Cross compiling openssl-fips-1.2 for arm-linux

2010-01-12 Thread Jim . Rowe 
I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a debian-based linux filesystem. Build system is an x86-Knoppix machine. I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User Manual and Security Policy. After setting $CROSS_COMPILE and $HOSTCC as needed, I am running into a problem during the build where fipsld is trying to generate a signature. Here's the error:make[2]: Entering directory`/hda1/softw-local/uadmas/openssl/openssl-build/openssl-fips-1.2'fips/fipsld: line 121: fips/../fips/fips_premain_dso: cannot execute binaryfileThe file openssl-fips-1.2/fips/fipsld was patched with the following snippet to allow cross-compiling: # generate signature...! if [ -z "${FIPS_SIG}" ]; then! SIG=`"${THERE}/fips/fips_premain_dso" "${TARGET}"`! else! SIG=`"${FIPS_SIG}" -dso "${TARGET}"`! fiNow I'm pretty sure that fips_premain_dso is the wrong path because it is built for the ARM target. I'm having trouble figuring out what $FIPS_SIG should be set to? Do I build an x86 version of fips_premain_dso and point $FIPS_SIG to it? Thanks,Jim/*Jim Rowe*/__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Cross compiling openssl-fips-1.2 for arm-linux

2010-01-12 Thread Jim . Rowe 
I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a 
debian-based linux filesystem. Build system is an x86-Knoppix machine. 

I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User 
Manual and Security Policy. 

After setting $CROSS_COMPILE and $HOSTCC as needed, I am running into a 
problem during the build where fipsld is trying to generate a signature. 

Here's the error:
make[2]: Entering directory
`/hda1/softw-local/uadmas/openssl/openssl-build/openssl-fips-1.2'
fips/fipsld: line 121: fips/../fips/fips_premain_dso: cannot execute 
binary
file



The following section of  openssl-fips-1.2/fips/fipsld was patched when I 
applied the openssl-fips-1.2.crossbuild.patch:

# generate signature...
!   if [ -z ${FIPS_SIG} ]; then
!   SIG=`${THERE}/fips/fips_premain_dso ${TARGET}`
!   else
!   SIG=`${FIPS_SIG} -dso ${TARGET}`
!   fi

Now I'm pretty sure that fips_premain_dso is the wrong path because it is 
built for the ARM target. I'm having trouble figuring out what $FIPS_SIG 
should be set to? Do I build an x86 version of fips_premain_dso and point 
$FIPS_SIG to it? 

Thanks,
Jim Rowe
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Cross compiling openssl-fips-1.2 for arm-linux

2010-01-12 Thread Dr. Stephen Henson 
On Tue, Jan 12, 2010, jim.r...@sncorp.com wrote:

 I'm trying to build openssl-fips-1.2 for an Arm XSCALE 255 running a 
 debian-based linux filesystem. Build system is an x86-Knoppix machine. 
 
 I've applied the openssl-fips-1.2.crossbuild.patch as advised in the User 
 Manual and Security Policy. 
 
 After setting $CROSS_COMPILE and $HOSTCC as needed, I am running into a 
 problem during the build where fipsld is trying to generate a signature. 
 
 Here's the error:
 make[2]: Entering directory
 `/hda1/softw-local/uadmas/openssl/openssl-build/openssl-fips-1.2'
 fips/fipsld: line 121: fips/../fips/fips_premain_dso: cannot execute 
 binary
 file
 
 
 
 The following section of  openssl-fips-1.2/fips/fipsld was patched when I 
 applied the openssl-fips-1.2.crossbuild.patch:
 
 # generate signature...
 !   if [ -z ${FIPS_SIG} ]; then
 !   SIG=`${THERE}/fips/fips_premain_dso ${TARGET}`
 !   else
 !   SIG=`${FIPS_SIG} -dso ${TARGET}`
 !   fi
 
 Now I'm pretty sure that fips_premain_dso is the wrong path because it is 
 built for the ARM target. I'm having trouble figuring out what $FIPS_SIG 
 should be set to? Do I build an x86 version of fips_premain_dso and point 
 $FIPS_SIG to it? 
 

During a normal build (i.e. not cross compiling) OpenSSL would initially run
the executable or run fips_dso against a shared library. This would output the
signature to standard output and that signature would be used to relink the
target.

When cross compiling this can't be done because you need to run an executable
on the target system to get the signature. So fips_dso is correct but it just
can't be run on the host.

You have two options here.

One is to write a script that copies the files to the target system, executes
them and then returns the signature. The script should be set in the
environment variable FIPS_SIG and usage is:

$FIPS_SIG -dso target_share_library
$FIPS_SIG -exe target_exectutable

Since that process will vary from one system to another we can't write a
general solution for OpenSSL.

The other is to download the incore script from:

http://www.openssl.org/docs/fips/incore.gz

This attempts to do everything on the host system. It should work but during
testing the offset value did need changing sometimes. If you get signature
errors on the target system that's the most likely cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org