*FIPS Library and Android*

This document will provide instructions for building the OpenSSL FIPS Object
Module and OpenSSL FIPS Capable library for Android devices. The FIPS Object
Module provides validated cryptography, and the FIPS Capable Library uses
the validated cryptography. As an OpenSSL developer, you will use the
library the same as in the past – except you must call FIPS_mode_set to
enter FIPS mode and engage the validated cryptography.

The FIPS Object Module, fipscanister.o, is a sequestered container of object
code and data built from source code. The sources, object code and data are
strictly controlled by the OpenSSL FIPS 140-2 Security Policy. No changes
can be made to the procedure for building the FIPS Object Module, and no
changes can be made to the sources. If you need to make changes to the FIPS
Object Module, you will need to engage the OpenSSL Foundation for a separate
validation.

The FIPS Capable Library is comprised of libcrypto and libssl. They are the
same libraries you have been using for years. The FIPS Capable Library is
tolerant of changes to procedures and source code. You are allowed to modify
them within reason, as long as the changes do not adversely affect the FIPS
Object Module.

This guide is intended to be informative and easy to use. In case of
discrepancies between this document and the OpenSSL FIPS Security Policy,
the Security Policy will prevail. You can download the Security Policy from
http://www.openssl.org/docs/fips/.

The instructions that follow depend upon a properly configured Android NDK
and SDK. The NDK is used to compile programs and link the OpenSSL library,
while the SDK tools are used to push programs to a device. Be sure
ANDROID_NDK_ROOT and ANDROID_SDK_ROOT are set properly, and the SDK's tools
and platform-tools are available.

*Prepare the OpenSSL Sources*
# From the 'root' directory
$ rm -rf openssl-fips-2.0.5/
$ rm -rf openssl-1.0.1e/
$ tar xzf openssl-fips-2.0.5.tar.gz
$ tar xzf openssl-1.0.1e.tar.gz
$ chmod a+x setenv-android.sh

*Build the FIPS Object Module*
# From the 'root' directory
$ . ./setenv-android.sh
$ cd openssl-fips-2.0.5/

$ ./config
$ make
$ sudo make install

# Execute after install
$ sudo -E cp $FIPS_SIG /usr/local/ssl/fips-2.0/bin
$ sudo -E mv /usr/local/ssl/fips-2.0/ /usr/local/ssl/$ANDROID_API

*Build the FIPS Capable Library*
# From the 'root' directory
$ . ./setenv-android.sh
$ cd openssl-1.0.1e/

$ perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
$ ./config fips shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine \
  --openssldir=/usr/local/ssl/$ANDROID_API \
  --with-fipsdir=/usr/local/ssl/$ANDROID_API \
  --with-fipslibdir=/usr/local/ssl/$ANDROID_API/lib/

$ make depend
$ make all
$ sudo -E make install CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
  RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib

*OpenSSL FIPS Components*

While the Executive Summary provided the whirlwind instructions for building
and installing the OpenSSL library, this section provides detailed
instructions. There are six steps to building the FIPS Object Module and
FIPS Capable Library for use in various projects, and they are listed
below
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org