Regarding FIPS 140-2 support on embedded target

manjunatha srinivasan manjunathan.n at gmail.com
Wed Nov 15 13:33:00 UTC 2023 

Hi
I want to bring up the FIPS 140-2 support for my embedded target for
openssl. The current version of openssl is being used is
 OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and the
kernel is LInux 5.15.32 (arm64). Aim is to execute  a sample
 application, nginx, openssh to execute as FIPS 140-2 compliance.  For this
I had set up the configuration environment for
the FIPS provider and tried to execute a sample application
programmatically to load fips provider (fips.so)  which all failed.
I have attached the following file as reference.
openssl.cnf
fipsmodule.cnf
fp.cpp (fips-test executable)

With cross compilation of openssl from Yocto with fips support (enable-fips
as part of configuration),  fips provider 'fips.so' shared library
is produced.
>From build outcome used following files are placed in embedded target:
binary file: /usr/bin/openssl
libraries: /usr/lib/libcrypto.so.3
              /usr/lib/libssl.so.3
              /usr/lib/ossl-modules/fips.so
configuration files:
             /etc/ssl/openssl.cnf
             /usr/lib/ssl-3/fipsmodule.cnf
The file /etc/ssl/openssl.cnf is configured for fips/base providers and
includes the path for fipsmodule.cnf.
Below are changes in file  /etc/ssl/openssl.cnf.
-------------
--- /home/root/backup-openssl/openssl.cnf       2023-11-14
16:28:59.117481173 +0000
+++ /etc/ssl/openssl.cnf        2023-11-14 17:19:55.627228042 +0000
@@ -8,6 +8,7 @@
 # Note that you can include other files from the main configuration
 # file using the .include directive.
 #.include filename
+.include /usr/lib/ssl-3/fipsmodule.cnf

 # This definition stops the following lines choking if HOME isn't
 # defined.
@@ -64,8 +65,11 @@

 # List of providers to load
 [provider_sect]
-default = default_sect
-legacy = legacy_sect
+fips = fips_sect
+base = base_sect
+
+#default = default_sect
+#legacy = legacy_sect
 # The fips section name should match the section name inside the
 # included fipsmodule.cnf.
 # fips = fips_sect
@@ -78,13 +82,16 @@
 # becomes unavailable in openssl.  As a consequence applications depending
on
 # OpenSSL may not work correctly which could lead to significant system
 # problems including inability to remotely access the system.
-[default_sect]
- activate = 1
+#[default_sect]
+# activate = 1

-[legacy_sect]
-activate = 1
+#[legacy_sect]
+#activate = 1


+[base_sect]
+activate = 1
+
 ####################################################################
 [ ca ]
 default_ca     = CA_default            # The default ca section
--------------

After the above changes executed below command which was successful for
self test and updating digest of fips provider.
*openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf  -module
/usr/lib/ossl-modules/fips.so*
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
---
Further testing of the below command shows MD5 is still supported, where
the expectation digest is unsupported.
*openssl md5 /dev/null*
MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e

Also executed sample application fips-test which fails to load fips
provider. Below is the output.
---
*/tmp/fips-test*
Failed to load FIPS provider
----

Please let me know if I am doing anything wrong in my settings. Also let me
know how to test nginx, openssh with fips provider.
I appreciate your help. Thanks in advance.

Regards
Manjunatha Srinivasan N
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231115/bfcbdd2b/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl.cnf
Type: application/octet-stream
Size: 12563 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231115/bfcbdd2b/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fipsmodule.cnf
Type: application/octet-stream
Size: 351 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231115/bfcbdd2b/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fp.cpp
Type: application/octet-stream
Size: 953 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231115/bfcbdd2b/attachment-0005.obj>

More information about the openssl-users mailing list