Failures to load fips provider result in cryptic error due to bundling of conditionals #24179
Comments
It seems reasonable to me to separate the conditionals. Adding "help wanted" to this issue.
Not sure what would be the improvement as the first condition is not going to fail ever - it could be even converted to an ossl_assert(). The error message The config data is in your case missing because you've placed
@mattcaswell : I can provide a patch if desired.
The problem is that at this place in the code there is not much else you can report than missing checksum data. Something could be done in fips_get_params_from_core() - there we could report that some mandatory params are missing - i.e. the
One of the common issues I've run into dealing with the FIPS provider is that the error handling in selftest.c isn't incredibly helpful. In particular, this line bundles together 2 conditionals to ensure the second conditional doesn't result in a SIGSEGV from a NULL pointer dereference...
openssl/providers/fips/self_test.c
Lines 338 to 339 in e1fd043
This results in this cryptic error though:
Separating out the two conditionals would (at the very least) allow end-users to better determine what condition is causing the fips provider to not load.
(in my particular scenario, it's the second case that's failing)
Contents of
$OPENSSL_CONF
"fipsmodule.cnf" (ossl_cnf_43Rk3C.fips)
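The difference the thread is discussing, as an added illustration that is not code from the issue or from OpenSSL: a bundled check that reports one code for two different failures, the same check split in two, and a configuration-reading step that names the missing mandatory key. The types, the key names `module-checksum-data` and `other-setting`, and the error codes are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not OpenSSL's types, keys or error codes. */
typedef struct { const char *key, *value; } core_param;
typedef struct { const char *module_checksum_data; } selftest_params;
enum { LOAD_OK, ERR_GENERIC, ERR_NULL_PARAMS, ERR_MISSING_CHECKSUM };

/* Constructed sample: configuration data that lacks the checksum entry. */
static const core_param sample_cfg[] = { { "other-setting", "1" } };

/* Early stage: copy the value and return the name of the missing
 * mandatory key, or NULL when it is present. */
const char *get_params(const core_param *p, size_t n, selftest_params *st)
{
    st->module_checksum_data = NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].key, "module-checksum-data") == 0)
            st->module_checksum_data = p[i].value;
    return st->module_checksum_data == NULL ? "module-checksum-data" : NULL;
}

/* Bundled form: a NULL struct and a missing checksum look the same. */
int check_bundled(const selftest_params *st)
{
    if (st == NULL || st->module_checksum_data == NULL)
        return ERR_GENERIC;
    return LOAD_OK;
}

/* Separated form: each failure has its own code; NULL is still tested first. */
int check_separated(const selftest_params *st)
{
    if (st == NULL)
        return ERR_NULL_PARAMS;
    return st->module_checksum_data == NULL ? ERR_MISSING_CHECKSUM : LOAD_OK;
}

int main(void)
{
    selftest_params st;
    const char *missing = get_params(sample_cfg, 1, &st);
    printf("missing=%s bundled=%d separated=%d\n",
           missing ? missing : "(none)", check_bundled(&st), check_separated(&st));
    return 0;
}
```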