RE: Openssl 3.0 fipsinstall fails in yocto linux environment
Hi Kory,

I am cross-compiling. Here is the command line from the "perl configdata.pm --dump" command. I'm using an existing openssl 3.0 recipe which I just modified with enable-fips.

perl ../openssl-3.0.0/Configure disable-devcryptoeng enable-fips --prefix=/usr --openssldir=/usr/lib/ssl-3 --libdir=/usr/lib linux-armv4

The output of openssl version -a is as follows.

OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
built on: Tue Sep 7 11:46:32 2021 UTC
platform: linux-armv4
options: bn(64,32)
compiler: arm-poky-linux-gnueabi-gcc -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a7 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=recipe-sysroot -O2 -pipe -g -feliminate-unused-debug-types -fmacro-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -fdebug-prefix-map= -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/lib/ssl-3"
ENGINESDIR: "/usr/lib/engines-3"
MODULESDIR: "/usr/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x1

thanks,
Susan

Message: 2
Date: Tue, 9 Nov 2021 14:32:19 -0800
From: Kory Hamzeh
To: openssl-users@openssl.org
Subject: Re: Openssl 3.0 fipsinstall fails in yocto linux environment

Hi Susan,

How did you run Configure? Are you cross compiling? By default, OpenSSL 3.0.0 builds for /usr/local. You MUST install it there or use a Configure option if you want to install it somewhere else.

Kory

> On Nov 9, 2021, at 2:21 PM, Susan Tremel wrote:
>
> I've successfully built and installed openssl 3.0 and the fips.so module in my yocto build environment. My goal is to make the FIPS module the default provider for all applications so I modified my openssl.cnf file to match the docs like the following.
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> base = base_sect
>
> [base_sect]
> activate = 1
>
> After boot, I check the installed providers with "openssl list -providers" and see only the base provider. I then try to install the FIPS module with the following.
>
> openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> and I get the error output:
> Unable to get MAC of type HMAC
> INSTALL FAILED
> 1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties ()
>
> When I replace the base provider with the default provider, leaving the fips module like the following
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> default = default_sect
> fips = fips_sect
>
> [default_sect]
> activate = 1
>
> I see only the default provider installed after I boot and when I try to manually install the FIPS module with the above command I get the following.
> Failed to load FIPS module
> INSTALL FAILED
> 1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261:
> 1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
> 1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
>
> From this state, if I copy the ossl-modules directory to a different location like /usr/lib/ssl-3/ and try to manually install the FIPS module with
>
> openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> it successfully installs with the following output and I see both the fips and default providers installed.
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF :
Re: Openssl 3.0 fipsinstall fails in yocto linux environment
Hi Susan,

How did you run Configure? Are you cross compiling? By default, OpenSSL 3.0.0 builds for /usr/local. You MUST install it there or use a Configure option if you want to install it somewhere else.

Kory

> On Nov 9, 2021, at 2:21 PM, Susan Tremel wrote:
>
> I've successfully built and installed openssl 3.0 and the fips.so module in my yocto build environment. My goal is to make the FIPS module the default provider for all applications so I modified my openssl.cnf file to match the docs like the following.
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> base = base_sect
>
> [base_sect]
> activate = 1
>
> After boot, I check the installed providers with "openssl list -providers" and see only the base provider. I then try to install the FIPS module with the following.
>
> openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> and I get the error output:
> Unable to get MAC of type HMAC
> INSTALL FAILED
> 1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties ()
>
> When I replace the base provider with the default provider, leaving the fips module like the following
>
> config_diagnostics = 1
> openssl_conf = openssl_init
>
> .include /usr/lib/ssl-3/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> default = default_sect
> fips = fips_sect
>
> [default_sect]
> activate = 1
>
> I see only the default provider installed after I boot and when I try to manually install the FIPS module with the above command I get the following.
> Failed to load FIPS module
> INSTALL FAILED
> 1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261:
> 1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
> 1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips
>
> From this state, if I copy the ossl-modules directory to a different location like /usr/lib/ssl-3/ and try to manually install the FIPS module with
>
> openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf
>
> it successfully installs with the following output and I see both the fips and default providers installed.
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
>
> I need to get the FIPS module to install without needing the default provider. It seems like the FIPS module is trying to install and getting stuck in a bad state, but I could use some help debugging this.
>
> Thanks for any help you can provide.
> Susan
Openssl 3.0 fipsinstall fails in yocto linux environment
I've successfully built and installed openssl 3.0 and the fips.so module in my yocto build environment. My goal is to make the FIPS module the default provider for all applications so I modified my openssl.cnf file to match the docs like the following.

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/lib/ssl-3/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

After boot, I check the installed providers with "openssl list -providers" and see only the base provider. I then try to install the FIPS module with the following.

openssl fipsinstall -module /usr/lib/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf

and I get the error output:

Unable to get MAC of type HMAC
INSTALL FAILED
1020F876:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../openssl-3.0.0/crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (HMAC : 0), Properties ()

When I replace the base provider with the default provider, leaving the fips module like the following

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/lib/ssl-3/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1

I see only the default provider installed after I boot and when I try to manually install the FIPS module with the above command I get the following.

Failed to load FIPS module
INSTALL FAILED
1080F176:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.0/providers/fips/self_test.c:261:
1080F176:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.0/providers/fips/fipsprov.c:706:
1080F176:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.0/crypto/provider_core.c:903:name=fips

From this state, if I copy the ossl-modules directory to a different location like /usr/lib/ssl-3/ and try to manually install the FIPS module with

openssl fipsinstall -module /usr/lib/ssl-3/ossl-modules/fips.so -out /usr/lib/ssl-3/fipsmodule.cnf

it successfully installs with the following output and I see both the fips and default providers installed.

HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED

I need to get the FIPS module to install without needing the default provider. It seems like the FIPS module is trying to install and getting stuck in a bad state, but I could use some help debugging this.

Thanks for any help you can provide.
Susan
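An added example, not code from the thread or from the OpenSSL project: a POSIX shell helper that runs the fipsinstall step described above into a temporary file, checks the self-test report and the generated fipsmodule.cnf, re-verifies it with fipsinstall -verify, and only then moves it to the path that the openssl.cnf .include expects. It points OPENSSL_CONF at an empty file during the install so that the openssl.cnf shown above, with its .include of an older fipsmodule.cnf, is not loaded while the new one is being produced; the checked keys (module-mac, install-mac, install-status = INSTALL_SELF_TEST_KATS_RUN) are the ones OpenSSL 3.0's fipsinstall writes, and the FIPS_MODULE/FIPS_OUT environment variables are this example's own convention.

```shell
#!/bin/sh
# Added example: install the OpenSSL 3.0 FIPS module into a temp file, verify, then publish.
set -eu

# Check a generated fipsmodule.cnf for the keys OpenSSL 3.0's fipsinstall writes.
check_fipsmodule_cnf() {
    f="$1"
    for key in module-mac install-mac install-status; do
        grep -q "^${key} *= *." "$f" || { echo "missing ${key} in ${f}" >&2; return 1; }
    done
    # The self-tests must be recorded as run, otherwise the module will not activate.
    grep -q '^install-status *= *INSTALL_SELF_TEST_KATS_RUN' "$f" \
        || { echo "self-tests not recorded as run in ${f}" >&2; return 1; }
}

# Check fipsinstall's self-test report: every "NAME : (TEST) : ..." line must end
# in Pass and the final INSTALL PASSED marker must be present.
check_selftest_report() {
    report="$1"
    grep -q '^INSTALL PASSED$' "$report" || return 1
    ! grep -E '^[A-Za-z0-9_]+ : \([A-Za-z0-9_]+\) : ' "$report" | grep -qv ': Pass$'
}

# Run fipsinstall into a temp file. OPENSSL_CONF is pointed at an empty file so
# that openssl.cnf (and any stale .include of fipsmodule.cnf) is not loaded here.
install_fips_module() {
    module="$1"   # e.g. /usr/lib/ossl-modules/fips.so
    out="$2"      # e.g. /usr/lib/ssl-3/fipsmodule.cnf
    tmp="$(mktemp "${out}.XXXXXX")"
    report="$(mktemp)"
    empty_cnf="$(mktemp)"
    OPENSSL_CONF="$empty_cnf" openssl fipsinstall -module "$module" -out "$tmp" \
        >"$report" 2>&1 || { cat "$report" >&2; return 1; }
    check_selftest_report "$report"
    check_fipsmodule_cnf "$tmp"
    # Re-check the written config against the module before it goes live.
    OPENSSL_CONF="$empty_cnf" openssl fipsinstall -module "$module" -in "$tmp" -verify
    mv "$tmp" "$out"
    rm -f "$report" "$empty_cnf"
    echo "installed ${out}"
}

# Usage (this example's convention):
#   FIPS_MODULE=/usr/lib/ossl-modules/fips.so FIPS_OUT=/usr/lib/ssl-3/fipsmodule.cnf sh fips-install.sh
if [ -n "${FIPS_MODULE:-}" ]; then
    install_fips_module "$FIPS_MODULE" "${FIPS_OUT:-/usr/lib/ssl-3/fipsmodule.cnf}"
fi
```

After a successful run, "openssl list -providers" with the normal openssl.cnf in place should list the fips provider without the copy-to-another-directory workaround described in the thread.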