Need help on self test post failure - programmatically load FIPS provider

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Fri May 24 06:05:02 UTC 2024


Hi,

Need your help on using openssl fips provider programmatically with openssl
3.0.9.

Error seen:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.


Steps:

Followed the steps @
https://www.openssl.org/docs/man3.0/man7/fips_module.html

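#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit, EXIT_SUCCESS, EXIT_FAILURE */
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context (NULL). */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }

    /* The base provider supplies the non-cryptographic encoders/decoders. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}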


More info:


/usr/bin # openssl version -d
OPENSSLDIR: "/usr/lib/ssl-3"

/exos/bin # openssl version -a
OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
built on: Tue May 30 12:31:57 2023 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
--sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
-fmacro-prefix-map=                      -fdebug-prefix-map=
       -fdebug-prefix-map=                      -fdebug-prefix-map=
 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
-DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: N/A


Attached the openssl and fips conf.


Could you guys please check and share what is missing here? Any help would
be appreciated.


Thanks,

Murugesh
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fipsmodule.cnf
Type: application/octet-stream
Size: 338 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240524/b177a025/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl.cnf
Type: application/octet-stream
Size: 12396 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20240524/b177a025/attachment-0003.obj>
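
For reading the error output quoted in the message above, an added example (not part of the original post, and not OpenSSL code): a small C parser that splits each error-queue line into its fields and unpacks the hex error code using the OpenSSL 3.x layout (library number in bits 23..30, reason flags in bits 18..22, reason number in bits 0..17). The names `struct ossl_err`, `parse_ossl_err` and `post_lines` are hypothetical; the sample lines are the three from the post with the mail line-wrapping undone.

```c
#include <stdio.h>
#include <string.h>

/* One OpenSSL 3.x error-queue line, plus its unpacked error code. */
struct ossl_err {
    unsigned long code;    /* packed code as printed, e.g. 0x1C8000D4 */
    unsigned lib;          /* library number (57 = ERR_LIB_PROV, 15 = ERR_LIB_CRYPTO) */
    unsigned long reason;  /* reason number with the flag bits stripped */
    int fatal, common;     /* reason flags; "common" marks a shared ERR_R_* reason */
    char func[64], text[64], file[128];
    int line;
};

/* Parse "TID:error:CODE:lib text:function:reason text:file:line:data".
 * Returns 0 on success, -1 on any other shape (e.g. an empty function field). */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    memset(e, 0, sizeof *e);
    if (sscanf(s, "%*[^:]:error:%lx:%*[^:]:%63[^:]:%63[^:]:%127[^:]:%d",
               &e->code, e->func, e->text, e->file, &e->line) != 5)
        return -1;
    if (e->code & 0x80000000UL) {           /* system error: the rest is errno */
        e->lib = 2;                         /* ERR_LIB_SYS */
        e->reason = e->code & 0x7FFFFFFFUL;
        return 0;
    }
    e->lib    = (unsigned)((e->code >> 23) & 0xFF);   /* bits 23..30 */
    e->fatal  = (int)((e->code >> 18) & 1);           /* ERR_RFLAG_FATAL */
    e->common = (int)((e->code >> 19) & 1);           /* ERR_RFLAG_COMMON */
    e->reason = e->code & 0x3FFFF;                    /* bits 0..17 */
    return 0;
}

/* The three queue entries from the post, with the mail line-wrapping undone. */
static const char *const post_lines[] = {
    "80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:",
    "80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:",
    "80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips",
};

int main(void)
{
    struct ossl_err e;
    for (size_t i = 0; i < sizeof post_lines / sizeof post_lines[0]; i++)
        if (parse_ossl_err(post_lines[i], &e) == 0)
            printf("lib=%u reason=%lu%s %s() at %s:%d (%s)\n", e.lib, e.reason,
                   e.common ? " [common]" : "", e.func, e.file, e.line, e.text);
    return 0;
}
```

The queue is printed oldest entry first, so the first line is where the failure was raised and the later lines are the callers reporting it upward.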

