Thanks Neil for your response. Please find more details below.

Yes, we run fipsinstall and then edit the fipsmodule.cnf file to remove the 'activate=1' line. Then we try to programmatically load the FIPS provider. Here are the detailed steps.

Once the device boots up, the device has fipsmodule.cnf present in /usr/lib/ssl-3 which does not have install_mac and install_status. We have edited the openssl.cnf file as mentioned below:

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

We executed the below command to install, which also generates/updates the fipsmodule.cnf file:

openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf

The above command executed successfully and updated install-status in the fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from the fipsmodule.cnf file. After this we triggered the programmatic FIPS load code, which caused the error:

80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.

Please share if we are missing something. Thanks in advance.

Regards,
Murugesh

On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhor...@openssl.org> wrote:
> I assume that, after building the openssl library, you ran openssl
> fipsinstall? i.e. you're not just using a previously generated
> fipsmodule.cnf file?
>
> The above errors initially seem like self tests failed on the fips
> provider load, suggesting that the module-mac or install-mac is
> incorrect in your config
>
> Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <murugesh.pitcha...@gmail.com> wrote:
>> Hi,
>>
>> Need your help on using the openssl fips provider programmatically with
>> openssl 3.0.9.
>>
>> Error seen:
>>
>> 80D1CD65667F0000:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>> 80D1CD65667F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>> 80D1CD65667F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
>> Error loading FIPS provider.
>>
>> Steps:
>>
>> Followed the steps @ https://www.openssl.org/docs/man3.0/man7/fips_module.html
>>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <openssl/provider.h>
>>
>> int main(void)
>> {
>>     OSSL_PROVIDER *fips;
>>     OSSL_PROVIDER *base;
>>
>>     /* Load the FIPS provider into the default library context; its
>>      * parameters (module-mac, install-mac, ...) come from the config */
>>     fips = OSSL_PROVIDER_load(NULL, "fips");
>>     if (fips == NULL) {
>>         printf("Failed to load FIPS provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* The base provider supplies encoders/decoders and store loaders
>>      * that the FIPS provider does not implement */
>>     base = OSSL_PROVIDER_load(NULL, "base");
>>     if (base == NULL) {
>>         OSSL_PROVIDER_unload(fips);
>>         printf("Failed to load base provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* Rest of application */
>>
>>     OSSL_PROVIDER_unload(base);
>>     OSSL_PROVIDER_unload(fips);
>>     exit(EXIT_SUCCESS);
>> }
>>
>> More info:
>>
>> /usr/bin # openssl version -d
>> OPENSSLDIR: "/usr/lib/ssl-3"
>>
>> /exos/bin # openssl version -a
>> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>> built on: Tue May 30 12:31:57 2023 UTC
>> platform: linux-x86_64
>> options: bn(64,64)
>> compiler: x86_64-poky-linux-gcc -m64 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
>> OPENSSLDIR: "/usr/lib/ssl-3"
>> ENGINESDIR: "/usr/lib/engines-3"
>> MODULESDIR: "/usr/lib/ossl-modules"
>> Seeding source: os-specific
>> CPUINFO: N/A
>>
>> Attached the openssl and fips conf.
>>
>> Could you guys please check and share what is missing here? Any help
>> would be appreciated.
>>
>> Thanks,
>> Murugesh
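As an added example (not code from the thread, and not part of OpenSSL), a preflight check a practitioner can run over the two config files before trying the programmatic load. OSSL_PROVIDER_load(NULL, "fips") resolves the provider's parameters through the default configuration, so the .include line in openssl.cnf has to name the file that fipsinstall actually wrote, and the section it points at has to carry module-mac, install-mac and install-status. In the files posted above those two paths differ (/usr/local/ssl/fipsmodule.cnf in openssl.cnf versus the -out path /usr/lib/ssl-3/fipsmodule.cnf); the constructed inputs below mirror the posted files with placeholder MAC values, and the check reports that mismatch as an error and the deliberately removed activate = 1 as a note. The parser handles only the config syntax visible in the posted files ([section] headers, key = value lines, .include directives) and is an assumption of this example, not OpenSSL's own config parser.

```python
"""Preflight check for an OpenSSL 3.x FIPS provider configuration.

Added example, not code from the thread or from the OpenSSL project.
It parses the subset of OpenSSL config syntax used by the posted files
([section] headers, key = value lines, .include directives) and reports
the inconsistencies that stop a programmatic OSSL_PROVIDER_load(NULL,
"fips") from finding the integrity data written by fipsinstall.
"""
import re

# Status fipsinstall writes once the module MAC and KATs have passed.
INSTALLED_STATUS = "INSTALL_SELF_TEST_KATS_RUN"


def parse_config(text):
    """Return (includes, sections) for an OpenSSL-style config.

    includes: paths named by .include lines (both ".include path" and
    ".include = path" forms); sections: dict of section -> {key: value}.
    Keys seen before any [section] header land in "default".
    """
    includes = []
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith(".include"):
            includes.append(line[len(".include"):].lstrip(" =\t"))
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return includes, sections


def check_fips_config(openssl_cnf, fipsmodule_cnf, installed_path):
    """Return a list of (level, message) findings; level is "error" or "note".

    installed_path is the -out argument given to `openssl fipsinstall`,
    i.e. the file that actually carries module-mac/install-mac.
    """
    findings = []
    includes, main = parse_config(openssl_cnf)
    _, fips = parse_config(fipsmodule_cnf)

    # 1. openssl.cnf must pull in the file fipsinstall wrote, not a sibling path.
    if installed_path not in includes:
        findings.append(("error", "openssl.cnf includes %s but fipsinstall wrote %s"
                         % (", ".join(includes) or "no file", installed_path)))

    # 2. Follow openssl_init -> providers -> fips to the section name.
    providers = main.get("openssl_init", {}).get("providers", "")
    fips_sect = main.get(providers, {}).get("fips")
    if fips_sect is None:
        findings.append(("error", "no 'fips = <section>' entry under [%s]" % (providers or "?")))
        return findings
    sect = fips.get(fips_sect)
    if sect is None:
        findings.append(("error", "section [%s] is not present in fipsmodule.cnf" % fips_sect))
        return findings

    # 3. The section must carry the integrity data fipsinstall produces.
    for key in ("module-mac", "install-mac"):
        if key not in sect:
            findings.append(("error", "[%s] lacks %s; rerun fipsinstall" % (fips_sect, key)))
    if sect.get("install-status") != INSTALLED_STATUS:
        findings.append(("error", "[%s] install-status is %r, expected %s"
                         % (fips_sect, sect.get("install-status"), INSTALLED_STATUS)))

    # 4. Without activate = 1 the config does not auto-load the provider;
    #    the application must call OSSL_PROVIDER_load() itself.
    if sect.get("activate") != "1":
        findings.append(("note", "[%s] has no activate = 1; the provider loads only "
                         "when the application calls OSSL_PROVIDER_load()" % fips_sect))
    return findings


def errors(findings):
    """Just the error-level messages, for callers that gate on them."""
    return [msg for level, msg in findings if level == "error"]


# Constructed inputs modelled on the files posted in the thread
# (MAC values are placeholders, not the real ones).
OPENSSL_CNF = """\
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
"""

FIPSMODULE_CNF = """\
[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 00:11:22:33
install-mac = 44:55:66:77
install-status = INSTALL_SELF_TEST_KATS_RUN
"""

# The -out path of the posted fipsinstall command.
INSTALLED_PATH = "/usr/lib/ssl-3/fipsmodule.cnf"

if __name__ == "__main__":
    for level, msg in check_fips_config(OPENSSL_CNF, FIPSMODULE_CNF, INSTALLED_PATH):
        print("%-5s %s" % (level, msg))
```

The script only checks that the pieces are present and wired together; it does not recompute the MACs. For that, the authoritative check is `openssl fipsinstall -module <fips.so> -in <fipsmodule.cnf> -verify`, which fails if the module on disk no longer matches the recorded module-mac.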