Very good point, I agree. The advantage of the shared object is I don't
need to sign the entire application again (fipsld). I wrote a very simple
JNI wrapper for the FIPS_mode_set function that can be called anywhere
within the application.
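
    #include <openssl/crypto.h>
    #include <openssl/err.h>   /* ERR_load_crypto_strings, ERR_print_errors_fp */
    #include <jni.h>
    #include <jni_log.h>       /* presumably the app's own header defining LOGD/LOGE */
    #include <stdio.h>         /* stderr */
    #include <stdlib.h>        /* exit */
    #include <string.h>

    /* JNI entry point: switch OpenSSL into FIPS mode when isEnabled is true. */
    void Java_com_mycompany_util_setFipsModeEnabled(JNIEnv* env, jobject javaThis,
                                                    jboolean isEnabled) {
        LOGD("in set Fips enabled");
        if (isEnabled) {
            /* FIPS_mode_set() returns 1 on success and 0 on failure. */
            if (FIPS_mode_set(1)) {
                LOGD("FIPS mode enabled");
            } else {
                LOGE("Error in enabling FIPS mode");
                /* Dump the OpenSSL error queue, then terminate the process. */
                ERR_load_crypto_strings();
                ERR_print_errors_fp(stderr);
                exit(1);
            }
        } else {
            LOGD("FIPS mode is not enabled");
        }
    }
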
To your point I did it as you suggested with iOS. I have it working both
ways. I was just curious/asking why the versioning is only done in the Linux
build.
Thanks for the response
Ken
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Andy Polyakov
Sent: Friday, November 09, 2012 7:06 AM
To: [email protected]
Subject: Re: Building openssl fips 2.0 shared without version for Android
Ken Montagna wrote:
> I have built Android on Windows, iOS, and Android successfully, but
> with Android I had to do a workaround for the versioning using this link:
>
> http://stackoverflow.com/questions/12269563/using-openssl-fips-2-0-shared-libraries-in-android
>
> Is there an environment variable or switch I can pass to config to
> accomplish this?

This is not an answer to the question, but another question.

There is one thing I fail to understand. Is it correctly understood that we
are talking about a Java application and that you can't call OpenSSL functions
directly from the VM? That you have to interface OpenSSL and your Java code
through a JNI layer that follows a specific naming and argument passing
convention? And if this is the case, wouldn't it be more appropriate to
embed libcrypto.a into your JNI shared library instead?

You'd have to collect the .a libraries from a shared OpenSSL build (so that
the code is compiled as position-independent), you'd have to link your JNI with
fipsld, but you wouldn't have to fight with System.load [and handle SD card
swaps]...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]