[openssl-users] FIPS compile issue with Perl on Windows

Steve Marquess marquess at openssl.com
Tue Apr 19 14:31:46 UTC 2016

On 04/19/2016 09:16 AM, Jakob Bohm wrote:
> On 19/04/2016 13:44, Leaky wrote:
>>> The Security Policy is quite specific on the requirements, which make no
>>> allowance for the common sense (to a software engineer) fact that there
>>> are equivalent multiple ways to accomplish each step (such as unzipping
>>> the tarball). You are also specifically required to begin with the
>>> official tarball. Per the Security Policy, you *must* do:
>>>     gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>>> and *not* any functionally equivalent alternative such as:
>>>     tar -zxf openssl-fips-2.0.12.tar.gz
>> Thanks, but I am still scratching my head as to if that is even
>> possible on
>> Windows, which would mean you can't actually compile the FIPS canister on
>> Windows and meet the security policy.
> There are Windows ports of gzip, gunzip and tar.  For example in the CYGWIN
> distribution (from https://cygwin.com) or MingW32 (those 2 are free), there
> are also commercial versions such as MKS.
> If you use the CYGWIN variant, but run under the Windows CMD shell, you
> will
> have to crate a .CMD equivalent of the gunzip shell script. Instead of the
> long winded code to output messages about what gunzip is, the following one
> line file should do the trick (there is no lf or crlf at the end of the
> line!), save this as gunzip.cmd somewhere on your PATH.
> @x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
> (x:\DOMEPATH\CYGWIN is obviously whereever you installed CYGWIN)
> Similarly create tar.cmd

Good catch, Jakob. I missed the Windows part.

As documented in Appendix A of the Security Policy, for Windows the
required canonical build commands are:

  ms\do_fips no-asm



instead of the "./config ...; make" used for *nix style platforms. The

  gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
  cd openssl-fips-2.0.N

is still required, which as you noted can be done with a third party
"gunzip", e.g. from Cygwin.

Note that from a software engineering viewpoint it doesn't make much
sense to require that a "gunzip" command be installed and used when
another equivalent method of expanding the tarball is available, but the
CMVP required the specification of fixed build commands from the very
first validation.

No requirement that a specific version of "gunzip" be used, so the use
of a script would appear to be permitted.

Confusing, for sure...

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list