Hi,
Environment: Debian buster
After installing openssl and running fipsinstall, I tried to execute "openssl list -providers". The log didn't print provider fips.
And, I went to try the test code as below. It printed "Failed to load FIPS provider".
Test code:
#include <openssl/provider.h>
int main(void)
{
OSSL_PROVIDER *fips;
OSSL_PROVIDER *base;
fips = OSSL_PROVIDER_load(NULL, "fips");
if (fips == NULL) {
printf("Failed to load FIPS provider\n");
exit(EXIT_FAILURE);
}
base = OSSL_PROVIDER_load(NULL, "base");
if (base == NULL) {
OSSL_PROVIDER_unload(fips);
printf("Failed to load base provider\n");
exit(EXIT_FAILURE);
}
/* Rest of application */
OSSL_PROVIDER_unload(base);
OSSL_PROVIDER_unload(fips);
exit(EXIT_SUCCESS);
}
Test command:
openssl list -providers
Providers:
base
name: OpenSSL Base Provider
version: 3.0.8
status: active
Complete steps:
1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips
2. make depend
3. make
4. make install
5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
6. Modify openssl.cnf
7. Run openssl list -providers
openssl.cnf:
I have added the setting:
openssl_conf = openssl_init
config_diagnostics = 1
.include /usr/lib/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
fipsmodule.cnf:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
Some test result:
openssl version -a
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
built on: Tue May 2 07:20:31 2023 UTC
platform: linux-armv4
options: bn(64,32)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"
MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x0
openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
Could you please help to check whether I have wrong steps?
Thanks,
Johnson
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual
or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail
or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
