Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-31 Thread Matt Caswell




On 24/05/2024 16:57, murugesh pitchaiah wrote:

> Thanks Matt for looking into this.
>
> Here is the output:
>
>   # openssl list --providers -provider fips -provider base
>   Providers:
>     base
>       name: OpenSSL Base Provider
>       version: 3.0.9
>       status: active
>     fips
>       name: OpenSSL FIPS Provider
>       version: 3.0.9
>       status: active

So this suggests that the fips provider is correctly installed and
configured and is able to activate without problems. So it's currently
unclear why you can't do this programmatically.




> Also please find the fipsmodule.conf file contents before and after
> fipsinstall which I missed to attach in previous mail:
>
> before install fipsmodule.cnf is :


Err...so you already had a fips module installed before you ran 
fipsinstall, and you are replacing it with a new one?


Where did you put the new fips.so file? Were you overwriting the 
previous one?



Matt







> After fips install :
>
>   [fips_sect]
>   install-version = 1
>   conditional-errors = 1
>   security-checks = 1
>   module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>   install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>   install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Note: Removed the 'activate=1' manually.
>
> Thanks,
>
> Murugesh


> On Fri, May 24, 2024 at 8:35 PM Matt Caswell wrote:
>
> > What do you get by loading the provider via the "openssl list" command,
> > i.e. what is the output from:
> >
> > $ openssl list --providers -provider fips -provider base
> >
> > Matt
> >
> > On 24/05/2024 15:48, murugesh pitchaiah wrote:
> > > Thanks Neil for your response. Please find more details below.
> > >
> > > Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> > > the 'activate=1' line. Then try to programmatically load FIPS provider.
> > > Here are the detailed steps.
> > > Once the device boots up, the device has fipsmodule.cnf present in
> > > /usr/lib/ssl-3 which does not have install_mac and install_status. We
> > > have edited openssl.cnf file as mentioned below:
> > >
> > >     .include /usr/local/ssl/fipsmodule.cnf
> > >
> > >     [openssl_init]
> > >     providers = provider_sect
> > >
> > >     [provider_sect]
> > >     fips = fips_sect
> > >     base = base_sect
> > >
> > >     [base_sect]
> > >     activate = 1
> > >
> > > We executed below command to install which also
> > > generates/updates fipsmodule.cnf file
> > >
> > >     openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
> > >
> > > The above command successfully executed and updated install-status to
> > > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
> > >
> > >     [fips_sect]
> > >     activate = 1
> > >     install-version = 1
> > >     conditional-errors = 1
> > >     security-checks = 1
> > >     module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> > >     install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> > >     install-status = INSTALL_SELF_TEST_KATS_RUN
> > >
> > > Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
> > > this we triggered the programmatically load fips code, which caused the
> > > error:
> > >
> > >     80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> > >     80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> > >     80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> > >     Error loading FIPS provider.
> > >
> > > Please share if we are missing something. Thanks in advance.
> > >
> > > Regards,
> > >
> > > Murugesh
> > >
> > > On Fri, May 24, 2024 at 6:55 PM Neil Horman <nhor...@openssl.org> wrote:
> > >
> > > > I assume that, after building the openssl library you ran openssl
> > > > fipsinstall?  i.e. you're not just using a previously generated
> > > > fipsmodule.cnf file?  The above errors initially seem like self
> > > > tests failed on the fips provider load, suggesting that the
> > > > module-mac or
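
An added example, not part of the thread and not OpenSSL project code: the files posted in the thread can be cross-checked mechanically, namely whether the file that openssl.cnf `.include`s is the one `fipsinstall -out` wrote, whether `[fips_sect]` carries the keys fipsinstall added, and whether `module-mac` differs between the "before" and "after" files. The function names are hypothetical, the parser handles only the subset of .cnf syntax seen in the thread, and the sample inputs are abridged from the thread's own files.

```python
import posixpath
import re

# Keys found in the thread's [fips_sect] once `openssl fipsinstall` had run.
INSTALL_KEYS = ("module-mac", "install-mac", "install-status")

def parse_cnf(text):
    """Return (include_paths, {section: {key: value}}) for OpenSSL .cnf text.
    A key with nothing after '=' takes the next line as its value when that
    line is not a key, section or .include (the wrapped MAC lines)."""
    includes, sections, current, pending = [], {"default": {}}, "default", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        inc = re.match(r"\.include\s*=?\s*(\S+)$", line)
        sec = re.match(r"\[\s*([^\]\s]+)\s*\]$", line)
        if pending and not (inc or sec or "=" in line):
            sections[current][pending] = line  # continuation of a wrapped value
            pending = None
            continue
        pending = None
        if inc:
            includes.append(posixpath.normpath(inc.group(1)))
        elif sec:
            current = sec.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
            pending = None if value else key
    return includes, sections

def fips_section(fipsmodule_cnf, name="fips_sect"):
    return parse_cnf(fipsmodule_cnf)[1].get(name, {})

def check_fips_setup(openssl_cnf, fipsinstall_out, fipsmodule_cnf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    includes, sections = parse_cnf(openssl_cnf)
    out = posixpath.normpath(fipsinstall_out)  # symlinks are not resolved
    if out not in includes:
        findings.append("include-mismatch: openssl.cnf includes %s, fipsinstall wrote %s"
                        % (", ".join(includes) or "nothing", out))
    prov = next((s["providers"] for s in sections.values() if "providers" in s), None)
    name = sections.get(prov, {}).get("fips")
    if name is None:
        return findings + ["no-fips-entry: provider section names no fips section"]
    fips = fips_section(fipsmodule_cnf, name)
    missing = [k for k in INSTALL_KEYS if not fips.get(k)]
    if missing:
        findings.append("missing-keys: [%s] lacks %s" % (name, ", ".join(missing)))
    return findings

# Sample inputs abridged from the thread's own files (constructed for this example).
OPENSSL_CNF = """\
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
"""
BEFORE = """\
[fips_sect]
activate = 1
module-mac =
F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69
"""
AFTER = """\
[fips_sect]
module-mac =
5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac =
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
"""

if __name__ == "__main__":
    out = "/usr/lib/ssl-3/fipsmodule.cnf"  # the -out path given to fipsinstall
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_fips_setup(OPENSSL_CNF, out, text))
    print("module-mac changed:", fips_section(BEFORE)["module-mac"] != fips_section(AFTER)["module-mac"])
```

A `module-mac` that differs between two files means they were generated against different fips.so binaries or with a different MAC key.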

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-30 Thread murugesh pitchaiah
Hi Matt,

Could you please share any insights on why these errors are seen on
programmatically loading the fips provider:

*80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.9/providers/fips/self_test.c:262:*
*80D1CD65667F:error:1C8000D8:Provider
routines:OSSL_provider_init_int:self test post
failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
*80D1CD65667F:error:078C0105:common libcrypto
routines:provider_init:init
fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
*Error loading FIPS provider.*


Code for loading fips:

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/provider.h>

    int main(void)
    {
        OSSL_PROVIDER *fips;
        OSSL_PROVIDER *base;

        /* Load the FIPS provider into the default library context */
        fips = OSSL_PROVIDER_load(NULL, "fips");
        if (fips == NULL) {
            printf("Failed to load FIPS provider\n");
            exit(EXIT_FAILURE);
        }
        /* Load the base provider alongside it */
        base = OSSL_PROVIDER_load(NULL, "base");
        if (base == NULL) {
            OSSL_PROVIDER_unload(fips);
            printf("Failed to load base provider\n");
            exit(EXIT_FAILURE);
        }

        /* Rest of application */

        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        exit(EXIT_SUCCESS);
    }


Thanks,
Murugesh

On Fri, May 24, 2024 at 9:27 PM murugesh pitchaiah <
murugesh.pitcha...@gmail.com> wrote:

> Thanks Matt for looking into this.
>
> Here is the output:
>
>  # openssl list --providers -provider fips -provider base
>
> Providers:
>
>   base
>
> name: OpenSSL Base Provider
>
> version: 3.0.9
>
> status: active
>
>   fips
>
> name: OpenSSL FIPS Provider
>
> version: 3.0.9
>
> status: active
>
>
> Also please find the fipsmodule.conf file contents before and after
> fipsinstall which I missed to attach in previous mail:
>
> before install fipsmodule.cnf is :
>
>  # cat /usr/lib/ssl-3/fipsmodule.cnf
>
> [fips_sect]
>
> activate = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69
>
>
> After fips install :
>
>  [fips_sect]
>
> install-version = 1
>
> conditional-errors = 1
>
> security-checks = 1
>
> module-mac =
> 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>
> install-mac =
> 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
>
> Note: Removed the 'activate=1' manually.
>
>
> Thanks,
>
> Murugesh
>
> On Fri, May 24, 2024 at 8:35 PM Matt Caswell  wrote:
>
>> What do you get by loading the provider via the "openssl list" command,
>> i.e. what is the output from:
>>
>> $ openssl list --providers -provider fips -provider base
>>
>>
>> Matt
>>
>> On 24/05/2024 15:48, murugesh pitchaiah wrote:
>> > Thanks Neil for your response. Please find more details below.
>> >
>> > Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
>> > the 'activate=1' line. Then try to programmatically load FIPS provider.
>> > Here are the detailed steps.
>> > Once the device boots up, the device has fipsmodule.cnf present in
>> > /usr/lib/ssl-3 which does not have install_mac and install_status. We
>> > have edited openssl.cnf file as mentioned below:
>> >
>> >     .include /usr/local/ssl/fipsmodule.cnf
>> >
>> >     [openssl_init]
>> >     providers = provider_sect
>> >
>> >     [provider_sect]
>> >     fips = fips_sect
>> >     base = base_sect
>> >
>> >     [base_sect]
>> >     activate = 1
>> >
>> > We executed below command to install which also
>> > generates/updates fipsmodule.cnf file
>> >
>> >     openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>> >
>> > The above command successfully executed and updated install-status to
>> > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>> >
>> >     [fips_sect]
>> >     activate = 1
>> >     install-version = 1
>> >     conditional-errors = 1
>> >     security-checks = 1
>> >     module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>> >     install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>> >     install-status = INSTALL_SELF_TEST_KATS_RUN
>> >
>> > Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
>> > this we triggered the programmatically load fips code, which caused the
>> > error:
>> >
>> >     80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>> >     80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>> >
>> > 

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Thanks Matt for looking into this.

Here is the output:

 # openssl list --providers -provider fips -provider base

Providers:

  base

name: OpenSSL Base Provider

version: 3.0.9

status: active

  fips

name: OpenSSL FIPS Provider

version: 3.0.9

status: active


Also please find the fipsmodule.conf file contents before and after
fipsinstall which I missed to attach in previous mail:

before install fipsmodule.cnf is :

 # cat /usr/lib/ssl-3/fipsmodule.cnf

[fips_sect]

activate = 1

conditional-errors = 1

security-checks = 1

module-mac =
F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69


After fips install :

 [fips_sect]

install-version = 1

conditional-errors = 1

security-checks = 1

module-mac =
5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3

install-mac =
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11

install-status = INSTALL_SELF_TEST_KATS_RUN


Note: Removed the 'activate=1' manually.


Thanks,

Murugesh

On Fri, May 24, 2024 at 8:35 PM Matt Caswell  wrote:

> What do you get by loading the provider via the "openssl list" command,
> i.e. what is the output from:
>
> $ openssl list --providers -provider fips -provider base
>
>
> Matt
>
> On 24/05/2024 15:48, murugesh pitchaiah wrote:
> > Thanks Neil for your response. Please find more details below.
> >
> > Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> > the 'activate=1' line. Then try to programmatically load FIPS provider.
> > Here are the detailed steps.
> > Once the device boots up, the device has fipsmodule.cnf present in
> > /usr/lib/ssl-3 which does not have install_mac and install_status. We
> > have edited openssl.cnf file as mentioned below:
> >
> >     .include /usr/local/ssl/fipsmodule.cnf
> >
> >     [openssl_init]
> >     providers = provider_sect
> >
> >     [provider_sect]
> >     fips = fips_sect
> >     base = base_sect
> >
> >     [base_sect]
> >     activate = 1
> >
> > We executed below command to install which also
> > generates/updates fipsmodule.cnf file
> >
> >     openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
> >
> > The above command successfully executed and updated install-status to
> > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
> >
> >     [fips_sect]
> >     activate = 1
> >     install-version = 1
> >     conditional-errors = 1
> >     security-checks = 1
> >     module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> >     install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> >     install-status = INSTALL_SELF_TEST_KATS_RUN
> >
> > Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
> > this we triggered the programmatically load fips code, which caused the
> > error:
> >
> >     80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> >     80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> >     80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> >     Error loading FIPS provider.
> >
> >
> > Please share if we are missing something. Thanks in advance.
> >
> >
> > Regards,
> >
> > Murugesh
> >
> >
> >
> > On Fri, May 24, 2024 at 6:55 PM Neil Horman wrote:
> >
> > I assume that, after building the openssl library you ran openssl
> > fipsinstall?  i.e. you're not just using a previously generated
> > fipsmodule.cnf file?  The above errors initially seem like self
> > tests failed on the fips provider load, suggesting that the
> > module-mac or install-mac is incorrect in your config
> > 'Neil
> >
> > On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
> > <murugesh.pitcha...@gmail.com> wrote:
> >
> > Hi,
> >
> > Need your help on using openssl fips provider
> > programmatically with openssl 3.0.9.
> >
> > Error seen:
> >
> > *80D1CD65667F:error:1C8000D4:Provider
> > routines:SELF_TEST_post:invalid
> > state:../openssl-3.0.9/providers/fips/self_test.c:262:*
> > *80D1CD65667F:error:1C8000D8:Provider
> > routines:OSSL_provider_init_int:self test post
> > failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
> > 

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread Matt Caswell
What do you get by loading the provider via the "openssl list" command, 
i.e. what is the output from:


$ openssl list --providers -provider fips -provider base


Matt

On 24/05/2024 15:48, murugesh pitchaiah wrote:

> Thanks Neil for your response. Please find more details below.
>
> Yes we run fipsinstall and then edit the fipsmodule.conf file to remove
> the 'activate=1' line. Then try to programmatically load FIPS provider.
> Here are the detailed steps.
> Once the device boots up, the device has fipsmodule.cnf present in
> /usr/lib/ssl-3 which does not have install_mac and install_status. We
> have edited openssl.cnf file as mentioned below:
>
>     .include /usr/local/ssl/fipsmodule.cnf
>
>     [openssl_init]
>     providers = provider_sect
>
>     [provider_sect]
>     fips = fips_sect
>     base = base_sect
>
>     [base_sect]
>     activate = 1
>
> We executed below command to install which also
> generates/updates fipsmodule.cnf file
>
>     openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> The above command successfully executed and updated install-status to
> fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
>
>     [fips_sect]
>     activate = 1
>     install-version = 1
>     conditional-errors = 1
>     security-checks = 1
>     module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
>     install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
>     install-status = INSTALL_SELF_TEST_KATS_RUN
>
> Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
> this we triggered the programmatically load fips code, which caused the
> error:
>
>     80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>     80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>     80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
>     Error loading FIPS provider.
>
> Please share if we are missing something. Thanks in advance.
>
> Regards,
>
> Murugesh
>
> On Fri, May 24, 2024 at 6:55 PM Neil Horman wrote:
>
> > I assume that, after building the openssl library you ran openssl
> > fipsinstall?  i.e. you're not just using a previously generated
> > fipsmodule.cnf file?  The above errors initially seem like self
> > tests failed on the fips provider load, suggesting that the
> > module-mac or install-mac is incorrect in your config
> > 'Neil
> >
> > On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah
> > <murugesh.pitcha...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Need your help on using openssl fips provider
> > > programmatically with openssl 3.0.9.
> > >
> > > Error seen:
> > >
> > > *80D1CD65667F:error:1C8000D4:Provider
> > > routines:SELF_TEST_post:invalid
> > > state:../openssl-3.0.9/providers/fips/self_test.c:262:*
> > > *80D1CD65667F:error:1C8000D8:Provider
> > > routines:OSSL_provider_init_int:self test post
> > > failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
> > > *80D1CD65667F:error:078C0105:common libcrypto
> > > routines:provider_init:init
> > > fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
> > > *Error loading FIPS provider.*
> > >
> > > Steps:
> > >
> > > Followed the steps @
> > > https://www.openssl.org/docs/man3.0/man7/fips_module.html
> > >
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <openssl/provider.h>
> > >
> > > int main(void)
> > > {
> > >     OSSL_PROVIDER *fips;
> > >     OSSL_PROVIDER *base;
> > >
> > >     fips = OSSL_PROVIDER_load(NULL, "fips");
> > >     if (fips == NULL) {
> > >         printf("Failed to load FIPS provider\n");
> > >         exit(EXIT_FAILURE);
> > >     }
> > >     base = OSSL_PROVIDER_load(NULL, "base");
> > >     if (base == NULL) {
> > >         OSSL_PROVIDER_unload(fips);
> > >         printf("Failed to load base provider\n");
> > >         exit(EXIT_FAILURE);
> > >     }
> > >
> > >     /* Rest of application */
> > >
> > >     OSSL_PROVIDER_unload(base);
> > >     OSSL_PROVIDER_unload(fips);
> > >     exit(EXIT_SUCCESS);
> > > }
Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Thanks Neil for your response. Please find more details below.

Yes we run fipsinstall and then edit the fipsmodule.conf file to remove the
'activate=1' line. Then try to programmatically load FIPS provider. Here
are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in
/usr/lib/ssl-3 which does not have install_mac and install_status. We have
edited openssl.cnf file as mentioned below:

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]

providers = provider_sect


[provider_sect]

fips = fips_sect

base = base_sect


[base_sect]

activate = 1

We executed below command to install which also
generates/updates fipsmodule.cnf file

 openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
/usr/lib/ssl-3/fipsmodule.cnf

 The above command successfully executed and updated install-status to
fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:

[fips_sect]

activate = 1

install-version = 1

conditional-errors = 1

security-checks = 1

module-mac =
5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3

install-mac =
41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11

install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from fipsmodule.cnf file.  After
this we triggered the programmatically load fips code, which caused the
error:

    80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
    80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
    80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
    Error loading FIPS provider.


Please share if we are missing something. Thanks in advance.


Regards,

Murugesh



On Fri, May 24, 2024 at 6:55 PM Neil Horman  wrote:

> I assume that, after building the openssl library you ran openssl
> fipsinstall?  i.e. you're not just using a previously generated
> fipsmodule.cnf file?  The above errors initially seem like self tests
> failed on the fips provider load, suggesting that the module-mac or
> install-mac is incorrect in your config
> 'Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
> murugesh.pitcha...@gmail.com> wrote:
>
>> Hi,
>>
>> Need your help on using openssl fips provider programmatically with
>> openssl 3.0.9.
>>
>> Error seen:
>>
>> *80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
>> state:../openssl-3.0.9/providers/fips/self_test.c:262:*
>> *80D1CD65667F:error:1C8000D8:Provider
>> routines:OSSL_provider_init_int:self test post
>> failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
>> *80D1CD65667F:error:078C0105:common libcrypto
>> routines:provider_init:init
>> fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
>> *Error loading FIPS provider.*
>>
>>
>> Steps:
>>
>> Followed the steps @
>> https://www.openssl.org/docs/man3.0/man7/fips_module.html
>> 
>>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <openssl/provider.h>
>>
>>
>>
>> int main(void)
>>
>> {
>>
>> OSSL_PROVIDER *fips;
>>
>> OSSL_PROVIDER *base;
>>
>>
>>
>> fips = OSSL_PROVIDER_load(NULL, "fips");
>>
>> if (fips == NULL) {
>>
>> printf("Failed to load FIPS provider\n");
>>
>> exit(EXIT_FAILURE);
>>
>> }
>>
>> base = OSSL_PROVIDER_load(NULL, "base");
>>
>> if (base == NULL) {
>>
>> OSSL_PROVIDER_unload(fips);
>>
>> printf("Failed to load base provider\n");
>>
>> exit(EXIT_FAILURE);
>>
>> }
>>
>>
>>
>> /* Rest of application */
>>
>>
>>
>> OSSL_PROVIDER_unload(base);
>>
>> OSSL_PROVIDER_unload(fips);
>>
>> exit(EXIT_SUCCESS);
>>
>> }
>>
>>
>> More info:
>>
>>
>> /usr/bin # openssl version -d
>>
>> OPENSSLDIR: "/usr/lib/ssl-3"
>>
>> /exos/bin # openssl version -a
>>
>> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>>
>> built on: Tue May 30 12:31:57 2023 UTC
>>
>> platform: linux-x86_64
>>
>> options:  bn(64,64)
>>
>> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
>> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
>> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
>> -fmacro-prefix-map=  -fdebug-prefix-map=
>>-fdebug-prefix-map=  -fdebug-prefix-map=
>>  -DOPENSSL_USE_NODELETE -DL_ENDIAN 

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread Neil Horman
I assume that, after building the openssl library you ran openssl
fipsinstall?  i.e. you're not just using a previously generated
fipsmodule.cnf file?  The above errors initially seem like self tests
failed on the fips provider load, suggesting that the module-mac or
install-mac is incorrect in your config
'Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
murugesh.pitcha...@gmail.com> wrote:

> Hi,
>
> Need your help on using openssl fips provider programmatically with
> openssl 3.0.9.
>
> Error seen:
>
> *80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
> state:../openssl-3.0.9/providers/fips/self_test.c:262:*
> *80D1CD65667F:error:1C8000D8:Provider
> routines:OSSL_provider_init_int:self test post
> failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
> *80D1CD65667F:error:078C0105:common libcrypto
> routines:provider_init:init
> fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
> *Error loading FIPS provider.*
>
>
> Steps:
>
> Followed the steps @
> https://www.openssl.org/docs/man3.0/man7/fips_module.html
> 
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/provider.h>
>
>
>
> int main(void)
>
> {
>
> OSSL_PROVIDER *fips;
>
> OSSL_PROVIDER *base;
>
>
>
> fips = OSSL_PROVIDER_load(NULL, "fips");
>
> if (fips == NULL) {
>
> printf("Failed to load FIPS provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
> base = OSSL_PROVIDER_load(NULL, "base");
>
> if (base == NULL) {
>
> OSSL_PROVIDER_unload(fips);
>
> printf("Failed to load base provider\n");
>
> exit(EXIT_FAILURE);
>
> }
>
>
>
> /* Rest of application */
>
>
>
> OSSL_PROVIDER_unload(base);
>
> OSSL_PROVIDER_unload(fips);
>
> exit(EXIT_SUCCESS);
>
> }
>
>
> More info:
>
>
> /usr/bin # openssl version -d
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> /exos/bin # openssl version -a
>
> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>
> built on: Tue May 30 12:31:57 2023 UTC
>
> platform: linux-x86_64
>
> options:  bn(64,64)
>
> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
> -fmacro-prefix-map=  -fdebug-prefix-map=
>-fdebug-prefix-map=  -fdebug-prefix-map=
>  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
> -DNDEBUG
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> ENGINESDIR: "/usr/lib/engines-3"
>
> MODULESDIR: "/usr/lib/ossl-modules"
>
> Seeding source: os-specific
>
> CPUINFO: N/A
>
>
> Attached the openssl and fips conf.
>
>
> Could you guys please check and share what is missing here? Any help would
> be appreciated.
>
>
> Thanks,
>
> Murugesh
>
>
>


Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Hi,

Need your help on using openssl fips provider programmatically with openssl
3.0.9.

Error seen:

*80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.9/providers/fips/self_test.c:262:*
*80D1CD65667F:error:1C8000D8:Provider
routines:OSSL_provider_init_int:self test post
failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:*
*80D1CD65667F:error:078C0105:common libcrypto
routines:provider_init:init
fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips*
*Error loading FIPS provider.*


Steps:

Followed the steps @
https://www.openssl.org/docs/man3.0/man7/fips_module.html


    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/provider.h>

    int main(void)
    {
        OSSL_PROVIDER *fips;
        OSSL_PROVIDER *base;

        /* Load the FIPS provider into the default library context */
        fips = OSSL_PROVIDER_load(NULL, "fips");
        if (fips == NULL) {
            printf("Failed to load FIPS provider\n");
            exit(EXIT_FAILURE);
        }
        /* Load the base provider alongside it */
        base = OSSL_PROVIDER_load(NULL, "base");
        if (base == NULL) {
            OSSL_PROVIDER_unload(fips);
            printf("Failed to load base provider\n");
            exit(EXIT_FAILURE);
        }

        /* Rest of application */

        OSSL_PROVIDER_unload(base);
        OSSL_PROVIDER_unload(fips);
        exit(EXIT_SUCCESS);
    }


More info:


/usr/bin # openssl version -d

OPENSSLDIR: "/usr/lib/ssl-3"

/exos/bin # openssl version -a

OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

built on: Tue May 30 12:31:57 2023 UTC

platform: linux-x86_64

options:  bn(64,64)

compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
--sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
-fmacro-prefix-map=  -fdebug-prefix-map=
   -fdebug-prefix-map=  -fdebug-prefix-map=
 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
-DNDEBUG

OPENSSLDIR: "/usr/lib/ssl-3"

ENGINESDIR: "/usr/lib/engines-3"

MODULESDIR: "/usr/lib/ossl-modules"

Seeding source: os-specific

CPUINFO: N/A


Attached the openssl and fips conf.


Could you guys please check and share what is missing here? Any help would
be appreciated.


Thanks,

Murugesh


fipsmodule.cnf
Description: Binary data


openssl.cnf
Description: Binary data