Question
OpenSSL 3.0.8 FIPS compliant integration in iOS
I am building OpenSSL 3.0.8 with FIPS for an iOS device. This is my first time undertaking such a task.
Here are the steps I have followed so far:
Downloaded the OpenSSL 3.0.8 source code and configured it to build for iOS with FIPS enabled using the following script:
configure_and_build_openssl() {
    ARCH=$1
    TARGET=$2
    SDK_VERSION=$3
    SDK_PATH=$4
    PREFIX=$5
    # Point OpenSSL's cross-compile support at the selected Xcode platform and SDK
    export CROSS_TOP=$(xcode-select --print-path)/Platforms/${TARGET}.platform/Developer
    export CROSS_SDK=${TARGET}${SDK_VERSION}.sdk
    export SDKROOT=${SDK_PATH}
    export BUILD_TOOLS=$(xcode-select --print-path)/Toolchains/XcodeDefault.xctoolchain
    export CROSS_COMPILE="${BUILD_TOOLS}/usr/bin/"
    export CC="cc -isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
    export CFLAGS="-isysroot $SDK_PATH -I$SDK_PATH/usr/include -I$SDK_PATH/usr/include/$(basename $BUILD_TOOLS)"
    export LDFLAGS="-isysroot $SDK_PATH"
    # Configure and build for the specified architecture (static libs, FIPS provider enabled)
    ./Configure ${ARCH} enable-fips no-async no-shared no-tests enable-ec_nistp_64_gcc_128 --prefix=$PREFIX --openssldir=$PREFIX
    make -j$(sysctl -n hw.ncpu)
    make install
    make clean
}
Updated the openssl.cnf file as directed in the OpenSSL FIPS module documentation.
Copied libssl.a and libcrypto.a to my project, and placed openssl.cnf, fipsmodule.cnf, and fips.dylib in my project.
Enabled FIPS mode. I wrote the following code to enable FIPS and check if it is enabled:
#include <stdio.h>
#include <stdbool.h>
#include <objc/objc.h>          /* BOOL */
#include <openssl/provider.h>
#include <openssl/evp.h>
#include <openssl/err.h>

BOOL isFIPSModeEnabled() {
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* The FIPS provider is a loadable module (fips.dylib) that libcrypto opens with dlopen() */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        ERR_print_errors_fp(stderr);
        /* No return here: execution continues with fips == NULL */
    }
    /* The base provider (encoders/decoders, store) is needed alongside the FIPS provider */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        return false;
    }
    /* Set the default property query to "fips=yes" for all algorithm fetches */
    if (EVP_default_properties_enable_fips(NULL, 1) == 0) {
        printf("Failed to enable FIPS mode\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return false;
    }
    /* This only reports whether the "fips=yes" default property is set,
       not whether the FIPS provider itself was loaded successfully */
    if (EVP_default_properties_is_fips_enabled(NULL) == 1) {
        printf("FIPS mode is enabled\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return true;
    } else {
        printf("FIPS mode is not enabled\n");
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return false;
    }
}
When I run this code, it prints "FIPS mode is enabled." However, the provider is not loading, and I receive the following error message:
Failed to load FIPS provider
C0BEC7F701000000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:
C0BEC7F701000000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:152:
C0BEC7F701000000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto/provider_core.c:912:name=fips
Why is the FIPS provider not loading? What steps might I be missing or doing incorrectly in this process?
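As an added example (not the asker's code), here is how the module lookup can be made explicit on the device: the dlfcn_load error is libcrypto's dlopen() of the module failing, and by default it searches only the MODULESDIR fixed at build time (with the script above, $PREFIX/lib/ossl-modules), a path that does not exist on an iOS device. The helper name loadFIPSProviderFromBundle and the placement of fips.dylib, openssl.cnf and fipsmodule.cnf as top-level, code-signed bundle resources are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#include <openssl/provider.h>
#include <openssl/evp.h>
#include <openssl/err.h>

// Hypothetical helper (added example): load the FIPS provider from the app bundle
// instead of the MODULESDIR compiled into libcrypto at build time.
static BOOL loadFIPSProviderFromBundle(void)
{
    // Assumption: fips.dylib, openssl.cnf and fipsmodule.cnf ship as bundle resources.
    NSString *resDir  = [[NSBundle mainBundle] resourcePath];
    NSString *cnfPath = [resDir stringByAppendingPathComponent:@"openssl.cnf"];
    const char *dir   = [resDir fileSystemRepresentation];

    // 1. Tell libcrypto where dlopen() should look for provider modules.
    if (OSSL_PROVIDER_set_default_search_path(NULL, dir) != 1) {
        ERR_print_errors_fp(stderr);
        return NO;
    }
    // 2. Make a relative ".include fipsmodule.cnf" in openssl.cnf resolve inside the
    //    bundle, then load the config (its module-mac is checked against fips.dylib).
    setenv("OPENSSL_CONF_INCLUDE", dir, 1);
    if (OSSL_LIB_CTX_load_config(NULL, [cnfPath fileSystemRepresentation]) != 1) {
        ERR_print_errors_fp(stderr);
        return NO;
    }
    // 3. Load fips and base explicitly; stop at the first failure.
    OSSL_PROVIDER *fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        ERR_print_errors_fp(stderr);   // dlopen or integrity-check failures surface here
        return NO;
    }
    OSSL_PROVIDER *base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        ERR_print_errors_fp(stderr);
        OSSL_PROVIDER_unload(fips);
        return NO;
    }
    // 4. Route default algorithm fetches to FIPS-approved implementations only.
    if (EVP_default_properties_enable_fips(NULL, 1) != 1) {
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        return NO;
    }
    // 5. Verify by fetching an algorithm and checking which provider supplied it; this is
    //    stronger than EVP_default_properties_is_fips_enabled(), which only reports that
    //    the "fips=yes" property query is set.
    EVP_MD *md = EVP_MD_fetch(NULL, "SHA256", NULL);
    BOOL ok = md != NULL &&
              strcmp(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(md)), "fips") == 0;
    EVP_MD_free(md);
    return ok;   // providers stay loaded for the lifetime of the app
}
```

The fipsmodule.cnf that is bundled must be the one produced by `openssl fipsinstall` for the exact fips.dylib shipped, since the provider recomputes the module MAC on load and refuses to initialise on a mismatch.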