Hi, Environment: Debian buster After installing openssl and running fipsinstall, I tried to execute "openssl list -providers". The log didn't print provider fips.
And, I went to try the test code as below. It printed "Failed to load FIPS provider". Test code: #include <openssl/provider.h> int main(void) { OSSL_PROVIDER *fips; OSSL_PROVIDER *base; fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { printf("Failed to load FIPS provider\n"); exit(EXIT_FAILURE); } base = OSSL_PROVIDER_load(NULL, "base"); if (base == NULL) { OSSL_PROVIDER_unload(fips); printf("Failed to load base provider\n"); exit(EXIT_FAILURE); } /* Rest of application */ OSSL_PROVIDER_unload(base); OSSL_PROVIDER_unload(fips); exit(EXIT_SUCCESS); } Test command: openssl list -providers Providers: base name: OpenSSL Base Provider version: 3.0.8 status: active Complete steps: 1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips 2. make depend 3. make 4. make install 5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so 6. Modify openssl.cnf 7. Run openssl list -providers openssl.cnf: I have added the setting: openssl_conf = openssl_init config_diagnostics = 1 .include /usr/lib/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect [provider_sect] fips = fips_sect base = base_sect [base_sect] activate = 1 fipsmodule.cnf: [fips_sect] activate = 1 install-version = 1 conditional-errors = 1 security-checks = 1 module-mac = C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11 install-status = INSTALL_SELF_TEST_KATS_RUN Some test result: openssl version -a OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) built on: Tue May 2 07:20:31 2023 UTC platform: linux-armv4 options: bn(64,32) compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG OPENSSLDIR: "/usr/lib/ssl" ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3" MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules" Seeding source: os-specific CPUINFO: OPENSSL_armcap=0x0 openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so HMAC : (Module_Integrity) : Pass SHA1 : (KAT_Digest) : Pass SHA2 : (KAT_Digest) : Pass SHA3 : (KAT_Digest) : Pass TDES : (KAT_Cipher) : Pass AES_GCM : (KAT_Cipher) : Pass AES_ECB_Decrypt : (KAT_Cipher) : Pass RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass Pass ECDSA : (PCT_Signature) : Pass ECDSA : (PCT_Signature) : Pass DSA : (PCT_Signature) : Pass TLS13_KDF_EXTRACT : (KAT_KDF) : Pass TLS13_KDF_EXPAND : (KAT_KDF) : Pass TLS12_PRF : (KAT_KDF) : Pass PBKDF2 : (KAT_KDF) : Pass SSHKDF : (KAT_KDF) : Pass KBKDF : (KAT_KDF) : Pass HKDF : (KAT_KDF) : Pass SSKDF : (KAT_KDF) : Pass X963KDF : (KAT_KDF) : Pass X942KDF : (KAT_KDF) : Pass HASH : (DRBG) : Pass CTR : (DRBG) : Pass HMAC : (DRBG) : Pass DH : (KAT_KA) : Pass ECDH : (KAT_KA) : Pass RSA_Encrypt : (KAT_AsymmetricCipher) : Pass RSA_Decrypt : (KAT_AsymmetricCipher) : Pass RSA_Decrypt : (KAT_AsymmetricCipher) : Pass INSTALL PASSED Could you please help to check whether I have wrong steps? Thanks, Johnson |