The most probable reason is that the /etc/ssl/openssl.cnf file is actually not being loaded because the libcrypto.so expects it to be at a different location. I would recommend using strace to find out what config file libcrypto is trying to load.

Tomas Mraz, OpenSSL

On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> Hi
> I want to bring up the FIPS 140-2 support for my embedded target for
> openssl. The current version of openssl being used is
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and
> the kernel is Linux 5.15.32 (arm64). The aim is to execute a sample
> application, nginx and openssh as FIPS 140-2 compliant.
> For this I had set up the configuration environment for
> the FIPS provider and tried to execute a sample application
> programmatically to load the fips provider (fips.so), which all failed.
> I have attached the following files as reference.
> openssl.cnf
> fipsmodule.cnf
> fp.cpp (fips-test executable)
>
> With cross compilation of openssl from Yocto with fips support
> (enable-fips as part of configuration), the fips provider 'fips.so'
> shared library is produced.
> From the build outcome the following files are placed on the embedded
> target:
> binary file: /usr/bin/openssl
> libraries: /usr/lib/libcrypto.so.3
> /usr/lib/libssl.so.3
> /usr/lib/ossl-modules/fips.so
> configuration files:
> /etc/ssl/openssl.cnf
> /usr/lib/ssl-3/fipsmodule.cnf
> The file /etc/ssl/openssl.cnf is configured for the fips/base providers
> and includes the path for fipsmodule.cnf.
> Below are the changes in file /etc/ssl/openssl.cnf.
> -------------
> --- /home/root/backup-openssl/openssl.cnf 2023-11-14
> 16:28:59.117481173 +0000
> +++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
> @@ -8,6 +8,7 @@ > # Note that you can include other files from the main configuration > # file using the .include directive. > #.include filename > +.include /usr/lib/ssl-3/fipsmodule.cnf > > # This definition stops the following lines choking if HOME isn't > # defined. > @@ -64,8 +65,11 @@ > > # List of providers to load > [provider_sect] > -default = default_sect > -legacy = legacy_sect > +fips = fips_sect > +base = base_sect > + > +#default = default_sect > +#legacy = legacy_sect > # The fips section name should match the section name inside the > # included fipsmodule.cnf. > # fips = fips_sect 
> @@ -78,13 +82,16 @@ > # becomes unavailable in openssl. As a consequence applications > depending on > # OpenSSL may not work correctly which could lead to significant > system > # problems including inability to remotely access the system. > -[default_sect] > - activate = 1 > +#[default_sect] > +# activate = 1 > > -[legacy_sect] > -activate = 1 > +#[legacy_sect] > +#activate = 1 > > > +[base_sect] > +activate = 1 > + > #################################################################### > [ ca ] > default_ca = CA_default # The default ca section > --------------
>
> After the above changes I executed the below command, which was successful
> for the self test and for updating the digest of the fips provider.
> openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module
> /usr/lib/ossl-modules/fips.so
> HMAC : (Module_Integrity) : Pass
> SHA1 : (KAT_Digest) : Pass
> SHA2 : (KAT_Digest) : Pass
> SHA3 : (KAT_Digest) : Pass
> TDES : (KAT_Cipher) : Pass
> AES_GCM : (KAT_Cipher) : Pass
> AES_ECB_Decrypt : (KAT_Cipher) : Pass
> RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> Pass
> ECDSA : (PCT_Signature) : Pass
> ECDSA : (PCT_Signature) : Pass
> DSA : (PCT_Signature) : Pass
> TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> TLS12_PRF : (KAT_KDF) : Pass
> PBKDF2 : (KAT_KDF) : Pass
> SSHKDF : (KAT_KDF) : Pass
> KBKDF : (KAT_KDF) : Pass
> HKDF : (KAT_KDF) : Pass
> SSKDF : (KAT_KDF) : Pass
> X963KDF : (KAT_KDF) : Pass
> X942KDF : (KAT_KDF) : Pass
> HASH : (DRBG) : Pass
> CTR : (DRBG) : Pass
> HMAC : (DRBG) : Pass
> DH : (KAT_KA) : Pass
> ECDH : (KAT_KA) : Pass
> RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> INSTALL PASSED
> ---
> Further testing with the below command shows MD5 is still supported,
> where the expectation is that the digest is unsupported.
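Review bot: in the first hunk, the `.include /usr/lib/ssl-3/fipsmodule.cnf` path correctly matches the `-out` path given to `openssl fipsinstall` later in the message, but that directory name also suggests this build's OPENSSLDIR may be /usr/lib/ssl-3 rather than /etc/ssl, in which case libcrypto never opens the /etc/ssl/openssl.cnf this diff edits. `openssl version -d` prints the directory; the edited file then has to be the one at $OPENSSLDIR/openssl.cnf (or be selected with the OPENSSL_CONF environment variable) for any of these hunks to take effect.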
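Review bot: in the second hunk, once `default = default_sect` and `legacy = legacy_sect` are dropped from [provider_sect] and only fips and base remain, no activated provider implements MD5, so a parsed copy of this file makes `openssl md5 /dev/null` fail. The fact that it still succeeds further down is therefore evidence that this configuration is not being read at all (with no config activating any provider, libcrypto falls back to loading the default provider on its own), not a defect in the hunk; `fips = fips_sect` is consistent with the retained comment, since fips_sect is the section name fipsinstall writes into fipsmodule.cnf.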
> openssl md5 /dev/null
> MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
>
> I also executed the sample application fips-test, which fails to load the fips
> provider. Below is the output.
> ---
> /tmp/fips-test
> Failed to load FIPS provider
> ----
>
> Please let me know if I am doing anything wrong in my settings. Also
> let me know how to test nginx and openssh with the fips provider.
> I appreciate your help. Thanks in advance.
>
> Regards
> Manjunatha Srinivasan N

--
Tomáš Mráz, OpenSSL
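One way to carry out the strace check suggested in the reply, as an added example that is not part of the thread: the script below lists every openssl.cnf that libcrypto tried to open from an strace log and derives the default config path from `openssl version -d`. The strace lines embedded in it are constructed, and the live run at the bottom only happens when openssl and strace are installed.

```shell
#!/bin/sh
# Added example (not from the thread): find the openssl.cnf libcrypto really
# reads, following the strace suggestion in the reply. Needs only sh, awk
# and sed; openssl and strace are used solely for the optional live run.

# Print "<path> ok|missing" for each *.cnf that open()/openat() touched in an
# strace log on stdin. The first "ok" line is the config actually in use;
# a lone "missing" line names the location libcrypto expected instead.
cnf_opens() {
    awk '/open(at)?\(/ && /\.cnf"/ {
        match($0, /"[^"]*\.cnf"/)               # quoted path argument
        path = substr($0, RSTART + 1, RLENGTH - 2)
        status = ($0 ~ /= -1 /) ? "missing" : "ok"
        print path, status
    }'
}

# Turn the `openssl version -d` line (OPENSSLDIR: "/usr/lib/ssl-3") into the
# config path libcrypto looks for when OPENSSL_CONF is unset.
default_cnf() {
    sed -n 's|^OPENSSLDIR: *"\(.*\)"$|\1/openssl.cnf|p'
}

# Constructed strace output (shape of `strace -f -e trace=openat`) for a build
# whose OPENSSLDIR is /usr/lib/ssl-3 while the edits went to /etc/ssl/openssl.cnf.
SAMPLE_TRACE='1234  openat(AT_FDCWD, "/usr/lib/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/usr/lib/ssl-3/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/dev/null", O_RDONLY) = 3'

if command -v openssl >/dev/null 2>&1 && command -v strace >/dev/null 2>&1; then
    trace=$(mktemp)
    echo "default config: $(openssl version -d | default_cnf)"
    # The md5 invocation is only a cheap way to make libcrypto read its config.
    strace -f -e trace=openat -o "$trace" openssl md5 /dev/null >/dev/null 2>&1 || true
    echo "config files tried:"; cnf_opens < "$trace"; rm -f "$trace"
else
    echo "config files tried (constructed sample):"
    printf '%s\n' "$SAMPLE_TRACE" | cnf_opens
fi
```

On the target, a single "missing" line pointing somewhere other than /etc/ssl/openssl.cnf is the symptom the reply describes.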