openssl fipsinstall

Hi all,

I'm replacing OpenSSL 1.0.2 with OpenSSL 3.0 in an embedded environment with very limited flash space. We need and use libcrypto and libssl but we have no need for the openssl binary. To date it was never necessary to ship this utility in our product. Now with OpenSSL 3.0 it appears the only way to get FIPS support is to run "openssl fipsinstall ..." to create a FIPS config file to be included by the main config file. However, at nearly 1MB in size this binary is prohibitively large.

I am able to reproduce the output of "openssl fipsinstall ..." with a (considerably smaller) standalone tool that links with libcrypto and generates HMAC-SHA256 (using FIPS_KEY_STRING from fipskey.h) but I'm unclear on what the actual FIPS requirements are for this. Would I still be considered FIPS compliant if I use my own standalone tool instead of the openssl binary to generate the FIPS config? I presume I don't need to bother with the self-test callback and that it only matters whether or not OSSL_PROVIDER_load(NULL, "fips") succeeds?


Thanks,
Tom.III
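
The message above describes producing the FIPS config's HMAC-SHA256 value with a small tool instead of the openssl binary. The following added example (not part of the original post and not OpenSSL's code) recomputes that value over a module image and compares it with the one a config file records, which is a quick way to check that a generated config and the installed module still match. It assumes the config stores the value under `module-mac` as colon-separated hex and that the key is a hex string; the key, module bytes and config text are constructed placeholders, not the real FIPS_KEY_STRING or a real provider.

```python
import hashlib
import hmac
import re

def module_mac(module_bytes: bytes, key_hex: str) -> str:
    """HMAC-SHA256 of the module image, as colon-separated uppercase hex."""
    key = bytes.fromhex(key_hex)  # assumption: the key string is hex-encoded
    digest = hmac.new(key, module_bytes, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)

def read_module_mac(cnf_text: str):
    """Return the recorded module-mac value, or None if the config has none."""
    # Assumption: the value sits on its own "module-mac = AA:BB:..." line.
    m = re.search(r"^\s*module-mac\s*=\s*([0-9A-Fa-f:]+)\s*$", cnf_text, re.MULTILINE)
    return m.group(1).upper() if m else None

def config_matches_module(cnf_text: str, module_bytes: bytes, key_hex: str) -> bool:
    """True only if the config records a MAC and it matches the module image."""
    recorded = read_module_mac(cnf_text)
    if recorded is None:
        return False  # a config without a MAC is treated as a mismatch
    return hmac.compare_digest(recorded, module_mac(module_bytes, key_hex))

# Constructed sample inputs (placeholders, not real OpenSSL values).
SAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff" * 2
SAMPLE_MODULE = b"\x7fELF" + b"constructed stand-in for fips.so" * 8
SAMPLE_CNF = (
    "[fips_sect]\n"
    "activate = 1\n"
    "module-mac = " + module_mac(SAMPLE_MODULE, SAMPLE_KEY_HEX) + "\n"
)

if __name__ == "__main__":
    print("intact module:", config_matches_module(SAMPLE_CNF, SAMPLE_MODULE, SAMPLE_KEY_HEX))
    tampered = SAMPLE_MODULE[:-1] + b"X"  # a single changed byte must fail the check
    print("tampered module:", config_matches_module(SAMPLE_CNF, tampered, SAMPLE_KEY_HEX))
```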

