Regarding FIPS 140-2 support on embedded target
manjunatha srinivasan
manjunathan.n at gmail.com
Wed Nov 15 19:20:41 UTC 2023
Hi
Please let me know how to debug this issue further. I am still facing an issue in
loading the fips provider with the sample application.
/tmp/fips-test
Failed to load FIPS provider
8094B6B6FFFF0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../openssl-3.0.2/providers/fips/self_test.c:289:
8094B6B6FFFF0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../openssl-3.0.2/providers/fips/self_test.c:387:
8094B6B6FFFF0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.2/providers/fips/fipsprov.c:706:
8094B6B6FFFF0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.2/crypto/provider_core.c:910:name=fips
Regards
Manjunatha Srinivasan N
On Wed, 15 Nov 2023 at 23:48, manjunatha srinivasan <manjunathan.n at gmail.com> wrote:
> Hi Tomas
> Thanks for your response.
> With strace, both openssl.cnf and the included file fipsmodule.cnf, as well as
> fips.so, are opened for read.
> The default location of openssl refers to /usr/lib/ssl-3/. So even keeping
> openssl.cnf at that location fails to load the fips provider.
> --------------------------
> openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
> futex(0xffff901297bc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=12563, ...}, AT_EMPTY_PATH) = 0
> read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096
>
> newfstatat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf", {st_mode=S_IFREG|0644, st_size=351, ...}, 0) = 0
> openat(AT_FDCWD, "/usr/lib/ssl-3/fipsmodule.cnf", O_RDONLY) = 4
> newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=351, ...}, AT_EMPTY_PATH) = 0
> read(4, "[fips_sect]\nactivate = 1\ninstall"..., 4096) = 351
> read(4, "", 4096) = 0
>
> openat(AT_FDCWD, "/usr/lib/ossl-modules/fips.so", O_RDONLY|O_CLOEXEC) = 3
> read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
> newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=4796120, ...}, AT_EMPTY_PATH) = 0
> ------------------
>
> Further debugging the error stated earlier, the failing lines in the file
> openssl-3.0.2/providers/fips/self_test.c are as below:
>
> if (st == NULL
>     || st->module_checksum_data == NULL) {
>     ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
>     goto end;
> }
>
> Regards
> Manjunatha Srinivasan N
>
>
> On Wed, 15 Nov 2023 at 21:42, Tomas Mraz <tomas at openssl.org> wrote:
>
>> You can also use openssl version -d to check for the directory where
>> openssl.cnf is expected to be placed.
>>
>> Tomas Mraz, OpenSSL
>>
>>
>> On Wed, 2023-11-15 at 17:09 +0100, Tomas Mraz wrote:
>> > The most probable reason is that the /etc/ssl/openssl.cnf file is
>> > actually not being loaded because the libcrypto.so expects it to be
>> > at a different location.
>> >
>> > I would recommend using strace to find out what config file
>> > libcrypto is trying to load.
>> >
>> > Tomas Mraz, OpenSSL
>> >
>> > On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
>> > > Hi
>> > > I want to bring up FIPS 140-2 support for openssl on my embedded
>> > > target. The current version of openssl being used is
>> > > OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and
>> > > the kernel is Linux 5.15.32 (arm64). The aim is to execute a sample
>> > > application, nginx and openssh in FIPS 140-2 compliant mode.
>> > > For this I set up the configuration environment for
>> > > the FIPS provider and tried to execute a sample application that
>> > > programmatically loads the fips provider (fips.so), which all failed.
>> > > I have attached the following files as reference:
>> > > openssl.cnf
>> > > fipsmodule.cnf
>> > > fp.cpp (fips-test executable)
>> > >
>> > > With cross compilation of openssl from Yocto with fips support
>> > > (enable-fips as part of the configuration), the fips provider shared
>> > > library 'fips.so' is produced.
>> > > From the build output, the following files are placed on the embedded
>> > > target:
>> > > binary file: /usr/bin/openssl
>> > > libraries: /usr/lib/libcrypto.so.3
>> > > /usr/lib/libssl.so.3
>> > > /usr/lib/ossl-modules/fips.so
>> > > configuration files:
>> > > /etc/ssl/openssl.cnf
>> > > /usr/lib/ssl-3/fipsmodule.cnf
>> > > The file /etc/ssl/openssl.cnf is configured for the fips/base providers
>> > > and includes the path of fipsmodule.cnf.
>> > > Below are changes in file /etc/ssl/openssl.cnf.
>> > > -------------
>> > > --- /home/root/backup-openssl/openssl.cnf 2023-11-14
>> > > 16:28:59.117481173 +0000
>> > > +++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
>> > > @@ -8,6 +8,7 @@
>> > > # Note that you can include other files from the main
>> > > configuration
>> > > # file using the .include directive.
>> > > #.include filename
>> > > +.include /usr/lib/ssl-3/fipsmodule.cnf
>> > >
>> > > # This definition stops the following lines choking if HOME isn't
>> > > # defined.
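Review bot: the `.include /usr/lib/ssl-3/fipsmodule.cnf` line sits in the unnamed default section before any `[section]` header, which is fine because the included file opens its own `[fips_sect]`, and the path matches the `-out` path later given to `fipsinstall`. Worth stating in the comment above it: the included file only hands the provider a valid `module-mac` when `fipsinstall` was run against the exact `fips.so` that libcrypto loads on the target, since the MAC is computed over that file. Make sure `config_diagnostics = 1` is present and not commented out in this same default section, so that a parse error in openssl.cnf or in the included file is reported instead of being ignored.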
>> > > @@ -64,8 +65,11 @@
>> > >
>> > > # List of providers to load
>> > > [provider_sect]
>> > > -default = default_sect
>> > > -legacy = legacy_sect
>> > > +fips = fips_sect
>> > > +base = base_sect
>> > > +
>> > > +#default = default_sect
>> > > +#legacy = legacy_sect
>> > > # The fips section name should match the section name inside the
>> > > # included fipsmodule.cnf.
>> > > # fips = fips_sect
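Review bot: with only `fips = fips_sect` and `base = base_sect` listed here, the default provider is no longer auto-loaded as a fallback, so whenever this file is actually in effect `openssl md5 /dev/null` must fail with an unsupported digest error. The successful MD5 output shown later in the mail therefore says that libcrypto is not reading this copy of the file; the path reported by `openssl version -d` (the reply mentions /usr/lib/ssl-3/ rather than /etc/ssl) is the first thing to reconcile. The stale `# fips = fips_sect` example comment can be dropped now that the real entry exists.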
>> > > @@ -78,13 +82,16 @@
>> > > # becomes unavailable in openssl. As a consequence applications
>> > > depending on
>> > > # OpenSSL may not work correctly which could lead to significant
>> > > system
>> > > # problems including inability to remotely access the system.
>> > > -[default_sect]
>> > > - activate = 1
>> > > +#[default_sect]
>> > > +# activate = 1
>> > >
>> > > -[legacy_sect]
>> > > -activate = 1
>> > > +#[legacy_sect]
>> > > +#activate = 1
>> > >
>> > >
>> > > +[base_sect]
>> > > +activate = 1
>> > > +
>> > > ##################################################################
>> > > ##
>> > > [ ca ]
>> > > default_ca = CA_default # The default ca section
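Review bot: `[base_sect]` with `activate = 1` is the right companion to the fips section: fips.so carries no encoders, decoders or store loaders, so without base an application could load the FIPS provider and still be unable to read PEM/DER keys and certificates. Minor style point: `+# activate = 1` keeps the stray leading space from the original `[default_sect]` line; align it with the `#activate = 1` used in the legacy section.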
>> > > --------------
>> > >
>> > > After the above changes, I executed the command below, which was successful
>> > > for the self test and for updating the digest of the fips provider.
>> > > openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so
>> > > HMAC : (Module_Integrity) : Pass
>> > > SHA1 : (KAT_Digest) : Pass
>> > > SHA2 : (KAT_Digest) : Pass
>> > > SHA3 : (KAT_Digest) : Pass
>> > > TDES : (KAT_Cipher) : Pass
>> > > AES_GCM : (KAT_Cipher) : Pass
>> > > AES_ECB_Decrypt : (KAT_Cipher) : Pass
>> > > RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
>> > > Pass
>> > > ECDSA : (PCT_Signature) : Pass
>> > > ECDSA : (PCT_Signature) : Pass
>> > > DSA : (PCT_Signature) : Pass
>> > > TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
>> > > TLS13_KDF_EXPAND : (KAT_KDF) : Pass
>> > > TLS12_PRF : (KAT_KDF) : Pass
>> > > PBKDF2 : (KAT_KDF) : Pass
>> > > SSHKDF : (KAT_KDF) : Pass
>> > > KBKDF : (KAT_KDF) : Pass
>> > > HKDF : (KAT_KDF) : Pass
>> > > SSKDF : (KAT_KDF) : Pass
>> > > X963KDF : (KAT_KDF) : Pass
>> > > X942KDF : (KAT_KDF) : Pass
>> > > HASH : (DRBG) : Pass
>> > > CTR : (DRBG) : Pass
>> > > HMAC : (DRBG) : Pass
>> > > DH : (KAT_KA) : Pass
>> > > ECDH : (KAT_KA) : Pass
>> > > RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
>> > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>> > > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
>> > > INSTALL PASSED
>> > > ---
>> > > Further testing with the command below shows MD5 is still supported,
>> > > whereas the expectation is that the digest is unsupported.
>> > > openssl md5 /dev/null
>> > > MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
>> > >
>> > > I also executed the sample application fips-test, which fails to load the fips
>> > > provider. Below is the output.
>> > > ---
>> > > /tmp/fips-test
>> > > Failed to load FIPS provider
>> > > ----
>> > >
>> > > Please let me know if I am doing anything wrong in my settings.
>> > > Also let me know how to test nginx and openssh with the fips provider.
>> > > I appreciate your help. Thanks in advance.
>> > >
>> > > Regards
>> > > Manjunatha Srinivasan N
>> >
>>
>> --
>> Tomáš Mráz, OpenSSL
>>
>>
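As an added example (not the thread's own code, and not the attached fp.cpp): a small Python audit of an openssl.cnf / fipsmodule.cnf pair that checks, before touching the target, the conditions under which fips.so receives its `activate` and `module-mac` parameters; the `SELF_TEST_post:missing config data` error above is exactly the missing `module-mac` case. The parser is a deliberate subset of OpenSSL's config syntax, and the two config strings and the MAC value are constructed placeholders modelled on the diff in the thread.

```python
# Added example, not from the thread: audit an openssl.cnf + fipsmodule.cnf pair for the
# conditions under which fips.so is handed 'activate' and 'module-mac' by libcrypto.

def parse_conf(text, includes):
    """Return {section: {key: value}}; raises FileNotFoundError for an unknown .include."""
    sections, cur = {"default": {}}, "default"
    pending = list(reversed(text.splitlines()))     # stack of lines still to process
    while pending:
        line = pending.pop().split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith(".include"):
            path = line.split(None, 1)[1]
            if path not in includes:
                raise FileNotFoundError(path)
            pending.extend(reversed(includes[path].splitlines()))  # splice in; section context carries
        elif line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def audit_fips_config(sections):
    """Return findings; an empty list means fips.so would get activate=1 and its module-mac."""
    providers = sections.get("provider_sect", {})
    fips_sect = providers.get("fips")
    if fips_sect is None:
        return ["provider_sect has no 'fips = <section>' entry"]
    fips = sections.get(fips_sect)
    if fips is None:
        return [f"section [{fips_sect}] not found: is fipsmodule.cnf really included?"]
    findings = []
    if fips.get("activate") != "1":
        findings.append(f"[{fips_sect}] activate != 1")
    if "module-mac" not in fips:   # what SELF_TEST_post reports as 'missing config data'
        findings.append(f"[{fips_sect}] lacks module-mac: run fipsinstall against the target's fips.so")
    if "base" not in providers:
        findings.append("base provider not listed: PEM/DER encoders and decoders unavailable")
    for name in ("default", "legacy"):
        if sections.get(providers.get(name, ""), {}).get("activate") == "1":
            findings.append(f"{name} provider active: non-approved digests such as MD5 stay usable")
    return findings

# Constructed inputs modelled on the diff in the thread; the MAC value is a placeholder.
OPENSSL_CNF = (".include /usr/lib/ssl-3/fipsmodule.cnf\n[provider_sect]\nfips = fips_sect\n"
               "base = base_sect\n[base_sect]\nactivate = 1\n")
FIPSMODULE_CNF = "[fips_sect]\nactivate = 1\nmodule-mac = 00:11:22:33:PLACEHOLDER\n"
```

Run it against the real files with `parse_conf(open(cnf).read(), {inc: open(inc).read()})`, using the `.include` path exactly as it appears in openssl.cnf as the dict key.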