Unable to load the FIPs config file OpenSSL 3.0


Unable to load the FIPs config file OpenSSL 3.0

OpenSSL - User mailing list
Hi All,

Can you kindly help me with this error while running the below program that tries to load the configuration which has the FIPS provider?

The program is built on the build machine and is to be run on a Linux MIPS platform, and the below error is seen:

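#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/provider.h>

int main(void) {
    /* Private library context that the FIPS configuration is loaded into */
    OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
    if (libctx == NULL)
        return 1;
    /* Relative path: resolved against the current working directory */
    OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
    if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
        fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
        ERR_print_errors_fp(stderr);
    }
    fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
    OSSL_LIB_CTX_free(libctx);
    return 0;
}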

ERROR: OSSL_LIB_CTX_load_config()
000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): ./providers/fips.so: cannot open shared object file: No such file or directory
000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_lib.c:162:
000000FFF2406000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:557:name=fips
000000FFF2406000:error:0700006D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1
Version: OpenSSL 3.0.0-alpha13 11 Mar 2021

~ # ls -lrt providers/
-rwxrwxrwx    1 root    root      1748513 Mar 30 13:24 fips.so

~ # echo $LD_LIBRARY_PATH
~ #

Steps done:
1>On the build machine, build OpenSSL for the target architecture, Linux MIPS, and copy the required binaries to the Linux MIPS box.
2>On the Linux MIPS box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (KAT_Signature) : Pass
DSA : (KAT_Signature) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED

~ # cat fipsmod.cnf
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

3>On the build machine, modify the contents of "openssl.cnf" with the above output, and build the test program linking with the crypto library.

  cat openssl-3.0.0-alpha13/apps/openssl.cnf
openssl_conf = openssl_init

[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes

4>Copied the openssl.cnf to "/" on the Linux box and also executed "export OPENSSL_CONF=/"

4>Now, on executing the test program on the Linux box, the load error is observed.

Do we need to set any environment variable to get the load working, or is any step missing/wrong?

This test program has worked fine on my build machine when I build, fipsinstall and rebuild my test program and run the test on the build machine.

Your input will help me.

Thanks
Bala

Re: Unable to load the FIPs config file OpenSSL 3.0

Dr Paul Dale-2
Our general suggestion is to keep the FIPS configuration in its own
file and include that -- this helps when updating.

Does a full path to the providers directory help?
Could you try a build with debugging symbols so it's possible to see
what's going on better?
Set a breakpoint on OSSL_PROVIDER_load() and see what's happening?


Pauli

On 31/3/21 12:29 am, Bala Duvvuri via openssl-users wrote:

> Hi All,
>
> Can you kindly help me with this error while running the below program that tries to load the configuration which has the FIPS provider?
>
> The program is built on the build machine and is to be run on a Linux MIPS platform, and the below error is seen:
>
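> #include <stdio.h>
> #include <openssl/crypto.h>
> #include <openssl/err.h>
> #include <openssl/provider.h>
>
> int main(void) {
>     /* Private library context that the FIPS configuration is loaded into */
>     OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
>     if (libctx == NULL)
>         return 1;
>     /* Relative path: resolved against the current working directory */
>     OSSL_PROVIDER_set_default_search_path(libctx, "./providers");
>     if (!OSSL_LIB_CTX_load_config(libctx, "openssl.cnf")) {
>         fputs("ERROR: OSSL_LIB_CTX_load_config()\n", stderr);
>         ERR_print_errors_fp(stderr);
>     }
>     fprintf(stdout, "Version: %s\n", OpenSSL_version(OPENSSL_VERSION));
>     OSSL_LIB_CTX_free(libctx);
>     return 0;
> }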
>
> ERROR: OSSL_LIB_CTX_load_config()
> 000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(./providers/fips.so): ./providers/fips.so: cannot open shared object file: No such file or directory
> 000000FFF2406000:error:12800067:DSO support routines:(unknown function):could not load the shared library:crypto/dso/dso_lib.c:162:
> 000000FFF2406000:error:078C0105:common libcrypto routines:(unknown function):init fail:crypto/provider_core.c:557:name=fips
> 000000FFF2406000:error:0700006D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1
> Version: OpenSSL 3.0.0-alpha13 11 Mar 2021
>
> ~ # ls -lrt providers/
> -rwxrwxrwx    1 root    root      1748513 Mar 30 13:24 fips.so
>
> ~ # echo $LD_LIBRARY_PATH
> ~ #
>
> Steps done:
> 1>On the build machine, build OpenSSL for the target architecture, Linux MIPS, and copy the required binaries to the Linux MIPS box.
> 2>On the Linux MIPS box, run ./openssl fipsinstall -out fipsmod.cnf -module fips.so
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (KAT_Signature) : Pass
> DSA : (KAT_Signature) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
>
> ~ # cat fipsmod.cnf
> [fips_sect]
> activate = 1
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> 3>On the build machine, modify the contents of "openssl.cnf" with the above output, and build the test program linking with the crypto library.
>
>    cat openssl-3.0.0-alpha13/apps/openssl.cnf
> openssl_conf = openssl_init
>
> [fips_sect]
> activate = 1
> install-version = 1
> conditional-errors = 1
> security-checks = 1
> module-mac = 60:26:6C:C9:2D:86:A2:25:86:44:67:DC:EE:95:8F:1F:A1:84:4E:42:C4:E6:1F:6A:12:24:A3:29:72:58:A4:0E
> install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
> install-status = INSTALL_SELF_TEST_KATS_RUN
>
> [openssl_init]
> providers = provider_sect
> alg_section = algorithm_sect
>
> [provider_sect]
> default = default_sect
> fips = fips_sect
>
> [default_sect]
> activate = 1
>
> [algorithm_sect]
> default_properties = fips=yes
>
> 4>Copied the openssl.cnf to "/" on the Linux box and also executed "export OPENSSL_CONF=/"
>
> 4>Now, on executing the test program on the Linux box, the load error is observed.
>
> Do we need to set any environment variable to get the load working, or is any step missing/wrong?
>
> This test program has worked fine on my build machine when I build, fipsinstall and rebuild my test program and run the test on the build machine.
>
> Your input will help me.
>
> Thanks
> Bala
>
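
Following the full-path suggestion in the reply above, this added example (not code from either poster or from the OpenSSL project) resolves the providers directory to an absolute path and attempts the same dlopen() step that fails in crypto/dso/dso_dlfcn.c, outside of any OpenSSL configuration. It assumes a Linux target with dlfcn; `probe_provider` and the `probe_result` values are hypothetical names, while `OSSL_provider_init` is the entry point an OpenSSL 3 provider module exports.

```c
#define _XOPEN_SOURCE 700
#include <dlfcn.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum probe_result { PROBE_OK, PROBE_NO_DIR, PROBE_NO_FILE,
                    PROBE_DLOPEN_FAILED, PROBE_NO_INIT };

/* Hypothetical helper: resolve dir into abs_dir (PATH_MAX bytes), then try to
 * load <abs_dir>/<name>.so as a dlfcn loader would; err receives the reason. */
enum probe_result probe_provider(const char *dir, const char *name,
                                 char *abs_dir, char *err, size_t errlen)
{
    char path[PATH_MAX + 64];

    if (realpath(dir, abs_dir) == NULL) {   /* relative dir depends on the cwd */
        snprintf(err, errlen, "cannot resolve directory %s", dir);
        return PROBE_NO_DIR;
    }
    snprintf(path, sizeof(path), "%s/%s.so", abs_dir, name);
    if (access(path, R_OK) != 0) {
        snprintf(err, errlen, "%s is missing or unreadable", path);
        return PROBE_NO_FILE;
    }
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL) {                   /* the loader's own explanation */
        snprintf(err, errlen, "%s", dlerror());
        return PROBE_DLOPEN_FAILED;
    }
    int has_init = dlsym(handle, "OSSL_provider_init") != NULL;
    dlclose(handle);
    if (!has_init)
        snprintf(err, errlen, "%s has no OSSL_provider_init", path);
    return has_init ? PROBE_OK : PROBE_NO_INIT;
}

int main(int argc, char **argv)
{
    char abs_dir[PATH_MAX], err[512] = "";
    enum probe_result r = probe_provider(argc > 1 ? argv[1] : "./providers",
                                         "fips", abs_dir, err, sizeof(err));
    if (r == PROBE_OK)
        printf("loadable; absolute search path: %s\n", abs_dir);
    else
        fprintf(stderr, "probe failed (%d): %s\n", r, err);
    return r;
}
```

When the probe succeeds, the printed absolute path is the value to pass to OSSL_PROVIDER_set_default_search_path() in place of "./providers"; on older glibc, link with -ldl.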