Hi
I want to bring up the FIPS 140-2 support for my embedded target for openssl. The current version of openssl is being used is
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and the kernel is LInux 5.15.32 (arm64). Aim is to execute a sample
application, nginx, openssh to execute as FIPS 140-2 compliance. For this I had set up the configuration environment for
the FIPS provider and tried to execute a sample application programmatically to load fips provider (fips.so) which all failed.
I have attached the following file as reference.
openssl.cnf
fipsmodule.cnf
fp.cpp (fips-test executable)
With cross compilation of openssl from Yocto with fips support (enable-fips as part of configuration), fips provider 'fips.so' shared library
is produced.
From build outcome used following files are placed in embedded target:
binary file: /usr/bin/openssl
libraries: /usr/lib/libcrypto.so.3
/usr/lib/libssl.so.3
/usr/lib/ossl-modules/fips.so
configuration files:
/etc/ssl/openssl.cnf
/usr/lib/ssl-3/fipsmodule.cnf
The file /etc/ssl/openssl.cnf is configured for fips/base providers and includes the path for fipsmodule.cnf.
Below are changes in file /etc/ssl/openssl.cnf.
-------------
--- /home/root/backup-openssl/openssl.cnf 2023-11-14 16:28:59.117481173 +0000
+++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
@@ -8,6 +8,7 @@
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
+.include /usr/lib/ssl-3/fipsmodule.cnf
# This definition stops the following lines choking if HOME isn't
# defined.
@@ -64,8 +65,11 @@
# List of providers to load
[provider_sect]
-default = default_sect
-legacy = legacy_sect
+fips = fips_sect
+base = base_sect
+
+#default = default_sect
+#legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -78,13 +82,16 @@
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
-[default_sect]
- activate = 1
+#[default_sect]
+# activate = 1
-[legacy_sect]
-activate = 1
+#[legacy_sect]
+#activate = 1
+[base_sect]
+activate = 1
+
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
+++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
@@ -8,6 +8,7 @@
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
+.include /usr/lib/ssl-3/fipsmodule.cnf
# This definition stops the following lines choking if HOME isn't
# defined.
@@ -64,8 +65,11 @@
# List of providers to load
[provider_sect]
-default = default_sect
-legacy = legacy_sect
+fips = fips_sect
+base = base_sect
+
+#default = default_sect
+#legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -78,13 +82,16 @@
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
-[default_sect]
- activate = 1
+#[default_sect]
+# activate = 1
-[legacy_sect]
-activate = 1
+#[legacy_sect]
+#activate = 1
+[base_sect]
+activate = 1
+
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
--------------
After the above changes executed below command which was successful for self test and updating digest of fips provider.
openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
---
Further testing of the below command shows MD5 is still supported, where the expectation digest is unsupported.
openssl md5 /dev/null
MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
Also executed sample application fips-test which fails to load fips provider. Below is the output.
---
/tmp/fips-test
Failed to load FIPS provider
----
Failed to load FIPS provider
----
Please let me know if I am doing anything wrong in my settings. Also let me know how to test nginx, openssh with fips provider.
I appreciate your help. Thanks in advance.
Regards
Manjunatha Srinivasan N
Manjunatha Srinivasan N
Attachment:
openssl.cnf
Description: Binary data
Attachment:
fipsmodule.cnf
Description: Binary data
Attachment:
fp.cpp
Description: Binary data
