Feature Overview

The SBC supports FIPS 140-3 mode. OpenSSL 3 provides the EVP_KDF APIs that are used to perform Key Derivation Function (KDF) Known Answer Test (KAT) self tests. For the SBC to be FIPS compliant, the KDF KATs are performed during the FIPS Power-On Self Tests (POST). OpenSSL 3 inherently performs the KATs for all available algorithms during module load and can also perform them on demand. In SBC 12.0, the fipsPost application loads the OpenSSL 3 FIPS provider and performs self tests for all algorithms. The KAT self tests are performed for all available algorithms, including DH, SSH KDF and TLS KDF, and proper logs are generated for confirmation.

All occurrences of FIPS-140-2 in the source code, including user-visible occurrences, are refactored to FIPS-140-3 while maintaining existing FIPS functionality. The SBC supports upgrading with FIPS-140-2 mode enabled. The new FIPS-140-3 mode stays enabled after the upgrade.

CLI Changes to Support FIPS 140-3 

In the CLI, the parameter used to enable FIPS mode is changed from fips-140-2 to fips-140-3. Refer to FIPS-140-3 - CLI for details.

EMA Changes to Support FIPS 140-3

In the SBC EMA, on the All > System > Admin screen, the parameter used to enable FIPS mode is changed from Fips-140-2 to Fips-140-3.

In the SBC EMA, under Users and Applications Management, the parameter used to enable FIPS mode is changed from Fips-140-2 to Fips-140-3. For details, refer to System - Admin - Fips-140-3 and Users and Application Management - FIPS-140-3.

Note

The SBC updates the existing FIPS Power-On Self Tests (POST) to include Known Answer Tests (KATs) for the following cryptographic algorithms: AES_256_GCM Encrypt/Decrypt and SRTP KDF. This ensures that corrupt mode tests are performed during the FIPS KATs.

Modified: for 12.1.4
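
The overview and the note above say the POST logs confirm the KATs for DH, SSH KDF, TLS KDF, AES_256_GCM and SRTP KDF. The following is an added example, not code from the SBC or OpenSSL, of a check that fails closed when one of those KATs is missing, failed or never reported a result. The line layout `<description> : (<type>) : <result>`, the labels in `REQUIRED_KATS` and both sample logs are assumptions constructed for illustration; the SBC's actual log format is not shown on this page.

```python
import re

# Assumed layout, one line per self test: "<description> : (<type>) : <result>".
# The SBC's real POST log format is not shown on the page.
LINE_RE = re.compile(r"([\w-]+)\s*:\s*\(([\w-]+)\)\s*:\s*(\w*)\s*$")

# Assumed log labels (keys) for the KATs the page names (values).
REQUIRED_KATS = {
    "DH": "DH",
    "SSHKDF": "SSH KDF",
    "TLS12_PRF": "TLS KDF",
    "AES_GCM": "AES_256_GCM Encrypt/Decrypt",
    "SRTP_KDF": "SRTP KDF",
}

def audit_post_log(text, required=REQUIRED_KATS):
    """Return a sorted list of problems; an empty list means the POST log is clean."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            desc, _type, result = m.groups()
            seen.setdefault(desc, []).append(result)
    problems = []
    for desc, results in seen.items():
        # Anything other than "Pass" counts, including a test that started
        # but logged no result; a later "Pass" does not clear it.
        bad = [r or "no result" for r in results if r != "Pass"]
        if bad:
            problems.append(f"{required.get(desc, desc)}: {bad[0]}")
    for desc, name in required.items():
        if desc not in seen:
            problems.append(f"{name}: KAT not logged")
    return sorted(problems)

# Constructed sample logs, not captured from an SBC.
GOOD_LOG = """\
AES_GCM : (KAT_Cipher) : Pass
DH : (KAT_KA) : Pass
SSHKDF : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
SRTP_KDF : (KAT_KDF) : Pass
"""
BAD_LOG = """\
AES_GCM : (KAT_Cipher) : Pass
DH : (KAT_KA) : Pass
SSHKDF : (KAT_KDF) :
TLS12_PRF : (KAT_KDF) : Fail
"""
```

Calling `audit_post_log(GOOD_LOG)` returns an empty list, while `audit_post_log(BAD_LOG)` reports the failed TLS KDF test, the SSH KDF test with no result and the absent SRTP KDF test.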