Need help on self test post failure - programmatically load FIPS provider

Neil Horman nhorman at openssl.org
Fri May 24 13:25:39 UTC 2024


I assume that, after building the openssl library you ran openssl
fipsinstall?  i.e. you're not just using a previously generated
fipsmodule.cnf file?  The above errors initially seem like self tests
failed on the fips provider load, suggesting that the module-mac or
install-mac is incorrect in your config.
Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
murugesh.pitchaiah at gmail.com> wrote:

> Hi,
>
> Need your help on using openssl fips provider programmatically with
> openssl 3.0.9.
>
> Error seen:
>
> 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.
>
>
> Steps:
>
> Followed the steps @
> https://www.openssl.org/docs/man3.0/man7/fips_module.html
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/provider.h>
>
> int main(void)
> {
>     OSSL_PROVIDER *fips;
>     OSSL_PROVIDER *base;
>
>     /* Load the FIPS provider into the default library context */
>     fips = OSSL_PROVIDER_load(NULL, "fips");
>     if (fips == NULL) {
>         printf("Failed to load FIPS provider\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* Load the base provider alongside the FIPS provider */
>     base = OSSL_PROVIDER_load(NULL, "base");
>     if (base == NULL) {
>         OSSL_PROVIDER_unload(fips);
>         printf("Failed to load base provider\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* Rest of application */
>
>     OSSL_PROVIDER_unload(base);
>     OSSL_PROVIDER_unload(fips);
>     exit(EXIT_SUCCESS);
> }
>
>
> More info:
>
>
> /usr/bin # openssl version -d
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> /exos/bin # openssl version -a
> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
> built on: Tue May 30 12:31:57 2023 UTC
> platform: linux-x86_64
> options:  bn(64,64)
> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
> -fmacro-prefix-map=                      -fdebug-prefix-map=
>        -fdebug-prefix-map=                      -fdebug-prefix-map=
>  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
> -DNDEBUG
> OPENSSLDIR: "/usr/lib/ssl-3"
> ENGINESDIR: "/usr/lib/engines-3"
> MODULESDIR: "/usr/lib/ossl-modules"
> Seeding source: os-specific
> CPUINFO: N/A
>
>
> Attached the openssl and fips conf.
>
>
> Could you guys please check and share what is missing here? Any help would
> be appreciated.
>
>
> Thanks,
>
> Murugesh
>
>
>
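Added example, not part of the original thread and not OpenSSL's own tooling: a shell check for the condition suggested in the reply, that fipsmodule.cnf was not generated by `openssl fipsinstall` for the fips.so actually installed. The function names, return codes and the file locations in the comments (derived from the MODULESDIR and OPENSSLDIR values in the post) are assumptions.

```shell
#!/bin/sh
# Added example: is fipsmodule.cnf the one fipsinstall generated for the
# fips.so installed on this machine?
# Assumed locations, derived from the MODULESDIR and OPENSSLDIR in the post:
#   /usr/lib/ossl-modules/fips.so   /usr/lib/ssl-3/fipsmodule.cnf

# verify_fips_conf MODULE CONF
#   0  fipsinstall -verify accepted CONF for MODULE
#   1  verification failed (stale or foreign MAC, or openssl could not run it)
#   2  MODULE or CONF is missing or unreadable
#   3  CONF has no module-mac entry, so it is not fipsinstall output
verify_fips_conf() {
    module=$1
    conf=$2
    [ -r "$module" ] || { echo "cannot read module: $module" >&2; return 2; }
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }
    if ! grep -Eq '^[[:space:]]*module-mac[[:space:]]*=' "$conf"; then
        echo "no module-mac in $conf" >&2
        return 3
    fi
    # -verify checks the MAC values stored in CONF against MODULE
    if openssl fipsinstall -module "$module" -in "$conf" -verify >/dev/null 2>&1; then
        return 0
    fi
    echo "fipsinstall -verify rejected $conf for $module" >&2
    return 1
}

# regenerate_fips_conf MODULE CONF
# Rerun the install step on the target so the MACs match this build of fips.so.
regenerate_fips_conf() {
    openssl fipsinstall -module "$1" -out "$2"
}

# Command-line use: sh check_fips.sh MODULE CONF
if [ "$#" -eq 2 ]; then
    verify_fips_conf "$1" "$2"
    exit $?
fi
```

A return of 1 on the target is the case where `regenerate_fips_conf` applies; a config copied from a build host or another image is the usual way to end up there.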