Thanks, I actually had just figured it out. "config -d" was what I was looking for. I found it confusing that config --help didn't list it. Then even more strange that config -h shows a different set of options. Then I looked in the script at what -d does (just setting a PREFIX variable as far as I can see), and it didn't look like it even did anything. But it worked anyhow. Still no idea why "file" said it wasn't stripped. nm would even show the symbols there. But gdb was saying there was "no line number information". Maybe that's an additional part of the information.

And I did config -d both when building the canister and openssl itself.

Thanks

On 10/19/2012 08:47 AM, Thomas Francis, Jr. wrote:

Generally speaking, you shouldn't be trying to do that. :) However, I've found it useful on occasion when trying to determine why FIPS mode didn't work (usually to find out why fipsld.pl failed for a given set of non-C code). In order to do this, you have to build fipscanister.o with debug symbols, which means you cannot follow the FIPS build instructions, so you can't use this one for any production purposes if you need FIPS mode. You can't change any of the code inside fipscanister.o anyway, so that shouldn't be a big deal; you're probably doing this either to fix a bug outside the FIPS boundary, or to just learn more about how it works, right?

In order to do this, you generally have to follow the rules for building the fips canister from scratch, except that you first modify the Configure script to add the appropriate compiler option for generating debug symbols for your build (since you mention linux, I'm guessing it'll be "-g"). Don't be surprised if this takes a couple of tries to get it right -- there are a couple of misleading sections in that script. Just watch the output carefully, and abort as soon as you see a compile line go by that doesn't include that option.

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Davy Durham
*Sent:* Thursday, October 18, 2012 12:31 PM
*To:* [email protected]
*Subject:* Help debugging openssl in fips mode.

Hi,
On linux, with gdb, I'm trying to trace into openssl while it's going into FIPS mode. I've built the canister and then the openssl tree (which includes the openssl cmd line utility).

Here's the output I'm getting:

*$ export OPENSSL_FIPS=1*
*$ gdb openssl*
GNU gdb 6.6-5.1bgr ()
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as ""...
Using host libthread_db library "/lib/tls/libthread_db.so.1".
*(gdb) break FIPS_mode_set*
Function "FIPS_mode_set" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (FIPS_mode_set) pending.
(gdb) r
Starting program: /usr/bin/openssl
Breakpoint 2 at 0x777efee0
Pending breakpoint "FIPS_mode_set" resolved

*Breakpoint 2, 0x777efee0 in FIPS_mode_set () from /usr/lib/libcrypto.so.0.9.8*
*(gdb) step*
Single stepping until exit from function FIPS_mode_set,
which has no line number information.
0x77753567 in __i686.get_pc_thunk.bx () from /usr/lib/libcrypto.so.0.9.8
(gdb) step
Single stepping until exit from function __i686.get_pc_thunk.bx,
which has no line number information.
0x777efeec in FIPS_mode_set () from /usr/lib/libcrypto.so.0.9.8
(gdb) step
Single stepping until exit from function FIPS_mode_set,
which has no line number information.
main (Argc=1, Argv=0x7fe146c4) at openssl.c:245

As you can see, after I hit the break point, and try to step into it, it seems to skip over actually going into the routine.

The file command says that /usr/lib/libcrypto.so.0.9.8 is not stripped:

$ file /usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so.0.9.8: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

And the FIPS canister that was built doesn't appear to be stripped:

$ file fipscanister.o
fipscanister.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped

And, I don't see anything in the Makefile that pulls in the canister that is stripping it.

So, I'm a little confused as to why I'm unable to trace into the source.

Is there some documentation that explains how to build things for debugging? Are there some config flags I need to pass?

Thanks.  Any help would be appreciated.
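
The gap between `file` reporting "not stripped" and gdb reporting "no line number information", as an added example that is not part of the original thread: `file` bases "not stripped" on the presence of a symbol table section, while source-level stepping needs the line tables a `-g` build emits, assumed here to be DWARF `.debug_line`. The helper names and the headers-only sample objects are constructed for illustration.

```python
import struct, sys

SHT_SYMTAB = 2  # section type of the static symbol table (.symtab)

def sections(data):
    """Return [(name, sh_type)] for every section header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    if data[4] == 1:                              # EI_CLASS: 1 = 32-bit layout
        (shoff,) = struct.unpack_from(end + "I", data, 0x20)
        entsize, num, strndx = struct.unpack_from(end + "3H", data, 0x2E)
        fmt = end + "10I"
    else:                                         # 64-bit layout
        (shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        entsize, num, strndx = struct.unpack_from(end + "3H", data, 0x3A)
        fmt = end + "2I4Q2I2Q"
    hdrs = [struct.unpack_from(fmt, data, shoff + i * entsize) for i in range(num)]
    tab = hdrs[strndx][4]                         # sh_offset of the section-name table
    cstr = lambda o: data[tab + o:data.index(b"\0", tab + o)].decode()
    return [(cstr(h[0]), h[1]) for h in hdrs]

def classify(data):
    """Separate 'has a symbol table' from 'has DWARF line tables'."""
    secs = sections(data)
    return {"not_stripped": any(t == SHT_SYMTAB for _, t in secs),
            "line_info": any(n == ".debug_line" for n, _ in secs)}

def build_elf32(section_names):
    """Constructed sample: a headers-only ELF32 i386 relocatable, no real code."""
    names = [""] + list(section_names) + [".shstrtab"]
    types = {"": 0, ".symtab": SHT_SYMTAB, ".strtab": 3, ".shstrtab": 3}
    strtab, hdrs = b"", []
    for n in names:
        hdrs.append([len(strtab), types.get(n, 1), 0, 0, 0, 0, 0, 0, 0, 0])
        strtab += n.encode() + b"\0"
    hdrs[-1][4:6] = [52, len(strtab)]             # name table follows the 52-byte header
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, 52 + len(strtab),
                               0, 52, 0, 0, 40, len(names), len(names) - 1)
    return ehdr + strtab + b"".join(struct.pack("<10I", *h) for h in hdrs)

SYMBOLS_ONLY = build_elf32([".text", ".symtab", ".strtab"])               # as if built without -g
WITH_DEBUG = build_elf32([".text", ".debug_line", ".symtab", ".strtab"])  # as if built with -g

if __name__ == "__main__":
    for path in sys.argv[1:]:                     # e.g. fipscanister.o libcrypto.so.0.9.8
        print(path, classify(open(path, "rb").read()))
    print(classify(SYMBOLS_ONLY), classify(WITH_DEBUG))
```

Run against a real object, a result of `not_stripped: True, line_info: False` matches the symptom in the thread: nm and breakpoints by name work, but gdb cannot step by source line.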

