I've successfully built and installed openssl 3.0 and the fips.so module in
my yocto build environment. My goal is to make the FIPs module the default
provider for all applications so I modified my openssl.cnf file to match
the docs like the following.
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/lib/ssl-3/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
After boot, I check the installed providers with "openssl list -providers"
and see only the base provider. I then try to install the FIPS module with
the following.
openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
/usr/lib/ssl-3/fipsmodule.cnf
and I get the error output:
Unable to get MAC of type HMAC
INSTALL FAILED
1020F876:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp
_fetch.c:346:Global default library context, Algorithm (HMAC : 0),
Properties (<null>)
When I replace the base provider with the default provider, leaving the fips
module like the following
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/lib/ssl-3/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
I see only the default provider installed after I boot and when I try to
manually install the FIPS module with the above command I get the following.
Failed to load FIPS module
INSTALL FAILED
1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.0/providers/fips/self_test.c:261:
1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test
post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
1080F176:error:078C0105:common libcrypto routines:provider_init:init
fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
>From this state, if I copy the ossl-modules directory to a different
location like /usr/lib/ssl-3/ and try to manually install the FIPS module
with
openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out
/usr/lib/ssl-3/fipsmodule.cnf
it successful installs with the following output and I see both the fips and
default providers installed.
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
I need to get the FIPS module to install without needing the default
provider. It seems like the FIPS module is trying to install and getting
stuck in a bad state, but I could use some help debugging this.
Thanks for any help you can provide.
Susan
