On 7/18/10 12:27 PM, Stephen Henson via RT wrote:
>> [philipp_s...@redfish-solutions.com - Sun Jul 18 19:02:04 2010]:
>>
>> The problem here is that the intermediate binaries like
>> ./fips_standalone_sha1 are being built with the target compiler, not
>> the host compiler.
>>
>> I had submitted a patch a year and a half ago to fix this issue, but
>> for whatever reason it's been languishing.
>>
> That was addressed some time ago as part of the cross compilation
> support for FIPS builds. Let me know of any problems.

When did this patch get applied? I see it's in 0.9.8n.

>> Which "appropriate patch" are you talking about?
>>
> Historically the problem with FIPS builds was that you needed to execute
> target binaries in order to embed the appropriate signature (the fipsld
> script did that). That was fine if the host and target were compatible
> but choked if they weren't.
>
> We couldn't change that without modifying the validated module source
> and that is not allowed without permission.
>
> An update to the validation (a change letter) now means cross
> compilation is supported for FIPS builds. The "appropriate patch" is
> something that adds cross compilation functionality to the validated
> module. It is at:
>
> http://www.openssl.org/source/openssl-fips-1.2.crossbuild.diff.gz
>
> Steve.

Did a bump to 0.9.8n and ran into a separate issue: we need to explicitly
pass various flags to CC and LD, but there's no easy way to do that. So
added the following patch.

--- openssl-0.9.8n/Configure.orig2 2010-07-18 11:57:13.000000000 -0600 +++ openssl-0.9.8n/Configure 2010-07-18 12:25:57.000000000 -0600 @@ -841,6 +841,14 @@ PROCESS_ARGS: { $flags.=$_." "; } + elsif (/^--cflags=(.*)$/) + { + $flags=$1." "; + } + elsif (/^--ldflags=(.*)$/) + { + $lflags=$1." "; + } elsif (/^--prefix=(.*)$/) { $prefix=$1;
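
Review bot: In the new --cflags= branch, $flags=$1." "; assigns rather than appends, while the branch directly above it uses $flags.=$_." ";, so anything already collected in $flags from earlier arguments is discarded when --cflags= appears later on the command line, and the resulting compiler flags depend on argument order. That can silently drop options a caller passed on purpose. Use .= in both new branches ($flags.=$1." "; and $lflags.=$1." ";), or, if replacing is intended, say so where the options are documented. The hunk also adds two new options with no accompanying usage or help text in the visible change; please add a line for --cflags= and --ldflags= alongside the existing --prefix= description.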