RE: FIPS-capable curl: Solaris 9 - fingerprint does not match

Welling, Conrad Gerhart Tue, 23 Sep 2008 13:54:31 -0700

Joshi:
A cursory look at your output indicates that gcc doesn't recognize two options 
being used, namely -qnostdinc and -qnolm.  When I execute "gcc -v --help" using 
gcc version 3.4.6, I find ...
 
  -nostdinc                   Do not search standard system include directories
 
and no entry for -qnolm.  If your project configuration is appropriate, then it 
appears that your version of gcc may not be.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joshi chandran
Sent: Monday, September 22, 2008 11:43 PM
To: openssl-users@openssl.org
Subject: Re: FIPS-capable curl: Solaris 9 - fingerprint does not match



when i am using make CC=fipsld FIPSLD_CC=gcc , i am getting error message 

   if test ! -z ""; then  /.../ 
austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/ode_tools/power/usr/bin/perl 
./fixprogs ssh_prng_cmds ;  fi
        (cd openbsd-compat && make)
        /gsa/ausgsa/projects/o/openssh/fipsssl/lib/fipsld -g -qnostdinc -qnolm 
-I. -I.. -I. -I./.. -I/gsa/ausgsa/projects/o/openssh/fipsssl/include 
-I/gsa/ausgsa/projects/o/openssh/zlib-1.2.3 -I 
/gsa/ausgsa/projects/k/kerberos/build/krb514/current/export/rios_aix_4/usr/include
 -I/.../ 
austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/export/power/usr/include/ 
-I/.../ 
austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/export/power/usr/include/sys 
-I/gsa/ausgsa/projects/o/openssh/include -DHAVE_CONFIG_H -c bsd-arc4random.c
gcc: unrecognized option `-qnostdinc'
gcc: unrecognized option `-qnolm'
         (E) Message system initialization, unable to open catalogs: xlCfe.cat, 
/usr/ccs/lib/exe/default_msg/xlCfe.cat.
1506-005: (E) Error in message set 12, unable to retrieve message 173.
1506-005: (E) Error in message set 12, unable to retrieve message 155.
1506-005: (E) Error in message set 12, unable to retrieve message 173.
1506-005: (E) Error in message set 12, unable to retrieve message 297.
1506-005: (E) Error in message set 12, unable to retrieve message 312.
make: The error code from the last command is 1.

Can u please  help me 

Thanks
Joshi


On Tue, Sep 23, 2008 at 5:31 AM, Welling, Conrad Gerhart < [EMAIL PROTECTED]> 
wrote:


Dr. Henson:

Thanks for your quick response and your patience.  Sometimes I have a way of 
trying to make things so much harder than they need to be.  I reread page 33 of 
the OFOM User Guide ...

"The fipsld command requires that the CC and/or FIPSLD_CC environment variables 
be set, with the latter taking precedence. These variables allow a typical 
Makefile to be used without modification by specifying a command of the form

       make CC=fipsld FIPSLD_CC=gcc

where fipsld is invoked by make in lieu of the original compiler and linker 
(gcc in this
example), and in turn invokes that compiler where appropriate."

So, I stopped trying to edit the curl Makefiles and, instead, actually tried 
doing exactly what Steve Marquess says to do in the OFOM User Guide (along with 
copying fipsld into the necessary curl source directories and telling make 
where to find openssl).  Of course, my FIPS-capable curl built successfully.

Thanks again.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Monday, September 22, 2008 3:44 AM
To: openssl-users@openssl.org
Subject: Re: FIPS-capable curl: Solaris 9 - fingerprint does not match


On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote:

> Back to square 2 out of 3:
>
> Platform:
> SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
> gcc (GCC) 3.4.6
> GNU ld version 2.17
> GNU ar 2.17
>
> 1. Built fips-1.1.2 successfully
>
> 2. Built openssl-0.9.7m successfully with ...
> ./Configure solaris-sparcv9-gcc27 fips 
> --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/
>
> (also tried with -shared, but no successful build)
>
> 3. Built modded curl executable, adding a --fips-mode option, using ...
> ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp 
> --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet 
> --with-ca-path=../x.dcerts --disable-ldap
>
> When curl executable is run from command-line with --fips-mode, get ...
> SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS 
> routines:FIPS_check_dso:fingerprint does not match
>
> I've read all "fips solaris" forum messages + others ... I thought I had this 
> down, but ...
> a little guidance would be appreciated.
>

You need to link the application using the "fipsld" script. That will
correctly obtain and embed the correct signature in the target.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                     openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                     openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]





-- 
Regards 
Joshi Chandran

RE: FIPS-capable curl: Solaris 9 - fingerprint does not match

Reply via email to