Build Multiarch OpenSSL on OS X
Asked Answered
I

2

10

I need to build OpenSSL on OS X for 32 and 64 bit architectures. What are the options I need to give to ./Configure so that I get it built for both architectures into same .a file?

Ithyphallic answered 27/8, 2014 at 14:54 Comment(0)
A
27

./Configure so that I get it built for both architectures into same .a file?

You have to be careful with OpenSSL and multiarch libraries because the library is not multiarch safe. That's because each configuration has its own <openssl/opensslconf.h> file, and each platform's BIGNUM is different.

Supplying -arch x86_64 -arch i386 will result in a build failure because of the way OpenSSL's build system forms commands. Also see Getting libcrypto ar error while compiling OpenSSL for Mac.

The same procedure detailed below applies to iOS, too. The only thing that changes is the -arch. For iOS, you will probably use armv7, armv7s, arm64 and i386 (for 32-bit simulator debug) and x86_64 (for 64-bit simulator debug).

There's another not-so-apparent trick required. OpenSSL hard codes some default paths based on --prefix and --openssldir, so you have to build 32-bit for the installation directory, install, and then move it; then build 64-bit for the installation directory, install, and then move it; and then create the fat library in the install directory. Also see How to determine the default location for openssl.cnf?

Finally, do not replace OS X's supplied OpenSSL. OpenSSL 1.0.x and 1.1.x are not binary compatible with the Apple's 0.9.8 version of OpenSSL. Because of incompatibilities, the procedures below uses $HOME/ssl. You can use /usr/local/ssl or any other location that suits your taste.


Before you begin, OpenSSL wiki has a page on Compilation and Installation. There's lots of options to supply to config. Choose the ones that suit your taste. I always use no-ssl2, and usually use no-ssl3, no-comp. On mobile devices I use no-srp, no-psk, no-hw, no-dso and no-engines.


Here are the instructions for building the library. You will configure, build, install and then move for each architecture you are supporting in your multiarch build.

32-bit

make clean && make dclean

KERNEL_BITS=32 ./config no-ssl2 no-ssl3 --prefix=$HOME/ssl
make depend
make
make install_sw

mv $HOME/ssl/include/openssl/opensslconf.h $HOME/ssl/include/openssl/opensslconf-x86.h
mv $HOME/ssl/include/openssl/bn.h $HOME/ssl/include/openssl/bn-x86.h
mv $HOME/ssl/ $HOME/ssl-x86

64-bit

make clean && make dclean

KERNEL_BITS=64 ./config no-ssl2 no-ssl3 --prefix=$HOME/ssl
make depend
make
make install_sw

mv $HOME/ssl/include/openssl/opensslconf.h $HOME/ssl/include/openssl/opensslconf-x64.h
mv $HOME/ssl/include/openssl/bn.h $HOME/ssl/include/openssl/bn-x64.h
mv $HOME/ssl/ $HOME/ssl-x64

Headers

You need to copy one set of headers (it does not matter which), copy opensslconf-x86.h, opensslconf-x64.h bn-x86.h and bn-x64.h, create a new <openssl/opensslconf.h>, create a new <openssl/bn.h>, and finally create the multiarch libraries.

rm -rf $HOME/ssl

mkdir -p $HOME/ssl/bin
mkdir -p $HOME/ssl/include/openssl
mkdir -p $HOME/ssl/lib

cp $HOME/ssl-x86/openssl.cnf $HOME/ssl/openssl.cnf
cp $HOME/ssl-x86/include/openssl/* $HOME/ssl/include/openssl
cp $HOME/ssl-x86/include/openssl/opensslconf-x86.h $HOME/ssl/include/openssl/opensslconf-x86.h
cp $HOME/ssl-x64/include/openssl/opensslconf-x64.h $HOME/ssl/include/openssl/opensslconf-x64.h
cp $HOME/ssl-x86/include/openssl/bn-x86.h $HOME/ssl/include/openssl/bn-x86.h
cp $HOME/ssl-x64/include/openssl/bn-x64.h $HOME/ssl/include/openssl/bn-x64.h

New <opensslconf.h>

If you have not done so, create $HOME/ssl/include/openssl/opensslconf.h. Be sure you use a new header guard (OPENSSL_MULTIARCH_CONF_HEADER):

cat $HOME/ssl/include/openssl/opensslconf.h
#ifndef OPENSSL_MULTIARCH_CONF_HEADER
#define OPENSSL_MULTIARCH_CONF_HEADER

#if __i386 || __i386__
# include "opensslconf-x86.h"
#elif __x86_64 || __x86_64__ || __amd64 || __amd64__
# include "opensslconf-x64.h"
#else
# error Unknown architecture
#endif

#endif /* OPENSSL_MULTIARCH_CONF_HEADER */

New <bn.h>

Create $HOME/ssl/include/openssl/bn.h. Be sure you use a new header guard (OPENSSL_MULTIARCH_BN_HEADER):

cat $HOME/ssl/include/openssl/bn.h
#ifndef OPENSSL_MULTIARCH_BN_HEADER
#define OPENSSL_MULTIARCH_BN_HEADER

#if __i386 || __i386__
# include "bn-x86.h"
#elif __x86_64 || __x86_64__ || __amd64 || __amd64__
# include "bn-x64.h"
#else
# error Unknown architecture
#endif

#endif /* OPENSSL_MULTIARCH_BN_HEADER */

Libraries

At this point, you have a x86 build of the library located at $HOME/ssl-x86 and a x64 build of the library located at $HOME/ssl-x64. You combine them with lipo at $HOME/ssl.

lipo -create $HOME/ssl-x86/lib/libcrypto.a \
             $HOME/ssl-x64/lib/libcrypto.a \
             -output $HOME/ssl/lib/libcrypto.a

lipo -create $HOME/ssl-x86/lib/libssl.a \
             $HOME/ssl-x64/lib/libssl.a \
             -output $HOME/ssl/lib/libssl.a

lipo -create $HOME/ssl-x86/bin/openssl \
             $HOME/ssl-x64/bin/openssl \
             -output $HOME/ssl/bin/openssl

Share Libraries

If you configured with shared, then you need to perform:

lipo -create $HOME/ssl-x86/lib/libcrypto.1.0.0.dylib \
             $HOME/ssl-x64/lib/libcrypto.1.0.0.dylib \
             -output $HOME/ssl/lib/libcrypto.1.0.0.dylib

lipo -create $HOME/ssl-x86/lib/libssl.1.0.0.dylib \
             $HOME/ssl-x64/lib/libssl.1.0.0.dylib \
             -output $HOME/ssl/lib/libssl.1.0.0.dylib

Then, you need to recreate the softlinks:

ln -s $HOME/ssl/lib/libcrypto.dylib $HOME/ssl/lib/libcrypto.1.0.0.dylib
ln -s $HOME/ssl/lib/libssl.dylib $HOME/ssl/lib/libssl.1.0.0.dylib

Finally, test things. Verify the libraries are multiarch:

ls $HOME/ssl/lib/
libcrypto.a libssl.a

lipo -info $HOME/ssl/lib/libcrypto.a 
Architectures in the fat file: $HOME/ssl/lib/libcrypto.a are: i386 x86_64 
lipo -info $HOME/ssl/lib/libssl.a 
Architectures in the fat file: $HOME/ssl/lib/libssl.a are: i386 x86_64

And then a test program:

#include <openssl/opensslconf.h>
#include <openssl/ssl.h>

int main(int argc, char* argv[])
{
  SSL_library_init();
  return 0;
}

And:

$ clang -arch i386 -arch x86_64 -I $HOME/ssl/include test.c -o test.exe -L $HOME/ssl/lib -lssl -lcrypto
$ DYLD_LIBRARY_PATH=$HOME/ssl/lib; ./test.exe 
$

DYLD_LIBRARY_PATH is used in case you built the dynamic libraries on OS X.


If desired, you can delete the non-multiarch installations:

rm -rf $HOME/ssl-x86
rm -rf $HOME/ssl-x64
Almswoman answered 27/8, 2014 at 15:20 Comment(2)
OpenSSL build page now links to this answer. For many years i've been wondering why can't they have headers that match for all platforms instead of that nonsense that they have, like opnessl is special from all other projects.Waldos
Hi, there are some "minor" issued in your solution. The syntax for creating symlinks is ln -s <source> <destination>. I'm sure, this is a typo. The CLANG flags for INCLUDE and Library path must not be space seperated ! So -I<INC> -L<LIB> is the correct syntax.Trula
E
0

Just a followup on this bit :

That's because each configuration has its own <openssl/opensslconf.h> file, and each platform's BIGNUM is different.

OpenSSL 3.2.1 built for macOS x86 and arm, produces identical header files on each platform.

So you can use the headers from either build and discard the other one without issue.

Emptor answered 2/8, 2024 at 0:48 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.