Re: Need help on self test post failure - programmatically load FIPS provider

I assume that, after building the openssl library, you ran openssl fipsinstall? I.e. you're not just using a previously generated fipsmodule.cnf file? The above errors initially seem like self tests failed on the fips provider load, suggesting that the module-mac or install-mac is incorrect in your config.
'Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <murugesh.pitchaiah@xxxxxxxxx> wrote:
Hi,

Need your help on using openssl fips provider programmatically with openssl 3.0.9.

Error seen:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.

Steps:

Followed the steps @ https://www.openssl.org/docs/man3.0/man7/fips_module.html

#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    /* Load the base provider alongside it. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}


More info:


/usr/bin # openssl version -d
OPENSSLDIR: "/usr/lib/ssl-3"

/exos/bin # openssl version -a
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
built on: Tue May 30 12:31:57 2023 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: N/A


Attached the openssl and fips conf.


Could you guys please check and share what is missing here? Any help would be appreciated.


Thanks,

Murugesh
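
An added example, not part of either message and not OpenSSL project code: a shell pre-flight check for the point raised in the reply, that the module-mac or install-mac in the config may not match the module that was built. The function names are invented for this example and the module and config paths are whatever the caller passes in; the MAC comparison itself is done by `openssl fipsinstall -verify`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a fipsmodule.cnf.
# cnf_get, check_fips_cnf and verify_fips_install are names invented here.

# Print the value of "key = value" for key $2 in config file $1.
cnf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Structural check: are the MAC fields that the FIPS self test reads present?
# Returns 0 if they are, 1 if a field is missing, 2 if the file is unreadable.
check_fips_cnf() {
    cnf=$1
    rc=0
    [ -r "$cnf" ] || { echo "cannot read: $cnf"; return 2; }
    if [ -z "$(cnf_get "$cnf" module-mac)" ]; then
        echo "missing: module-mac"
        rc=1
    fi
    # install-mac authenticates install-status, so the two go together.
    if [ -n "$(cnf_get "$cnf" install-status)" ] &&
       [ -z "$(cnf_get "$cnf" install-mac)" ]; then
        echo "missing: install-mac"
        rc=1
    fi
    return "$rc"
}

# Full check: let openssl recompute the MACs for this fips module build and
# compare them with the ones stored in the config.
# Usage: verify_fips_install <path to fips module> <path to fipsmodule.cnf>
verify_fips_install() {
    check_fips_cnf "$2" || return 1
    openssl fipsinstall -module "$1" -in "$2" -verify
}
```

If the verify step fails, rerunning `openssl fipsinstall -out <fipsmodule.cnf> -module <fips module>` against the freshly built module regenerates the MACs.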


