The provider fips can't be loaded on openssl3.0.8

Matt Caswell matt at openssl.org
Fri May 5 08:26:23 UTC 2023 


On 05/05/2023 08:27, Johnson Wang (王舜樸) via openssl-users wrote:

>      fips = OSSL_PROVIDER_load(NULL, "fips_sect");

This looks odd. You should just be loading "fips" not "fips_sect".

Matt


> 
>      if (fips == NULL) {
> 
>          printf("Failed to load FIPS provider\n");
> 
>          exit(EXIT_FAILURE);
> 
>      }
> 
>      base = OSSL_PROVIDER_load(NULL, "base");
> 
>      if (base == NULL) {
> 
>          OSSL_PROVIDER_unload(fips);
> 
>          printf("Failed to load base provider\n");
> 
>          exit(EXIT_FAILURE);
> 
>      }
> 
>      /* Rest of application */
> 
>      OSSL_PROVIDER_unload(base);
> 
>      OSSL_PROVIDER_unload(fips);
> 
>      exit(EXIT_SUCCESS);
> 
> }
> 
> Thanks,
> 
> Johnson
> 
> *From:*openssl-users <openssl-users-bounces at openssl.org> *On Behalf Of 
> *pauli at openssl.org
> *Sent:* Friday, May 5, 2023 11:23 AM
> *To:* openssl-users at openssl.org
> *Subject:* [EXTERNAL] Re: The provider fips can't be loaded on openssl3.0.8
> 
> ***CAUTION:*The e-mail below is from an external source. Please exercise 
> caution before opening attachments, clicking links, or following 
> guidance.**
> 
> My initial guess would be that the configuration file isn't being found 
> by your application.
> Have you set OPENSSL_CONF?
> What about OPENSSL_CONF_INCLUDE?
> 
> Useful places to look are the FIPS module 
> <https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the 
> config <https://www.openssl.org/docs/man3.0/man5/config.html> documentation.
> 
> 
> Pauli
> 
> On 5/5/2023 12:28 pm, Johnson Wang (王舜樸) via openssl-users wrote:
> 
>     Hi,
> 
>     Environment: Debian buster
> 
>     After installing openssl and running fipsinstall, I tried to execute
>     "openssl list -providers". The log didn't print provider fips.
> 
>     And, I went to try the test code as below. It printed "Failed to
>     load FIPS provider".
> 
>     Test code:
> 
>     #include <openssl/provider.h>
> 
>     int main(void)
> 
>     {
> 
>          OSSL_PROVIDER *fips;
> 
>          OSSL_PROVIDER *base;
> 
>          fips = OSSL_PROVIDER_load(NULL, "fips");
> 
>          if (fips == NULL) {
> 
>              printf("Failed to load FIPS provider\n");
> 
>              exit(EXIT_FAILURE);
> 
>          }
> 
>          base = OSSL_PROVIDER_load(NULL, "base");
> 
>          if (base == NULL) {
> 
>              OSSL_PROVIDER_unload(fips);
> 
>              printf("Failed to load base provider\n");
> 
>              exit(EXIT_FAILURE);
> 
>          }
> 
>          /* Rest of application */
> 
>          OSSL_PROVIDER_unload(base);
> 
>          OSSL_PROVIDER_unload(fips);
> 
>          exit(EXIT_SUCCESS);
> 
>     }
> 
>     Test command:
> 
>     openssl list -providers
> 
>     Providers:
> 
>        base
> 
>          name: OpenSSL Base Provider
> 
>          version: 3.0.8
> 
>          status: active
> 
>     Complete steps:
> 
>     1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl
>     --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib
>     no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips
> 
>     2. make depend
> 
>     3. make
> 
>     4. make install
> 
>     5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
>     /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
> 
>     6. Modify openssl.cnf
> 
>     7. Run openssl list -providers
> 
>     openssl.cnf:
> 
>     I have added the setting:
> 
>     openssl_conf = openssl_init
> 
>     config_diagnostics = 1
> 
>     .include /usr/lib/ssl/fipsmodule.cnf
> 
>     [openssl_init]
> 
>     providers = provider_sect
> 
>     [provider_sect]
> 
>     fips = fips_sect
> 
>     base = base_sect
> 
>     [base_sect]
> 
>     activate = 1
> 
>     fipsmodule.cnf:
> 
>     [fips_sect]
> 
>     activate = 1
> 
>     install-version = 1
> 
>     conditional-errors = 1
> 
>     security-checks = 1
> 
>     module-mac =
>     C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B
> 
>     install-mac =
>     41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> 
>     install-status = INSTALL_SELF_TEST_KATS_RUN
> 
>     Some test result:
> 
>     openssl version -a
> 
>     OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
> 
>     built on: Tue May  2 07:20:31 2023 UTC
> 
>     platform: linux-armv4
> 
>     options:  bn(64,32)
> 
>     compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3
>     -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
> 
>     OPENSSLDIR: "/usr/lib/ssl"
> 
>     ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"
> 
>     MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"
> 
>     Seeding source: os-specific
> 
>     CPUINFO: OPENSSL_armcap=0x0
> 
>     openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
>     /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
> 
>     HMAC : (Module_Integrity) : Pass
> 
>     SHA1 : (KAT_Digest) : Pass
> 
>     SHA2 : (KAT_Digest) : Pass
> 
>     SHA3 : (KAT_Digest) : Pass
> 
>     TDES : (KAT_Cipher) : Pass
> 
>     AES_GCM : (KAT_Cipher) : Pass
> 
>     AES_ECB_Decrypt : (KAT_Cipher) : Pass
> 
>     RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> 
>     Pass
> 
>     ECDSA : (PCT_Signature) : Pass
> 
>     ECDSA : (PCT_Signature) : Pass
> 
>     DSA : (PCT_Signature) : Pass
> 
>     TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> 
>     TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> 
>     TLS12_PRF : (KAT_KDF) : Pass
> 
>     PBKDF2 : (KAT_KDF) : Pass
> 
>     SSHKDF : (KAT_KDF) : Pass
> 
>     KBKDF : (KAT_KDF) : Pass
> 
>     HKDF : (KAT_KDF) : Pass
> 
>     SSKDF : (KAT_KDF) : Pass
> 
>     X963KDF : (KAT_KDF) : Pass
> 
>     X942KDF : (KAT_KDF) : Pass
> 
>     HASH : (DRBG) : Pass
> 
>     CTR : (DRBG) : Pass
> 
>     HMAC : (DRBG) : Pass
> 
>     DH : (KAT_KA) : Pass
> 
>     ECDH : (KAT_KA) : Pass
> 
>     RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> 
>     RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> 
>     RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> 
>     INSTALL PASSED
> 
>     Could you please help to check whether I have wrong steps?
> 
>     Thanks,
> 
>     Johnson
> 
>     -The information contained in this message may be confidential and
>     proprietary to American Megatrends (AMI). This communication is
>     intended to be read only by the individual or entity to whom it is
>     addressed or by their designee. If the reader of this message is not
>     the intended recipient, you are on notice that any distribution of
>     this message, in any form, is strictly prohibited. Please promptly
>     notify the sender by reply e-mail or by telephone at 770-246-8600,
>     and then delete or destroy all copies of the transmission.
> 
> -The information contained in this message may be confidential and 
> proprietary to American Megatrends (AMI). This communication is intended 
> to be read only by the individual or entity to whom it is addressed or 
> by their designee. If the reader of this message is not the intended 
> recipient, you are on notice that any distribution of this message, in 
> any form, is strictly prohibited. Please promptly notify the sender by 
> reply e-mail or by telephone at 770-246-8600, and then delete or destroy 
> all copies of the transmission.

More information about the openssl-users mailing list