Re: Need help on self test post failure - programmatically load FIPS provider

Thanks Neil for your response. Please find more details below.

Yes, we run fipsinstall and then edit the fipsmodule.cnf file to remove the 'activate=1' line. Then we try to programmatically load the FIPS provider. Here are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in /usr/lib/ssl-3, which does not have install_mac and install_status. We have edited the openssl.cnf file as mentioned below:
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

We executed the command below to install, which also generates/updates the fipsmodule.cnf file:

 openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf

The above command executed successfully and wrote install-status to the fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from the fipsmodule.cnf file. After this we triggered the code that programmatically loads the FIPS provider, which caused the error:

> 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.


Please share if we are missing something. Thanks in advance.


Regards,

Murugesh



On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman@xxxxxxxxxxx> wrote:
I assume that, after building the openssl library you ran openssl fipsinstall?  i.e. you're not just using a previously generated fipsmodule.cnf file?  The above errors initially seem like self tests failed on the fips provider load, suggesting that the module-mac or install-mac is incorrect in your config
'Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <murugesh.pitchaiah@xxxxxxxxx> wrote:
Hi,

We need your help using the OpenSSL FIPS provider programmatically with OpenSSL 3.0.9.

Error seen:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.

Steps:


#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context. Loading runs
     * the module's power-on self tests, which is where the errors above come from. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }

    /* The base provider supplies encoders, decoders and store loaders only,
     * so no non-FIPS algorithm implementations become available. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}


More info:


/usr/bin # openssl version -d
OPENSSLDIR: "/usr/lib/ssl-3"

/exos/bin # openssl version -a
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
built on: Tue May 30 12:31:57 2023 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=                      -fdebug-prefix-map=  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: N/A


The openssl and fips conf files are attached.


Could you guys please check and share what is missing here? Any help would be appreciated.


Thanks,

Murugesh
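As an added pre-flight check (not code from this thread or from OpenSSL), the C snippet below parses a fipsmodule.cnf like the one quoted in the reply above and reports whether it still carries the module-mac, install-mac and install-status entries that the provider's self test verifies at load time; the sample files and MAC values are constructed placeholders, and the function names are my own.

```c
#include <ctype.h>
#include <string.h>
/* Constructed samples (placeholder MACs, not the thread's): fipsmodule.cnf as
 * fipsinstall writes it, and as the device sees it at boot (no install-* keys). */
#define MAC32 "00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f"
static const char CNF_INSTALLED[] =
    "[fips_sect]\nactivate = 1\ninstall-version = 1\nconditional-errors = 1\nsecurity-checks = 1\n"
    "module-mac = " MAC32 "\ninstall-mac = " MAC32 "\ninstall-status = INSTALL_SELF_TEST_KATS_RUN\n";
static const char CNF_AT_BOOT[] = "[fips_sect]\nactivate = 1\nmodule-mac = " MAC32 "\n";

/* Copy the trimmed value of a "key = value" line into out; returns 1 if found. */
int fips_cnf_get(const char *cnf, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), vlen;
    for (const char *p = cnf, *q; p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
        if (strncmp(p, key, klen) != 0) continue;
        for (q = p + klen; *q == ' ' || *q == '\t'; q++) ;   /* key must be followed by '=' */
        if (*q++ != '=') continue;
        while (*q == ' ' || *q == '\t') q++;
        for (vlen = strcspn(q, "\r\n"); vlen && isspace((unsigned char)q[vlen - 1]); vlen--) ;
        memcpy(out, q, vlen = vlen < outlen ? vlen : outlen - 1); out[vlen] = '\0';
        return 1;
    }
    return 0;
}

/* fipsinstall writes its HMAC-SHA256 values as 32 colon-separated hex bytes. */
int fips_mac_wellformed(const char *v)
{
    for (int n = 0; isxdigit((unsigned char)v[0]) && isxdigit((unsigned char)v[1]); v += 3) {
        if (++n == 32 && v[2] == '\0') return 1;
        if (v[2] != ':') return 0;
    }
    return 0;   /* too short, too long, or not hex */
}

/* 1 when the file carries what the provider's self test verifies at load: well-formed
 * module-mac and install-mac plus an install-status from a completed KAT run.
 * On failure *why names the first key that is missing or malformed. */
int fips_cnf_installed(const char *cnf, const char **why)
{
    static const char *const keys[] = { "module-mac", "install-mac", "install-status" };
    char v[128];
    for (int i = 0; i < 3; i++) {
        *why = keys[i];
        if (!fips_cnf_get(cnf, keys[i], v, sizeof v)) return 0;
        if (i < 2 ? !fips_mac_wellformed(v) : strcmp(v, "INSTALL_SELF_TEST_KATS_RUN") != 0) return 0;
    }
    *why = "ok";
    return 1;
}
```

Run against the real file, a result of 0 with *why set to "install-mac" or "install-status" means the loader will be asked to perform the self tests rather than verify a recorded run, so fipsinstall output and the path your openssl.cnf includes should be compared first.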


