The provider fips can't be loaded on openssl3.0.8

Johnson Wang (王舜樸) JohnsonWang at ami.com
Fri May 5 07:27:24 UTC 2023 

Hi Pauli,

Thanks. You are right. It was caused by env. The command “openssl list -providers” work normally. However, I executed the test code which still printed “Failed to load FIPS provider”.

Compiler command: gcc fips_test.c -lcrypto
Result:
./a.out
Failed to load FIPS provider

Test code:
#include <openssl/provider.h>
#include <stdlib.h>
#include <stdio.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    fips = OSSL_PROVIDER_load(NULL, "fips_sect");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}

Thanks,
Johnson

From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of pauli at openssl.org
Sent: Friday, May 5, 2023 11:23 AM
To: openssl-users at openssl.org
Subject: [EXTERNAL] Re: The provider fips can't be loaded on openssl3.0.8


**CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.**
My initial guess would be that the configuration file isn't being found by your application.
Have you set OPENSSL_CONF?
What about OPENSSL_CONF_INCLUDE?

Useful places to look are the FIPS module<https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the config<https://www.openssl.org/docs/man3.0/man5/config.html> documentation.


Pauli
On 5/5/2023 12:28 pm, Johnson Wang (王舜樸) via openssl-users wrote:
Hi,

Environment: Debian buster

After installing openssl and running fipsinstall, I tried to execute "openssl list -providers". The log didn't print provider fips.
And, I went to try the test code as below. It printed "Failed to load FIPS provider".

Test code:
#include <openssl/provider.h>
int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}

Test command:
openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.8
    status: active


Complete steps:
1. ./Configure --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/arm-linux-gnueabi shared no-idea no-mdc2 no-rc5 no-zlib no-ssl3 no-rc4 no-dtls1 linux-armv4 enable-fips
2. make depend
3. make
4. make install
5. openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
6. Modify openssl.cnf
7. Run openssl list -providers

openssl.cnf:
I have added the setting:

openssl_conf = openssl_init
config_diagnostics = 1
.include /usr/lib/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1

fipsmodule.cnf:

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = C1:D0:1D:D2:1F:74:98:86:8C:55:DB:B0:5D:74:F0:74:FF:A1:63:E9:ED:6C:E6:97:6D:DB:D9:96:CF:1B:CA:8B
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Some test result:

openssl version -a
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
built on: Tue May  2 07:20:31 2023 UTC
platform: linux-armv4
options:  bn(64,32)
compiler: gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/arm-linux-gnueabi/engines-3"
MODULESDIR: "/usr/lib/arm-linux-gnueabi/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x0

openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/arm-linux-gnueabi/ossl-modules/fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED

Could you please help to check whether I have wrong steps?


Thanks,
Johnson

-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.

-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230505/ace029da/attachment-0001.htm>

More information about the openssl-users mailing list