Hi everyone, I am working on a project to cross compile a FIPS capable openssl library for iOS and Android on a Mac OS computer. I found some places in openssl that need to be modified to successfully compile the code; here are the changes I made, and I hope they can help others. The FIPS module I am using is 2.0.1, the openssl library is 1.0.1c.

1. Build FIPS capable openssl for Android as a dynamic link library (.so file).

There are multiple definition errors when cross compiling openssl for Android on Mac OS, as mentioned here http://www.mail-archive.com/openssl-users@openssl.org/msg68046.html by AJ. To solve this issue, fipsld needs to be modified to use a cross compile "ar" command instead of the native "ar" command. Lines 116 to 119 in fipsld should be changed

from:

    if ar d "${FIPSLD_LIBCRYPTO}" fipscanister.o; then
        (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :
        trap 'ar r "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
              (ranlib "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :;

to:

    if ${AR% r} d "${FIPSLD_LIBCRYPTO}" fipscanister.o ; then
        (${RANLIB} "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :
        trap '${AR} "${FIPSLD_LIBCRYPTO}" "${CANISTER_O}";
              (${RANLIB} "${FIPSLD_LIBCRYPTO}") 2>/dev/null || :;

After this change, the libraries (libcrypto.so.1.0.0 and libssl.so.1.0.0) and the application openssl can be generated without any issue. I tested the openssl command on the simulator in FIPS mode with no issue.

2. Build FIPS capable openssl for iOS as a static library.

There is no error compiling the code for the libraries libcrypto.a and libssl.a, but there is an error when compiling the openssl application, as Vinay mentioned here: http://www.mail-archive.com/openssl-users@openssl.org/msg68647.html

It is due to fipsld invoking incore_macho without the proper argument (it should be called with -exe or -dso). To fix this and minimize the change in fipsld, I made the following changes:

i). Set FIPS_SIG like this:

    export FIPS_SIG="`pwd`/iOS/incore_macho -exe"

ii). Remove the double quotes surrounding ${FIPS_SIG}, that is, change lines 132 and 180

from:

    "${FIPS_SIG}" "${TARGET}"

to:

    ${FIPS_SIG} "${TARGET}"

3. Support iPhone simulator and new armv7s chipset.

The original incore_macho does not generate the signature correctly for the iPhone simulator, and it also does not support the new "armv7s" architecture. The fix requires a modification of the incore_macho.c file:

i). Change the definition of cpu_adjustment

from:

    static cpu_adjust_t cpu_adjustment[] = {
        /* values come from direct measurement using a test application */
        { CPU_TYPE_I386, CPU_SUBTYPE_MULTIPLE, 0, 0 }, /* subtype is 3 for lion */
    #if OPENSSL_VERSION_NUMBER >= 0x10000000L
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, -8, -8 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, -8, -8 },
    #else
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, 1, 1 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, 1, 1 },
    #endif
        { CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL, 0, 0 },
        { CPU_TYPE_ANY, 0, 0, 0 }
    };

to:

    static cpu_adjust_t cpu_adjustment[] = {
        /* values come from direct measurement using a test application */
        { CPU_TYPE_I386, CPU_SUBTYPE_MULTIPLE, -16, -16 }, /* subtype is 3 for lion */
    #ifndef CPU_SUBTYPE_ARM_V7S
    #define CPU_SUBTYPE_ARM_V7S ((cpu_subtype_t) 11)
    #endif
    #if OPENSSL_VERSION_NUMBER >= 0x10000000L
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S, -8, -8 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, -8, -8 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, -8, -8 },
    #else
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7S, 1, 1 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, 1, 1 },
        { CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V6, 1, 1 },
    #endif
        { CPU_TYPE_X86_64, CPU_SUBTYPE_X86_64_ALL, 0, 0 },
        { CPU_TYPE_ANY, 0, 0, 0 }
    };

For the iPhone simulator to work, the INCORE_ADJUST should be set to -16. A new entry for armv7s is added that is just a copy of armv7.

ii). Add a new case after line 254:

    case CPU_SUBTYPE_ARM_V7S:
        rval = "armv7s";
        break;

After these changes, I was able to build openssl for the simulator and armv7s.
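
The quoting behaviour behind the FIPS_SIG change in step 2 and the `${AR% r}` expansion in step 1, as an added example that is not part of the original post or of fipsld. The stub standing in for incore_macho, the `sig_wrapper` script, the directory names and the toolchain name are constructed assumptions.

```shell
#!/bin/sh
# Added illustration; not part of fipsld. A stub stands in for incore_macho
# and reports only how many arguments it received. All paths are constructed.

make_stub() {      # $1 = directory that will hold the stub
    mkdir -p "$1"
    printf '#!/bin/sh\necho "argc=$# first=$1"\n' > "$1/incore_macho"
    chmod +x "$1/incore_macho"
}

# Original fipsld form: the quoted value is one word, so the shell looks for
# a program literally named ".../incore_macho -exe" and fails.
run_quoted() { FIPS_SIG="$1/incore_macho -exe"; "${FIPS_SIG}" "$2" 2>/dev/null; }

# Form from the post: word splitting yields the program plus "-exe".
# It also splits on any space inside the directory name.
run_unquoted() { FIPS_SIG="$1/incore_macho -exe"; ${FIPS_SIG} "$2" 2>/dev/null; }

# Alternative (assumption, not from the post): leave fipsld's quoting alone
# and point FIPS_SIG at a one-line wrapper that supplies -exe.
make_wrapper() {   # $1 = directory holding incore_macho
    printf '#!/bin/sh\nexec "%s/incore_macho" -exe "$@"\n' "$1" > "$1/sig_wrapper"
    chmod +x "$1/sig_wrapper"
}
run_wrapper() { FIPS_SIG="$1/sig_wrapper"; "${FIPS_SIG}" "$2"; }

# ${AR% r} removes a trailing " r", so one variable serves both "ar r"
# and "ar d". The toolchain name passed in is a constructed sample.
ar_delete_cmd() { AR="$1"; printf '%s\n' "${AR% r} d"; }

demo() {
    d=$(mktemp -d)
    make_stub "$d/plain"; make_stub "$d/my build"; make_wrapper "$d/my build"
    run_quoted   "$d/plain" app    || echo "quoted:          failed ($?)"
    echo "unquoted:        $(run_unquoted "$d/plain" app)"
    run_unquoted "$d/my build" app || echo "unquoted, space: failed ($?)"
    echo "wrapper, space:  $(run_wrapper "$d/my build" app)"
    ar_delete_cmd "arm-linux-androideabi-ar r"
    rm -rf "$d"
}
demo
```

The unquoted form works only while the build directory returned by `pwd` contains no whitespace; the wrapper keeps the signing tool's path as a single word.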