Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Thanks Matt for looking into this.

Here is the output:

 # openssl list --providers -provider fips -provider base

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active


Also please find the fipsmodule.cnf file contents before and after
fipsinstall, which I missed attaching in the previous mail:

Before install, fipsmodule.cnf is:

 # cat /usr/lib/ssl-3/fipsmodule.cnf
[fips_sect]
activate = 1
conditional-errors = 1
security-checks = 1
module-mac = F9:2B:17:EB:57:57:C5:DA:4F:4B:BE:02:05:16:50:0A:4B:5F:02:C7:38:62:B4:36:DF:D1:6E:E1:BA:FA:12:69


After fips install:

[fips_sect]
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN


Note: Removed the 'activate=1' manually.


Thanks,

Murugesh

On Fri, May 24, 2024 at 8:35 PM Matt Caswell  wrote:

> What do you get by loading the provider via the "openssl list" command,
> i.e. what is the output from:
>
> $ openssl list --providers -provider fips -provider base
>
>
> Matt
>
> On 24/05/2024 15:48, murugesh pitchaiah wrote:
> > Thanks Neil for your response. Please find more details below.
> >
> > Yes we run fipsinstall and then edit the fipsmodule.cnf file to remove
> > the 'activate=1' line. Then try to programmatically load the FIPS provider.
> > Here are the detailed steps.
> > Once the device boots up, the device has fipsmodule.cnf present in
> > /usr/lib/ssl-3 which does not have install_mac and install_status. We
> > have edited the openssl.cnf file as mentioned below:
> >
> > .include /usr/local/ssl/fipsmodule.cnf
> >
> > [openssl_init]
> > providers = provider_sect
> >
> > [provider_sect]
> > fips = fips_sect
> > base = base_sect
> >
> > [base_sect]
> > activate = 1
> >
> > We executed the below command to install, which also
> > generates/updates the fipsmodule.cnf file:
> >
> >   openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
> > /usr/lib/ssl-3/fipsmodule.cnf
> >
> >   The above command executed successfully and updated install-status in the
> > fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:
> >
> > [fips_sect]
> > activate = 1
> > install-version = 1
> > conditional-errors = 1
> > security-checks = 1
> > module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
> > install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> > install-status = INSTALL_SELF_TEST_KATS_RUN
> >
> > Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
> > this we triggered the code that programmatically loads the FIPS provider,
> > which caused the error:
> >
> > > 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> > > 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> > > 80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> > > Error loading FIPS provider.
> >
> >
> > Please share if we are missing something. Thanks in advance.
> >
> >
> > Regards,
> >
> > Murugesh
> >
> >
> >
> > On Fri, May 24, 2024 at 6:55 PM Neil Horman wrote:
> >
> > I assume that, after building the openssl library you ran openssl
> > fipsinstall?  i.e. you're not just using a previously generated
> > fipsmodule.cnf file?  The above errors initially seem like self
> > tests failed on the fips provider load, suggesting that the
> > module-mac or install-mac is incorrect in your config.
> > Neil
> >
> > On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah wrote:
> >
> > Hi,
> >
> > Need your help on using openssl fips provider
> > programmatically with openssl 3.0.9.
> >
> > Error seen:
> >
> > 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> > 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
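As an added check that is not part of the thread or of OpenSSL, the script below parses a fipsmodule.cnf and the openssl.cnf that includes it (both in the layout shown above) and reports whether [fips_sect] carries every key fipsinstall writes, whether module-mac and install-mac are well-formed 32-byte values, whether install-status records a completed KAT run, whether each provider in provider_sect names a defined section, and whether the .include line names the path given to fipsinstall -out. The sample file contents and MAC values are constructed; the parser handles only the .cnf subset these files use.

```python
import re
# fipsinstall writes each MAC as 32 colon-separated upper-case hex bytes (HMAC-SHA256)
MAC_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")
REQUIRED = ("install-version", "conditional-errors", "security-checks",
            "module-mac", "install-mac", "install-status")

def parse_cnf(text):
    """Minimal parser for the .cnf subset used here: .include, [section], key = value."""
    sections, includes, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(".include"):
            includes.append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections, includes

def check_fipsmodule(sections):
    """Problems with the [fips_sect] that `openssl fipsinstall -out` should have written."""
    fips = sections.get("fips_sect")
    if fips is None:
        return ["no [fips_sect] section"]
    problems = [f"missing {k} (file predates fipsinstall?)" for k in REQUIRED if k not in fips]
    for key in ("module-mac", "install-mac"):
        if key in fips and not MAC_RE.match(fips[key]):
            problems.append(f"{key} is not 32 colon-separated hex bytes")
    if fips.get("install-status") != "INSTALL_SELF_TEST_KATS_RUN":
        problems.append("install-status does not record a completed KAT run")
    return problems

def check_openssl_cnf(openssl_text, fipsinstall_out, fips_sections):
    """Cross-check openssl.cnf against the path that was passed to fipsinstall -out."""
    sections, includes = parse_cnf(openssl_text)
    problems = []
    if fipsinstall_out not in includes:
        problems.append(f".include {includes} does not name {fipsinstall_out}")
    for name, sect in sections.get("provider_sect", {}).items():
        if sect not in sections and sect not in fips_sections:
            problems.append(f"provider '{name}' refers to undefined section [{sect}]")
    return problems

# Constructed samples in the layout of the thread's files; the MAC values are made up.
MAC_A, MAC_B = (":".join(f"{b:02X}" for b in range(s, s + 32)) for s in (0, 32))
FIPSMODULE_POST = (f"[fips_sect]\ninstall-version = 1\nconditional-errors = 1\n"
                   f"security-checks = 1\nmodule-mac = {MAC_A}\ninstall-mac = {MAC_B}\n"
                   "install-status = INSTALL_SELF_TEST_KATS_RUN\n")
FIPSMODULE_PRE = "[fips_sect]\nactivate = 1\nconditional-errors = 1\nsecurity-checks = 1\n"
OPENSSL_CNF = (".include /usr/local/ssl/fipsmodule.cnf\n[openssl_init]\nproviders = provider_sect\n"
               "[provider_sect]\nfips = fips_sect\nbase = base_sect\n[base_sect]\nactivate = 1\n")

def run(fipsmodule_text, openssl_text, fipsinstall_out="/usr/lib/ssl-3/fipsmodule.cnf"):
    # Returns (fipsmodule.cnf problems, openssl.cnf problems); both empty means consistent.
    fips_sections, _ = parse_cnf(fipsmodule_text)
    return check_fipsmodule(fips_sections), check_openssl_cnf(openssl_text, fipsinstall_out, fips_sections)
```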

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread Matt Caswell
What do you get by loading the provider via the "openssl list" command, 
i.e. what is the output from:


$ openssl list --providers -provider fips -provider base


Matt

On 24/05/2024 15:48, murugesh pitchaiah wrote:

Thanks Neil for your response. Please find more details below.

Yes we run fipsinstall and then edit the fipsmodule.cnf file to remove 
the 'activate=1' line. Then try to programmatically load the FIPS provider. 
Here are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in 
/usr/lib/ssl-3 which does not have install_mac and install_status. We 
have edited the openssl.cnf file as mentioned below:


.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

We executed the below command to install, which also 
generates/updates the fipsmodule.cnf file:

  openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
/usr/lib/ssl-3/fipsmodule.cnf

  The above command executed successfully and updated install-status in the 
fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:


[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from the fipsmodule.cnf file. After 
this we triggered the code that programmatically loads the FIPS provider, 
which caused the error:


> 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.


Please share if we are missing something. Thanks in advance.


Regards,

Murugesh



On Fri, May 24, 2024 at 6:55 PM Neil Horman wrote:

I assume that, after building the openssl library you ran openssl
fipsinstall?  i.e. you're not just using a previously generated
fipsmodule.cnf file?  The above errors initially seem like self
tests failed on the fips provider load, suggesting that the
module-mac or install-mac is incorrect in your config.
Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah wrote:

Hi,

Need your help on using openssl fips provider
programmatically with openssl 3.0.9.

Error seen:

80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.
Steps:

Followed the steps @
https://www.openssl.org/docs/man3.0/man7/fips_module.html



#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context; the module's
     * self tests run here, so NULL means initialisation (including them) failed. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    /* The base provider supplies the encoders/decoders needed to load keys from files. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}


Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Thanks Neil for your response. Please find more details below.

Yes we run fipsinstall and then edit the fipsmodule.cnf file to remove the
'activate=1' line. Then try to programmatically load the FIPS provider. Here
are the detailed steps.
Once the device boots up, the device has fipsmodule.cnf present in
/usr/lib/ssl-3 which does not have install_mac and install_status. We have
edited the openssl.cnf file as mentioned below:

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

We executed the below command to install, which also
generates/updates the fipsmodule.cnf file:

 openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out
/usr/lib/ssl-3/fipsmodule.cnf

 The above command executed successfully and updated install-status in the
fipsmodule.cnf file. The resultant fipsmodule.cnf file is as follows:

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 5E:4A:02:9F:6E:26:2F:FE:FD:4D:45:6A:7E:D1:18:18:59:9C:04:56:50:6C:59:FC:3B:2F:BE:39:D4:79:08:E3
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

Then we removed the line "activate = 1" from the fipsmodule.cnf file. After
this we triggered the code that programmatically loads the FIPS provider, which
caused the error:

> 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.


Please share if we are missing something. Thanks in advance.


Regards,

Murugesh



On Fri, May 24, 2024 at 6:55 PM Neil Horman  wrote:

> I assume that, after building the openssl library you ran openssl
> fipsinstall?  i.e. you're not just using a previously generated
> fipsmodule.cnf file?  The above errors initially seem like self tests
> failed on the fips provider load, suggesting that the module-mac or
> install-mac is incorrect in your config.
> Neil
>
> On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
> murugesh.pitcha...@gmail.com> wrote:
>
>> Hi,
>>
>> Need your help on using openssl fips provider programmatically with
>> openssl 3.0.9.
>>
>> Error seen:
>>
>> 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
>> 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
>> 80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
>> Error loading FIPS provider.
>>
>>
>> Steps:
>>
>> Followed the steps @
>> https://www.openssl.org/docs/man3.0/man7/fips_module.html
>> 
>>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <openssl/provider.h>
>>
>> int main(void)
>> {
>>     OSSL_PROVIDER *fips;
>>     OSSL_PROVIDER *base;
>>
>>     /* Load the FIPS provider into the default library context; the module's
>>      * self tests run here, so NULL means initialisation (including them) failed. */
>>     fips = OSSL_PROVIDER_load(NULL, "fips");
>>     if (fips == NULL) {
>>         printf("Failed to load FIPS provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>     /* The base provider supplies the encoders/decoders needed to load keys from files. */
>>     base = OSSL_PROVIDER_load(NULL, "base");
>>     if (base == NULL) {
>>         OSSL_PROVIDER_unload(fips);
>>         printf("Failed to load base provider\n");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* Rest of application */
>>
>>     OSSL_PROVIDER_unload(base);
>>     OSSL_PROVIDER_unload(fips);
>>     exit(EXIT_SUCCESS);
>> }
>>
>>
>> More info:
>>
>>
>> /usr/bin # openssl version -d
>>
>> OPENSSLDIR: "/usr/lib/ssl-3"
>>
>> /exos/bin # openssl version -a
>>
>> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>>
>> built on: Tue May 30 12:31:57 2023 UTC
>>
>> platform: linux-x86_64
>>
>> options:  bn(64,64)
>>
>> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
>> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
>> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
>> -fmacro-prefix-map=  -fdebug-prefix-map=
>>-fdebug-prefix-map=  -fdebug-prefix-map=
>>  -DOPENSSL_USE_NODELETE -DL_ENDIAN 

Re: Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread Neil Horman
I assume that, after building the openssl library you ran openssl
fipsinstall?  i.e. you're not just using a previously generated
fipsmodule.cnf file?  The above errors initially seem like self tests
failed on the fips provider load, suggesting that the module-mac or
install-mac is incorrect in your config.
Neil

On Fri, May 24, 2024 at 2:05 AM murugesh pitchaiah <
murugesh.pitcha...@gmail.com> wrote:

> Hi,
>
> Need your help on using openssl fips provider programmatically with
> openssl 3.0.9.
>
> Error seen:
>
> 80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
> 80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
> 80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
> Error loading FIPS provider.
>
>
> Steps:
>
> Followed the steps @
> https://www.openssl.org/docs/man3.0/man7/fips_module.html
> 
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <openssl/provider.h>
>
> int main(void)
> {
>     OSSL_PROVIDER *fips;
>     OSSL_PROVIDER *base;
>
>     /* Load the FIPS provider into the default library context; the module's
>      * self tests run here, so NULL means initialisation (including them) failed. */
>     fips = OSSL_PROVIDER_load(NULL, "fips");
>     if (fips == NULL) {
>         printf("Failed to load FIPS provider\n");
>         exit(EXIT_FAILURE);
>     }
>     /* The base provider supplies the encoders/decoders needed to load keys from files. */
>     base = OSSL_PROVIDER_load(NULL, "base");
>     if (base == NULL) {
>         OSSL_PROVIDER_unload(fips);
>         printf("Failed to load base provider\n");
>         exit(EXIT_FAILURE);
>     }
>
>     /* Rest of application */
>
>     OSSL_PROVIDER_unload(base);
>     OSSL_PROVIDER_unload(fips);
>     exit(EXIT_SUCCESS);
> }
>
>
> More info:
>
>
> /usr/bin # openssl version -d
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> /exos/bin # openssl version -a
>
> OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
>
> built on: Tue May 30 12:31:57 2023 UTC
>
> platform: linux-x86_64
>
> options:  bn(64,64)
>
> compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
> --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
> -fmacro-prefix-map=  -fdebug-prefix-map=
>-fdebug-prefix-map=  -fdebug-prefix-map=
>  -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
> -DNDEBUG
>
> OPENSSLDIR: "/usr/lib/ssl-3"
>
> ENGINESDIR: "/usr/lib/engines-3"
>
> MODULESDIR: "/usr/lib/ossl-modules"
>
> Seeding source: os-specific
>
> CPUINFO: N/A
>
>
> Attached the openssl and fips conf.
>
>
> Could you guys please check and share what is missing here? Any help would
> be appreciated.
>
>
> Thanks,
>
> Murugesh
>
>
>


Re: Blocking on a non-blocking socket?

2024-05-24 Thread Matt Caswell




On 24/05/2024 02:30, Wiebe Cazemier wrote:

> Can you show me in the code where that is?

It's here:

https://github.com/openssl/openssl/blob/b9e084f139c53ce133e66aba2f523c680141c0e6/ssl/record/rec_layer_s3.c#L1038-L1054

The "retry" codepath occurs where we hit the "goto start".

> My main concern is, if it would get an EWOULDBLOCK, there is (almost) no sense 
> in retrying because in the 100 microseconds or so that passed, there is likely 
> still no data.

This situation does not occur. The "auto-retry" only occurs in the case 
where we have *successfully* read a non-application data record. If we 
get an EWOULDBLOCK then this is always propagated back to the application.

> Wouldn't the option then have to be called 'read more than one record 
> at a time'? To me, 'retry' is a bit of a misnomer in that description.

The "retry" here is the normal meaning of the English word, and does not 
refer to a "network" retry, i.e. we tried to read application data but 
actually got something else, so retry that attempt.

Matt





Need help on self test post failure - programmatically load FIPS provider

2024-05-24 Thread murugesh pitchaiah
Hi,

Need your help on using openssl fips provider programmatically with openssl
3.0.9.

Error seen:

80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:
80D1CD65667F:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.9/providers/fips/fipsprov.c:707:
80D1CD65667F:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.9/crypto/provider_core.c:932:name=fips
Error loading FIPS provider.


Steps:

Followed the steps @
https://www.openssl.org/docs/man3.0/man7/fips_module.html


#include <stdio.h>
#include <stdlib.h>
#include <openssl/provider.h>

int main(void)
{
    OSSL_PROVIDER *fips;
    OSSL_PROVIDER *base;

    /* Load the FIPS provider into the default library context; the module's
     * self tests run here, so NULL means initialisation (including them) failed. */
    fips = OSSL_PROVIDER_load(NULL, "fips");
    if (fips == NULL) {
        printf("Failed to load FIPS provider\n");
        exit(EXIT_FAILURE);
    }
    /* The base provider supplies the encoders/decoders needed to load keys from files. */
    base = OSSL_PROVIDER_load(NULL, "base");
    if (base == NULL) {
        OSSL_PROVIDER_unload(fips);
        printf("Failed to load base provider\n");
        exit(EXIT_FAILURE);
    }

    /* Rest of application */

    OSSL_PROVIDER_unload(base);
    OSSL_PROVIDER_unload(fips);
    exit(EXIT_SUCCESS);
}


More info:


/usr/bin # openssl version -d

OPENSSLDIR: "/usr/lib/ssl-3"

/exos/bin # openssl version -a

OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

built on: Tue May 30 12:31:57 2023 UTC

platform: linux-x86_64

options:  bn(64,64)

compiler: x86_64-poky-linux-gcc  -m64 -fstack-protector-strong  -O2
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security
--sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types
-fmacro-prefix-map=  -fdebug-prefix-map=
   -fdebug-prefix-map=  -fdebug-prefix-map=
 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL
-DNDEBUG

OPENSSLDIR: "/usr/lib/ssl-3"

ENGINESDIR: "/usr/lib/engines-3"

MODULESDIR: "/usr/lib/ossl-modules"

Seeding source: os-specific

CPUINFO: N/A


Attached the openssl and fips conf.


Could you guys please check and share what is missing here? Any help would
be appreciated.


Thanks,

Murugesh

