Regarding FIPS 140-2 support on embedded target
Tomas Mraz
tomas at openssl.org
Thu Nov 16 07:56:02 UTC 2023
Hmm... that seems correct. Can you please send me the openssl.cnf and
fipsmodule.cnf files?
It looks like if there is some option missing that would actually make
OpenSSL to consider the provider configuration.
Tomas Mraz, OpenSSL
On Wed, 2023-11-15 at 23:48 +0530, manjunatha srinivasan wrote:
> Hi Tomas
> Thanks for your response.
> With strace both openssl.cnf and included file fipsmodule.cnf and
> fips.so are opened for read.
> The default location of openssl is referring to /usr/lib/ssl-3/. So
> even keeping openssl.cnf at that
> location fails for loading fips provider.
> --------------------------
> openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
> futex(0xffff901297bc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=12563, ...},
> AT_EMPTY_PATH) = 0
> read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096
>
> newfstatat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf",
> {st_mode=S_IFREG|0644, st_size=351, ...}, 0) = 0
> openat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf", O_RDONLY) = 4
> newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=351, ...},
> AT_EMPTY_PATH) = 0
> read(4, "[fips_sect]\nactivate = 1\ninstall"..., 4096) = 351
> read(4, "", 4096) = 0
>
> openat(AT_FDCWD, "/usr/lib/ossl-modules/fips.so", O_RDONLY|O_CLOEXEC)
> = 3
> read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..
> ., 832) = 832
> newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=4796120, ...},
> AT_EMPTY_PATH) = 0
> ------------------
>
> Further debugging of error as stated earlier, the line of error at
> file openssl-3.0.2/providers/fips/self_test.c
> is as below:
>
> if (st == NULL
> || st->module_checksum_data == NULL) {
> ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
> goto end;
>
> Regards
> Manjunatha Srinivasan N
>
>
> On Wed, 15 Nov 2023 at 21:42, Tomas Mraz <tomas at openssl.org> wrote:
> > You can also use openssl version -d to check for the directory
> > where
> > openssl.cnf is expected to be placed.
> >
> > Tomas Mraz, OpenSSL
> >
> >
> > On Wed, 2023-11-15 at 17:09 +0100, Tomas Mraz wrote:
> > > The most probable reason is that the /etc/ssl/openssl.cnf file is
> > > actually not being loaded because the libcrypto.so expects it to
> > > be
> > > at
> > > a different location.
> > >
> > > I would recommend using strace to find out what config file is
> > > libcrypto trying to load.
> > >
> > > Tomas Mraz, OpenSSL
> > >
> > > On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> > > > Hi
> > > > I want to bring up the FIPS 140-2 support for my embedded
> > > > target
> > > > for
> > > > openssl. The current version of openssl is being used is
> > > > OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> > > > and
> > > > the kernel is LInux 5.15.32 (arm64). Aim is to execute a
> > > > sample
> > > > application, nginx, openssh to execute as FIPS 140-2
> > > > compliance.
> > > > For this I had set up the configuration environment for
> > > > the FIPS provider and tried to execute a sample application
> > > > programmatically to load fips provider (fips.so) which all
> > > > failed.
> > > > I have attached the following file as reference.
> > > > openssl.cnf
> > > > fipsmodule.cnf
> > > > fp.cpp (fips-test executable)
> > > >
> > > > With cross compilation of openssl from Yocto with fips support
> > > > (enable-fips as part of configuration), fips provider
> > > > 'fips.so'
> > > > shared library
> > > > is produced.
> > > > From build outcome used following files are placed in embedded
> > > > target:
> > > > binary file: /usr/bin/openssl
> > > > libraries: /usr/lib/libcrypto.so.3
> > > > /usr/lib/libssl.so.3
> > > > /usr/lib/ossl-modules/fips.so
> > > > configuration files:
> > > > /etc/ssl/openssl.cnf
> > > > /usr/lib/ssl-3/fipsmodule.cnf
> > > > The file /etc/ssl/openssl.cnf is configured for fips/base
> > > > providers
> > > > and includes the path for fipsmodule.cnf.
> > > > Below are changes in file /etc/ssl/openssl.cnf.
> > > > -------------
> > > > --- /home/root/backup-openssl/openssl.cnf 2023-11-14
> > > > 16:28:59.117481173 +0000
> > > > +++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042
> > > > +0000
> > > > @@ -8,6 +8,7 @@
> > > > # Note that you can include other files from the main
> > > > configuration
> > > > # file using the .include directive.
> > > > #.include filename
> > > > +.include /usr/lib/ssl-3/fipsmodule.cnf
> > > >
> > > > # This definition stops the following lines choking if HOME
> > > > isn't
> > > > # defined.
> > > > @@ -64,8 +65,11 @@
> > > >
> > > > # List of providers to load
> > > > [provider_sect]
> > > > -default = default_sect
> > > > -legacy = legacy_sect
> > > > +fips = fips_sect
> > > > +base = base_sect
> > > > +
> > > > +#default = default_sect
> > > > +#legacy = legacy_sect
> > > > # The fips section name should match the section name inside
> > > > the
> > > > # included fipsmodule.cnf.
> > > > # fips = fips_sect
> > > > @@ -78,13 +82,16 @@
> > > > # becomes unavailable in openssl. As a consequence
> > > > applications
> > > > depending on
> > > > # OpenSSL may not work correctly which could lead to
> > > > significant
> > > > system
> > > > # problems including inability to remotely access the system.
> > > > -[default_sect]
> > > > - activate = 1
> > > > +#[default_sect]
> > > > +# activate = 1
> > > >
> > > > -[legacy_sect]
> > > > -activate = 1
> > > > +#[legacy_sect]
> > > > +#activate = 1
> > > >
> > > >
> > > > +[base_sect]
> > > > +activate = 1
> > > > +
> > > > ##############################################################
> > > > ####
> > > > ##
> > > > [ ca ]
> > > > default_ca = CA_default # The default ca
> > > > section
> > > > --------------
> > > >
> > > > After the above changes executed below command which was
> > > > successful
> > > > for self test and updating digest of fips provider.
> > > > openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module
> > > > /usr/lib/ossl-modules/fips.so
> > > > HMAC : (Module_Integrity) : Pass
> > > > SHA1 : (KAT_Digest) : Pass
> > > > SHA2 : (KAT_Digest) : Pass
> > > > SHA3 : (KAT_Digest) : Pass
> > > > TDES : (KAT_Cipher) : Pass
> > > > AES_GCM : (KAT_Cipher) : Pass
> > > > AES_ECB_Decrypt : (KAT_Cipher) : Pass
> > > > RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> > > > Pass
> > > > ECDSA : (PCT_Signature) : Pass
> > > > ECDSA : (PCT_Signature) : Pass
> > > > DSA : (PCT_Signature) : Pass
> > > > TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> > > > TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> > > > TLS12_PRF : (KAT_KDF) : Pass
> > > > PBKDF2 : (KAT_KDF) : Pass
> > > > SSHKDF : (KAT_KDF) : Pass
> > > > KBKDF : (KAT_KDF) : Pass
> > > > HKDF : (KAT_KDF) : Pass
> > > > SSKDF : (KAT_KDF) : Pass
> > > > X963KDF : (KAT_KDF) : Pass
> > > > X942KDF : (KAT_KDF) : Pass
> > > > HASH : (DRBG) : Pass
> > > > CTR : (DRBG) : Pass
> > > > HMAC : (DRBG) : Pass
> > > > DH : (KAT_KA) : Pass
> > > > ECDH : (KAT_KA) : Pass
> > > > RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> > > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > > > INSTALL PASSED
> > > > ---
> > > > Further testing of the below command shows MD5 is still
> > > > supported,
> > > > where the expectation digest is unsupported.
> > > > openssl md5 /dev/null
> > > > MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
> > > >
> > > > Also executed sample application fips-test which fails to load
> > > > fips
> > > > provider. Below is the output.
> > > > ---
> > > > /tmp/fips-test
> > > > Failed to load FIPS provider
> > > > ----
> > > >
> > > > Please let me know if I am doing anything wrong in my settings.
> > > > Also
> > > > let me know how to test nginx, openssh with fips provider.
> > > > I appreciate your help. Thanks in advance.
> > > >
> > > > Regards
> > > > Manjunatha Srinivasan N
> > >
> >
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list