On Tue, May 24, 2011, Bill Durant wrote:

> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
> > On Tue, May 24, 2011, ciphertexto wrote:
> > 
> >> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> >>> 
> >>> It can take a long time to execute sometimes as it performs two slow DH
> >>> parameter generation operations. Retry it a few times. If it still doesn't
> >>> complete try:
> >>> 
> >>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >>> 
> >>> Note that the utilities in the 1.2.3 build come from an ancient version of
> >>> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
> >>> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
> >> 
> >> 
> >> fips_test_suite hangs (stayed there for more than 24 hours).  So I tried 
> >> shlib_wrap.sh as you suggest and I got a core dump from openssl.
> >> 
> >> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o 
> >> with 0.9.8r (the most recent version).
> >> 
> >> $ apps/openssl version
> >> OpenSSL 0.9.8r-fips 8 Feb 2011
> >> 
> >> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >> Segmentation fault (core dumped)
> >> 
> >> $ otool -c /cores/core.97244 | head -4
> >> /cores/core.97244:
> >> Argument strings on the stack at: 00007fff5fc00000
> >>    /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
> >> 
> >> $ gdb apps/openssl /cores/core.97244 
> >> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
> >> Copyright 2004 Free Software Foundation, Inc.
> >> GDB is free software, covered by the GNU General Public License, and you are
> >> welcome to change it and/or distribute copies of it under certain conditions.
> >> Type "show copying" to see the conditions.
> >> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> >> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done
> >> 
> >> Reading symbols for shared libraries . done
> >> Reading symbols for shared libraries .... done
> >> #0  0x000000003f61ffff in ?? ()
> >> (gdb) bt
> >> #0  0x000000003f61ffff in ?? ()
> >> Cannot access memory at address 0x3f61ffff
> >> #1  0x00000000092ff8bb in ?? ()
> >> (gdb) quit
> >> 
> >> So does it look like the 64-bit version of the FIPS-capable OpenSSL on 
> >> SnowLeopard is officially broken?
> >> 
> > 
> > I don't have access to that platform so can't say for sure: it could
> > conceivably be a compiler bug.
> > 
> > Can you try a debug build of fipscanister using 0.9.8r?
> > 
> > NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
> > LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as
> > some messages get cut and pasted into cookbooks as "the right way to do
> > things".
> > 
> > Something like:
> > 
> > ./config -d fipscanisterbuild
> > make
> 
> 
> Here is what I get with the -d option:
> 
> $ ./config -d fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.
> 
> And without the -d option, I get the following:
> 
> $ ./config fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> Configuring for darwin-i386-cc
> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
> 
> Notice that it configures for "darwin-i386-cc", which I believe is
> incorrect.  I am thinking that it should configure for "darwin64-x86_64-cc"
> instead.
> 

Ah that explains it. There is no darwin64-x86_64-cc target for the validated
tarball so it isn't supported. It is possible to add new platforms via a
change letter but so far no one has been interested in including that one.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org