Yes, I think that's a reasonable solution. The new test was added together with the bugfix as a regression test. Disabling it would bring you back to the earlier state without any further regression.
Cheers, Emilia On Thu, Oct 16, 2014 at 5:37 PM, Russell Selph <[email protected]> wrote: > Thanks. We're going ahead with patching 0.9.8zc to ignore this test. I'm > not sure if it's the "right" solution, but given that 0.9.8 is EOL, and > therefore FIPS 1.2.4 is VERY unlikely to ever be updated, would it be > reasonable to have 0.9.8 disable this test when doing a FIPS build? > > I only ask this because our customers are not generally comfortable with > statements like "You can't have FIPS any more," or "It passes all the tests > but one." I'd be happy to put together the patch to accomplish this, if it > could be incorporated into the trunk for 0.9.8. > > Thanks again for you help! > > -russ > > On Oct 16, 2014, at 8:29 AM, Dr. Stephen Henson <[email protected]> wrote: > > On Wed, Oct 15, 2014, Russell Selph wrote: > > > Apologies if this is a duplicate post. I tried first via Google Groups, > but > > apparently it's read-only. ;-) > > > > Has anyone else built 0.9.8zc with FIPS 1.2.4? I've been unable to get a > > build that passes the 'make test' phase. I'm using build scripts that > > worked for 0.9.8.zb. (More details on the scripts below.) This is > > happening on Linux RHEL5 (gcc 4.1.2), Mac OS X 10.9.5 (Xcode 6.0.1), as > well > > as Windows 7 (VS 2010). > > > > Off hand, it seems like this kind of failure could be accounted for by > > something fundamental, such as an incompatible API change in libcrypto, > or a > > word size mismatch between the FIPS and the libssl builds. I'm about to > > start digging through the diffs to get a handle on this, but I was > wondering > > if I'm alone in having this problem. Any information about experiences > > positive or negative would be very helpful. > > > > The cause is a sanity check in exptest that x ** 0 mod 1 == 0. > > The BN library in OpenSSL itself was fixed to cover this case but the FIPS > capable OpenSSL uses the BN library in the 1.2.x FIPS module which can't be > fixed. See commit: > > 45d129511ff0b43be9a4271133c9ee22658ff07e > > This doesn't affect the normal operation of the FIPS modules so it can be > ignored. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [email protected] > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [email protected] >
