The provider fips can't be loaded on openssl3.0.8
Johnson Wang (王舜樸)
JohnsonWang at ami.com
Fri May 5 08:42:29 UTC 2023
Hi Matt,
This is my fault. I have no question. Thanks for your help.
Thanks,
Johnson
-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Matt Caswell
Sent: Friday, May 5, 2023 4:26 PM
To: openssl-users at openssl.org
Subject: [EXTERNAL] Re: The provider fips can't be loaded on openssl3.0.8
**CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.**
On 05/05/2023 08:27, Johnson Wang (王舜樸) via openssl-users wrote:
> fips = OSSL_PROVIDER_load(NULL, "fips_sect");
This looks odd. You should just be loading "fips" not "fips_sect".
Matt
>
> if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> base = OSSL_PROVIDER_load(NULL, "base");
>
> if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> /* Rest of application */
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
> Thanks,
>
> Johnson
>
> *From:*openssl-users <openssl-users-bounces at openssl.org> *On Behalf Of
> *pauli at openssl.org
> *Sent:* Friday, May 5, 2023 11:23 AM
> *To:* openssl-users at openssl.org
> *Subject:* [EXTERNAL] Re: The provider fips can't be loaded on
> openssl3.0.8
>
> ***CAUTION:*The e-mail below is from an external source. Please
> exercise caution before opening attachments, clicking links, or
> following
> guidance.**
>
> My initial guess would be that the configuration file isn't being
> found by your application.
> Have you set OPENSSL_CONF?
> What about OPENSSL_CONF_INCLUDE?
>
> Useful places to look are the FIPS module
> <https://www/
> .openssl.org%2Fdocs%2Fman3.0%2Fman7%2Ffips_module.html&data=05%7C01%7Cjohnsonwang%40ami.com%7C13a22144f1bd4a80c96108db4d4274b0%7C27e97857e15f486cb58e86c2b3040f93%7C1%7C1%7C638188720071580362%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=gcKwSbDQB6zIHqFO3LEgJHDrQxanB9i1VB1D5KooMYQ%3D&reserved=0> and the config <https://www.openssl.org/docs/man3.0/man5/config.html> documentation.
>
>
> Pauli
>
> On 5/5/2023 12:28 pm, Johnson Wang (王舜樸) via openssl-users wrote:
>
> Hi,
>
> Environment: Debian buster
>
> After installing openssl and running fipsinstall, I tried to execute
> "openssl list -providers". The log didn't print provider fips.
>
> And, I went to try the test code as below. It printed "Failed to
> load FIPS provider".
>
> Test code:
>
> #include <openssl/provider.h>
>
> int main(void)
>
> {
>
> OSSL_PROVIDER *fips;
>
> OSSL_PROVIDER *base;
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
>
> if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> base = OSSL_PROVIDER_load(NULL, "base");
>
> if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> /* Rest of application */
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
> Test command:
>
> openssl list -providers
>
> Providers:
>
> base
>
> name: OpenSSL Base Provider
>
> version: 3.0.8
>
> status: active
>
> Complete steps:
>
> 1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl
> --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib
> no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips
>
> 2. make depend
>
> 3. make
>
> 4. make install
>
> 5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
> /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
>
> 6. Modify openssl.cnf
>
> 7. Run openssl list -providers
>
> openssl.cnf:
>
> I have added the setting:
>
> openssl_conf = openssl_init
>
> config_diagnostics = 1
>
> .include /usr/lib/ssl/fipsmodule.cnf
>
> [openssl_init]
>
> providers = provider_sect
>
> [provider_sect]
>
> fips = fips_sect
>
> base = base_sect
>
> [base_sect]
>
> activate = 1
>
> fipsmodule.cnf:
>
> [fips_sect]
>
> activate = 1
>
> install-version = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
>
> C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:9
> 7:6D:DB:D9:96:CF:1B:CA:8B
>
> install-mac =
>
> 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3
> A:2E:D6:CC:69:05:04:E1:11
>
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Some test result:
>
> openssl version -a
>
> OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
>
> built on: Tue May 2 07:20:31 2023 UTC
>
> platform: linux-armv4
>
> options: bn(64,32)
>
> compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3
> -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
> -DNDEBUG
>
> OPENSSLDIR: "/usr/lib/ssl"
>
> ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"
>
> MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"
>
> Seeding source: os-specific
>
> CPUINFO: OPENSSL_armcap=0x0
>
> openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module
> /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
>
> HMAC : (Module_Integrity) : Pass
>
> SHA1 : (KAT_Digest) : Pass
>
> SHA2 : (KAT_Digest) : Pass
>
> SHA3 : (KAT_Digest) : Pass
>
> TDES : (KAT_Cipher) : Pass
>
> AES_GCM : (KAT_Cipher) : Pass
>
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
>
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
>
> Pass
>
> ECDSA : (PCT_Signature) : Pass
>
> ECDSA : (PCT_Signature) : Pass
>
> DSA : (PCT_Signature) : Pass
>
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
>
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
>
> TLS12_PRF : (KAT_KDF) : Pass
>
> PBKDF2 : (KAT_KDF) : Pass
>
> SSHKDF : (KAT_KDF) : Pass
>
> KBKDF : (KAT_KDF) : Pass
>
> HKDF : (KAT_KDF) : Pass
>
> SSKDF : (KAT_KDF) : Pass
>
> X963KDF : (KAT_KDF) : Pass
>
> X942KDF : (KAT_KDF) : Pass
>
> HASH : (DRBG) : Pass
>
> CTR : (DRBG) : Pass
>
> HMAC : (DRBG) : Pass
>
> DH : (KAT_KA) : Pass
>
> ECDH : (KAT_KA) : Pass
>
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
>
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>
> INSTALL PASSED
>
> Could you please help to check whether I have wrong steps?
>
> Thanks,
>
> Johnson
>
> -The information contained in this message may be confidential and
> proprietary to American Megatrends (AMI). This communication is
> intended to be read only by the individual or entity to whom it is
> addressed or by their designee. If the reader of this message is not
> the intended recipient, you are on notice that any distribution of
> this message, in any form, is strictly prohibited. Please promptly
> notify the sender by reply e-mail or by telephone at 770-246-8600,
> and then delete or destroy all copies of the transmission.
>
> -The information contained in this message may be confidential and
> proprietary to American Megatrends (AMI). This communication is
> intended to be read only by the individual or entity to whom it is
> addressed or by their designee. If the reader of this message is not
> the intended recipient, you are on notice that any distribution of
> this message, in any form, is strictly prohibited. Please promptly
> notify the sender by reply e-mail or by telephone at 770-246-8600, and
> then delete or destroy all copies of the transmission.
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
More information about the openssl-users
mailing list