Digi ConnectCore 6, ConnectCore 6 Plus, and ConnectCore 6UL modules running kernel v4.9 are currently FIPS-ready. This topic describes how to enable, verify, and use FIPS-Capable OpenSSL on these modules.
The FIPS (Federal Information Processing Standards) 140-2 level 1 standard is an information technology security approval program for cryptographic modules. It is geared toward private-sector vendors who seek certification for products used in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information.
OpenSSL itself is not FIPS validated, nor will it be validated in the future. Instead, a special carefully defined software component called the OpenSSL FIPS Object Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography.
Digi Embedded Yocto enables you to build the OpenSSL FIPS Object Module 2.0 and configure OpenSSL to use it.
| This feature is not available out of the box and requires a Non-Disclosure Agreement to be in place. Contact a Digi sales representative for more information. |
Add the meta-digi-fips layer
| Contact a Digi sales representative to request the meta-digi-fips layer. |
-
Extract the meta-digi-fips Yocto layer under the Digi Embedded Yocto sources directory.
$ tar -xf meta-digi-fips.tar -C <DEY-INSTALLDIR>/sources
-
Edit your project’s bblayers.conf configuration file and add the meta-digi-fips layer by adding the following line:
<DEY-INSTALLDIR>/sources/meta-digi-fips
Enable FIPS-capable OpenSSL
To enable FIPS-capable OpenSSL, add the following line to your local.conf:
OPENSSL_FIPS = "1"
This configures Digi Embedded Yocto to:
-
Build a FIPS Object Module
-
Build OpenSSL with the fips configuration option
The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS-capable OpenSSL. You can use it either as a drop-in replacement for a non-FIPS OpenSSL or to generate FIPS mode applications.
Verify FIPS-capable OpenSSL
Check the openssl version with:
~# openssl version OpenSSL 1.0.2j-fips 26 Sep 2016
The -fips suffix after the version number indicates that OpenSSL was built with FIPS support.
Note, however, that the openssl application does NOT use FIPS mode by default. To use FIPS mode, you must define the environment variable OPENSSL_FIPS. The following fragment shows the differences when enabling TIPS mode:
-
In a non-FIPS-capable OpenSSL, an error is shown.
~$ openssl version OpenSSL 1.0.2j 26 Sep 2016 ~$ OPENSSL_FIPS=1 openssl version FIPS mode not supported.
-
When you run a command in a FIPS-capable OpenSSL with FIPS mode enabled, execution time increases due to the POST (Power On Self Test), a procedure required by FIPS 140-2.
~$ time openssl version OpenSSL 1.0.2j-fips 26 Sep 2016 real 0m 0.07s user 0m 0.05s sys 0m 0.01s ~$ OPENSSL_FIPS=1 time openssl version OpenSSL 1.0.2j-fips 26 Sep 2016 real 0m 0.42s user 0m 0.40s sys 0m 0.02
Use FIPS-capable OpenSSL
Applications using the OpenSSL API should explicitly enable FIPS mode if desired. For reference, use the following code excerpt in the randtest application (automatically installed along with the OpenSSL library when using meta-digi-fips) to set and check FIPS mode:
#ifdef OPENSSL_FIPS
if (!FIPS_mode_set(1))
printf("Failed to enable FIPS mode\n");
else
printf("FIPS mode is set\n");
#else
printf("FIPS mode is not available\n");
#endif
When building OpenSSL with FIPS 140-2 support, the randtest application will take some extra time doing the FIPS 140-2 Power On Self Test, and then it will run the random number test:
~$ time randtest FIPS mode is set test 1 done test 2 done test 3 done test 4 done real 0m0.143s user 0m0.130s sys 0m0.010s
On the other hand, building OpenSSL without FIPS 140-2 support results in the following execution time and message:
~$ time randtest FIPS mode is not available test 1 done test 2 done test 3 done test 4 done real 0m0.009s user 0m0.010s sys 0m0.000s
For more information, see Section 5: Creating Applications Which Reference the FIPS Object Module of the OpenSSL User Guide 2.0.
