Unable to load the FIPs config file OpenSSL 3.0
Bala Duvvuri
b_duvvuri at yahoo.com
Tue Mar 30 14:29:26 UTC 2021
Hi All,
Can you kindly help me with this error while running the below program that tries to load the configuration which has the FIPs provider?
The program is built on build machine and to be run on linux MIPS platform and below error is seen:
#include <openssl/crypto.h>
main () {
OSSL_LIB_CTX *libctx;
libctx = OSSL_LIB_CTX_new();
OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
ERR_print_errors_fp(stderr);
}
fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
}
ERROR: OSSL_LIB_CTX_load_config()
000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): ./providers/fips.so: cannot open shared object file: No such file or directory
000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_lib.c:162:
000000FFF2406000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:557:name=fips
000000FFF2406000:error:0700006D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1
Version: OpenSSL 3.0.0-alpha13 11 Mar 2021
~ # ls -lrt providers/
-rwxrwxrwx 1 root root 1748513 Mar 30 13:24 fips.so
~ # echo $LD_LIBRARY_PATH
~ #
Steps done:
1>On build machine, build OpenSSL for the target architecture, Linux MIPs, and copy the required binaries on the Linux MIPs box.
2>On Linux MIPs box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
~ # cat fipsmod.cnf
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
3>In the build machine, modify the contents of "openssl.cnf" with above output, and build the test program linking with crypto library.
cat openssl-3.0.0-alpha13/apps/openssl.cnf
1 openssl_conf = openssl_init
2
3 [fips_sect]
4 activate = 1
5 install-version = 1
6 conditional-errors = 1
7 security-checks = 1
8 module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
9 install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
10 install-status = INSTALL_SELF_TEST_KATS_RUN
11
12 [openssl_init]
13 providers = provider_sect
14 alg_section = algorithm_sect
15
16 [provider_sect]
17 default = default_sect
18 fips = fips_sect
19
20 [default_sect]
21 activate = 1
22
23 [algorithm_sect]
24 default_properties = fips=yes
4>Copy the openssl.cnf to the Linux box to "/" and also executed "export OPENSSL_CONF=/"
4>Now on executing the test program on Linux box, observing the load error.
Do we need to set any environ variable to get the load working or is any step missing/wrong?
This test program has worked fine on my build machine when I build, fipsinstall and rebuild my test program and run the test on the build machine.
Your input will help me.
Thanks
Bala
More information about the openssl-users
mailing list