fipsinstall fails without the default provider enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The openssl fipsinstall command fails if the default provider is not enabled. Is it expected or is it a bug?

openssl.cnf:
  ...
  [openssl_init]
  providers = provider_sect

  [provider_sect]
  base = base_sect

  [base_sect]
  activate = 1
  ...

LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl fipsinstall -module /usr/local/lib64/ossl-modules/fips.so
  Unable to get MAC of type HMAC
  INSTALL FAILED
00A19AFCB27F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:317:Global default library context, Algorithm (HMAC : 0), Properties (<null>)

(tested on linux-x86_64 configuration, changeset 5317b6ee1fc3db20de5976fbb46cc49a45c0768a)

With the configuration "only fips+base provider" (according to https://www.openssl.org/docs/manmaster/man7/fips_module.html) it is not possible to make an update - it is necessary to enable the default provider, call fipsinstall and disable the default provider again. Of course, this can be done, but it is annoying

The openssl-fipsinstall indicates that this behavior is expected:
  ...
For normal usage the base configuration file should use the default provider when generating the fips configuration file.
  ...

thanks,
- jenda



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux