Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On 05/24/2011 08:58 PM, Bill Durant wrote:
> ...
>> Ah that explains it. There is no darwin64-x86_64-cc target for the validated tarball so it isn't supported. It is possible to add new platforms via a change letter but so far no one has been interested in including that one.
>
> What is the procedure for a change letter? How do I make the request to add darwin64-x86_64-cc in the validated tarball?
>
> Thanks,
> Bill

Change letters are performed by the vendor of record which in this case (certificate #1051) is the Open Source Software Institute (OSSI). OSF has a close working relationship with OSSI and we manage the change letter process for them.

The cost varies depending on the platform(s) and nature of the change but is in the ballpark of US$10K for one uncomplicated platform. One big appeal of the change letter mod process is that results can usually be obtained in weeks instead of the many months needed for a new validation.

My contact info is below if you want more info.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Mon, May 23, 2011, ciphertexto wrote:
> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>> Hello,
>>>
>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>
>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>> ./config fipscanisterbuild
>>> make
>>> make test (fips_shatest and openssl core dump at this step)
>>
>> Does fips_test_suite run OK?
>
> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>
> =
> $ ./fips_test_suite
> FIPS-mode test application
>
> 1. Non-Approved cryptographic operation test...
> =
>
> The CPU is at 100% on fips_test_suite. It does not get past that.
>
> Any ideas?

It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.

If it still doesn't complete try:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a

Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> On Mon, May 23, 2011, ciphertexto wrote:
>> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>>> On Sun, May 22, 2011, Bill Durant wrote:
>>>> Hello,
>>>>
>>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>>
>>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>>
>>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>>
>>>> For example:
>>>>
>>>> ./config fipscanisterbuild
>>>> make
>>>> make test (fips_shatest and openssl core dump at this step)
>>>
>>> Does fips_test_suite run OK?
>>
>> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>>
>> =
>> $ ./fips_test_suite
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> =
>>
>> The CPU is at 100% on fips_test_suite. It does not get past that.
>>
>> Any ideas?
>
> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>
> If it still doesn't complete try:
>
> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>
> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

fips_test_suite hangs (stayed there for more than 24 hours).

So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.

I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).

$ apps/openssl version
OpenSSL 0.9.8r-fips 8 Feb 2011

$ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
Segmentation fault (core dumped)

$ otool -c /cores/core.97244 | head -4
/cores/core.97244:
Argument strings on the stack at: 7fff5fc0
/Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl

$ gdb apps/openssl /cores/core.97244
GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
Reading symbols for shared libraries . done
Reading symbols for shared libraries done
#0 0x3f61 in ?? ()
(gdb) bt
#0 0x3f61 in ?? ()
Cannot access memory at address 0x3f61
#1 0x092ff8bb in ?? ()
(gdb) quit

So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

Thanks,
Bill

> Steve.
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011, ciphertexto wrote:
> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>
>> If it still doesn't complete try:
>>
>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>
>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>
> fips_test_suite hangs (stayed there for more than 24 hours).
>
> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>
> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>
> $ apps/openssl version
> OpenSSL 0.9.8r-fips 8 Feb 2011
>
> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> Segmentation fault (core dumped)
>
> $ otool -c /cores/core.97244 | head -4
> /cores/core.97244:
> Argument strings on the stack at: 7fff5fc0
> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>
> $ gdb apps/openssl /cores/core.97244
> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
> Type show copying to see the conditions.
> There is absolutely no warranty for GDB. Type show warranty for details.
> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
> Reading symbols for shared libraries . done
> Reading symbols for shared libraries done
> #0 0x3f61 in ?? ()
> (gdb) bt
> #0 0x3f61 in ?? ()
> Cannot access memory at address 0x3f61
> #1 0x092ff8bb in ?? ()
> (gdb) quit
>
> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug. Can you try a debug build of fipscanister using 0.9.8r?

NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.

Something like:

./config -d fipscanisterbuild
make

Then try the version command again and see where it crashes and why.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
> On Tue, May 24, 2011, ciphertexto wrote:
>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>
>>> If it still doesn't complete try:
>>>
>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>
>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>
>> fips_test_suite hangs (stayed there for more than 24 hours).
>>
>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>
>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>
>> $ apps/openssl version
>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>
>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>> Segmentation fault (core dumped)
>>
>> $ otool -c /cores/core.97244 | head -4
>> /cores/core.97244:
>> Argument strings on the stack at: 7fff5fc0
>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>
>> $ gdb apps/openssl /cores/core.97244
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
>> Type show copying to see the conditions.
>> There is absolutely no warranty for GDB. Type show warranty for details.
>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>> Reading symbols for shared libraries . done
>> Reading symbols for shared libraries done
>> #0 0x3f61 in ?? ()
>> (gdb) bt
>> #0 0x3f61 in ?? ()
>> Cannot access memory at address 0x3f61
>> #1 0x092ff8bb in ?? ()
>> (gdb) quit
>>
>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>
> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug. Can you try a debug build of fipscanister using 0.9.8r?
>
> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>
> Something like:
>
> ./config -d fipscanisterbuild
> make

Here is what I get with the -d option:

$ ./config -d fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
This system (debug-darwin-i386-cc) is not supported.
See file INSTALL for details.

And without the -d option, I get the following:

$ ./config fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)

Notice that it configures for darwin-i386-cc which I believe is incorrect.

I am thinking that it should configure for darwin64-x86_64-cc instead.

And my system details are:

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
| | firmware-abi = EFI64

What to do?

Thanks,
Bill

> Then try the version command again and see where it crashes and why.
>
> Steve.
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011, Bill Durant wrote:
> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
>> On Tue, May 24, 2011, ciphertexto wrote:
>>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>>
>>>> If it still doesn't complete try:
>>>>
>>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>>
>>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>>
>>> fips_test_suite hangs (stayed there for more than 24 hours).
>>>
>>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>>
>>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>>
>>> $ apps/openssl version
>>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>>
>>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>> Segmentation fault (core dumped)
>>>
>>> $ otool -c /cores/core.97244 | head -4
>>> /cores/core.97244:
>>> Argument strings on the stack at: 7fff5fc0
>>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>>
>>> $ gdb apps/openssl /cores/core.97244
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
>>> Type show copying to see the conditions.
>>> There is absolutely no warranty for GDB. Type show warranty for details.
>>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>>> Reading symbols for shared libraries . done
>>> Reading symbols for shared libraries done
>>> #0 0x3f61 in ?? ()
>>> (gdb) bt
>>> #0 0x3f61 in ?? ()
>>> Cannot access memory at address 0x3f61
>>> #1 0x092ff8bb in ?? ()
>>> (gdb) quit
>>>
>>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>
>> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug. Can you try a debug build of fipscanister using 0.9.8r?
>>
>> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>>
>> Something like:
>>
>> ./config -d fipscanisterbuild
>> make
>
> Here is what I get with the -d option:
>
> $ ./config -d fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> This system (debug-darwin-i386-cc) is not supported.
> See file INSTALL for details.
>
> And without the -d option, I get the following:
>
> $ ./config fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> Configuring for darwin-i386-cc
> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>
> Notice that it configures for darwin-i386-cc which I believe is incorrect.
>
> I am thinking that it should configure for darwin64-x86_64-cc instead.

Ah that explains it. There is no darwin64-x86_64-cc target for the validated tarball so it isn't supported. It is possible to add new platforms via a change letter but so far no one has been interested in including that one.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
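The two checks this exchange turns on, as an added example (not code from the thread or from the OpenSSL project): whether the target `./config` selected exists in the tarball's `Configure` table, and whether the built object has the architecture that target name implies. The sample `./config` output, `Configure` fragment and 8-byte Mach-O headers are constructed; the `"name",` table layout and the target-name-to-architecture mapping are assumptions.

```shell
#!/bin/sh
# Added example: read-only pre-build checks; nothing here modifies a source tree.

# Print the target named on the first "Configuring for ..." line of saved
# ./config output.
guessed_target() {
    sed -n 's/^Configuring for \([^ ]*\).*$/\1/p' "$1" | head -n 1
}

# Succeed if TARGET ($2) is a key in the %table of the Configure script ($1).
# Assumption: each entry starts a line as "name","compiler:flags...",
target_in_table() {
    grep -q "^\"$2\"," "$1"
}

# Architecture a Darwin target name implies (assumed mapping).
target_arch() {
    case "$1" in
        darwin64-x86_64-*)                 echo x86_64 ;;
        darwin-i386-*|debug-darwin-i386-*) echo i386 ;;
        *)                                 echo unknown ;;
    esac
}

# Architecture recorded in a thin little-endian Mach-O header: 4 bytes of
# magic (0xfeedface = 32-bit, 0xfeedfacf = 64-bit), then 4 bytes of cputype.
macho_arch() {
    hdr=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hdr" in
        cefaedfe07000000) echo i386 ;;    # MH_MAGIC,    CPU_TYPE_X86
        cffaedfe07000001) echo x86_64 ;;  # MH_MAGIC_64, CPU_TYPE_X86_64
        cafebabe*)        echo fat ;;     # universal file: inspect each slice
        *)                echo unknown ;;
    esac
}

# check_build CONFIG_LOG CONFIGURE OBJECT: print one verdict line and
# return non-zero unless target and object agree.
check_build() {
    target=$(guessed_target "$1")
    if [ -z "$target" ]; then
        echo "no-target"; return 1
    fi
    if ! target_in_table "$2" "$target"; then
        echo "unsupported-target: $target"; return 1
    fi
    want=$(target_arch "$target")
    built=$(macho_arch "$3")
    if [ "$want" != "$built" ]; then
        echo "arch-mismatch: target=$target implies $want, object is $built"
        return 1
    fi
    echo "ok: $target"
}

# Write constructed sample inputs into directory $1.
make_samples() {
    printf '%s\n' \
        'Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0' \
        'Configuring for darwin-i386-cc' > "$1/config.log"
    printf '%s\n' 'Configuring for darwin64-x86_64-cc' > "$1/config64.log"
    cat > "$1/Configure" <<'EOF'
my %table=(
"darwin-ppc-cc","cc:(constructed entry, flags elided)",
"darwin-i386-cc","cc:(constructed entry, flags elided)",
);
EOF
    printf '\316\372\355\376\007\000\000\000' > "$1/obj32.o"  # 32-bit header
    printf '\317\372\355\376\007\000\000\001' > "$1/obj64.o"  # 64-bit header
}

# Demo on the constructed samples: an i386 target with a 64-bit object, then
# a 64-bit target that the table does not list.
demo=$(mktemp -d)
make_samples "$demo"
check_build "$demo/config.log"   "$demo/Configure" "$demo/obj64.o" || true
check_build "$demo/config64.log" "$demo/Configure" "$demo/obj64.o" || true
rm -rf "$demo"
```

On a real tree the three arguments would be the saved output of `./config`, the tarball's own `Configure`, and the object that was built.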
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 5:42 PM, Dr. Stephen Henson wrote:
> On Tue, May 24, 2011, Bill Durant wrote:
>> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
>>> On Tue, May 24, 2011, ciphertexto wrote:
>>>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>>>
>>>>> If it still doesn't complete try:
>>>>>
>>>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>>>
>>>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>>>
>>>> fips_test_suite hangs (stayed there for more than 24 hours).
>>>>
>>>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>>>
>>>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>>>
>>>> $ apps/openssl version
>>>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>>>
>>>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>> Segmentation fault (core dumped)
>>>>
>>>> $ otool -c /cores/core.97244 | head -4
>>>> /cores/core.97244:
>>>> Argument strings on the stack at: 7fff5fc0
>>>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>>>
>>>> $ gdb apps/openssl /cores/core.97244
>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>>>> Copyright 2004 Free Software Foundation, Inc.
>>>> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
>>>> Type show copying to see the conditions.
>>>> There is absolutely no warranty for GDB. Type show warranty for details.
>>>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>>>> Reading symbols for shared libraries . done
>>>> Reading symbols for shared libraries done
>>>> #0 0x3f61 in ?? ()
>>>> (gdb) bt
>>>> #0 0x3f61 in ?? ()
>>>> Cannot access memory at address 0x3f61
>>>> #1 0x092ff8bb in ?? ()
>>>> (gdb) quit
>>>>
>>>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>>
>>> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug. Can you try a debug build of fipscanister using 0.9.8r?
>>>
>>> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>>>
>>> Something like:
>>>
>>> ./config -d fipscanisterbuild
>>> make
>>
>> Here is what I get with the -d option:
>>
>> $ ./config -d fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> This system (debug-darwin-i386-cc) is not supported.
>> See file INSTALL for details.
>>
>> And without the -d option, I get the following:
>>
>> $ ./config fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> Configuring for darwin-i386-cc
>> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>>
>> Notice that it configures for darwin-i386-cc which I believe is incorrect.
>>
>> I am thinking that it should configure for darwin64-x86_64-cc instead.
>
> Ah that explains it. There is no darwin64-x86_64-cc target for the validated tarball so it isn't supported. It is possible to add new platforms via a change letter but so far no one has been interested in including that one.

What is the procedure for a change letter? How do I make the request to add darwin64-x86_64-cc in the validated tarball?

Thanks,
Bill

> Steve.
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Sun, May 22, 2011, Bill Durant wrote:
> Hello,
>
> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>
> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>
> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>
> For example:
>
> ./config fipscanisterbuild
> make
> make test (fips_shatest and openssl core dump at this step)

Does fips_test_suite run OK?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
> On Sun, May 22, 2011, Bill Durant wrote:
>> Hello,
>>
>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>
>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>
>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>
>> For example:
>>
>> ./config fipscanisterbuild
>> make
>> make test (fips_shatest and openssl core dump at this step)
>
> Does fips_test_suite run OK?

I ran fips_test_suite and it has been pegged for almost two hours on the following:

=
$ ./fips_test_suite
FIPS-mode test application

1. Non-Approved cryptographic operation test...
=

The CPU is at 100% on fips_test_suite. It does not get past that.

Any ideas?

Thanks,
Bill

> Steve.
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011 at 12:05 AM, ciphertexto cipherte...@gmail.com wrote:
> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>> Hello,
>>>
>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>
>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>> ./config fipscanisterbuild
>>> make
>>> make test (fips_shatest and openssl core dump at this step)
>>
>> Does fips_test_suite run OK?

[SNIP]

Not for me with 10.6.7 (from About the Mac) on a Core 2 Duo.

jeffrey@newton~/openssl-fips-1.2$ uname -a
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

../util/shlib_wrap.sh ./sha512t
Testing SHA-512 ... passed.
Testing SHA-384 ... passed.
if [ -n libcrypto ]; then \
../util/shlib_wrap.sh ./fips_shatest SHAmix.req | diff -w SHAmix.fax - ; \
fi
1,129d0
[L = 64]
Len = 16
Msg = 98a1
MD = 74d78642f70ca830bec75fc60a585917e388cfa4cd1d23daab1c4d9ff1010cac3e67275df64db5a6a7c7d0fda24f1fc3eb272678a7c8becff6743ee812129078
...
Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
Hello,

Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?

I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.

But fips_shatest and the openssl command are core dumping when I do a 'make test'

For example:

./config fipscanisterbuild
make
make test (fips_shatest and openssl core dump at this step)

No such core dumps occur when I build the 32-bit version of the fipscanister under Mac OS X 10.5.8 (Leopard).

Furthermore, FIPS_mode_set() core dumps in EVP_SignFinal() with a 64-bit version of a FIPS-capable OpenSSL built with this fipscanister, on Mac OS X 10.6.7.

I get the same results with openssl-fips-1.2.2 and when building the fipscanister with the no-asm option (tried with both openssl-fips-1.2.2 and openssl-fips-1.2.3).

So it is looking like it is not possible to build a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7.

Does anyone have any input on this? Is there some magic that I am missing to make this work?

Here is a sample build that shows the problem:

$ uname -a
Darwin cactus 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
| | firmware-abi = EFI64

$ ls -aldt /cores/*
ls: /cores/*: No such file or directory

$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 256
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 266
virtual memory (kbytes, -v) unlimited

$ curl -L -O http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz

$ gunzip -c openssl-fips-1.2.3.tar.gz | tar xf -

$ cd openssl-fips-1.2.3

$ ./config fipscanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
Configuring for darwin-i386-cc
no-asm [forced] OPENSSL_NO_ASM
no-camellia [default] OPENSSL_NO_CAMELLIA (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-mdc2 [default] OPENSSL_NO_MDC2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-seed [default] OPENSSL_NO_SEED (skip dir)
no-sse2 [forced]
no-zlib [default]
no-zlib-dynamic [default]
IsMK1MF=0
CC=cc
CFLAG =-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common
EX_LIBS =
CPUID_OBJ =
BN_ASM=bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
AES_ASM_OBJ =aes_core.o aes_cbc.o
BF_ENC=bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =386
RANLIB=/usr/bin/ranlib
ARFLAGS =
PERL =/usr/bin/perl