[openssl-users] FIPS compile issue with Perl on Windows

Steve Marquess marquess at openssl.com
Mon Apr 18 16:08:32 UTC 2016


On 04/18/2016 11:01 AM, Tristan Leask wrote:
> Hi All,
> 
> I am currently trying to set up an automated build process for a
> cloned copy of the code.  ...
> 
> In the link mentioned, it is talked about modifying the perl script
> to change how STDOUT works, however when you are compiling FIPS you
> aren't meant to modify the code shipped in the tarball, so how does
> one work around this issue apart from just compiling the code
> manually all the time?

There is really no point in trying to automate the build of the FIPS
module (fipscanister.o). As noted you can't change the source code
(contents of the tarball) at all, plus you're constrained by the
requirements of the Security Policy to build the module with precisely
the commands:

  gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
  cd openssl-fips-2.0.12
  ./config
  make

The Security Policy doesn't expressly prohibit you from embedding those
commands in a script, but IMHO you gain nothing but grief by doing so.
Build it manually, once, with some sort of record as a CYA for your file
cabinet.

Once you have the one and only copy of fipscanister.o you need (per
platform), you can then use normal software engineering best practice
for building OpenSSL proper (e.g. 1.0.2g) and your application code, and
automation would make more sense.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
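
Added example, not part of the original message and not OpenSSL project code: one way to keep the build record suggested above and to let an automated build of OpenSSL proper confirm it is consuming the one manually built fipscanister.o. The function names, the record file layout and the choice of SHA-256 are assumptions.

```shell
#!/bin/sh
# Pin a manually built fipscanister.o by digest (hypothetical helper names).
# The FIPS module build itself is NOT scripted here; only the record and the check.

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_build TARBALL CANISTER RECORD
# Run once, by hand, right after the manual build. Writes key=value lines
# describing who built what, where and when. Returns 2 if an input is missing.
record_build() {
    tarball=$1 canister=$2 record=$3
    [ -f "$tarball" ] && [ -f "$canister" ] || return 2
    {
        printf 'date_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'builder=%s\n' "$(id -un)@$(uname -n)"
        printf 'platform=%s\n' "$(uname -sm)"
        printf 'tarball_sha256=%s\n' "$(sha256_of "$tarball")"
        printf 'canister_sha256=%s\n' "$(sha256_of "$canister")"
    } > "$record"
}

# verify_canister CANISTER RECORD
# Run first in every automated build of OpenSSL proper.
# Returns 0 on match, 1 on digest mismatch, 2 if an input or field is missing.
verify_canister() {
    canister=$1 record=$2
    [ -f "$canister" ] && [ -f "$record" ] || return 2
    want=$(sed -n 's/^canister_sha256=//p' "$record")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$canister")" = "$want" ]
}
```

Keep the record file under version control or with the paper record, and have the automated job stop on any non-zero return from verify_canister.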

