Openssl 3.0 fipsinstall fails in yocto linux environment

Tue Nov 9 22:59:49 UTC 2021

Hi Kory,

I am cross-compiling. Here is the command line from the "perl configdta.pm
--dump" command. I'm using an existing openssl 3. 0 recipe which I just
modified with enable-fips.

perl ../openssl-3.0.0/Configure disable-devcryptoeng enable-fips
--prefix=/usr --openssldir=/usr/lib/ssl-3 --libdir=/usr/lib linux-armv4

The output of openssl version -a is as follows.

OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Tue Sep  7 11:46:32 2021 UTC
platform: linux-armv4
options:  bn(64,32)
compiler: arm-poky-linux-gnueabi-gcc  -mthumb -mfpu=neon -mfloat-abi=hard
-mcpu=cortex-a7 -fstack-protector-strong  -D_FORTIFY_SOURCE=2 -Wformat
-Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe
-g -feliminate-unused-debug-types -fmacro-prefix-map=
-fdebug-prefix-map=                      -fdebug-prefix-map=
-fdebug-prefix-map=  -DOPENSSL_USE_NODELETE -DOPENSSL_PIC
-DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x1

thanks,
Susan

--------------------------------------------
Message: 2
Date: Tue, 9 Nov 2021 14:32:19 -0800
From: Kory Hamzeh <kory at avatarci.com>
To: openssl-users at openssl.org
Subject: Re: Openssl 3.0 fipsinstall fails in yocto linux environment
Message-ID: <A74C84CA-8DB3-4DF9-997B-FD89FDADA932 at avatarci.com>
Content-Type: text/plain; charset="utf-8"

Hi Susan,

How did you run Configure? Are you cross compiling?

Be default, OpenSSL 3.0.0 builds for /usr/local. Your MUST install it there
or use a Configure option if you want to install it somewhere else.

Kory

> On Nov 9, 2021, at 2:21 PM, Susan Tremel <susan.tremel at datasoft.com>
wrote:
> 
> I?ve successfully built and installed openssl 3.0 and the fips.so module
in my yocto build environment. My goal is to make the FIPs module the
default provider for all applications so I modified my openssl.cnf file  to
match the docs like the following.
>  
>     config_diagnostics = 1
>     openssl_conf = openssl_init
>  
>     .include /usr/lib/ssl-3/fipsmodule.cnf
>  
>     [openssl_init]
>     providers = provider_sect
>  
>     [provider_sect]
>     fips = fips_sect
>     base = base_sect
>  
>     [base_sect]
>     activate = 1
>  
> After boot, I check the installed providers with ?openssl list ?providers?
and see only the base provider. I then try to install the FIPS module with
the following.
>  
> openssl fipsinstall ?module /usr/lib/ossl-modules/fips.so ?out
/usr/lib/ssl-3/fipsmodule.cnf 
>  
> and I get the error output:
> Unable to get MAC of type HMAC
> INSTALL FAILED
> 1020F876:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp
_fetch.c:346:Global default library context, Algorithm (HMAC : 0),
Properties (<null>)
>  
> When I replace the base provider with the default provider, leaving the
fips module like the following
>  
>     config_diagnostics = 1
>     openssl_conf = openssl_init
>  
>     .include /usr/lib/ssl-3/fipsmodule.cnf
>  
>     [openssl_init]
>     providers = provider_sect
>  
>     [provider_sect]
>     default = default_sect
>     fips = fips_sect
>  
>     [default_sect]
>     activate = 1
>  
> I see only the default provider installed after I boot and when I try to
manually install the FIPS module with the above command I get the following.
> Failed to load FIPS module
> INSTALL FAILED
> 1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.0/providers/fips/self_test.c:261:
> 1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test
post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
> 1080F176:error:078C0105:common libcrypto routines:provider_init:init
fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
>  
> From this state, if I copy the ossl-modules directory to a different
location like /usr/lib/ssl-3/ and try to manually install the FIPS module
with
>  
> openssl fipsinstall ?module /usr/lib/ssl-3/ossl-modules/fips.so ?out
/usr/lib/ssl-3/fipsmodule.cnf 
>  
> it successful installs with the following output and I see both the fips
and default providers installed.
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
>  
> I need to get the FIPS module to install without needing the default
provider. It seems like the FIPS module is trying to install and getting
stuck in a bad state, but I could use some help debugging this.
>  
> Thanks for any help you can provide.
> Susan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://mta.openssl.org/pipermail/openssl-users/attachments/20211109/b5cd5f
1e/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
openssl-users mailing list
openssl-users at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users

------------------------------

End of openssl-users Digest, Vol 84, Issue 18
*********************************************