Need help on self test post failure - programmatically load FIPS provider
Matt Caswell
matt at openssl.org
Fri May 31 09:00:52 UTC 2024
On 24/05/2024 16:57, murugesh pitchaiah wrote:
> Thanks Matt for looking into this.
>
> Here is the output:
>
> # openssl list --providers -provider fips -provider base
>
> Providers:
>
> base
>
> name: OpenSSL Base Provider
>
> version: 3.0.9
>
> status: active
>
> fips
>
> name: OpenSSL FIPS Provider
>
> version: 3.0.9
>
> status: active
>
So this suggests that the fips provider is correctly installed and
configured and is able to activate without problems. So it's currently
unclear why you can't do this programmatically.
>
> Also please find the fipsmodule.conf file contents before and after
> fipsinstall, which I missed attaching in the previous mail:
>
> before install fipsmodule.cnf is:
Err...so you already had a fips module installed before you ran
fipsinstall, and you are replacing it with a new one?
Where did you put the new fips.so file? Were you overwriting the
previous one?
Matt
>
>
> After fips install:
>
> [fips_sect]
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
>
> Note: Removed the 'activate=1' manually.
>
>
> Thanks,
>
> Murugesh
>
>
> On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt at openssl.org> wrote:
>
> What do you get by loading the provider via the "openssl list" command,
> i.e. what is the output from:
>
> $ openssl list --providers -provider fips -provider base
>
>
> Matt
>
> On 24/05/2024 15:48, murugesh pitchaiah wrote:
> > Thanks Neil for your response. Please find more details below.
> >
> > Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> > the 'activate=1' line. Then try to programmatically load FIPS provider.
> > Here are the detailed steps.
> > Once the device boots up, the device has fipsmodule.cnf present in
> > /usr/lib/ssl-3 which does not have install-mac and install-status. We
> > have edited openssl.cnf file as mentioned below:
> >
> > .include /usr/local/ssl/fipsmodule.cnf
> >
> > [openssl_init]
> > providers = provider_sect
> >
> > [provider_sect]
> > fips = fips_sect
> > base = base_sect
> >
> > [base_sect]
> > activate = 1
> >
> > We executed the command below to install, which also
> > generates/updates the fipsmodule.cnf file:
> >
> > openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
> >
> > The above command executed successfully and updated install-status in
> > the fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
> >
> > [fips_sect]
> >
> > activate = 1
> >
> > install-version = 1
> >
> > conditional-errors = 1
> >
> > security-checks = 1
> >
> > module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> >
> > install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> >
> > install-status = INSTALL_SELF_TEST_KATS_RUN
> >
> > Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
> > this we triggered the code that programmatically loads the FIPS provider,
> > which caused the error:
> >
> > 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> > 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> > 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> > Error loading FIPS provider.
> >
> >
> > Please share if we are missing something. Thanks in advance.
> >
> >
> > Regards,
> >
> > Murugesh
> >
> >
> >
> > On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman at openssl.org> wrote:
> >
> > I assume that, after building the openssl library you ran openssl
> > fipsinstall? i.e. you're not just using a previously generated
> > fipsmodule.cnf file? The above errors initially seem like self
> > tests failed on the fips provider load, suggesting that the
> > module-mac or install-mac is incorrect in your config
> > Neil
> >
> > On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <murugesh.pitchaiah at gmail.com> wrote:
> >
> > Hi,
> >
> > Need your help on using openssl fips provider
> > programmatically with openssl 3.0.9.
> >
> > Error seen:
> >
> > 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> > 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> > 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> > Error loading FIPS provider.
> >
> > Steps:
> >
> > Followed the steps @
> > https://www.openssl.org/docs/man3.0/man7/fips_module.html
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <openssl/provider.h>
> >
> > int main(void)
> > {
> >     OSSL_PROVIDER *fips;
> >     OSSL_PROVIDER *base;
> >
> >     /* NULL selects the default library context, so the providers are
> >      * resolved through the configured openssl.cnf / fipsmodule.cnf. */
> >     fips = OSSL_PROVIDER_load(NULL, "fips");
> >     if (fips == NULL) {
> >         printf("Failed to load FIPS provider\n");
> >         exit(EXIT_FAILURE);
> >     }
> >     base = OSSL_PROVIDER_load(NULL, "base");
> >     if (base == NULL) {
> >         OSSL_PROVIDER_unload(fips);
> >         printf("Failed to load base provider\n");
> >         exit(EXIT_FAILURE);
> >     }
> >
> >     /* Rest of application */
> >
> >     OSSL_PROVIDER_unload(base);
> >     OSSL_PROVIDER_unload(fips);
> >     exit(EXIT_SUCCESS);
> > }
> >
> >
> > More info:
> >
> >
> > /usr/bin # openssl version -d
> >
> > OPENSSLDIR: "/usr/lib/ssl-3"
> >
> > /exos/bin # openssl version -a
> >
> > OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
> >
> > built on: Tue May 30 12:31:57 2023 UTC
> >
> > platform: linux-x86_64
> >
> > options: bn(64,64)
> >
> > compiler: x86_64-poky-linux-gcc -m64 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
> >
> > OPENSSLDIR: "/usr/lib/ssl-3"
> >
> > ENGINESDIR: "/usr/lib/engines-3"
> >
> > MODULESDIR: "/usr/lib/ossl-modules"
> >
> > Seeding source: os-specific
> >
> > CPUINFO: N/A
> >
> >
> > Attached the openssl and fips conf.
> >
> >
> > Could you guys please check and share what is missing here? Any
> > help would be appreciated.
> >
> >
> > Thanks,
> >
> > Murugesh
> >
> >
>
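As a practical follow-up to the configuration questions in this thread (Neil's point that a self-test failure usually means module-mac or install-mac is wrong, and Murugesh's note that the pre-install file had no install-mac or install-status), here is an added Python pre-flight check; it is not code from the thread or from the OpenSSL project. It parses a fipsmodule.cnf, reports which of the keys the provider's self-test needs are absent or malformed, tells you whether `activate = 1` is still present, and lists the `.include` paths in openssl.cnf so you can confirm that the file fipsinstall wrote (the thread's `-out /usr/lib/ssl-3/fipsmodule.cnf`) is the one openssl.cnf actually includes (the thread's `.include /usr/local/ssl/fipsmodule.cnf`). The sample file contents are constructed from what the thread quotes; the pre-install sample is an assumption based on Murugesh's description. The MAC values are only checked for shape; recomputing them needs the module's HMAC key and is left to `openssl fipsinstall -verify`.

```python
"""Pre-flight check for an OpenSSL 3.x fipsmodule.cnf and the openssl.cnf that includes it.

Added example for this thread; it is not code from the OpenSSL project.
It parses only the small INI-like subset that fipsmodule.cnf uses.
"""
import re
import sys
from typing import Dict, List

# Value `openssl fipsinstall` records once the KAT self-tests have run
# (seen in the post-install fipsmodule.cnf quoted in the thread).
INSTALL_STATUS_OK = "INSTALL_SELF_TEST_KATS_RUN"

# Keys the FIPS provider's power-on self-test reads from [fips_sect].
REQUIRED_KEYS = ("module-mac", "install-mac", "install-status")

# 32 colon-separated hex bytes: the shape fipsinstall writes for both MACs.
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")
_INCLUDE_RE = re.compile(r"^\.include\s*=?\s*(\S+)")


def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for '[section]' / 'key = value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # .include directives and stray text are ignored here
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def include_paths(text: str) -> List[str]:
    """Paths named by '.include' directives in an openssl.cnf."""
    paths = []
    for raw in text.splitlines():
        m = _INCLUDE_RE.match(raw.strip())
        if m:
            paths.append(m.group(1))
    return paths


def check_fips_section(text: str, section: str = "fips_sect") -> List[str]:
    """Return the problems found in the FIPS section; an empty list means it looks complete."""
    fips = parse_cnf(text).get(section)
    if fips is None:
        return [f"missing [{section}] section"]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in fips:
            problems.append(f"{key} missing: run `openssl fipsinstall` to generate it")
    for key in ("module-mac", "install-mac"):
        if key in fips and not _MAC_RE.match(fips[key]):
            problems.append(f"{key} is not a 32-byte colon-separated hex MAC")
    status = fips.get("install-status")
    if status is not None and status != INSTALL_STATUS_OK:
        problems.append(f"install-status is {status!r}, expected {INSTALL_STATUS_OK!r}")
    return problems


def is_auto_activated(text: str, section: str = "fips_sect") -> bool:
    """True if the section still carries 'activate = 1' (config-driven load)."""
    return parse_cnf(text).get(section, {}).get("activate") == "1"


# Constructed sample mirroring the thread's post-install file, activate line removed.
SAMPLE_AFTER = """\
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
"""

# Constructed (assumed) pre-fipsinstall file: no install-mac, no install-status.
SAMPLE_BEFORE = """\
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
"""

# Constructed from the openssl.cnf quoted in the thread.
SAMPLE_OPENSSL_CNF = """\
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
"""

if __name__ == "__main__":
    # Usage: python check_fips_cnf.py /usr/lib/ssl-3/fipsmodule.cnf
    cnf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AFTER
    for p in check_fips_section(cnf) or ["fipsmodule.cnf looks complete"]:
        print(p)
    print("auto-activated:", is_auto_activated(cnf))
    print("included from openssl.cnf:", include_paths(SAMPLE_OPENSSL_CNF))
```

Run it against the file that fipsinstall actually wrote and compare the printed include path with the `-out` path you used; if they differ, the provider is reading a different (possibly stale) fipsmodule.cnf from the one you just generated.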