Platform: Linux x86_64

I understand this is still alpha, but how complete is the FIPS provider right now? I'm following the documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 but I'm having a problem where my application hangs during exit() when I use the "fips" provider. I reduced my code down to this minimal snippet that reproduces the problem:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <openssl/evp.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/provider.h>

int main(int argc, char **argv)
{
    OSSL_PROVIDER *pvdr = NULL;
    EVP_MD_CTX *ctx;
    const EVP_MD *md;
    char *alg = "sha1";
    int rc = 0;

    /* Load the "fips" provider into the default library context. */
    pvdr = OSSL_PROVIDER_load(NULL, "fips");
    if (pvdr == NULL) {
        fprintf(stderr, "Error loading FIPS provider\n");
        exit(1);
    }

    /* Look up the digest by name. */
    md = EVP_get_digestbyname(alg);
    if (!md) {
        fprintf(stderr, "unknown digest '%s'\n", alg);
        exit(1);
    }

    ctx = EVP_MD_CTX_create();

    /* Skipping this call lets the program exit normally. */
    if (EVP_DigestInit_ex(ctx, md, NULL) != 1) {
        unsigned long err = ERR_get_error();
        char *msg = ERR_error_string(err, NULL);
        fprintf(stderr, "EVP_DigestInit_ex() failed: %s\n", msg);
        exit(1);
    }

    EVP_MD_CTX_destroy(ctx);

    rc = OSSL_PROVIDER_unload(pvdr);
    if (rc != 1) {
        fprintf(stderr, "Error unloading FIPS provider\n");
        exit(1);
    }

    printf("finished!\n");
    exit(0);    /* the hang occurs here, after "finished!" is printed */
}

When I run this it prints "finished!" and then hangs in some kind of spin loop consuming 100% CPU. Skipping the call to EVP_DigestInit_ex() allows it to exit successfully, as does inserting a call to OPENSSL_init_crypto() at the very top with the OPENSSL_INIT_NO_ATEXIT flag. Passing "default" instead of "fips" to OSSL_PROVIDER_load() also seems to work fine. What am I missing?

Also, per section 7.8 of the wiki referenced above, I'm unable to confirm that the digest algorithm I want to use is being provided by the FIPS module. EVP_MD_provider(md) returns NULL even though the actual digest is computed correctly.

Thanks,
Tom.III