Regarding FIPS 140-2 support on embedded target

Tomas Mraz tomas at openssl.org
Wed Nov 15 16:09:26 UTC 2023 

The most probable reason is that the /etc/ssl/openssl.cnf file is
actually not being loaded because the libcrypto.so expects it to be at
a different location.

I would recommend using strace to find out what config file is
libcrypto trying to load.

Tomas Mraz, OpenSSL

On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> Hi
> I want to bring up the FIPS 140-2 support for my embedded target for
> openssl. The current version of openssl is being used is 
>  OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and
> the kernel is LInux 5.15.32 (arm64). Aim is to execute  a sample
>  application, nginx, openssh to execute as FIPS 140-2 compliance. 
> For this I had set up the configuration environment for 
> the FIPS provider and tried to execute a sample application
> programmatically to load fips provider (fips.so)  which all failed.
> I have attached the following file as reference. 
> openssl.cnf
> fipsmodule.cnf
> fp.cpp (fips-test executable)
>    
> With cross compilation of openssl from Yocto with fips support
> (enable-fips as part of configuration),  fips provider 'fips.so'
> shared library
> is produced. 
> From build outcome used following files are placed in embedded
> target: 
> binary file: /usr/bin/openssl 
> libraries: /usr/lib/libcrypto.so.3 
>               /usr/lib/libssl.so.3
>               /usr/lib/ossl-modules/fips.so
> configuration files: 
>              /etc/ssl/openssl.cnf
>              /usr/lib/ssl-3/fipsmodule.cnf 
> The file /etc/ssl/openssl.cnf is configured for fips/base providers
> and includes the path for fipsmodule.cnf. 
> Below are changes in file  /etc/ssl/openssl.cnf. 
> -------------
> --- /home/root/backup-openssl/openssl.cnf       2023-11-14
> 16:28:59.117481173 +0000
> +++ /etc/ssl/openssl.cnf        2023-11-14 17:19:55.627228042 +0000
> @@ -8,6 +8,7 @@
>  # Note that you can include other files from the main configuration
>  # file using the .include directive.
>  #.include filename
> +.include /usr/lib/ssl-3/fipsmodule.cnf
> 
>  # This definition stops the following lines choking if HOME isn't
>  # defined.
> @@ -64,8 +65,11 @@
> 
>  # List of providers to load
>  [provider_sect]
> -default = default_sect
> -legacy = legacy_sect
> +fips = fips_sect
> +base = base_sect
> +
> +#default = default_sect
> +#legacy = legacy_sect
>  # The fips section name should match the section name inside the
>  # included fipsmodule.cnf.
>  # fips = fips_sect
> @@ -78,13 +82,16 @@
>  # becomes unavailable in openssl.  As a consequence applications
> depending on
>  # OpenSSL may not work correctly which could lead to significant
> system
>  # problems including inability to remotely access the system.
> -[default_sect]
> - activate = 1
> +#[default_sect]
> +# activate = 1
> 
> -[legacy_sect]
> -activate = 1
> +#[legacy_sect]
> +#activate = 1
> 
> 
> +[base_sect]
> +activate = 1
> +
>  ####################################################################
>  [ ca ]
>  default_ca     = CA_default            # The default ca section
> --------------
> 
> After the above changes executed below command which was successful
> for self test and updating digest of fips provider.  
> openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf  -module
> /usr/lib/ossl-modules/fips.so
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
> ---
> Further testing of the below command shows MD5 is still supported,
> where the expectation digest is unsupported. 
> openssl md5 /dev/null
> MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
> 
> Also executed sample application fips-test which fails to load fips
> provider. Below is the output.  
> ---
> /tmp/fips-test
> Failed to load FIPS provider
> ----
> 
> Please let me know if I am doing anything wrong in my settings. Also
> let me know how to test nginx, openssh with fips provider. 
> I appreciate your help. Thanks in advance. 
> 
> Regards
> Manjunatha Srinivasan N

-- 
Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list