FIPS-capable OpenSSL
Note Digi ConnectCore 6, ConnectCore 6 Plus, and ConnectCore 6UL modules running kernel v4.9 are currently FIPS-ready. This topic describes how to enable, verify, and use FIPS-Capable OpenSSL on these modules. Contact Digi support for more information.
The FIPS (Federal Information Processing Standards) 140-2 level 1 standard is an information technology security approval program for cryptographic modules. It is geared toward private-sector vendors who seek certification for products used in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information.
OpenSSL itself is not FIPS validated, nor will it be validated in the future. Instead, a special carefully defined software component called the OpenSSL FIPS Object Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography.
Digi Embedded Yocto enables you to build the OpenSSL FIPS Object Module 2.0 and configure OpenSSL to use it.
Add the meta-digi-fips layer
Note Contact Digi support to get the meta-digi-fips layer.
- Extract the meta-digi-fips Yocto layer under the Digi Embedded Yocto sources directory.
$ tar -xf meta-digi-fips.tar -C <DEY-INSTALLDIR>/sources
- Edit your project's bblayers.conf configuration file and add the meta-digi-fips layer by adding the following line:
<DEY-INSTALLDIR>/sources/meta-digi-fips
Enable FIPS-capable OpenSSL
To enable FIPS-capable OpenSSL, add the following line to your local.conf:
OPENSSL_FIPS = "1"
This configures Digi Embedded Yocto to:
- Build a FIPS Object Module
- Build OpenSSL with the fips configuration option
The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS-capable OpenSSL. You can use it either as a drop-in replacement for a non-FIPS OpenSSL or to generate FIPS mode applications.
Verify FIPS-capable OpenSSL
Check the openssl version with:
root@ccimx6sbc:~# openssl version
OpenSSL 1.0.2j-fips 26 Sep 2016
The -fips suffix after the version number indicates that OpenSSL was built with FIPS support.
Note, however, that the openssl application does NOT use FIPS mode by default. To use FIPS mode, you must define the environment variable OPENSSL_FIPS. The following fragment shows the differences when enabling TIPS mode:
- In a non-FIPS-capable OpenSSL, an error is shown.
root@ccimx6sbc:~# openssl version OpenSSL 1.0.2j 26 Sep 2016 root@ccimx6sbc:~# OPENSSL_FIPS=1 openssl version FIPS mode not supported.
- When you run a command in a FIPS-capable OpenSSL with FIPS mode enabled, execution time increases due to the POST (Power On Self Test), a procedure required by FIPS 140-2.
root@ccimx6sbc:~# time openssl version OpenSSL 1.0.2j-fips 26 Sep 2016 real 0m 0.07s user 0m 0.05s sys 0m 0.01s root@ccimx6sbc:~# OPENSSL_FIPS=1 time openssl version OpenSSL 1.0.2j-fips 26 Sep 2016 real 0m 0.42s user 0m 0.40s sys 0m 0.02
Use FIPS-capable OpenSSL
Applications using the OpenSSL API should explicitly enable FIPS mode if desired. For reference, use the following code excerpt in the openssl application to set and check FIPS mode:
#ifdef OPENSSL_FIPS if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); EXIT(1); } #else fprintf(stderr, "FIPS mode not supported.\n"); EXIT(1); #endif
For more information, see Section 5: Creating Applications Which Reference the FIPS Object Module of the OpenSSL User Guide 2.0.