[openssl-users] FIPS compile issue with Perl on Windows

Jakob Bohm jb-openssl at wisemo.com
Tue Apr 19 14:43:44 UTC 2016

On 19/04/2016 16:31, Steve Marquess wrote:
> On 04/19/2016 09:16 AM, Jakob Bohm wrote:
>> On 19/04/2016 13:44, Leaky wrote:
>>> Thanks, but I am still scratching my head as to if that is even
>>> possible on Windows, which would mean you can't actually compile the
>>> FIPS canister on Windows and meet the security policy.
>> There are Windows ports of gzip, gunzip and tar, for example in the
>> CYGWIN distribution (from https://cygwin.com) or MingW32 (those 2 are
>> free); there are also commercial versions such as MKS.
>> If you use the CYGWIN variant, but run under the Windows CMD shell, you
>> will have to create a .CMD equivalent of the gunzip shell script. Instead
>> of the long-winded code to output messages about what gunzip is, the
>> following one-line file should do the trick (there is no lf or crlf at
>> the end of the line!). Save this as gunzip.cmd somewhere on your PATH.
>> @x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
>> (x:\SOMEPATH\CYGWIN is obviously wherever you installed CYGWIN)
>> Similarly create tar.cmd
> Good catch, Jakob. I missed the Windows part.
I missed it too; Leaky caught it.

> As documented in Appendix A of the Security Policy, for Windows the
> required canonical build commands are:
>    ms\do_fips no-asm
> or
>    ms\do_fips
> instead of the "./config ...; make" used for *nix style platforms. The
>    gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
>    cd openssl-fips-2.0.N
> is still required, which as you noted can be done with a third party
> "gunzip", e.g. from Cygwin.
> Note that from a software engineering viewpoint it doesn't make much
> sense to require that a "gunzip" command be installed and used when
> another equivalent method of expanding the tarball is available, but the
> CMVP required the specification of fixed build commands from the very
> first validation.
> No requirement that a specific version of "gunzip" be used, so the use
> of a script would appear to be permitted.
Note that the official GNU gunzip is (as mentioned) a shell script.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
