Regarding FIPS 140-2 support on embedded target

manjunatha srinivasan manjunathan.n at gmail.com
Wed Nov 15 14:48:12 UTC 2023 

Hi

With further testing by calling ERR_print_errors_fp(stderr) is sample
application following are  error output.
 */tmp/fips-test*
Failed to load FIPS provider
8094B6B6FFFF0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing
config data:../openssl-3.0.2/providers/fips/self_test.c:289:
8094B6B6FFFF0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips
module entering error state:../openssl-3.0.2/providers/fips/self_test.c:387:
8094B6B6FFFF0000:error:1C8000D8:Provider
routines:OSSL_provider_init_int:self test post
failure:../openssl-3.0.2/providers/fips/fipsprov.c:706:
8094B6B6FFFF0000:error:078C0105:common libcrypto
routines:provider_init:init
fail:../openssl-3.0.2/crypto/provider_core.c:910:name=fips

Regards
Manjunatha Srinivasan N


On Wed, 15 Nov 2023 at 19:03, manjunatha srinivasan <manjunathan.n at gmail.com>
wrote:

> Hi
> I want to bring up the FIPS 140-2 support for my embedded target for
> openssl. The current version of openssl is being used is
>  OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and the
> kernel is LInux 5.15.32 (arm64). Aim is to execute  a sample
>  application, nginx, openssh to execute as FIPS 140-2 compliance.  For
> this I had set up the configuration environment for
> the FIPS provider and tried to execute a sample application
> programmatically to load fips provider (fips.so)  which all failed.
> I have attached the following file as reference.
> openssl.cnf
> fipsmodule.cnf
> fp.cpp (fips-test executable)
>
> With cross compilation of openssl from Yocto with fips support
> (enable-fips as part of configuration),  fips provider 'fips.so' shared
> library
> is produced.
> From build outcome used following files are placed in embedded target:
> binary file: /usr/bin/openssl
> libraries: /usr/lib/libcrypto.so.3
>               /usr/lib/libssl.so.3
>               /usr/lib/ossl-modules/fips.so
> configuration files:
>              /etc/ssl/openssl.cnf
>              /usr/lib/ssl-3/fipsmodule.cnf
> The file /etc/ssl/openssl.cnf is configured for fips/base providers and
> includes the path for fipsmodule.cnf.
> Below are changes in file  /etc/ssl/openssl.cnf.
> -------------
> --- /home/root/backup-openssl/openssl.cnf       2023-11-14
> 16:28:59.117481173 +0000
> +++ /etc/ssl/openssl.cnf        2023-11-14 17:19:55.627228042 +0000
> @@ -8,6 +8,7 @@
>  # Note that you can include other files from the main configuration
>  # file using the .include directive.
>  #.include filename
> +.include /usr/lib/ssl-3/fipsmodule.cnf
>
>  # This definition stops the following lines choking if HOME isn't
>  # defined.
> @@ -64,8 +65,11 @@
>
>  # List of providers to load
>  [provider_sect]
> -default = default_sect
> -legacy = legacy_sect
> +fips = fips_sect
> +base = base_sect
> +
> +#default = default_sect
> +#legacy = legacy_sect
>  # The fips section name should match the section name inside the
>  # included fipsmodule.cnf.
>  # fips = fips_sect
> @@ -78,13 +82,16 @@
>  # becomes unavailable in openssl.  As a consequence applications
> depending on
>  # OpenSSL may not work correctly which could lead to significant system
>  # problems including inability to remotely access the system.
> -[default_sect]
> - activate = 1
> +#[default_sect]
> +# activate = 1
>
> -[legacy_sect]
> -activate = 1
> +#[legacy_sect]
> +#activate = 1
>
>
> +[base_sect]
> +activate = 1
> +
>  ####################################################################
>  [ ca ]
>  default_ca     = CA_default            # The default ca section
> --------------
>
> After the above changes executed below command which was successful for
> self test and updating digest of fips provider.
> *openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf  -module
> /usr/lib/ossl-modules/fips.so*
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
> ---
> Further testing of the below command shows MD5 is still supported, where
> the expectation digest is unsupported.
> *openssl md5 /dev/null*
> MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
>
> Also executed sample application fips-test which fails to load fips
> provider. Below is the output.
> ---
> */tmp/fips-test*
> Failed to load FIPS provider
> ----
>
> Please let me know if I am doing anything wrong in my settings. Also let
> me know how to test nginx, openssh with fips provider.
> I appreciate your help. Thanks in advance.
>
> Regards
> Manjunatha Srinivasan N
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231115/c66200c3/attachment.htm>

More information about the openssl-users mailing list