 100755
--- a/assets/MacOSX/Info.plist
+++ b/assets/MacOSX/Info.plist
@@ -15,7 +15,7 @@
 CFBundlePackageType
 FMWK
 CFBundleShortVersionString
- 1.0
+ $(OPENSSL_VERSION)
 CFBundleVersion
 1
 MinimumOSVersion
diff --git a/assets/WatchOS/Info.plist b/assets/WatchOS/Info.plist
index bb6bd7a..0cd9882 100755
--- a/assets/WatchOS/Info.plist
+++ b/assets/WatchOS/Info.plist
@@ -15,7 +15,7 @@
 CFBundlePackageType
 FMWK
 CFBundleShortVersionString
- 1.0
+ $(OPENSSL_VERSION)
 CFBundleVersion
 1
 MinimumOSVersion
diff --git a/assets/iPhone/Info.plist b/assets/iPhone/Info.plist
index bb6bd7a..0cd9882 100755
--- a/assets/iPhone/Info.plist
+++ b/assets/iPhone/Info.plist
@@ -15,7 +15,7 @@
 CFBundlePackageType
 FMWK
 CFBundleShortVersionString
- 1.0
+ $(OPENSSL_VERSION)
 CFBundleVersion
 1
 MinimumOSVersion
diff --git a/create-openssl-framework.sh b/create-openssl-framework.sh
index 0fafd9f..35c63ee 100755
--- a/create-openssl-framework.sh
+++ b/create-openssl-framework.sh
@@ -78,6 +78,24 @@ function get_min_sdk() {
     set -o pipefail
 }
 
+# Read OpenSSL version from opensslv.h file.
+#
+# In modern OpenSSL releases the version line looks like this:
+#
+#     # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+#
+# But for older versions with FIPS module it may look like this:
+#
+#     # ifdef OPENSSL_FIPS
+#     # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2u-fips 20 Dec 2019"
+#     # else
+#     # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2u 20 Dec 2019"
+#     # endif
+function get_openssl_version() {
+    local opensslv=$1
+    awk '/define OPENSSL_VERSION_TEXT/ && !/-fips/ {print $5}' "$opensslv"
+}
+
 if [ $FWTYPE == "dynamic" ]; then
     DEVELOPER=`xcode-select -print-path`
     FW_EXEC_NAME="${FWNAME}.framework/${FWNAME}"
@@ -158,7 +176,9 @@ if [ $FWTYPE == "dynamic" ]; then
     cp -r include/$FWNAME/* $FWDIR/Headers/
     cp -L assets/$SYS/Info.plist $FWDIR/Info.plist
     MIN_SDK_VERSION=$(get_min_sdk "$FWDIR/$FWNAME")
+    OPENSSL_VERSION=$(get_openssl_version "$FWDIR/Headers/opensslv.h")
     sed -e "s/\\\$(MIN_SDK_VERSION)/$MIN_SDK_VERSION/g" \
+        -e "s/\\\$(OPENSSL_VERSION)/$OPENSSL_VERSION/g" \
         -i '' "$FWDIR/Info.plist"
     echo "Created $FWDIR"
     check_bitcode $FWDIR
@@ -180,7 +200,9 @@ else
     cp -r include/$FWNAME/* $FWDIR/Headers/
     cp -L assets/$SYS/Info.plist $FWDIR/Info.plist
     MIN_SDK_VERSION=$(get_min_sdk "$FWDIR/$FWNAME")
+    OPENSSL_VERSION=$(get_openssl_version "$FWDIR/Headers/opensslv.h")
     sed -e "s/\\\$(MIN_SDK_VERSION)/$MIN_SDK_VERSION/g" \
+        -e "s/\\\$(OPENSSL_VERSION)/$OPENSSL_VERSION/g" \
         -i '' "$FWDIR/Info.plist"
     echo "Created $FWDIR"
     check_bitcode $FWDIR
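Review bot: `get_openssl_version` relies on the `# define` token being split by a space so that the version lands in awk field 5; a header written as `#define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"` would print `21` instead, and a header that matches nothing prints an empty string while the function still exits 0. Splitting on the double quote and taking the second word of the quoted text removes the dependency on the preprocessor spacing: `awk -F'"' '/define OPENSSL_VERSION_TEXT/ && !/-fips/ {split($2, f, " "); print f[2]}' "$opensslv"`. The header comment already documents the two layouts the pattern targets; it should also state that the function prints nothing when neither layout is found, so callers know they must check for an empty result.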
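Review bot: `OPENSSL_VERSION=$(get_openssl_version "$FWDIR/Headers/opensslv.h")` is fed straight into the `sed` substitution without checking that anything was extracted, so a header layout the awk pattern does not match leaves the framework with an empty CFBundleShortVersionString instead of failing the build — the opposite of what the commit sets out to guarantee for version scanners. A guard between the assignment and the `sed` call makes that loud: `[ -n "$OPENSSL_VERSION" ] || { echo "could not read OpenSSL version from $FWDIR/Headers/opensslv.h" >&2; exit 1; }`. The identical lines in the hunk at `@@ -180,7 +200,9 @@ else` need the same guard; since both branches repeat the cp/sed/echo sequence verbatim, a shared helper would avoid fixing it in two places. Apple documents CFBundleShortVersionString as a period-separated numeric string, so a value such as `1.1.1g` may draw validation warnings when the framework is embedded in a store-submitted app — worth confirming before relying on it. The enclosing `if [ $FWTYPE == "dynamic" ]` / `else` blocks begin and end outside these hunks.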