FIPS building scripts does NOT work for iOS >=7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Steve.

Thank you very much for your quick response.

I have tried different approaches to build FIPS module, according to the
testing instructions of iOS 7.1 and iOS 8.1. Unfortunately I failed for all
the FIPS packages for iOS >= 7, i.e., openssl-fips-2.0.8.tar,
openssl-fips-2.0.9.tar, openssl-fips-2.0.10.tar, openssl-fips-2.0.11.tar.

Apple Mac OS has been automatically updated to the new version. I failed to
recover it to the old version.
**************************************************
$ uname -a
Darwin Honeycrisp.local 15.0.0 Darwin Kernel Version 15.0.0: Sat Sep 19
15:53:46 PDT 2015; root:xnu-3247.10.11~1/RELEASE_X86_64 x86_64

$ clang -v
Apple LLVM version 7.0.0 (clang-700.1.76)
Target: x86_64-apple-darwin15.0.0
Thread model: posix

$ ls
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs

iPhoneOS.sdk iPhoneOS6.1.sdk  iPhoneOS7.1.sdk iPhoneOS9.1.sdk
**************************************************


I reports the building issues below:
**************************************************
(1) For iOS 7.1,

http://openssl.com/testing/validation-2.0/platforms/ios-7.1/TestingInstructions-iOS-7.1.pdf

(1a) Correct results in Section 4.3 Compilation of "incore_macho" Utility

$ tar zxf openssl-fips-2.0.8.tar

$ cd openssl-fips-2.0.8

$ tar zxvf ../ios64?incore.tar.gz

$ . ../setenv?reset.sh

$ . ../setenv?darwin?i386.sh

$ ./config

$ make

$ cd iOS

$ make

$ ./incore_macho usage:
./incore_macho [??debug] [?exe|?dso] executable

$ lipo ?info ancore_macho
Non?fat file: iOS/incore_macho is architecture: i386

$cd ..

$ make clean

All the above operations achieve the exactly same results as indicated by
the testing guide.

(1b) the errors appear in Section  4.4 Cross? compilation of FIPS module

$ . ../setenv-reset.sh

$ . ../setenv-ios-11.sh

$ ./config

$ make

ld: building for iOS simulator, but linking against dylib built for OSX,
file '/usr/lib/libSystem.dylib' for architecture i386
clang: error: linker command failed with exit code 1 (use -v to see
invocation)


(2) I met the same failures for the other 3 FIPS packages  2.0.9 -- 2.0.11

I have noticed that 2.0.10 and 2.0.11 have included iOS folders. Thus we do
NOT need to extract ios64incore.tar,gz

**************************************************************

If I run the following shell script in a separate folder, I can build
OpenSSL generate module successfully. The built OpenSSL library works well
for iOS 9 device.

https://github.com/x2on/OpenSSL-for-iPhone/blob/master/build-libssl.sh


I have tried many approaches from the Internet, for example,

https://github.com/GotoHack/iOS-openSSL-FIPS

http://stackoverflow.com/questions/1211854/xcode-conditional-build-settings-based-on-architecture-device-arm-vs-simulat

http://stackoverflow.com/questions/6293298/llvm-gcc-4-2-error

I still can not solve the issues.

***************************************************************

I have used Beyond compare 4 to check the difference between
openssl-1.0.2f/config (or Configure) and openssl-fips-2.0.11/config (or
Configure). I do NOT know how to modify the setenv-ios-11.sh to generate
OpenSSL FIPS module for iOS >=8 under the new Mac OS available from Apple
website.

Would you shed some light on how to modify the building script for iOS >=8?
Thank you very much.

With best regards,

Winston Hong


On Thu, Feb 4, 2016 at 5:35 PM, Steve Marquess <marquess at openssl.com> wrote:

> On 02/04/2016 05:31 PM, Steve Marquess wrote:
> > On 02/04/2016 03:19 PM, Yang Hong wrote:
> >> Hello folks.
> >>
> >>
> >> I follow the latest User Guide 2.0 to build iOS the FIPS Object Module
> >> and FIPS Capable library for iOS devices (*/E.2 Apple iOS Support /*page
> >> 131)
> >>
> >>
> >> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
> >>
> >>
> >> I got two errors below.
> >>
> >> ************************************************************
> >>
> >> ...
> >
> > No iOS 7 or greater platforms have been tested yet, so this is no
> > surprise. The FIPS 140-2 validation won't apply for untested versions of
> > iOS anyway.
> >
> > If/when we test more iOS versions we'll make changes as appropriate.
>
> ... and I spoke (typed) too fast. The User Guide discussion of iOS is
> way out of date. You'll find some relevant info for iOS 7.1, and 8.1 at:
>
>   http://openssl.com/testing/validation-2.0/platforms/ios-7.1/
>   http://openssl.com/testing/validation-2.0/platforms/ios-8.1/
>
> I'll get around to updating the User Guide one of these days...
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Validation Services, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160208/9d92560c/attachment-0001.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux