Regarding FIPS 140-2 support on embedded target

Tomas Mraz tomas at openssl.org
Wed Nov 15 16:12:28 UTC 2023


You can also use openssl version -d to check for the directory where
openssl.cnf is expected to be placed.

Tomas Mraz, OpenSSL


On Wed, 2023-11-15 at 17:09 +0100, Tomas Mraz wrote:
> The most probable reason is that the /etc/ssl/openssl.cnf file is
> actually not being loaded because the libcrypto.so expects it to be
> at a different location.
> 
> I would recommend using strace to find out what config file
> libcrypto is trying to load.
> 
> Tomas Mraz, OpenSSL
> 
> On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> > Hi
> > I want to bring up FIPS 140-2 support in openssl for my embedded
> > target. The current version of openssl being used is
> > OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and
> > the kernel is Linux 5.15.32 (arm64). The aim is to execute a sample
> > application, nginx and openssh with FIPS 140-2 compliance.
> > For this I set up the configuration environment for
> > the FIPS provider and tried to execute a sample application that
> > programmatically loads the fips provider (fips.so), which all failed.
> > I have attached the following files for reference:
> > openssl.cnf
> > fipsmodule.cnf
> > fp.cpp (fips-test executable)
> > 
> > With cross compilation of openssl from Yocto with fips support
> > (enable-fips as part of the configuration), the fips provider
> > shared library 'fips.so' is produced.
> > From the build output, the following files are placed on the embedded
> > target:
> > binary file: /usr/bin/openssl
> > libraries: /usr/lib/libcrypto.so.3
> >            /usr/lib/libssl.so.3
> >            /usr/lib/ossl-modules/fips.so
> > configuration files:
> >            /etc/ssl/openssl.cnf
> >            /usr/lib/ssl-3/fipsmodule.cnf
> > The file /etc/ssl/openssl.cnf is configured for the fips/base providers
> > and includes the path of fipsmodule.cnf.
> > Below are the changes in the file /etc/ssl/openssl.cnf.
> > -------------
> > --- /home/root/backup-openssl/openssl.cnf       2023-11-14
> > 16:28:59.117481173 +0000
> > +++ /etc/ssl/openssl.cnf        2023-11-14 17:19:55.627228042 +0000
> > @@ -8,6 +8,7 @@
> >  # Note that you can include other files from the main
> > configuration
> >  # file using the .include directive.
> >  #.include filename
> > +.include /usr/lib/ssl-3/fipsmodule.cnf
> > 
> >  # This definition stops the following lines choking if HOME isn't
> >  # defined.
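Review bot: the new `.include /usr/lib/ssl-3/fipsmodule.cnf` is the right mechanism, but it is being added to /etc/ssl/openssl.cnf while the included file and the `fipsinstall -out` target both live under /usr/lib/ssl-3, which suggests OPENSSLDIR is /usr/lib/ssl-3 and that libcrypto reads /usr/lib/ssl-3/openssl.cnf rather than the file edited here; confirm the directory with `openssl version -d` (or strace, as suggested above) before debugging the provider sections. Keep this include path identical to whatever `-out` path is passed to `openssl fipsinstall`, otherwise the `[fips_sect]` it relies on is never read.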
> > @@ -64,8 +65,11 @@
> > 
> >  # List of providers to load
> >  [provider_sect]
> > -default = default_sect
> > -legacy = legacy_sect
> > +fips = fips_sect
> > +base = base_sect
> > +
> > +#default = default_sect
> > +#legacy = legacy_sect
> >  # The fips section name should match the section name inside the
> >  # included fipsmodule.cnf.
> >  # fips = fips_sect
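Review bot: with `default = default_sect` and `legacy = legacy_sect` commented out and only fips and base listed, this configuration leaves no provider that implements MD5, so `openssl md5 /dev/null` still producing a digest (shown further down in the message) is evidence that this file is not the one libcrypto loaded, not that this provider list is wrong. Once the file at the real OPENSSLDIR carries these lines, `openssl list -providers` should report only base and fips and the md5 command should fail. The stale `# fips = fips_sect` comment left just below the active `fips = fips_sect` line could be dropped to avoid confusion.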
> > @@ -78,13 +82,16 @@
> >  # becomes unavailable in openssl.  As a consequence applications
> > depending on
> >  # OpenSSL may not work correctly which could lead to significant
> > system
> >  # problems including inability to remotely access the system.
> > -[default_sect]
> > - activate = 1
> > +#[default_sect]
> > +# activate = 1
> > 
> > -[legacy_sect]
> > -activate = 1
> > +#[legacy_sect]
> > +#activate = 1
> > 
> > 
> > +[base_sect]
> > +activate = 1
> > +
> >  ##################################################################
> > ##
> >  [ ca ]
> >  default_ca     = CA_default            # The default ca section
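Review bot: this file now defines `[base_sect]` with `activate = 1` but no `[fips_sect]`, so activation of the fips provider depends entirely on the included fipsmodule.cnf written by `openssl fipsinstall` containing `[fips_sect]` with `activate = 1` and a `module-mac` that matches the installed fips.so. Check that generated file after the install, and rerun `openssl fipsinstall` whenever fips.so is rebuilt (a rebuilt module generally has a different MAC), since a stale MAC makes the integrity self-test fail and the provider refuses to load.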
> > --------------
> > 
> > After the above changes I executed the command below, which was
> > successful for the self test and for updating the digest of the fips
> > provider.
> > openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module
> > /usr/lib/ossl-modules/fips.so
> > HMAC : (Module_Integrity) : Pass
> > SHA1 : (KAT_Digest) : Pass
> > SHA2 : (KAT_Digest) : Pass
> > SHA3 : (KAT_Digest) : Pass
> > TDES : (KAT_Cipher) : Pass
> > AES_GCM : (KAT_Cipher) : Pass
> > AES_ECB_Decrypt : (KAT_Cipher) : Pass
> > RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> > Pass
> > ECDSA : (PCT_Signature) : Pass
> > ECDSA : (PCT_Signature) : Pass
> > DSA : (PCT_Signature) : Pass
> > TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> > TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> > TLS12_PRF : (KAT_KDF) : Pass
> > PBKDF2 : (KAT_KDF) : Pass
> > SSHKDF : (KAT_KDF) : Pass
> > KBKDF : (KAT_KDF) : Pass
> > HKDF : (KAT_KDF) : Pass
> > SSKDF : (KAT_KDF) : Pass
> > X963KDF : (KAT_KDF) : Pass
> > X942KDF : (KAT_KDF) : Pass
> > HASH : (DRBG) : Pass
> > CTR : (DRBG) : Pass
> > HMAC : (DRBG) : Pass
> > DH : (KAT_KA) : Pass
> > ECDH : (KAT_KA) : Pass
> > RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > INSTALL PASSED
> > ---
> > Further testing with the command below shows MD5 is still supported,
> > whereas the expectation is that this digest is unsupported.
> > openssl md5 /dev/null
> > MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
> > 
> > I also executed the sample application fips-test, which fails to load
> > the fips provider. Below is the output.
> > ---
> > /tmp/fips-test
> > Failed to load FIPS provider
> > ----
> > 
> > Please let me know if I am doing anything wrong in my settings.
> > Also let me know how to test nginx and openssh with the fips provider.
> > I appreciate your help. Thanks in advance.
> > 
> > Regards
> > Manjunatha Srinivasan N
> 

-- 
Tomáš Mráz, OpenSSL
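The two checks Tomas recommends (where libcrypto expects openssl.cnf, and whether the config at that path really activates only the fips and base providers), worked as an added example that is not part of this thread or of OpenSSL: it parses `openssl version -d` output and an openssl.cnf shaped like the diff above. The sample output and file contents are constructed, and `fips_only_problems` is a helper name assumed here.

```python
import re
# Constructed samples (not captured from the poster's target): `openssl version -d` output,
# and an openssl.cnf / fipsmodule.cnf pair shaped like the diff in the thread.
SAMPLE_VERSION_D = 'OPENSSLDIR: "/usr/lib/ssl-3"\n'
SAMPLE_CNF = """\
.include /usr/lib/ssl-3/fipsmodule.cnf
[provider_sect]
fips = fips_sect
base = base_sect
#default = default_sect
[base_sect]
activate = 1
"""
SAMPLE_FIPSMODULE = "[fips_sect]\nactivate = 1\nmodule-mac = 00:11:22:33\n"

def expected_cnf_path(version_d_output):
    """The openssl.cnf libcrypto will actually load: OPENSSLDIR from `openssl version -d`."""
    m = re.search(r'OPENSSLDIR:\s*"([^"]+)"', version_d_output)
    return m.group(1).rstrip("/") + "/openssl.cnf" if m else None

def parse_cnf(text):
    """Minimal openssl.cnf reader: returns (.include paths, {section: {key: value}})."""
    includes, sections, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments such as '#default = default_sect'
        if line.startswith(".include"):
            includes.append(line[len(".include"):].lstrip("= ").strip())
        elif line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = value
    return includes, sections

def fips_only_problems(cnf_text, fipsmodule_text=""):
    """Findings if the config does not do what the thread's diff intends (empty list = OK)."""
    includes, sections = parse_cnf(cnf_text + "\n" + fipsmodule_text)  # merge the included file
    problems = []
    if not any(path.endswith("fipsmodule.cnf") for path in includes):
        problems.append("openssl.cnf does not .include fipsmodule.cnf")
    prov = sections.get(sections.get("openssl_init", {}).get("providers", "provider_sect"), {})
    for name in ("fips", "base"):
        if sections.get(prov.get(name, ""), {}).get("activate") != "1":
            problems.append(f"{name} provider is not activated")
    for name in ("default", "legacy"):
        if sections.get(prov.get(name, ""), {}).get("activate") == "1":
            problems.append(f"{name} provider still active, so MD5 and other non-FIPS algorithms remain usable")
    return problems
```

On the target, feed it the real `openssl version -d` output and the file found at that path; a reported path other than /etc/ssl/openssl.cnf, or a non-empty findings list, accounts for the MD5 and fips-test symptoms described in the thread.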


