On 7/18/10 12:27 PM, Stephen Henson via RT wrote:
[philipp_s...@redfish-solutions.com - Sun Jul 18 19:02:04 2010]:

The problem here is that the intermediate binaries like
./fips_standalone_sha1 are being built with the target compiler, not
the host compiler.

I had submitted a patch a year and a half ago to fix this issue, but
for whatever reason it's been languishing.

That was addressed some time ago as part of the cross compilation
support for FIPS builds. Let me know of any problems.

When did this patch get applied? I see it's in 0.9.8n
Which "appropriate patch" are you talking about?

Historically the problem with FIPS builds was that you needed to execute
target binaries in order to embed the appropriate signature (the fipsld
script did that). That was fine if the host and target were compatible
but choked if they weren't.

We couldn't change that without modifying the validated module source
and that is not allowed without permission.

An update to the validation (a change letter) now means cross
compilation is supported for FIPS builds. The "appropriate patch" is
something that adds cross compilation functionality to the validated
module. It is at:

http://www.openssl.org/source/openssl-fips-1.2.crossbuild.diff.gz

Steve.

Did a bump to 0.9.8n and ran into a separate issue: we need to explicitly pass
various flags to CC and LD, but there's no easy way to do that. So added the
following patch.

--- openssl-0.9.8n/Configure.orig2 2010-07-18 11:57:13.000000000 -0600
+++ openssl-0.9.8n/Configure 2010-07-18 12:25:57.000000000 -0600
@@ -841,6 +841,14 @@ PROCESS_ARGS:
{
$flags.=$_." ";
}
+ elsif (/^--cflags=(.*)$/)
+ {
+ $flags=$1." ";
+ }
+ elsif (/^--ldflags=(.*)$/)
+ {
+ $lflags=$1." ";
+ }
elsif (/^--prefix=(.*)$/)
{
$prefix=$1;
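
Review bot: the new `--cflags=` branch assigns with `$flags=$1." ";` while the branch directly above it appends with `$flags.=$_." ";`, so any compiler flags collected from earlier arguments are discarded when `--cflags=` comes later on the command line, and the outcome depends on argument order. Appending instead (`$flags.=$1." ";`, and likewise `$lflags.=$1." ";` in the `--ldflags=` branch) would keep both sets. `$lflags` is neither declared nor consumed in the visible lines, so it is worth confirming that it actually reaches the link command, and the two new options are not documented anywhere in this hunk.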