[openssl-users] FIPS building scripts does NOT work for iOS >=7

Steve Marquess marquess at openssl.com
Tue Feb 9 14:13:03 UTC 2016

On 02/08/2016 10:11 PM, Yang Hong wrote:
> Hello Steve.
> Thank you very much for your quick response.
> I have tried different approaches to build FIPS module, according to the
> testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for
> all the FIPS packages for iOS >= 7, i.e., openssl-fips-2.0.8.tar,
> openssl-fips-2.0.9.tar, openssl-fips-2.0.10.tar, openssl-fips-2.0.11.tar. 
> Apple Mac OS has been automatically updated to the new version. I failed
> to recover it to the old version.

Yeah, that's one of the problems with FIPS testing for OS X. We almost
always have to tweak the build process for new OS X and/or Xcode versions.

The build process we used and documented for the formal validation
testing can only be expected to work for exactly the same version of OS
X and Xcode we used. That ties with WinCE/EC as the most fragile and
challenging of FIPS platforms to build for.

> ...<snip>...
> I still can not solve the issues.
> ***************************************************************
> I have used Beyond compare 4 to check the difference between
> openssl-1.0.2f/config (or Configure) and openssl-fips-2.0.11/config (or
> Configure). I do NOT know how to modify the setenv-ios-11.sh to generate
> OpenSSL FIPS module for iOS >=8 under the new Mac OS available from
> Apple website. 
> Would you shed some light on how to modify the building script for iOS
>>=8? Thank you very much.

Unfortunately I can't; I've let our Apple developer subscription lapse
and can't justify spending time on this until/if we hear from a new OS X
or iOS platform sponsor (which probably will happen eventually). Even
when I do work on such testing I usually have to call on my smarter
colleagues for assistance.

There are others who may be able to help, for instance Jeff Walton.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list