OpenSSL 3.0 FIPS questions

Matt Caswell matt at openssl.org
Thu Oct 28 07:39:15 UTC 2021



On 27/10/2021 17:28, Jason Schultz wrote:
> With these config files and the code above, the 
> OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the 
> messages from the ERR_print_errors_fp() call:
> 
> 2097C692B57F0000:error:1C8000D5:Provider routines:(unknown function):missing config data:providers/fips/self_test.c:289:
> 2097C692B57F0000:error:1C8000E0:Provider routines:(unknown function):fips module entering error state:providers/fips/self_test.c:387:
> 2097C692B57F0000:error:1C8000D8:Provider routines:(unknown function):self test post failure:providers/fips/fipsprov.c:706:
> 2097C692B57F0000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:903:name=fips


This tells us that the fips provider has successfully loaded, but then 
subsequently failed during its self-test because it cannot find its 
config data.

I can see that you have created a separate libctx for fips. However 
automatic loading of the config file only works for the *default* 
libctx. If you create your own one then you need to explicitly load the 
config file:

if (!OSSL_LIB_CTX_load_config(fips_libctx, "/usr/local/ssl/openssl.cnf")) {
    /* error handling */
}

Actually if you do this then you should not need to call 
OSSL_PROVIDER_load() explicitly to load the fips provider since you 
already activated it in the config file. You can either drop the 
explicit call to OSSL_PROVIDER_load() for the fips provider, or remove 
the "activate = 1" line in "fips_sect" in fipsmodule.cnf. This is just a 
minor optimisation though. Doing both is redundant but harmless. You 
could also load the base provider via config if you wanted to.

Matt