Openssl 3.0 fipsinstall fails in yocto linux environment
Susan Tremel
susan.tremel at datasoft.com
Tue Nov 9 22:21:17 UTC 2021
I've successfully built and installed OpenSSL 3.0 and the fips.so module in
my Yocto build environment. My goal is to make the FIPS module the default
provider for all applications, so I modified my openssl.cnf file to match
the docs, like the following.
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/lib/ssl-3/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
After boot, I check the installed providers with "openssl list -providers"
and see only the base provider. I then try to install the FIPS module with
the following.
openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
and I get the error output:
Unable to get MAC of type HMAC
INSTALL FAILED
1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties (<null>)
When I replace the base provider with the default provider, leaving the fips
module like the following
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/lib/ssl-3/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
I see only the default provider installed after I boot and when I try to
manually install the FIPS module with the above command I get the following.
Failed to load FIPS module
INSTALL FAILED
1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261:
1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
From this state, if I copy the ossl-modules directory to a different
location like /usr/lib/ssl-3/ and try to manually install the FIPS module
with
openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
it successfully installs with the following output, and I see both the fips and
default providers installed.
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : Pass
RNG : (Continuous_RNG_Test) : Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
I need to get the FIPS module to install without needing the default
provider. It seems like the FIPS module is trying to install and getting
stuck in a bad state, but I could use some help debugging this.
Thanks for any help you can provide.
Susan
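An added example, not code from the post above or from the OpenSSL project. Two facts it relies on: `openssl fipsinstall` computes the module MAC through the ordinary EVP fetch path of the default library context, and the base provider supplies no algorithms at all (only encoders, decoders and store loaders), so the first error in the post ("Unable to get MAC of type HMAC") is what a base-only openssl.cnf produces. The script therefore runs the install step under a throw-away config that activates only the default provider, via the OPENSSL_CONF environment variable, and keeps the base + fips config for runtime. The module and output paths are the ones the post uses; the OPENSSL_CONF override is the editor's approach and has not been tried on the poster's Yocto image. The `openssl list -providers` layout the parser assumes (provider names indented two spaces, their `status:` lines four) is the 3.0 layout.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSL. Paths are
# the ones the post uses; the OPENSSL_CONF override is the editor's approach
# and has not been tried on the poster's Yocto image.
set -eu

MODULE_PATH=${MODULE_PATH:-/usr/lib/ossl-modules/fips.so}
FIPS_CNF=${FIPS_CNF:-/usr/lib/ssl-3/fipsmodule.cnf}

# Install-time config: default provider only, so HMAC is fetchable and the
# not-yet-installed fips.so is not auto-loaded. Written to stdout.
install_time_config() {
    cat <<'EOF'
config_diagnostics = 1
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
EOF
}

# Runtime config: base + fips, no default provider. $1 = path of fipsmodule.cnf.
runtime_config() {
    printf 'config_diagnostics = 1\nopenssl_conf = openssl_init\n.include %s\n\n' "$1"
    cat <<'EOF'
[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
EOF
}

# A fipsmodule.cnf that fipsinstall finished writing carries the module MAC
# and the install-status line; a stale or half-written one is the first thing
# to rule out. Returns 0 when both lines are present in file $1.
fipsmodule_cnf_looks_installed() {
    grep -q '^module-mac = ' "$1" &&
        grep -q '^install-status = INSTALL_SELF_TEST_KATS_RUN' "$1"
}

# Parse `openssl list -providers` output (3.0 layout, assumed: provider names
# indented two spaces, their "status:" lines four) from stdin; succeed if
# provider $1 is listed as active.
provider_active() {
    awk -v want="$1" '
        /^  [^ ]/      { cur = $1; next }
        /^    status:/ { if (cur == want && $2 == "active") found = 1 }
        END            { exit found ? 0 : 1 }'
}

# Run fipsinstall under the install-time config, then verify the MAC values
# it wrote against the module on disk, using the same -module path that the
# runtime config will later load.
install_fips_module() {
    tmpdir=$(mktemp -d)
    install_time_config > "$tmpdir/install.cnf"
    OPENSSL_CONF="$tmpdir/install.cnf" openssl fipsinstall \
        -module "$MODULE_PATH" -out "$FIPS_CNF"
    OPENSSL_CONF="$tmpdir/install.cnf" openssl fipsinstall \
        -module "$MODULE_PATH" -in "$FIPS_CNF" -verify
    fipsmodule_cnf_looks_installed "$FIPS_CNF"
    rm -rf "$tmpdir"
}

case "${1:-}" in
    install) install_fips_module ;;
    check)
        # Does the runtime config (base + fips, no default) bring fips up?
        tmp=$(mktemp)
        runtime_config "$FIPS_CNF" > "$tmp"
        OPENSSL_CONF="$tmp" openssl list -providers | provider_active fips
        rm -f "$tmp" ;;
    *) : ;;   # no argument: only define the functions above
esac
```

Usage: `sh fips-install.sh install` on the target after fips.so is in place, then `sh fips-install.sh check`, which exits 0 only if the base + fips config activates the fips provider. Running the install step with the -module path that the runtime config will actually load matters: the module MAC in fipsmodule.cnf is bound to the bytes of that file, so installing from a copy in another directory and then loading the original is a mismatch waiting to happen.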