On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
> On Tue, May 24, 2011, ciphertexto wrote:
>
>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>
>>> It can take a long time to execute sometimes as it performs two slow DH
>>> parameter generation operations. Retry it a few times. If it still doesn't
>>> complete try:
>>>
>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>
>>> Note that the utilities in the 1.2.3 build come from an ancient version of
>>> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
>>> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>
>>
>> fips_test_suite hangs (stayed there for more than 24 hours). So I tried
>> shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>
>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with
>> 0.9.8r (the most recent version).
>>
>> $ apps/openssl version
>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>
>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>> Segmentation fault (core dumped)
>>
>> $ otool -c /cores/core.97244 | head -4
>> /cores/core.97244:
>> Argument strings on the stack at: 00007fff5fc00000
>>
>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>
>> $ gdb apps/openssl /cores/core.97244
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC
>> 2011)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for
>> shared libraries .... done
>>
>> Reading symbols for shared libraries . done
>> Reading symbols for shared libraries .... done
>> #0 0x000000003f61ffff in ?? ()
>> (gdb) bt
>> #0 0x000000003f61ffff in ?? ()
>> Cannot access memory at address 0x3f61ffff
>> #1 0x00000000092ff8bb in ?? ()
>> (gdb) quit
>>
>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on
>> SnowLeopard is officially broken?
>>
>
> I don't have access to that platform so can't say for sure: it could
> conceivably be a compiler bug.
>
> Can you try a debug build of fipscanitsr using 0.9.8r?
>
> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
> LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as
> some
> messages get cut and pasted into cookbooks as "the right way to do things".
>
> Something like:
>
> ./config -d fipscanisterbuild
> make
Here is what I get with the -d option:
$ ./config -d fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29
15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
This system (debug-darwin-i386-cc) is not supported. See file INSTALL for
details.
And without the -d option, I get the following:
$ ./config fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29
15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
Notice that it configures for "darwin-i386-cc" which I believe it is incorrect.
I am thinking that it should configure for "darwin64-x86_64-cc" instead.
And my system details are:
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869
$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1
$ ioreg -l -p IODeviceTree | grep firmware-abi
| | "firmware-abi" = <"EFI64">
What to do?
Thanks,
Bill
>
> Then try the version command again and see where it crashes and why.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
