feat(openssl): upgrade from 3.0.8 to 3.1.2 (FIPS 140-3 Cert #4985)

- Bump OPENSSL_VERSION default from 3.0.8 to 3.1.2
- Update SHA256 hash for openssl-3.1.2.tar.gz
- Update all compliance checks to validate OpenSSL 3.1.x series
- Update docs: README, install.md, CLAUDE.md, test READMEs
- Previous 3.0.8 had only FIPS 140-2 (Cert #4282); 3.1.2 is the
  first OpenSSL with full FIPS 140-3 validation (Cert #4985,
  valid through March 2030)
Christopher Fahlin
2026-05-09 12:38:27 -07:00
parent 06429cfdb4
commit 01e26dd717
12 changed files with 19 additions and 19 deletions
+1 -1
@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
## Project Overview
A CMake-based cross-compile pipeline producing FIPS 140-3 compliant OpenSSL 3.0.x + SQLCipher 4.6.x for Android and iOS. Outputs: AAR (Android) and XCFramework (iOS). The FIPS provider is the validated cryptographic boundary; post-build binary mutation (strip, compress, re-sign) invalidates the HMAC integrity check.
A CMake-based cross-compile pipeline producing FIPS 140-3 compliant OpenSSL 3.1.x + SQLCipher 4.6.x for Android and iOS. Outputs: AAR (Android) and XCFramework (iOS). The FIPS provider is the validated cryptographic boundary; post-build binary mutation (strip, compress, re-sign) invalidates the HMAC integrity check.
## Build Commands
+1 -1
@@ -24,7 +24,7 @@ project(fips_sqlcipher
set(TARGET_PLATFORM "Android" CACHE STRING "Target platform: Android or iOS")
set_property(CACHE TARGET_PLATFORM PROPERTY STRINGS "Android" "iOS")
set(OPENSSL_VERSION "3.0.8" CACHE STRING "OpenSSL FIPS source version")
set(OPENSSL_VERSION "3.1.2" CACHE STRING "OpenSSL FIPS source version")
set(SQLCIPHER_VERSION "v4.6.1" CACHE STRING "SQLCipher release tag")
option(FIPS_DEVELOPER_MODE "Enable warnings and compile_commands.json for in-project code" OFF)
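Review bot: `OPENSSL_VERSION` is declared as a `CACHE STRING`, so changing the default on the `set(OPENSSL_VERSION "3.1.2" CACHE STRING ...)` line does not update build directories that were already configured; they keep the cached `3.0.8`. Please add a line to the upgrade notes telling users to reconfigure from a clean build directory or to pass `-DOPENSSL_VERSION=3.1.2` explicitly, otherwise an existing tree keeps building the old version while the docs state 3.1.2.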
+2 -2
@@ -1,7 +1,7 @@
# fips-sqlcipher
A reproducible cross-compile pipeline that produces **FIPS 140-3 compliant**
OpenSSL 3.0.x + SQLCipher 4.6.x for **Android** and **iOS**. Output:
OpenSSL 3.1.x + SQLCipher 4.6.x for **Android** and **iOS**. Output:
- **Android:** Self-contained AAR with `arm64-v8a` + `x86_64` shared libs,
FIPS provider module, and runtime config.
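Review bot: The README's opening sentence now reads `OpenSSL 3.1.x`, but the commit message ties Cert #4985 to 3.1.2 specifically. Consider naming the exact version (`OpenSSL 3.1.2`) here, as the integration guide does, so the README does not suggest that any 3.1 patch release carries the validation.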
@@ -108,7 +108,7 @@ ANDROID_ABI=x86_64 ./build.sh android # emulator
| `ANDROID_NDK_ROOT` | (required) | Path to NDK r26+ |
| `ANDROID_ABI` | `arm64-v8a` | `arm64-v8a`, `armeabi-v7a`, `x86_64`, `x86` |
| `ANDROID_PLATFORM` | `android-24` | Minimum Android API level |
| `OPENSSL_VERSION` | `3.0.8` | FIPS 140-2 Cert #4282 baseline |
| `OPENSSL_VERSION` | `3.1.2` | FIPS 140-3 Cert #4985 baseline |
| `SQLCIPHER_VERSION` | `v4.6.1` | SQLCipher git tag |
| `IOS_DEPLOYMENT_TARGET`| `15.0` | Minimum iOS version |
| `OPENSSL_HOST_BIN` | (unset) | Host openssl for in-tree fipsinstall |
+2 -2
@@ -25,7 +25,7 @@
# Optional (with defaults):
# ANDROID_ABI arm64-v8a
# ANDROID_PLATFORM android-24
# OPENSSL_VERSION 3.0.8
# OPENSSL_VERSION 3.1.2
# SQLCIPHER_VERSION v4.6.1
# IOS_DEPLOYMENT_TARGET 15.0
# CMAKE_TOOLCHAIN_FILE $ANDROID_NDK_ROOT/build/cmake/android.toolchain.cmake
@@ -76,7 +76,7 @@ doctor
# ---------------------------------------------------------------------------
# Shared inputs
# ---------------------------------------------------------------------------
: "${OPENSSL_VERSION:=3.0.8}"
: "${OPENSSL_VERSION:=3.1.2}"
: "${SQLCIPHER_VERSION:=v4.6.1}"
: "${OPENSSL_HOST_BIN:=}"
: "${BUILD_TYPE:=Release}"
+1 -1
@@ -1,7 +1,7 @@
# ---------------------------------------------------------------------------
# BuildOpenSSL.cmake
#
# Cross-compile OpenSSL 3.0.x with enable-fips for the Android NDK.
# Cross-compile OpenSSL 3.1.x with enable-fips for the Android NDK.
#
# Requires (set by parent before include):
# ANDROID_NDK, ANDROID_ABI, ANDROID_PLATFORM,
+1 -1
@@ -1,7 +1,7 @@
# ---------------------------------------------------------------------------
# BuildOpenSSL_iOS.cmake
#
# Cross-compile OpenSSL 3.0.x with enable-fips for iOS (device + simulator).
# Cross-compile OpenSSL 3.1.x with enable-fips for iOS (device + simulator).
# Produces STATIC libraries (App Store prohibits dlopen of arbitrary dylibs).
# FIPS integrity enforced via incore HMAC mechanism.
#
+2 -2
@@ -16,9 +16,9 @@ set(OPENSSL_SRC_URL
"https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
CACHE STRING "OpenSSL source tarball URL")
if(OPENSSL_VERSION STREQUAL "3.0.8")
if(OPENSSL_VERSION STREQUAL "3.1.2")
set(_default_openssl_hash
"6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e")
"a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539")
else()
set(_default_openssl_hash "")
endif()
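Review bot: The `else()` branch still sets `_default_openssl_hash` to an empty string, so any build that overrides `OPENSSL_VERSION` (including one still pinned to 3.0.8, whose digest is removed here) gets no default SHA256. The hunk does not show what the download step does with an empty value; if it skips verification in that case, fail configuration instead with `message(FATAL_ERROR ...)` unless the caller supplies a hash. A comment recording where the new digest was taken from would also let a reviewer check it independently of this commit.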
+2 -2
@@ -1,6 +1,6 @@
# FIPS SQLCipher — Integration Guide
FIPS 140-3 compliant SQLCipher with OpenSSL 3.0.8 for Android and iOS.
FIPS 140-3 compliant SQLCipher with OpenSSL 3.1.2 for Android and iOS.
---
@@ -214,5 +214,5 @@ assert(FIPSSQLCipher.selfTest()) // POST/KAT re-run passes?
## Versions
- OpenSSL 3.0.8 (FIPS 140-3 validated), SQLCipher v4.6.1
- OpenSSL 3.1.2 (FIPS 140-3 validated, CMVP Cert #4985), SQLCipher v4.6.1
- Android: API 24+, iOS: 17.0+
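Review bot: The unchanged context line `- Android: API 24+, iOS: 17.0+` in this Versions section disagrees with the `IOS_DEPLOYMENT_TARGET` default of `15.0` shown in the README table and in the build script header. Since this commit already edits the Versions list, please reconcile the iOS minimum in the same pass so the integration guide and the build defaults state one value.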
@@ -24,9 +24,9 @@ fun runComplianceSuite(filesDir: String): List<ComplianceCheck> {
val ok = FipsNative.hmacIntegrity()
ok to if (ok) "module integrity verified" else "HMAC mismatch — module corrupted"
},
check("OpenSSL Version", "Must be FIPS 140-3 validated 3.0.x series") {
check("OpenSSL Version", "Must be FIPS 140-3 validated 3.1.x series") {
val v = FipsNative.opensslVersion()
v.startsWith("OpenSSL 3.0.") to v
v.startsWith("OpenSSL 3.1.") to v
},
check("DB Write/Read", "SQLCipher encrypted round-trip via FIPS crypto") {
java.io.File(dbPath).delete()
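Review bot: `v.startsWith("OpenSSL 3.1.")` passes for every 3.1 patch release, while the commit message names 3.1.2 as the version under Cert #4985. As a compliance check this should compare against the exact validated version, for example `v.startsWith("OpenSSL 3.1.2 ")` with the trailing space so a longer patch number cannot match, and the description string should say 3.1.2 rather than `3.1.x series`. The same prefix literal is edited by hand in the Swift suite and in the second Kotlin suite further down; a single expected-version constant generated from the build's `OPENSSL_VERSION` would keep the three copies from drifting on the next bump.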
@@ -36,10 +36,10 @@ func runComplianceSuite() -> [ComplianceCheck] {
},
check(
name: "OpenSSL Version",
description: "Must be FIPS 140-3 validated 3.0.x series"
description: "Must be FIPS 140-3 validated 3.1.x series"
) {
let version = String(cString: OpenSSL_version(0))
let valid = version.hasPrefix("OpenSSL 3.0.")
let valid = version.hasPrefix("OpenSSL 3.1.")
return (valid, version)
},
check(
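Review bot: `OpenSSL_version(0)` reports the version of the linked libcrypto, not of the FIPS provider module, which is the component the project docs describe as the validated cryptographic boundary. Consider reading the provider's own version for this check (`OSSL_PROVIDER_get_params` with `OSSL_PROV_PARAM_VERSION`) so the result reflects the module the certificate applies to. The literal `0` would also read better as the named `OPENSSL_VERSION` constant that the test README uses for the same call.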
+1 -1
@@ -45,7 +45,7 @@ Or open `tests/android-fips/` as a project in Android Studio Hedgehog+.
| ---------------------- | ---------------------------------------------------------------- |
| FIPS Provider | `OSSL_PROVIDER_available(NULL, "fips") == 1` |
| Self-Test (KAT) | `OSSL_PROVIDER_self_test(fips_provider) == 1` |
| OpenSSL Version | `OpenSSL_version(OPENSSL_VERSION)` is in the `OpenSSL 3.0.x` line|
| OpenSSL Version | `OpenSSL_version(OPENSSL_VERSION)` is in the `OpenSSL 3.1.x` line|
| Encrypted DB Write/Read| Native `sqlite3_open` -> `sqlite3_key` -> insert -> select round-trip |
| Passphrase Rotation | `sqlite3_rekey` succeeds and the new key opens the database |
| Wrong-Key Rejection | An incorrect passphrase fails to read `sqlite_master` |
@@ -29,10 +29,10 @@ class ComplianceSuite(private val context: Context) {
},
check(
"OpenSSL Version",
"Must be in FIPS 140-3 validated 3.0.x series",
"Must be in FIPS 140-3 validated 3.1.x series",
) {
val v = Native.opensslVersion()
v.startsWith("OpenSSL 3.0.") to v
v.startsWith("OpenSSL 3.1.") to v
},
check(
"Encrypted DB Write/Read",