FIPS Module Checksum is null in OpenSSL 3.0

Eshelman, Robert Michael (54440) JR CTR USN NIWC ATLANTIC SC (USA) robert.m.eshelman2.ctr at us.navy.mil
Wed Dec 15 14:43:54 UTC 2021


Good Morning,


I am having an issue with the FIPS Module in an OpenSSL 3.0 build. Below are the build steps and the issues that I am seeing. Sorry for the length but I am trying to provide all of the relevant details in hopes that the solution to this issue will be easily identifiable.

First, we are using ZLib 1.2.11. This is the default build for a Windows machine so the tarball is extracted to the zlib directory and then we run “nmake -f win32/Makefile.msc”.



Second, we are using OpenSSL 3.0.0. After extracting the tarball to the OpenSSL directory, we are running the following configuration:

perl Configure VC-WIN32 zlib-dynamic --with-zlib-include=<ZLIB_INCLUDE_DIR> --with-zlib-lib=<ZLIB_LIB_DIR> enable-fips enable-static-engine enable-capieng -DOPENSSL_CAPIENG_DIALOG

Followed by the default “nmake”. For the install step, I have tried both the default “nmake install” and I am currently using “nmake DESTDIR=<OPENSSL_INSTALL_DIR> install” to mimic the file structure after an install would have been done on the current machine.



Once the install is completed, I am running the openssl fipsinstall command:

openssl fipsinstall -out "<OPENSSL_INSTALL_DIR>\Program Files (x86)\Common Files\SSL\fipsmodule.cnf" -module "<OPENSSL_INSTALL_DIR>\Program Files (x86)\OpenSSL\lib\ossl-modules\fips.dll"



At this point, all of the self-tests pass and the configure file is updated successfully. I also have to go into openssl.cnf and uncomment the following lines:



# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
.include fipsmodule.cnf

…

[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect



I am using this as part of stunnel so I am doing a stunnel build following this step. Once stunnel is built, I am running stunnel to create a connection but it fails on trying to initialize the FIPS module. Here is the error stack that I am getting:



[!] error queue: crypto\provider_core.c:903: error:078C0105:common libcrypto routines::init fail
[!] error queue: providers\fips\fipsprov.c:706: error:1C8000D8:Provider routines::self test post failure
[!] error queue: providers\fips\self_test.c:387: error:1C8000E0:Provider routines::fips module entering error state
[!] FIPS PROVIDER: providers\fips\self_test.c:289: error:1C8000D5:Provider routines::missing config data



Tracing through this, I have found that the check on line 288 in the self_test.c is failing because the module_checksum_data is null in the ST object. What I am failing to understand is why the module checksum keeps coming back null. To me, it seems that I am overlooking a small step somewhere and can’t see it. Any help here would be greatly appreciated.



Thank you very much,
Bob Eshelman
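
A check a practitioner could run against the configuration described in the post, as an added example that is not part of the original message or of OpenSSL: it reads the `.include` / `[provider_sect]` subset shown above and reports whether the section named by `fips =` is reachable and carries the `module-mac` entry written by fipsinstall. The function names, the sample files and the MAC value are constructed; the sketch assumes a relative `.include` is resolved against the working directory of the process and that a missing include is skipped without error.

```python
import os, tempfile

def load_conf(path, base_dir, missing):
    """Read the config subset from the post: [sections], key = value, .include."""
    sections, current = {}, "default"
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments
            if not line:
                continue
            if line.startswith(".include"):
                target = line[len(".include"):].lstrip(" =\t").strip('"')
                if not os.path.isabs(target):
                    # Modelled assumption: a relative include is resolved against
                    # base_dir (working directory), not openssl.cnf's directory.
                    target = os.path.join(base_dir, target)
                if os.path.isfile(target):
                    for name, kv in load_conf(target, base_dir, missing).items():
                        sections.setdefault(name, {}).update(kv)
                else:
                    missing.append(target)        # skipped, not fatal
            elif line.startswith("[") and line.endswith("]"):
                current = line[1:-1].strip()
            elif "=" in line:
                key, value = line.split("=", 1)
                sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def check_fips_config(conf_path, working_dir):
    """Report whether the fips section is reachable and has module-mac."""
    missing = []
    conf = load_conf(conf_path, working_dir, missing)
    fips_name = conf.get("provider_sect", {}).get("fips")
    fips = conf.get(fips_name, {}) if fips_name else {}
    return {"fips_section": fips_name,
            "has_module_mac": "module-mac" in fips,
            "missing_includes": missing}

def demo():
    # Constructed sample files, not taken from the original post.
    ssl_dir, app_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(ssl_dir, "fipsmodule.cnf"), "w") as f:
        f.write("[fips_sect]\nactivate = 1\nmodule-mac = 00:11:22\n")
    conf = os.path.join(ssl_dir, "openssl.cnf")
    with open(conf, "w") as f:
        f.write(".include fipsmodule.cnf\n[provider_sect]\n"
                "default = default_sect\nfips = fips_sect\n")
    # Same openssl.cnf, loaded from the SSL directory and from an unrelated one.
    return check_fips_config(conf, ssl_dir), check_fips_config(conf, app_dir)
```

`demo()` returns the result for the same `openssl.cnf` loaded from two working directories; in the second, `fips = fips_sect` still resolves by name but the section is empty, so no `module-mac` would reach the provider.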


More information about the openssl-users mailing list