I've been trying to build the latest (1.0.1i) OpenSSL, and I'm having problems 
with the self-tests.
 
The steps I followed were the same steps I used to build a FIPS-enabled 1.0.1h. 
I built the FIPS object module using the 2.0.6 ecp module without issue. When I 
attempted to build the FIPS-capable OpenSSL, I did the following and got an 
error on the make test:
 
./config fips shared
make
make test
[...]
SEC2 curve secp160r1 -- Generator:
     x = 0x4A96B5688EF573284664698968C38BB913CBFC82
     y = 0x23A628553168947D59DCC912042351377AC5FB32
verify degree ... ok
verify group order .... ok
long/negative scalar tests allowing precomputation ...ectest.c:260: ABORT
make[1]: *** [test_ec] Error 1
make[1]: Leaving directory `/usr/src/packages/BUILD/openssl-1.0.i1/test'
make: *** [tests] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.57104 (%build)
 
Looking into ectest.c (actually, it's "crypto/ec/ectest.c" with a sym-link), I 
can see the failure is in the following test code:
 
[...]
  fprintf(stdout, "long/negative scalar tests ");
        for (i = 1; i <= 2; i++)
    {
    const BIGNUM *scalars[6];
    const EC_POINT *points[6];
 
    fprintf(stdout, i == 1 ?
      "allowing precomputation ... " :
      "without precomputation ... ");
    if (!BN_set_word(n1, i)) ABORT;
    /* If i == 1, P will be the predefined generator for which
     * EC_GROUP_precompute_mult has set up precomputation. */
    if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) ABORT;
 
  if (!BN_one(n1)) ABORT;
  /* n1 = 1 - order */
  if (!BN_sub(n1, n1, order)) ABORT;
  if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
  if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
  /* n2 = 1 + order */
  if (!BN_add(n2, order, BN_value_one())) ABORT;
  if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
  if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
 
    /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
  if (!BN_mul(n2, n1, n2, ctx)) ABORT;
  if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
  if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
 
    /* n2 = order^2 - 1 */
    BN_set_negative(n2, 0);
    if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
    /* Add P to verify the result. */
    if (!EC_POINT_add(group, Q, Q, P, ctx)) ABORT;
    if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 
    /* Exercise EC_POINTs_mul, including corner cases. */
    scalars[0] = n1; points[0] = Q; /* => infinity */
    scalars[1] = n2; points[1] = P; /* => -P */
    scalars[2] = n1; points[2] = Q; /* => infinity */
    scalars[3] = n2; points[3] = Q; /* => infinity */
    scalars[4] = n1; points[4] = P; /* => P */
    scalars[5] = n2; points[5] = Q; /* => infinity */
    if (!EC_POINTs_mul(group, Q, NULL, 5, points, scalars, ctx)) ABORT;
    if (!EC_POINT_is_at_infinity(group, Q)) ABORT;  <---*** This test is the error
    }
  fprintf(stdout, "ok\n");
[...]
 
It is failing the test pointed out above (which is line 260) that triggers the 
abort.
 
Interestingly enough, there were a number of changes in this area, and the 
failing code is part of the new code.  Here's the .diff for this file:
 
diff -rwBN -U3 openssl-1.0.1h/crypto/ec/ectest.c 
openssl-1.0.1i/crypto/ec/ectest.c
--- openssl-1.0.1h/crypto/ec/ectest.c 2014-06-05 09:44:33.000000000 +0000
+++ openssl-1.0.1i/crypto/ec/ectest.c 2014-08-06 21:10:56.000000000 +0000
@@ -199,6 +199,7 @@
  EC_POINT *P = EC_POINT_new(group);
  EC_POINT *Q = EC_POINT_new(group);
  BN_CTX *ctx = BN_CTX_new();
+ int i;
 
  n1 = BN_new(); n2 = BN_new(); order = BN_new();
  fprintf(stdout, "verify group order ...");
@@ -212,7 +213,20 @@
  if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
  if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
  fprintf(stdout, " ok\n");
- fprintf(stdout, "long/negative scalar tests ... ");
+ fprintf(stdout, "long/negative scalar tests ");
+        for (i = 1; i <= 2; i++)
+   {
+   const BIGNUM *scalars[6];
+   const EC_POINT *points[6];
+
+   fprintf(stdout, i == 1 ?
+     "allowing precomputation ... " :
+     "without precomputation ... ");
+   if (!BN_set_word(n1, i)) ABORT;
+   /* If i == 1, P will be the predefined generator for which
+    * EC_GROUP_precompute_mult has set up precomputation. */
+   if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) ABORT;
+
  if (!BN_one(n1)) ABORT;
  /* n1 = 1 - order */
  if (!BN_sub(n1, n1, order)) ABORT;
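Review bot: The comment above the added EC_POINT_mul call documents only the i == 1 case; it should also say what i == 2 is for, since BN_set_word(n1, i) followed by EC_POINT_mul(group, P, n1, NULL, NULL, ctx) makes P twice the generator and that is what the "without precomputation" label relies on. The added "for (i = 1; i <= 2; i++)" line is indented with spaces while the lines around it are not, so match the file's indentation. The label is printed once per iteration, so a per-iteration "ok" would make it clear from the output which pass aborted.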
@@ -222,11 +237,31 @@
  if (!BN_add(n2, order, BN_value_one())) ABORT;
  if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
  if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
- /* n2 = (1 - order) * (1 + order) */
+
+   /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
  if (!BN_mul(n2, n1, n2, ctx)) ABORT;
  if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
  if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
+
+   /* n2 = order^2 - 1 */
+   BN_set_negative(n2, 0);
+   if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
+   /* Add P to verify the result. */
+   if (!EC_POINT_add(group, Q, Q, P, ctx)) ABORT;
+   if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+
+   /* Exercise EC_POINTs_mul, including corner cases. */
+   scalars[0] = n1; points[0] = Q; /* => infinity */
+   scalars[1] = n2; points[1] = P; /* => -P */
+   scalars[2] = n1; points[2] = Q; /* => infinity */
+   scalars[3] = n2; points[3] = Q; /* => infinity */
+   scalars[4] = n1; points[4] = P; /* => P */
+   scalars[5] = n2; points[5] = Q; /* => infinity */
+   if (!EC_POINTs_mul(group, Q, NULL, 5, points, scalars, ctx)) ABORT;
+   if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+   }
  fprintf(stdout, "ok\n");
+
  EC_POINT_free(P);
  EC_POINT_free(Q);
  BN_free(n1);
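Review bot: The added EC_POINTs_mul call passes a count of 5, but scalars[] and points[] are declared with six elements in the previous hunk and all six are assigned here, so the pair at index 5 (n2, Q) is never evaluated. Either pass 6 or drop the sixth assignment and size the arrays to match. The same call writes its result into Q while Q is also points[0], points[2] and points[3]; a separate result point would keep the check from depending on how the implementation handles an output that aliases its inputs, and a short comment stating the expected sum (infinity) next to the call would document what the final EC_POINT_is_at_infinity asserts.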
 
If I remove the updates to ectest.c, the build will complete cleanly.
 
Again, the FIPS "Canister" code that we are using is the "ecp" version that 
does not contain some of the pieces of the Elliptical Curve stuff because of 
potential patent issues.
 
My main question is: Has anyone successfully built a FIPS Enabled version of 
1.0.1i using the "ecp" FIPS canister module on an x86_64 Linux system using 
gcc 4.3.4?
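
Added reference model of the checks in the quoted ectest.c loop; this is an example added here, not part of the original message and not OpenSSL code. It uses a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, generator (5,1) of order 19) and hypothetical function names, and computes every product with plain double-and-add so the expected result of each check can be confirmed independently of any library:

```c
#include <stdio.h>
/* Constructed toy curve (not from the post): y^2 = x^3 + 2x + 2 over F_17,
 * generator G = (5,1) of prime order 19. All names here are hypothetical. */
enum { PRIME = 17, COEF_A = 2, ORDER = 19 };
typedef struct { long x, y; int inf; } pt;
static long md(long v) { v %= PRIME; return v < 0 ? v + PRIME : v; }
static long inv(long v) {                 /* Fermat inverse: v^(PRIME-2) */
    long r = 1, e = PRIME - 2;
    for (v = md(v); e; e >>= 1, v = v * v % PRIME) if (e & 1) r = r * v % PRIME;
    return r;
}
static int same(pt a, pt b) { return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y)); }
static pt add(pt a, pt b) {
    pt r = {0, 0, 0}, O = {0, 0, 1};
    long s;
    if (a.inf || b.inf) return a.inf ? b : a;
    if (a.x == b.x && md(a.y + b.y) == 0) return O;        /* a == -b */
    s = a.x == b.x ? md((3 * a.x * a.x + COEF_A) * inv(2 * a.y))
                   : md((b.y - a.y) * inv(b.x - a.x));
    r.x = md(s * s - a.x - b.x);
    r.y = md(s * (a.x - r.x) - a.y);
    return r;
}
static pt mul(long k, pt p) {   /* plain double-and-add, no reduction mod ORDER */
    pt r = {0, 0, 1};
    if (k < 0) { k = -k; if (!p.inf) p.y = md(-p.y); }     /* (-k)P = k(-P) */
    for (; k; k >>= 1, p = add(p, p)) if (k & 1) r = add(r, p);
    return r;
}
/* Returns 0 if every check passes, else the number of the first failing check.
 * num is the count handed to the multi-scalar sum, as in EC_POINTs_mul. */
int scalar_checks(long i, int num) {
    pt G = {5, 1, 0}, P = mul(i, G), Q, sum = {0, 0, 1}, pts[6];
    long n1 = 1 - ORDER, n2 = 1 + ORDER, k[6];
    if (!same(mul(n1, P), P)) return 1;                    /* (1 - order)P == P */
    if (!same(mul(n2, P), P)) return 2;                    /* (1 + order)P == P */
    n2 *= n1;                                              /* 1 - order^2 */
    if (!same(mul(n2, P), P)) return 3;
    n2 = -n2;                                              /* order^2 - 1 */
    Q = add(mul(n2, P), P);                                /* -P + P */
    if (!Q.inf) return 4;
    k[0] = n1; pts[0] = Q;  k[1] = n2; pts[1] = P;  k[2] = n1; pts[2] = Q;
    k[3] = n2; pts[3] = Q;  k[4] = n1; pts[4] = P;  k[5] = n2; pts[5] = Q;
    for (int j = 0; j < num; j++) sum = add(sum, mul(k[j], pts[j]));
    return sum.inf ? 0 : 5;                                /* sum must be infinity */
}
int main(void) {
    return printf("i=1: %d, i=2: %d\n", scalar_checks(1, 5), scalar_checks(2, 5)) < 0;
}
```

The return value names the first check that fails; the abort reported in the post corresponds to check 5, the infinity test after the multi-scalar sum.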
