fipscanister with assembly language optimization and non-SSE2 capable processors?

Tue, 18 Dec 2012 20:24:33 -0800 

Hello:

Is it not possible to build a FIPS-capable OpenSSL with assembly language 
optimization enabled in the fipscanister that works under non-SSE2 capable 
processors?

On SUSE Linux Enterprise Server 10, I have built the fipscanister with assembly 
language optimization enabled as follows:

        ./config fipscanisterbuild

Next I built a FIPS-capable OpenSSL using this fipscanister.

And then I built a simple application that just calls FIPS_mode_set(1) to 
enable FIPS mode.

When I run that app on a system with a processor that lacks support for the 
SSE2 instruction set, I get the following error:

        SSL: 
0:755466380:fips.c:319:0:error:2D07808C:lib(45):func(120):reason(140)

But when I build the fipcanister *without* assembly language optimization 
enabled as follows:

./config fipscanisterbuild no-asm

The same app works fine and FIPS mode can be enabled.

Per code inspection of the OpenSSL sources, it appears like the following code 
is the one that prevents FIPS enabling (in fips/fips.c):

#ifdef OPENSSL_IA32_SSE2
    {
    extern unsigned int OPENSSL_ia32cap_P[2];
    if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
        {
        FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
        fips_selftest_fail = 1;
        ret = 0;
        goto end;
        }
    OPENSSL_ia32cap_P[0] |= (1<<28);    /* set "shared cache"   */
    OPENSSL_ia32cap_P[1] &= ~(1<<(60-32));  /* clear AVX        */
    }
#endif

And BTW, building the FIPS-capble OpenSSL with the no-sse2 option as follows 
does not fix the issue:

        ./config fips --prefix=$FIPSDIR no-sse2 no-idea no-mdc2 no-rc5 shared

The problem is with the fipscanister itself.  It needs to be built with 
assembly language optimization disabled in order to get into FIPS mode under 
non-SSE2 processors.

So how to build a FIPS-capable OpenSSL with assembly language optimization 
enabled in the fipscanister that works under non-SSE2 capable processors?

Is that not possible?

Thanks,

Bill


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to