Re: FPSCANISTER build cross compilation problem
Hello, I made gcc as a shell script and passed -mcpu and -Dmalloc=XXX_malloc flags, then fipscanister build succeeds. I then use the fipscanister.o in openssl tree which creates libcrypto.a . Now for our system we need to build a shared object file. So I pass export CC=/opt/bin/arm-linux-gcc; fipsld -shared -o libfips.so $(CFLAGS) It results in error fips_premain_dso: No Such File or directory. According to the fips/Makefile : fips_premain_dso gets build only when I build fips using ./config shared option, which I am not allowed to pass and is not intended usecase also. Kindly help in this regard. Thanking you, -Abhijit On Fri, Mar 8, 2013 at 9:00 PM, Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote: Thank you all, for your kind responses and your time . I will try the http://opensslfoundation.com/testing/validation-2.0/platforms/ios/setenv-ios.sh approach and see the result. I saw the Configure script which config finally runs. It has provisions of adding some extra flags like -mcpu or include / lib directory for android armv7 platform, so I would still like to believe there could be some way of passing some flags. With Regards, -Abhijit On Fri, Mar 8, 2013 at 7:27 PM, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Mar 08, 2013, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. As some other people have indicated, passing custom CFLAGS is problematical to say the least. Setting environment variables is OK though: there are various environment variables gcc understands which can specify header locations. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FPSCANISTER build cross compilation problem
Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. Thanks in Advance, -Abhijit __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FPSCANISTER build cross compilation problem
On 3/8/2013 10:34 AM, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. I don't think you can change the CFLAGS without having to go through the entire many-thousand-dollars-and-lots-of-time official validation process again. But maybe you can get away with using a cross compiler whose default include and library directories point to the cross platform includes and libraries. Try this test to see if your cross compiler is setup to do the right thing by default: $ cat ./hello.c #include stdlib.h #include unistd.h int main(int argc, char**argv) { printf(Hello, World!\n); return 0; } Press Ctrl+D here $ /opt/gccarm-4.1.2/bin/gcc -o hello hello.c If the second command above produces a valid Hello, World for your target platform, the problem is complicated. But if it fails with errors similar to those in the FIPSCANISTER build, then your cross compiler is not correctly configured/installed, and that needs to be fixed first. All that being said, note the following caveats: - Others have reported specific problems with the final checksumming steps for the FIPSCANISTER when cross compiling. However they got a lot further than you before running in to trouble. - What you can and cannot do without that expensive revalidation I mentioned depends on the exact text of the official OpenSSL FIPS documents that were part of the validation of the official FIPSCANISTER, so read them carefully. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FPSCANISTER build cross compilation problem
Hi Jakob, Thank you so much for really fast reply. Our toolchain is built once and then pushed into version version control system. So the based on the repository directory, toolcain could have become inconsistent in this particular context . I'll try building the toolchain. Is it valid FIPS compliant procedure, if I create a shell script naming gcc , which calls the cross compiler passing additional flags ? Also our malloc and free has been renamed to suit custom memory allocator. So if fipscanister.o has reference to malloc and free it will have problem, when linking with final application. How to get around this problem as well ? Thanks, -Abhijit On Fri, Mar 8, 2013 at 3:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: On 3/8/2013 10:34 AM, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. I don't think you can change the CFLAGS without having to go through the entire many-thousand-dollars-and-lots-of-time official validation process again. But maybe you can get away with using a cross compiler whose default include and library directories point to the cross platform includes and libraries. Try this test to see if your cross compiler is setup to do the right thing by default: $ cat ./hello.c #include stdlib.h #include unistd.h int main(int argc, char**argv) { printf(Hello, World!\n); return 0; } Press Ctrl+D here $ /opt/gccarm-4.1.2/bin/gcc -o hello hello.c If the second command above produces a valid Hello, World for your target platform, the problem is complicated. But if it fails with errors similar to those in the FIPSCANISTER build, then your cross compiler is not correctly configured/installed, and that needs to be fixed first. All that being said, note the following caveats: - Others have reported specific problems with the final checksumming steps for the FIPSCANISTER when cross compiling. However they got a lot further than you before running in to trouble. - What you can and cannot do without that expensive revalidation I mentioned depends on the exact text of the official OpenSSL FIPS documents that were part of the validation of the official FIPSCANISTER, so read them carefully. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FPSCANISTER build cross compilation problem
On 03/08/2013 05:00 AM, Jakob Bohm wrote: On 3/8/2013 10:34 AM, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : ... Please let me know how to pass CFLAGS to the build system or how to resolve above problems. I don't think you can change the CFLAGS without having to go through the entire many-thousand-dollars-and-lots-of-time official validation process again. As with so much of FIPS 140-2 that's a grey area. We sometimes set CFLAGS (or the moral equivalent) in the build environment for the formal Operational Environment testing, e.g.: http://opensslfoundation.com/testing/validation-2.0/platforms/ios/setenv-ios.sh So you could user affirm per the provisions of section G.5 of the Implementation Guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf. On 03/08/2013 05:20 AM, Abhijit Ray Chaudhury wrote: Is it valid FIPS compliant procedure, if I create a shell script naming gcc , which calls the cross compiler passing additional flags ? Same issue. One reason the 2.0 FIPS module (validation certificate #1747) has so many platforms (over 60 now, a record for any validation) is that the sponsors of some of those platforms weren't comfortable with I.G. G.5 user affirmation. So they chose to have their platform(s) of interest formally tested. We are also currently working on another dozen some platforms. Jakob is right about the cost, at least in absolute terms; figure about US$15K and 8-12 weeks. That's expensive compared to free but in relative terms a bargain compared to the commercial alternatives. In some cases user affirmation isn't possible. That happens when the processor architecture and corresponding code path hasn't been formally tested at all. Linux on MIPS, for instance. As the number of formally tested platforms grows those gaps shrink. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FPSCANISTER build cross compilation problem
On Fri, Mar 08, 2013, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. As some other people have indicated, passing custom CFLAGS is problematical to say the least. Setting environment variables is OK though: there are various environment variables gcc understands which can specify header locations. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FPSCANISTER build cross compilation problem
Thank you all, for your kind responses and your time . I will try the http://opensslfoundation.com/testing/validation-2.0/platforms/ios/setenv-ios.sh approach and see the result. I saw the Configure script which config finally runs. It has provisions of adding some extra flags like -mcpu or include / lib directory for android armv7 platform, so I would still like to believe there could be some way of passing some flags. With Regards, -Abhijit On Fri, Mar 8, 2013 at 7:27 PM, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Mar 08, 2013, Abhijit Ray Chaudhury wrote: Hello, I am trying to cross compile FIPS compliant openssl module (openssl-fips-ecp-2.0.2.tar.gz) for linux armv4 pratform : I have used following script to setup the environment: === export MACHINE=armv4t export RELEASE=2.6.23 export SYSTEM=Linux export ARCH=arm export CROSS_COMPILE=/opt/gccarm-4.1.2/bin/ export HOSTCC=/usr/bin/gcc ./config -t Operating system: armv4t-whatever-linux2 Auto Configuring fipsonly Auto Configuring fipsonly Configuring for linux-armv4 /usr/bin/perl ./Configure linux-armv4 -Wa,--noexecstack no-bf no-camellia no-cast no-idea no-md2 no-md5 no-mdc2 no-rc2 no-rc4 no-rc5 no-ripemd no-seed == after config the make fails finding include directories : == In file included from cryptlib.c:117: cryptlib.h:62:20: error: stdlib.h: No such file or directory cryptlib.h:63:20: error: string.h: No such file or directory In file included from cryptlib.h:65, from cryptlib.c:117: ../e_os.h:444:30: error: unistd.h: No such file or directory ../e_os.h:449:29: error: sys/types.h: No such file or directory == also in my platform malloc and free is redefined to XXX_malloc and XXX_free. Please let me know how to pass CFLAGS to the build system or how to resolve above problems. As some other people have indicated, passing custom CFLAGS is problematical to say the least. Setting environment variables is OK though: there are various environment variables gcc understands which can specify header locations. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org