[openssl-users] FIPS compile issue with Perl on Windows

Steve Marquess marquess at openssl.com
Mon Apr 18 23:51:23 UTC 2016

On 04/18/2016 04:05 PM, Leaky wrote:
>>> plus you're constrained by the
>>> requirements of the Security Policy to build the module with precisely
>>> the commands:
>>>  gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
>>>  cd openssl-fips-2.0.12
>>>  ./config
>>>  make
> Silly question... I know that you should only run the above commands, but
> can you deviate from the unzip tool, i.e. use 7zip?
> I managed to get it to work without editing anything, but I am now wondering
> if my process to compile the FIPS canister is bad purely because I am
> storing the deflated tarball on our SVN and using that uncompressed code to
> build from.  Putting aside the fact that this is automated, and that it is
> best to "run once and use many", should my script work with the raw tarball
> straight from the web, and not a locally expanded copy?

This is a mistake I've seen many times ("storing the deflated tarball on
our SVN"). You're thinking like a software engineer, when you should be
thinking like Alice down in the FIPS 140-2 rabbit hole.

There is no point in attempting to do the usual configuration management
and software version control on the contents of the
openssl-fips-2.0.12.tar.gz tarball. You CANNOT change the content; there
can be no changes to manage!!!

The Security Policy is quite specific on the requirements, which make no
allowance for the common sense (to a software engineer) fact that there
are equivalent multiple ways to accomplish each step (such as unzipping
the tarball). You are also specifically required to begin with the
official tarball. Per the Security Policy, you *must* do:

  gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -

and *not* any functionally equivalent alternative such as:

  tar -zxf openssl-fips-2.0.12.tar.gz

or even worse, a checkout of the expanded contents from your version
management system.

This is why I recommend you build the FIPS module once, manually,
exactly per the documented requirements. It doesn't make sense, from the
software engineering viewpoint, but is what the FIPS 140-2 validation
bureaucracy insists on.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc