<div dir="ltr"><div>It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of the documentation at <a href="https://wiki.openssl.org/index.php/OpenSSL_3.0">https://wiki.openssl.org/index.php/OpenSSL_3.0</a> for enabling FIPS support. I added these lines to the very top of the file:</div><div><br></div><div></div><div style="margin-left:40px"><pre><span style="color:rgb(0,0,255)">openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect</span></pre></div><div><br></div><div>This caused the existing default section to now become part of the [provider_sect] section. Apparently any name=value line in that particular section where no [value] section exists causes OpenSSL to hang at exit when the FIPS provider is used. I consider this a bug, of course, but at least now I know what's causing it and how to work around it.<br></div><div><br></div><div>Regarding how to confirm which provider is actually providing a given algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD obtained via EVP_get_digestbyname() (even after it's used successfully by EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD obtained via EVP_MD_fetch(). Is this intentional?<br></div><div><br></div><div><br></div><div>Tom.III</div><div><br></div><div><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 15, 2020 at 10:20 AM Thomas Dwyer III <<a href="mailto:tomiii@tomiii.com">tomiii@tomiii.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Platform: Linux x86_64</div><div><br></div><div>I understand this is still alpha but how complete is the FIPS provider right now? I'm following the documentation at <a href="https://wiki.openssl.org/index.php/OpenSSL_3.0" target="_blank">https://wiki.openssl.org/index.php/OpenSSL_3.0</a> but I'm having a problem where my application hangs during exit() when I use the "fips" provider. I reduced my code down to this minimal snippet that reproduces the problem:</div><div><br></div><div><span style="color:rgb(0,0,255)"><span style="font-family:monospace">#include <stdio.h><br>#include <stdlib.h><br>#include <unistd.h><br>#include <openssl/evp.h><br>#include <openssl/crypto.h><br>#include <openssl/err.h><br>#include <openssl/provider.h><br><br>int<br>main(int argc, char **argv)<br>{<br> OSSL_PROVIDER *pvdr = NULL;<br> EVP_MD_CTX *ctx;<br> const EVP_MD *md;<br> char *alg = "sha1";<br> int rc = 0;<br><br> pvdr = OSSL_PROVIDER_load(NULL, "fips");<br> if (pvdr == NULL) {<br> fprintf(stderr, "Error loading FIPS provider\n");<br> exit(1);<br> }<br><br> md = EVP_get_digestbyname(alg);<br> if (!md) {<br> fprintf(stderr, "unknown digest '%s'\n", alg);<br> exit(1);<br> }<br><br> ctx = EVP_MD_CTX_create();<br><br> if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {<br> long err = ERR_get_error();<br> char *msg = ERR_error_string(err, NULL);<br> fprintf(stderr, "EVP_DigestInit_ex() failed: %s\n", msg);<br> exit(1);<br> }<br><br> EVP_MD_CTX_destroy(ctx);<br><br> rc = OSSL_PROVIDER_unload(pvdr);<br> if (rc != 1) {<br> fprintf(stderr, "Error unloading FIPS provider\n");<br> exit(1);<br> }<br><br> printf("finished!\n");</span></span></div><div><span style="color:rgb(0,0,255)"><span style="font-family:monospace"> exit(0);<br>}<br></span></span></div><div><span style="color:rgb(0,0,255)"><span style="font-family:monospace"><br></span></span></div><div>When I run this it prints "finished!" and then hangs in some kind of spin loop consuming 100% CPU. Skipping the call to EVP_DigestInit_ex() allows it to exit successfully, as does inserting a call to OPENSSL_init_crypto() at the very top with the OPENSSL_INIT_NO_ATEXIT flag. Passing "default" instead of "fips" to OSSL_PROVIDER_load() also seems to work fine. What am I missing?</div><div><br></div><div>Also, per section 7.8 of the wiki referenced above, I'm unable to confirm that the digest algorithm I want to use is being provided by the FIPS module. EVP_MD_provider(md) returns NULL even though the actual digest is computed correctly.<br></div><div><br></div><div><br></div><div>Thanks,</div><div>Tom.III</div><div><br></div><div><br></div></div>
</blockquote></div></div></div>