[openssl-dev] [openssl.org #3689] Bug report - OpenSSL 0.9.8ze with FIPS canister 1.2.4 big number test failure

Neitzert, Greg A via RT rt at openssl.org
Thu Feb 5 15:08:59 UTC 2015 

Summary: 'big number library' test fails during 'make test' phase of OpenSSL 0.9.8ze build when built with the FIPS canister.

NOTE:  I am not sure if this would qualify for support since 0.9.8 is in an end of life mode, but I am submitting in case it is, or at least a bug entry could be made if it won't be fixed.

Version: OpenSSL 0.9.8ze (also reproducible on 0.9.8zb, zc, zd) when built with FIPS canister inclusion.
Does NOT occur on OpenSSL 0.9.8za.

NOTE:  Problem ONLY occurs if you build the FIPS canister and build OpenSSL with the 'fips' and '-with-fipslibdir' option.  Problem does NOT occur if you build OpenSSL without the FIPS canister.  Note that the FIPS canister continues to build with no issues.  The failing build is the openssl 0.9.8ze build when FIPS canister is flagged for inclusion.

Operating system: SLES 11 SP1, SLES 11 SP3, RedHat Linux 6.5 (all x86_64)

Problem:
During the 'make test' phase of the build, the following error is generated:
starting big number library test, could take a while...
test BN_add
test BN_sub
test BN_lshift1
test BN_lshift (fixed)
test BN_lshift
test BN_rshift1
test BN_rshift
test BN_sqr
Square test failed: BN_sqr and BN_mul produce different results!
make[1]: *** [test_bn] Error 1

This error occurs on all of the operating systems listed above, using any version of OpenSSL 0.9.8 greater than 0.9.8za.
If you build with the same source without the 'fips' and '-with-fipslibdir' flags to 'config', the build including the 'make test' is successful.

The following are the configuration flags used for the build:

./config threads shared no-rc5 no-idea enable-camellia zlib fips no-ec --with-fipslibdir=/tmp/openssl-fips-1.2/build/BUILD/fips-1.2/openssl-fips-1.2.4/fips/ --prefix=/usr/local/ssl/fips-1.0 --libdir=lib --openssldir=/usr/local/ssl/fips-1.0 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -m64 -mtune=generic -std=gnu99 -Wa,--noexecstack -fomit-frame-pointer -DTERMIO -DPURIFY -DSSL_FORBID_ENULL -D_GNU_SOURCE -Wall -fstack-protector

NOTE:  The following option was also included in my generated config on SLES 11:
--param=ssp-buffer-size=4

This parameter did not work on RedHat and was omitted from the ./config phase.

The FIPS 1.2.4 canister was built prior to the OpenSSL build as required.
This has worked with all previous levels of OpenSSL through OpenSSL 0.9.8za.

Thanks,
Greg Neitzert
Unisys Corp







Greg Neitzert  |  Software Engineer |  Middleware Development | ESC | TCIS

Unisys | Home Based | Sioux Falls, SD 57106 USA | NET 279-9662 | 612-486-9662    [Description: cid:image001.gif at 01CAF35C.09F4CF20] <http://www.youtube.com/theunisyschannel>  [Description: cid:image002.gif at 01CAF35C.09F4CF20] <http://www.facebook.com/unisyscorp>  [Description: cid:image003.gif at 01CAF35C.09F4CF20] <http://www.linkedin.com/companies/unisys>  [Description: cid:image004.gif at 01CAF35C.09F4CF20] <http://www.twitter.com/unisyscorp>  [Description: cid:image005.gif at 01CAF35C.09F4CF20] <http://www.unisys.com/>


[cid:image008.gif at 01CD10E5.82765240]


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.






-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 1192 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0005.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.gif
Type: image/gif
Size: 759 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0006.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 1188 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0007.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.gif
Type: image/gif
Size: 1195 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0008.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.jpg
Type: image/jpeg
Size: 731 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.gif
Type: image/gif
Size: 2511 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150205/06a7601b/attachment-0009.gif>

More information about the openssl-dev mailing list