Re: Need help on self test post failure - programmatically load FIPS provider

[murugesh pitchaiah <murugesh.pitchaiah@xxxxxxxxx>]

Thanks Matt for looking into this. 

Here is the output:

 # openssl list --providers -provider fips -provider base

Providers:

  base

    name: OpenSSL Base Provider

    version: 3.0.9

    status: active

  fips

    name: OpenSSL FIPS Provider

    version: 3.0.9

    status: active

Also please find the fipsmodule.conf file contents before and after fipsinstall which I missed to attach in previous mail:

before install fipsmodule.cnf is :

 # cat /usr/lib/ssl-3/fipsmodule.cnf

[fips_sect]

activate = 1

conditional-errors = 1

security-checks = 1

module-mac = F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69

After fips install :

 [fips_sect]

install-version = 1

conditional-errors = 1

security-checks = 1

module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3

install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11

install-status = INSTALL_SELF_TEST_KATS_RUN

Note: Removed the 'activate=1' manually.

Thanks,

Murugesh

On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:

What do you get by loading the provider via the "openssl list" command,
i.e. what is the output from:

$ openssl list --providers -provider fips -provider base


Matt

On 24/05/2024 15:48, murugesh pitchaiah wrote:
> Thanks Neil for your response. Please find more details below.
>
> Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> the 'activate=1' line. Then try to programmatically load FIPS provider.
> Here are the details steps.
> Once the device boots up , The device has fipsmoudle.cnfpresent in
> /usr/lib/ssl-3 which does not have install_mac and insatll_status. We
> have edited openssl.cnf file as mentioned below:
>
>     |.include /usr/local/ssl/fipsmodule.cnf|
>
>     |[openssl_init]|
>
>     |providers = provider_sect|
>
>     |
>     |
>
>     |[provider_sect]|
>
>     |fips = fips_sect|
>
>     |base = base_sect|
>
>     |
>     |
>
>     |[base_sect]|
>
>     |activate = 1|
>
> We executed below command to install which also
> generates/updates fipsmodule.cnf file
>
>       openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
>     /usr/lib/ssl-3/fipsmodule.cnf
>
>   The above command successfully executed and updated install-status to
> fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>
>     [fips_sect]
>
>     activate = 1
>
>     install-version = 1
>
>     conditional-errors = 1
>
>     security-checks = 1
>
>     module-mac =
>     5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>
>     install-mac =
>     41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>
>     install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
> this we triggered the programatically load fips code, which caused the
> error:
>
>     >/*80D1CD65667F0000:error:1C8000D4:Provider
>     routines:SELF_TEST_post:invalid /
>
>     >/state:../openssl-3.0.9/providers/fips/self_test.c:262:* /
>
>     >/*80D1CD65667F0000:error:1C8000D8:Provider /
>
>     >/routines:OSSL_provider_init_int:self test post /
>
>     >/failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:* /
>
>     >/*80D1CD65667F0000:error:078C0105:common libcrypto /
>
>     >/routines:provider_init:init /
>
>     >/fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips* /
>
>     >/*Error loading FIPS provider.*/
>
>
> Please share if we are missing something. Thanks in advance.
>
>
> Regards,
>
> Murugesh
>
>
>
> On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman@xxxxxxxxxxx
> <mailto:nhorman@xxxxxxxxxxx>> wrote:
>
>     I assume that, after building the openssl library you ran openssl
>     fipsinstall?  i.e. you're not just using a previously generated
>     fipsmodule.cnf file?  The above errors initially seem like self
>     tests failed on the fips provider load, suggesting that the
>     module-mac or install-mac is incorrect in your config
>     'Neil
>
>     On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
>     <murugesh.pitchaiah@xxxxxxxxx <mailto:murugesh.pitchaiah@xxxxxxxxx>>
>     wrote:
>
>         Hi,
>
>         Need your help on using openssl fips provider
>         programmatically with openssl 3.0.9.
>
>         Error seen:
>
>             *80D1CD65667F0000:error:1C8000D4:Provider
>             routines:SELF_TEST_post:invalid
>             state:../openssl-3.0.9/providers/fips/self_test.c:262:*
>             *80D1CD65667F0000:error:1C8000D8:Provider
>             routines:OSSL_provider_init_int:self test post
>             failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
>             *80D1CD65667F0000:error:078C0105:common libcrypto
>             routines:provider_init:init
>             fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
>             *Error loading FIPS provider.*
>
>         *
>         *
>         Steps:
>
>         Followed the steps @
>         https://www.openssl.org/docs/man3.0/man7/fips_module.html
>         <https://nam12.safelinks.protection.outlook.com/?url="">>
>
>             #include <openssl/provider.h>
>
>             int main(void)
>
>             {
>
>                  OSSL_PROVIDER *fips;
>
>                  OSSL_PROVIDER *base;
>
>                  fips = OSSL_PROVIDER_load(NULL, "fips");
>
>                  if (fips == NULL) {
>
>                      printf("Failed to load FIPS provider\n");
>
>                      exit(EXIT_FAILURE);
>
>                  }
>
>                  base = OSSL_PROVIDER_load(NULL, "base");
>
>                  if (base == NULL) {
>
>                      OSSL_PROVIDER_unload(fips);
>
>                      printf("Failed to load base provider\n");
>
>                      exit(EXIT_FAILURE);
>
>                  }
>
>                  /* Rest of application */
>
>                  OSSL_PROVIDER_unload(base);
>
>                  OSSL_PROVIDER_unload(fips);
>
>                  exit(EXIT_SUCCESS);
>
>             }
>
>
>         More info:
>
>
>             /usr/bin # openssl version -d
>
>             OPENSSLDIR: "/usr/lib/ssl-3"
>
>             /exos/bin # openssl version -a
>
>             OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>
>             built on: Tue May 30 12:31:57 2023 UTC
>
>             platform: linux-x86_64
>
>             options:  bn(64,64)
>
>             compiler: x86_64-poky-linux-gcc  -m64
>             -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2 -Wformat
>             -Wformat-security -Werror=format-security
>             --sysroot=recipe-sysroot -O2 -pipe -g
>             -feliminate-unused-debug-types -fmacro-prefix-map=         
>                         -fdebug-prefix-map=                   
>               -fdebug-prefix-map=                   
>               -fdebug-prefix-map=  -DOPENSSL_USE_NODELETE -DL_ENDIAN
>             -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
>
>             OPENSSLDIR: "/usr/lib/ssl-3"
>
>             ENGINESDIR: "/usr/lib/engines-3"
>
>             MODULESDIR: "/usr/lib/ossl-modules"
>
>             Seeding source: os-specific
>
>             CPUINFO: N/A
>
>
>         Attached the openssl and fips conf.
>
>
>         Could you guys please check and share what is missing here? Any
>         help would be appreciated.
>
>
>         Thanks,
>
>         Murugesh
>
>