The provider fips can't be loaded on openssl3.0.8
pauli at openssl.org
pauli at openssl.org
Fri May 5 03:22:35 UTC 2023
My initial guess would be that the configuration file isn't being found
by your application.
Have you set OPENSSL_CONF?
What about OPENSSL_CONF_INCLUDE?
Useful places to look are the FIPS module
<https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the
config <https://www.openssl.org/docs/man3.0/man5/config.html> documentation.
Pauli
On 5/5/2023 12:28 pm, Johnson Wang (王舜樸) via openssl-users wrote:
>
> Hi,
>
> Environment: Debian buster
>
> After installing openssl and running fipsinstall, I tried to execute
> "openssl list -providers". The log didn't print provider fips.
>
> And, I went to try the test code as below. It printed "Failed to load
> FIPS provider".
>
> Test code:
>
> #include <openssl/provider.h>
>
> int main(void)
>
> {
>
> OSSL_PROVIDER *fips;
>
> OSSL_PROVIDER *base;
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
>
> if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> base = OSSL_PROVIDER_load(NULL, "base");
>
> if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> /* Rest of application */
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
> Test command:
>
> openssl list -providers
>
> Providers:
>
> base
>
> name: OpenSSL Base Provider
>
> version: 3.0.8
>
> status: active
>
> Complete steps:
>
> 1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl
> --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib
> no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips
>
> 2. make depend
>
> 3. make
>
> 4. make install
>
> 5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
> /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
>
> 6. Modify openssl.cnf
>
> 7. Run openssl list -providers
>
> openssl.cnf:
>
> I have added the setting:
>
> openssl_conf = openssl_init
>
> config_diagnostics = 1
>
> .include /usr/lib/ssl/fipsmodule.cnf
>
> [openssl_init]
>
> providers = provider_sect
>
> [provider_sect]
>
> fips = fips_sect
>
> base = base_sect
>
> [base_sect]
>
> activate = 1
>
> fipsmodule.cnf:
>
> [fips_sect]
>
> activate = 1
>
> install-version = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B
>
> install-mac =
> 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Some test result:
>
> openssl version -a
>
> OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
>
> built on: Tue May 2 07:20:31 2023 UTC
>
> platform: linux-armv4
>
> options: bn(64,32)
>
> compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3
> -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
>
> OPENSSLDIR: "/usr/lib/ssl"
>
> ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"
>
> MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"
>
> Seeding source: os-specific
>
> CPUINFO: OPENSSL_armcap=0x0
>
> openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
> /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
>
> HMAC : (Module_Integrity) : Pass
>
> SHA1 : (KAT_Digest) : Pass
>
> SHA2 : (KAT_Digest) : Pass
>
> SHA3 : (KAT_Digest) : Pass
>
> TDES : (KAT_Cipher) : Pass
>
> AES_GCM : (KAT_Cipher) : Pass
>
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
>
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
>
> Pass
>
> ECDSA : (PCT_Signature) : Pass
>
> ECDSA : (PCT_Signature) : Pass
>
> DSA : (PCT_Signature) : Pass
>
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
>
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
>
> TLS12_PRF : (KAT_KDF) : Pass
>
> PBKDF2 : (KAT_KDF) : Pass
>
> SSHKDF : (KAT_KDF) : Pass
>
> KBKDF : (KAT_KDF) : Pass
>
> HKDF : (KAT_KDF) : Pass
>
> SSKDF : (KAT_KDF) : Pass
>
> X963KDF : (KAT_KDF) : Pass
>
> X942KDF : (KAT_KDF) : Pass
>
> HASH : (DRBG) : Pass
>
> CTR : (DRBG) : Pass
>
> HMAC : (DRBG) : Pass
>
> DH : (KAT_KA) : Pass
>
> ECDH : (KAT_KA) : Pass
>
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
>
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>
> INSTALL PASSED
>
> Could you please help to check whether I have wrong steps?
>
> Thanks,
>
> Johnson
>
> -The information contained in this message may be confidential and
> proprietary to American Megatrends (AMI). This communication is
> intended to be read only by the individual or entity to whom it is
> addressed or by their designee. If the reader of this message is not
> the intended recipient, you are on notice that any distribution of
> this message, in any form, is strictly prohibited. Please promptly
> notify the sender by reply e-mail or by telephone at 770-246-8600, and
> then delete or destroy all copies of the transmission.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230505/979d66da/attachment.htm>
More information about the openssl-users
mailing list