On 24/05/2024 16:57, murugesh pitchaiah wrote:
Thanks Matt for looking into this.
Here is the output:
# openssl list --providers -provider fips -provider base
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
So this suggests that the fips provider is correctly installed and
configured and is able to activate without problems. So it's currently
unclear why you can't do this programmatically.
Also please find the fipsmodule.conf file contents before and after
fipsinstall, which I forgot to attach in the previous mail:
before install fipsmodule.cnf is :
Err...so you already had a fips module installed before you ran
fipsinstall, and you are replacing it with a new one?
Where did you put the new fips.so file? Were you overwriting the
previous one?
Matt
After fips install :
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
Note: Removed the 'activate=1' manually.
Thanks,
Murugesh
On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt@xxxxxxxxxxx> wrote:
What do you get by loading the provider via the "openssl list" command,
i.e. what is the output from:
$ openssl list --providers -provider fips -provider base
Matt
On 24/05/2024 15:48, murugesh pitchaiah wrote:
> Thanks Neil for your response. Please find more details below.
>
> Yes, we run fipsinstall and then edit the fipsmodule.conf file to remove
> the 'activate=1' line. Then we try to programmatically load the FIPS
> provider. Here are the detailed steps.
> Once the device boots up, the device has fipsmodule.cnf present in
> /usr/lib/ssl-3 which does not have install-mac and install-status. We
> have edited the openssl.cnf file as mentioned below:
>
> .include /usr/local/ssl/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> base = base_sect
>
> [base_sect]
> activate = 1
>
> We executed the below command to install, which also
> generates/updates the fipsmodule.cnf file:
>
> openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> The above command executed successfully and updated install-status in
> the fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>
> [fips_sect]
> activate = 1
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Then we removed the line "activate = 1" from the fipsmodule.cnf file.
> After this we triggered the code that programmatically loads FIPS,
> which caused the error:
>
> 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.
>
>
> Please share if we are missing something. Thanks in advance.
>
>
> Regards,
>
> Murugesh
>
>
>
> On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman@xxxxxxxxxxx> wrote:
>
> I assume that, after building the openssl library, you ran openssl
> fipsinstall? i.e. you're not just using a previously generated
> fipsmodule.cnf file? The above errors initially seem like self
> tests failed on the fips provider load, suggesting that the
> module-mac or install-mac is incorrect in your config.
> Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <murugesh.pitchaiah@xxxxxxxxx> wrote:
>
> Hi,
>
> Need your help on using the openssl fips provider
> programmatically with openssl 3.0.9.
>
> Error seen:
>
> 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.
>
> Steps:
>
> Followed the steps @
> https://www.openssl.org/docs/man3.0/man7/fips_module.html
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/provider.h>
>
> int main(void)
> {
>     OSSL_PROVIDER *fips;
>     OSSL_PROVIDER *base;
>
>     /* Load the FIPS provider into the default library context.
>      * This is the call that reports the self-test failure above. */
>     fips = OSSL_PROVIDER_load(NULL, "fips");
>     if (fips == NULL) {
>         printf("Failed to load FIPS provider\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* The base provider supplies encoders, decoders and store loaders
>      * that the FIPS provider does not. */
>     base = OSSL_PROVIDER_load(NULL, "base");
>     if (base == NULL) {
>         OSSL_PROVIDER_unload(fips);
>         printf("Failed to load base provider\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* Rest of application */
>
>     OSSL_PROVIDER_unload(base);
>     OSSL_PROVIDER_unload(fips);
>     exit(EXIT_SUCCESS);
> }
>
>
> More info:
>
>
> /usr/bin # openssl version -d
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> /exos/bin # openssl version -a
> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
> built on: Tue May 30 12:31:57 2023 UTC
> platform: linux-x86_64
> options: bn(64,64)
> compiler: x86_64-poky-linux-gcc -m64 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
> OPENSSLDIR: "/usr/lib/ssl-3"
> ENGINESDIR: "/usr/lib/engines-3"
> MODULESDIR: "/usr/lib/ossl-modules"
> Seeding source: os-specific
> CPUINFO: N/A
>
>
> Attached the openssl and fips conf.
>
>
> Could you guys please check and share what is missing here? Any
> help would be appreciated.
>
>
> Thanks,
>
> Murugesh
>
>
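Editor's note, added example (not code from the thread or from OpenSSL): Neil's reply points at the module-mac / install-mac in the config, and the openssl.cnf posted above includes /usr/local/ssl/fipsmodule.cnf while fipsinstall was told to write /usr/lib/ssl-3/fipsmodule.cnf. The script below is a preflight check I would run before debugging the programmatic load: it parses a fipsmodule.cnf for the fields fipsinstall must have written, reports whether an activate line is present, and checks that the openssl.cnf .include path is the file fipsinstall actually produced. The paths and the sample files in demo() are constructed to mirror the thread, not taken from a real device. Only verify_with_openssl needs a real fips.so; it wraps the documented openssl fipsinstall -verify mode and is not run by the other checks.

```shell
#!/bin/sh
# Preflight checks for an OpenSSL 3.0 FIPS provider install.
# Added example, not code from the thread or from OpenSSL. Everything except
# verify_with_openssl only reads config files, so it runs without a fips.so.

# Path named by the ".include" directive of an openssl.cnf (first one wins).
included_fips_cnf() {
    sed -n 's/^[[:space:]]*\.include[[:space:]]*=*[[:space:]]*//p' "$1" | head -n 1
}

# Value of "key = value" in a config file, or "" when the key is absent.
cnf_value() {
    # $1 = file, $2 = key (e.g. install-status)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Sanity-check a fipsmodule.cnf written by "openssl fipsinstall".
# Prints findings; returns 0 when the file is complete, 1 otherwise.
check_fipsmodule_cnf() {
    f="$1"; rc=0
    if [ ! -r "$f" ]; then
        echo "MISSING: $f"; return 1
    fi
    status=$(cnf_value "$f" install-status)
    if [ "$status" != "INSTALL_SELF_TEST_KATS_RUN" ]; then
        echo "BAD: install-status is '$status' in $f (fipsinstall did not complete here)"
        rc=1
    fi
    # Both MACs are HMAC-SHA256 values: 32 colon-separated hex bytes.
    for key in module-mac install-mac; do
        mac=$(cnf_value "$f" "$key")
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'; then
            echo "BAD: $key missing or malformed in $f"; rc=1
        fi
    done
    if [ "$(cnf_value "$f" activate)" = "1" ]; then
        echo "NOTE: activate = 1 present: fips loads automatically when the config is read"
    else
        echo "NOTE: no activate line: the application must call OSSL_PROVIDER_load(ctx, \"fips\")"
    fi
    return $rc
}

# Does openssl.cnf ($1) include the file that fipsinstall wrote ($2)?
check_include_matches() {
    inc=$(included_fips_cnf "$1")
    if [ "$inc" != "$2" ]; then
        echo "MISMATCH: $1 includes '$inc' but fipsinstall wrote '$2'"
        return 1
    fi
    echo "OK: $1 includes $2"
}

# Recompute both MACs against the fips.so actually on disk (real openssl needed).
verify_with_openssl() {
    # $1 = fips.so, $2 = fipsmodule.cnf
    openssl fipsinstall -module "$1" -in "$2" -verify
}

# Demo on constructed files that copy the layout posted in the thread.
demo() {
    d=$(mktemp -d)
    cat > "$d/fipsmodule.cnf" <<'EOF'
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
EOF
    # openssl.cnf that includes a different path than the one fipsinstall wrote
    printf '.include /usr/local/ssl/fipsmodule.cnf\n[openssl_init]\nproviders = provider_sect\n' > "$d/openssl.cnf"
    check_fipsmodule_cnf "$d/fipsmodule.cnf"
    check_include_matches "$d/openssl.cnf" "$d/fipsmodule.cnf" || true
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run as `sh check_fips.sh demo` to see the constructed mismatch reported. Removing `activate = 1` only stops the provider from loading when the config is read; the rest of [fips_sect] (install-status and both MACs) is still what OSSL_PROVIDER_load(NULL, "fips") feeds to the module, so the file your openssl.cnf includes must be the one fipsinstall wrote for the fips.so in MODULESDIR. `openssl fipsinstall -module fips.so -in fipsmodule.cnf -verify` recomputes the MACs against the module on disk and is the quickest way to tell a stale or mismatched config from a genuine self-test failure.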