[openssl-users] OpenSSL 1.0.2 Solaris 32 bit build is broken

John Foley foleyj at cisco.com
Wed Apr 15 20:08:55 UTC 2015


This appears to be a different problem than the crash in SHA.  Since
you're seeing a "bad record mac", it appears the TLS handshake has made
it through the ChangeCipherSpec message.  Do you know which cipher suite
is being negotiated?  If it's AES, it may be worth trying a 3DES cipher
suite.  If the issue is in the AES layer, one of the 3DES cipher suites
should work.

By the way, have you run a 'make test' after building OpenSSL?  Are all
the test suites passing?  If not, which one is failing?



On 04/15/2015 12:26 PM, John Unsworth wrote:
>
> Still exactly the same crash. And even if these assembly code problems
> can be fixed there is still the negotiation error after compiling with
> no-asm.
>
>  
>
> 4280581268:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad
> record mac:s3_pkt.c:1456:SSL alert number 20
>
> 4280581268:error:140790E5:SSL routines:ssl23_write:ssl handshake
> failure:s23_lib.c:177:
>
>  
>
> John.
>
>  
>
> *From:*openssl-users [mailto:openssl-users-bounces at openssl.org] *On
> Behalf Of *John Foley
> *Sent:* 15 April 2015 16:45
> *To:* openssl-users at openssl.org
> *Subject:* Re: [openssl-users] OpenSSL 1.0.2 Solaris 32 bit build is
> broken
>
>  
>
> Looks like the crash is in SHA-512 this time, not SHA-1.  There's a
> separate perl script to generate that assembly code.  Try the 1.0.1
> version of sha512-sparcv9.pl.
>
> The output from your rand command is valid.  You can use the -base64
> option if you want something more readable.
>
>
> On 04/15/2015 11:13 AM, John Unsworth wrote:
>
>     That seems to have fixed the crash.
>
>      
>
>     -bash-3.00$ ./openssl rand 64
>
>     zÔòMÉÜOvá¯@ét†Å­EÙ^±Q!þ\‰b_¨ëYŸÁµiT-&n߇ñ¬“B+Õ9kx©î%hRÈz-bash-3.00$
>
>      
>
>     Not sure about the output though.
>
>      
>
>     However negotiation causes a core:
>
>      
>
>     -bash-3.00$ ./openssl s_client -connect eos.es.cpth.ie:4250
>
>     CONNECTED(00000004)
>
>     depth=0 CN = jusworth-lt4.eu.cp.net
>
>     verify error:num=20:unable to get local issuer certificate
>
>     verify return:1
>
>     depth=0 CN = jusworth-lt4.eu.cp.net
>
>     verify error:num=21:unable to verify the first certificate
>
>     verify return:1
>
>     Segmentation Fault (core dumped)
>
>     -bash-3.00$ pstack core
>
>     core 'core' of 12587:   ./openssl s_client -connect
>     eos.es.cpth.ie:4250
>
>     000ed408 sha512_block_data_order (30e538, 30c050, 71a, 30e588,
>     30c050, 64f98fa7) + 8
>
>     0009fb30 ssl3_digest_cached_records (2f8ae0, 6, 2f8ea0, 14, 100,
>     2f8ea0) + 1cc
>
>     000980ec ssl3_get_certificate_request (2f8ae0, 2f8ea0, 2f8ea0, 10,
>     a42e0, 2f8ae0) + 90
>
>     00093ad8 ssl3_connect (2f8ae0, 0, 1180, 1000, 1130, ffffffff) + 6c0
>
>     000aa2b8 ssl23_get_server_hello (2f8ae0, 16, 3, 3, 2f8ea0, 301638)
>     + 648
>
>     000a9198 ssl23_connect (2f8ae0, 0, 3000, 2b4d64, 2b3d78, 1) + 588
>
>     000aa60c ssl23_write (2f8ae0, 2f0270, 0, 3000, ff247c94, a8c10) + 4c
>
>     0004ee64 s_client_main (0, 0, 1, 2b4d64, 2f8ae0, 2f4280) + 7374
>
>     0001328c do_cmd   (2eb3c8, 3, ffbffad0, 2b4638, 13e64, 2b3d78) + b8
>
>     00012f08 main     (4, ffbffacc, 2eb3c8, 29fc00, 2b3d78, 2b49dc) + 3a4
>
>     00012a08 _start   (0, 0, 0, 0, 0, 2b3d78) + 108
>
>      
>
>     Regards,
>
>     John
>
>      
>
>     *From:*openssl-users [mailto:openssl-users-bounces at openssl.org]
>     *On Behalf Of *John Foley
>     *Sent:* 15 April 2015 15:10
>     *To:* openssl-users at openssl.org <mailto:openssl-users at openssl.org>
>     *Subject:* Re: [openssl-users] OpenSSL 1.0.2 Solaris 32 bit build
>     is broken
>
>      
>
>     How about the ./openssl sha1 command?  Does that bomb too?
>
>     It might be interesting to copy crypto/sha/asm/sha1-sparcv9.pl
>     from the 1.0.1 source into the 1.0.2 source.  Then clean,
>     configure, compile and try again.  There were changes to this file
>     between 1.0.1 and 1.0.2.  Perhaps a bug was introduced.  I'm
>     assuming this script generates the SHA source for your target
>     platform. 
>
>
>
>     On 04/15/2015 09:56 AM, John Unsworth wrote:
>
>         core 'core' of 24243:   ./openssl rand 64
>
>         000e9ce8 sha1_block_data_order (2ec298, 2ec2f4, 4, ffbfe018,
>         ffbfe01c, 44) + 8
>
>         00226160 ssleay_rand_add (ffbfe114, 1, 20, ffbfdfec, 0, 14) + 530
>
>         00227048 RAND_poll (4, ffbfe100, ffbfe120, ffbfe120, 2c0650,
>         2c0644) + 38c
>
>         00226c00 ssleay_rand_status (c734, 0, 2b9f7c, 2c05cc, 2a0e70,
>         13000) + 138
>
>         00065eb4 app_RAND_load_file (ffbfe418, 2d5238, 0, 2800, 0, 1) + 88
>
>         00077cb8 rand_main (0, 0, ff242b30, 0, 0, 0) + 4b8
>
>         0001328c do_cmd   (2eb4e8, 2, ffbffae0, 2b4728, 13e64, 2b3e98)
>         + b8
>
>         00012f08 main     (3, ffbffadc, 2eb4e8, 2a0000, 2b3e98,
>         2b4afc) + 3a4
>
>         00012a08 _start   (0, 0, 0, 0, 0, 2b3e98) + 108
>
>          
>
>         Regards,
>
>         John.
>
>          
>
>         *From:*openssl-users
>         [mailto:openssl-users-bounces at openssl.org] *On Behalf Of *John
>         Foley
>         *Sent:* 15 April 2015 13:31
>         *To:* openssl-users at openssl.org <mailto:openssl-users at openssl.org>
>         *Subject:* Re: [openssl-users] OpenSSL 1.0.2 Solaris 32 bit
>         build is broken
>
>          
>
>         Do you see the same stack trace when simply using the random
>         number generator:
>
>         ./openssl rand 64
>
>         What if you simply use SHA1:
>
>         ./openssl sha1 <somefile>
>
>
>
>
>         On 04/14/2015 12:17 PM, John Unsworth wrote:
>
>             Is no-one interested at all about this problem? Or do I
>             need to send it to another place?
>
>              
>
>             Regards,
>
>             John.
>
>              
>
>             *From:*openssl-users
>             [mailto:openssl-users-bounces at openssl.org] *On Behalf Of
>             *John Unsworth
>             *Sent:* 10 April 2015 14:54
>             *To:* openssl-users at openssl.org
>             <mailto:openssl-users at openssl.org>
>             *Subject:* Re: [openssl-users] OpenSSL 1.0.2 Solaris 32
>             bit build is broken
>
>              
>
>             I have compiled 1.0.1m in the same way and that works fine
>             using asm.
>
>              
>
>             John.
>
>              
>
>             *From:*openssl-users
>             [mailto:openssl-users-bounces at openssl.org] *On Behalf Of
>             *John Unsworth
>             *Sent:* 10 April 2015 12:21
>             *To:* openssl-users at openssl.org
>             <mailto:openssl-users at openssl.org>
>             *Subject:* [openssl-users] OpenSSL 1.0.2 Solaris 32 bit
>             build is broken
>
>              
>
>             I have an application that runs quite happily using
>             OpenSSL 1.0.1h on Solaris 32 bit. I want to upgrade but
>             both 1.0.2 and 1.0.2a cause problems.
>
>              
>
>             1 When building 1.0.2 using
>
>              
>
>             ./Configure solaris-sparcv9-cc no-shared -m32 -xcode=pic32
>             -xldscope=hidden
>
>              
>
>             openssl s_client crashes on start:
>
>              
>
>             -bash-3.00$ ./openssl s_client -connect eos.es.cpth.ie:4250
>
>             Segmentation Fault (core dumped)
>
>             -bash-3.00$ pstack core
>
>             core 'core' of 468:     ./openssl s_client -connect
>             eos.es.cpth.ie:4250
>
>             000e9ce8 sha1_block_data_order (2ed490, 2ed4ec, 4,
>             ffbfebc0, ffbfebc4, 44) + 8
>
>             00226140 ssleay_rand_add (ffbfecbc, 1, 20, ffbfeb94, 0,
>             14) + 530
>
>             00227028 RAND_poll (4, ffbfeca8, ffbfecc8, ffbfecc8,
>             2c0630, 2c0624) + 38c
>
>             00226be0 ssleay_rand_status (c734, 0, 2b9f5c, 2c05ac,
>             2a0e50, 13000) + 138
>
>             00065eb4 app_RAND_load_file (ffbfefc0, 2d5218, 1, 2800, 0,
>             1) + 88
>
>             0004d784 s_client_main (0, c00, 0, c00, 2b4adc, 2f4380) + 5c94
>
>             0001328c do_cmd   (2eb4c8, 3, ffbffa88, 2b4738, 13e64,
>             2b3e78) + b8
>
>             00012f08 main     (4, ffbffa84, 2eb4c8, 2a0000, 2b3e78,
>             2b4adc) + 3a4
>
>             00012a08 _start   (0, 0, 0, 0, 0, 2b3e78) + 108
>
>              
>
>             2 So I then rebuilt adding no-asm flag. It manages to
>             connect but negotiation fails with an error:
>
>              
>
>             4280581268:error:140943FC:SSL
>             routines:ssl3_read_bytes:sslv3 alert bad record
>             mac:s3_pkt.c:1456:SSL alert number 20
>
>             4280581268:error:140790E5:SSL routines:ssl23_write:ssl
>             handshake failure:s23_lib.c:177:
>
>              
>
>             This is against the server that is still running 1.0.1h
>             and can be successfully connected with openssl built with
>             1.0.1h.
>
>              
>
>             Note that the 64 bit build seems to work perfectly.
>             Unfortunately for historical reasons we need to use the 32
>             bit version.
>
>              
>
>             The 32 bit builds that we use on Windows and Linux also
>             work perfectly. Is it something to do with byte order?
>
>              
>
>             Regards,
>
>             John.
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
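
Added example, not part of the original thread: a small decoder for the two OpenSSL 1.0.x error-queue lines quoted above. It unpacks the 8-hex-digit code into library, function and reason fields (layout per `ERR_GET_LIB`/`ERR_GET_FUNC`/`ERR_GET_REASON` in 1.0.x `err.h`) and flags SSL reasons at or above `SSL_AD_REASON_OFFSET` as alerts received from the peer. The function name and the sample constant are assumptions made for this illustration.

```python
import re

ERR_LIB_SSL = 20             # ERR_LIB_SSL in OpenSSL 1.0.x err.h
SSL_AD_REASON_OFFSET = 1000  # ssl.h: SSL reason >= 1000 means "alert received from peer"

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 51: "decrypt_error"}

# <thread id>:error:<packed code>:<lib>:<func>:<reason>:<file>:<line>:<optional data>
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def decode_error_line(text):
    """Decode one error-queue line; returns a dict, or None if it does not parse."""
    # Mail clients wrap these lines, so collapse all whitespace runs first.
    m = LINE_RE.match(" ".join(text.split()))
    if m is None:
        return None
    code = int(m["code"], 16)
    lib = (code >> 24) & 0xFF      # top 8 bits: library number
    func = (code >> 12) & 0xFFF    # middle 12 bits: function code
    reason = code & 0xFFF          # low 12 bits: reason code
    peer_alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        peer_alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": m["func"], "reason_text": m["reason"],
        "source": "%s:%s" % (m["file"], m["line"]),
        # "peer" means the remote side rejected something this build sent.
        "origin": "peer" if peer_alert is not None else "local",
        "peer_alert": peer_alert,
        "alert_name": ALERTS.get(peer_alert),
    }

# The two lines from the thread, re-joined after mail wrapping.
SAMPLE = [
    "4280581268:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad\n"
    "record mac:s3_pkt.c:1456:SSL alert number 20",
    "4280581268:error:140790E5:SSL routines:ssl23_write:ssl handshake\n"
    "failure:s23_lib.c:177:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_error_line(entry))
```

For the first line the reason field decodes to 1020, i.e. alert 20 (`bad_record_mac`) sent by the server, so the record that failed MAC verification was one produced by the 32-bit client build.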
