On 04/19/2016 09:16 AM, Jakob Bohm wrote:
> On 19/04/2016 13:44, Leaky wrote:
>>> The Security Policy is quite specific on the requirements, which make no
>>> allowance for the common sense (to a software engineer) fact that there
>>> are equivalent multiple ways to accomplish each step (such as unzipping
>>> the tarball). You are also specifically required to begin with the
>>> official tarball. Per the Security Policy, you *must* do:
>>>
>>>   gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>>>
>>> and *not* any functionally equivalent alternative such as:
>>>
>>>   tar -zxf openssl-fips-2.0.12.tar.gz
>>>
>> Thanks, but I am still scratching my head as to if that is even possible on
>> Windows, which would mean you can't actually compile the FIPS canister on
>> Windows and meet the security policy.
>>
> There are Windows ports of gzip, gunzip and tar. For example in the CYGWIN
> distribution (from https://cygwin.com) or MingW32 (those 2 are free), there
> are also commercial versions such as MKS.
>
> If you use the CYGWIN variant, but run under the Windows CMD shell, you will
> have to create a .CMD equivalent of the gunzip shell script. Instead of the
> long winded code to output messages about what gunzip is, the following one
> line file should do the trick (there is no lf or crlf at the end of the
> line!), save this as gunzip.cmd somewhere on your PATH.
>
> @x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
>
> (x:\SOMEPATH\CYGWIN is obviously wherever you installed CYGWIN)
>
> Similarly create tar.cmd

Good catch, Jakob. I missed the Windows part. As documented in Appendix A
of the Security Policy, for Windows the required canonical build commands
are:

  ms\do_fips no-asm

or

  ms\do_fips

instead of the "./config ...; make" used for *nix style platforms. The

  gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
  cd openssl-fips-2.0.N

is still required, which as you noted can be done with a third party
"gunzip", e.g. from Cygwin.

Note that from a software engineering viewpoint it doesn't make much sense
to require that a "gunzip" command be installed and used when another
equivalent method of expanding the tarball is available, but the CMVP
required the specification of fixed build commands from the very first
validation. No requirement that a specific version of "gunzip" be used, so
the use of a script would appear to be permitted. Confusing, for sure...

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc