Thanks. We're going ahead with patching 0.9.8zc to ignore this test. I'm not sure if it's the "right" solution, but given that 0.9.8 is EOL, and therefore FIPS 1.2.4 is VERY unlikely to ever be updated, would it be reasonable to have 0.9.8 disable this test when doing a FIPS build?
I only ask this because our customers are not generally comfortable with statements like "You can't have FIPS any more," or "It passes all the tests but one." I'd be happy to put together the patch to accomplish this, if it could be incorporated into the trunk for 0.9.8. Thanks again for you help! -russ On Oct 16, 2014, at 8:29 AM, Dr. Stephen Henson <[email protected]> wrote: On Wed, Oct 15, 2014, Russell Selph wrote: > Apologies if this is a duplicate post. I tried first via Google Groups, but > apparently it's read-only. ;-) > > Has anyone else built 0.9.8zc with FIPS 1.2.4? I've been unable to get a > build that passes the 'make test' phase. I'm using build scripts that > worked for 0.9.8.zb. (More details on the scripts below.) This is > happening on Linux RHEL5 (gcc 4.1.2), Mac OS X 10.9.5 (Xcode 6.0.1), as well > as Windows 7 (VS 2010). > > Off hand, it seems like this kind of failure could be accounted for by > something fundamental, such as an incompatible API change in libcrypto, or a > word size mismatch between the FIPS and the libssl builds. I'm about to > start digging through the diffs to get a handle on this, but I was wondering > if I'm alone in having this problem. Any information about experiences > positive or negative would be very helpful. > The cause is a sanity check in exptest that x ** 0 mod 1 == 0. The BN library in OpenSSL itself was fixed to cover this case but the FIPS capable OpenSSL uses the BN library in the 1.2.x FIPS module which can't be fixed. See commit: 45d129511ff0b43be9a4271133c9ee22658ff07e This doesn't affect the normal operation of the FIPS modules so it can be ignored. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
