Regarding FIPS 140-2 support on embedded target

manjunatha srinivasan manjunathan.n at gmail.com
Wed Nov 22 12:29:56 UTC 2023 

Hi Tomas

Very thanks for your reply.  I was away from work due to an emergency.
It worked for me. I have attached openssl.cnf.

Regards
Manjunatha Srinivasan N


On Thu, 16 Nov 2023 at 13:26, Tomas Mraz <tomas at openssl.org> wrote:

> Hmm... that seems correct. Can you please send me the openssl.cnf and
> fipsmodule.cnf files?
>
> It looks like if there is some option missing that would actually make
> OpenSSL to consider the provider configuration.
>
> Tomas Mraz, OpenSSL
>
> On Wed, 2023-11-15 at 23:48 +0530, manjunatha srinivasan wrote:
> > Hi Tomas
> > Thanks for your response.
> > With  strace both openssl.cnf and included file fipsmodule.cnf and
> > fips.so  are opened for read.
> > The default location of openssl is referring to /usr/lib/ssl-3/.  So
> > even keeping openssl.cnf at  that
> > location fails for loading fips provider.
> >  --------------------------
> > openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
> > futex(0xffff901297bc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=12563, ...},
> > AT_EMPTY_PATH) = 0
> > read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096
> >
> > newfstatat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf",
> > {st_mode=S_IFREG|0644, st_size=351, ...}, 0) = 0
> > openat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf", O_RDONLY) = 4
> > newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=351, ...},
> > AT_EMPTY_PATH) = 0
> > read(4, "[fips_sect]\nactivate = 1\ninstall"..., 4096) = 351
> > read(4, "", 4096)                       = 0
> >
> > openat(AT_FDCWD, "/usr/lib/ossl-modules/fips.so", O_RDONLY|O_CLOEXEC)
> > = 3
> > read(3,
> > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..
> > ., 832) = 832
> > newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=4796120, ...},
> > AT_EMPTY_PATH) = 0
> > ------------------
> >
> > Further debugging of error as stated earlier, the line of error at
> > file openssl-3.0.2/providers/fips/self_test.c
> > is as below:
> >
> > if (st == NULL
> >             || st->module_checksum_data == NULL) {
> >         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
> >         goto end;
> >
> > Regards
> > Manjunatha Srinivasan N
> >
> >
> > On Wed, 15 Nov 2023 at 21:42, Tomas Mraz <tomas at openssl.org> wrote:
> > > You can also use openssl version -d to check for the directory
> > > where
> > > openssl.cnf is expected to be placed.
> > >
> > > Tomas Mraz, OpenSSL
> > >
> > >
> > > On Wed, 2023-11-15 at 17:09 +0100, Tomas Mraz wrote:
> > > > The most probable reason is that the /etc/ssl/openssl.cnf file is
> > > > actually not being loaded because the libcrypto.so expects it to
> > > > be
> > > > at
> > > > a different location.
> > > >
> > > > I would recommend using strace to find out what config file is
> > > > libcrypto trying to load.
> > > >
> > > > Tomas Mraz, OpenSSL
> > > >
> > > > On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> > > > > Hi
> > > > > I want to bring up the FIPS 140-2 support for my embedded
> > > > > target
> > > > > for
> > > > > openssl. The current version of openssl is being used is
> > > > >  OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> > > > > and
> > > > > the kernel is LInux 5.15.32 (arm64). Aim is to execute  a
> > > > > sample
> > > > >  application, nginx, openssh to execute as FIPS 140-2
> > > > > compliance.
> > > > > For this I had set up the configuration environment for
> > > > > the FIPS provider and tried to execute a sample application
> > > > > programmatically to load fips provider (fips.so)  which all
> > > > > failed.
> > > > > I have attached the following file as reference.
> > > > > openssl.cnf
> > > > > fipsmodule.cnf
> > > > > fp.cpp (fips-test executable)
> > > > >
> > > > > With cross compilation of openssl from Yocto with fips support
> > > > > (enable-fips as part of configuration),  fips provider
> > > > > 'fips.so'
> > > > > shared library
> > > > > is produced.
> > > > > From build outcome used following files are placed in embedded
> > > > > target:
> > > > > binary file: /usr/bin/openssl
> > > > > libraries: /usr/lib/libcrypto.so.3
> > > > >               /usr/lib/libssl.so.3
> > > > >               /usr/lib/ossl-modules/fips.so
> > > > > configuration files:
> > > > >              /etc/ssl/openssl.cnf
> > > > >              /usr/lib/ssl-3/fipsmodule.cnf
> > > > > The file /etc/ssl/openssl.cnf is configured for fips/base
> > > > > providers
> > > > > and includes the path for fipsmodule.cnf.
> > > > > Below are changes in file  /etc/ssl/openssl.cnf.
> > > > > -------------
> > > > > --- /home/root/backup-openssl/openssl.cnf       2023-11-14
> > > > > 16:28:59.117481173 +0000
> > > > > +++ /etc/ssl/openssl.cnf        2023-11-14 17:19:55.627228042
> > > > > +0000
> > > > > @@ -8,6 +8,7 @@
> > > > >  # Note that you can include other files from the main
> > > > > configuration
> > > > >  # file using the .include directive.
> > > > >  #.include filename
> > > > > +.include /usr/lib/ssl-3/fipsmodule.cnf
> > > > >
> > > > >  # This definition stops the following lines choking if HOME
> > > > > isn't
> > > > >  # defined.
> > > > > @@ -64,8 +65,11 @@
> > > > >
> > > > >  # List of providers to load
> > > > >  [provider_sect]
> > > > > -default = default_sect
> > > > > -legacy = legacy_sect
> > > > > +fips = fips_sect
> > > > > +base = base_sect
> > > > > +
> > > > > +#default = default_sect
> > > > > +#legacy = legacy_sect
> > > > >  # The fips section name should match the section name inside
> > > > > the
> > > > >  # included fipsmodule.cnf.
> > > > >  # fips = fips_sect
> > > > > @@ -78,13 +82,16 @@
> > > > >  # becomes unavailable in openssl.  As a consequence
> > > > > applications
> > > > > depending on
> > > > >  # OpenSSL may not work correctly which could lead to
> > > > > significant
> > > > > system
> > > > >  # problems including inability to remotely access the system.
> > > > > -[default_sect]
> > > > > - activate = 1
> > > > > +#[default_sect]
> > > > > +# activate = 1
> > > > >
> > > > > -[legacy_sect]
> > > > > -activate = 1
> > > > > +#[legacy_sect]
> > > > > +#activate = 1
> > > > >
> > > > >
> > > > > +[base_sect]
> > > > > +activate = 1
> > > > > +
> > > > >  ##############################################################
> > > > > ####
> > > > > ##
> > > > >  [ ca ]
> > > > >  default_ca     = CA_default            # The default ca
> > > > > section
> > > > > --------------
> > > > >
> > > > > After the above changes executed below command which was
> > > > > successful
> > > > > for self test and updating digest of fips provider.
> > > > > openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf  -module
> > > > > /usr/lib/ossl-modules/fips.so
> > > > > HMAC : (Module_Integrity) : Pass
> > > > > SHA1 : (KAT_Digest) : Pass
> > > > > SHA2 : (KAT_Digest) : Pass
> > > > > SHA3 : (KAT_Digest) : Pass
> > > > > TDES : (KAT_Cipher) : Pass
> > > > > AES_GCM : (KAT_Cipher) : Pass
> > > > > AES_ECB_Decrypt : (KAT_Cipher) : Pass
> > > > > RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> > > > > Pass
> > > > > ECDSA : (PCT_Signature) : Pass
> > > > > ECDSA : (PCT_Signature) : Pass
> > > > > DSA : (PCT_Signature) : Pass
> > > > > TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> > > > > TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> > > > > TLS12_PRF : (KAT_KDF) : Pass
> > > > > PBKDF2 : (KAT_KDF) : Pass
> > > > > SSHKDF : (KAT_KDF) : Pass
> > > > > KBKDF : (KAT_KDF) : Pass
> > > > > HKDF : (KAT_KDF) : Pass
> > > > > SSKDF : (KAT_KDF) : Pass
> > > > > X963KDF : (KAT_KDF) : Pass
> > > > > X942KDF : (KAT_KDF) : Pass
> > > > > HASH : (DRBG) : Pass
> > > > > CTR : (DRBG) : Pass
> > > > > HMAC : (DRBG) : Pass
> > > > > DH : (KAT_KA) : Pass
> > > > > ECDH : (KAT_KA) : Pass
> > > > > RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> > > > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > > > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > > > > INSTALL PASSED
> > > > > ---
> > > > > Further testing of the below command shows MD5 is still
> > > > > supported,
> > > > > where the expectation digest is unsupported.
> > > > > openssl md5 /dev/null
> > > > > MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
> > > > >
> > > > > Also executed sample application fips-test which fails to load
> > > > > fips
> > > > > provider. Below is the output.
> > > > > ---
> > > > > /tmp/fips-test
> > > > > Failed to load FIPS provider
> > > > > ----
> > > > >
> > > > > Please let me know if I am doing anything wrong in my settings.
> > > > > Also
> > > > > let me know how to test nginx, openssh with fips provider.
> > > > > I appreciate your help. Thanks in advance.
> > > > >
> > > > > Regards
> > > > > Manjunatha Srinivasan N
> > > >
> > >
>
> --
> Tomáš Mráz, OpenSSL
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231122/cd0effed/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl.cnf
Type: application/octet-stream
Size: 12563 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20231122/cd0effed/attachment-0001.obj>

More information about the openssl-users mailing list