#63421 closed defect (fixed)

openssl @ 1.1.1l: tests fail when building on 10.11

Reported by: msquire (Mike Squire) Owned by: larryv (Lawrence Velázquez)
Priority: Normal Milestone:
Component: ports Version: 2.7.1
Keywords: elcapitan Cc: neverpanic (Clemens Lang)
Port: openssl


'port test' fails on 10.11, specifically the '05-rand_test.t' test. The port has a patch which includes the relevant CommonCrypto headers in include/crypto/rand.h if the OS version is >= 10.10 with this conditition:


This is enough to make it build without error, but unfortunately the test fails. I managed to fix it by changing the 101000 to 101200 so it doesn't use the CommonCrypto stuff with El Capitan but I don't know if this problem exists with later versions too. It is possible that in fact the test is broken on older versions, but I am afraid I don't know enough about it to be any further help.

Change History (6)

comment:1 Changed 15 months ago by fhgwright (Fred Wright)

It looks like the test failures are unrelated to the patch mentioned above, and not entirely reproducible. I've run the tests 3 times on 10.4-1.13 Intel, as well as once on 10.4-10.5 ppc and on 10.14-10.15 Intel, with the following results:

10.4-10.5 ppc:  Passed once
10.4-10.5 i386:  Passed three times
10.6 i386:  Failed three times
10.6-10.8 x86_64:  Failed three times
10.9-10.11:  Passed three times
10.12 x86_64:  Failed once, passed twice
10.13 x86_64:  Passed three times
10.14-10.15 x86_64:  Passed once

Note the three passes on 10.11 (without any change beyond my own 10.4 fix), as well as the inconsistent behavior on 10.12.

Based on a preliminary look at the logs, it looks like this is related to the test framework rather than the code being tested. I haven't yet tried the previous version to see if this is a new problem.

comment:2 Changed 15 months ago by kencu (Ken)

Your thoroughness is inspiring. What do you see as our safest path forward?

comment:3 Changed 15 months ago by msquire (Mike Squire)

Indeed, kudos for thorough testing!

I did a little bit more investigation myself... It is interesting that it passed for you on 10.11 - I have just tried 10 clean builds and the test always fails for me. If it is relevant, this is a Mid-2009 MacBook Pro, and here is some version information:

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.11.6
BuildVersion:   15G22010
$ xcodebuild -version
Xcode 8.2.1
Build version 8C1002

Running the test in isolation produces these errors:

# ERROR: (int) 'status == 0' failed @ test/drbgtest.c:697
# [11] compared to [0]
# ERROR: (bool) 'test_drbg_reseed_after_fork(master, public, private) == true' failed @ test/drbgtest.c:799
# false

And looking at the offending test it seems the failure is because the child process it forks off is segfaulting.

I hope this helps.

comment:4 Changed 15 months ago by kencu (Ken)

after much waiting, OpenSSL 3.0 has been finally released:


So I suspect that is where most of our openssl efforts will soon be expended.

comment:5 Changed 15 months ago by msquire (Mike Squire)

Nice. I downloaded the 3.0.0 source code and tried to build it to see what would happen. First thing I needed to do was pass the "no-asm" flag to the Configure script because the build bombed out with a whole load of errors when it tried to compile the assembler modules. This made it build without error, but the same test failed as before with 1.1.1l. And apparently for the same reason (segfaulting child processes in the test).

Turns out the changes made by the patch to 1.1.1l are in the upstream 3.0.0 release so to make it build successfully and pass all the tests I needed to do:

make test

comment:6 Changed 14 months ago by fhgwright (Fred Wright)

Resolution: fixed
Status: assignedclosed

In 8f45b17de2814464ad2ab5c0c436cee2f87f61c8/macports-ports (master):

openssl: Fix build on 10.4, RNG on 10.10-10.11

The patch for pre-Yosemite OS versions relied on Availability.h, which
didn't exist in 10.4. This updates the patch by substituting the
ENVIRONMENT... versions of the macros to avoid the need for the
header, as well as eliminating the superfluous defined() checks.

In addition, the RNG from Apple crypto apparently doesn't work
correctly prior to 10.12, so this updates the version threshold for
its use. Because this changes code on 10.10 and 10.11, it includes a
revbump. Dependents should only require revbumps to pick up the fix
if they link statically.

It also renames and adjusts the patch to conform to MacPorts style,
as well as adjusting the comments related to the patch.

Closes: #63421

Built on 10.4-10.5 ppc, 10.4-10.6 i386, and 10.6-10.15 x86_64.
Verified that libcrypto references _CCRandomGenerateBytes in OS
versions >=10.12 and not otherwise.
Tests pass on 10.4-10.5 and 10.9-10.15.
Test framework has preexisting issues on 10.6-10.8.

Note: See TracTickets for help on using tickets.