
Re: BN_DEBUG (was Re: On head of 1.0.1 branch, ecdsatest crashes if openssl is built to be FIPS capable)


Andy Polyakov

Nov 9, 2012, 10:19:52 AM
>> When I build with "./Configure debug-linux-x86_64" then the tests all
>> pass. When I build with "./Configure debug-linux-x86_64 fips
>> --with-fipsdir=..." then all tests pass up to ecdsatest:
>>
>> prime239v2: ........ ok
>> prime239v3: ........ ok
>> prime256v1: ........ ok
>> sect163k1: ........ ok
>> sect163r1: ........ ok
>> sect163r2: ........ ok
>> ecdsatest: bn_lib.c:243: BN_clear_free: Assertion `(_bnum2->top == 0) || (_bnum2->d[_bnum2->top - 1] != 0)' failed.
>> sect193r1: make[1]: *** [test_ecdsa] Aborted
>
> Is it just that BN_DEBUG has significant false positives, and I
> shouldn't really be defining it?

As the FIPS module is compiled without BN_DEBUG, it can and certainly will
confuse code compiled with BN_DEBUG that will call it. This surely is
the explanation for the phenomenon, and the answer to the specific question is
no, you shouldn't define it.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
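
What the assertion in the quoted test output checks, as an added example that is not part of the original message and is not OpenSSL code: a toy bignum (all `toy_*` names are hypothetical) whose `top` must not count a zero most-significant limb. It models only the invariant, under the assumption of a routine that skips normalisation; it does not reproduce the FIPS module's behaviour.

```c
#include <stdio.h>

/* Toy stand-in for a bignum: little-endian limbs, `top` = limbs in use.
   Hypothetical type, not OpenSSL's BIGNUM. */
typedef struct {
    unsigned long d[4];
    int top;
} toy_bn;

/* The invariant from the failed assertion: either no limbs are in use,
   or the most significant limb in use is non-zero. */
static int toy_top_ok(const toy_bn *a)
{
    return a->top == 0 || a->d[a->top - 1] != 0;
}

/* Normalise: drop leading zero limbs so the invariant holds again. */
static void toy_correct_top(toy_bn *a)
{
    while (a->top > 0 && a->d[a->top - 1] == 0)
        a->top--;
}

/* r = a - b for a >= b with equal limb counts. Deliberately leaves
   r->top at the operand length, i.e. it does not normalise. */
static void toy_sub_raw(toy_bn *r, const toy_bn *a, const toy_bn *b)
{
    unsigned long borrow = 0;
    for (int i = 0; i < a->top; i++) {
        unsigned long t = a->d[i] - b->d[i];
        unsigned long nb = (a->d[i] < b->d[i]) || (t < borrow);
        r->d[i] = t - borrow;
        borrow = nb;
    }
    r->top = a->top;
}

/* Constructed input: two 2-limb values that differ only in the low limb,
   so the difference has a zero high limb. Returns 1 if the check passes. */
static int toy_demo(int normalise)
{
    toy_bn a = {{5, 7}, 2}, b = {{3, 7}, 2}, r = {{0}, 0};
    toy_sub_raw(&r, &a, &b);
    if (normalise)
        toy_correct_top(&r);
    return toy_top_ok(&r);
}

int main(void)
{
    printf("raw: %d, normalised: %d\n", toy_demo(0), toy_demo(1));
    return 0;
}
```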
