programmatic way of generating fipsmodule.cnf using statically linked openssl

[aniljadaun]

We used statically linked openssl libs in our code and we provide user option to turn on fips mode.

Is it possible to programmatically generate the fipsmodule.cnf file using statically linked OpenSSL in our code, for users who have enabled FIPS mode in our app? If so, how can we do this?

The current process for generating the fipsmodule.cnf file is to run the openssl fipsinstall command on the user's machine. However, this requires shipping the OpenSSL DLL with our app, which can be inconvenient and unnecessary. If we could programmatically generate the fipsmodule.cnf file using statically linked OpenSSL, we would avoid this problem.

So, the question is: is it possible to do this? And if so, how?

[paulidale]

The only way to get a FIPS compliant outcome, is to exactly follow the instructions in appendix A of the security policy.
If you do what you are asking, you will not be compliant.

That said, what's required is in the fipsinstall command. In boils down to generating a checksum of the fips.dll file. You will need to bundle and dynamically load fips.dll, statically linking this isn't supported.

It would also be possible to statically build the openssl command and run that without having the OpenSSL DLLs.

[paulidale]

No. You must follow the instructions in the security policy exactly.

What you are saying isn't.
Read the security policy. All of it. FIPS imposes restrictions which obvious. They must be followed.

[aniljadaun]

Ok, I understand programmatic solution is not a fips compliant. so we can't move ahead with this.

Now our issue is we already have linked openssl statically into our project . So we don't want to carry duplicate openssl dll in our package and that would also result in increased size of our package.

@paulidale --> It would also be possible to statically build the openssl command and run that without having the OpenSSL DLLs.

How do we do this ? We would like to explore this . Can you please mentions details or some documentation or link to any previous discussion ?

[aniljadaun]

Hi @mattcaswell @paulidale @t8m

Does this mean user needs to manually generate fipsmodule.cnf file on their system ? Shipping openssl.exe is the only way ?

Please confirm .

[mattcaswell]

Does this mean user needs to manually generate fipsmodule.cnf file on their system ? Shipping openssl.exe is the only way ?

You can either build openssl directly on the target system and use "make install", or you can build the binaries elsewhere, distribute the openssl binary/libraries to the target system and then run openssl fipsinstall. These are the only ways that will result in a compliant implementation.

How do we do this ? We would like to explore this . Can you please mentions details or some documentation or link to any previous discussion ?

Build OpenSSL using the "no-shared" config option. This builds the static libraries and a statically linked version of the OpenSSL executable

[aniljadaun]

Hi @mattcaswell

1. Building openssl on target system is not a option. It is time taking lengthy process and it would add considerable overhead on client machines.
2. openssl fipsinstall is a feasible option. We would need to ship openssl executable with our package. Size of the statically linked executable is more than 5 MB. Since we know we would be only using this executable for fipsinstall . Do you suggest some configuration setting which can help in reducing the size of the openssl executable.

[t8m]

Does this mean user needs to manually generate fipsmodule.cnf file on their system ?

No, it can be done by installation script but it needs to do the things exactly as specified by the security policy if you want to be fips compliant by the letter.

You should however consult all FIPS compliance related questions with a FIPS validation lab, we cannot provide you authoritative answers.

For example fipsmodule.cnf without the install checksum means the FIPS module will perform the self tests on each start up so in the sense of compliance of FIPS module operational requirements this is compliant, but you would not be compliant with the security policy letter.

[aniljadaun]

@t8m Thanks for your response.

No, it can be done by installation script but it needs to do the things exactly as specified by the security policy if you want to be fips compliant by the letter.

1. We want fips to be compliant by the letter.As i understand we need to make sure we build certified version for fips . Current we are using openssl 3.0.8 for fips module generation.
2. fipsinstall command should be run on each target machine generating fipsmodule.cnf file. @mattcaswell suggested though possible programmatically. it won't be considered as fips compliant. i am not able to clearly think through this.

Can you please provide us a code example of what is the way to achieve it via script or programmatically ? Manual step for each user is a big overhead and we would want to avoid it until absolute necessity.

[t8m]

@t8m Thanks for your response.

No, it can be done by installation script but it needs to do the things exactly as specified by the security policy if you want to be fips compliant by the letter.

1. We want fips to be compliant by the letter.As i understand we need to make sure we build certified version for fips . Current we are using openssl 3.0.8 for fips module generation.

2. fipsinstall command should be run on each target machine generating fipsmodule.cnf file. @mattcaswell suggested though possible programmatically. it won't be considered as fips compliant. i am not able to clearly think through this.

Can you please provide us a code example of what is the way to achieve it via script or programmatically ? Manual step for each user is a big overhead and we would want to avoid it until absolute necessity.

The command as specified in the security policy does not have to be executed manually. It can be executed by a script - shell script or from another application. What @mattcaswell said that wouldn't be fips compliant by letter is to do the same that the openssl fipsinstall command does via another application. But again I have to repeat - if you want to be sure for any FIPS compliance question you have to consult a FIPS validation lab. We are not a FIPS lab so any of our answers are to be taken just as hints and we might be even mistaken one way or another.

[aniljadaun]

Ok.
@mattcaswell @paulidale @t8m Thanks for your help and suggestion.

openssl executable is of nearly 5 MB. We have libcrypto and libssl statically linked into our project. Any configurations that you can suggest by which we can reduce size of openssl executable . We would be using openssl executable specifically for running fipsinstall command for generating fipsmodule.cnf.

[paulidale]

My suggestion is dynamicly linking OpenSSL: that is exactly what dynamic linking is meant for.

If that's not possible, OpenSSL has plenty of options to reduce it's size. They either omit algorithms or trade against performance.
Unless you are targeting an embedded platform, I'd advise against using them. The installation & configuration documentation has details.

[aniljadaun]

I understand what you mean. Though due to some known issues .We need to statically link our project with libcrypto and libssl. Once we do that, it would not be wise to carry separate dynamic libraries with us. Therefore, we want to create a smaller openssl.exe file that will only be used in a client environment for running fipsinstall command to generate conf file. We will keep your suggestion about the performance trade-off in mind, but we would like to evaluate it before making a decision.

Installation guide suggest multiple options to disable https://github.com/openssl/openssl/blob/master/INSTALL.md#quick-installation-guide . Can you please suggest which of these when diabled would not impact the fipsinstall step.

The OpenSSL team has been very helpful at every step.Thank you all for your help and guidance.

[mattcaswell]

If you must use static linking then I suggest that you build the OpenSSL command line app with a completely different set of options to the ones that you use for the libraries and fips.dll, i.e. the objective is just to get a working openssl fipsinstall command which is as small as possible and we don't care about anything else. Probably this might work:

./config no-shared no-aria no-async no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-cmp no-comp no-ct no-des no-dgram no-dh no-dsa no-ec no-engine no-filenames no-idea no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-siv no-sm3 no-sm4 no-srp no-srtp -no-ssl3-method no-ssl-trace no-ts no-ui-console no-whirlpool no-dtls no-tls no-legacy no-md2 no-mdc2 no-scrypt no-err

I just tried that out and hit a compilation error and a test failure because its a very aggressive set of "no" options that we don't explicitly test together (there are too may ways of combining these for us to test all possible combinations). Fix in #21722.