80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fipsError loading FIPS provider.
#include <openssl/provider.h>
int main(void)
{
OSSL_PROVIDER *fips;
OSSL_PROVIDER *base;
fips = OSSL_PROVIDER_load(NULL, "fips");
if (fips == NULL) {
printf("Failed to load FIPS provider\n");
exit(EXIT_FAILURE);
}
base = OSSL_PROVIDER_load(NULL, "base");
if (base == NULL) {
OSSL_PROVIDER_unload(fips);
printf("Failed to load base provider\n");
exit(EXIT_FAILURE);
}
/* Rest of application */
OSSL_PROVIDER_unload(base);
OSSL_PROVIDER_unload(fips);
exit(EXIT_SUCCESS);
}
Thanks Matt for looking into this.Here is the output:# openssl list --providers -provider fips -provider base
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
Also please find the fipsmodule.conf file contents before and after fipsinstall which I missed to attach in previous mail:
before install fipsmodule.cnf is :
# cat /usr/lib/ssl-3/fipsmodule.cnf
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac = F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69
After fips install :
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
Note: Removed the 'activate=1' manually.
Thanks,
Murugesh
On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:What do you get by loading the provider via the "openssl list" command,
i.e. what is the output from:
$ openssl list --providers -provider fips -provider base
Matt
On 24/05/2024 15:48, murugesh pitchaiah wrote:
> Thanks Neil for your response. Please find more details below.
>
> Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> the 'activate=1' line. Then try to programmatically load FIPS provider.
> Here are the details steps.
> Once the device boots up , The device has fipsmoudle.cnfpresent in
> /usr/lib/ssl-3 which does not have install_mac and insatll_status. We
> have edited openssl.cnf file as mentioned below:
>
> |.include /usr/local/ssl/fipsmodule.cnf|
>
> |[openssl_init]|
>
> |providers = provider_sect|
>
> |
> |
>
> |[provider_sect]|
>
> |fips = fips_sect|
>
> |base = base_sect|
>
> |
> |
>
> |[base_sect]|
>
> |activate = 1|
>
> We executed below command to install which also
> generates/updates fipsmodule.cnf file
>
> openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
> /usr/lib/ssl-3/fipsmodule.cnf
>
> The above command successfully executed and updated install-status to
> fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>
> [fips_sect]
>
> activate = 1
>
> install-version = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>
> install-mac =
> 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Then we removed the line "activate = 1" from fipsmodule.cnf file. After
> this we triggered the programatically load fips code, which caused the
> error:
>
> >/*80D1CD65667F0000:error:1C8000D4:Provider
> routines:SELF_TEST_post:invalid /
>
> >/state:../openssl-3.0.9/providers/fips/self_test.c:262:* /
>
> >/*80D1CD65667F0000:error:1C8000D8:Provider /
>
> >/routines:OSSL_provider_init_int:self test post /
>
> >/failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:* /
>
> >/*80D1CD65667F0000:error:078C0105:common libcrypto /
>
> >/routines:provider_init:init /
>
> >/fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips* /
>
> >/*Error loading FIPS provider.*/
>
>
> Please share if we are missing something. Thanks in advance.
>
>
> Regards,
>
> Murugesh
>
>
>
> On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman@xxxxxxxxxxx
> <mailto:nhorman@xxxxxxxxxxx>> wrote:
>
> I assume that, after building the openssl library you ran openssl
> fipsinstall? i.e. you're not just using a previously generated
> fipsmodule.cnf file? The above errors initially seem like self
> tests failed on the fips provider load, suggesting that the
> module-mac or install-mac is incorrect in your config
> 'Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
> <murugesh.pitchaiah@xxxxxxxxx <mailto:murugesh.pitchaiah@xxxxxxxxx>>
> wrote:
>
> Hi,
>
> Need your help on using openssl fips provider
> programmatically with openssl 3.0.9.
>
> Error seen:
>
> *80D1CD65667F0000:error:1C8000D4:Provider
> routines:SELF_TEST_post:invalid
> state:../openssl-3.0.9/providers/fips/self_test.c:262:*
> *80D1CD65667F0000:error:1C8000D8:Provider
> routines:OSSL_provider_init_int:self test post
> failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
> *80D1CD65667F0000:error:078C0105:common libcrypto
> routines:provider_init:init
> fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
> *Error loading FIPS provider.*
>
> *
> *
> Steps:
>
> Followed the steps @
> https://www.openssl.org/docs/man3.0/man7/fips_module.html
> <https://nam12.safelinks.protection.outlook.com/?url="">>
>
> #include <openssl/provider.h>
>
> int main(void)
>
> {
>
> OSSL_PROVIDER *fips;
>
> OSSL_PROVIDER *base;
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
>
> if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> base = OSSL_PROVIDER_load(NULL, "base");
>
> if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> /* Rest of application */
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
>
> More info:
>
>
> /usr/bin # openssl version -d
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> /exos/bin # openssl version -a
>
> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>
> built on: Tue May 30 12:31:57 2023 UTC
>
> platform: linux-x86_64
>
> options: bn(64,64)
>
> compiler: x86_64-poky-linux-gcc -m64
> -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat
> -Wformat-security -Werror=format-security
> --sysroot=recipe-sysroot -O2 -pipe -g
> -feliminate-unused-debug-types -fmacro-prefix-map=
> -fdebug-prefix-map=
> -fdebug-prefix-map=
> -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN
> -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> ENGINESDIR: "/usr/lib/engines-3"
>
> MODULESDIR: "/usr/lib/ossl-modules"
>
> Seeding source: os-specific
>
> CPUINFO: N/A
>
>
> Attached the openssl and fips conf.
>
>
> Could you guys please check and share what is missing here? Any
> help would be appreciated.
>
>
> Thanks,
>
> Murugesh
>
>