After reading the user guide and finding some more information I was
able to get a full build but now my problem seems to be that the
signatures don't match. I am using the fips-pi app to verify. Here are
the steps I have taken to make things work under iOS 7 SDK.
1. I updated the setenv-ios-11.sh file to reflect an iOS 7 environment:
export CROSS_TYPE=OS
cross_arch="-armv7"
CROSS_DEVELOPER="`xcode-select -print-path`"
# CROSS_TOP is the top of the development tools tree
export CROSS_TOP="$CROSS_DEVELOPER/Platforms/iPhone$CROSS_TYPE.platform/Developer"
# CROSS_CHAIN is the location of the actual compiler tools
export CROSS_CHAIN="$CROSS_DEVELOPER/Toolchains/XcodeDefault.xctoolchain/usr/bin/"
# CROSS_SDK is the SDK version being used - adjust as appropriate
for i in 7.1 7.0 6.1 6.0 5.1 5.0 4.3
do
if [ -d "$CROSS_TOP/SDKs/iPhone"$CROSS_TYPE""$i".sdk" ]; then
SDKVER=$i
break
fi
done
export CROSS_SDK=iPhone"$CROSS_TYPE""$SDKVER".sdk
#
# fips/sha/Makefile uses HOSTCC for building fips_standalone_sha1
#
export HOSTCC=/usr/bin/clang
export HOSTCFLAGS="-arch i386"
# CROSS_COMPILE is the prefix for the tools - in this case the scripts
# which invoke the tools with the correct options for 'fat' binary handling
export CROSS_COMPILE=$CROSS_CHAIN
# FIPS_SIG is the tool for determining the incore fingerprint
export FIPS_SIG=/usr/local/bin/incore_macho
export IOS_TARGET=darwin-iphoneos-cross
export IOS_INSTALLDIR=/usr/local/ssl/Release-iphoneos
cross_type=`echo $CROSS_TYPE | tr '[A-Z]' '[a-z]'`
MACHINE=`echo "$cross_arch" | sed -e 's/^-//'`
SYSTEM="iphoneos"
BUILD="build"
export MACHINE
export SYSTEM
export BUILD
export CONFIG_OPTIONS="no-shared --openssldir=$IOS_INSTALLDIR"
2. Followed the instructions to use the setenv-darwin-i386.sh file to
build incore_macho and installed it in /usr/local/bin
3. Deleted the FIPS module folder and recreated it / called
setenv-reset and setenv-ios-11 as per instructions
4. Ran
sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure
to force the use of clang since llvm-gcc no longer exists in
iOS 7 SDK
5. ./configure
make
sudo make install
No errors happen
6. move to openssl folder and setenv-reset / setenv-ios-11 again
7. Ran http://wiki.openssl.org/index.php/Compilation_and_Installation
instructions
OLD_LANG=$LANG
unset LANG
sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure
sed -i "" 's/CC= cc/CC= clang/g' Makefile.org
sed -i "" 's/CFLAG= -O/CFLAG= -Os/g' Makefile.org
sed -i "" 's/MAKEDEPPROG=makedepend/MAKEDEPPROG=$(CC) -M/g' Makefile.org
export LANG=$OLD_LANG
8. ./config fips -no-shared -no-hw -no-engines --with-fipsdir=/usr/local/ssl/Release-iphoneos
make depend (for some reason this fails even though the sed
MAKEDEPPROG instruction above was specifically designed to fix issues
with clang I believe)
making depend in crypto...
clang: error: no such file or directory: '-DOPENSSL_THREADS'
clang: error: no such file or directory: '-D_REENTRANT'
clang: error: no such file or directory: '-DDSO_DLFCN'
clang: error: no such file or directory: '-DHAVE_DLFCN_H'
clang: error: no such file or directory: '-arch'
clang: error: no such file or directory: 'armv7'
clang: error: no such file or directory: '-Os'
make all
sudo make install
9. No errors on make or make install ... I then point the FIPS-pi demo
to the correct library / headers and make sure to replace the
fips_premain.c file that came bundled with FIPS-pi app with the one I
had in my FIPS module install.
10. The app fails to have matching signatures and can't enable FIPS mode.
I followed a similar procedure on the iOS 6 SDK last year using
llvm-gcc and had no issues. It became necessary for me to upgrade and
now I'm having these confusing issues.
On Fri, Mar 21, 2014 at 8:28 PM, Jeffrey Walton <[email protected]> wrote:
> On Fri, Mar 21, 2014 at 8:06 PM, Thomas Leavy <[email protected]> wrote:
>> Is there any way to accomplish building OpenSSL FIPS under the iOS 7 sdk?
>>
> See the OpenSSL FIPS User Guide, Appendix E.2.
> http://www.openssl.org/docs/fips/UserGuide-2.0.pdf.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
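A preflight check for the environment that the modified setenv-ios-11.sh in the post exports, as an added example that is not part of the original post or of the OpenSSL scripts. APP_PREMAIN and MODULE_PREMAIN are hypothetical variables naming the app's and the module install's fips_premain.c; the check reports the case where the posted loop finds no SDK and would leave SDKVER unset.

```shell
#!/bin/sh
# Added example: preflight for the variables exported by the setenv script.
# APP_PREMAIN / MODULE_PREMAIN are hypothetical variables (not in the post).

# pick_sdk TOP KIND VER...: print the first iPhone<KIND><VER>.sdk found under
# TOP/SDKs, trying versions in the order given; return 1 if none exists.
pick_sdk() {
    top=$1; kind=$2; shift 2
    for v in "$@"; do
        if [ -d "$top/SDKs/iPhone${kind}${v}.sdk" ]; then
            printf '%s\n' "iPhone${kind}${v}.sdk"
            return 0
        fi
    done
    return 1
}

# preflight: print one line per problem, return the number of problems.
preflight() {
    problems=0
    if ! sdk=$(pick_sdk "$CROSS_TOP" "$CROSS_TYPE" 7.1 7.0 6.1 6.0 5.1 5.0 4.3); then
        echo "no iPhone$CROSS_TYPE SDK under $CROSS_TOP/SDKs"
        problems=$((problems + 1))
    elif [ "$sdk" != "$CROSS_SDK" ]; then
        echo "CROSS_SDK=$CROSS_SDK, but the loop would select $sdk"
        problems=$((problems + 1))
    fi
    if [ ! -x "${CROSS_CHAIN}clang" ]; then
        echo "no executable clang in CROSS_CHAIN=$CROSS_CHAIN"
        problems=$((problems + 1))
    fi
    if [ ! -x "$FIPS_SIG" ]; then
        echo "FIPS_SIG=$FIPS_SIG is not executable"
        problems=$((problems + 1))
    fi
    # Step 9 of the post: the app's fips_premain.c should be the module's copy.
    if [ -n "${APP_PREMAIN:-}" ] && ! cmp -s "$APP_PREMAIN" "${MODULE_PREMAIN:-}"; then
        echo "$APP_PREMAIN differs from the module's fips_premain.c"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```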