At commit 43ed91e00bbb, I see:

markj@devkit> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020A10D3A430000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "aes_v8_encrypt"
0020A10D3A430000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_lib.c:152:
0020A10D3A430000:error:07880025:common libcrypto routines:provider_init:reason(524325):/root/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips

Whereas on amd64 at the same revision:

markj@biggie> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
002061FB0A5B0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/root/freebsd/crypto/openssl/providers/fips/self_test.c:290:
002061FB0A5B0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:/root/freebsd/crypto/openssl/providers/fips/self_test.c:388:
002061FB0A5B0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:/root/freebsd/crypto/openssl/providers/fips/fipsprov.c:707:
002061FB0A5B0000:error:078C0105:common libcrypto routines:provider_init:init fail:/root/freebsd/crypto/openssl/crypto/provider_core.c:932:name=fips
According to https://www.openssl.org/docs/man3.0/man7/EVP_CIPHER-AES.html most of the AES algorithms should be provided by the FIPS module, but the Makefile does not build them. I suspect that on amd64 the symbols are exposed through libcrypto.so, while arm64 looks for them only in fips.so. Does it make sense? I am preparing a patch anyway.
Created attachment 243357: Build AES functions into the FIPS module
(In reply to Pierre Pronchery from comment #1)
The patch fixes the error, but now I get an error for a different symbol:

markj@devkit> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020018DE9650000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/home/markj/src/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "gcm_ghash_v8"
0020018DE9650000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/home/markj/src/freebsd/crypto/openssl/crypto/dso/dso_lib.c:152:
0020018DE9650000:error:07880025:common libcrypto routines:provider_init:reason(524325):/usr/home/markj/src/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips

(In reply to Pierre Pronchery from comment #1)
> I suspect that on amd64 the symbols are exposed through libcrypto.so, while arm64 looks for them only in fips.so. Does it make sense?

You're suggesting that symbol resolution is somehow working differently on arm64 than amd64? I think this is unlikely.
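Added example, not part of the thread and not FreeBSD or OpenSSL code: a triage script run over the error output quoted in the reports above, showing that the two machines stop at different stages (arm64 while fips.so is being loaded, amd64 in the provider's self-test). The field layout and the names `parse_queue` and `triage` are assumptions of this example.

```python
import re

# Error output copied from the two reports in this thread (arm64, then amd64).
ARM64 = """\
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020A10D3A430000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "aes_v8_encrypt"
0020A10D3A430000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_lib.c:152:
0020A10D3A430000:error:07880025:common libcrypto routines:provider_init:reason(524325):/root/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips
"""
AMD64 = """\
rc4: unable to load provider fips
002061FB0A5B0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/root/freebsd/crypto/openssl/providers/fips/self_test.c:290:
002061FB0A5B0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:/root/freebsd/crypto/openssl/providers/fips/self_test.c:388:
002061FB0A5B0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:/root/freebsd/crypto/openssl/providers/fips/fipsprov.c:707:
002061FB0A5B0000:error:078C0105:common libcrypto routines:provider_init:init fail:/root/freebsd/crypto/openssl/crypto/provider_core.c:932:name=fips
"""

UNDEF = re.compile(r'Undefined symbol "([^"]+)"')
KEYS = ("tid", "kind", "code", "library", "function", "reason", "file", "line", "data")

def parse_queue(text):
    """Split error-queue lines into dicts; lines in any other shape are skipped.

    Assumed layout, as seen in the output above:
    tid:error:code:library:function:reason:file:line:data
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":", 8)  # the last field (data) may contain ':'
        if len(parts) == 9 and parts[1] == "error":
            entries.append(dict(zip(KEYS, (p.strip() for p in parts))))
    return entries

def triage(text):
    """Return (stage, detail): where provider loading stopped and why."""
    entries = parse_queue(text)
    for e in entries:
        m = UNDEF.search(e["data"])
        if e["library"] == "DSO support routines" and m:
            return ("dlopen", m.group(1))      # the module itself failed to load
    for e in entries:
        if e["function"] == "SELF_TEST_post":
            return ("self-test", e["reason"])  # module loaded, self-test failed
    return ("unknown", entries[0]["reason"] if entries else "")

if __name__ == "__main__":
    for name, out in (("arm64", ARM64), ("amd64", AMD64)):
        print(name, triage(out))
```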
I have prepared a more complete patch for review in https://reviews.freebsd.org/D41018.
@markj can we close this?
(In reply to Pierre Pronchery from comment #5) We still need to get D41018 committed?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c42ed54bfe2d3255ab4df4245de4b97c1064e40

commit 1c42ed54bfe2d3255ab4df4245de4b97c1064e40
Author: Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-07-20 18:16:14 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-20 19:05:12 +0000

    libcrypto: add missing symbols to the FIPS provider

    The fips.so provider module exposing FIPS-validated algorithms was still missing a number of symbols.

    PR: 272454
    Reviewed by: markj
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D41018

 secure/lib/libcrypto/modules/fips/Makefile | 73 ++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)