I’ve successfully built and installed openssl 3.0 and the fips.so module in my yocto build environment. My goal is to make the FIPs module the default provider for all applications so I modified my openssl.cnf file to match the docs like the following. config_diagnostics = 1 openssl_conf = openssl_init .include /usr/lib/ssl-3/fipsmodule.cnf [openssl_init] providers = provider_sect [provider_sect] fips = fips_sect base = base_sect [base_sect] activate = 1 After boot, I check the installed providers with “openssl list –providers” and see only the base provider. I then try to install the FIPS module with the following. openssl fipsinstall –module /usr/lib/ossl-modules/fips.so –out /usr/lib/ssl-3/fipsmodule.cnf and I get the error output: Unable to get MAC of type HMAC INSTALL FAILED 1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties (<null>) When I replace the base provider with the default provider, leaving the fips module like the following config_diagnostics = 1 openssl_conf = openssl_init .include /usr/lib/ssl-3/fipsmodule.cnf [openssl_init] providers = provider_sect [provider_sect] default = default_sect fips = fips_sect [default_sect] activate = 1 I see only the default provider installed after I boot and when I try to manually install the FIPS module with the above command I get the following. Failed to load FIPS module INSTALL FAILED 1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261: 1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706: 1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips From this state, if I copy the ossl-modules directory to a different location like /usr/lib/ssl-3/ and try to manually install the FIPS module with openssl fipsinstall –module /usr/lib/ssl-3/ossl-modules/fips.so –out /usr/lib/ssl-3/fipsmodule.cnf it successful installs with the following output and I see both the fips and default providers installed. HMAC : (Module_Integrity) : Pass SHA1 : (KAT_Digest) : Pass SHA2 : (KAT_Digest) : Pass SHA3 : (KAT_Digest) : Pass TDES : (KAT_Cipher) : Pass AES_GCM : (KAT_Cipher) : Pass AES_ECB_Decrypt : (KAT_Cipher) : Pass RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass Pass ECDSA : (PCT_Signature) : Pass ECDSA : (PCT_Signature) : Pass DSA : (PCT_Signature) : Pass TLS13_KDF_EXTRACT : (KAT_KDF) : Pass TLS13_KDF_EXPAND : (KAT_KDF) : Pass TLS12_PRF : (KAT_KDF) : Pass PBKDF2 : (KAT_KDF) : Pass SSHKDF : (KAT_KDF) : Pass KBKDF : (KAT_KDF) : Pass HKDF : (KAT_KDF) : Pass SSKDF : (KAT_KDF) : Pass X963KDF : (KAT_KDF) : Pass X942KDF : (KAT_KDF) : Pass HASH : (DRBG) : Pass CTR : (DRBG) : Pass HMAC : (DRBG) : Pass DH : (KAT_KA) : Pass ECDH : (KAT_KA) : Pass RSA_Encrypt : (KAT_AsymmetricCipher) : Pass RSA_Decrypt : (KAT_AsymmetricCipher) : Pass RSA_Decrypt : (KAT_AsymmetricCipher) : Pass INSTALL PASSED I need to get the FIPS module to install without needing the default provider. It seems like the FIPS module is trying to install and getting stuck in a bad state, but I could use some help debugging this. Thanks for any help you can provide. Susan |
