To achieve FIPS compliance, many enterprises rely on OpenSSL 1.x-compatible libraries, even though these versions have reached end of life (EOL). The latest OpenSSL releases (3.x) bring significant architectural changes and streamlined FIPS support. However, migrating to OpenSSL 3.x often requires extensive codebase modifications, particularly in critical areas like encryption. For enterprises with complex codebases or legacy systems, such changes introduce potential risks and demand rigorous testing, making immediate migration challenging. As a result, many organizations are opting to continue using OpenSSL 1.x, despite its EOL status.
On iOS, supporting FIPS-compliant OpenSSL 1.x presents unique challenges. The FIPS library is typically statically linked, and the application is cross-compiled, which requires embedding the FIPS module runtime signature into the application.
Here are several important guidelines for maintaining FIPS compliance with OpenSSL 1.x on iOS:
- Include fips_premain.c in the application source code
The FIPS module uses internal validation logic to ensure that the runtime-loaded image signature matches the value calculated at linkage time. fips_premain.c contains the logic to print the expected value during linkage. Ensure this file is included in your application source.
- Ensure proper embedding of the expected FIPS module signature in the application
If your application, when compiled with fips_premain.c, only prints the expected FIPS module signature and exits (e.g., f1022ef5682e5d708ee5921e13f3051bbbb1a8c0), this usually indicates that the expected value was not embedded correctly into the application. Here are two methods to embed the signature properly:
  - Manual update in fips_premain.c: Change the expected HMAC signature value in fips_premain.c to match the one printed in the console. For example:
      #define HMAC_SHA1_SIG "f1022ef5682e5d708ee5921e13f3051bbbb1a8c0"
  - Using the incore_macho tool: Run the incore_macho tool with the path to the application executable. This tool embeds the expected signature directly into the app executable. Note that you can run the incore_macho binary on macOS against an application compiled for an iOS device or simulator.
- Statically link libcrypto.a with FIPS support
The FIPS-compliant libcrypto.a library should be statically linked with the application. To validate this, run the following command:
nm <ios_app> | grep FIPS_rodata_start
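A plain grep over nm output also matches a line where the symbol is only an undefined reference (type U), which means libcrypto.a was not linked in statically. The shell function below is an added example, not part of the original article; it classifies nm output read on stdin, and its function names, script name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a symbol appears in `nm` output (read on stdin).
# Prints one of: defined | undefined | absent
fips_symbol_status() {
    awk -v sym="${1:-FIPS_rodata_start}" '
        NF < 2 { next }                    # skip blank lines and archive headers
        {
            name = $NF; type = $(NF - 1)
            sub(/^_/, "", name)            # Mach-O nm prefixes C symbols with "_"
            if (name != sym) next
            if (type == "U") undef = 1     # referenced only, not linked in
            else def = 1                   # has an address in this image
        }
        END {
            if (def) print "defined"
            else if (undef) print "undefined"
            else print "absent"
        }'
}

# Constructed nm output (addresses are made up), not taken from a real build.
sample_static() {
    printf '%s\n' \
        '0000000100004f20 T _main' \
        '00000001000a8000 S _FIPS_rodata_start' \
        '                 U _malloc'
}
sample_dynamic() {
    printf '%s\n' \
        '0000000100004f20 T _main' \
        '                 U _FIPS_rodata_start'
}
sample_stripped() {
    printf '%s\n' '                 U _malloc'
}

# Usage: sh check_fips_link.sh <ios_app>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    status=$(nm "$1" | fips_symbol_status)
    echo "FIPS_rodata_start: $status"
    [ "$status" = "defined" ]
fi
```

A result of absent can also mean the symbol table was stripped, so run the check on the unstripped build product.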
By following these steps, you can ensure that your iOS application maintains FIPS compliance while using OpenSSL 1.x.