Need help on self test post failure - programmatically load FIPS provider

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Fri May 24 14:48:57 UTC 2024


Thanks Neil for your response. Please find more details below.

Yes, we run fipsinstall and then edit the fipsmodule.cnf file to remove the
'activate=1' line. Then we try to programmatically load the FIPS provider. Here
are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in
/usr/lib/ssl-3 which does not have install_mac and install_status. We have
edited the openssl.cnf file as mentioned below:

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

We executed the command below to install, which also
generates/updates the fipsmodule.cnf file:

 openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf

The above command executed successfully and updated install-status in the
fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
this we triggered the code that programmatically loads the fips provider, which
caused the error:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.


Please share if we are missing something. Thanks in advance.


Regards,

Murugesh



On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman at openssl.org> wrote:

> I assume that, after building the openssl library you ran openssl
> fipsinstall?  i.e. you're not just using a previously generated
> fipsmodule.cnf file?  The above errors initially seem like self tests
> failed on the fips provider load, suggesting that the module-mac or
> install-mac is incorrect in your config
> Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
> murugesh.pitchaiah at gmail.com> wrote:
>
>> Hi,
>>
>> Need your help on using openssl fips provider programmatically with
>> openssl 3.0.9.
>>
>> Error seen:
>>
>> *80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
>> state:../openssl-3.0.9/providers/fips/self_test.c:262:*
>> *80D1CD65667F0000:error:1C8000D8:Provider
>> routines:OSSL_provider_init_int:self test post
>> failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
>> *80D1CD65667F0000:error:078C0105:common libcrypto
>> routines:provider_init:init
>> fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
>> *Error loading FIPS provider.*
>>
>>
>> Steps:
>>
>> Followed the steps @
>> https://www.openssl.org/docs/man3.0/man7/fips_module.html
>>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <openssl/provider.h>
>>
>> int main(void)
>> {
>>     OSSL_PROVIDER *fips;
>>     OSSL_PROVIDER *base;
>>
>>     /* Load the FIPS provider into the default library context */
>>     fips = OSSL_PROVIDER_load(NULL, "fips");
>>     if (fips == NULL) {
>>         printf("Failed to load FIPS provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* The base provider supplies the encoders/decoders/store loaders
>>      * that the FIPS module does not contain */
>>     base = OSSL_PROVIDER_load(NULL, "base");
>>     if (base == NULL) {
>>         OSSL_PROVIDER_unload(fips);
>>         printf("Failed to load base provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* Rest of application */
>>
>>     OSSL_PROVIDER_unload(base);
>>     OSSL_PROVIDER_unload(fips);
>>     exit(EXIT_SUCCESS);
>> }
>>
>>
>> More info:
>>
>>
>> /usr/bin # openssl version -d
>> OPENSSLDIR: "/usr/lib/ssl-3"
>>
>> /exos/bin # openssl version -a
>> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>> built on: Tue May 30 12:31:57 2023 UTC
>> platform: linux-x86_64
>> options:  bn(64,64)
>> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
>> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
>> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
>> -fmacro-prefix-map=                      -fdebug-prefix-map=
>>        -fdebug-prefix-map=                      -fdebug-prefix-map=
>>  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
>> -DNDEBUG
>> OPENSSLDIR: "/usr/lib/ssl-3"
>> ENGINESDIR: "/usr/lib/engines-3"
>> MODULESDIR: "/usr/lib/ossl-modules"
>> Seeding source: os-specific
>> CPUINFO: N/A
>>
>>
>> Attached the openssl and fips conf.
>>
>>
>> Could you guys please check and share what is missing here? Any help
>> would be appreciated.
>>
>>
>> Thanks,
>>
>> Murugesh
>>
>>
>>
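Before retrying the programmatic load, the two config files can be checked offline for the mismatches a reviewer would rule out first: whether the .include path is the file fipsinstall actually wrote with -out, whether the provider entry fips = fips_sect points at a section that exists, and whether that section still carries module-mac, install-mac, install-status and activate. This is an added example, not code from the thread or from OpenSSL; the sample files are constructed from the configs quoted above with placeholder MAC values, and FIPSINSTALL_OUT is the -out path used in the thread.

```python
# Constructed sample input (placeholder MACs) mirroring the thread's configs minus 'activate = 1'.
OPENSSL_CNF = """\
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
"""
FIPSMODULE_CNF = """\
[fips_sect]
module-mac = 00:11:22:PLACEHOLDER
install-mac = 33:44:55:PLACEHOLDER
install-status = INSTALL_SELF_TEST_KATS_RUN
"""
FIPSINSTALL_OUT = "/usr/lib/ssl-3/fipsmodule.cnf"  # the path given to fipsinstall -out

def parse_cnf(text):
    """Minimal OpenSSL .cnf reader: returns ([.include paths], {section: {key: value}})."""
    includes, sections, cur = [], {}, "default"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments; blank lines fall through
        if line.startswith(".include"):
            includes.append(line.split(None, 1)[1].strip())
        elif line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(cur, {})[key] = value
    return includes, sections

def check_fips_config(openssl_cnf, fipsmodule_cnf, fipsinstall_out):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    includes, main = parse_cnf(openssl_cnf)
    _, fips = parse_cnf(fipsmodule_cnf)
    if fipsinstall_out not in includes:
        findings.append(f".include {includes} does not name the fipsinstall -out file {fipsinstall_out}")
    # [openssl_init] providers -> provider section -> 'fips = <section holding the MACs>'
    sect = main.get(main.get("openssl_init", {}).get("providers", ""), {}).get("fips")
    if sect is None:
        findings.append("providers section has no 'fips = <section>' entry")
    elif sect not in fips:
        findings.append(f"[{sect}] is not defined in fipsmodule.cnf")
    else:
        for key in ("module-mac", "install-mac", "install-status"):
            if key not in fips[sect]:
                findings.append(f"[{sect}] lacks '{key}'; re-run openssl fipsinstall")
        if fips[sect].get("activate") != "1":
            findings.append(f"[{sect}] has no 'activate = 1'; only an explicit OSSL_PROVIDER_load loads it")
    return findings
```

Run against the constructed input it reports two findings: the .include path differs from the fipsinstall -out path, and fips_sect is no longer auto-activated.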