No, you got the problem exactly right, and it is a bug that does need
to be addressed.  (HMAC_SHA1_SIG is defined as a string with a nil
terminator.  gcc doesn't throw the error, but g++ rightly does.  I
think there's a command-line parameter to disable that particular
error check, but I'm not sure -- but, as a possible workaround, you
might be able to use gcc to call fipsld and use g++ for everything
else.)

The proper definition would be in explicit declarative mode, as
opposed to string mode.  (that is, { 's', 't', 'r', ... }; instead of
"stringhere").  It's difficult to update, though, as any modification
of the -fips tarball invalidates the FIPS certification.  (I'd like to
see a FIPS validation system, as defined by the FIPS testing criteria,
built for OpenSSL, in order to validate that any changes to the source
tree won't cause a recertification to fail, and to perhaps fast-track
any bugfixed code through a recertification.  The cost of a
recertification is not trivial, though...)

Steve: If you know how much the original certification cost, could you
perhaps mention it?  Or would you be able to point to someone I could
ask?

-Kyle H

On 6/12/06, Marty Lamb <[EMAIL PROTECTED]> wrote:
I just noticed an insanely bad typo in my original message:

 > However, when "CC=gcc fipsld" is used, the following error results:

Should instead be

 > However, when "CC=g++ fipsld" is used, the following error results:

Sorry for any confusion.  Any help would be very much appreciated.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788


Marty Lamb wrote:
> Hello,
>
> I am trying to build a C++ application using OpenSSL-fips-1.0.  The
> application compiles and runs fine (sans FIPS_mode_set()) when simply
> compiled using g++.
>
> However, when "CC=gcc fipsld" is used, the following error results:
>
> /usr/local/ssl/bin/../lib/fips_premain.c:66: error: initializer-string
> for array of chars is too long
>
> The line in question (line 66 of fips_premain.c) is:
>
> static const unsigned char FINGERPRINT_ascii_value[40] = HMAC_SHA1_SIG;
>
> As far as I can tell this looks like an off by one error (no room in
> array for null terminator).  Of course, I cannot modify fips_premain.c
> and still run fipsld.
>
> My compiler version is: g++ (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)
>
> This is trivial to test using the following program:
>
>     int main(int argc, char **argv) {
>         return 0;
>     }
>
> Am I missing something?
>
> Thanks,
>
> Marty
>



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
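The C/C++ difference discussed in this thread, as an added example (not code from the thread or from OpenSSL). `SAMPLE_SIG` is a constructed 40-character placeholder, not a real fingerprint; the helper names are hypothetical, and the decoder assumes the 40 characters are the ASCII hex form of a 20-byte HMAC-SHA1 value.

```c
#include <stddef.h>
#include <string.h>

/* Constructed 40-character placeholder, NOT a real FIPS fingerprint. */
#define SAMPLE_SIG "0123456789abcdef0123456789abcdef01234567"
#define SIG_LEN 40

/* String-literal form, as on line 66 of fips_premain.c. C accepts a literal
 * that exactly fills the array and stores no terminator; C++ rejects it with
 * "initializer-string for array of chars is too long", so guard it. */
#ifndef __cplusplus
static const unsigned char sig_literal[SIG_LEN] = SAMPLE_SIG;
#endif

/* Brace form: the same 40 bytes, accepted by both gcc and g++. */
static const unsigned char sig_braces[SIG_LEN] = {
    '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
    '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
    '0','1','2','3','4','5','6','7'
};

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode SIG_LEN hex characters into SIG_LEN/2 bytes. The loop is bounded by
 * SIG_LEN because the array has no terminator; strlen() would overread.
 * Returns 0 on success, -1 on a non-hex character. */
int sig_decode(const unsigned char *sig, unsigned char *out) {
    for (size_t i = 0; i < SIG_LEN; i += 2) {
        int hi = hex_val(sig[i]), lo = hex_val(sig[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* 1 if both initializer forms hold identical bytes (always 1 under C++). */
int forms_match(void) {
#ifndef __cplusplus
    return memcmp(sig_literal, sig_braces, SIG_LEN) == 0;
#else
    return 1;
#endif
}
```

Built with gcc, both arrays are compiled and compared; built with g++, only the brace form is compiled, which is why that form works under either compiler.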
