Hello Jeffrey:

Thank you for the response.

So FIPS mode enable is supported on non-SSE2 processors *only* with a fipscanister that is built with the "no-asm" option?

Thanks,

Bill

On Dec 19, 2012, at 1:13 AM, Jeffrey Walton wrote:

> On Tue, Dec 18, 2012 at 11:15 PM, Bill Durant <cipherte...@gmail.com> wrote:
>> Is it not possible to build a FIPS-capable OpenSSL with assembly language
>> optimization enabled in the fipscanister that works under non-SSE2 capable
>> processors?
>>
>> On SUSE Linux Enterprise Server 10, I have built the fipscanister with
>> assembly language optimization enabled as follows:
>>
>> ./config fipscanisterbuild
>>
>> Next I built a FIPS-capable OpenSSL using this fipscanister.
>>
>> And then I built a simple application that just calls FIPS_mode_set(1) to
>> enable FIPS mode.
>>
>> When I run that app on a system with a processor that lacks support for the
>> SSE2 instruction set, I get the following error:
>>
>> SSL:
>> 0:755466380:fips.c:319:0:error:2D07808C:lib(45):func(120):reason(140)
>>
>> But when I build the fipscanister *without* assembly language optimization
>> enabled as follows:
>>
>> ./config fipscanisterbuild no-asm
>>
>> The same app works fine and FIPS mode can be enabled.
>>
>> Per code inspection of the OpenSSL sources, it appears like the following
>> code is the one that prevents FIPS enabling (in fips/fips.c):
>>
>> #ifdef OPENSSL_IA32_SSE2
>>     {
>>     extern unsigned int OPENSSL_ia32cap_P[2];
>>     if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
>>         {
>>         FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
>>         fips_selftest_fail = 1;
>>         ret = 0;
>>         goto end;
>>         }
>>     OPENSSL_ia32cap_P[0] |= (1<<28);        /* set "shared cache" */
>>     OPENSSL_ia32cap_P[1] &= ~(1<<(60-32));  /* clear AVX */
>>     }
>> #endif
>>
>> And BTW, building the FIPS-capable OpenSSL with the no-sse2 option as follows
>> does not fix the issue:
>>
>> ./config fips --prefix=$FIPSDIR no-sse2 no-idea no-mdc2 no-rc5 shared
>>
>> The problem is with the fipscanister itself. It needs to be built with
>> assembly language optimization disabled in order to get into FIPS mode under
>> non-SSE2 processors.
>>
>> So how to build a FIPS-capable OpenSSL with assembly language optimization
>> enabled in the fipscanister that works under non-SSE2 capable processors?
>>
>> Is that not possible?
> No (first question); Yes (second question) (if I count questions
> correctly). From the User Guide 2.0 (page 24-25):
>
> Note that for x86 there are three possible optimization levels:
>
> 1. No optimization (plain C)
> 2. SSE2 optimization
> 3. AES-NI+PCLMULQDQ+SSSE3 optimization
>
> Note that other theoretically possible combinations (e.g. AES-NI only,
> or SSE3 only) are not enabled individually, so that a processor
> which does not support all three of AES-NI, PCLMULQDQ, and SSSE3 will
> fall back to using only SSE2 optimization.
>
> Jeff
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
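A pre-deployment check for the gate quoted above from fips/fips.c, as an added example that is not part of the original thread or of OpenSSL: it applies the same bit 25/26 test to CPUID leaf 1 EDX (where those bits are SSE and SSE2) and unpacks the reported error code 2D07808C using the OpenSSL 1.0.x lib/func/reason field layout. All function and macro names here are hypothetical.

```c
/* Added example; helper and macro names are hypothetical, not OpenSSL's. */
#include <stdint.h>
#include <stdio.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

#define CAP_SSE  (1u << 25)  /* CPUID.1:EDX bit 25 */
#define CAP_SSE2 (1u << 26)  /* CPUID.1:EDX bit 26 */

/* Same test as the quoted block: both bits must be set, otherwise the
 * asm-built canister refuses FIPS mode. Returns 1 if the gate passes. */
int fips_sse2_gate_passes(uint32_t cap0)
{
    return (cap0 & (CAP_SSE | CAP_SSE2)) == (CAP_SSE | CAP_SSE2);
}

/* Field layout of a packed OpenSSL 1.0.x error code. */
unsigned err_lib(unsigned long e)    { return (unsigned)((e >> 24) & 0xff); }
unsigned err_func(unsigned long e)   { return (unsigned)((e >> 12) & 0xfff); }
unsigned err_reason(unsigned long e) { return (unsigned)(e & 0xfff); }

/* Reads CPUID leaf 1 EDX on x86 builds; returns 0 on success, -1 otherwise. */
int read_cpuid_edx(uint32_t *edx_out)
{
#if defined(__i386__) || defined(__x86_64__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        *edx_out = edx;
        return 0;
    }
#endif
    return -1;
}

int main(void)
{
    unsigned long e = 0x2D07808CUL;   /* error code from the report above */
    uint32_t edx;
    printf("error %08lX: lib(%u) func(%u) reason(%u)\n",
           e, err_lib(e), err_func(e), err_reason(e));
    if (read_cpuid_edx(&edx) != 0) {
        printf("no CPUID leaf 1 available on this build\n");
        return 0;
    }
    printf("SSE=%d SSE2=%d -> gate %s\n", !!(edx & CAP_SSE), !!(edx & CAP_SSE2),
           fips_sse2_gate_passes(edx) ? "passes" : "fails");
    return 0;
}
```

Run it on the target hardware before rolling out an assembly-optimized fipscanister; a "fails" result means the host needs the `no-asm` canister build described in the thread.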