Digi ConnectCore 6, ConnectCore 6 Plus, and ConnectCore 6UL modules running kernel v4.9 are currently FIPS-ready. This topic describes how to enable, verify, and use FIPS-Capable OpenSSL on these modules.

The FIPS (Federal Information Processing Standards) 140-2 level 1 standard is an information technology security approval program for cryptographic modules. It is geared toward private-sector vendors who seek certification for products used in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share, and disseminate sensitive but unclassified (SBU) information.

OpenSSL itself is not FIPS validated, nor will it be validated in the future. Instead, a special carefully defined software component called the OpenSSL FIPS Object Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography.

Digi Embedded Yocto enables you to build the OpenSSL FIPS Object Module 2.0 and configure OpenSSL to use it.

This feature is not available out of the box and requires a Non-Disclosure Agreement to be in place. Contact a Digi sales representative for more information.

Add the meta-digi-fips layer

Contact a Digi sales representative to request the meta-digi-fips layer.
  1. Extract the meta-digi-fips Yocto layer under the Digi Embedded Yocto sources directory.

    $ tar -xf meta-digi-fips.tar -C <DEY-INSTALLDIR>/sources
  2. Edit your project’s bblayers.conf configuration file and add the meta-digi-fips layer by adding the following line:

    <DEY-INSTALLDIR>/sources/meta-digi-fips

Enable FIPS-capable OpenSSL

To enable FIPS-capable OpenSSL, add the following line to your local.conf:

OPENSSL_FIPS = "1"

This configures Digi Embedded Yocto to:

  • Build a FIPS Object Module

  • Build OpenSSL with the fips configuration option

The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS-capable OpenSSL. You can use it either as a drop-in replacement for a non-FIPS OpenSSL or to generate FIPS mode applications.

Verify FIPS-capable OpenSSL

Check the openssl version with:

~# openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016

The -fips suffix after the version number indicates that OpenSSL was built with FIPS support.

Note, however, that the openssl application does NOT use FIPS mode by default. To use FIPS mode, you must define the environment variable OPENSSL_FIPS. The following fragment shows the differences when enabling TIPS mode:

  • In a non-FIPS-capable OpenSSL, an error is shown.

~$ openssl version
OpenSSL 1.0.2j  26 Sep 2016
~$ OPENSSL_FIPS=1 openssl version
FIPS mode not supported.
  • When you run a command in a FIPS-capable OpenSSL with FIPS mode enabled, execution time increases due to the POST (Power On Self Test), a procedure required by FIPS 140-2.

~$ time openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016
real    0m 0.07s
user    0m 0.05s
sys     0m 0.01s
~$ OPENSSL_FIPS=1 time openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016
real    0m 0.42s
user    0m 0.40s
sys     0m 0.02

Use FIPS-capable OpenSSL

Applications using the OpenSSL API should explicitly enable FIPS mode if desired. For reference, use the following code excerpt in the randtest application (automatically installed along with the OpenSSL library when using meta-digi-fips) to set and check FIPS mode:

#ifdef OPENSSL_FIPS
    if (!FIPS_mode_set(1))
        printf("Failed to enable FIPS mode\n");
    else
        printf("FIPS mode is set\n");
#else
    printf("FIPS mode is not available\n");
#endif

When building OpenSSL with FIPS 140-2 support, the randtest application will take some extra time doing the FIPS 140-2 Power On Self Test, and then it will run the random number test:

~$ time randtest
FIPS mode is set
test 1 done
test 2 done
test 3 done
test 4 done

real    0m0.143s
user    0m0.130s
sys     0m0.010s

On the other hand, building OpenSSL without FIPS 140-2 support results in the following execution time and message:

~$ time randtest
FIPS mode is not available
test 1 done
test 2 done
test 3 done
test 4 done

real    0m0.009s
user    0m0.010s
sys     0m0.000s

For more information, see Section 5: Creating Applications Which Reference the FIPS Object Module of the OpenSSL User Guide 2.0.