cisco / libacvp

The libacvp library is a client-side implementation of the draft ACVP protocol (github.com/usnistgov/ACVP).
Apache License 2.0

FIPS provider #863

Closed akelly381 closed 2 weeks ago

akelly381 commented 1 month ago

I had a working client a few weeks ago, but I have been trying to modify my docker image to install openssl 3.3.1 but use the FIPS provider from openssl 3.0.0. I'm not sure where I'm going wrong, but now when trying to use the app I receive:

Crypto module returned failure code when running quick digest.
Error occured when testing FIPS at startup (rv = 10). Please verify the FIPS provider is
properly installed and configured. Exiting...

Could you provide any guidance on how to configure the FIPS provider within a docker image?

abkarcher commented 1 month ago

Hello,

Apologies for the delay here; was out of the office last week.

While we generally do not provide guidance as to configuring OpenSSL, I can give some general feedback. Note that the below comments are for a newly generated openssl.cnf file and I cannot speak to how distros have OpenSSL pre-configured.

There are two important things required for a FIPS provider to load properly. For one, you need a fipsmodule.cnf which contains the MAC of the specific binary of the fips.so built. This is unique to the specific file for a specific build of OpenSSL.

Then, the openssl.cnf file needs to be properly pointing to that file, and activating the fips module. To adjust openssl.cnf, there is an ".include" line that points directly to the fipsmodule.cnf file.

Additionally, there is a "fips = fips_sect" line that cannot be commented out. This basically imports the provider info from fipsmodule.cnf. If a FIPS provider was already being used, this likely is already in use so no changes would be needed.

If I had to make a complete guess, you might just only have to change the path for fipsmodule.cnf in the openssl.cnf file, and not worry about the other changes. Take with a grain of salt though! The below changes are provided for more info about use with libacvp, but you should probably not change them in any distro provided configuration.

If fipsmodule.cnf has an "activate = 1" line, this means the fips module will be loaded by default. Whenever a module is explicitly loaded by default like this, the default provider is no longer implicitly loaded by default. So "activate = 1" should be un-commented under the "default_sect" in openssl.cnf. This is needed for libcurl to work properly.

Thanks, Andrew
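The configuration shape described in the comment above, written out as an added example (this is not a file from the thread, from libacvp or from the OpenSSL project; the paths /usr/local/ssl/fipsmodule.cnf and /usr/local/lib/ossl-modules/fips.so are assumptions and must match the install inside the image). The fipsmodule.cnf half is generated, not hand-written: `openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so` computes the module-mac for that exact fips.so, so it must be re-run whenever fips.so changes. The openssl.cnf half is the part that has to point at it:

```ini
# openssl.cnf (added example; paths are assumed)
#
# Top-level entry point for the library config.
openssl_conf = openssl_init

# Pull in the generated fipsmodule.cnf, which provides [fips_sect]
# (activate, module-mac, security-checks, ...). Use an absolute path;
# a stale or missing file here is the usual cause of startup self-test
# failures. Regenerate it with:
#   openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf \
#       -module /usr/local/lib/ossl-modules/fips.so
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
# Both lines must be present and uncommented.
# "fips" imports the provider settings from fipsmodule.cnf;
# "default" is needed so the non-FIPS algorithms used by libcurl
# (TLS plumbing, encoders/decoders) are still available.
default = default_sect
fips = fips_sect

[default_sect]
# Because fipsmodule.cnf carries "activate = 1", the default provider
# is no longer loaded implicitly. Activate it explicitly here, otherwise
# libcurl inside the libacvp client fails to initialise.
activate = 1
```

To check the result inside the image, run `openssl list -providers` and confirm both `default` and `fips` appear with `status: active`; if only one shows up, the corresponding `activate = 1` or the `.include` path is the thing to revisit. A module-mac mismatch (fips.so replaced without re-running fipsinstall) shows up as the provider failing to load at all rather than as a config parse error.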

abkarcher commented 2 weeks ago

Hello,

I am closing this issue, but feel free to reopen if you have any further questions.

Thanks, Andrew