On Tue, May 24, 2011, ciphertexto wrote:

> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> >
> > It can take a long time to execute sometimes as it performs two slow DH
> > parameter generation operations. Retry it a few times. If it still doesn't
> > complete try:
> >
> > OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >
> > Note that the utilities in the 1.2.3 build come from an ancient version of
> > OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
> > OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
> >
> fips_test_suite hangs (stayed there for more than 24 hours). So I tried
> shlib_wrap.sh as you suggest and I got a core dump from openssl.
>
> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with
> 0.9.8r (the most recent version).
>
> $ apps/openssl version
> OpenSSL 0.9.8r-fips 8 Feb 2011
>
> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> Segmentation fault (core dumped)
>
> $ otool -c /cores/core.97244 | head -4
> /cores/core.97244:
> Argument strings on the stack at: 00007fff5fc00000
>
> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>
> $ gdb apps/openssl /cores/core.97244
> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC
> 2011)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared
> libraries .... done
>
> Reading symbols for shared libraries . done
> Reading symbols for shared libraries .... done
> #0 0x000000003f61ffff in ?? ()
> (gdb) bt
> #0 0x000000003f61ffff in ?? ()
> Cannot access memory at address 0x3f61ffff
> #1 0x00000000092ff8bb in ?? ()
> (gdb) quit
>
> So does it look like the 64-bit version of the FIPS-capable OpenSSL on
> SnowLeopard is officially broken?
>

I don't have access to that platform so can't say for sure: it could
conceivably be a compiler bug.

Can you try a debug build of fipscanister using 0.9.8r?

NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
messages get cut and pasted into cookbooks as "the right way to do things".

Something like:

    ./config -d fipscanisterbuild
    make

Then try the version command again and see where it crashes and why.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org