Need help on self test post failure - programmatically load FIPS provider
murugesh pitchaiah
murugesh.pitchaiah at gmail.com
Fri May 24 15:57:11 UTC 2024
Thanks Matt for looking into this.
Here is the output:
# openssl list --providers -provider fips -provider base
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
Also please find the fipsmodule.conf file contents before and after
fipsinstall which I missed to attach in previous mail:
before install fipsmodule.cnf is :
# cat /usr/lib/ssl-3/fipsmodule.cnf
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac =
F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69
After fips install :
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac =
5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac =
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
Note: Removed the 'activate=1' manually.
Thanks,
Murugesh
On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt at openssl.org> wrote:
> What do you get by loading the provider via the "openssl list" command,
> i.e. what is the output from:
>
> $ openssl list --providers -provider fips -provider base
>
>
> Matt
>
> On 24/05/2024 15:48, murugesh pitchaiah wrote:
> > Thanks Neil for your response. Please find more details below.
> >
> > Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> > the 'activate=1' line. Then try to programmatically load FIPS provider.
> > Here are the details steps.
> > Once the device boots up , The device has fipsmoudle.cnfpresent in
> > /usr/lib/ssl-3 which does not have install_mac and insatll_status. We
> > have edited openssl.cnf file as mentioned below:
> >
> > |.include /usr/local/ssl/fipsmodule.cnf|
> >
> > |[openssl_init]|
> >
> > |providers = provider_sect|
> >
> > |
> > |
> >
> > |[provider_sect]|
> >
> > |fips = fips_sect|
> >
> > |base = base_sect|
> >
> > |
> > |
> >
> > |[base_sect]|
> >
> > |activate = 1|
> >
> > We executed below command to install which also
> > generates/updates fipsmodule.cnf file
> >
> > openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
> > /usr/lib/ssl-3/fipsmodule.cnf
> >
> > The above command successfully executed and updated install-status to
> > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
> >
> > [fips_sect]
> >
> > activate = 1
> >
> > install-version = 1
> >
> > conditional-errors = 1
> >
> > security-checks = 1
> >
> > module-mac =
> >
> 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> >
> > install-mac =
> >
> 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> >
> > install-status = INSTALL_SELF_TEST_KATS_RUN
> >
> > Then we removed the line "activate = 1" from fipsmodule.cnf file. After
> > this we triggered the programatically load fips code, which caused the
> > error:
> >
> > >/*80D1CD65667F0000:error:1C8000D4:Provider
> > routines:SELF_TEST_post:invalid /
> >
> > >/state:../openssl-3.0.9/providers/fips/self_test.c:262:* /
> >
> > >/*80D1CD65667F0000:error:1C8000D8:Provider /
> >
> > >/routines:OSSL_provider_init_int:self test post /
> >
> > >/failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:* /
> >
> > >/*80D1CD65667F0000:error:078C0105:common libcrypto /
> >
> > >/routines:provider_init:init /
> >
> > >/fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips* /
> >
> > >/*Error loading FIPS provider.*/
> >
> >
> > Please share if we are missing something. Thanks in advance.
> >
> >
> > Regards,
> >
> > Murugesh
> >
> >
> >
> > On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman at openssl.org
> > <mailto:nhorman at openssl.org>> wrote:
> >
> > I assume that, after building the openssl library you ran openssl
> > fipsinstall? i.e. you're not just using a previously generated
> > fipsmodule.cnf file? The above errors initially seem like self
> > tests failed on the fips provider load, suggesting that the
> > module-mac or install-mac is incorrect in your config
> > 'Neil
> >
> > On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
> > <murugesh.pitchaiah at gmail.com <mailto:murugesh.pitchaiah at gmail.com>>
> > wrote:
> >
> > Hi,
> >
> > Need your help on using openssl fips provider
> > programmatically with openssl 3.0.9.
> >
> > Error seen:
> >
> > *80D1CD65667F0000:error:1C8000D4:Provider
> > routines:SELF_TEST_post:invalid
> > state:../openssl-3.0.9/providers/fips/self_test.c:262:*
> > *80D1CD65667F0000:error:1C8000D8:Provider
> > routines:OSSL_provider_init_int:self test post
> > failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
> > *80D1CD65667F0000:error:078C0105:common libcrypto
> > routines:provider_init:init
> > fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
> > *Error loading FIPS provider.*
> >
> > *
> > *
> > Steps:
> >
> > Followed the steps @
> > https://www.openssl.org/docs/man3.0/man7/fips_module.html
> > <
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2Ffips_module.html&data=05%7C02%7Cmpitchaiah%40extremenetworks.com%7Caf52a4e39993457c861108dc7bb5aaa9%7Cfc8c2bf6914d4c1fb35246a9adb87030%7C0%7C0%7C638521267407330615%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=w2QJpyWjNlvURzzptRoMSWDUkPSwgmttzBDysV5B4Cs%3D&reserved=0
> >
> >
> > #include <openssl/provider.h>
> >
> > int main(void)
> >
> > {
> >
> > OSSL_PROVIDER *fips;
> >
> > OSSL_PROVIDER *base;
> >
> > fips = OSSL_PROVIDER_load(NULL, "fips");
> >
> > if (fips == NULL) {
> >
> > printf("Failed to load FIPS provider\n");
> >
> > exit(EXIT_FAILURE);
> >
> > }
> >
> > base = OSSL_PROVIDER_load(NULL, "base");
> >
> > if (base == NULL) {
> >
> > OSSL_PROVIDER_unload(fips);
> >
> > printf("Failed to load base provider\n");
> >
> > exit(EXIT_FAILURE);
> >
> > }
> >
> > /* Rest of application */
> >
> > OSSL_PROVIDER_unload(base);
> >
> > OSSL_PROVIDER_unload(fips);
> >
> > exit(EXIT_SUCCESS);
> >
> > }
> >
> >
> > More info:
> >
> >
> > /usr/bin # openssl version -d
> >
> > OPENSSLDIR: "/usr/lib/ssl-3"
> >
> > /exos/bin # openssl version -a
> >
> > OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May
> 2023)
> >
> > built on: Tue May 30 12:31:57 2023 UTC
> >
> > platform: linux-x86_64
> >
> > options: bn(64,64)
> >
> > compiler: x86_64-poky-linux-gcc -m64
> > -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat
> > -Wformat-security -Werror=format-security
> > --sysroot=recipe-sysroot -O2 -pipe -g
> > -feliminate-unused-debug-types -fmacro-prefix-map=
> > -fdebug-prefix-map=
> > -fdebug-prefix-map=
> > -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN
> > -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
> >
> > OPENSSLDIR: "/usr/lib/ssl-3"
> >
> > ENGINESDIR: "/usr/lib/engines-3"
> >
> > MODULESDIR: "/usr/lib/ossl-modules"
> >
> > Seeding source: os-specific
> >
> > CPUINFO: N/A
> >
> >
> > Attached the openssl and fips conf.
> >
> >
> > Could you guys please check and share what is missing here? Any
> > help would be appreciated.
> >
> >
> > Thanks,
> >
> > Murugesh
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240524/70170acb/attachment-0001.htm>
More information about the openssl-users
mailing list