Bug 272454 - openssl 3 fips module doesn't load on arm64
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: arm64 Any
Importance: --- Affects Some People
Assignee: Pierre Pronchery
Reported: 2023-07-11 18:22 UTC by Mark Johnston
Modified: 2023-07-20 20:55 UTC

Attachments
Build AES functions into the FIPS module (1.49 KB, patch)
2023-07-12 16:48 UTC, Pierre Pronchery

Description Mark Johnston freebsd_committer freebsd_triage 2023-07-11 18:22:59 UTC
At commit 43ed91e00bbb, I see:

markj@devkit> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020A10D3A430000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "aes_v8_encrypt"
0020A10D3A430000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_lib.c:152:
0020A10D3A430000:error:07880025:common libcrypto routines:provider_init:reason(524325):/root/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips

Whereas on amd64 at the same revision:

markj@biggie> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
002061FB0A5B0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/root/freebsd/crypto/openssl/providers/fips/self_test.c:290:
002061FB0A5B0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:/root/freebsd/crypto/openssl/providers/fips/self_test.c:388:
002061FB0A5B0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:/root/freebsd/crypto/openssl/providers/fips/fipsprov.c:707:
002061FB0A5B0000:error:078C0105:common libcrypto routines:provider_init:init fail:/root/freebsd/crypto/openssl/crypto/provider_core.c:932:name=fips
Comment 1 Pierre Pronchery 2023-07-12 16:47:58 UTC
According to https://www.openssl.org/docs/man3.0/man7/EVP_CIPHER-AES.html most of the AES algorithms should be provided by the FIPS module, but the Makefile does not build them. I suspect that on amd64 the symbols are exposed through libcrypto.so, while arm64 looks for them only in fips.so.
Does it make sense?
I am preparing a patch anyway.
Comment 2 Pierre Pronchery 2023-07-12 16:48:49 UTC
Created attachment 243357
Build AES functions into the FIPS module
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2023-07-12 20:12:12 UTC
(In reply to Pierre Pronchery from comment #1)
The patch fixes the error, but now I get an error for a different symbol:

markj@devkit> openssl rc4 -provider fips -e -a -pbkdf2
rc4: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
0020018DE9650000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/home/markj/src/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "gcm_ghash_v8"
0020018DE9650000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/home/markj/src/freebsd/crypto/openssl/crypto/dso/dso_lib.c:152:
0020018DE9650000:error:07880025:common libcrypto routines:provider_init:reason(524325):/usr/home/markj/src/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips

(In reply to Pierre Pronchery from comment #1)
> I suspect that on amd64 the symbols are exposed through libcrypto.so, while arm64 looks for them only in fips.so. Does it make sense?

You're suggesting that symbol resolution is somehow working differently on arm64 than amd64?  I think this is unlikely.
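
Added example, not part of the bug thread and not FreeBSD or OpenSSL code: a small triage parser for the error-queue lines quoted in this report. It separates the arm64 failure (the dynamic linker cannot resolve a symbol, so fips.so never loads) from the amd64 one (the module loads and its self-test reports missing config data). The names `OsslError`, `parse_error_queue` and `classify` are hypothetical, and the colon-separated field layout is inferred from the lines on this page.

```python
import re
from typing import NamedTuple

class OsslError(NamedTuple):
    code: str
    lib: str
    func: str
    reason: str
    source: str   # "file:line" inside the OpenSSL tree
    data: str     # free-form detail; may itself contain ':'

UNDEF = re.compile(r'Undefined symbol "([^"]+)"')

def parse_error_queue(text):
    """Parse 'tid:error:code:lib:func:reason:file:line:data' lines."""
    errors = []
    for line in text.splitlines():
        parts = line.strip().split(":", 8)
        if len(parts) != 9 or parts[1] != "error":
            continue  # prompt, "Hint:" line, or other non-queue output
        _tid, _, code, lib, func, reason, path, lineno, data = parts
        errors.append(OsslError(code, lib, func, reason, f"{path}:{lineno}", data))
    return errors

def classify(text):
    """Return (stage, detail): where the provider load failed and why."""
    errors = parse_error_queue(text)
    for e in errors:            # linker failure: module never ran
        m = UNDEF.search(e.data)
        if e.func == "dlfcn_load" and m:
            return ("dlopen", m.group(1))
    for e in errors:            # module ran, power-on self-test failed
        if e.func == "SELF_TEST_post":
            return ("self-test", e.reason)
    return ("unknown", errors[0].reason if errors else "")

# Sample input: lines copied from the arm64 and amd64 output in this report.
ARM64 = '''rc4: unable to load provider fips
0020A10D3A430000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/root/freebsd/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "aes_v8_encrypt"
0020A10D3A430000:error:07880025:common libcrypto routines:provider_init:reason(524325):/root/freebsd/crypto/openssl/crypto/provider_core.c:912:name=fips
'''
AMD64 = '''rc4: unable to load provider fips
002061FB0A5B0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:/root/freebsd/crypto/openssl/providers/fips/self_test.c:290:
002061FB0A5B0000:error:078C0105:common libcrypto routines:provider_init:init fail:/root/freebsd/crypto/openssl/crypto/provider_core.c:932:name=fips
'''

if __name__ == "__main__":
    print(classify(ARM64))
    print(classify(AMD64))
```

A `dlopen` result points at the build of fips.so itself, while a `self-test` result means the shared object linked and its own initialization code ran.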
Comment 4 Pierre Pronchery 2023-07-13 15:19:18 UTC
I have prepared a more complete patch for review in https://reviews.freebsd.org/D41018.
Comment 5 Pierre Pronchery 2023-07-17 17:52:11 UTC
@markj can we close this?
Comment 6 Ed Maste freebsd_committer freebsd_triage 2023-07-17 18:19:45 UTC
(In reply to Pierre Pronchery from comment #5)
We still need to get D41018 committed?
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-07-20 19:16:48 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c42ed54bfe2d3255ab4df4245de4b97c1064e40

commit 1c42ed54bfe2d3255ab4df4245de4b97c1064e40
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2023-07-20 18:16:14 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-07-20 19:05:12 +0000

    libcrypto: add missing symbols to the FIPS provider

    The fips.so provider module exposing FIPS-validated algorithms was still
    missing a number of symbols.

    PR:             272454
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D41018

 secure/lib/libcrypto/modules/fips/Makefile | 73 ++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)