openssl: OpenSSL 3.0.1: FIPS provider not available

In migrating my OpenSSL 1.0.2 FIPS app to OpenSSL 3.0.1, I am having difficulty in loading the FIPS module. I am following closely the “Programmatically loading the FIPS module (default library context)” section of the fips module guide doc.

With the following changes, the FIPS module fails to load. In fact, OSSL_PROVIDER_available(NULL, "fips") returns 0.

Can someone please review my changes and see what might still be missing?

Config/Installation changes:

  1. enable-fips, --api=1.1.1, and --libdir=lib were added to config (the latter two for app compatibility)
  2. After build & install, openssl-3.0.1/providers/fips.so, openssl-3.0.1/providers/fipsmodule.cnf and openssl-3.0.1/apps/openssl.cnf were copied from the build VM to the app VM.

App changes:

  1. Edited the openssl.cnf to have the settings described in the fips module guide.
  2. Pointed app to the openssl config location: OPENSSL_config("/opt/uno/etc/openssl.cnf")
  3. Added the following loading code:
            /* fragment of the app's init routine; fips is the OSSL_PROVIDER * handle kept by the app */
            const char *default_search_path = "/opt/uno/lib/crypto";
            OSSL_PROVIDER_set_default_search_path(NULL, default_search_path);

            if (!OSSL_PROVIDER_available(NULL, "fips")) {
                SvcLog(LEVEL_ERROR, "FIPS provider not available");
                return false;
            }

            fips = OSSL_PROVIDER_load(NULL, "fips");
            if (fips == NULL) {
                SvcLog(LEVEL_ERROR, "Failed to load FIPS provider\n");
                return false;
            }

Key file locations in app:

[root@ven-rhel lib]# ls /opt/uno/lib/crypto/fips.so
/opt/uno/lib/crypto/fips.so

[root@ven-rhel etc]# ls /opt/uno/etc/openssl.cnf /opt/uno/etc/fipsmodule.cnf
/opt/uno/etc/fipsmodule.cnf  /opt/uno/etc/openssl.cnf

Selected content from openssl.cnf

openssl_conf = openssl_init

.include fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

fipsmodule.cnf content

[root@ven-rhel etc]# cat fipsmodule.cnf
[fips_sect]
# activate = 1
conditional-errors = 1
security-checks = 1
module-mac = 67:48:52:5C:46:50:3C:D9:FD:73:DD:77:C0:51:DB:1C:32:48:8D:73:DA:CF:55:B6:38:C9:40:C1:54:7B:B6:D1

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 29 (15 by maintainers)

Most upvoted comments

I have a couple of fundamental questions:

1. Is loading the FIPS module by config file and by explicit API calls mutually exclusive or not? As I quoted from the fips module guide above, the guide is pretty clear that you need the config file even if you load `fips.so` explicitly. Now what's not clear is, for a manual load, do you need just `fipsmodule.cnf`, or do you still need `openssl.cnf` where `fipsmodule.cnf` is referenced? @paulidale it would be great if you can clarify that.

You need to somehow load the fipsmodule.cnf file. The easiest way to do that is to properly include it from the default openssl.cnf file.

2. Is the `openssl fipsinstall` build target required? I don't know why that's the case based on the fips module guide. @paulidale can you please elaborate on why including this **special purpose** build target is unconditional?

make install in a build with enable-fips should create the fipsmodule.cnf with the module checksum. Doesn’t it for you?

… using the enable-fips option. If it is enabled, the FIPS provider gets built and installed in addition to the other standard providers. No separate installation procedure is necessary. There is however a dedicated install_fips make target, which serves the special purpose of installing only the FIPS provider into an existing OpenSSL installation.

3. Must `fipsmodule.cnf` be placed in the same directory as `fips.so` in the app?

The fipsmodule.cnf can be placed anywhere. The point is that it must be somehow loaded which is not done automatically.

@t8m, the sample openssl.cnf uses a non-absolute path. I tried .include ./fipsmodule.cnf to no avail.

./fipsmodule.cnf is not an absolute path. You need to use absolute path or set OPENSSL_CONF_INCLUDE environment variable, otherwise the file is looked up in the current working directory of the process that loads the openssl library.

# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf

Yeah, we should adjust the sample openssl.cnf to not use the relative path.
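As an added example (not code from this issue or from the OpenSSL project), the following POSIX shell script puts the maintainers' three answers above together for the layout in the original post: regenerate fipsmodule.cnf with `openssl fipsinstall` on the host where fips.so is actually deployed, write an openssl.cnf whose `.include` uses an absolute path, refuse or flag any relative `.include`, and verify by loading the provider explicitly from the app's search path with `openssl list`, which mirrors what OSSL_PROVIDER_load(NULL, "fips") does in the app. The /opt/uno paths are taken from the post; the FIPS_MODULE and CONF_DIR overrides and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the OpenSSL project. Paths default to the
# layout shown in the post; override via the environment if yours differs.
FIPS_MODULE="${FIPS_MODULE:-/opt/uno/lib/crypto/fips.so}"
CONF_DIR="${CONF_DIR:-/opt/uno/etc}"

# Generate fipsmodule.cnf (module-mac, install-mac, ...) for the fips.so on this host.
# The MAC is computed over the module file, so run this on the deployment VM instead of
# copying a fipsmodule.cnf produced on the build VM and hoping the bytes still match.
gen_fipsmodule_cnf() {
    module="$1"; out="$2"
    openssl fipsinstall -module "$module" -out "$out" -provider_name fips
}

# Write an openssl.cnf that pulls in fipsmodule.cnf by absolute path, so the include
# resolves regardless of the process's working directory. fips_sect is referenced but
# not activated here: the application activates it with OSSL_PROVIDER_load(). base is
# activated so encoders, decoders and store loaders stay available alongside fips.
write_openssl_cnf() {
    out="$1"; fipsmodule_cnf="$2"
    case "$fipsmodule_cnf" in
        /*) ;;
        *) echo "refusing relative include path: $fipsmodule_cnf" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
openssl_conf = openssl_init

.include $fipsmodule_cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
EOF
}

# Succeed only if every ".include" line (space or "=" form) names an absolute path.
# A relative path is looked up under OPENSSL_CONF_INCLUDE if that is set, otherwise in
# the current working directory of whatever process happens to load libcrypto.
check_include_paths() {
    awk '/^[ \t]*\.include/ {
             p = $0; sub(/^[ \t]*\.include[ \t=]*/, "", p)
             if (substr(p, 1, 1) != "/") bad = 1
         }
         END { exit bad }' "$1"
}

# Mirror the app: point libcrypto at the config, set the provider search path, and
# load fips (and base) explicitly. The listing should show fips with status active.
verify_fips_load() {
    conf="$1"; search_path="$2"
    OPENSSL_CONF="$conf" openssl list -providers \
        -provider-path "$search_path" -provider fips -provider base
}

# Usage on the deployment host (needs the OpenSSL 3 command-line tool):
#   gen_fipsmodule_cnf "$FIPS_MODULE" "$CONF_DIR/fipsmodule.cnf"
#   write_openssl_cnf "$CONF_DIR/openssl.cnf" "$CONF_DIR/fipsmodule.cnf"
#   check_include_paths "$CONF_DIR/openssl.cnf"
#   verify_fips_load "$CONF_DIR/openssl.cnf" "$(dirname "$FIPS_MODULE")"
```

If verify_fips_load lists only base, the fips_sect parameters were not picked up, which in practice means the include did not resolve; run check_include_paths on the file libcrypto is really reading (the one named by OPENSSL_CONF, or the one the app passes to OPENSSL_config) before suspecting the module itself.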