Openssl 3.0 fipsinstall fails in yocto linux environment

Susan Tremel susan.tremel at
Tue Nov 9 22:21:17 UTC 2021

I've successfully built and installed openssl 3.0 and the module in
my yocto build environment. My goal is to make the FIPS module the default
provider for all applications so I modified my openssl.cnf file to match
the docs like the following.


    config_diagnostics = 1
    openssl_conf = openssl_init

    .include /usr/lib/ssl-3/fipsmodule.cnf

    [openssl_init]
    providers = provider_sect

    [provider_sect]
    fips = fips_sect
    base = base_sect

    [base_sect]
    activate = 1


After boot, I check the installed providers with "openssl list -providers"
and see only the base provider. I then try to install the FIPS module with
the following.


openssl fipsinstall -module /usr/lib/ossl-modules/ -out


and I get the error output:

Unable to get MAC of type HMAC


1020F876:error:0308010C:digital envelope
_fetch.c:346:Global default library context, Algorithm (HMAC : 0),
Properties (<null>)


When I replace the base provider with the default provider, leaving the fips
module like the following


    config_diagnostics = 1
    openssl_conf = openssl_init

    .include /usr/lib/ssl-3/fipsmodule.cnf

    [openssl_init]
    providers = provider_sect

    [provider_sect]
    default = default_sect
    fips = fips_sect

    [default_sect]
    activate = 1


I see only the default provider installed after I boot and when I try to
manually install the FIPS module with the above command I get the following.

Failed to load FIPS module


1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid

1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test
post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:

1080F176:error:078C0105:common libcrypto routines:provider_init:init


From this state, if I copy the ossl-modules directory to a different
location like /usr/lib/ssl-3/ and try to manually install the FIPS module


openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/ -out


it successfully installs with the following output and I see both the fips and
default providers installed.

HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass



I need to get the FIPS module to install without needing the default
provider. It seems like the FIPS module is trying to install and getting
stuck in a bad state, but I could use some help debugging this.


Thanks for any help you can provide.
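
Added example (not part of the original post, and not OpenSSL's own parser): a small Python check that follows openssl_conf, then providers, then each provider section for a configuration laid out like the first one above, and reports any provider whose section is never defined, for instance because the included fipsmodule.cnf cannot be read. The bracketed section header names, the sample file contents and the file name openssl.cnf are assumptions; only section headers, name = value lines, # comments and .include are handled.

```python
import re
from pathlib import Path
# Constructed sample files for the demo; names and contents are assumptions.
MAIN = ("config_diagnostics = 1\nopenssl_conf = openssl_init\n"
        ".include /usr/lib/ssl-3/fipsmodule.cnf\n"
        "[openssl_init]\nproviders = provider_sect\n"
        "[provider_sect]\nfips = fips_sect\nbase = base_sect\n"
        "[base_sect]\nactivate = 1\n")
SAMPLE = {"openssl.cnf": MAIN,
          "/usr/lib/ssl-3/fipsmodule.cnf": "[fips_sect]\nactivate = 1\n"}

def read_disk(path):
    try:
        return Path(path).read_text()
    except OSError:  # missing or unreadable file
        return None

def expand(path, read, missing):
    """Flatten a config into lines, splicing .include files in place."""
    text = read(path)
    if text is None:
        missing.append(path)
        return []
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        inc = re.match(r"\.include\s*=?\s*(\S+)$", line)
        if inc:
            lines += expand(inc.group(1), read, missing)
        elif line:
            lines.append(line)
    return lines

def check_providers(main, read=read_disk):
    """Return ({provider: status}, [unreadable file paths])."""
    missing, sections, current = [], {}, "default"
    for line in expand(main, read, missing):
        head = re.match(r"\[\s*(\S+)\s*\]$", line)
        if head:
            current = head.group(1)
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    init = sections.get("default", {}).get("openssl_conf")
    provs = sections.get(sections.get(init, {}).get("providers"), {})
    # OpenSSL 3.0 activates on the presence of "activate", whatever its value.
    status = {n: "no section" if s not in sections
              else "active" if "activate" in sections[s] else "inactive"
              for n, s in provs.items()}
    return status, missing
```

Calling check_providers with only the path of the real openssl.cnf reads the files from disk on the target; passing SAMPLE.get as the second argument runs it on the constructed sample.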




More information about the openssl-users mailing list