What do you get by loading the provider via the "openssl list" command,
i.e. what is the output from:
$ openssl list --providers -provider fips -provider base
Matt
On 24/05/2024 15:48, murugesh pitchaiah wrote:
Thanks Neil for your response. Please find more details below.
Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
the 'activate=1' line. Then try to programmatically load FIPS provider.
Here are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in
/usr/lib/ssl-3 which does not have install_mac and install_status. We
have edited the openssl.cnf file as mentioned below:
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
We executed the command below to install, which also
generates/updates the fipsmodule.cnf file:
openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
The above command successfully executed and updated install-status to
fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
this we triggered the code that programmatically loads fips, which caused the
error:
80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.
Please share if we are missing something. Thanks in advance.
Regards,
Murugesh
On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman@xxxxxxxxxxx> wrote:
I assume that, after building the openssl library you ran openssl
fipsinstall? i.e. you're not just using a previously generated
fipsmodule.cnf file? The above errors initially seem like self
tests failed on the fips provider load, suggesting that the
module-mac or install-mac is incorrect in your config
Neil
On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
<murugesh.pitchaiah@xxxxxxxxx> wrote:
Hi,
Need your help on using openssl fips provider
programmatically with openssl 3.0.9.
Error seen:
80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.
Steps:
Followed the steps @
https://www.openssl.org/docs/man3.0/man7/fips_module.html
#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    /* Load the base provider as well */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}
More info:
/usr/bin # openssl version -d
OPENSSLDIR: "/usr/lib/ssl-3"
/exos/bin # openssl version -a
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
built on: Tue May 30 12:31:57 2023 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: x86_64-poky-linux-gcc -m64
-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat
-Wformat-security -Werror=format-security
--sysroot=recipe-sysroot -O2 -pipe -g
-feliminate-unused-debug-types -fmacro-prefix-map=
-fdebug-prefix-map=
-fdebug-prefix-map=
-fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN
-DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: N/A
Attached the openssl and fips conf.
Could you guys please check and share what is missing here? Any
help would be appreciated.
Thanks,
Murugesh
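
A static check of the setup described in this thread, as an added example that is not part of any message above: it compares the .include path in openssl.cnf with the path given to "fipsinstall -out", then confirms that the fips section carries the fields fipsinstall wrote. The function names are hypothetical, and the demo input is constructed from the two paths quoted in the thread.

```shell
#!/bin/sh
# Added example: consistency check between openssl.cnf and the file written
# by "openssl fipsinstall -out". Function names are hypothetical.

# Print the path given on each ".include" line of config file $1.
included_files() {
    sed -n 's/^[[:space:]]*\.include[[:space:]=]*//p' "$1" | sed 's/[[:space:]]*$//'
}

# Print the section assigned to "fips", e.g. "fips = fips_sect" -> fips_sect.
fips_section_name() {
    sed -n 's/^[[:space:]]*fips[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if key $3 appears inside section [$2] of file $1.
section_has_key() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sect = ($0 == sect); next }
        in_sect { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); if (kv[1] == key) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# check_fips_config OPENSSL_CNF FIPSINSTALL_OUT
# Returns 0 if consistent, 2 if openssl.cnf does not include the fipsinstall
# output file, 3 if the fips section there lacks a field fipsinstall writes.
check_fips_config() {
    cnf=$1; out=$2
    included_files "$cnf" | grep -Fxq "$out" || {
        echo "include mismatch: $cnf includes '$(included_files "$cnf")', fipsinstall wrote '$out'"
        return 2
    }
    sect=$(fips_section_name "$cnf")
    for key in module-mac install-mac install-status; do
        section_has_key "$out" "$sect" "$key" || {
            echo "[$sect] in $out lacks $key"; return 3
        }
    done
    echo "ok: $cnf includes $out and [$sect] carries the fipsinstall fields"
}

# Demo on a constructed openssl.cnf that mirrors the paths quoted in the thread.
d=$(mktemp -d)
printf '.include /usr/local/ssl/fipsmodule.cnf\n[provider_sect]\nfips = fips_sect\n' > "$d/openssl.cnf"
check_fips_config "$d/openssl.cnf" /usr/lib/ssl-3/fipsmodule.cnf || true
rm -rf "$d"
```

A non-zero result only says the two files disagree on disk; the output of "openssl list --providers" requested at the top of the thread is still what shows how the provider behaves when loaded.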