
Trying to build openssl-fips-2.0 with the NDK. Before, I was lucky to find this link and did it easily: https://github.com/guardianproject/openssl-android

Now I am trying to do the same thing against the latest openssl-fips-2.0; I got the source from here: http://opensslfoundation.com/testing/validation-2.0/

Do I have to follow the document about cross-compilation to make a build? Any easier approach?

Thanks in advance

brewphone
  • "Trying to build openssl-fips-2.0 with NDK, before I was lucky found this link and did it easily. https://github.com/guardianproject/openssl-android" - That deviates from the OpenSSL FIPS Security Policy, so the resulting FIPS Object Module *is not* validated. – jww Jul 02 '13 at 18:10
  • Did you follow this https://wiki.openssl.org/index.php/FIPS_Library_and_Android ? If so, were you successful? – garnet Dec 06 '17 at 15:53

4 Answers


How to build OpenSSL FIPS 2.0 on Mac OS X 10.7 with android-ndk-r8

  1. Install JDK, android-sdk, android-ndk

  2. Install GCC on Mac

    Xcode\Preferences\Components\Command Line Tools\install.
    
  3. Setup environment for build:

    # $ANDROID_NDK_HOME is my android-ndk folder
    export ANDROID_NDK=$ANDROID_NDK_HOME
    # incore is the fingerprinting script shipped in util/ of the unpacked openssl-fips-2.0 source
    export FIPS_SIG=$PWD/util/incore
    # NDK r8 prebuilt directory: linux-x86 on a Linux host, darwin-x86 on Mac OS X
    export PATH="$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin":$PATH
    export MACHINE=armv7l
    export RELEASE=2.6.32.GMU
    export SYSTEM=android
    export ARCH=arm
    export CROSS_COMPILE="arm-linux-androideabi-"
    export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
    export HOSTCC=gcc
    
  4. build fips openssl module:

    gunzip -c openssl-fips-2.0.tar.gz | tar xf -
    cd openssl-fips-2.0/
    ./config
    make
    make install # copy files to /usr/local/ssl/
    
  5. build fips capable openssl library (.a)

    gunzip -c openssl-1.0.1c.tar.gz | tar xf -
    cd openssl-1.0.1c/
    ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ 
    make depend
    make
    

There you go.

brewphone
  • How can I modify this to make it produce an armv6 binary? If I change MACHINE to armv6 or armv6l then ./config fails, saying it's unknown – T.Leavy May 10 '13 at 23:40
  • FIPS compliance is not supported on ARMv6. It's supported on ARMv7 and x86 – Alok Kulkarni Jun 24 '13 at 13:41
  • Check http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m6/index.jsp?topic=%2Fcom.ibm.worklight.help.doc%2Fadmin%2Fc_using_FIPS_140-2_support.html . Refer to the section just above the diagram – Alok Kulkarni Jun 24 '13 at 14:02
  • I'm trying to build using the *openssl-1.0.1f* version and am getting an error. Any ideas? /Users/scoleman/android-ndk-r9d/toolchains/arm-linux-androideabi-4.6/prebuilt/darwin-x86_64/bin/../lib/gcc/arm-linux-androideabi/4.6/../../../../arm-linux-androideabi/bin/ld: ../libcrypto.a(ec2_smpl.o): in function EC_GF2m_simple_method:ec2_smpl.c(.text+0x0): error: undefined reference to 'fips_ec_gf2m_simple_method' collect2: ld returned 1 exit status make[2]: *** [link_app.] Error 1 make[1]: *** [openssl] Error 2 make: *** [build_apps] Error 1 – scoleman2272 Mar 06 '14 at 23:32
  • Found the solution at http://wiki.openssl.org/index.php/Compilation_and_Installation: If you are configuring the FIPS Capable Library with only prime curves (openssl-fips-ecp-2.0.5.tar.gz), then you must configure with no-ec2m: – scoleman2272 Mar 12 '14 at 15:40
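The answer above lists the environment and the build commands but leaves out the one check the FIPS Security Policy and User Guide require before you run them: verifying the distribution tarball's HMAC-SHA-1 (key `etaonrishdlcupfm`, the same check `openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.tar.gz` performs) against the digest printed in the Security Policy for that release. The following pre-flight helper is an added example for this thread, not code from OpenSSL, from the answer, or from the NDK: it verifies the tarball, composes the same cross-compile environment as the answer (parameterised by NDK path and host tag, NDK r8 layout and the 4.4.3 toolchain assumed), and then runs the documented `./config && make && make install` sequence unmodified. The expected digest is taken as a command-line argument because it differs per release and must be copied from the Security Policy, not from this page; the RFC 2202 vectors in the comments are there only so the HMAC routine can be checked without the tarball.

```python
"""Pre-flight helper for building the OpenSSL FIPS Object Module for Android.

Added example for this thread, not OpenSSL's or the answer's own code.
Assumptions (labelled as such): NDK r8 directory layout, the
arm-linux-androideabi-4.4.3 toolchain and android-14 platform from the
answer above, and the Security Policy digest supplied on the command line.
"""
import hashlib
import hmac
import os
import platform
import subprocess
import sys

# Key fixed by the OpenSSL FIPS User Guide for the distribution HMAC check.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"


def hmac_sha1_hex(data: bytes, key: bytes = FIPS_HMAC_KEY) -> str:
    """HMAC-SHA-1 of data under key as lowercase hex (what `openssl sha1 -hmac` prints).

    RFC 2202 test vector 2: key b"Jefe", data b"what do ya want for nothing?"
    gives effcdf6ae5eb2fa2d27416d5f184df9c259a7c79.
    """
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """True iff the FIPS-key HMAC-SHA-1 of data equals the published digest."""
    actual = hmac_sha1_hex(data)
    # Constant-time compare: the digest is public, but never string-compare MACs.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_distribution(path: str, expected_hex: str) -> bool:
    """Verify the tarball on disk against the Security Policy digest."""
    with open(path, "rb") as f:
        return verify_bytes(f.read(), expected_hex)


def ndk_host_tag(system: str = platform.system()) -> str:
    """NDK r8 prebuilt directory name for the build host (assumed layout)."""
    tags = {"Darwin": "darwin-x86", "Linux": "linux-x86"}
    if system not in tags:
        raise ValueError(f"no NDK r8 prebuilt toolchain known for host {system!r}")
    return tags[system]


def android_fips_env(ndk: str, host_tag: str, srcdir: str, api: int = 14) -> dict:
    """The cross-compile environment from the answer, built from parameters.

    Nothing inside the unpacked tarball is edited: any edit there means the
    resulting module is no longer the validated one.
    """
    toolchain = os.path.join(ndk, "toolchains", "arm-linux-androideabi-4.4.3",
                             "prebuilt", host_tag, "bin")
    env = dict(os.environ)
    env.update({
        "ANDROID_NDK": ndk,
        "PATH": toolchain + os.pathsep + env.get("PATH", ""),
        # incore lives in util/ of the unpacked FIPS source; it computes the fingerprint.
        "FIPS_SIG": os.path.join(srcdir, "util", "incore"),
        "MACHINE": "armv7l",
        "RELEASE": "2.6.32.GMU",
        "SYSTEM": "android",
        "ARCH": "arm",
        "CROSS_COMPILE": "arm-linux-androideabi-",
        "ANDROID_DEV": os.path.join(ndk, "platforms", f"android-{api}", "arch-arm", "usr"),
        "HOSTCC": "gcc",
    })
    return env


def build_commands(tarball: str, srcdir: str) -> list:
    """The unmodified Security Policy build sequence, as argv lists."""
    return [
        ["tar", "xzf", tarball],
        ["sh", "-c", f"cd '{srcdir}' && ./config && make && make install"],
    ]


def main(argv: list) -> int:
    if len(argv) != 4:
        sys.exit("usage: preflight.py <ndk-dir> <openssl-fips-2.0.tar.gz> <expected-hmac-sha1>")
    ndk, tarball, expected = argv[1:]
    if not verify_distribution(tarball, expected):
        sys.exit("distribution HMAC-SHA-1 mismatch: refusing to build from this file")
    srcdir = os.path.abspath("openssl-fips-2.0")
    env = android_fips_env(ndk, ndk_host_tag(), srcdir)
    for cmd in build_commands(tarball, srcdir):
        subprocess.run(cmd, env=env, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py "$ANDROID_NDK_HOME" openssl-fips-2.0.tar.gz <digest-from-security-policy>` from the directory where you want the source unpacked. The FIPS-capable OpenSSL (step 5 in the answer) is deliberately not driven from here: that library may be patched freely, only the module itself has to be built byte-for-byte as documented.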

Why? If you have to modify the build scripts, the resulting module won't be FIPS compliant, and you most certainly need to modify to build on Android.

Nikolay Elenkov
  • Thank you Nikolay. As you said, I am looking for instructions or any existing open source project that leads me to build openssl-fips-2.0 with the NDK and output a .so for me to use. I searched a lot and didn't find any. – brewphone Jun 19 '12 at 13:35
  • Again, why do you want to do this? If you can't claim the resulting binary is FIPS-compliant, you might as well use the regular binary. Also, unless you are only using OpenSSL, you need to get the whole Android crypto stack to be FIPS compliant for the whole system to be considered secure under whatever regulations you are trying to satisfy. – Nikolay Elenkov Jun 19 '12 at 14:03
  • Thanks again Nikolay. I understood all your statements on FIPS compliance. I don't want to modify any build script from openssl, I just want to have a FIPS-compliant libcrypto.so with canister for Android. I spent a lot of time trying to build one but couldn't get through. Is there a prebuilt one somewhere? Thanks. – brewphone Jun 22 '12 at 19:04
  • @brewphone I wanted to do the same. I need libcrypto.so and libssl.so for my Android project. Any success in getting FIPS-compatible .so files on Android? I tried what you mentioned in the comments below but am not able to get the .so files. – Harshawardhan Jun 06 '13 at 13:00

Thank you Nikolay and brewphone. It would have been great if I had found your post earlier. I have managed to build fips-openssl for my phone. I had to add a little awk snippet in the fipsld script to get it working (openssl-fips-1.2.3).

brewphone, I have the libcrypto.a and libssl.a from the build and I statically link them to create a library for my application. Is that the best way to do it?

Thanks!

feverDream
  • It's better to use libcrypto.so instead of the .a. Because you need to replace the gcc linker (ld) in the makefile with fipsld as per the FIPS OpenSSL user manual. Using libcrypto.so fully obeys the FIPS rule. Just use – brewphone Jul 20 '12 at 14:53
  • It's better to use the .so instead of the .a. Because otherwise you need to replace the gcc linker(ld) in makefile with fipsld as per fips openssl user manual. It's tough, I didn't get through, got failure in FIPS_set_mode(1). Using .so fully obeys FIPS rule. Just use ./config fips shared --with-fipsdir=xxxxx to create openssl so files. It's MUCH easier!! – brewphone Jul 20 '12 at 14:59
  • 1
    @brewphone, Thanks.I have tried using the shared libraries that I build namely, libcrypto.so.1.0.0 and libssl.so.1.0.0. After this I try to build them as Prebuilt shared libraries using a separate Android.mk for each of them. Then, I link them with my sources. I ran into two problems with this approach. Firstly, android build system wouldn't take shared libraries that end with versions. So I renamed them. Obviously when I load these libraries using the "System.loadLibrary" call its not able to find the library as Its still looking for libcrypto.so.1.0.0. I am using fips-2.0 and openssl-1.0.1 – feverDream Jul 20 '12 at 15:18
  • The gcc soname inside the so is "libcrypto.1.0.0", this is common in Linux world so you don't want to change it. Create a symbolic link named "libcrypto.so" pointing to the real libcrypto.so.1.0.0 for the build. Use System.load("libcrypto.so.1.0.0") instead of System.loadLibrary(). – brewphone Jul 27 '12 at 15:45

If anyone else runs into the same problem I did, the key to getting this to work as described above by brewphone (thanks, by the way, for your insight) is to package the un-stripped libs as content and then copy them to the app's data folder, after which System.load("/data/data/myapp/files/libcrypto.so.1.0.0") and System.load("/data/data/myapp/files/libssl.so.1.0.0") did the trick.

Interestingly, just changing the makefiles to put the version number before the .so extension caused the fingerprint to fail even though the fips stuff was not touched.

brewphone, if you managed to do this another way, please let me know :)

Jari Niskala