On Sun, Jul 22, 2012, AJ wrote:

> Hi Steve,
> 
> Thanks for all the help -- I think I've things sorted out now.
> 
> Here are some of the issues I've had cross-compiling for Android.  Just some 
> feedback -- maybe they'll help someone running into the same.
> 
> 1) Building as shared libraries is straightforward, but they give versioned 
> libraries (i.e. libcrypto.so.1.0.0).  Unfortunately, the Android packaging 
> system only takes shared libraries ending with .so.  And just changing the 
> name doesn't work, as during the linking phase, other libraries use the 
> internal library name which also has the version number.  So, on loading the 
> library, it thinks there is a mismatch.
> As we cannot modify the build (to maintain FIPS validation), there are only 
> hacky-type solutions -- such as changing filename at runtime.  As another 
> user suggested, it would be helpful if version numbers could be put in front 
> of the .so (i.e. libcrypto.1.0.0.so).
> 
> 2) Building as static libraries requires using fipsld while linking to get 
> the HMAC fingerprints.  I originally wanted to just wrap the 2 static 
> libraries into one shared library with everything.  I was using the 
> -Wl,--whole-archive flags to get everything, which works fine using normal 
> gcc.  But with fipsld, it complains about multiple definitions (of items in 
> fipscanister.o).  You can specify --allow-multiple-definition to get past 
> these warnings, but then it will not get the right fingerprints.  It will fail 
> fingerprint test on FIPS_mode_set(1).
> 
> 3) I modified my builds to accommodate building with static libraries.  So 
> I've now got the appropriate Makefile which calls to fipsld during linking 
> into the JNI shared library.  This works fine, but is some work, as the 
> normal Android ndk-build system will not support things like defining CC.  So 
> you either need to hack the ndk-build files, or build it externally from the 
> normal ndk-build system (as a prebuilt library).
> 
> 4) fipsld (line 116) calls "ar" to remove fipscanister.o.  This is a 
> native-host call, and fails on MacOS building for Android.  [This does work 
> fine on Linux building for Android however.]  This really should be calling 
> the cross-compile "ar", and not the host version.
> *** I can modify the fipsld script on MacOS to make this work, but will this 
> invalidate the FIPS validation??? ***
> 
> Thanks to you and others for all the hard work putting out this great tool.
> 
> And a big thanks for all of the quick responses and support.
> 

You can modify the FIPS capable OpenSSL and the fipsld script and still
be validated. The FIPS capable OpenSSL is an "application" that uses
the validated module so it can be modified. The fipsld script is used to build
applications and as long as it follows the procedure in the security policy it
can also be modified.

The part you CANNOT CHANGE is the procedure used to build fipscanister.o so
you could not for example modify any of the commands used or the sources it is
built from.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org