Thanks Steve,

Following the FIPS_incore_fingerprint() gave a good insight about the
data that is taken for calculating the digest. After dumping the data
once in the target I was able to adjust the offset. But still I see
binary content is slightly differed in the executable before loading and
the content in the memory

For eg the objdump information in the openssl lib before loading

000e4100 <FIPS_text_start>:
   e4100:       4b ff ff ec     b       e40ec <instruction_pointer>

000e4104 <fips_set_mode>:
   e4104:       7d 80 00 26     mfcr    r12
   e4108:       94 21 ff e8     stwu    r1,-24(r1)
   e410c:       7c 08 02 a6     mflr    r0
   e4110:       93 e1 00 14     stw     r31,20(r1)
   e4114:       7c 7f 1b 78     mr      r31,r3
   e4118:       93 a1 00 0c     stw     r29,12(r1)
   e411c:       90 01 00 1c     stw     r0,28(r1)
   e4120:       91 81 00 08     stw     r12,8(r1)
   e4124:       48 00 00 01     bl      e4124 <fips_set_mode+0x20>
   e4128:       7c 7d 1b 78     mr      r29,r3
   e412c:       48 00 00 01     bl      e412c <fips_set_mode+0x28>
   e4130:       2f 83 00 00     cmpwi   cr7,r3,0
   e4134:       2e 1d 00 00     cmpwi   cr4,r29,0
   e4138:       41 9e 00 14     beq-    cr7,e414c <fips_set_mode+0x48>
   e413c:       41 92 00 38     beq-    cr4,e4174 <fips_set_mode+0x70>
   e4140:       3d 20 00 00     lis     r9,0
   e4144:       93 e9 00 00     stw     r31,0(r9)
   e4148:       41 92 00 24     beq-    cr4,e416c <fips_set_mode+0x68>
   e414c:       80 01 00 1c     lwz     r0,28(r1)
   e4150:       81 81 00 08     lwz     r12,8(r1)
   .
   .
   .

Whereas the objdump from the memory

              FIPS_text_start:
0x9f1700  4bffffec    b           0x9f16ec # instruction_pointer
              fips_set_mode:
0x9f1704  7d800026    mfcr        r12
0x9f1708  9421ffe8    stwu        r1,-24(r1)
0x9f170c  7c0802a6    mfspr       r0,LR
0x9f1710  93e10014    stw         r31,20(r1)
0x9f1714  7c7f1b78    or          r31,r3,r3
0x9f1718  93a1000c    stw         r29,12(r1)
0x9f171c  9001001c    stw         r0,28(r1)
0x9f1720  91810008    stw         r12,8(r1)
0x9f1724  480008e5    bl          0x9f2008 # fips_is_owning_thread
value = 10426152 = 0x9f1728 = fips_set_mode + 0x24
Working: [Kernel]->l
0x9f1728  7c7d1b78    or          r29,r3,r3
0x9f172c  480008d1    bl          0x9f1ffc # fips_is_started
0x9f1730  2f830000    cmpi        crf7,0,r3,0x0 # 0
0x9f1734  2e1d0000    cmpi        crf4,0,r29,0x0 # 0
0x9f1738  419e0014    bc          0xc,30, 0x9f174c # 0x009f174c
0x9f173c  41920038    bc          0xc,18, 0x9f1774 # 0x009f1774
0x9f1740  3d200e86    lis         r9,0xe86 # 3718
0x9f1744  93e9ce40    stw         r31,-12736(r9)
0x9f1748  41920024    bc          0xc,18, 0x9f176c # 0x009f176c
0x9f174c  8001001c    lwz         r0,0x1c(r1) # 28
value = 10426192 = 0x9f1750 = fips_set_mode + 0x4c
Working: [Kernel]->l
0x9f1750  81810008    lwz         r12,0x8(r1) # 8


The branching instructions and the offset to store the return address
from the r31 are changed while loading in to memory, thus the resulting
digest in both case are different. I guess this is normal when the ELF
are relocated after loading or do I miss any option while compiling.

I would appreciate any help/clue on this

Thanks
John Paul


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 13, 2010 9:59 PM
To: [email protected]
Subject: Re: Incore.gz different signature from target machine

On Wed, Oct 13, 2010, [email protected] wrote:

> I got the FIPS openssl integrated with my application. Unfortunately I

> had to stick to build environment which is on sun solaris and my
> target machine is a powerpc embedded system.  Until now I had to
> create the application in solaris machine execute in the target, after

> getting the hmac signature recompiled the fips_premain.c with that
> signature. After checking Dr.Steve's post I tried using incore.gz on
my application.
> Somehow the signatures are different
>
> I noticed that the 'file format'  of the object I have is "elf32-big"
> which is not handled in the script. I assume the INCORE_ADJUST should
> be
> -8 for that type of format too. I added that code but still it returns

> a different signature that does not match with the generated signature

> from the target.
>
> Any values I should check between the script's result on the host
> machine vs code loaded in the target to make it match ?
>

There are several ways to do this. One is to not embed a signature and
call the executable on the target: it should then output the expected
signature. You can then tweak the offset so the two match.

Alternatively check out the code in FIPS_incore_fingerprint(). You can
write a simple program to dump the data that OpenSSL fingerprints, then
modify the script to dump the same data for its external fingerprint.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email. 

www.wipro.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to