On 2/10/2016 12:47 PM, Steve Marquess wrote:
> Since you're required to start with the official tarball, and aren't
> allowed to change the contents of the tarball, not even a teeny tiny
> little bit, there is no point in dumping the tarball contents into
> your local source code management/version control system. My
> recommendation is that one time only you conduct a solemn candlelit
> ceremony in which the build is manually performed in profound and
> reverential observance of the mandated procedure. Then take the
> resulting fipscanister.* and fips_premain.* files and version control
> those from then on out. Don't try to continually rebuild the FIPS
> module from source that cannot be modified anyway.
>
> -Steve M.

And once you build them, make sure to get SHA-256 and SHA-512 digests of them, print them out on a piece of paper along with an "I, ______________________, do certify that I built the OpenSSL FIPS version _______ distribution in accordance with its Security Policy under FIPS Certificate #_____ and generated these files with the following digests, on ____________." statement. Then sign the statement.

Everything related to FIPS is related to being able to document it, if you want to sell to a government agency... and if you don't want to sell to a government agency, there's no real reason for you to bother with it.

-Kyle H
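The digest step described above, as an added example that is not part of the thread and not OpenSSL project code: a small POSIX shell script that records SHA-256 and SHA-512 digests of the build outputs into a manifest once, right after the one-time build, and re-verifies the version-controlled artifacts against that manifest later. The artifact names (fipscanister.o, fips_premain.c) and the manifest filename are assumptions for illustration; the script relies only on sha256sum and sha512sum from coreutils.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Records and re-checks
# SHA-256 and SHA-512 digests of FIPS build artifacts. Artifact and
# manifest names passed on the command line are assumptions.
set -u

# record_digests MANIFEST FILE...
# Writes one sha256sum line and one sha512sum line per artifact into
# MANIFEST (truncating it first). Fails if any artifact is missing.
record_digests() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing artifact: $f" >&2; return 1; }
        sha256sum "$f" >> "$manifest"
        sha512sum "$f" >> "$manifest"
    done
}

# verify_digests MANIFEST
# Recomputes each digest named in MANIFEST (choosing the algorithm from
# the hex length: 64 = SHA-256, 128 = SHA-512) and compares it to the
# recorded value. Returns non-zero if any line mismatches or is malformed,
# so a tampered or rebuilt artifact is caught rather than silently accepted.
verify_digests() {
    manifest="$1"
    status=0
    while read -r expected name; do
        case ${#expected} in
            64)  actual=$(sha256sum "$name" | cut -d' ' -f1) ;;
            128) actual=$(sha512sum "$name" | cut -d' ' -f1) ;;
            *)   echo "bad manifest line: $expected $name" >&2
                 status=1; continue ;;
        esac
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $name" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# Stand-alone usage:
#   sh fips-digests.sh record digests.txt fipscanister.o fips_premain.c
#   sh fips-digests.sh verify digests.txt
case "${1:-}" in
    record) shift; record_digests "$@" ;;
    verify) verify_digests "$2" ;;
esac
```

The manifest is the machine-checkable counterpart of the signed paper statement: the signed page is what an auditor asks for, while `verify_digests` is what a build pipeline can run every time the checked-in fipscanister.* and fips_premain.* files are consumed, to confirm they are still the bytes produced by the one documented build.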