Unable to load the FIPs config file OpenSSL 3.0
Dr Paul Dale
pauli at openssl.org
Wed Mar 31 00:16:52 UTC 2021
Our general suggestion is to keep the FIPS configuration in its own
file and include that -- this helps when updating.
Does a full path to the providers directory help?
Could you try a build with debugging symbols so it's possible to see
what's going on better?
Set a breakpoint on OSSL_PROVIDER_load() and see what's happening?
Pauli
On 31/3/21 12:29 am, Bala Duvvuri via openssl-users wrote:
> Hi All,
>
> Can you kindly help me with this error while running the below program that tries to load the configuration which has the FIPs provider?
>
> The program is built on build machine and to be run on linux MIPS platform and below error is seen:
>
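> #include <stdio.h>
> #include <openssl/crypto.h>
> #include <openssl/err.h>
> #include <openssl/provider.h>
>
> int main(void) {
>     OSSL_LIB_CTX *libctx;
>
>     libctx = OSSL_LIB_CTX_new();
>     /* Provider modules (fips.so) are looked up in ./providers, relative to the current directory */
>     OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
>     /* Load the config file that activates the FIPS provider */
>     if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
>         fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
>         ERR_print_errors_fp(stderr);
>     }
>     fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
>     OSSL_LIB_CTX_free(libctx);
>     return 0;
> }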
>
> ERROR: OSSL_LIB_CTX_load_config()
> 000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): ./providers/fips.so: cannot open shared object file: No such file or directory
> 000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_lib.c:162:
> 000000FFF2406000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:557:name=fips
> 000000FFF2406000:error:0700006D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1
> Version: OpenSSL 3.0.0-alpha13 11 Mar 2021
>
> ~ # ls -lrt providers/
> -rwxrwxrwx 1 root root 1748513 Mar 30 13:24 fips.so
>
> ~ # echo $LD_LIBRARY_PATH
> ~ #
>
> Steps done:
> 1>On build machine, build OpenSSL for the target architecture, Linux MIPs, and copy the required binaries on the Linux MIPs box.
> 2>On Linux MIPs box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (KAT_Signature) : Pass
> DSA : (KAT_Signature) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
>
> ~ # cat fipsmod.cnf
> [fips_sect]
> activate = 1
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> 3>In the build machine, modify the contents of "openssl.cnf" with above output, and build the test program linking with crypto library.
>
> cat openssl-3.0.0-alpha13/apps/openssl.cnf
> openssl_conf = openssl_init
>
> [fips_sect]
> activate = 1
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> [openssl_init]
> providers = provider_sect
> alg_section = algorithm_sect
>
> [provider_sect]
> default = default_sect
> fips = fips_sect
>
> [default_sect]
> activate = 1
>
> [algorithm_sect]
> default_properties = fips=yes
>
> 4>Copy the openssl.cnf to the Linux box to "/" and also executed "export OPENSSL_CONF=/"
>
> 5>Now on executing the test program on Linux box, observing the load error.
>
> Do we need to set any environ variable to get the load working or is any step missing/wrong?
>
> This test program has worked fine on my build machine when I build, fipsinstall and rebuild my test program and run the test on the build machine.
>
> Your input will help me.
>
> Thanks
> Bala
>
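
Added example (not part of the original thread and not OpenSSL code): a Python model of how a provider named in openssl.cnf maps to a module file, showing that a relative search path such as "./providers" is resolved against the process's working directory while a full path is not. The built-in provider list, the ".so" suffix and the helper names parse_cnf, provider_modules and demo are assumptions; the sample config is constructed from the sections quoted above.

```python
import os
import tempfile

BUILTIN = {"default", "base", "null"}  # assumption: built into libcrypto, no module file
# Constructed sample: provider sections of the openssl.cnf quoted above.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[fips_sect]
activate = 1
"""

def parse_cnf(text):
    """Minimal reader: [section] headers and key = value lines; .include is not followed."""
    sections, name = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
        elif "=" in line and not line.startswith("."):
            key, value = line.split("=", 1)
            sections.setdefault(name, {})[key.strip()] = value.strip()
    return sections

def provider_modules(cnf_text, search_path, cwd):
    """Map each file-backed provider to (absolute module path, file exists), as seen from cwd."""
    cnf = parse_cnf(cnf_text)
    init = cnf.get(cnf[""].get("openssl_conf"), {})
    found = {}
    for prov, sect in cnf.get(init.get("providers"), {}).items():
        module = cnf.get(sect, {}).get("module", prov + ".so")
        # os.path.join ignores cwd once search_path or module is an absolute path.
        path = os.path.normpath(os.path.join(cwd, search_path, module))
        if prov not in BUILTIN:
            found[prov] = (path, os.path.isfile(path))
    return found

def demo():
    """Constructed layout <home>/providers/fips.so, checked from two working directories."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as other:
        full = os.path.join(home, "providers")
        os.mkdir(full)
        open(os.path.join(full, "fips.so"), "wb").close()
        return [provider_modules(SAMPLE_CNF, sp, cwd)["fips"][1]
                for sp, cwd in (("./providers", home), ("./providers", other), (full, other))]

print(demo())
```

The three results correspond to: relative search path from the directory that holds providers/, the same relative path from a different working directory, and a full path from that different directory.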