Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7


Bill Durant
Hello,

Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?

I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.

But fips_shatest and the openssl command are core dumping when I do a 'make test'

For example:

./config fipscanisterbuild
make
make test (fips_shatest and openssl core dump at this step)

No such core dumps occur when I build the 32-bit version of the fipscanister under Mac OS X 10.5.8 (Leopard).

Furthermore, FIPS_mode_set() core dumps in EVP_SignFinal() with a 64-bit version of a FIPS-capable OpenSSL built with this fipscanister, on Mac OS X 10.6.7.

I get the same results with openssl-fips-1.2.2 and when building the fipscanister with the no-asm option (tried with both openssl-fips-1.2.2 and openssl-fips-1.2.3).

So it is looking like it is not possible to build a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7.

Does anyone have any input on this?  Is there some magic that I am missing to make this work?

Here is a sample build that shows the problem:

$ uname -a
Darwin cactus 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
    | |   "firmware-abi" = <"EFI64">

$ ls -aldt /cores/*
ls: /cores/*: No such file or directory

$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
file size               (blocks, -f) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 256
pipe size            (512 bytes, -p) 1
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 266
virtual memory          (kbytes, -v) unlimited

$ curl -L -O http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

100 3682k  100 3682k    0     0   238k      0  0:00:15  0:00:15 --:--:--  134k

$ gunzip -c openssl-fips-1.2.3.tar.gz | tar xf -

$ cd openssl-fips-1.2.3

$ ./config fipscanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
Configuring for darwin-i386-cc
    no-asm          [forced]   OPENSSL_NO_ASM
    no-camellia     [default]  OPENSSL_NO_CAMELLIA (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-mdc2         [default]  OPENSSL_NO_MDC2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-seed         [default]  OPENSSL_NO_SEED (skip dir)
    no-sse2         [forced]  
    no-zlib         [default]
    no-zlib-dynamic [default]
IsMK1MF=0
CC            =cc
CFLAG         =-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common
EX_LIBS       =
CPUID_OBJ     =
BN_ASM        =bn_asm.o
DES_ENC       =des_enc.o fcrypt_b.o
AES_ASM_OBJ   =aes_core.o aes_cbc.o
BF_ENC        =bf_enc.o
CAST_ENC      =c_enc.o
RC4_ENC       =rc4_enc.o
RC5_ENC       =rc5_enc.o
MD5_OBJ_ASM   =
SHA1_OBJ_ASM  =
RMD160_OBJ_ASM=
PROCESSOR     =386
RANLIB        =/usr/bin/ranlib
ARFLAGS       =
PERL          =/usr/bin/perl
THIRTY_TWO_BIT mode
DES_UNROLL used
BN_LLONG mode
RC4 uses uchar
RC4_CHUNK is unsigned long
BF_PTR used
e_os2.h => include/openssl/e_os2.h
making links in crypto...
crypto.h => ../include/openssl/crypto.h
tmdiff.h => ../include/openssl/tmdiff.h
opensslv.h => ../include/openssl/opensslv.h
opensslconf.h => ../include/openssl/opensslconf.h
ebcdic.h => ../include/openssl/ebcdic.h
symhacks.h => ../include/openssl/symhacks.h
ossl_typ.h => ../include/openssl/ossl_typ.h
making links in crypto/objects...
objects.h => ../../include/openssl/objects.h
obj_mac.h => ../../include/openssl/obj_mac.h
making links in crypto/md2...
md2.h => ../../include/openssl/md2.h
md2test.c => ../../test/md2test.c
making links in crypto/md4...
md4.h => ../../include/openssl/md4.h
md4test.c => ../../test/md4test.c
md4.c => ../../apps/md4.c
making links in crypto/md5...
md5.h => ../../include/openssl/md5.h
md5test.c => ../../test/md5test.c
making links in crypto/sha...
sha.h => ../../include/openssl/sha.h
shatest.c => ../../test/shatest.c
sha1test.c => ../../test/sha1test.c
sha256t.c => ../../test/sha256t.c
sha512t.c => ../../test/sha512t.c
making links in crypto/hmac...
hmac.h => ../../include/openssl/hmac.h
hmactest.c => ../../test/hmactest.c
making links in crypto/ripemd...
ripemd.h => ../../include/openssl/ripemd.h
rmdtest.c => ../../test/rmdtest.c
making links in crypto/des...
des.h => ../../include/openssl/des.h
des_old.h => ../../include/openssl/des_old.h
destest.c => ../../test/destest.c
making links in crypto/aes...
aes.h => ../../include/openssl/aes.h
making links in crypto/rc2...
rc2.h => ../../include/openssl/rc2.h
rc2test.c => ../../test/rc2test.c
making links in crypto/rc4...
rc4.h => ../../include/openssl/rc4.h
rc4test.c => ../../test/rc4test.c
making links in crypto/idea...
idea.h => ../../include/openssl/idea.h
ideatest.c => ../../test/ideatest.c
making links in crypto/bf...
blowfish.h => ../../include/openssl/blowfish.h
bftest.c => ../../test/bftest.c
making links in crypto/cast...
cast.h => ../../include/openssl/cast.h
casttest.c => ../../test/casttest.c
making links in crypto/bn...
bn.h => ../../include/openssl/bn.h
bntest.c => ../../test/bntest.c
exptest.c => ../../test/exptest.c
making links in crypto/ec...
ec.h => ../../include/openssl/ec.h
ectest.c => ../../test/ectest.c
making links in crypto/rsa...
rsa.h => ../../include/openssl/rsa.h
rsa_test.c => ../../test/rsa_test.c
making links in crypto/dsa...
dsa.h => ../../include/openssl/dsa.h
dsatest.c => ../../test/dsatest.c
making links in crypto/ecdsa...
ecdsa.h => ../../include/openssl/ecdsa.h
ecdsatest.c => ../../test/ecdsatest.c
making links in crypto/dh...
dh.h => ../../include/openssl/dh.h
dhtest.c => ../../test/dhtest.c
making links in crypto/ecdh...
ecdh.h => ../../include/openssl/ecdh.h
ecdhtest.c => ../../test/ecdhtest.c
making links in crypto/dso...
dso.h => ../../include/openssl/dso.h
making links in crypto/engine...
engine.h => ../../include/openssl/engine.h
enginetest.c => ../../test/enginetest.c
making links in crypto/buffer...
buffer.h => ../../include/openssl/buffer.h
making links in crypto/bio...
bio.h => ../../include/openssl/bio.h
making links in crypto/stack...
stack.h => ../../include/openssl/stack.h
safestack.h => ../../include/openssl/safestack.h
making links in crypto/lhash...
lhash.h => ../../include/openssl/lhash.h
making links in crypto/rand...
rand.h => ../../include/openssl/rand.h
randtest.c => ../../test/randtest.c
making links in crypto/err...
err.h => ../../include/openssl/err.h
making links in crypto/evp...
evp.h => ../../include/openssl/evp.h
evp_test.c => ../../test/evp_test.c
cp evptests.txt ../../test
making links in crypto/asn1...
asn1.h => ../../include/openssl/asn1.h
asn1_mac.h => ../../include/openssl/asn1_mac.h
asn1t.h => ../../include/openssl/asn1t.h
making links in crypto/pem...
pem.h => ../../include/openssl/pem.h
pem2.h => ../../include/openssl/pem2.h
making links in crypto/x509...
x509.h => ../../include/openssl/x509.h
x509_vfy.h => ../../include/openssl/x509_vfy.h
making links in crypto/x509v3...
x509v3.h => ../../include/openssl/x509v3.h
making links in crypto/conf...
conf.h => ../../include/openssl/conf.h
conf_api.h => ../../include/openssl/conf_api.h
making links in crypto/txt_db...
txt_db.h => ../../include/openssl/txt_db.h
making links in crypto/pkcs7...
pkcs7.h => ../../include/openssl/pkcs7.h
making links in crypto/pkcs12...
pkcs12.h => ../../include/openssl/pkcs12.h
making links in crypto/comp...
comp.h => ../../include/openssl/comp.h
making links in crypto/ocsp...
ocsp.h => ../../include/openssl/ocsp.h
making links in crypto/ui...
ui.h => ../../include/openssl/ui.h
ui_compat.h => ../../include/openssl/ui_compat.h
making links in crypto/krb5...
krb5_asn.h => ../../include/openssl/krb5_asn.h
making links in crypto/store...
store.h => ../../include/openssl/store.h
making links in crypto/pqueue...
pqueue.h => ../../include/openssl/pqueue.h
pq_compat.h => ../../include/openssl/pq_compat.h
making links in fips...
fips.h => ../include/openssl/fips.h
fips_test_suite.c => ../test/fips_test_suite.c
making links in fips/sha...
fips_shatest.c => ../../test/fips_shatest.c
cp SHAmix.req SHAmix.fax ../../test
making links in fips/rand...
fips_rand.h => ../../include/openssl/fips_rand.h
fips_randtest.c => ../../test/fips_randtest.c
fips_rngvs.c => ../../test/fips_rngvs.c
making links in fips/des...
fips_desmovs.c => ../../test/fips_desmovs.c
making links in fips/aes...
fips_aesavs.c => ../../test/fips_aesavs.c
fips_aes_data => ../../test/fips_aes_data
making links in fips/dsa...
fips_dsatest.c => ../../test/fips_dsatest.c
fips_dssvs.c => ../../test/fips_dssvs.c
making links in fips/rsa...
fips_rsavtest.c => ../../test/fips_rsavtest.c
fips_rsastest.c => ../../test/fips_rsastest.c
fips_rsagtest.c => ../../test/fips_rsagtest.c
making links in fips/dh...
making links in fips/hmac...
fips_hmactest.c => ../../test/fips_hmactest.c
making links in ssl...
ssl.h => ../include/openssl/ssl.h
ssl2.h => ../include/openssl/ssl2.h
ssl3.h => ../include/openssl/ssl3.h
ssl23.h => ../include/openssl/ssl23.h
tls1.h => ../include/openssl/tls1.h
dtls1.h => ../include/openssl/dtls1.h
kssl.h => ../include/openssl/kssl.h
ssltest.c => ../test/ssltest.c
making links in engines...
make[1]: Nothing to be done for `links'.
making links in apps...
make[1]: Nothing to be done for `links'.
making links in test...
make[1]: Nothing to be done for `links'.
making links in tools...
make[1]: Nothing to be done for `links'.
generating dummy tests (if needed)...
make[1]: Nothing to be done for `generate'.

Configured for darwin-i386-cc.

WARNING: OpenSSL has been configured to generate a fipscanister.o object module.
That compiled module is NOT FIPS 140-2 validated or suitable for use in
satisfying a requirement for the use of FIPS 140-2 validated cryptography
UNLESS the requirements of the Security Policy are followed exactly (see
http://openssl.org/docs/fips/ or http://csrc.nist.gov/cryptval/).


=====> Build the FIPS canister
$ make
if [ -n "libcrypto" ]; then \
                EXCL_OBJ='aes_core.o aes_cbc.o bn_asm.o des_enc.o fcrypt_b.o   ../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o ../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o ../crypto/bn/bn_mul.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o
fips_test_suite.c:580: warning: format not a string literal and no format arguments
( :; LIBDEPS="${LIBDEPS:--Wl,-search_paths_first ../fips/fipscanister.o }"; LDCMD="${LDCMD:-../fips/fipsld}"; LDFLAGS="${LDFLAGS:--fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}"; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=fips_test_suite} fips_test_suite.o ${LIBDEPS} )  
...
...
<snip>
...
...
../fips/fips_premain.c: In function 'FINGERPRINT_premain':
../fips/fips_premain.c:94: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:109: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:115: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c: In function 'FINGERPRINT_premain':
../fips/fips_premain.c:94: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:109: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:115: warning: incompatible implicit declaration of built-in function '_exit'
cc -I.. -I../include  -I../fips -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common   -c -o dummytest.o dummytest.c
( :; LIBDEPS="${LIBDEPS:--Wl,-search_paths_first -L.. -lssl -L.. -lcrypto  }"; LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}"; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=dummytest} dummytest.o ${LIBDEPS} )
making all in tools...
make[1]: Nothing to be done for `all'.

=====> Run the FIPS tests
$ make test
Doing certs
aol1.pem => .0
WARNING: Skipping duplicate certificate aol2.pem
WARNING: Skipping duplicate certificate aoltw1.pem
WARNING: Skipping duplicate certificate aoltw2.pem
WARNING: Skipping duplicate certificate argena.pem
WARNING: Skipping duplicate certificate argeng.pem
WARNING: Skipping duplicate certificate eng1.pem
WARNING: Skipping duplicate certificate eng2.pem
WARNING: Skipping duplicate certificate eng3.pem
WARNING: Skipping duplicate certificate eng4.pem
...
...
<snip>
...
...
< MD = 2cbc07b9b9c819b8fd38d8a614a8a9c3fa7e40ee
make[1]: *** [test_sha] Error 1
make: *** [tests] Error 2

=====> Check that core dumps exist after running the FIPS tests (19 out of 20 core dumps are from the openssl command; only one is from fips_shatest)
$ ls -aldt /cores/*
-r--------  1 alicate  admin  284196864 May 21 22:19 /cores/core.6777
-r--------  1 alicate  admin  286203904 May 21 22:19 /cores/core.6701
-r--------  1 alicate  admin  286203904 May 21 22:19 /cores/core.6692
-r--------  1 alicate  admin  286203904 May 21 22:19 /cores/core.6683
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6674
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6664
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6655
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6646
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6637
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6628
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6619
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6610
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6601
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6592
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6583
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6574
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6565
-r--------  1 alicate  admin  286203904 May 21 22:18 /cores/core.6556
-r--------  1 alicate  admin  286208000 May 21 22:17 /cores/core.6547
-r--------  1 alicate  admin  286208000 May 21 22:17 /cores/core.6537

=====> Information about core dump /cores/core.6537?
$ otool -c /cores/core.6537
/cores/core.6537:
Argument strings on the stack at: 00007fff5fc00000
        /Users/alicate/foo/openssl-fips-1.2.3/util/../apps/openssl
        x509
        -hash
        -fingerprint
        -noout
        -in
        aol1.pem
        SHELL=/bin/bash
        TERM=xterm-color
        MAKEFLAGS=
        VERSIONER_PERL_VERSION=5.10.0
        USER=alicate
        LD_LIBRARY_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
        __CF_USER_TEXT_ENCODING=0x1FA:0:0
        LIBPATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
        MAKELEVEL=1
        OPENSSL_DEBUG_MEMORY=on
        MFLAGS=
        mount_authenticator=
        PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/usr/local/ssl/fips-1.0/bin
        PWD=/Users/alicate/foo/openssl-fips-1.2.3/certs
        VERSIONER_PERL_PREFER_32_BIT=no
        HOME=/Users/alicate
        SHLVL=4
        DYLD_LIBRARY_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
        LOGNAME=alicate
        SHLIB_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
        OPENSSL=/Users/alicate/foo/openssl-fips-1.2.3/util/../apps/openssl
        SECURITYSESSIONID=234492

=====> Information about core dump /cores/core.6777?
$ otool -c /cores/core.6777
/cores/core.6777:
Argument strings on the stack at: 00007fff5fc00000
        /Users/alicate/foo/openssl-fips-1.2.3/test/fips_shatest
        ./fips_shatest
        AS=cc
        AR=ar  r
        BF_ENC=bf_enc.o
        ASFLAG=-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common -c
        SHELL=/bin/bash
        SHLIB_TARGET=darwin-shared
        SHARED_LIBS=libcrypto.0.9.8.dylib libssl.0.9.8.dylib
        TERM=xterm-color
        OPENSSLDIR=/usr/local/ssl/fips-1.0
        MAKEFLAGS=
        SHA1_ASM_OBJ=
        MAKEDEPPROG=makedepend
        MD5_ASM_OBJ=
        AES_ASM_OBJ=aes_core.o aes_cbc.o
        PERL=/usr/bin/perl
        MAKEDEPEND=${TOP}/util/domd ${TOP} -MD makedepend
        CAST_ENC=c_enc.o
        INSTALL_PREFIX=
        MAKEOVERRIDES=
        USER=alicate
        LD_LIBRARY_PATH=../util/..:
        EXE_EXT=
        FIPS_EX_OBJ=../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o ../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o ../crypto/bn/bn_mul.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o ../crypto/bn/bn_shift.o ../crypto/bn/bn_sqr.o ../crypto/bn/bn_word.o ../crypto/bn/bn_x931p.o ../crypto/buffer/buf_str.o ../crypto/cryptlib.o ../crypto/des/cfb64ede.o ../crypto/des/cfb64enc.o ../crypto/des/cfb_enc.o ../crypto/des/ecb3_enc.o ../crypto/des/ecb_enc.o ../crypto/des/ofb64ede.o ../crypto/des/ofb64enc.o ../crypto/des/fcrypt.o ../crypto/des/set_key.o ../crypto/dsa/dsa_utl.o ../crypto/dsa/dsa_sign.o ../crypto/dsa/dsa_vrf.o ../crypto/err/err.o ../crypto/evp/digest.o ../crypto/evp/enc_min.o ../crypto/evp/e_aes.o ../crypto/evp/e_des3.o ../crypto/evp/p_sign.o ../crypto/evp/p_verify.o ../crypto/mem_clr.o ../crypto/mem.o ../crypto/rand/md_rand.o ../crypto/rand/rand_egd.o ../crypto/rand/randfile.o ../crypto/rand/rand_lib.o ../crypto/rand/rand_os2.o ../crypto/rand/rand_unix.o ../crypto/rand/rand_win.o ../crypto/rsa/rsa_lib.o ../crypto/rsa/rsa_none.o ../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o ../crypto/rsa/rsa_ssl.o ../crypto/rsa/rsa_x931.o ../crypto/sha/sha1dgst.o ../crypto/sha/sha256.o ../crypto/sha/sha512.o ../crypto/uid.o
        TESTS=alltests
        LIBPATH=../util/..:
        OPENSSL_DEBUG_MEMORY=on
        KRB5_INCLUDES=
        MAKELEVEL=2
        TOP=..
        DES_ENC=des_enc.o fcrypt_b.o
        MFLAGS=-e
        mount_authenticator=
        THIS=tests
        LIBKRB5=
        PATH=../util/..:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin
        EX_LIBS=
        BN_ASM=bn_asm.o
        PWD=/Users/alicate/foo/openssl-fips-1.2.3/test
        RMD160_ASM_OBJ=
        MAKEFILE=Makefile
        PROCESSOR=386
        SHLIB_EXT=.0.9.8.dylib
        PLATFORM=darwin-i386-cc
        FIPSLIBDIR=
        SDIRS=objects md2 md4 md5 sha hmac ripemd des aes rc2 rc4 idea bf cast bn ec rsa dsa ecdsa dh ecdh dso engine buffer bio stack lhash rand err evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 store pqueue
        FIPSCANISTERINTERNAL=y
        HOME=/Users/alicate
        SHLVL=4
        PEX_LIBS=-Wl,-search_paths_first
        LIBRPATH=/usr/local/ssl/fips-1.0/lib
        DYLD_LIBRARY_PATH=../util/..:
        CFLAG=-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common
        SHARED_LDFLAGS=-dynamiclib
        LOGNAME=alicate
        RC5_ENC=rc5_enc.o
        SHLIB_PATH=../util/..:
        RANLIB=/usr/bin/ranlib
        DEPFLAG=-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED
        CC=cc
        RC4_ENC=rc4_enc.o
        FIPSCANLIB=libcrypto
        SECURITYSESSIONID=234492
        INSTALLTOP=/usr/local/ssl/fips-1.0
        CPUID_OBJ=

$ file test/fips_shatest
test/fips_shatest: Mach-O 64-bit executable x86_64

$ file apps/openssl
apps/openssl: Mach-O 64-bit executable x86_64

Thanks,

Bill








______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
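
The build log in the post above shows `./config` selecting `darwin-i386-cc` in `THIRTY_TWO_BIT mode`, while `file` reports the resulting binaries as `Mach-O 64-bit executable x86_64`. As an added example (not part of the thread and not OpenSSL project code), this script compares the two; the function names and the 32-bit `file` sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the word size OpenSSL's ./config selected with the
# architecture of the binaries the compiler actually produced. A mismatch
# means the integer-width settings written into opensslconf.h do not match
# the ABI of the object code, so test failures are expected before any
# FIPS self-test result can be trusted.

# Word size implied by the "... mode" line printed by ./config.
config_bits() {
    case "$1" in
        *SIXTY_FOUR_BIT*) echo 64 ;;
        *THIRTY_TWO_BIT*) echo 32 ;;
        *) echo unknown ;;
    esac
}

# Word size reported by file(1) for a single-architecture binary.
binary_bits() {
    case "$1" in
        *universal*) echo unknown ;;          # fat binary: inspect each slice
        *64-bit*) echo 64 ;;
        *32-bit*|*Mach-O*|*ELF*) echo 32 ;;
        *) echo unknown ;;
    esac
}

# Returns 0 when both agree, 1 on mismatch, 2 when either is undetermined.
check_abi() {
    cfg=$(config_bits "$1")
    bin=$(binary_bits "$2")
    if [ "$cfg" = unknown ] || [ "$bin" = unknown ]; then
        echo "UNKNOWN: config=${cfg} binary=${bin}"
        return 2
    fi
    if [ "$cfg" = "$bin" ]; then
        echo "OK: configured and built as ${cfg}-bit"
        return 0
    fi
    echo "MISMATCH: configured for ${cfg}-bit, binary is ${bin}-bit"
    return 1
}

# Lines copied from the build log in the post above.
SAMPLE_CONFIG='Configuring for darwin-i386-cc
PROCESSOR     =386
THIRTY_TWO_BIT mode
BN_LLONG mode'
SAMPLE_FILE='test/fips_shatest: Mach-O 64-bit executable x86_64'

# Constructed sample: what file(1) prints for a 32-bit Intel Mach-O binary.
SAMPLE_FILE_32='test/fips_shatest: Mach-O executable i386'

# Demo on the samples; "|| true" keeps the script's exit status at zero.
check_abi "$SAMPLE_CONFIG" "$SAMPLE_FILE" || true
check_abi "$SAMPLE_CONFIG" "$SAMPLE_FILE_32" || true

# On a real tree, save the ./config output to a log and run:
#   check_abi "$(cat config.log)" "$(file test/fips_shatest)"
```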
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Dr. Stephen Henson
On Sun, May 22, 2011, Bill Durant wrote:

> Hello,
>
> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
>
> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>
> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>
> For example:
>
> ./config fipscanisterbuild
> make
> make test (fips_shatest and openssl core dump at this step)
>

Does fips_test_suite run OK?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Bill Durant
On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:

> On Sun, May 22, 2011, Bill Durant wrote:
>
>> Hello,
>>
>> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
>>
>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>
>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>
>> For example:
>>
>> ./config fipscanisterbuild
>> make
>> make test (fips_shatest and openssl core dump at this step)
>>
>
> Does fips_test_suite run OK?


I ran fips_test_suite and it has been pegged for almost two hours on the following:

=====
$ ./fips_test_suite
        FIPS-mode test application

1. Non-Approved cryptographic operation test...
=====

The CPU is at 100% on fips_test_suite.  It does not get past that.  

Any ideas?

Thanks,

Bill

>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Jeffrey Walton-3
On Tue, May 24, 2011 at 12:05 AM, ciphertexto <[hidden email]> wrote:

> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>
>>> Hello,
>>>
>>> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>
>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>> ./config fipscanisterbuild
>>> make
>>> make test (fips_shatest and openssl core dump at this step)
>>>
>>
>> Does fips_test_suite run OK?
>
> [SNIP]

Not for me with 10.6.7 (from About the Mac) on a Core 2 Duo.

jeffrey@newton~/openssl-fips-1.2$ uname -a
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16
PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

../util/shlib_wrap.sh ./sha512t
Testing SHA-512 ... passed.
Testing SHA-384 ... passed.
if [ -n "libcrypto" ]; then \
          ../util/shlib_wrap.sh ./fips_shatest < SHAmix.req | diff -w SHAmix.fax - ; \
        fi
1,129d0
< [L = 64]
<
< Len = 16
< Msg = 98a1
< MD = 74d78642f70ca830bec75fc60a585917e388cfa4cd1d23daab1c4d9ff1010cac3e67275df64db5a6a7c7d0fda24f1fc3eb272678a7c8becff6743ee812129078
<
...
< Len = 13976
< Msg =
< MD = 1adccf11e5b7ce2a3ddf71e920138c8647ad699c
<
< Len = 48824
< Msg = 
< MD = 2cbc07b9b9c819b8fd38d8a614a8a9c3fa7e40ee
make[1]: *** [test_sha] Error 1
make: *** [tests] Error 2
jeffrey@newton~/openssl-fips-1.2$

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Dr. Stephen Henson
On Mon, May 23, 2011, ciphertexto wrote:

> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
> > On Sun, May 22, 2011, Bill Durant wrote:
> >
> >> Hello,
> >>
> >> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
> >>
> >> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
> >>
> >> But fips_shatest and the openssl command are core dumping when I do a 'make test'
> >>
> >> For example:
> >>
> >> ./config fipscanisterbuild
> >> make
> >> make test (fips_shatest and openssl core dump at this step)
> >>
> >
> > Does fips_test_suite run OK?
>
>
> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>
> =====
> $ ./fips_test_suite
> FIPS-mode test application
>
> 1. Non-Approved cryptographic operation test...
> =====
>
> The CPU is at 100% on fips_test_suite.  It does not get past that.  
>
> Any ideas?
>

It can take a long time to execute sometimes as it performs two slow DH
parameter generation operations. Retry it a few times. If it still doesn't
complete try:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a

Note that the utilities in the 1.2.3 build come from an ancient version of
OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Bill Durant
On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:

> On Mon, May 23, 2011, ciphertexto wrote:
>
>> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>>> On Sun, May 22, 2011, Bill Durant wrote:
>>>
>>>> Hello,
>>>>
>>>> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
>>>>
>>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>>
>>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>>
>>>> For example:
>>>>
>>>> ./config fipscanisterbuild
>>>> make
>>>> make test (fips_shatest and openssl core dump at this step)
>>>>
>>>
>>> Does fips_test_suite run OK?
>>
>>
>> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>>
>> =====
>> $ ./fips_test_suite
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> =====
>>
>> The CPU is at 100% on fips_test_suite.  It does not get past that.  
>>
>> Any ideas?
>>
>
> It can take a long time to execute sometimes as it performs two slow DH
> parameter generation operations. Retry it a few times. If it still doesn't
> complete try:
>
> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>
> Note that the utilities in the 1.2.3 build come from an ancient version of
> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.


fips_test_suite hangs (stayed there for more than 24 hours).  So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.

I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).

$ apps/openssl version
OpenSSL 0.9.8r-fips 8 Feb 2011

$ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
Segmentation fault (core dumped)

$ otool -c /cores/core.97244 | head -4
/cores/core.97244:
Argument strings on the stack at: 00007fff5fc00000
        /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl

$ gdb apps/openssl /cores/core.97244
GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done

Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
#0  0x000000003f61ffff in ?? ()
(gdb) bt
#0  0x000000003f61ffff in ?? ()
Cannot access memory at address 0x3f61ffff
#1  0x00000000092ff8bb in ?? ()
(gdb) quit

So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

Thanks,

Bill

>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Dr. Stephen Henson
On Tue, May 24, 2011, ciphertexto wrote:

> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> >
> > It can take a long time to execute sometimes as it performs two slow DH
> > parameter generation operations. Retry it a few times. If it still doesn't
> > complete try:
> >
> > OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >
> > Note that the utilities in the 1.2.3 build come from an ancient version of
> > OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
> > OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>
>
> fips_test_suite hangs (stayed there for more than 24 hours).  So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>
> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>
> $ apps/openssl version
> OpenSSL 0.9.8r-fips 8 Feb 2011
>
> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> Segmentation fault (core dumped)
>
> $ otool -c /cores/core.97244 | head -4
> /cores/core.97244:
> Argument strings on the stack at: 00007fff5fc00000
> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>
> $ gdb apps/openssl /cores/core.97244
> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done
>
> Reading symbols for shared libraries . done
> Reading symbols for shared libraries .... done
> #0  0x000000003f61ffff in ?? ()
> (gdb) bt
> #0  0x000000003f61ffff in ?? ()
> Cannot access memory at address 0x3f61ffff
> #1  0x00000000092ff8bb in ?? ()
> (gdb) quit
>
> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>

I don't have access to that platform so can't say for sure: it could
conceivably be a compiler bug.

Can you try a debug build of fipscanister using 0.9.8r?

NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
messages get cut and pasted into cookbooks as "the right way to do things".

Something like:

./config -d fipscanisterbuild
make

Then try the version command again and see where it crashes and why.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Bill Durant
On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:

> On Tue, May 24, 2011, ciphertexto wrote:
>
>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>
>>> It can take a long time to execute sometimes as it performs two slow DH
>>> parameter generation operations. Retry it a few times. If it still doesn't
>>> complete try:
>>>
>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>
>>> Note that the utilities in the 1.2.3 build come from an ancient version of
>>> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
>>> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>
>>
>> fips_test_suite hangs (stayed there for more than 24 hours).  So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>
>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>
>> $ apps/openssl version
>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>
>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>> Segmentation fault (core dumped)
>>
>> $ otool -c /cores/core.97244 | head -4
>> /cores/core.97244:
>> Argument strings on the stack at: 00007fff5fc00000
>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>
>> $ gdb apps/openssl /cores/core.97244
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done
>>
>> Reading symbols for shared libraries . done
>> Reading symbols for shared libraries .... done
>> #0  0x000000003f61ffff in ?? ()
>> (gdb) bt
>> #0  0x000000003f61ffff in ?? ()
>> Cannot access memory at address 0x3f61ffff
>> #1  0x00000000092ff8bb in ?? ()
>> (gdb) quit
>>
>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>
>
> I don't have access to that platform so can't say for sure: it could
> conceivably be a compiler bug.
>
> Can you try a debug build of fipscanister using 0.9.8r?
>
> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
> LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
> messages get cut and pasted into cookbooks as "the right way to do things".
>
> Something like:
>
> ./config -d fipscanisterbuild
> make


Here is what I get with the -d option:

$ ./config -d fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.

And without the -d option, I get the following:

$ ./config fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)

Notice that it configures for "darwin-i386-cc" which I believe is incorrect.  I am thinking that it should configure for "darwin64-x86_64-cc" instead.

And my system details are:

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$  ioreg -l -p IODeviceTree | grep firmware-abi
    | |   "firmware-abi" = <"EFI64">

What to do?

Thanks,

Bill

>
> Then try the version command again and see where it crashes and why.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Dr. Stephen Henson
On Tue, May 24, 2011, Bill Durant wrote:

> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
> > On Tue, May 24, 2011, ciphertexto wrote:
> >
> >> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> >>>
> >>> It can take a long time to execute sometimes as it performs two slow DH
> >>> parameter generation operations. Retry it a few times. If it still doesn't
> >>> complete try:
> >>>
> >>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >>>
> >>> Note that the utilities in the 1.2.3 build come from an ancient version of
> >>> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
> >>> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
> >>
> >>
> >> fips_test_suite hangs (stayed there for more than 24 hours).  So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
> >>
> >> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
> >>
> >> $ apps/openssl version
> >> OpenSSL 0.9.8r-fips 8 Feb 2011
> >>
> >> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> >> Segmentation fault (core dumped)
> >>
> >> $ otool -c /cores/core.97244 | head -4
> >> /cores/core.97244:
> >> Argument strings on the stack at: 00007fff5fc00000
> >> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
> >>
> >> $ gdb apps/openssl /cores/core.97244
> >> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
> >> Copyright 2004 Free Software Foundation, Inc.
> >> GDB is free software, covered by the GNU General Public License, and you are
> >> welcome to change it and/or distribute copies of it under certain conditions.
> >> Type "show copying" to see the conditions.
> >> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> >> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done
> >>
> >> Reading symbols for shared libraries . done
> >> Reading symbols for shared libraries .... done
> >> #0  0x000000003f61ffff in ?? ()
> >> (gdb) bt
> >> #0  0x000000003f61ffff in ?? ()
> >> Cannot access memory at address 0x3f61ffff
> >> #1  0x00000000092ff8bb in ?? ()
> >> (gdb) quit
> >>
> >> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
> >>
> >
> > I don't have access to that platform so can't say for sure: it could
> > conceivably be a compiler bug.
> >
> > Can you try a debug build of fipscanister using 0.9.8r?
> >
> > NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
> > LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
> > messages get cut and pasted into cookbooks as "the right way to do things".
> >
> > Something like:
> >
> > ./config -d fipscanisterbuild
> > make
>
>
> Here is what I get with the -d option:
>
> $ ./config -d fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.
>
> And without the -d option, I get the following:
>
> $ ./config fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> Configuring for darwin-i386-cc
> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>
> Notice that it configures for "darwin-i386-cc" which I believe is
> incorrect.  I am thinking that it should configure for "darwin64-x86_64-cc"
> instead.
>

Ah that explains it. There is no darwin64-x86_64-cc target for the validated
tarball so it isn't supported. It is possible to add new platforms via a
change letter but so far no one has been interested in including that one.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
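
The `./config` failures quoted in this exchange, turned into a pre-build check; this is an added example, not code from the thread or from OpenSSL. The function name and verdict strings are hypothetical, the first two samples are copied from the quoted runs with the kernel banner shortened, and the third sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify captured ./config output so a
# build script stops before compiling for the wrong target or for none.

# Output copied from the ./config runs quoted in this thread (banner shortened).
SAMPLE_REJECTED='Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)'

SAMPLE_UNSUPPORTED='Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0
This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.'

# Constructed sample: a run that configures cleanly for the 32-bit target.
SAMPLE_I386='Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0
Configuring for darwin-i386-cc'

# check_config_output OUTPUT WANTED_TARGET   (hypothetical helper)
# Prints a one-line verdict; returns 0 only when config accepted every
# argument and selected WANTED_TARGET.
check_config_output() {
    cfg_out=$1
    cfg_want=$2

    # "This system (X) is not supported": the tarball has no such target.
    cfg_bad=$(printf '%s\n' "$cfg_out" |
        sed -n 's/^This system (\([^)]*\)) is not supported.*/\1/p' | head -n 1)
    if [ -n "$cfg_bad" ]; then
        echo "unsupported-target $cfg_bad"; return 2
    fi

    # "(offending arg: X)": config took an unrecognised word for a second
    # target name, so the option the caller meant was never applied.
    cfg_arg=$(printf '%s\n' "$cfg_out" |
        sed -n 's/.*(offending arg: \([^)]*\)).*/\1/p' | head -n 1)
    if [ -n "$cfg_arg" ]; then
        echo "rejected-arg $cfg_arg"; return 3
    fi

    # "Configuring for T": the target config actually selected.
    cfg_target=$(printf '%s\n' "$cfg_out" |
        sed -n 's/^Configuring for \(.*\)$/\1/p' | head -n 1)
    if [ -z "$cfg_target" ]; then
        echo "no-target"; return 4
    fi
    if [ "$cfg_target" != "$cfg_want" ]; then
        echo "target-mismatch $cfg_target"; return 5
    fi
    echo "ok $cfg_target"
}

# Demo over the samples; "|| true" keeps going after a failing verdict.
for cfg_sample in "$SAMPLE_REJECTED" "$SAMPLE_UNSUPPORTED" "$SAMPLE_I386"; do
    check_config_output "$cfg_sample" darwin64-x86_64-cc || true
done
```

The rejected argument reported for the first sample is spelled differently from the `fipscanisterbuild` option used in the earlier commands of this thread.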

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Bill Durant
On May 24, 2011, at 5:42 PM, Dr. Stephen Henson wrote:

> On Tue, May 24, 2011, Bill Durant wrote:
>
>> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
>>> On Tue, May 24, 2011, ciphertexto wrote:
>>>
>>>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>>>
>>>>> It can take a long time to execute sometimes as it performs two slow DH
>>>>> parameter generation operations. Retry it a few times. If it still doesn't
>>>>> complete try:
>>>>>
>>>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>>>
>>>>> Note that the utilities in the 1.2.3 build come from an ancient version of
>>>>> OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
>>>>> OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>>>
>>>>
>>>> fips_test_suite hangs (stayed there for more than 24 hours).  So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.
>>>>
>>>> I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>>>
>>>> $ apps/openssl version
>>>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>>>
>>>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>> Segmentation fault (core dumped)
>>>>
>>>> $ otool -c /cores/core.97244 | head -4
>>>> /cores/core.97244:
>>>> Argument strings on the stack at: 00007fff5fc00000
>>>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>>>
>>>> $ gdb apps/openssl /cores/core.97244
>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>>>> Copyright 2004 Free Software Foundation, Inc.
>>>> GDB is free software, covered by the GNU General Public License, and you are
>>>> welcome to change it and/or distribute copies of it under certain conditions.
>>>> Type "show copying" to see the conditions.
>>>> There is absolutely no warranty for GDB.  Type "show warranty" for details.
>>>> This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done
>>>>
>>>> Reading symbols for shared libraries . done
>>>> Reading symbols for shared libraries .... done
>>>> #0  0x000000003f61ffff in ?? ()
>>>> (gdb) bt
>>>> #0  0x000000003f61ffff in ?? ()
>>>> Cannot access memory at address 0x3f61ffff
>>>> #1  0x00000000092ff8bb in ?? ()
>>>> (gdb) quit
>>>>
>>>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>>>
>>>
>>> I don't have access to that platform so can't say for sure: it could
>>> conceivably be a compiler bug.
>>>
>>> Can you try a debug build of fipscanister using 0.9.8r?
>>>
>>> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
>>> LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
>>> messages get cut and pasted into cookbooks as "the right way to do things".
>>>
>>> Something like:
>>>
>>> ./config -d fipscanisterbuild
>>> make
>>
>>
>> Here is what I get with the -d option:
>>
>> $ ./config -d fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.
>>
>> And without the -d option, I get the following:
>>
>> $ ./config fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> Configuring for darwin-i386-cc
>> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>>
>> Notice that it configures for "darwin-i386-cc" which I believe is
>> incorrect.  I am thinking that it should configure for "darwin64-x86_64-cc"
>> instead.
>>
>
> Ah that explains it. There is no darwin64-x86_64-cc target for the validated
> tarball so it isn't supported. It is possible to add new platforms via a
> change letter but so far no one has been interested in including that one.


What is the procedure for a change letter?  How do I make the request to add darwin64-x86_64-cc in the validated tarball?

Thanks,

Bill


>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

Steve Marquess-3
On 05/24/2011 08:58 PM, Bill Durant wrote:

> ...
>> Ah that explains it. There is no darwin64-x86_64-cc target for the validated
>> tarball so it isn't supported. It is possible to add new platforms via a
>> change letter but so far no one has been interested in including that one.
>
> What is the procedure for a change letter?  How do I make the request to add darwin64-x86_64-cc in the validated tarball?
>
> Thanks,
>
> Bill

Change letters are performed by the "vendor of record" which in this
case (certificate #1051) is the Open Source Software Institute (OSSI).
OSF has a close working relationship with OSSI and we manage the change
letter process for them.  The cost varies depending on the platform(s)
and nature of the change but is in the ballpark of US$10K for one
uncomplicated platform.  One big appeal of the change letter mod process
is that results can usually be obtained in weeks instead of the many
months needed for a new validation.

My contact info is below if you want more info.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
[hidden email]
