[openssl-users] POST Integrity test/fingerprint failure on 32-bit MIPS/R3000 with openssl-fips-2.0.5

Rohit Kaushal rohit.kaushal at gmail.com
Tue Jan 6 02:02:21 UTC 2015


Hello,
I am working on a validation with a FIPS lab including algorithm testing
etc. and not claiming any OpenSSL 2.0.5 FIPS certs.
For this, I have made minor changes to the fips-openssl-2.0.5 source
including the fips_test_suite.c file.
This (modified) fips_test_suite binary with fipscanister.o static linkage
runs fine on MIPS.
A cloned binary (my_fips_test_suite) linked via a FIPS capable libcrypto.so
(openssl-1.0.1j) fails.

This behavior is seen when compiled natively on MIPS or via a mipscross
toolchain (mipsisa32-xlr-linux).
The configure env on my (x86) build machine provides the necessary ARCH and
CC so CROSS_COMPILE isn't specified.
The incore allows the binary creation to compute the hmac-sha1 for
fipscanister and fips_premain.

The fipsopenssl objects get installed in /usr/local/ssl/fips-2.0 fine.
The fipscanister.o, fips_premain.c and their .sha1 files are copied to
/myinstall/usr/lib as the fipslibdir path prior to building openssl 1.0.1j.

-------- begin script for fipsopenssl
> cd openssl-fips-2.0.5
> export MACHINE=mips
> export SYSTEM=Linux
> export ARCH=mips
> export CROSS_COMPILE=
> export FIPS_SIG=/mysrc/openssl-fips-2.0.5/util/incore
> export HOSTCC=gcc
> ./config
> make
> make build_tests
> make build_algvs
-------- end script for fipsopenssl

-------- begin script for openssl
   ./config no-asm threads shared fips \
   --prefix=/usr --install_prefix=/myinstall \
   --with-fipslibdir=/myinstall/usr/lib/
-------- end script for openssl

-------- begin cross compilation output for fipsopenssl
+ cd /mysrc/openssl-fips-2.0.5
+ export MACHINE=mips
+ MACHINE=mips
+ export SYSTEM=Linux
+ SYSTEM=Linux
+ export ARCH=mips
+ ARCH=mips
+ export CROSS_COMPILE=
+ CROSS_COMPILE=
+ export FIPS_SIG=/mysrc/openssl-fips-2.0.5/util/incore
+ FIPS_SIG=/mysrc/openssl-fips-2.0.5/util/incore
+ export HOSTCC=gcc
+ HOSTCC=gcc
+ /mysrc/openssl-fips-2.0.5/config
Operating system: mips-whatever-linux2
Auto Configuring fipsonly
Configuring for linux-generic32
CC            =/opt/mipscross/crosstool/gcc-3.4.3-glibc-2.3.6/mipsisa32-xlr-linux/bin/mipsisa32-xlr-linux-gcc
CFLAG         =-DOPENSSL_FIPSCANISTER -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DTERMIO -O3 -fomit-frame-pointer -Wall
------- end cross compilation output for fipsopenssl

------- begin objdump on x86 build machine with MIPS cross compiler
-bash-3.2$ objdump -t fipscanister.o | grep  FIPS_ro
00000000 g     O .rodata        00000010 FIPS_rodata_start
0000ca40 g     O .rodata        00000010 FIPS_rodata_end
-bash-3.2$ objdump -t fipscanister.o | grep  FIPS_text
00000000 l     F .text  00000000 FIPS_text_startX
000578e0 l     F .text  00000000 FIPS_text_endX
00057900 g     F .text  00000000 FIPS_text_end
00000020 g     F .text  00000000 FIPS_text_start
-bash-3.2$ objdump -t libcrypto.so.1.0.1 | grep  FIPS_ro
001c4770 g     O .rodata        00000010              FIPS_rodata_start
001d11b0 g     O .rodata        00000010              FIPS_rodata_end
-bash-3.2$ objdump -t libcrypto.so.1.0.1 | grep  FIPS_text
0004a800 l     F .text  00000000              FIPS_text_startX
000a20e0 l     F .text  00000000              FIPS_text_endX
000a2100 g     F .text  00000000              FIPS_text_end
0004a820 g     F .text  00000000              FIPS_text_start
The .text offset differs by 0x0004a800 b/w libcrypto and fipscanister.o
The .rodata offset differs by 0x001c4770 b/w libcrypto and fipscanister.o

-bash-3.2$ objdump -t fipscanister.o | grep -i FIPS | wc
    776    4654   42131
-bash-3.2$ objdump -t libcrypto.so.1.0.1 | grep -i FIPS | wc
    787    4722   52864
The additional objdump output for libcrypto.so is...
00000000 l    df *ABS*  00000000              o_fips.c
00000000 l    df *ABS*  00000000              fips_ers.c
00200190 l     O .data  000001b0              FIPS_str_reasons
00200340 l     O .data  00000200              FIPS_str_functs
0020b540 l     O .data  00000004              fips_drbg_flags
0020b544 l     O .data  00000004              fips_drbg_type
00000000 l    df *ABS*  00000000              evp_fips.c
001359c4 g     F .text  00000000              RAND_set_fips_drbg_type
0004a6f0 g     F .text  00000000              ERR_load_FIPS_strings
0004a5b8 g     F .text  00000000              FIPS_mode_set
0004a580 g     F .text  00000000              FIPS_mode
001359e4 g     F .text  00000000              RAND_init_fips
0004a580 g     F .text  00000000              FIPS_mode
--------- end objdump on x86 build machine with MIPS cross compiler

--------- begin runtime output on MIPS target
bash>./my_fips_test_suite
1. Non-Approved cryptographic operation test...
                DRBG AES-256-CTR DF test started
                DRBG AES-256-CTR DF test OK
        a. Included algorithm (D-H)......successful
        POST started
                Integrity  test started
                Integrity  test Failed Incorrectly!!
        ...
        POST Failed
2. Automatic power-up self test...Failed!
--------- end runtime output on MIPS target
Happy to provide any details to get some guidance on what to debug or edit
for MIPS configure/incore?
Thank you.
Best,
rk
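
A layout check on the symbol tables quoted in the message, as an added example that is not part of the original post or of OpenSSL: it parses `objdump -t` lines and compares the size of the regions bounded by `FIPS_text_start`/`FIPS_text_end` and `FIPS_rodata_start`/`FIPS_rodata_end` in `fipscanister.o` and in `libcrypto.so`. The function names `fips_spans` and `compare` are hypothetical; the sample lines are copied from the output above.

```python
import re

# Symbol-table lines copied from the objdump -t output in the message above.
CANISTER = """\
00000000 g     O .rodata        00000010 FIPS_rodata_start
0000ca40 g     O .rodata        00000010 FIPS_rodata_end
00000000 l     F .text  00000000 FIPS_text_startX
00057900 g     F .text  00000000 FIPS_text_end
00000020 g     F .text  00000000 FIPS_text_start
"""
LIBCRYPTO = """\
001c4770 g     O .rodata        00000010              FIPS_rodata_start
001d11b0 g     O .rodata        00000010              FIPS_rodata_end
000a2100 g     F .text  00000000              FIPS_text_end
0004a820 g     F .text  00000000              FIPS_text_start
"""

# Match only the four boundary symbols; FIPS_text_startX/endX must not match.
SYM = re.compile(r"^([0-9a-fA-F]+)\s.*\s(FIPS_(?:text|rodata)_(?:start|end))\s*$")

def fips_spans(objdump_text):
    """Return {region: (start, end, length)} for 'text' and 'rodata'."""
    addr = {}
    for line in objdump_text.splitlines():
        m = SYM.match(line)
        if m:
            addr[m.group(2)] = int(m.group(1), 16)
    spans = {}
    for region in ("text", "rodata"):
        try:
            start, end = addr[f"FIPS_{region}_start"], addr[f"FIPS_{region}_end"]
        except KeyError as exc:
            raise ValueError(f"missing boundary symbol {exc}") from None
        if end <= start:
            raise ValueError(f"{region}: end {end:#x} not above start {start:#x}")
        spans[region] = (start, end, end - start)
    return spans

def compare(obj_text, lib_text):
    """Per region: (object length, library length, address shift, lengths equal)."""
    a, b = fips_spans(obj_text), fips_spans(lib_text)
    return {r: (a[r][2], b[r][2], b[r][0] - a[r][0], a[r][2] == b[r][2]) for r in a}

if __name__ == "__main__":
    for region, (n_obj, n_lib, shift, same) in compare(CANISTER, LIBCRYPTO).items():
        print(f"{region:7s} obj={n_obj:#x} lib={n_lib:#x} shift={shift:#x} "
              f"{'same length' if same else 'LENGTH MISMATCH'}")
```

Equal lengths only show that the bounded regions kept their size through the shared-library link; the check says nothing about whether the bytes inside them are identical to what was fingerprinted.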