[openssl-users] FIPS compile issue with Perl on Windows

Steve Marquess marquess at openssl.com
Tue Apr 19 15:12:11 UTC 2016


On 04/19/2016 10:43 AM, Jakob Bohm wrote:
> On 19/04/2016 16:31, Steve Marquess wrote:
>> On 04/19/2016 09:16 AM, Jakob Bohm wrote:
>>> On 19/04/2016 13:44, Leaky wrote:
>>>> Thanks, but I am still scratching my head as to if that is even
>>>> possible on
>>>> Windows, which would mean you can't actually compile the FIPS
>>>> canister on
>>>> Windows and meet the security policy.
>>>>...
> 
>> As documented in Appendix A of the Security Policy, for Windows the
>> required canonical build commands are:
>>
>>    ms\do_fips no-asm
>>
>> or
>>
>>    ms\do_fips
>>
>> instead of the "./config ...; make" used for *nix style platforms. The
>>
>>    gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
>>    cd openssl-fips-2.0.N
>>
>> is still required, which as you noted can be done with a third party
>> "gunzip", e.g. from Cygwin.
>>
>> Note that from a software engineering viewpoint it doesn't make much
>> sense to require that a "gunzip" command be installed and used when
>> another equivalent method of expanding the tarball is available, but the
>> CMVP required the specification of fixed build commands from the very
>> first validation.
>>
>> No requirement that a specific version of "gunzip" be used, so the use
>> of a script would appear to be permitted.
> Note that the official GNU gunzip is (as mentioned) a shell script.

My point was that even more generally use of various command definitions
appears to be allowed. For example, we have sometimes used such scripts
and/or "CC=gcc" style aliases for formal platform testing. Cross
compilations in particular generally aren't possible without such
command redefinitions; for those you're usually replacing multiple
native (to the build system) commands with those in the cross-compile
toolkit.

Use of command redefinitions to affect the behavior of the compiler (as
by adding compiler options) is rather more of a dark gray area.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


More information about the openssl-users mailing list