[SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider
Thomas Dwyer III
tomiii at tomiii.com
Fri Jul 17 16:57:11 UTC 2020
It turns out the problem was caused by a misinterpretation of the phrase
"add the following lines near the beginning" in section 7.1 of the
documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 for
enabling FIPS support. I added these lines to the very top of the file:
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
This caused the existing default section to now become part of the
[provider_sect] section. Apparently any name=value line in that particular
section where no [value] section exists causes OpenSSL to hang at exit when
the FIPS provider is used. I consider this a bug, of course, but at least
now I know what's causing it and how to work around it.
Regarding how to confirm which provider is actually providing a given
algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD
obtained via EVP_get_digestbyname() (even after it's used successfully by
EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD
obtained via EVP_MD_fetch(). Is this intentional?
Tom.III
On Wed, Jul 15, 2020 at 10:20 AM Thomas Dwyer III <tomiii at tomiii.com> wrote:
> Platform: Linux x86_64
>
> I understand this is still alpha but how complete is the FIPS provider
> right now? I'm following the documentation at
> https://wiki.openssl.org/index.php/OpenSSL_3.0 but I'm having a problem
> where my application hangs during exit() when I use the "fips" provider. I
> reduced my code down to this minimal snippet that reproduces the problem:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <openssl/evp.h>
> #include <openssl/crypto.h>
> #include <openssl/err.h>
> #include <openssl/provider.h>
>
> int
> main(int argc, char **argv)
> {
> OSSL_PROVIDER *pvdr = NULL;
> EVP_MD_CTX *ctx;
> const EVP_MD *md;
> char *alg = "sha1";
> int rc = 0;
>
> pvdr = OSSL_PROVIDER_load(NULL, "fips");
> if (pvdr == NULL) {
> fprintf(stderr, "Error loading FIPS provider\n");
> exit(1);
> }
>
> md = EVP_get_digestbyname(alg);
> if (!md) {
> fprintf(stderr, "unknown digest '%s'\n", alg);
> exit(1);
> }
>
> ctx = EVP_MD_CTX_create();
>
> if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
> long err = ERR_get_error();
> char *msg = ERR_error_string(err, NULL);
> fprintf(stderr, "EVP_DigestInit_ex() failed: %s\n", msg);
> exit(1);
> }
>
> EVP_MD_CTX_destroy(ctx);
>
> rc = OSSL_PROVIDER_unload(pvdr);
> if (rc != 1) {
> fprintf(stderr, "Error unloading FIPS provider\n");
> exit(1);
> }
>
> printf("finished!\n");
> exit(0);
> }
>
> When I run this it prints "finished!" and then hangs in some kind of spin
> loop consuming 100% CPU. Skipping the call to EVP_DigestInit_ex() allows it
> to exit successfully, as does inserting a call to OPENSSL_init_crypto() at
> the very top with the OPENSSL_INIT_NO_ATEXIT flag. Passing "default"
> instead of "fips" to OSSL_PROVIDER_load() also seems to work fine. What am
> I missing?
>
> Also, per section 7.8 of the wiki referenced above, I'm unable to confirm
> that the digest algorithm I want to use is being provided by the FIPS
> module. EVP_MD_provider(md) returns NULL even though the actual digest is
> computed correctly.
>
>
> Thanks,
> Tom.III
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200717/a6fc64a9/attachment.html>
More information about the openssl-users
mailing list