I'm trying to get an OpenSSL/FIPS build working on the iOS simulator. Every combination I've tried gives either compile/link errors, or when it does build I get a FIPS signature mismatch (and I've tried many, many permutations of scripts and combinations of settings).

Here's the latest configuration I'm using: Tool Set: Xcode v5.1, SDK version 7.1

For the FIPS module I'm using a script based on Appendix E of the Users Manual. For the OpenSSL build I'm using a script based on https://github.com/x2on/OpenSSL-for-iPhone

FIPS module build script:

gunzip openssl-fips-2.0.1.tar.gz
tar xf openssl-fips-2.0.1.tar

. setenv-reset.sh
. setenv-darwin-i386.sh

gunzip ios-incore-2.0.1.tar.gz
tar xf ios-incore-2.0.1.tar

cd openssl-fips-2.0.1
./config fipscanisterbuild

make
cd ios
make

cp ./incore_macho /usr/local/bin

cd ..

make clean
rm -f *.dylib

. ../setenv-reset.sh
. ../setenv-ios-11.sh


./config fipscanisterbuild
make
make install


Here are the Environment Variables
=========================
MACHINE =  i386
RELEASE = 
SYSTEM =  iphoneos
BUILD =  build
CROSS_TOP =  /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer
CROSS_SDK =  iPhoneSimulator7.1.sdk
BUILD_TOOLS = 
CC = 
CROSS_TYPE =  Simulator
CROSS_CHAIN = 
C_INCLUDE_PATH = 
CPLUS_INCLUDE_PATH = 
HOSTCC =  /usr/bin/cc
HOSTCFLAGS =  -arch i386
CROSS_COMPILE =  /Users/scoleman/dev/IOSFipsBuilds/iosFIPSUsersManual/dev925/openssl-fips-2.0.1/iOS/
FIPS_SIG =  /Users/scoleman/dev/IOSFipsBuilds/iosFIPSUsersManual/dev925/openssl-fips-2.0.1/iOS/incore_macho
IOS_TARGET =  darwin-iphoneos-cross
IOS_INSTALLDIR =  /usr/local/ssl/Release-iphoneos
CONFIG_OPTIONS =  no-asm no-shared --openssldir=/usr/local/ssl/Release-iphoneos
CROSS_ARCH = 
CROSS_DEVELOPER =  /Applications//Xcode.app/Contents/Developer
CROSS_SYSROOT = 
IOS_TARGET = 

OpenSSL module build script:

VERSION="1.0.1i"                                                          #
SDKVERSION=`xcrun -sdk iphoneos --show-sdk-version`                       #

# Don't change anything under this line!                                  #


CURRENTPATH=`pwd`
#ARCHS="i386 x86_64 armv7 armv7s arm64"
ARCHS="i386"
DEVELOPER=`xcode-select -print-path`

mkdir -p "${CURRENTPATH}/src"
mkdir -p "${CURRENTPATH}/bin"
mkdir -p "${CURRENTPATH}/lib"

tar zxf openssl-${VERSION}.tar.gz -C "${CURRENTPATH}/src"
cd "${CURRENTPATH}/src/openssl-${VERSION}"


for ARCH in ${ARCHS}
do
    if [[ "${ARCH}" == "i386" || "${ARCH}" == "x86_64" ]];
    then
        PLATFORM="iPhoneSimulator"
    else
        sed -ie "s!static volatile sig_atomic_t intr_signal;!static volatile intr_signal;!" "crypto/ui/ui_openssl.c"
        PLATFORM="iPhoneOS"
    fi

    export CROSS_TOP="${DEVELOPER}/Platforms/${PLATFORM}.platform/Developer"
    export CROSS_SDK="${PLATFORM}${SDKVERSION}.sdk"
    export BUILD_TOOLS="${DEVELOPER}"

    export CC="${BUILD_TOOLS}/usr/bin/gcc -arch ${ARCH}"
    mkdir -p "${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk"
    LOG="${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk/build-openssl-${VERSION}.log"

    set +e
    if [[ "$VERSION" =~ 1.0.0. ]]; then
        ./Configure BSD-generic32 --openssldir="${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk" > "${LOG}" 2>&1
    elif [ "${ARCH}" == "x86_64" ]; then
        ./Configure darwin64-x86_64-cc --openssldir="${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk" > "${LOG}" 2>&1
    else
        # - original line:  ./Configure iphoneos-cross --openssldir="${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk" > "${LOG}" 2>&1
        ## this line was changed to add fips --with-fipsdir=/usr/local/ssl/Release-iphoneos
        ./Configure iphoneos-cross --openssldir="${CURRENTPATH}/bin/${PLATFORM}${SDKVERSION}-${ARCH}.sdk" fips --with-fipsdir=/usr/local/ssl/Release-iphoneos > "${LOG}" 2>&1
    fi

    if [ $? != 0 ];
    then 
        echo "Problem while configure - Please check ${LOG}"
        exit 1
    fi

    # add -isysroot to CC=
    sed -ie "s!^CFLAG=!CFLAG=-isysroot ${CROSS_TOP}/SDKs/${CROSS_SDK} -miphoneos-version-min=7.0 !" "Makefile"


    echo "PLATFORM = $PLATFORM"
    echo "CROSS_TOP = $CROSS_TOP"
    echo "CROSS_SDK = $CROSS_SDK"
    echo "BUILD_TOOLS = $BUILD_TOOLS"
    echo "-isysroot ${CROSS_TOP}/SDKs/${CROSS_SDK}"
    echo "CC = $CC"

    make >> "${LOG}" 2>&1

    set -e
    make install >> "${LOG}" 2>&1
    make clean >> "${LOG}" 2>&1
done

echo "Build library..."
lipo -create ${CURRENTPATH}/bin/iPhoneSimulator${SDKVERSION}-i386.sdk/lib/libssl.a  -output ${CURRENTPATH}/lib/libssl.a

lipo -create ${CURRENTPATH}/bin/iPhoneSimulator${SDKVERSION}-i386.sdk/lib/libcrypto.a  -output ${CURRENTPATH}/lib/libcrypto.a

mkdir -p ${CURRENTPATH}/include
cp -R ${CURRENTPATH}/bin/iPhoneSimulator${SDKVERSION}-i386.sdk/include/openssl ${CURRENTPATH}/include/
echo "Building done."
echo "Cleaning up..."
rm -rf ${CURRENTPATH}/src/openssl-${VERSION}
echo "Done."



Here are the Environment Variables:
--------------------------
PLATFORM = iPhoneSimulator
CROSS_TOP = /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer
CROSS_SDK = iPhoneSimulator7.1.sdk
BUILD_TOOLS = /Applications/Xcode.app/Contents/Developer
-isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator7.1.sdk
CC = /Applications/Xcode.app/Contents/Developer/usr/bin/gcc -arch i386
scoleman2272

1 Answer

> I'm trying to get an OpenSSL/FIPS build working on the iOS simulator. Every combination I've tried gives either compile/link errors, or when it does build I get a FIPS signature mismatch (and I've tried many, many permutations of scripts and combinations of settings).

It looks like you're missing a step. Where is the invocation of incore_macho on the resulting binary? Here, "resulting binary" is the executable from your app.

In the OpenSSL sample, there is a custom build step called Embed Fingerprint under the Target's Build Phases (it's not available at the Project level). You can find the sample in the OpenSSL User Guide 2.0 for the FIPS Object Module, Appendix E.2. The screenshot is reproduced below:

[Screenshot: the Embed Fingerprint build phase]

You might also find this useful. It's an updated incore_macho that includes support for dylibs (for jailbroken devices) and ARM64. I'm pretty sure it includes ARMv7s support.

jww
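
The missing step described in the answer above, written as a Run Script build phase (an added example, not part of the original answer and not the User Guide's own script). It assumes incore_macho was copied to /usr/local/bin as in the question's build script and that it accepts `-exe <path>` for an application executable; `embed_fingerprint` is a name chosen here.

```shell
#!/bin/sh
# "Embed Fingerprint" build phase: patch the FIPS fingerprint into the app binary.
# Assumptions (not from the original page): incore_macho takes "-exe <path>",
# and FIPS_SIG may override its location (default: /usr/local/bin/incore_macho).

embed_fingerprint() {
    tool="${FIPS_SIG:-/usr/local/bin/incore_macho}"
    # Xcode exports these two build settings to Run Script phases.
    binary="${CONFIGURATION_BUILD_DIR}/${EXECUTABLE_PATH}"

    if [ ! -x "$tool" ]; then
        echo "error: incore_macho not found or not executable: $tool" >&2
        return 2
    fi
    if [ -z "${CONFIGURATION_BUILD_DIR}" ] || [ -z "${EXECUTABLE_PATH}" ] \
        || [ ! -f "$binary" ]; then
        echo "error: app executable not found: $binary" >&2
        return 3
    fi

    # Run the tool on the final linked executable, not on libcrypto.a.
    # A failure must stop the build: an unpatched binary fails the module's
    # integrity check (the signature mismatch described in the question).
    if ! "$tool" -exe "$binary"; then
        echo "error: incore_macho failed on $binary" >&2
        return 1
    fi
    echo "note: FIPS fingerprint embedded in $binary"
}

# Run only when Xcode has set both build settings; sourcing this file
# elsewhere just defines the function.
if [ -n "${CONFIGURATION_BUILD_DIR:-}" ] && [ -n "${EXECUTABLE_PATH:-}" ]; then
    embed_fingerprint || exit $?
fi
```
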
  • Sorry to ask a dumb question. Does the modification of the incore_macho invalidate the FIPS compliance? Based on the "Support Platform" in FIPS User Guide 2.0 I can only see ARMv7 is validated. – Summer Jul 24 '15 at 13:36