You can also use openssl version -d to check for the directory where openssl.cnf is expected to be placed.

Tomas Mraz, OpenSSL

On Wed, 2023-11-15 at 17:09 +0100, Tomas Mraz wrote:
> The most probable reason is that the /etc/ssl/openssl.cnf file is
> actually not being loaded because the libcrypto.so expects it to be at
> a different location.
>
> I would recommend using strace to find out which config file
> libcrypto is trying to load.
>
> Tomas Mraz, OpenSSL
>
> On Wed, 2023-11-15 at 19:03 +0530, manjunatha srinivasan wrote:
> > Hi
> > I want to bring up FIPS 140-2 support for my embedded target for
> > openssl. The current version of openssl being used is
> > OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) and
> > the kernel is Linux 5.15.32 (arm64). The aim is to execute a sample
> > application, nginx and openssh in FIPS 140-2 compliance.
> > For this I had set up the configuration environment for
> > the FIPS provider and tried to execute a sample application that
> > programmatically loads the fips provider (fips.so), which all failed.
> > I have attached the following files for reference:
> > openssl.cnf
> > fipsmodule.cnf
> > fp.cpp (fips-test executable)
> >
> > With cross compilation of openssl from Yocto with fips support
> > (enable-fips as part of the configuration), the fips provider 'fips.so'
> > shared library is produced.
> > From the build outcome the following files are placed on the embedded
> > target:
> > binary file: /usr/bin/openssl
> > libraries: /usr/lib/libcrypto.so.3
> > /usr/lib/libssl.so.3
> > /usr/lib/ossl-modules/fips.so
> > configuration files:
> > /etc/ssl/openssl.cnf
> > /usr/lib/ssl-3/fipsmodule.cnf
> > The file /etc/ssl/openssl.cnf is configured for the fips/base providers
> > and includes the path for fipsmodule.cnf.
> > Below are the changes in file /etc/ssl/openssl.cnf.
> > ------------- > > --- /home/root/backup-openssl/openssl.cnf 2023-11-14 > > 16:28:59.117481173 +0000 > > +++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000 > > @@ -8,6 +8,7 @@ > > # Note that you can include other files from the main > > configuration > > # file using the .include directive. > > #.include filename > > +.include /usr/lib/ssl-3/fipsmodule.cnf > > > > # This definition stops the following lines choking if HOME isn't > > # defined. > > @@ -64,8 +65,11 @@ > > > > # List of providers to load > > [provider_sect] > > -default = default_sect > > -legacy = legacy_sect > > +fips = fips_sect > > +base = base_sect > > + > > +#default = default_sect > > +#legacy = legacy_sect > > # The fips section name should match the section name inside the > > # included fipsmodule.cnf. > > # fips = fips_sect 
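Review bot: in the first hunk (@@ -8,6 +8,7 @@) the `.include /usr/lib/ssl-3/fipsmodule.cnf` line sits correctly before any [section] header and matches the -out path handed to fipsinstall later in the message, but nothing here makes a problem with this file visible: add `config_diagnostics = 1` next to the include so that a configuration error is reported instead of the config being silently ignored, and confirm with `openssl version -d` that the OPENSSLDIR this libcrypto was built with actually resolves to /etc/ssl/openssl.cnf, since fipsmodule.cnf living under /usr/lib/ssl-3 suggests that directory, not /etc/ssl, may be where libcrypto looks.

Review bot: in the second hunk (@@ -64,8 +65,11 @@) removing `default = default_sect` is consistent with a FIPS-only setup, but it also takes every non-FIPS algorithm out of the default library context, so the `openssl md5 /dev/null` run shown further down must fail with an unsupported digest if this file is the one libcrypto reads; that it still prints a digest is direct evidence the edited file is not being loaded at all. If the default provider turns out to be needed (for example for legacy key formats), the alternative is to keep `default = default_sect` and restrict algorithm fetches with `default_properties = fips=yes` in an algorithm section referenced from the init section, rather than removing the provider.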
> > @@ -78,13 +82,16 @@ > > # becomes unavailable in openssl. As a consequence applications > > depending on > > # OpenSSL may not work correctly which could lead to significant > > system > > # problems including inability to remotely access the system. > > -[default_sect] > > - activate = 1 > > +#[default_sect] > > +# activate = 1 > > > > -[legacy_sect] > > -activate = 1 > > +#[legacy_sect] > > +#activate = 1 > > > > > > +[base_sect] > > +activate = 1 > > + > > ################################################################## > > ## > > [ ca ] > > default_ca = CA_default # The default ca section
> > --------------
> >
> > After the above changes I executed the command below, which was successful
> > for the self test and updating the digest of the fips provider.
> > openssl fipsinstall -out /usr/lib/ssl-3/fipsmodule.cnf -module
> > /usr/lib/ossl-modules/fips.so
> > HMAC : (Module_Integrity) : Pass
> > SHA1 : (KAT_Digest) : Pass
> > SHA2 : (KAT_Digest) : Pass
> > SHA3 : (KAT_Digest) : Pass
> > TDES : (KAT_Cipher) : Pass
> > AES_GCM : (KAT_Cipher) : Pass
> > AES_ECB_Decrypt : (KAT_Cipher) : Pass
> > RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
> > Pass
> > ECDSA : (PCT_Signature) : Pass
> > ECDSA : (PCT_Signature) : Pass
> > DSA : (PCT_Signature) : Pass
> > TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
> > TLS13_KDF_EXPAND : (KAT_KDF) : Pass
> > TLS12_PRF : (KAT_KDF) : Pass
> > PBKDF2 : (KAT_KDF) : Pass
> > SSHKDF : (KAT_KDF) : Pass
> > KBKDF : (KAT_KDF) : Pass
> > HKDF : (KAT_KDF) : Pass
> > SSKDF : (KAT_KDF) : Pass
> > X963KDF : (KAT_KDF) : Pass
> > X942KDF : (KAT_KDF) : Pass
> > HASH : (DRBG) : Pass
> > CTR : (DRBG) : Pass
> > HMAC : (DRBG) : Pass
> > DH : (KAT_KA) : Pass
> > ECDH : (KAT_KA) : Pass
> > RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
> > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
> > INSTALL PASSED
> > ---
> > Further testing with the command below shows MD5 is still supported,
> > where the expectation is that the digest is unsupported.
> > openssl md5 /dev/null
> > MD5(/dev/null)= d41d8cd98f00b204e9800998ecf8427e
> >
> > I also executed the sample application fips-test, which fails to load the
> > fips provider. Below is the output.
> > ---
> > /tmp/fips-test
> > Failed to load FIPS provider
> > ----
> >
> > Please let me know if I am doing anything wrong in my settings. Also
> > let me know how to test nginx and openssh with the fips provider.
> > I appreciate your help. Thanks in advance.
> >
> > Regards
> > Manjunatha Srinivasan N
>
> --
> Tomáš Mráz, OpenSSL
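Review bot: on the third hunk of the quoted openssl.cnf diff (@@ -78,13 +82,16 @@), `[base_sect] activate = 1` is the right companion to the fips provider (base supplies the encoders, decoders and file store that the FIPS module does not carry), but this file defines no `[fips_sect]` of its own: the FIPS provider only becomes active because the included fipsmodule.cnf written by fipsinstall carries `activate = 1` inside its `[fips_sect]`. Check that with `grep -n -A3 fips_sect /usr/lib/ssl-3/fipsmodule.cnf`, and once the correct config file is being read, `openssl list -providers` should list base and fips and nothing else.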
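The two checks Tomas recommends, openssl version -d and strace, turned into a small script. This is an added example, not part of the thread and not OpenSSL's or Yocto's code. It parses `openssl version -d` for OPENSSLDIR, reduces an strace log to the config files and provider modules libcrypto tried to open, and reports whether the file that was edited was ever read. The built-in sample (an OPENSSLDIR of /usr/lib/ssl-3 and the strace lines) is constructed for illustration; the thread only establishes that fipsmodule.cnf was written under /usr/lib/ssl-3. The script name fips-cnf-check.sh is assumed.

```shell
#!/bin/sh
# Find out which openssl.cnf libcrypto really reads, following the two checks
# suggested in the thread (openssl version -d, strace). Added example, not
# code from the thread, from OpenSSL or from Yocto. The sample strace lines
# and the OPENSSLDIR value /usr/lib/ssl-3 below are constructed; on a real
# target run "sh fips-cnf-check.sh --live /etc/ssl/openssl.cnf" (name assumed).

# Print the path libcrypto will try, given `openssl version -d` output on stdin.
# OPENSSL_CONF in the environment overrides OPENSSLDIR/openssl.cnf.
expected_cnf() {
    if [ -n "${OPENSSL_CONF:-}" ]; then
        printf '%s\n' "$OPENSSL_CONF"
        return 0
    fi
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1\/openssl.cnf/p'
}

# Reduce an strace log on stdin to "path result" lines, one per .cnf or .so
# open attempt: "ok" when a descriptor came back, otherwise the errno name.
cnf_opens() {
    awk '/open(at)?\(.*\.(cnf|so)"/ {
        sub(/.*open(at)?\([^"]*"/, "")
        path = $0; sub(/".*/, "", path)
        if ($0 ~ /= -1 /) { res = $0; sub(/.*= -1 /, "", res); sub(/ .*/, "", res) }
        else res = "ok"
        print path, res
    }'
}

# Status of one path ($1) in the strace log on stdin: "ok", an errno such as
# ENOENT, or "not-attempted" (libcrypto is reading a different file, or none).
cnf_status() {
    res=$(cnf_opens | awk -v p="$1" '$1 == p { print $2; exit }')
    printf '%s\n' "${res:-not-attempted}"
}

# One-line diagnosis. $1 = path libcrypto expects, $2 = the file you edited,
# $3 = strace log file. The first word is a stable verdict code.
verdict() {
    exp_status=$(cnf_status "$1" < "$3")
    edit_status=$(cnf_status "$2" < "$3")
    if [ "$exp_status" = ok ] && [ "$1" = "$2" ]; then
        echo "loaded: libcrypto read $1; the problem is inside it or in fipsmodule.cnf"
    elif [ "$exp_status" = ok ]; then
        echo "elsewhere: libcrypto read $1, never $2 ($edit_status); put the edits there, symlink it, or export OPENSSL_CONF=$2"
    else
        echo "missing: libcrypto tried $1 and got $exp_status, so no provider section was read, the default provider stays active and fips.so is never loaded ($2 was $edit_status)"
    fi
}

# Constructed sample: a libcrypto built with OPENSSLDIR=/usr/lib/ssl-3 (assumed)
# looks there, finds nothing, and the edited /etc/ssl/openssl.cnf is never touched.
SAMPLE_VERSION_D='OPENSSLDIR: "/usr/lib/ssl-3"'
SAMPLE_STRACE='openat(AT_FDCWD, "/usr/lib/libcrypto.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/ssl-3/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/null", O_RDONLY) = 3'

# Evaluate the constructed sample; needs neither openssl nor strace.
demo() {
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_STRACE" > "$log"
    exp=$(printf '%s\n' "$SAMPLE_VERSION_D" | expected_cnf)
    verdict "$exp" /etc/ssl/openssl.cnf "$log"
    rm -f "$log"
}

# Live run on the target: strace the command that misbehaves and report.
# Needs strace and openssl on PATH; $1 is the file you edited.
live() {
    edited=${1:-/etc/ssl/openssl.cnf}
    log=$(mktemp)
    strace -f -e trace=file -o "$log" openssl md5 /dev/null >/dev/null 2>&1 || true
    exp=$(openssl version -d | expected_cnf)
    verdict "$exp" "$edited" "$log"
    cnf_opens < "$log"
    rm -f "$log"
    # Force the edited file: with the fips-only config from the thread in
    # effect, MD5 must fail and the provider list must show only base and fips.
    OPENSSL_CONF=$edited openssl list -providers
    if OPENSSL_CONF=$edited openssl md5 /dev/null >/dev/null 2>&1; then
        echo "MD5 still works under $edited: the fips-only config is not in effect"
    else
        echo "MD5 unsupported under $edited: the fips-only config is in effect"
    fi
}

case ${1:-} in
    --live) live "$2" ;;
    *) demo ;;
esac
```

Run without arguments it evaluates the constructed sample; on the target, `sh fips-cnf-check.sh --live /etc/ssl/openssl.cnf` straces `openssl md5 /dev/null` itself, which is also the quickest end-to-end check: with the fips-only openssl.cnf from the thread actually in effect that command must fail with an unsupported digest and `openssl list -providers` must show only base and fips. The file this identifies is the one a program that calls OSSL_PROVIDER_load() on the default library context also depends on, since that context reads the same default config, unless the program loads a config of its own.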