Building FIPS-capable OpenSSL as a universal binary on Mac OS X

Bill Durant

Oct 13, 2010, 4:31:52 PM
Hello,

Is it possible to build the latest FIPS-capable OpenSSL as a universal
binary on Mac OS X similar to the following?

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.5.8
BuildVersion: 9L30

$ file /usr/lib/libcrypto.dylib
/usr/lib/libcrypto.dylib: Mach-O universal binary with 4 architectures
/usr/lib/libcrypto.dylib (for architecture ppc7400): Mach-O
dynamically linked shared library ppc
/usr/lib/libcrypto.dylib (for architecture ppc64): Mach-O 64-bit
dynamically linked shared library ppc64
/usr/lib/libcrypto.dylib (for architecture i386): Mach-O dynamically
linked shared library i386
/usr/lib/libcrypto.dylib (for architecture x86_64): Mach-O 64-bit
dynamically linked shared library x86_64

$ file /usr/lib/libwrap.a
/usr/lib/libwrap.a: Mach-O universal binary with 4 architectures
/usr/lib/libwrap.a (for architecture ppc): current ar archive random
library
/usr/lib/libwrap.a (for architecture ppc64): current ar archive random
library
/usr/lib/libwrap.a (for architecture i386): current ar archive random
library
/usr/lib/libwrap.a (for architecture x86_64): current ar archive
random library

I am interested in building the static version of the FIPS-capable
OpenSSL as a universal binary.

I would appreciate any clues on how to accomplish this (if it is
possible).

Thank you,

Bill


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Bill Durant

Oct 13, 2010, 8:22:55 PM

On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote:

> On 10/13/2010 3:31 PM, Bill Durant wrote:
>>
>> I am interested in building the static version of the FIPS-capable
>> OpenSSL as a universal binary.
>
> Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to
> the security policy.
>
> Then it's possible but non-trivial to integrate these three components into
> any OpenSSL you would like to invent.

Thanks. That is exactly the approach that I am currently taking (will
use lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see
if that works)...

Bill Durant

Oct 13, 2010, 8:32:46 PM
On Oct 13, 2010, at 5:27 PM, William A. Rowe Jr. wrote:

> On 10/13/2010 7:22 PM, Bill Durant wrote:
>>
>> On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote:
>>> On 10/13/2010 3:31 PM, Bill Durant wrote:
>>>>
>>>> I am interested in building the static version of the FIPS-capable
>>>> OpenSSL as a universal binary.
>>>
>>> Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to
>>> the security policy.
>>>
>>> Then it's possible but non-trivial to integrate these three components into
>>> any OpenSSL you would like to invent.
>>
>> Thanks. That is exactly the approach that I am currently taking (will use
>> lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see if that
>> works)...
>
> That may not be sufficient, can ldfips be modified(?), it's certainly needed
> to link static to the fips canister. I'd put your energies into building a
> dylib which would give you a smidge more flexibility.

I don't know what ldfips will do. I will have to try it to see.
I think creating universal binaries with dylib will be more
straightforward but I would prefer static libs instead in order to guarantee
that my app will use the correct libcrypto lib (I am trying not to
rely on the dynamic loader to determine which to use -- my lib or the
system's lib).

Thanks,

William A. Rowe Jr.

Oct 13, 2010, 8:19:00 PM
On 10/13/2010 3:31 PM, Bill Durant wrote:
>
> I am interested in building the static version of the FIPS-capable OpenSSL as a universal
> binary.

Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to
the security policy.

Then it's possible but non-trivial to integrate these three components into
any OpenSSL you would like to invent.

William A. Rowe Jr.

Oct 13, 2010, 8:27:16 PM
On 10/13/2010 7:22 PM, Bill Durant wrote:
>
> On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote:
>> On 10/13/2010 3:31 PM, Bill Durant wrote:
>>>
>>> I am interested in building the static version of the FIPS-capable OpenSSL as a universal
>>> binary.
>>
>> Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to
>> the security policy.
>>
>> Then it's possible but non-trivial to integrate these three components into
>> any OpenSSL you would like to invent.
>
> Thanks. That is exactly the approach that I am currently taking (will use lipo(1) to
> aggregate the FIPS-capable OpenSSL static libs to see if that works)...

That may not be sufficient, can ldfips be modified(?), it's certainly needed to link
static to the fips canister. I'd put your energies into building a dylib which would
give you a smidge more flexibility.
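
Added example (not part of the thread, and not OpenSSL project code): once per-architecture static libraries have been merged with lipo(1) as discussed above, this Python sketch reads the fat header of the result and checks that every expected architecture is present and that each slice is an ar archive. The function names and the constructed sample input are assumptions for illustration; cpusubtype (for example ppc7400) is ignored.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # magic of a 32-bit fat header (stored big-endian)
ABI64 = 0x01000000          # CPU_ARCH_ABI64 flag
CPU_NAMES = {7: "i386", 7 | ABI64: "x86_64", 18: "ppc", 18 | ABI64: "ppc64"}
AR_MAGIC = b"!<arch>\n"     # first bytes of a static library (ar archive)


def fat_slices(blob):
    """Return [(arch_name, offset, size, is_ar_archive)] for a fat file."""
    if len(blob) < 8 or struct.unpack(">I", blob[:4])[0] != FAT_MAGIC:
        raise ValueError("not a fat (universal) file")
    (count,) = struct.unpack(">I", blob[4:8])
    if 8 + 20 * count > len(blob):
        raise ValueError("fat_arch table is truncated")
    slices = []
    for i in range(count):
        # struct fat_arch: cputype, cpusubtype, offset, size, align
        cputype, _, offset, size, _ = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if offset + size > len(blob):
            raise ValueError("slice %d runs past end of file" % i)
        name = CPU_NAMES.get(cputype, "cputype_0x%x" % cputype)
        is_ar = blob[offset:offset + len(AR_MAGIC)] == AR_MAGIC
        slices.append((name, offset, size, is_ar))
    return slices


def check_universal_archive(blob, expected):
    """Return a list of problems; an empty list means the file is as expected."""
    found = fat_slices(blob)
    names = [s[0] for s in found]
    problems = ["missing architecture: " + a for a in sorted(set(expected) - set(names))]
    problems += ["unexpected architecture: " + a for a in sorted(set(names) - set(expected))]
    problems += ["slice %s is not an ar archive" % n for n, _, _, ar in found if not ar]
    return problems


def build_sample(cputypes, payload=AR_MAGIC):
    """Constructed input: a fat file whose slices each hold only `payload`."""
    offset = 8 + 20 * len(cputypes)
    table = b""
    for cputype in cputypes:
        table += struct.pack(">5I", cputype, 0, offset, len(payload), 0)
        offset += len(payload)
    return struct.pack(">II", FAT_MAGIC, len(cputypes)) + table + payload * len(cputypes)
```

On a real build, pass the bytes of the merged library (for example the lipo output for libcrypto.a) to `check_universal_archive` together with the list of architectures you built.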
