Re: The provider fips can't be loaded on openssl3.0.8


 





On 05/05/2023 08:27, Johnson Wang (王舜樸) via openssl-users wrote:

     fips = OSSL_PROVIDER_load(NULL, "fips_sect");

This looks odd. You should just be loading "fips" not "fips_sect".

Matt



     if (fips == NULL) {
         printf("Failed to load FIPS provider\n");
         exit(EXIT_FAILURE);
     }

     base = OSSL_PROVIDER_load(NULL, "base");
     if (base == NULL) {
         OSSL_PROVIDER_unload(fips);
         printf("Failed to load base provider\n");
         exit(EXIT_FAILURE);
     }

     /* Rest of application */

     OSSL_PROVIDER_unload(base);
     OSSL_PROVIDER_unload(fips);
     exit(EXIT_SUCCESS);
}

Thanks,

Johnson

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of pauli@xxxxxxxxxxx
Sent: Friday, May 5, 2023 11:23 AM
To: openssl-users@xxxxxxxxxxx
Subject: [EXTERNAL] Re: The provider fips can't be loaded on openssl3.0.8


My initial guess would be that the configuration file isn't being found by your application.
Have you set OPENSSL_CONF?
What about OPENSSL_CONF_INCLUDE?

Useful places to look are the FIPS module <https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the config <https://www.openssl.org/docs/man3.0/man5/config.html> documentation.


Pauli

On 5/5/2023 12:28 pm, Johnson Wang (王舜樸) via openssl-users wrote:

    Hi,

    Environment: Debian buster

    After installing openssl and running fipsinstall, I tried to execute
    "openssl list -providers". The log didn't print provider fips.

    And, I went to try the test code as below. It printed "Failed to
    load FIPS provider".

    Test code:

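    #include <stdio.h>              /* printf */
    #include <stdlib.h>             /* exit, EXIT_SUCCESS, EXIT_FAILURE */
    #include <openssl/provider.h>

    int main(void)
    {
        OSSL_PROVIDER *fips;
        OSSL_PROVIDER *base;

        /* Load the FIPS provider into the default library context. */
        fips = OSSL_PROVIDER_load(NULL, "fips");
        if (fips == NULL) {
            printf("Failed to load FIPS provider\n");
            exit(EXIT_FAILURE);
        }

        /* Load the base provider as well; release fips if that fails. */
        base = OSSL_PROVIDER_load(NULL, "base");
        if (base == NULL) {
            OSSL_PROVIDER_unload(fips);
            printf("Failed to load base provider\n");
            exit(EXIT_FAILURE);
        }

        /* Rest of application */

        /* Unload the providers in reverse order of loading. */
        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        exit(EXIT_SUCCESS);
    }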

    Test command:

    openssl list -providers

    Providers:

       base

         name: OpenSSL Base Provider

         version: 3.0.8

         status: active

    Complete steps:

    1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl
    --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib
    no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips

    2. make depend

    3. make

    4. make install

    5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
    /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so

    6. Modify openssl.cnf

    7. Run openssl list -providers

    openssl.cnf:

    I have added the setting:

    openssl_conf = openssl_init
    config_diagnostics = 1
    .include /usr/lib/ssl/fipsmodule.cnf

    [openssl_init]
    providers = provider_sect

    [provider_sect]
    fips = fips_sect
    base = base_sect

    [base_sect]
    activate = 1

    fipsmodule.cnf:

    [fips_sect]
    activate = 1
    install-version = 1
    conditional-errors = 1
    security-checks = 1
    module-mac = C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B
    install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
    install-status = INSTALL_SELF_TEST_KATS_RUN

    Some test result:

    openssl version -a

    OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

    built on: Tue May  2 07:20:31 2023 UTC

    platform: linux-armv4

    options:  bn(64,32)

    compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3
    -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG

    OPENSSLDIR: "/usr/lib/ssl"

    ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"

    MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"

    Seeding source: os-specific

    CPUINFO: OPENSSL_armcap=0x0

    openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
    /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so

    HMAC : (Module_Integrity) : Pass

    SHA1 : (KAT_Digest) : Pass

    SHA2 : (KAT_Digest) : Pass

    SHA3 : (KAT_Digest) : Pass

    TDES : (KAT_Cipher) : Pass

    AES_GCM : (KAT_Cipher) : Pass

    AES_ECB_Decrypt : (KAT_Cipher) : Pass

    RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass

    Pass

    ECDSA : (PCT_Signature) : Pass

    ECDSA : (PCT_Signature) : Pass

    DSA : (PCT_Signature) : Pass

    TLS13_KDF_EXTRACT : (KAT_KDF) : Pass

    TLS13_KDF_EXPAND : (KAT_KDF) : Pass

    TLS12_PRF : (KAT_KDF) : Pass

    PBKDF2 : (KAT_KDF) : Pass

    SSHKDF : (KAT_KDF) : Pass

    KBKDF : (KAT_KDF) : Pass

    HKDF : (KAT_KDF) : Pass

    SSKDF : (KAT_KDF) : Pass

    X963KDF : (KAT_KDF) : Pass

    X942KDF : (KAT_KDF) : Pass

    HASH : (DRBG) : Pass

    CTR : (DRBG) : Pass

    HMAC : (DRBG) : Pass

    DH : (KAT_KA) : Pass

    ECDH : (KAT_KA) : Pass

    RSA_Encrypt : (KAT_AsymmetricCipher) : Pass

    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass

    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass

    INSTALL PASSED

    Could you please help to check whether I have wrong steps?

    Thanks,

    Johnson

    -The information contained in this message may be confidential and
    proprietary to American Megatrends (AMI). This communication is
    intended to be read only by the individual or entity to whom it is
    addressed or by their designee. If the reader of this message is not
    the intended recipient, you are on notice that any distribution of
    this message, in any form, is strictly prohibited. Please promptly
    notify the sender by reply e-mail or by telephone at 770-246-8600,
    and then delete or destroy all copies of the transmission.

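The distinction raised in the thread between the provider name ("fips") and the configuration section that holds its settings ("fips_sect"), and the guess that the configuration or its include is not being read, can be checked offline. The following is an added example, not code from the thread or from the OpenSSL project. The helper names parse and diagnose are hypothetical, the reader handles only the config subset quoted above, and it assumes .include text is read as if pasted in place.

```python
# Added example, not OpenSSL's parser: handles only [section], key = value, .include.
FILES = {  # constructed, trimmed in-memory copies of the configs quoted in the thread
    "/usr/lib/ssl/openssl.cnf": """openssl_conf = openssl_init
.include /usr/lib/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
""",
    "/usr/lib/ssl/fipsmodule.cnf": "[fips_sect]\nactivate = 1\n",
}

def parse(files, path, sections=None, current="default"):
    sections = {} if sections is None else sections
    sections.setdefault(current, {})
    for raw in files[path].splitlines():  # KeyError here: the file was not found
        line = raw.split("#", 1)[0].strip()
        if line.startswith(".include"):
            target = line[len(".include"):].lstrip(" =")
            current = parse(files, target, sections, current)[1]
        elif line.startswith("["):
            current = line.strip("[] ")
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections, current

def diagnose(sections, load_name):
    init = sections["default"].get("openssl_conf", "")
    table = sections.get(sections.get(init, {}).get("providers", ""), {})  # name -> section
    if load_name in table:
        sect = table[load_name]
        if sect not in sections:
            return f"provider '{load_name}' points at undefined section [{sect}]"
        return f"provider '{load_name}' uses [{sect}], activate={sections[sect].get('activate')}"
    owner = [n for n, s in table.items() if s == load_name]
    if owner:
        return f"'{load_name}' is a section name; the provider it configures is '{owner[0]}'"
    return f"'{load_name}' is not listed under providers"

if __name__ == "__main__":
    conf = parse(FILES, "/usr/lib/ssl/openssl.cnf")[0]
    print(diagnose(conf, "fips"), diagnose(conf, "fips_sect"), sep="\n")
```

Removing the .include line from the constructed openssl.cnf makes diagnose report that "fips" points at an undefined section, which is how a missing or unread fipsmodule.cnf shows up in this reader.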


