Hi Steve,

Thanks for all the help -- I think I've things sorted out now.

Here are some of the issues I've had cross-compiling for Android. Just some feedback -- maybe they'll help someone running into the same.

1) Building as shared libraries is straightforward, but they give versioned libraries (i.e. libcrypto.so.1.0.0). Unfortunately, the Android packaging system only takes shared libraries ending with .so. And just changing the name doesn't work, as during the linking phase, other libraries use the internal library name, which also has the version number. So, on loading the library, it thinks there is a mismatch. As we cannot modify the build (to maintain FIPS validation), there are only hacky-type solutions -- such as changing the filename at runtime. As another user suggested, it would be helpful if version numbers could be put in front of the .so (i.e. libcrypto.1.0.0.so).

2) Building as static libraries requires using fipsld while linking to get the HMAC fingerprints. I originally wanted to just wrap the 2 static libraries into one shared library with everything. I was using the -Wl,--whole-archive flags to get everything, which works fine using normal gcc. But with fipsld, it complains about multiple definitions (of items in fipscanister.o). You can specify --allow-multiple-definition to get past these warnings, but then it will not get the right fingerprints. It will fail the fingerprint test on FIPS_mode_set(1).

3) I modified my builds to accommodate building with static libraries. So I've now got the appropriate Makefile which calls fipsld during linking into the JNI shared library. This works fine, but is some work, as the normal Android ndk-build system will not support things like defining CC. So you either need to hack the ndk-build files, or build it externally from the normal ndk-build system (as a prebuilt library).

4) fipsld (line 116) calls "ar" to remove fipscanister.o. This is a native-host call, and fails on MacOS building for Android. [This does work fine on Linux building for Android however.] This really should be calling the cross-compile "ar", and not the host version.

*** I can modify the fipsld script on MacOS to make this work, but will this invalidate the FIPS validation??? ***

Thanks to you and others for all the hard work putting out this great tool. And a big thanks for all of the quick responses and support.

Regards,
AJ

----- Original Message -----
From: Dr. Stephen Henson <st...@openssl.org>
To: openssl-users@openssl.org
Cc:
Sent: Friday, July 20, 2012 4:22 PM
Subject: Re: FIPS 2.0: fipsld on cross-compile

On Fri, Jul 20, 2012, AJ wrote:

> OK, that worked -- built my library using fipsld. However, on running, I am
> STILL getting fingerprint validation failure when calling FIPS_mode_set(1).
>
> 1552985864:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:229:
>
> Any good ideas on how to debug why?
>

Do you get this error with the openssl utility entering FIPS mode using the
commands I mentioned in a previous message?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org