Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7

564 views
Skip to first unread message

Bill Durant

unread,
May 22, 2011, 3:36:31 AM5/22/11
to
Hello,

Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?

I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.

But fips_shatest and the openssl command are core dumping when I do a 'make test'

For example:

./config fipscanisterbuild
make
make test (fips_shatest and openssl core dump at this step)

No such core dumps occur when I build the 32-bit version of the fipscanister under Mac OS X 10.5.8 (Leopard).

Furthermore, FIPS_mode_set() core dumps in EVP_SignFinal() with a 64-bit version of a FIPS-capable OpenSSL built with this fiscanister, on Mac OS X 10.6.7.

I get the same results with openssl-fips-1.2.2 and when building the fipscanister with the no-asm option (tried with both openssl-fips-1.2.2 and openssl-fips-1.2.3).

So it is looking like it is not possible to build a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7.

Does anyone have any input on this? Is there some magic that I am missing to make this work?

Here is a sample build that shows the problem:

$ uname -a
Darwin cactus 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
| | "firmware-abi" = <"EFI64">

$ ls -aldt /cores/*
ls: /cores/*: No such file or directory

$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 256
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 266
virtual memory (kbytes, -v) unlimited

$ curl -L -O http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 3682k 0 12746 0 0 8785 0 0:07:09 0:00:01 0:07:08 12024
6 3682k 6 227k 0 0 100k 0 0:00:36 0:00:02 0:00:34 121k
16 3682k 16 595k 0 0 188k 0 0:00:19 0:00:03 0:00:16 215k
27 3682k 27 1024k 0 0 246k 0 0:00:14 0:00:04 0:00:10 272k
41 3682k 41 1513k 0 0 291k 0 0:00:12 0:00:05 0:00:07 315k
47 3682k 47 1740k 0 0 279k 0 0:00:13 0:00:06 0:00:07 361k
53 3682k 53 1965k 0 0 273k 0 0:00:13 0:00:07 0:00:06 353k
57 3682k 57 2112k 0 0 255k 0 0:00:14 0:00:08 0:00:06 296k
69 3682k 69 2569k 0 0 279k 0 0:00:13 0:00:09 0:00:04 307k
79 3682k 79 2916k 0 0 285k 0 0:00:12 0:00:10 0:00:02 279k
86 3682k 86 3192k 0 0 269k 0 0:00:13 0:00:11 0:00:02 259k
91 3682k 91 3376k 0 0 275k 0 0:00:13 0:00:12 0:00:01 279k
95 3682k 95 3502k 0 0 265k 0 0:00:13 0:00:13 --:--:-- 282k
96 3682k 96 3553k 0 0 246k 0 0:00:14 0:00:14 --:--:-- 188k
99 3682k 99 3673k 0 0 241k 0 0:00:15 0:00:15 --:--:-- 151k
100 3682k 100 3682k 0 0 238k 0 0:00:15 0:00:15 --:--:-- 134k

$ gunzip -c openssl-fips-1.2.3.tar.gz | tar xf -

$ cd openssl-fips-1.2.3

$ ./config fipscanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
Configuring for darwin-i386-cc
no-asm [forced] OPENSSL_NO_ASM
no-camellia [default] OPENSSL_NO_CAMELLIA (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-mdc2 [default] OPENSSL_NO_MDC2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-seed [default] OPENSSL_NO_SEED (skip dir)
no-sse2 [forced]
no-zlib [default]
no-zlib-dynamic [default]
IsMK1MF=0
CC =cc
CFLAG =-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common
EX_LIBS =
CPUID_OBJ =
BN_ASM =bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
AES_ASM_OBJ =aes_core.o aes_cbc.o
BF_ENC =bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =386
RANLIB =/usr/bin/ranlib
ARFLAGS =
PERL =/usr/bin/perl
THIRTY_TWO_BIT mode
DES_UNROLL used
BN_LLONG mode
RC4 uses uchar
RC4_CHUNK is unsigned long
BF_PTR used
e_os2.h => include/openssl/e_os2.h
making links in crypto...
crypto.h => ../include/openssl/crypto.h
tmdiff.h => ../include/openssl/tmdiff.h
opensslv.h => ../include/openssl/opensslv.h
opensslconf.h => ../include/openssl/opensslconf.h
ebcdic.h => ../include/openssl/ebcdic.h
symhacks.h => ../include/openssl/symhacks.h
ossl_typ.h => ../include/openssl/ossl_typ.h
making links in crypto/objects...
objects.h => ../../include/openssl/objects.h
obj_mac.h => ../../include/openssl/obj_mac.h
making links in crypto/md2...
md2.h => ../../include/openssl/md2.h
md2test.c => ../../test/md2test.c
making links in crypto/md4...
md4.h => ../../include/openssl/md4.h
md4test.c => ../../test/md4test.c
md4.c => ../../apps/md4.c
making links in crypto/md5...
md5.h => ../../include/openssl/md5.h
md5test.c => ../../test/md5test.c
making links in crypto/sha...
sha.h => ../../include/openssl/sha.h
shatest.c => ../../test/shatest.c
sha1test.c => ../../test/sha1test.c
sha256t.c => ../../test/sha256t.c
sha512t.c => ../../test/sha512t.c
making links in crypto/hmac...
hmac.h => ../../include/openssl/hmac.h
hmactest.c => ../../test/hmactest.c
making links in crypto/ripemd...
ripemd.h => ../../include/openssl/ripemd.h
rmdtest.c => ../../test/rmdtest.c
making links in crypto/des...
des.h => ../../include/openssl/des.h
des_old.h => ../../include/openssl/des_old.h
destest.c => ../../test/destest.c
making links in crypto/aes...
aes.h => ../../include/openssl/aes.h
making links in crypto/rc2...
rc2.h => ../../include/openssl/rc2.h
rc2test.c => ../../test/rc2test.c
making links in crypto/rc4...
rc4.h => ../../include/openssl/rc4.h
rc4test.c => ../../test/rc4test.c
making links in crypto/idea...
idea.h => ../../include/openssl/idea.h
ideatest.c => ../../test/ideatest.c
making links in crypto/bf...
blowfish.h => ../../include/openssl/blowfish.h
bftest.c => ../../test/bftest.c
making links in crypto/cast...
cast.h => ../../include/openssl/cast.h
casttest.c => ../../test/casttest.c
making links in crypto/bn...
bn.h => ../../include/openssl/bn.h
bntest.c => ../../test/bntest.c
exptest.c => ../../test/exptest.c
making links in crypto/ec...
ec.h => ../../include/openssl/ec.h
ectest.c => ../../test/ectest.c
making links in crypto/rsa...
rsa.h => ../../include/openssl/rsa.h
rsa_test.c => ../../test/rsa_test.c
making links in crypto/dsa...
dsa.h => ../../include/openssl/dsa.h
dsatest.c => ../../test/dsatest.c
making links in crypto/ecdsa...
ecdsa.h => ../../include/openssl/ecdsa.h
ecdsatest.c => ../../test/ecdsatest.c
making links in crypto/dh...
dh.h => ../../include/openssl/dh.h
dhtest.c => ../../test/dhtest.c
making links in crypto/ecdh...
ecdh.h => ../../include/openssl/ecdh.h
ecdhtest.c => ../../test/ecdhtest.c
making links in crypto/dso...
dso.h => ../../include/openssl/dso.h
making links in crypto/engine...
engine.h => ../../include/openssl/engine.h
enginetest.c => ../../test/enginetest.c
making links in crypto/buffer...
buffer.h => ../../include/openssl/buffer.h
making links in crypto/bio...
bio.h => ../../include/openssl/bio.h
making links in crypto/stack...
stack.h => ../../include/openssl/stack.h
safestack.h => ../../include/openssl/safestack.h
making links in crypto/lhash...
lhash.h => ../../include/openssl/lhash.h
making links in crypto/rand...
rand.h => ../../include/openssl/rand.h
randtest.c => ../../test/randtest.c
making links in crypto/err...
err.h => ../../include/openssl/err.h
making links in crypto/evp...
evp.h => ../../include/openssl/evp.h
evp_test.c => ../../test/evp_test.c
cp evptests.txt ../../test
making links in crypto/asn1...
asn1.h => ../../include/openssl/asn1.h
asn1_mac.h => ../../include/openssl/asn1_mac.h
asn1t.h => ../../include/openssl/asn1t.h
making links in crypto/pem...
pem.h => ../../include/openssl/pem.h
pem2.h => ../../include/openssl/pem2.h
making links in crypto/x509...
x509.h => ../../include/openssl/x509.h
x509_vfy.h => ../../include/openssl/x509_vfy.h
making links in crypto/x509v3...
x509v3.h => ../../include/openssl/x509v3.h
making links in crypto/conf...
conf.h => ../../include/openssl/conf.h
conf_api.h => ../../include/openssl/conf_api.h
making links in crypto/txt_db...
txt_db.h => ../../include/openssl/txt_db.h
making links in crypto/pkcs7...
pkcs7.h => ../../include/openssl/pkcs7.h
making links in crypto/pkcs12...
pkcs12.h => ../../include/openssl/pkcs12.h
making links in crypto/comp...
comp.h => ../../include/openssl/comp.h
making links in crypto/ocsp...
ocsp.h => ../../include/openssl/ocsp.h
making links in crypto/ui...
ui.h => ../../include/openssl/ui.h
ui_compat.h => ../../include/openssl/ui_compat.h
making links in crypto/krb5...
krb5_asn.h => ../../include/openssl/krb5_asn.h
making links in crypto/store...
store.h => ../../include/openssl/store.h
making links in crypto/pqueue...
pqueue.h => ../../include/openssl/pqueue.h
pq_compat.h => ../../include/openssl/pq_compat.h
making links in fips...
fips.h => ../include/openssl/fips.h
fips_test_suite.c => ../test/fips_test_suite.c
making links in fips/sha...
fips_shatest.c => ../../test/fips_shatest.c
cp SHAmix.req SHAmix.fax ../../test
making links in fips/rand...
fips_rand.h => ../../include/openssl/fips_rand.h
fips_randtest.c => ../../test/fips_randtest.c
fips_rngvs.c => ../../test/fips_rngvs.c
making links in fips/des...
fips_desmovs.c => ../../test/fips_desmovs.c
making links in fips/aes...
fips_aesavs.c => ../../test/fips_aesavs.c
fips_aes_data => ../../test/fips_aes_data
making links in fips/dsa...
fips_dsatest.c => ../../test/fips_dsatest.c
fips_dssvs.c => ../../test/fips_dssvs.c
making links in fips/rsa...
fips_rsavtest.c => ../../test/fips_rsavtest.c
fips_rsastest.c => ../../test/fips_rsastest.c
fips_rsagtest.c => ../../test/fips_rsagtest.c
making links in fips/dh...
making links in fips/hmac...
fips_hmactest.c => ../../test/fips_hmactest.c
making links in ssl...
ssl.h => ../include/openssl/ssl.h
ssl2.h => ../include/openssl/ssl2.h
ssl3.h => ../include/openssl/ssl3.h
ssl23.h => ../include/openssl/ssl23.h
tls1.h => ../include/openssl/tls1.h
dtls1.h => ../include/openssl/dtls1.h
kssl.h => ../include/openssl/kssl.h
ssltest.c => ../test/ssltest.c
making links in engines...
make[1]: Nothing to be done for `links'.
making links in apps...
make[1]: Nothing to be done for `links'.
making links in test...
make[1]: Nothing to be done for `links'.
making links in tools...
make[1]: Nothing to be done for `links'.
generating dummy tests (if needed)...
make[1]: Nothing to be done for `generate'.

Configured for darwin-i386-cc.

WARNING: OpenSSL has been configured to generate a fipscanister.o object module.
That compiled module is NOT FIPS 140-2 validated or suitable for use in
satisfying a requirement for the use of FIPS 140-2 validated cryptography
UNLESS the requirements of the Security Policy are followed exactly (see
http://openssl.org/docs/fips/ or http://csrc.nist.gov/cryptval/).


=====> Build the FIPS canister
$ make
if [ -n "libcrypto" ]; then \
EXCL_OBJ='aes_core.o aes_cbc.o bn_asm.o des_enc.o fcrypt_b.o ../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o ../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o ../crypto/bn/bn_mul.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o
fips_test_suite.c:580: warning: format not a string literal and no format arguments
( :; LIBDEPS="${LIBDEPS:--Wl,-search_paths_first ../fips/fipscanister.o }"; LDCMD="${LDCMD:-../fips/fipsld}"; LDFLAGS="${LDFLAGS:--fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}"; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=fips_test_suite} fips_test_suite.o ${LIBDEPS} )
...
...
<snip>
...
...
../fips/fips_premain.c: In function 'FINGERPRINT_premain':
../fips/fips_premain.c:94: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:109: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:115: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c: In function 'FINGERPRINT_premain':
../fips/fips_premain.c:94: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:109: warning: incompatible implicit declaration of built-in function '_exit'
../fips/fips_premain.c:115: warning: incompatible implicit declaration of built-in function '_exit'
cc -I.. -I../include -I../fips -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common -c -o dummytest.o dummytest.c
( :; LIBDEPS="${LIBDEPS:--Wl,-search_paths_first -L.. -lssl -L.. -lcrypto }"; LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}"; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=dummytest} dummytest.o ${LIBDEPS} )
making all in tools...
make[1]: Nothing to be done for `all'.

=====> Run the FIPS tests
$ make test
Doing certs
aol1.pem => .0
WARNING: Skipping duplicate certificate aol2.pem
WARNING: Skipping duplicate certificate aoltw1.pem
WARNING: Skipping duplicate certificate aoltw2.pem
WARNING: Skipping duplicate certificate argena.pem
WARNING: Skipping duplicate certificate argeng.pem
WARNING: Skipping duplicate certificate eng1.pem
WARNING: Skipping duplicate certificate eng2.pem
WARNING: Skipping duplicate certificate eng3.pem
WARNING: Skipping duplicate certificate eng4.pem
...
...
<snip>
...
...
< MD = 2cbc07b9b9c819b8fd38d8a614a8a9c3fa7e40ee
make[1]: *** [test_sha] Error 1
make: *** [tests] Error 2

=====> Check that core dumps exist after running the FIPS tests (19 out 20 core dumps are from the openssl command; only one is from fips_shatest)
$ ls -aldt /cores/*
-r-------- 1 alicate admin 284196864 May 21 22:19 /cores/core.6777
-r-------- 1 alicate admin 286203904 May 21 22:19 /cores/core.6701
-r-------- 1 alicate admin 286203904 May 21 22:19 /cores/core.6692
-r-------- 1 alicate admin 286203904 May 21 22:19 /cores/core.6683
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6674
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6664
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6655
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6646
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6637
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6628
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6619
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6610
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6601
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6592
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6583
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6574
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6565
-r-------- 1 alicate admin 286203904 May 21 22:18 /cores/core.6556
-r-------- 1 alicate admin 286208000 May 21 22:17 /cores/core.6547
-r-------- 1 alicate admin 286208000 May 21 22:17 /cores/core.6537

=====> Information about core dump /cores/core.6537?
$ otool -c /cores/core.6537
/cores/core.6537:
Argument strings on the stack at: 00007fff5fc00000
/Users/alicate/foo/openssl-fips-1.2.3/util/../apps/openssl
x509
-hash
-fingerprint
-noout
-in
aol1.pem
SHELL=/bin/bash
TERM=xterm-color
MAKEFLAGS=
VERSIONER_PERL_VERSION=5.10.0
USER=alicate
LD_LIBRARY_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
__CF_USER_TEXT_ENCODING=0x1FA:0:0
LIBPATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
MAKELEVEL=1
OPENSSL_DEBUG_MEMORY=on
MFLAGS=
mount_authenticator=
PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/usr/local/ssl/fips-1.0/bin
PWD=/Users/alicate/foo/openssl-fips-1.2.3/certs
VERSIONER_PERL_PREFER_32_BIT=no
HOME=/Users/alicate
SHLVL=4
DYLD_LIBRARY_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
LOGNAME=alicate
SHLIB_PATH=/Users/alicate/foo/openssl-fips-1.2.3/util/..:
OPENSSL=/Users/alicate/foo/openssl-fips-1.2.3/util/../apps/openssl
SECURITYSESSIONID=234492

=====> Information about core dump /cores/core.6777?
$ otool -c /cores/core.6777
/cores/core.6777:
Argument strings on the stack at: 00007fff5fc00000
/Users/alicate/foo/openssl-fips-1.2.3/test/fips_shatest
./fips_shatest
AS=cc
AR=ar r
BF_ENC=bf_enc.o
ASFLAG=-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common -c
SHELL=/bin/bash
SHLIB_TARGET=darwin-shared
SHARED_LIBS=libcrypto.0.9.8.dylib libssl.0.9.8.dylib
TERM=xterm-color
OPENSSLDIR=/usr/local/ssl/fips-1.0
MAKEFLAGS=
SHA1_ASM_OBJ=
MAKEDEPPROG=makedepend
MD5_ASM_OBJ=
AES_ASM_OBJ=aes_core.o aes_cbc.o
PERL=/usr/bin/perl
MAKEDEPEND=${TOP}/util/domd ${TOP} -MD makedepend
CAST_ENC=c_enc.o
INSTALL_PREFIX=
MAKEOVERRIDES=
USER=alicate
LD_LIBRARY_PATH=../util/..:
EXE_EXT=
FIPS_EX_OBJ=../crypto/aes/aes_cfb.o ../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o ../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o ../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o ../crypto/bn/bn_mul.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o ../crypto/bn/bn_shift.o ../crypto/bn/bn_sqr.o ../crypto/bn/bn_word.o ../crypto/bn/bn_x931p.o ../crypto/buffer/buf_str.o ../crypto/cryptlib.o ../crypto/des/cfb64ede.o ../crypto/des/cfb64enc.o ../crypto/des/cfb_enc.o ../crypto/des/ecb3_enc.o ../crypto/des/ecb_enc.o ../crypto/des/ofb64ede.o ../crypto/des/ofb64enc.o ../crypto/des/fcrypt.o ../crypto/des/set_key.o ../crypto/dsa/dsa_utl.o ../crypto/dsa/dsa_sign.o ../crypto/dsa/dsa_vrf.o ../crypto/err/err.o ../crypto/evp/digest.o ../crypto/evp/enc_min.o ../crypto/evp/e_aes.o ../crypto/evp/e_des3.o ../crypto/evp/p_sign.o ../crypto/evp/p_verify.o ../crypto/mem_clr.o ../crypto/mem.o ../crypto/rand/md_rand.o ../crypto/rand/rand_egd.o ../crypto/rand/randfile.o ../crypto/rand/rand_lib.o ../crypto/rand/rand_os2.o ../crypto/rand/rand_unix.o ../crypto/rand/rand_win.o ../crypto/rsa/rsa_lib.o ../crypto/rsa/rsa_none.o ../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o ../crypto/rsa/rsa_ssl.o ../crypto/rsa/rsa_x931.o ../crypto/sha/sha1dgst.o ../crypto/sha/sha256.o ../crypto/sha/sha512.o ../crypto/uid.o
TESTS=alltests
LIBPATH=../util/..:
OPENSSL_DEBUG_MEMORY=on
KRB5_INCLUDES=
MAKELEVEL=2
TOP=..
DES_ENC=des_enc.o fcrypt_b.o
MFLAGS=-e
mount_authenticator=
THIS=tests
LIBKRB5=
PATH=../util/..:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin
EX_LIBS=
BN_ASM=bn_asm.o
PWD=/Users/alicate/foo/openssl-fips-1.2.3/test
RMD160_ASM_OBJ=
MAKEFILE=Makefile
PROCESSOR=386
SHLIB_EXT=.0.9.8.dylib
PLATFORM=darwin-i386-cc
FIPSLIBDIR=
SDIRS=objects md2 md4 md5 sha hmac ripemd des aes rc2 rc4 idea bf cast bn ec rsa dsa ecdsa dh ecdh dso engine buffer bio stack lhash rand err evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 store pqueue
FIPSCANISTERINTERNAL=y
HOME=/Users/alicate
SHLVL=4
PEX_LIBS=-Wl,-search_paths_first
LIBRPATH=/usr/local/ssl/fips-1.0/lib
DYLD_LIBRARY_PATH=../util/..:
CFLAG=-fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common
SHARED_LDFLAGS=-dynamiclib
LOGNAME=alicate
RC5_ENC=rc5_enc.o
SHLIB_PATH=../util/..:
RANLIB=/usr/bin/ranlib
DEPFLAG=-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED
CC=cc
RC4_ENC=rc4_enc.o
FIPSCANLIB=libcrypto
SECURITYSESSIONID=234492
INSTALLTOP=/usr/local/ssl/fips-1.0
CPUID_OBJ=

$ file test/fips_shatest
test/fips_shatest: Mach-O 64-bit executable x86_64

$ file apps/openssl
apps/openssl: Mach-O 64-bit executable x86_64

Thanks,

Bill


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

unread,
May 23, 2011, 10:20:34 PM5/23/11
to
On Sun, May 22, 2011, Bill Durant wrote:

> Hello,
>
> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>
> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>
> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>
> For example:
>
> ./config fipscanisterbuild
> make
> make test (fips_shatest and openssl core dump at this step)
>

Does fips_test_suite run OK?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

ciphertexto

unread,
May 24, 2011, 12:05:36 AM5/24/11
to
On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
> On Sun, May 22, 2011, Bill Durant wrote:
>
>> Hello,
>>
>> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>
>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>
>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>
>> For example:
>>
>> ./config fipscanisterbuild
>> make
>> make test (fips_shatest and openssl core dump at this step)
>>
>
> Does fips_test_suite run OK?


I ran fips_test_suite and it has been pegged for almost two hours on the following:

=====
$ ./fips_test_suite
FIPS-mode test application

1. Non-Approved cryptographic operation test...
=====

The CPU is at 100% on fips_test_suite. It does not get past that.

Any ideas?

Thanks,

Bill

Jeffrey Walton

unread,
May 24, 2011, 1:08:21 AM5/24/11
to
On Tue, May 24, 2011 at 12:05 AM, ciphertexto <ciphe...@gmail.com> wrote:
> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>
>>> Hello,
>>>
>>> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL  on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
>>>
>>> But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>> ./config fipscanisterbuild
>>> make
>>> make test (fips_shatest and openssl core dump at this step)
>>>
>>
>> Does fips_test_suite run OK?
>
> [SNIP]

Not for me with 10.6.7 (from About the Mac) on a Core 2 Duo.

jeffrey@newton~/openssl-fips-1.2$ uname -a
Darwin newton 10.7.0 Darwin Kernel Version 10.7.0: Sat Jan 29 15:17:16


PST 2011; root:xnu-1504.9.37~1/RELEASE_I386 i386

../util/shlib_wrap.sh ./sha512t
Testing SHA-512 ... passed.
Testing SHA-384 ... passed.
if [ -n "libcrypto" ]; then \
../util/shlib_wrap.sh ./fips_shatest < SHAmix.req | diff -w SHAmix.fax - ; \
fi
1,129d0
< [L = 64]
<
< Len = 16
< Msg = 98a1
< MD = 74d78642f70ca830bec75fc60a585917e388cfa4cd1d23daab1c4d9ff1010cac3e67275df64db5a6a7c7d0fda24f1fc3eb272678a7c8becff6743ee812129078
<
...
< Len = 13976
< Msg = 07a6372c863c7d7c6764e4f05addbbe161762735dfd2d23bf268e2d603cd28de9c369ac379390473e1d3fa7e37af1178cca54fa0f782dfbe68070952b93462ea46c640d43ffe71f5fba42df98f4c48ada0d8aca8753e0731508bc15dff283178ae5c10a6ff132eca5dde63a78d3ac94685152897828eb25a55fdf140fd33fd4e7b03f283e201a1baae8986d25603fb0b2566aab345fb48031d648144dddc2e3556c0ceb1104f348d96ae7dc0152e45c625d21b46e70c31f250c858aec4ab2cf5e79d8c79b0854e0abf5330b9f044113d306161968f4ad6f0973160c9dc296056d5a11523ea2b56fbce8387070fccc639ec1c65ec663b9dc49aa880dc4ddd3020c9d44ff7e8cab6266e436af19b4ecb82010a0f8f9469ef380034a02e3f50051a6a3f233dcfe9d553459dc1bebc538ae0183448c9405c351271dea808d908480e61e9793cca111b4cfb9874b799626a1bd9a0f6e0929ad51b97ad81b2438f5fc255db3a3dfec9f0d8393c6b245b03d3faeb58021db3ad391b17a91174a66db4feef1b4c889699bcbea7928f4d29be2d47f76455c8cb1dc7da9cda41962a28ad8cd7b39965b809e7c7eca1c6792c1ce1c8a4cad6290170e91fcc49fa5ff64ab433b4aa081c8da2d9bbb072f9f18ca455469b946c877e3006b34ffd2219335b30ba2e0980f43cebfb629d0b11fe70dff28883ca012c6ae4855fcefea20a08e189eaeed7eb36ed6db3835976f4e60053205805727c5eec15d0e9f155637a9e66268b9c1c302bcaae6ae88cbb8cf1668a487cc996c4662c4a4e195f094cb31c717165e0e13718f8388957dfe0bf69c70cd0bd763dc38c530b67b9c12244fcab8bd13f602de848a2937699f9ef77944e5f22e3b470601789e1838fbea9359c733aaee2c7082b02ee459b7684ef9bbc200da4b62d368351f5520a65ffa506dc9b097117bb7ae88d04d85fb525e91327689ec0fe86971480c0e864012b1e9f044c7d80a4e48c07320dd4292086e4c71d4c98dd826a9bfced112bfa2beb1ce85cad204451ec45703931bf637d4fe89fe8f485620b7f4b21e011a232ade7a8c92be77925e878ae0bea9723749528fe83cf89ecb9616dae6ca0e8d5754ec6c92abb21108c2f33cdc18c6887c430b72c5b193356494cddccc577bd4c2cd53188f352846edff0c2ac7869cb74bb16a77c0f0f194a7a9477ae15abb890bd0bcfeb0c39381a87f1d05319c7e971c10e9ef687f96450b400e25b4285032892b849fd5db8649cedfb03c88defea063ee144a1ab1f3bf05f59c7db364dc39c11a446c3ce16307d78d50315ba29f5bb9a57438564c8c7b3e367cd37d74b2375a4966f47489dc5448f4979428abd32193d3840aa983d3020a9f29d760fc7493ab2576c90b1934b799c1d0d55e4f2caa78f4ce61930c79dc017c2dea0c5085d73a3b0e4a6f341e9a5061a6658af11e5edf95bdad915ac3619969e39bee15788a8de667f92f4efc84f35082d52d562aa74e12cc7f22d3425b58f5056d74afcf162cd44e65b9ee510ff91af094c3d2d42c3b088536d62a98f1c689edcf3ea3fc228d711c109d76ae83d82d6a34dcfbad563cf3726519b519fd48b51741aa86720836494b7a589c778927047a25d73508adaa401e9a6c0767a675e31c5556cbe35fadc9671359b45e985c3c8af84113989b299ae4474b85e4b5d4b0578ab1e8a2915a8df97c4f52a639fe32272cb91bbfb721505dec46d51383cb8973425a714245c2e37d0577fbe0d66381d9239db1f08a380cf609dc699698e0fada2caeda44d58d766c4f8214b10642b80b8d7d8add7cc41d47108ab7d07dab71069a2d982cc900b331caec317942122158bac6eac9175c2dcba0c04443aa9188832b553f5ca8c336880824d6bc02486a2b4c086665d276aafe3b1b93729829adca50c44466fd5b5cb977aa78fbcf5c0f0da1b09216468a11493ffb39efdeda5d669ae92bee2f2fb250aa1b9cbb11c36c7a6c6dd26cdc3cfd572ffd8c1dd72a13c27a327a34c6b6b3d80fc6c67c72152eec0c8ecbdc1bd5cb829b811e7f29af6d786f4e93dd4c96fdda295a6aa258d7b2fcf291c2d68e0b1866032475964ec0c6f2fa8c2d6a3936ecb187350def4e818507bf157c0e9b33406be7660605af14cccc9c799b4e051d0d0899e53495bb8931a6e2984bc6dbe4e02ec8b4642fc2f1cb5fd5a5520b48cfcb49e1f9533838753554dd98b6a1b8a67409279df477330e5f37367e06247ca5c3ffefd00e693dcc0c9c30754121c9ee88a574915b9e77c104fd2f921c2c096573951407ba9b440423d76bdc6fc978237a6e302cede7f99038ec31500884775556941f1edc30e3a417b0e02cb6fb5bfbe5cdfacf4006411287bedc565fb06f1be987416407dc852254934df4ab59edce476f3506e65be6ce6ddf91038642291fb8e92ba5b1f0b105670905a2c14796110bac6f52455b430a47b8eff61
< MD = 1adccf11e5b7ce2a3ddf71e920138c8647ad699c
<
< Len = 48824
< Msg = cd8490c93613bdf1f284b94b330f6d6f45a39c651d2a160b340e2eb696fc6d1c35e88872845190d141c669de92a97daa5433b1d7b0b899fdef2ce74b8fe72a7296a5b5be26d1dc86520367c730c7400c2fa06f91ab4c48a7bf4ae35a5b9acd5296c4fdf7451b0ad9cc439b4e34f11e5d7ef2bdda376f8dd34d6f092b219dc085dd4c4a6308b8808f588eedbbc7af7f64e83182fc7ca7cf4741a341060a7969d31445834c982fa8739ded4555108acbea1666a83da17f77cc42ee73323eb53203e3b790f81c08e94c44678b6538096ab7b09916e6cf7ceb2af85987f8e4d982dff1ab59b0bdccaae1f405a73366b5c5935dd0b43e2d2894290ceb66a0246dc02de728c5bba30255fb56ce8107c3144246c5156a8fe40ada9126adf67227fa56b66c37be63f532516211ca012977b04a97916f201f1baa2629eda520b51508ab4229df2ceedce406dece0110e0a911464f69e7be38fb91deba0addcdb3161d2799c628f5a57fa1dc37357c947681bd9c36f4832c20ac466c0c245de3b250c33282ea1a02d007f03b34ed427631283eb614db4d521f555136e7e42b4cfbee8134c63dbe3bb79b5a8b9f9f5b9f5ac61cfab1c54d197f1e3ba613f251eed616df952d691b88a16466343ef2d0f63882ddd2d55b8a6786308b2257f5d7b38af166bd7f1339d2d8899c9eda8fa86215850ba547450c267eb3c9147d96c38161a69d1584e521ffa23384313a1debcd37f72ddad02adb3cadce7ee34b7c1f42a15d0d030487daf9488aa7562845a11ee7ffccdb38b300935caa31f78a4ff3dd93403cf0c6a16ca611b58c736aafd33d6dc56f0f47878211d26f6ab801b9453a7f74b44593dae0f047ddbbf2c902891111729edec44f69a05944b18e7a601f41ad24fd6833da3dbe3029bd390de7c9841b2ee2b079b2bd2737518fe1bbec88da64769dc36e4a8bf716c219b2fe059d7dd220c1ed2c59878db5bf8b198e0689edee921ebc0cd2d3853fcf57c363050ce58071c5fda6ebcfbc1bb62e9eb956286291a108bdd4191c4ff47900d6068e1ea26b487649af119b9bb15dfed804836f2196cbe12d8fc86e3d7ce89b52ad49dc9ddbce5b370f73f512bedd853039366612453733740586d1372143b09f21dd4dbe1a2bfc308db8e4098c5e4b0c1e16141ee50e85fafefc4e2529b3c7252af37aee6f86e19df28871686107d7d57dcc812bc077602642d2ecefdd5f694b8f336913210793e4068da2178600b1f41cffb5221c9b4b6298afb47e85701d7b1a44241679d8996f916c81ff437261cfc358b9ec42a2ce16ca3bacb8690d6c1d91cfb3e0bf1e7ba45bd01606df856fd03c7e946f7ab371a89e1fde86d05fdd97bd7b1c583b04c2ed2b5f6815a460645e4e1b4e950bf6bd81dd0352d1048df85266f1696534aff5b1cbc17f15d82cc8e0c0d4f0453f9439094f8e0f7f4bc045b654d9a2f1f44a9c57019f63ecc41021c05b5380675cb56ea8bb691d79ee204d2c4edacde3c1fb3f4996a11d84b035f965e74009e2ab80e2c7ea3c84a834d4971a1e9cf423e4ea67ee526eb3c3e4c2d7372c4290a0741e1fcca5ae4cf36705abe98ac81e98a5419baefcaf3093a7e0449ef1021f88ffb7ad21b2677e41cdda12025b06542c4b2564f15e0b99db43b7c7020028bd829372122cd910227cb07c53cb58fd9dc620c0491f3e2bf883fe6ee8cb1f5b73767977d857e4513e8b5612f6ae4b56014e6a3ad2a065b65472212e2f611743484cfaef860999d1dc5608c58412fab888ad72bb87dd9b55b692f31e252daf8944ec5c02a5a9c23903c50dbd845f2fcc3bc9806af13ca7b025cabe675195b1d56f3fe7d7bca12530bcc0af217efcb03a218bdb6f9726536ea902c8303b02e3ced22be59753588b5f0e2f3419fa5345a942dbcdf3010465384a225ba26cdd0f1d74999c69f336bb6d01fae5cf81cbb8c1a7a29c1eb83ca6b51113bde56b8cfb6a5d72557622a37f039d090a689accd02b57c691174338de8e05bb3620c079705c969c58e56b079dc9eb44eb0fcebe548f5a31f4072a5ed56a2f03107bf40a359b2601eddf53cade66f294cfeaa40a0d94b9c90d15f61852f295d3911f8ea914d015885c8c64540a83badf0021a416c3e37b78236a2ecd1fce4114033416bdd3a36c18ec13250ee9c74c0fc4dd564b3d24a825802d5ae402a53bacace115ae3bbb329be79d1e5e42dbaf0a6446431145fe49b86a8703c7c41f8985d54f12e314c16ff89351d8addf66ebba2783f2d1a11965182aa0b0dd2de53586c5a695c6265c2b173958da648611090557bdebf11a1e042f089fe98e049f4796c60d26be38356fe020d9ace9008410d53a1bb7db78b52ee44bac364213f5c59f1eac4e3314f3423b92fdd7a6156608111ac6ddf58385ec1f3df12061208db98816ac948d803fad10d5ece2018c60faa13de5e5a9033745c824932e53f4122a39f635813545c1b74732cd55642f19ed6deca1585ebf7242c849bde981572a2199066e9c912b2068c8f1c8b936c43ae95c6e22bd7b80dfea05f495d751107da5928e806d0af905c87b5a0795df146af6580d8f9c6a0e2645686d43822ce9b4be0bd5937c097917e048b5af71c7e7521d490f107e9231ee5bd9fbf0727ba87774ed24cd52f471ffb71849ebd55605996515bdcfe95bb1df3541e7c42da4166dd01ec3597634aa6455d15fe14af435e8d7a55ff1682d55a2da867ae63d11fb3fd987fa5d7032ecefc35d3fb9570940e779e13da18070e6df5292f97f2a281f9598101102c955fe4808a2319c85fdef3d55b19e05bb8c2d3da64bafb67a53491513a24f6f0804aa162c8a7db25b38089373fecc45a0eaef65dd9be3b4b7f9436a5423fdcdb5a9b60138fc6a2261225390d9ae0d8ab7f0f7ffff69dca06881d33a637d634358abebb333df41151f239add91abaafc89070cb2159ce3a31655c22e4696c9fa7a7211d1251d4bb21ea4a321a3dbebc29d97f526251e40e548dcd7ed07587719a266f006179dcd22e50b3705152817057b097b043ad63b8d867edc20aea9b4c959ef4ff70f47128cfcc21e31f17978ecacc366f459ac1cc459a3976e4173ca322675f84f18036119ec2f204c3fb554a0b72f7e9d8c882ab147b3d280ca9dff7b9160b1b437b901f03cbc05fe05c6f44824b48aa8da52ae7dda1653fd500f9ccd221843cf76513b3b74d094f14d93a00d7cb954bc4cf2f04f9a35e38edcb1e84f62057647dcb3571f1dd296ca1e049f1746a8a282e85138500e7649db756b2d2ad88f11c471c89dc6be2cd43481013b8d0ae83da2b855cea7be424f8b2325b1850d1fdef03e765458df4513d57c72ba9751e1edc3c4e7f97e3202bb46eec7be89871ba3704aa6c6fc08851e551a3f655fa1fb798d12f003faf31c56b6df399a5dd0ed29ef9e4139dbc254bc5d6051840a859eabaaad56324588fae881fd638d2b70fb3813402df61d941ab495588e5fc3823249bf9a03cf877902394f512de118edaf98843a5445e9073fcfa409df3db0221f1c77e2dd21e74f9e10c9e180dc4ed17010eb949c6d67a22bd5337b2c68f9eccdec778ece728e91353696b742c8f5a3a569f054efb8c1ed478ee9b75e26c768a5816aa6bd08a4c72e745fdb5deb34ecb86b3a84346c1c70f9c16fc45bc0421f0da2f630912d5079f390cc53b78e343310de722b53d2a3b4aa386caa0d7e91986e19c3363426ba30eb5284293af81d00158a3f5233327b40c3b989725ba7dd5b31ac7abf8d3e0b737e843065cd7316dc2f374a00bed4cf9caa0d6e232c854df1bc24c3d484bc6bcb14ec770d5745474dc6ac3b3ddbffc551c9fcc2c56a5e0ae17948457c01e701bf1554022bc2b7d9dd42b2b91172fd85e6874d2d61fc7b3bb3cee2a9bfec09f6d7e98279c6f511f4140b116c856c1438e34bca59fdca2409f025b896a52d68719bf93e82e7d89bbf798991fda0af8d06d17f39eba4bca09c1fe594b537ad4c9b94ab52c895539d639425f9146b24b016368a638e5bba391bc8763cae7c52ff9c496884f1d84e5e08ed451358ecb3c4919dd410e82cac35ae744078287c05c89b42999ea6b8b127d40d53a5722d45139e8bc507a11e7add7fa9ab12cc40afeec008a4668e3e6440f27bb5780936c0e3668ac51262390c79b3f21fd041cf36ba3522f3a552714ff188bfd554c60d0e7d11213cf7d3864a5175d4047c2f3284741f18ec22995a5b82bf62190151bc1529c6d9927f9b0c1dacebd9c2dc406f7f64a973f9a70cff6e3abeebeb46514bbf2ead382f7262d46bd43d88c1b91a9011d1f8ba81fa536a7162aee2b2ec6fc0f2d6efc87b98d2e41e0f946969da659c21053775ece415a34d42b6cfd5bc52259867b411dfb991461ca618052309ca9c96468c2da12dfab0e822ff3bbe7ba281982a239ac19c47024fe1f0e3550cf0975add1f680a9dac9b2c4ab0aed4f409ddda6765eb8a0a9d1e9d07458c69ac8195541219b18efcd06c0001f2ae7fee2d404666a18ca3cb3aa4f0623e86c5b1229f6c2ca28d951111294b91edc52730b6b2c46e000672a7c89b2f38045bd3e37dbb8a75e18687a514dcf740c87a34834d3c3cc8aadf6166ec0c42d2be92f90a3af49633ff23cd80848ceb57ac550eaf9ae496bdc6a2d7cf50fe107895b4a1ed014f78af24eccd6a07420f1dc0df1e7c44b4ba937dd43cab9c798371b148325578d61931766af02b45054bdc2d9fcab2f4b49092f6fff7c27886820739d6140a4a905f0020249e8ae8dd87da1a1e7b1851eb01045aaa72dc8a2bf68055e7aed41d85336648a3405195d2ab61b0e29a770461f32fd05e14c17d72c5252f026a7b9abe7ea9176d3c46f6ed9fb716758d97b41e4f5d81a24538f763d83eecafafc668422612b40cfc32b3354b24755fbe400a2bfed494fe6d0ba0051713b776e67e2f1915e94708e6dc74b398f2f526933aad8fe7dc32faf40022606aebb6e0756b994c3176fae7640ee06d6c67bd54764c4752f1bf831f43e0227cba101174c5554ce26400f333dd8e9f6db1cdf670ce407d7d06c3aef4c0724b62edc8f1ba3e04f0e394d15a73b9255abb4d6ac70303dcf9160d32dc02d4804219ed5c7e3b48402e58ab2f58305f9bb95d2a8759947de96328ed5234cfe7d0b2a9a014df7e4cd0ae48906315f139b8635d2e6bd4aba32e62b8906cdfe5622c411bf0373d0cb07d17bb2bb5b83eae4401c243605fd1df759fd0ddc704ccab5a9776c40fbf6bde0f11b9646c699f26063a9550ac228c9884c277bcadcc0a2c225dc203e28e253c4e464b23d2529d09c7b7dd3c984667372472b615645f294c4e3b0797f9d1c234015b78502d98bfc04f1fa2f16cf3e7221d5794d035e4b172a4d84e679cb1c82df2fb49d3c6668eb1661bed56705096c2371a19d668832808eedd9e5b1256c18fe7ccc494e5e29145d453c553ec86fb7f3a634d0d45661875f2f1005ba5e734c1a976f37cd23450e4606e32d027bc9ec2edd9395e14b2082179bd7b4f9b8caa2d00a2de71d48553f7d4153cb56a1b08f11925e4b11c9281744ae9171f3d6faa3ab3f88c5c34fd23e4f6efeceafdcbc07686ef56efa62c0ad62f1cdcb4d3b5bc508c1f05263bc347158fa5495828f34eb7fcde98fefaa82bafeefed3f4a58968d751c051b52e0047f066de5be533bc3b1e439ab1c8602f6c67503803c8fa113737cb8279f358dbacdf45432b7a654d0e1122cca93420e956661d7275181c75b0d9c20e84c7007dfc49f27bc00007cf4ffa631c892981fd70141d532fcd51de5c23fe0b7a186d0dc296362f235d61698740cc315891cc9342da17843bcde274c17e462263d0e8b4832dd9075a7bbb443d4b26b41e534ad5551ed5ada102175e695363fb48d6b99ac978a3aa6f405d87f983384ce35740e930491d75675337c5dc081e3d301228e61bde5cc169968e5b4350cca2b085f9f75cc4b88497a78cd0a0073d90246c7dc102c7cbf3516498e8a41aa85d8cc5bc285ff66e8338e85ca83fb6889e2bccff52059bb9e92e92c155a349952680ffd0a3c346061a53fdf074417fc90c4d1af7c2acc3ee4b080752cbc9455ba5931b7e910f1e4af0efce905d2cc9c685923ead387fa532c0e8ad92719c76c281cd010e1acce500ae1443838b8afb48af032069dd07aa4df0d56bcb70a64592633699c8658102f1fbca441325e27f1732a7a973d8cb3a0684d72943ef6f1892f2d7ccf39bb6dfe5801ab98653bdbcfbb787bf125253be2624f6cf44177d588bd7b780d9e3f4e3a4e50b8a253fa21abce6a94b9073289c76773b46140f5a6e46b9de9ec066c176f5d1a69f380e1901216617363362d13ebb26ad74fb008ec08841550ff14ca800a1ecf2e007ebaad9f4e0d9664448d60ac0d8544243129fb81c1723b9b4bc2ee971dff736d9fcde0afbfbf5c50a4cc06a4c363998326c17bdc9e2508651dedd9a2a52bd87f8693cfcff60753acf9716c526e8635f12377e36564ae55d0fdb3c7997ec4dbdaa5b4d18c7b660acd95060831795da7d299a5a8d8cf9e92537dbd3ef7f56aebe38fa97c41da6bf0572a0270be7e5a7dcc0be3529339464c811052b65a938e874ea6da469c7d8992ce0aff1c75e82d1621ecb967213c65f2de582cb41de3804c507ddfc708ef3f6096ba4491e431160f98de806d0f334e03cfb7a3bece601099bd971253f3aa0df845da8b478603d5d88533d0cab9c89f2dd9a1404cf8939ffdda652a94093865a85fce2bc3d7babcff7b9f3306bd76b9af80c78ad518f89ee73b7a710da604e72f4927be8d65d06be2e0732fa786a83e27597cfbed9bf98df445499e0746b9f2cb9659ac0a9cef433148521f33b1d78d13c8441c0d1e20fd93ac450a3787a2292bcbd68cd1f961d34937be9a21abaf26f361bf53aa0c095e53c51f3e04d567eabe6e40d96a17c2bcc9230b18f7e079bc549a314b4ae21d30a3341aa205bc75c7f1d21b0a49549c300faeda243d0ce18da5e66c5b663cd705005dd9fea0a9564174abb797d64c58fdab1fae44576d514b75eaa31c9278b15bf9b6df7c6c2873d7a56fb91ab77b83761a09f9e1ddae535622fb87f7462256a60dd39dd3ceb6690b0272920b635ea639daf24f95462c523e5bbd8d8407c61163ab38877d5edfa04c2a78d4d240523ba97c7d01c71783f8748e85164b4dd08c25506a4ed18300b42b7bc6e417f512ae456ceec2ffc83190991a06d4a58ede215babcd3688e1d61f1975016244e80c88ae2aec05c7eeb1c50caca72b3b415b6b870bf5e10bd1ac3ba6b4acb1d1afac554444d94c97e171005fa4ea9c651bb4e527ff58d0c2f90fb453a92d6546a26e9e98395b09e8471bdcf2a145aacb649708cf048a7856ce8cf390c107ff2c66efbf2a76c5b041860ea576103cd8c6b25e50eca9ff6a2fa88083fe9ac0d1fb639c516b9bcdf23c34c6145a705498ff9b9747f15e1c08c63da6efeda4eca02c3f00dfec06c82220c9de840040118dde76be788daf84e6a2f44c81fe6defcc474f99c51c4648d297cbc48f081e0809dbda505d020cbe865e430e0491644ec8c52bd3ab8ce8c4862990f49fe2588caf804ce9500ef42d5a50c057c257168e283e4a4aedbe4ccfaf3eeffb212f9e23d15434d60bf4f455f512e2b655aff3225d1b217c261110cec0400f54dd303d6231d028c2eb649bccc91d30a6391c88bff9d447c3cf35a3467be5957e0ea4d4dc237c9f2c68ce48f658f820a3d72d559b60f233ce538c92cb148808e34fedf2d648c21e7f2ea29a77270c393bda42d869351d6c085d965dc12cbfd0311b8bf604f4391d378781eea3b5f1e0da9d0d8f8de88e56fe47d362cd46f591d3ec0f7cccb85a21f21ddcd4107821ce0ca9ddf99dfdfd9b0c9cd45053e5b1b4385bd8f5b227ada31b5c23e9420014474e8b4494fde7c38edfe70994d97b8cbdfac588df49a49c472fcce78cccc051f31cbbc1e0422878d8d490f3aee28adf1587c38fb7e7d1be54abeaa83cf54b633803a5e669ff4295df8735231ce39631616bd05e0e31117c722c2fd6787003b0bc7fe422a089c89329544e085d71102c1813769450a9f66f160d1702cdb17bd2c6fdf0f722762d193ce83623eeffab17b01b10a31db6e2feb6eb3abdbb2e36320e1a56e44e48d26090afa7f65003a98cbfef590ac3ec89b3eb230557cf6aa566e841806aa2767b21bb26fe001f11ae039e0c9a4bf1bf3d271960f16158eb5bd9ebf0080abd8369d512cab2d1aaae2b14d0ff6ee705a38fb0c801a98b0624cc138fc24834fdf430f33e1760db913da3290f34415c9e3df3e97da1780545ab68ac5a24db89f24d62f4a399728e4144a8c89f47ac2d29e30c49b0bcf790a5e3d3fcd1943c6a28f37251d9dd827a69579e6c17b629c927473b5a07b0a29d9562708d6c8ce576109ad1a3473ffb2047eb069beeec24c114bef392c929038c92abd0e6a19b610e27881361824d57008b7373d0ab76379570ded76c9b8284fe2c247791073c29b2fc6fca05019220ab92856892d3c0dcc6da0b597fe559c162d060d71513ebca050d9638164b9ae271fba5575ade787ec5aee8fc253d1b234b1df561db3e36ac64b9b0100dd6b407043537b2b141f


< MD = 2cbc07b9b9c819b8fd38d8a614a8a9c3fa7e40ee
make[1]: *** [test_sha] Error 1
make: *** [tests] Error 2

jeffrey@newton~/openssl-fips-1.2$

Dr. Stephen Henson

unread,
May 24, 2011, 7:18:43 AM5/24/11
to
On Mon, May 23, 2011, ciphertexto wrote:

> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
> > On Sun, May 22, 2011, Bill Durant wrote:
> >
> >> Hello,
> >>
> >> Has anyone been able to build a "working" 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
> >>
> >> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7.
> >>
> >> But fips_shatest and the openssl command are core dumping when I do a 'make test'
> >>
> >> For example:
> >>
> >> ./config fipscanisterbuild
> >> make
> >> make test (fips_shatest and openssl core dump at this step)
> >>
> >
> > Does fips_test_suite run OK?
>
>

> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>
> =====
> $ ./fips_test_suite
> FIPS-mode test application
>
> 1. Non-Approved cryptographic operation test...
> =====
>
> The CPU is at 100% on fips_test_suite. It does not get past that.
>
> Any ideas?
>

It can take a long time to execute sometimes as it performs two slow DH
parameter generation operations. Retry it a few times. If it still doesn't
complete try:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a

Note that the utilities in the 1.2.3 build come from an ancient version of
OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable
OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

ciphertexto

unread,
May 24, 2011, 6:34:24 PM5/24/11
to


fips_test_suite hangs (stayed there for more than 24 hours). So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl.

I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).

$ apps/openssl version
OpenSSL 0.9.8r-fips 8 Feb 2011

$ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
Segmentation fault (core dumped)

$ otool -c /cores/core.97244 | head -4
/cores/core.97244:


Argument strings on the stack at: 00007fff5fc00000

/Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl

$ gdb apps/openssl /cores/core.97244
GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries .... done

Reading symbols for shared libraries . done
Reading symbols for shared libraries .... done
#0 0x000000003f61ffff in ?? ()
(gdb) bt
#0 0x000000003f61ffff in ?? ()
Cannot access memory at address 0x3f61ffff
#1 0x00000000092ff8bb in ?? ()
(gdb) quit

So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

Thanks,

Bill

Dr. Stephen Henson

unread,
May 24, 2011, 6:58:59 PM5/24/11
to

I don't have access to that platform so can't say for sure: it could
conceivably be a compiler bug.

Can you try a debug build of fipscanitsr using 0.9.8r?

NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED
LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some
messages get cut and pasted into cookbooks as "the right way to do things".

Something like:

./config -d fipscanisterbuild
make

Then try the version command again and see where it crashes and why.

Bill Durant

unread,
May 24, 2011, 7:48:46 PM5/24/11
to


Here is what I get with the -d option:

$ ./config -d fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.

And without the -d option, I get the following:

$ ./config fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)

Notice that it configures for "darwin-i386-cc" which I believe it is incorrect. I am thinking that it should configure for "darwin64-x86_64-cc" instead.

And my system details are:

$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
| | "firmware-abi" = <"EFI64">

What to do?

Thanks,

Bill

Dr. Stephen Henson

unread,
May 24, 2011, 8:42:39 PM5/24/11
to

Ah that explains it. There is no darwin64-x86_64-cc target for the validated
tarball so it isn't supported. It is possible to add new platforms via a
change letter but so far no one has been interested in including that one.

Bill Durant

unread,
May 24, 2011, 8:58:25 PM5/24/11
to


What is the procedure for a change letter? How do I make the request to add darwin64-x86_64-cc in the validated tarball?

Thanks,

Bill

Steve Marquess

unread,
May 25, 2011, 1:11:14 PM5/25/11
to
On 05/24/2011 08:58 PM, Bill Durant wrote:
> ...

>> Ah that explains it. There is no darwin64-x86_64-cc target for the validated
>> tarball so it isn't supported. It is possible to add new platforms via a
>> change letter but so far no one has been interested in including that one.
>
> What is the procedure for a change letter? How do I make the request to add darwin64-x86_64-cc in the validated tarball?
>
> Thanks,
>
> Bill

Change letters are performed by the "vendor of record" which in this
case (certificate #1051) is the Open Source Software Institute (OSSI).
OSF has a close working relationship with OSSI and we manage the change
letter process for them. The cost varies depending on the platform(s)
and nature of the change but is in the ballpark of US$10K for one
uncomplicated platform. One big appeal of the change letter mod process
is that results can usually be obtained in weeks instead of the many
months needed for a new validation.

My contact info is below if you want more info.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marq...@opensslfoundation.com

0 new messages