[openssl-users] FIPS building scripts does NOT work for iOS >=7
Yang Hong
hongyang99 at gmail.com
Tue Feb 9 03:11:19 UTC 2016
Hello Steve.
Thank you very much for your quick response.
I have tried different approaches to build FIPS module, according to the
testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for all
the FIPS packages for iOS >= 7, i.e., openssl-fips-2.0.8.tar,
openssl-fips-2.0.9.tar, openssl-fips-2.0.10.tar, openssl-fips-2.0.11.tar.
Apple Mac OS has been automatically updated to the new version. I failed to
recover it to the old version.
**************************************************
$ uname -a
Darwin Honeycrisp.local 15.0.0 Darwin Kernel Version 15.0.0: Sat Sep 19
15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64
$ clang -v
Apple LLVM version 7.0.0 (clang-700.1.76)
Target: x86_64-apple-darwin15.0.0
Thread model: posix
$ ls
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs
iPhoneOS.sdk iPhoneOS6.1.sdk iPhoneOS7.1.sdk iPhoneOS9.1.sdk
**************************************************
I reports the building issues below:
**************************************************
(1) For iOS 7.1,
http://openssl.com/testing/validation-2.0/platforms/ios-7.1/TestingInstructions-iOS-7.1.pdf
(1a) Correct results in Section 4.3 Compilation of "incore_macho" Utility
$ tar zxf openssl-fips-2.0.8.tar
$ cd openssl-fips-2.0.8
$ tar zxvf ../ios64incore.tar.gz
$ . ../setenvreset.sh
$ . ../setenvdarwini386.sh
$ ./config
$ make
$ cd iOS
$ make
$ ./incore_macho usage:
./incore_macho [debug] [exe|dso] executable
$ lipo info ancore_macho
Nonfat file: iOS/incore_macho is architecture: i386
$cd ..
$ make clean
All the above operations achieve the exactly same results as indicated by
the testing guide.
(1b) the errors appear in Section 4.4 Cross compilation of FIPS module
$ . ../setenv-reset.sh
$ . ../setenv-ios-11.sh
$ ./config
$ make
ld: building for iOS simulator, but linking against dylib built for OSX,
file '/usr/lib/libSystem.dylib' for architecture i386
clang: error: linker command failed with exit code 1 (use -v to see
invocation)
(2) I met the same failures for the other 3 FIPS packages 2.0.9 -- 2.0.11
I have noticed that 2.0.10 and 2.0.11 have included iOS folders. Thus we do
NOT need to extract ios64incore.tar,gz
**************************************************************
If I run the following shell script in a separate folder, I can build
OpenSSL generate module successfully. The built OpenSSL library works well
for iOS 9 device.
https://github.com/x2on/OpenSSL-for-iPhone/blob/master/build-libssl.sh
I have tried many approaches from the Internet, for example,
https://github.com/GotoHack/iOS-openSSL-FIPS
http://stackoverflow.com/questions/1211854/xcode-conditional-build-settings-based-on-architecture-device-arm-vs-simulat
http://stackoverflow.com/questions/6293298/llvm-gcc-4-2-error
I still can not solve the issues.
***************************************************************
I have used Beyond compare 4 to check the difference between
openssl-1.0.2f/config (or Configure) and openssl-fips-2.0.11/config (or
Configure). I do NOT know how to modify the setenv-ios-11.sh to generate
OpenSSL FIPS module for iOS >=8 under the new Mac OS available from Apple
website.
Would you shed some light on how to modify the building script for iOS >=8?
Thank you very much.
With best regards,
Winston Hong
On Thu, Feb 4, 2016 at 5:35 PM, Steve Marquess <marquess at openssl.com> wrote:
> On 02/04/2016 05:31 PM, Steve Marquess wrote:
> > On 02/04/2016 03:19 PM, Yang Hong wrote:
> >> Hello folks.
> >>
> >>
> >> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module
> >> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Support /*page
> >> 131)
> >>
> >>
> >> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
> >>
> >>
> >> I got two errors below.
> >>
> >> ************************************************************
> >>
> >> ...
> >
> > No iOS 7 or greater platforms have been tested yet, so this is no
> > surprise. The FIPS 140-2 validation won't apply for untested versions of
> > iOS anyway.
> >
> > If/when we test more iOS versions we'll make changes as appropriate.
>
> ... and I spoke (typed) too fast. The User Guide discussion of iOS is
> way out of date. You'll find some relevant info for iOS 7.1, and 8.1 at:
>
> http://openssl.com/testing/validation-2.0/platforms/ios-7.1/
> http://openssl.com/testing/validation-2.0/platforms/ios-8.1/
>
> I'll get around to updating the User Guide one of these days...
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160208/9d92560c/attachment-0001.html>
More information about the openssl-users
mailing list