I’m writing to seek help with building OpenSSL 3.0.8 with FIPS for an iOS device. This is my first time attempting such a task, and I’m encountering some issues that I hope someone here can help with.
Here are the steps I’ve followed so far:
Downloaded OpenSSL 3.0.8:
I downloaded the OpenSSL 3.0.8 source code and configured it to build for iOS with FIPS enabled using the following script:
```
configure_and_build_openssl() {
    ARCH=$1
    TARGET=$2
    SDK_VERSION=$3
    SDK_PATH=$4
    PREFIX=$5

    # Point the OpenSSL build at the Xcode platform SDK and toolchain
    export CROSS_TOP=$(xcode-select --print-path)/Platforms/${TARGET}.platform/Developer
    export CROSS_SDK=${TARGET}${SDK_VERSION}.sdk
    export SDKROOT=${SDK_PATH}
    export BUILD_TOOLS=$(xcode-select --print-path)/Toolchains/XcodeDefault.xctoolchain
    export CROSS_COMPILE="${BUILD_TOOLS}/usr/bin/"
    export CC="cc -isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
    export CFLAGS="-isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
    export LDFLAGS="-isysroot $SDK_PATH"

    # Configure and build for the required architecture
    ./Configure ${ARCH} enable-fips no-async no-shared no-tests enable-ec_nistp_64_gcc_128 --prefix=$PREFIX --openssldir=$PREFIX
    make -j$(sysctl -n hw.ncpu)
    make install
    make clean
}
```
Updated openssl.cnf:
I updated the openssl.cnf file as directed in the OpenSSL FIPS module documentation.
Copied Libraries and Configuration Files:
I copied libssl.a and libcrypto.a to my project, and placed openssl.cnf, fipsmodule.cnf, and fips.dylib in my project.
Enabled FIPS Mode:
I wrote the following code to enable FIPS and check whether it is enabled:
```
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/provider.h>

BOOL isFIPSModeEnabled() {
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Did not load FIPS provider\n");
        ERR_print_errors_fp(stderr);
        /* No return here: execution continues without the FIPS provider. */
    }

    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Did not load base provider\n");
        return false;
    }

    /* Set the "fips=yes" default property query on the default library context. */
    if (EVP_default_properties_enable_fips(NULL, 1) == 0) {
        printf("Did not enable FIPS mode\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return false;
    }

    /* This reports the property setting only, not whether the provider loaded. */
    if (EVP_default_properties_is_fips_enabled(NULL) == 1) {
        printf("FIPS mode is enabled\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return true;
    } else {
        printf("FIPS mode is not enabled\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return false;
    }
}
```
When I run this code, it prints “FIPS mode is enabled.” However, the provider is not loading, and I receive the following error message:
```
Did not load FIPS provider
C0BEC7F701000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:
C0BEC7F701000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
C0BEC7F701000000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:912:name=fips
```
I would greatly appreciate your guidance on why the FIPS provider is not loading and what steps I might be missing or doing incorrectly in this process.
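
Added example, not part of the original post: a small decoder for the packed OpenSSL 3.x error codes in the output above. It shows that the opaque `reason(524325)` on the `provider_init` line is `ERR_R_DSO_LIB`, meaning the provider failure is the same shared-library load failure reported on the two lines before it. The bit layout follows OpenSSL 3.x `include/openssl/err.h`; the helper names (`decode`, `explain`) and the short lookup tables are assumptions made for this illustration.

```python
import re

# Packed error-code layout from OpenSSL 3.x include/openssl/err.h.
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET  # reason shared by all libraries

# Only the values that occur in the posted output are listed here.
LIBS = {15: "CRYPTO", 37: "DSO"}
LIB_REASONS = {("DSO", 103): "DSO_R_LOAD_FAILED"}

ERR_LINE = re.compile(
    r"^[0-9A-F]+:error:(?P<code>[0-9A-F]{8}):[^:]*:(?P<func>[^:]*):"
    r"[^:]*:(?P<file>[^:]+):(?P<line>\d+):(?P<data>.*)$")

def decode(code):
    """Split a packed code into (library, reason name, numeric reason)."""
    lib = LIBS.get((code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, "?")
    reason = code & ERR_REASON_MASK
    low = reason & ((1 << ERR_RFLAGS_OFFSET) - 1)  # reason without flag bits
    if reason & ERR_RFLAG_COMMON and low in LIBS:
        # A common reason numbered like a library means "the error came
        # from that library", e.g. ERR_R_DSO_LIB.
        name = f"ERR_R_{LIBS[low]}_LIB"
    else:
        name = LIB_REASONS.get((lib, low), f"reason({reason})")
    return lib, name, reason

def explain(log):
    """Return (function, library, reason name) for each error-queue line."""
    out = []
    for raw in log.splitlines():
        m = ERR_LINE.match(raw.strip())
        if m:  # lines that are not error-queue entries are skipped
            lib, name, _ = decode(int(m["code"], 16))
            out.append((m["func"], lib, name))
    return out

# Error output from the post.
POSTED = """Did not load FIPS provider
C0BEC7F701000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:
C0BEC7F701000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
C0BEC7F701000000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:912:name=fips"""

if __name__ == "__main__":
    for func, lib, name in explain(POSTED):
        print(f"{func:14} {lib:7} {name}")
```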