Hi
With further testing, by calling ERR_print_errors_fp(stderr) in the sample application, the following is the error output.
/tmp/fips-test
Failed to load FIPS provider
8094B6B6FFFF0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:../openssl-3.0.2/providers/fips/self_test.c:289:
8094B6B6FFFF0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:../openssl-3.0.2/providers/fips/self_test.c:387:
8094B6B6FFFF0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:../openssl-3.0.2/providers/fips/fipsprov.c:706:
8094B6B6FFFF0000:error:078C0105:common libcrypto routines:provider_init:init fail:../openssl-3.0.2/crypto/provider_core.c:910:name=fips
Regards
Manjunatha Srinivasan N
On Wed, 15 Nov 2023 at 19:03, manjunatha srinivasan <manjunathan.n@xxxxxxxxx> wrote:
Hi
I want to bring up FIPS 140-2 support for my embedded target with openssl. The current version of openssl being used is OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and the kernel is Linux 5.15.32 (arm64). The aim is to execute a sample application, nginx and openssh in FIPS 140-2 compliance. For this I had set up the configuration environment for the FIPS provider and tried to execute a sample application that programmatically loads the fips provider (fips.so), which all failed.
I have attached the following files as reference.
openssl.cnf
fipsmodule.cnf
fp.cpp (fips-test executable)
With cross compilation of openssl from Yocto with fips support (enable-fips as part of the configuration), the fips provider 'fips.so' shared library is produced.
From the build outcome, the following files are placed in the embedded target:
binary file: /usr/bin/openssl
libraries:
/usr/lib/libcrypto.so.3
/usr/lib/libssl.so.3
/usr/lib/ossl-modules/fips.so
configuration files:
/etc/ssl/openssl.cnf
/usr/lib/ssl-3/fipsmodule.cnf
The file /etc/ssl/openssl.cnf is configured for the fips/base providers and includes the path for fipsmodule.cnf. Below are the changes in file /etc/ssl/openssl.cnf.
---
--- /home/root/backup-openssl/openssl.cnf 2023-11-14 16:28:59.117481173 +0000
+++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
@@ -8,6 +8,7 @@
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
+.include /usr/lib/ssl-3/fipsmodule.cnf
# This definition stops the following lines choking if HOME isn't
# defined.
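Review bot: the `.include /usr/lib/ssl-3/fipsmodule.cnf` is placed at the top of the file outside any section, which matches the layout fips_module(7) shows, and its path is the same one that `openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf` writes to later in the message, so the fips_sect data (module-mac, install-mac, install-status) only reaches a process that actually loads this openssl.cnf. The "SELF_TEST_post:missing config data" error at the top of the thread is what the provider reports when it is initialised without those parameters, which happens when a program calls OSSL_PROVIDER_load() before any configuration has been loaded into that library context; call OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL) (default context) or OSSL_LIB_CTX_load_config() (private context) first, and check `openssl version -d` to confirm that the directory the binary reads its default openssl.cnf from is really /etc/ssl.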
@@ -64,8 +65,11 @@
# List of providers to load
[provider_sect]
-default = default_sect
-legacy = legacy_sect
+fips = fips_sect
+base = base_sect
+
+#default = default_sect
+#legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
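Review bot: with default and legacy commented out, a failure to activate fips makes the whole provider section fail, and unless `config_diagnostics = 1` is set near the top of the file (not visible in this hunk, so please confirm it is there) libcrypto ignores the configuration error, ends up with no provider activated and autoloads the default provider on the first fetch. That is the likely reason `openssl md5 /dev/null` further down still succeeds: neither fips nor base offers MD5, so a working fips/base-only configuration has to reject it. Add `config_diagnostics = 1` and, as fips_module(7) recommends, `alg_section = algorithm_sect` under [openssl_init] with `default_properties = fips=yes` in that section, so the failure is reported instead of silently masked; `openssl list -providers` shows which providers are actually active.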
@@ -78,13 +82,16 @@
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
-[default_sect]
- activate = 1
+#[default_sect]
+# activate = 1
-[legacy_sect]
-activate = 1
+#[legacy_sect]
+#activate = 1
+[base_sect]
+activate = 1
+
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
---
After the above changes I executed the command below, which was successful for the self test and for updating the digest of the fips provider.
openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
---
Further testing with the command below shows MD5 is still supported, where the expectation is that the digest is unsupported.
openssl md5 /dev/null
MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
I also executed the sample application fips-test, which fails to load the fips provider. Below is the output.
---
/tmp/fips-test
Failed to load FIPS provider
---
Please let me know if I am doing anything wrong in my settings. Also let me know how to test nginx and openssh with the fips provider.
I appreciate your help. Thanks in advance.
Regards
Manjunatha Srinivasan N
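For comparison with the diff in the message above, this is the complete minimal openssl.cnf layout that fips_module(7) documents for a fips/base-only setup, as an added example and not the poster's file; the fipsmodule.cnf path is the one from the message and is assumed to be where `openssl fipsinstall -out` wrote it.

```ini
# Added example (not the poster's openssl.cnf): minimal FIPS-only layout
# per fips_module(7). Path of fipsmodule.cnf is assumed from the message.

# Report configuration errors (for example fips failing to activate)
# instead of ignoring them and silently falling back to the default provider.
config_diagnostics = 1
openssl_conf = openssl_init

# Supplies [fips_sect] with module-mac, install-mac and install-status
# as written by: openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf ...
.include /usr/lib/ssl-3/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

# base: encoders/decoders and the file store only, no algorithms.
[base_sect]
activate = 1

# Every fetch must come from a FIPS-approved implementation, so a stray
# default provider could not hand out MD5.
[algorithm_sect]
default_properties = fips=yes
```

With this file in place, `openssl md5 /dev/null` is expected to fail rather than print a digest, `openssl list -providers` should show only fips and base, and `openssl version -d` confirms the OPENSSLDIR from which the binary picks up its default openssl.cnf; if that directory is not /etc/ssl, point OPENSSL_CONF at the file or install it there.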