<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
This does not mean we wouldn't be interested in having better iOS
support if someone was willing to contribute.<br>
<br>
<br>
Paul Dale<br>
<br>
<br>
<div class="moz-cite-prefix">On 3/2/22 5:38 pm, <a class="moz-txt-link-abbreviated" href="mailto:pauli@openssl.org">pauli@openssl.org</a>
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:617a8122-2eb8-a8f8-b1d0-d4bfeaffa0a1@openssl.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
The FIPS provider will likely not work with iOS as it currently
stands.<br>
<br>
The development team are not up to speed on iOS and not much
effort was put into supporting it (or Android for the same
reason). We didn't even get remotely close to having code signed.<br>
<br>
<br>
Paul Dale<br>
<br>
<br>
<div class="moz-cite-prefix">On 27/1/22 4:41 am, Kevin Millson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DB6PR1001MB12242EEDF76CD5DF9D8D4E69F1209@DB6PR1001MB1224.EURPRD10.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}div.WordSection1
{page:WordSection1;}</style>
<div class="WordSection1">
<p class="MsoNormal">Hello All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Has anyone tried using the FIPS provider
on iOS and got it uploaded and successfully reviewed by
Apple?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Apple won't let you just put the
'fips.dylib' in your app's bundle so we've wrapped it in a
iOS Framework Bundle, which solves some of the problems. But
Apple are scanning the dylib's mach-o header and finding the
type bit field set to 'bundle' rather than 'execute' and
rejecting it. I think they might also be looking for
particular load commands in the header and not finding them
either. I guess changes to the FIPS build process are
required to effect any change to the file header?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Framework Bundle must be signed, as
every iOS executable must be, so this has to be done before
the FIPS Configuration is created via FIPS Install. If you
try to perform these operations in the reverse order, i.e.
create configuration and then sign, then the values within
the configuration won't match the calculated values when the
FIPS Provider subsequently loads and runs. I haven't
examined the implementation of FIPS Install but I suspect
it's not just examining the mach-o segment with the
executable code in it and is instead detecting any change,
i.e. also header changes as a result of iOS signing.
Currently we create configurations for all our signing
scenarios and then ensure individual FIPS frameworks are not
re-signed at any point subsequently. Sign for App Store
Distribution remains troublesome though and what if Apple
re-sign the app and consequently the FIPS framework? Failure
to load the FIPS Provider would then result.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So we're unsure how OpenSSL 3 FIPS can be
deployed within iOS apps from the Apple App Store. Would be
great to hear whether anyone else has got this working and
through an Apple app review.<o:p></o:p></p>
</div>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>