Need help on self test post failure - programmatically load FIPS provider

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Fri May 31 04:49:52 UTC 2024


Hi Matt,

Could you please share any insights on why these errors are seen when
programmatically loading the FIPS provider:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.


Code for loading fips:

#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Loading "fips" into the default library context reads the fips_sect
     * parameters (module-mac, install-mac, install-status) from the
     * configuration file and runs the module's power-on self tests. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }

    /* The base provider supplies encoders, decoders and store loaders. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}


Thanks,
Murugesh

On Fri, May 24, 2024 at 9:27 PM murugesh pitchaiah <
murugesh.pitchaiah at gmail.com> wrote:

> Thanks Matt for looking into this.
>
> Here is the output:
>
>  # openssl list --providers -provider fips -provider base
>
> Providers:
>
>   base
>
>     name: OpenSSL Base Provider
>
>     version: 3.0.9
>
>     status: active
>
>   fips
>
>     name: OpenSSL FIPS Provider
>
>     version: 3.0.9
>
>     status: active
>
>
> Also please find the fipsmodule.conf file contents before and after
> fipsinstall, which I missed attaching in the previous mail:
>
> before install fipsmodule.cnf is :
>
>  # cat /usr/lib/ssl-3/fipsmodule.cnf
>
> [fips_sect]
>
> activate = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac = F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69
>
>
> After fips install :
>
>  [fips_sect]
>
> install-version = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
>
> Note: Removed the 'activate=1' manually.
>
>
> Thanks,
>
> Murugesh
>
> On Fri, May 24, 2024 at 8:35 PM Matt Caswell <matt at openssl.org> wrote:
>
>> What do you get by loading the provider via the "openssl list" command,
>> i.e. what is the output from:
>>
>> $ openssl list --providers -provider fips -provider base
>>
>>
>> Matt
>>
>> On 24/05/2024 15:48, murugesh pitchaiah wrote:
>> > Thanks Neil for your response. Please find more details below.
>> >
>> > Yes, we run fipsinstall and then edit the fipsmodule.conf file to remove
>> > the 'activate=1' line. Then we try to programmatically load the FIPS provider.
>> > Here are the detailed steps.
>> > Once the device boots up, the device has fipsmodule.cnf present in
>> > /usr/lib/ssl-3 which does not have install_mac and install_status. We
>> > have edited the openssl.cnf file as mentioned below:
>> >
>> >     .include /usr/local/ssl/fipsmodule.cnf
>> >
>> >     [openssl_init]
>> >     providers = provider_sect
>> >
>> >     [provider_sect]
>> >     fips = fips_sect
>> >     base = base_sect
>> >
>> >     [base_sect]
>> >     activate = 1
>> >
>> > We executed below command to install which also
>> > generates/updates fipsmodule.cnf file
>> >
>> >       openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
>> >     /usr/lib/ssl-3/fipsmodule.cnf
>> >
>> >   The above command successfully executed and updated install-status to
>> > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>> >
>> >     [fips_sect]
>> >     activate = 1
>> >     install-version = 1
>> >     conditional-errors = 1
>> >     security-checks = 1
>> >     module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>> >     install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>> >     install-status = INSTALL_SELF_TEST_KATS_RUN
>> >
>> > Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
>> > this we ran the code that programmatically loads fips, which caused the
>> > error:
>> >
>> >     80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>> >     80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>> >     80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
>> >     Error loading FIPS provider.
>> >
>> >
>> > Please share if we are missing something. Thanks in advance.
>> >
>> >
>> > Regards,
>> >
>> > Murugesh
>> >
>> >
>> >
>> > On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhorman at openssl.org
>> > <mailto:nhorman at openssl.org>> wrote:
>> >
>> >     I assume that, after building the openssl library you ran openssl
>> >     fipsinstall?  i.e. you're not just using a previously generated
>> >     fipsmodule.cnf file?  The above errors initially seem like self
>> >     tests failed on the fips provider load, suggesting that the
>> >     module-mac or install-mac is incorrect in your config.
>> >     Neil
>> >
>> >     On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
>> >     <murugesh.pitchaiah at gmail.com <mailto:murugesh.pitchaiah at gmail.com
>> >>
>> >     wrote:
>> >
>> >         Hi,
>> >
>> >         Need your help on using openssl fips provider
>> >         programmatically with openssl 3.0.9.
>> >
>> >         Error seen:
>> >
>> >             80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>> >             80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>> >             80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
>> >             Error loading FIPS provider.
>> >
>> >         Steps:
>> >
>> >         Followed the steps @
>> >         https://www.openssl.org/docs/man3.0/man7/fips_module.html
>> >
>> >
>> >             #include <stdio.h>
>> >             #include <stdlib.h>
>> >             #include <openssl/provider.h>
>> >
>> >             int main(void)
>> >             {
>> >                 OSSL_PROVIDER *fips;
>> >                 OSSL_PROVIDER *base;
>> >
>> >                 /* Reads fips_sect from the config file and runs the self tests */
>> >                 fips = OSSL_PROVIDER_load(NULL, "fips");
>> >                 if (fips == NULL) {
>> >                     printf("Failed to load FIPS provider\n");
>> >                     exit(EXIT_FAILURE);
>> >                 }
>> >                 base = OSSL_PROVIDER_load(NULL, "base");
>> >                 if (base == NULL) {
>> >                     OSSL_PROVIDER_unload(fips);
>> >                     printf("Failed to load base provider\n");
>> >                     exit(EXIT_FAILURE);
>> >                 }
>> >
>> >                 /* Rest of application */
>> >
>> >                 OSSL_PROVIDER_unload(base);
>> >                 OSSL_PROVIDER_unload(fips);
>> >                 exit(EXIT_SUCCESS);
>> >             }
>> >
>> >
>> >         More info:
>> >
>> >
>> >             /usr/bin # openssl version -d
>> >
>> >             OPENSSLDIR: "/usr/lib/ssl-3"
>> >
>> >             /exos/bin # openssl version -a
>> >
>> >             OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>> >
>> >             built on: Tue May 30 12:31:57 2023 UTC
>> >
>> >             platform: linux-x86_64
>> >
>> >             options:  bn(64,64)
>> >
>> >             compiler: x86_64-poky-linux-gcc  -m64
>> >             -fstack-protector-strong  -O2 -D_FORTIFY_SOURCE=2 -Wformat
>> >             -Wformat-security -Werror=format-security
>> >             --sysroot=recipe-sysroot -O2 -pipe -g
>> >             -feliminate-unused-debug-types -fmacro-prefix-map=
>> >                         -fdebug-prefix-map=
>> >               -fdebug-prefix-map=
>> >               -fdebug-prefix-map=  -DOPENSSL_USE_NODELETE -DL_ENDIAN
>> >             -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
>> >
>> >             OPENSSLDIR: "/usr/lib/ssl-3"
>> >
>> >             ENGINESDIR: "/usr/lib/engines-3"
>> >
>> >             MODULESDIR: "/usr/lib/ossl-modules"
>> >
>> >             Seeding source: os-specific
>> >
>> >             CPUINFO: N/A
>> >
>> >
>> >         Attached the openssl and fips conf.
>> >
>> >
>> >         Could you guys please check and share what is missing here? Any
>> >         help would be appreciated.
>> >
>> >
>> >         Thanks,
>> >
>> >         Murugesh
>> >
>> >
>>
>
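As an added check (an editor's example, not code from the thread or from OpenSSL), a POSIX shell function that verifies the configuration chain that OSSL_PROVIDER_load(NULL, "fips") depends on: the fipsmodule.cnf named by the .include directive in openssl.cnf must be the very file that openssl fipsinstall -out wrote, and it must carry module-mac, install-mac and install-status. The sample files are constructed to mirror the two paths quoted in this thread (/usr/local/ssl in openssl.cnf, /usr/lib/ssl-3 for fipsinstall); the MAC values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify the config chain that
# OSSL_PROVIDER_load(NULL, "fips") relies on when fipsmodule.cnf is pulled in
# through openssl.cnf. Usage: check_fips_config OPENSSL_CNF INSTALLED_CNF,
# INSTALLED_CNF being the path that was given to `openssl fipsinstall -out`.
check_fips_config() {
    cnf=$1 installed=$2
    # Path named by the first .include directive in openssl.cnf
    included=$(sed -n 's/^[[:space:]]*\.include[[:space:]][[:space:]]*//p' "$cnf" | head -n 1)
    [ -n "$included" ] || { echo "FAIL: $cnf has no .include directive"; return 1; }
    if [ "$included" != "$installed" ]; then
        echo "FAIL: openssl.cnf includes $included but fipsinstall wrote $installed"; return 2
    fi
    [ -r "$included" ] || { echo "FAIL: $included is not readable"; return 3; }
    # Value of KEY in the included file, empty when the key is absent
    val() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$included" | head -n 1; }
    [ -n "$(val module-mac)" ]  || { echo "FAIL: module-mac missing"; return 4; }
    [ -n "$(val install-mac)" ] || { echo "FAIL: install-mac missing, fipsinstall did not write this file"; return 5; }
    [ "$(val install-status)" = INSTALL_SELF_TEST_KATS_RUN ] \
        || { echo "FAIL: install-status is '$(val install-status)'"; return 6; }
    echo "OK: $included carries the install data and is the file openssl.cnf includes"
}
# Constructed sample mirroring the thread: openssl.cnf includes one path while
# fipsinstall wrote its output to another. The MACs are placeholders.
make_sample() {
    dir=$1
    mkdir -p "$dir/usr/local/ssl" "$dir/usr/lib/ssl-3"
    cat > "$dir/openssl.cnf" <<EOF
.include $dir/usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
EOF
    cat > "$dir/usr/lib/ssl-3/fipsmodule.cnf" <<EOF
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
install-mac = FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
install-status = INSTALL_SELF_TEST_KATS_RUN
EOF
}
tmp=$(mktemp -d); make_sample "$tmp"
check_fips_config "$tmp/openssl.cnf" "$tmp/usr/lib/ssl-3/fipsmodule.cnf" || echo "exit status $?"  # 2: path mismatch
```

Running it against the real files (openssl version -d gives OPENSSLDIR) takes the two paths as arguments; a non-zero status names the first inconsistency found.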