[openssl-users] FIPS compile issue with Perl on Windows
Steve Marquess
marquess at openssl.com
Mon Apr 18 16:08:32 UTC 2016
On 04/18/2016 11:01 AM, Tristan Leask wrote:
> Hi All,
>
> I am currently trying to set up an automated build process for a
> cloned copy of the code. ...
>
> In the link mentioned, it is talked about modifying the perl script
> to change how STDOUT works, however when you are compiling FIPS you
> aren't meant to modify the code shipped in the tarball, so how does
> one work around this issue apart from just compiling the code
> manually all the time?
There is really no point in trying to automate the build of the FIPS
module (fipscanister.o). As noted you can't change the source code
(contents of the tarball) at all, plus you're constrained by the
requirements of the Security Policy to build the module with precisely
the commands:
    gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
    cd openssl-fips-2.0.12
    ./config
    make
The Security Policy doesn't expressly prohibit you from embedding those
commands in a script, but IMHO you gain nothing but grief by doing so.
Build it manually, once, with some sort of record as a CYA for your file
cabinet.
Once you have the one and only copy of fipscanister.o you need (per
platform), you can then use normal software engineering best practice
for building OpenSSL proper (e.g. 1.0.2g) and your application code, and
automation would make more sense.
-Steve M.
--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
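
[Added example, not part of the original message and not OpenSSL project code.] One way to keep the "record for the file cabinet" and have the automated OpenSSL build refuse a fipscanister.o that differs from the one built by hand. The function names, the record file format and the use of SHA-256 via sha256sum are assumptions of this example; the files in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the post or the OpenSSL tree.

# record_fips_build TARBALL CANISTER RECORD
# Run once, right after the manual build, to write the record you file away.
record_fips_build() {
    rf_tarball=$1; rf_canister=$2; rf_record=$3
    [ -r "$rf_tarball" ] && [ -r "$rf_canister" ] || return 2
    {
        printf '# recorded-utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '# platform: %s\n' "$(uname -srm)"
        sha256sum "$rf_tarball" "$rf_canister"
    } > "$rf_record"
}

# verify_canister RECORD CANISTER
# Returns 0 only if CANISTER has the digest recorded for fipscanister.o,
# 1 on mismatch or missing entry, 2 if either file is unreadable.
verify_canister() {
    vc_record=$1; vc_canister=$2
    [ -r "$vc_record" ] && [ -r "$vc_canister" ] || return 2
    vc_want=$(awk '$2 ~ "(^|[/*])fipscanister[.]o$" { print $1; exit }' "$vc_record")
    vc_have=$(sha256sum "$vc_canister" | awk '{ print $1 }')
    [ -n "$vc_want" ] && [ "$vc_want" = "$vc_have" ]
}

# Demo on constructed stand-in files (not a real tarball or module).
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed tarball bytes\n' > "$d/openssl-fips-2.0.12.tar.gz"
    printf 'constructed module bytes\n'  > "$d/fipscanister.o"
    record_fips_build "$d/openssl-fips-2.0.12.tar.gz" "$d/fipscanister.o" \
        "$d/build-record.txt"
    verify_canister "$d/build-record.txt" "$d/fipscanister.o" \
        && echo "canister matches record"
    printf 'x' >> "$d/fipscanister.o"   # simulate a swapped or rebuilt module
    verify_canister "$d/build-record.txt" "$d/fipscanister.o" \
        || echo "mismatch: stop the build"
    rm -rf "$d"
}
demo
```

In the automated job, call verify_canister before configuring OpenSSL proper and fail the job on any non-zero return.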