Question

OpenSSL 3.0.8 FIPS compliant integration in iOS

I am building OpenSSL 3.0.8 with FIPS for an iOS device. This is my first time undertaking such a task.

Here are the steps I have followed so far:

  1. Downloaded the OpenSSL 3.0.8 source code and configured it to build for iOS with FIPS enabled using the following script:

    configure_and_build_openssl() {
        ARCH=$1
        TARGET=$2
        SDK_VERSION=$3
        SDK_PATH=$4
        PREFIX=$5
    
        export CROSS_TOP=$(xcode-select --print-path)/Platforms/${TARGET}.platform/Developer
        export CROSS_SDK=${TARGET}${SDK_VERSION}.sdk
        export SDKROOT=${SDK_PATH}
        export BUILD_TOOLS=$(xcode-select --print-path)/Toolchains/XcodeDefault.xctoolchain
        export CROSS_COMPILE="${BUILD_TOOLS}/usr/bin/"
    
        export CC="cc -isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
        export CFLAGS="-isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
        export LDFLAGS="-isysroot $SDK_PATH"
    
        # Configure and build for the specified architecture
        ./Configure ${ARCH} enable-fips no-async no-shared no-tests enable-ec_nistp_64_gcc_128 --prefix=$PREFIX --openssldir=$PREFIX
        make -j$(sysctl -n hw.ncpu)
        make install
        make clean
    }
    
  2. Updated the openssl.cnf file as directed in the OpenSSL FIPS module documentation

  3. Copied libssl.a and libcrypto.a to my project, and placed openssl.cnf, fipsmodule.cnf, and fips.dylib in my project.

  4. Enabled FIPS Mode. I wrote the following code to enable FIPS and check if it is enabled:

    #include <stdio.h>
    #include <openssl/provider.h>
    #include <openssl/evp.h>
    #include <openssl/err.h>

    BOOL isFIPSModeEnabled() {
        OSSL_PROVIDER *fips;
        OSSL_PROVIDER *base;
    
        fips = OSSL_PROVIDER_load(NULL, "fips");
        if (fips == NULL) {
            printf("Failed to load FIPS provider\n");
            ERR_print_errors_fp(stderr);
            // No return here: execution continues with fips == NULL, so the
            // later "FIPS mode is enabled" message is printed even when the
            // provider failed to load.
        }
    
        base = OSSL_PROVIDER_load(NULL, "base");
        if (base == NULL) {
            OSSL_PROVIDER_unload(fips);
            printf("Failed to load base provider\n");
            return false;
        }
    
        // Sets the default property query to "fips=yes"; this only records a
        // flag, it does not verify that a FIPS provider is loaded.
        if (EVP_default_properties_enable_fips(NULL, 1) == 0) {
            printf("Failed to enable FIPS mode\n");
            OSSL_PROVIDER_unload(base);
            OSSL_PROVIDER_unload(fips);
            return false;
        }
    
        if (EVP_default_properties_is_fips_enabled(NULL) == 1) {
            printf("FIPS mode is enabled\n");
            OSSL_PROVIDER_unload(base);
            OSSL_PROVIDER_unload(fips);
            return true;
        } else {
            printf("FIPS mode is not enabled\n");
            OSSL_PROVIDER_unload(base);
            OSSL_PROVIDER_unload(fips);
            return false;
        }
    }
    

When I run this code, it prints "FIPS mode is enabled." However, the provider is not loading, and I receive the following error message:

Failed to load FIPS provider

C0BEC7F701000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:
C0BEC7F701000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
C0BEC7F701000000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:912:name=fips

Why is the FIPS provider not loading? What steps might I be missing or doing incorrectly in this process?


Solution


Can you use the OPENSSL_CONFIG environment variable to give the path of the openssl.cnf and OPENSSL_MODULES to give the fips.dylib to your iOS app? Xcode has a section of environment variables that can be passed to the app.

2024-07-09
Dby
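Both the question's steps 3 and 4 and the answer above come down to one thing: libcrypto has to be told where fips.dylib and openssl.cnf live on the device. By default it looks for provider modules in the MODULESDIR compiled in from `--prefix` at build time, a path that exists on the build Mac but not inside an app bundle, which is consistent with the `dlfcn_load:could not load the shared library` error in the question. The environment variables the answer refers to are spelled `OPENSSL_CONF` and `OPENSSL_MODULES`; they can be set in an Xcode scheme, but scheme variables only apply when the app is launched from Xcode, so doing the same thing in code is more dependable. The Objective-C below is an added example, not code from the question or the answer. It assumes fips.dylib, openssl.cnf and fipsmodule.cnf are copied into the app bundle as resources, and the function name `enableFIPSFromBundle` is invented for this example.

```objc
#import <Foundation/Foundation.h>
#include <openssl/crypto.h>
#include <openssl/provider.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <stdio.h>
#include <string.h>

// Providers are kept for the life of the process. Unloading them right after
// the check, as the question's helper does, removes the FIPS implementations
// again before any real crypto runs.
static OSSL_PROVIDER *g_fips = NULL;
static OSSL_PROVIDER *g_base = NULL;

// Returns YES only when (a) fips.dylib was found and loaded from the bundle,
// (b) the config that includes fipsmodule.cnf was read, and (c) an algorithm
// fetched under the default properties is actually served by "fips".
BOOL enableFIPSFromBundle(void) {
    NSBundle *bundle = [NSBundle mainBundle];
    // Assumption: the three files are bundle resources ("Copy Bundle Resources").
    NSString *modulePath = [bundle pathForResource:@"fips" ofType:@"dylib"];
    NSString *confPath = [bundle pathForResource:@"openssl" ofType:@"cnf"];
    if (modulePath == nil || confPath == nil) {
        fprintf(stderr, "fips.dylib or openssl.cnf missing from the app bundle\n");
        return NO;
    }
    NSString *modulesDir = [modulePath stringByDeletingLastPathComponent];

    // Equivalent of OPENSSL_MODULES: replaces the build-time MODULESDIR
    // (derived from --prefix in Configure) with the directory holding fips.dylib.
    if (OSSL_PROVIDER_set_default_search_path(NULL, [modulesDir fileSystemRepresentation]) != 1) {
        ERR_print_errors_fp(stderr);
        return NO;
    }

    // Equivalent of OPENSSL_CONF: openssl.cnf must ".include" fipsmodule.cnf,
    // which carries the module MAC that the integrity self-test is checked against.
    if (OSSL_LIB_CTX_load_config(NULL, [confPath fileSystemRepresentation]) != 1) {
        ERR_print_errors_fp(stderr);
        return NO;
    }

    g_fips = OSSL_PROVIDER_load(NULL, "fips");
    if (g_fips == NULL) {
        // Stop here. The question's helper falls through at this point, which is
        // why it still prints "FIPS mode is enabled" after a failed load.
        ERR_print_errors_fp(stderr);
        return NO;
    }

    // "base" provides encoders/decoders and file stores; it contains no crypto.
    g_base = OSSL_PROVIDER_load(NULL, "base");
    if (g_base == NULL) {
        ERR_print_errors_fp(stderr);
        OSSL_PROVIDER_unload(g_fips);
        g_fips = NULL;
        return NO;
    }

    // Default property query "fips=yes": EVP_*_fetch() calls that pass no
    // explicit property string will only select FIPS-approved implementations.
    if (EVP_default_properties_enable_fips(NULL, 1) != 1) {
        ERR_print_errors_fp(stderr);
        return NO;
    }

    // EVP_default_properties_is_fips_enabled() only reports the flag set above.
    // The meaningful check is which provider serves a fetched algorithm.
    EVP_MD *md = EVP_MD_fetch(NULL, "SHA256", NULL);
    if (md == NULL) {
        ERR_print_errors_fp(stderr);
        return NO;
    }
    const char *servedBy = OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(md));
    printf("SHA256 served by provider \"%s\"\n", servedBy);
    BOOL fromFIPS = (strcmp(servedBy, "fips") == 0);
    EVP_MD_free(md);
    return fromFIPS;
}
```

Call this once at startup, before any other OpenSSL use, and treat a NO as fatal rather than continuing with whatever the default provider offers. One further point to check when the load succeeds but the provider still refuses to initialise: the MAC in fipsmodule.cnf is computed by `openssl fipsinstall` over the bytes of fips.dylib, so it has to be generated from the exact file that ends up on the device, after any step that rewrites the binary such as code signing.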