Hi Kory,

I am cross-compiling. Here is the command line from the "perl configdata.pm --dump" command. I'm using an existing openssl 3.0 recipe which I just modified with enable-fips.

perl ../openssl-3.0.0/Configure disable-devcryptoeng enable-fips --prefix=/usr --openssldir=/usr/lib/ssl-3 --libdir=/usr/lib linux-armv4

The output of openssl version -a is as follows.

OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Tue Sep 7 11:46:32 2021 UTC
platform: linux-armv4
options: bn(64,32)
compiler: arm-poky-linux-gnueabi-gcc -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a7 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x1

thanks,
Susan

--------------------------------------------

Message: 2
Date: Tue, 9 Nov 2021 14:32:19 -0800
From: Kory Hamzeh <kory@xxxxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: Re: Openssl 3.0 fipsinstall fails in yocto linux environment
Message-ID: <A74C84CA-8DB3-4DF9-997B-FD89FDADA932@xxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi Susan,

How did you run Configure? Are you cross compiling? By default, OpenSSL 3.0.0 builds for /usr/local. You MUST install it there or use a Configure option if you want to install it somewhere else.

Kory

> On Nov 9, 2021, at 2:21 PM, Susan Tremel <susan.tremel@xxxxxxxxxxxx> wrote:
>
> I've successfully built and installed openssl 3.0 and the fips.so module in my yocto build environment. My goal is to make the FIPS module the default provider for all applications so I modified my openssl.cnf file to match the docs like the following.
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> base = base_sect
>
> [base_sect]
> activate = 1
>
> After boot, I check the installed providers with "openssl list -providers" and see only the base provider. I then try to install the FIPS module with the following.
>
> openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> and I get the error output:
> Unable to get MAC of type HMAC
> INSTALL FAILED
> 1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties (<null>)
>
> When I replace the base provider with the default provider, leaving the fips module like the following
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> default = default_sect
> fips = fips_sect
>
> [default_sect]
> activate = 1
>
> I see only the default provider installed after I boot and when I try to manually install the FIPS module with the above command I get the following.
> Failed to load FIPS module
> INSTALL FAILED
> 1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261:
> 1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
> 1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
>
> From this state, if I copy the ossl-modules directory to a different location like /usr/lib/ssl-3/ and try to manually install the FIPS module with
>
> openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> it successfully installs with the following output and I see both the fips and default providers installed.
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
>
> I need to get the FIPS module to install without needing the default provider. It seems like the FIPS module is trying to install and getting stuck in a bad state, but I could use some help debugging this.
>
> Thanks for any help you can provide.
> Susan

------------------------------

Subject: Digest Footer

_______________________________________________
openssl-users mailing list
openssl-users@xxxxxxxxxxx
https://mta.openssl.org/mailman/listinfo/openssl-users

------------------------------

End of openssl-users Digest, Vol 84, Issue 18
*********************************************