Issues building openssl for Android

Question

I am following the link here to build Android libraries for openssl:

http://wiki.openssl.org/index.php/Android

Here are my settings in Setenv-Android.sh:

_ANDROID_EABI="arm-linux-androideabi-4.6"
_ANDROID_ARCH=arch-arm
_ANDROID_API="android-16"

The next step is to run the following command:

$ . ./Setenv-Andrhoid.sh

Here is the error I am getting:

Error: FIPS_SIG does not specify incore module. Please edit this script.

There is no mention of how to configure FIPS_SIG in the wiki. Looks like the script is looking for a file or directory called "incore." I searched through my $ANDROID_NDK_ROOT. However, i don't have any "incore" file.

The next command I need to run is the following:

$ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine \
      --openssldir=/usr/local/ssl/$ANDROID_API

Here, is openssldir pointing to absolute /usr/... directory? I am hoping the eventual header and lib files end up in $ANDROID_NDK_ROOT/platform/android-16/arch-arm directory.

Answer 1

Here is the error I am getting:
    Error: FIPS_SIG does not specify incore module. Please edit this script.

Oh, you're right. That has been fixed on the wiki.

I thought there was a comment in the script about "it safe to ignore if...", but it appears there is no comment about it either. Sigh....

The same script is used to build both FIPS Capable and non-FIPS version of the OpenSSL library. Its safe to ignore the FIPS_SIG error if you are not building the FIPS Capable library.

Since your are using OpenSSL and Android, it is safe to ignore. If you were following FIPS Library and Android, then it could not be ignored.

---

Looks like the script is looking for a file or directory called "incore."

For completeness, incore is a script that embeds the HMAC's fingerprint into the program or shared object. The FIPS Object Module will use the embedded HMAC to integrity test itself at startup. Its pretty useless in practice since the key is well known ;)

incore is distributed with openssl-fips-2.0.7.tar.gz and friends. Once you put incore somewhere (the directory tree or, for example, /usr/local/ssl/android-18/bin), you set FIPS_SIG to the filename.

---

$ ./config shared -no-ssl2 -no-ssl3 -no-comp -no-hw -no-engine --openssldir=/usr/local/ssl/$ANDROID_API

Here, is openssldir pointing to absolute /usr/... directory? I am hoping the eventual header and lib files end up in $ANDROID_NDK_ROOT/platform/android-16/arch-arm directory.

--openssldir is the install directory. You should set it to $ANDROID_NDK_ROOT/platform/android-16/arch-arm if that's where you want the library installed.

A little more info: by default, OpenSSL will install itself at /usr/local/ssl. When I build iOS, is use --openssldir=/usr/local/ssl/ios. When I build Android, --openssldir=/usr/local/ssl/android-18 (or android-14, etc).

For example, here's what mine looks like on a Mac Book:

$ ls /usr/local/ssl/
android-14    darwin    macosx-x64
android-18    ios       macosx-x86