OpenSSL 3.0 hangs at exit with FIPS provider

Matt Caswell matt at openssl.org
Mon Jul 20 11:45:02 UTC 2020



On 15/07/2020 18:20, Thomas Dwyer III wrote:
> Platform: Linux x86_64
> 
> I understand this is still alpha but how complete is the FIPS provider
> right now? 

Fairly complete.

Please could you raise this as a GitHub issue so that it can be properly
investigated and tracked?

> When I run this it prints "finished!" and then hangs in some kind of
> spin loop consuming 100% CPU. Skipping the call to EVP_DigestInit_ex()
> allows it to exit successfully, as does inserting a call to
> OPENSSL_init_crypto() at the very top with the OPENSSL_INIT_NO_ATEXIT
> flag. Passing "default" instead of "fips" to OSSL_PROVIDER_load() also
> seems to work fine. What am I missing?
> 
> Also, per section 7.8 of the wiki referenced above, I'm unable to
> confirm that the digest algorithm I want to use is being provided by the
> FIPS module. EVP_MD_provider(md) returns NULL even though the actual
> digest is computed correctly.

You need to explicitly fetch your md using EVP_MD_fetch(). The md you
are using at the moment has no associated provider - one is implicitly
fetched and used during the EVP_DigestInit_ex() call - but that doesn't
affect the md object. By using "EVP_MD_fetch()" you can make the fetch
explicit and EVP_MD_provider() should return the expected results.

Matt


> 
> 
> Thanks,
> Tom.III
> 
> 

