[openssl-users] FIPS building scripts does NOT work for iOS >=7

Yang Hong hongyang99 at gmail.com
Tue Feb 9 03:11:19 UTC 2016


Hello Steve.

Thank you very much for your quick response.

I have tried different approaches to build the FIPS module, according to the
testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for all
the FIPS packages for iOS >= 7, i.e., openssl-fips-2.0.8.tar,
openssl-fips-2.0.9.tar, openssl-fips-2.0.10.tar, openssl-fips-2.0.11.tar.

Apple Mac OS has been automatically updated to the new version. I failed to
recover it to the old version.
**************************************************
$ uname -a
Darwin Honeycrisp.local 15.0.0 Darwin Kernel Version 15.0.0: Sat Sep 19 15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64

$ clang -v
Apple LLVM version 7.0.0 (clang-700.1.76)
Target: x86_64-apple-darwin15.0.0
Thread model: posix

$ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs
iPhoneOS.sdk iPhoneOS6.1.sdk  iPhoneOS7.1.sdk iPhoneOS9.1.sdk
**************************************************


I report the building issues below:
**************************************************
(1) For iOS 7.1,

http://openssl.com/testing/validation-2.0/platforms/ios-7.1/TestingInstructions-iOS-7.1.pdf

(1a) Correct results in Section 4.3 Compilation of "incore_macho" Utility

$ tar zxf openssl-fips-2.0.8.tar

$ cd openssl-fips-2.0.8

$ tar zxvf ../ios64-incore.tar.gz

$ . ../setenv-reset.sh

$ . ../setenv-darwin-i386.sh

$ ./config

$ make

$ cd iOS

$ make

$ ./incore_macho
usage:
./incore_macho [--debug] [-exe|-dso] executable

$ lipo -info incore_macho
Non-fat file: iOS/incore_macho is architecture: i386

$ cd ..

$ make clean

All the above operations achieve the exactly same results as indicated by
the testing guide.

(1b) The errors appear in Section 4.4 Cross-compilation of FIPS module

$ . ../setenv-reset.sh

$ . ../setenv-ios-11.sh

$ ./config

$ make

ld: building for iOS simulator, but linking against dylib built for OSX, file '/usr/lib/libSystem.dylib' for architecture i386
clang: error: linker command failed with exit code 1 (use -v to see invocation)


(2) I met the same failures for the other 3 FIPS packages  2.0.9 -- 2.0.11

I have noticed that 2.0.10 and 2.0.11 have included iOS folders. Thus we do
NOT need to extract ios64-incore.tar.gz

**************************************************************

If I run the following shell script in a separate folder, I can build
OpenSSL generate module successfully. The built OpenSSL library works well
for iOS 9 device.

https://github.com/x2on/OpenSSL-for-iPhone/blob/master/build-libssl.sh


I have tried many approaches from the Internet, for example,

https://github.com/GotoHack/iOS-openSSL-FIPS

http://stackoverflow.com/questions/1211854/xcode-conditional-build-settings-based-on-architecture-device-arm-vs-simulat

http://stackoverflow.com/questions/6293298/llvm-gcc-4-2-error

I still can not solve the issues.

***************************************************************

I have used Beyond Compare 4 to check the difference between
openssl-1.0.2f/config (or Configure) and openssl-fips-2.0.11/config (or
Configure). I do NOT know how to modify the setenv-ios-11.sh to generate
OpenSSL FIPS module for iOS >=8 under the new Mac OS available from Apple
website.

Would you shed some light on how to modify the building script for iOS >=8?
Thank you very much.

With best regards,

Winston Hong


On Thu, Feb 4, 2016 at 5:35 PM, Steve Marquess <marquess at openssl.com> wrote:

> On 02/04/2016 05:31 PM, Steve Marquess wrote:
> > On 02/04/2016 03:19 PM, Yang Hong wrote:
> >> Hello folks.
> >>
> >>
> >> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module
> >> and FIPS Capable library for iOS devices (E.2 Apple iOS Support, page
> >> 131)
> >>
> >>
> >> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
> >>
> >>
> >> I got two errors below.
> >>
> >> ************************************************************
> >>
> >> ...
> >
> > No iOS 7 or greater platforms have been tested yet, so this is no
> > surprise. The FIPS 140-2 validation won't apply for untested versions of
> > iOS anyway.
> >
> > If/when we test more iOS versions we'll make changes as appropriate.
>
> ... and I spoke (typed) too fast. The User Guide discussion of iOS is
> way out of date. You'll find some relevant info for iOS 7.1, and 8.1 at:
>
>   http://openssl.com/testing/validation-2.0/platforms/ios-7.1/
>   http://openssl.com/testing/validation-2.0/platforms/ios-8.1/
>
> I'll get around to updating the User Guide one of these days...
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc