OpenVPN FIPS support (almost there)

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.
Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
Post Reply
jamercee
OpenVpn Newbie
Posts: 2
Joined: Tue Nov 21, 2017 4:28 pm

OpenVPN FIPS support (almost there)

Post by jamercee » Tue Nov 21, 2017 5:06 pm

I've been working on building OpenVPN+OpenSSL for FIPS support. I feel like I've just about gotten it done, but I've run into an issue that's beyond a simple build sequence and was looking for some guidance.

The issue is that the OpenSSL FIPS Object Module v2.0 forbids MD5 once an application enables FIPS mode (eg: FIPS_set_mode(1)). But the code src/openvpn/ssl.c:tls1_PRF() makes a call to md_kt_get("MD5") without checking the return code. This results in a SIGSEGV a few lines later, when the function calls tls1_P_hash(md5, ...).

I'm not exactly sure how to resolve this. I tried to blindly just disable the code that attempts to call md_kt_get("MD5") and instead rely on the results of out2 (which are filled with SHA1 digest values). This prevents the SIGSEGV, but causes the tunnels to be unusable "AEAD Decrypt error: cipher final failed" (note: I did NOT expect this to succeed -- I only did it confirm I'd found the bit of code causing trouble). It's clear I can't just drop the MD5 call.

Does anyone have any advice on the right way to proceed?

Once we have this working, I'd be happy to share my work with the Community as either "HowTo's" or even a code diff.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3347
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN FIPS support (almost there)

Post by TinCanTech » Tue Nov 21, 2017 6:30 pm

Start here and then see the openssl FIPS user guide.

As for openvpn, try the mailing list.

jamercee
OpenVpn Newbie
Posts: 2
Joined: Tue Nov 21, 2017 4:28 pm

Re: OpenVPN FIPS support (almost there)

Post by jamercee » Tue Nov 21, 2017 6:32 pm

Thanks for responding...but we are way..way past that. We already have OpenSSL configured for FIPS. I am asking for assistance regarding the OpenVPN source code. Frankly, our question may be posted to the wrong forum for OpenVPN -- but I wasn't sure how to reach the developers.

Post Reply