No, you got the problem exactly right, and it is a bug that does need to be addressed.

(HMAC_SHA1_SIG is defined as a string with a nil terminator. gcc doesn't throw the error, but g++ rightly does. I think there's a command-line parameter to disable that particular error check, but I'm not sure -- but, as a possible workaround, you might be able to use gcc to call fipsld and use g++ for everything else.)

The proper definition would be in explicit declarative mode, as opposed to string mode (that is, { 's', 't', 'r', ... }; instead of "stringhere"). It's difficult to update, though, as any modification of the -fips tarball invalidates the FIPS certification.

(I'd like to see a FIPS validation system, as defined by the FIPS testing criteria, built for OpenSSL, in order to validate that any changes to the source tree won't cause a recertification to fail, and to perhaps fast-track any bugfixed code through a recertification. The cost of a recertification is not trivial, though...)

Steve: If you know how much the original certification cost, could you perhaps mention it? Or would you be able to point to someone I could ask?

-Kyle H

On 6/12/06, Marty Lamb <[EMAIL PROTECTED]> wrote:
I just noticed an insanely bad typo in my original message:

> However, when "CC=gcc fipsld" is used, the following error results:

Should instead be

> However, when "CC=g++ fipsld" is used, the following error results:

Sorry for any confusion. Any help would be very much appreciated.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788

Marty Lamb wrote:
> Hello,
>
> I am trying to build a C++ application using OpenSSL-fips-1.0. The
> application compiles and runs fine (sans FIPS_mode_set()) when simply
> compiled using g++.
>
> However, when "CC=gcc fipsld" is used, the following error results:
>
> /usr/local/ssl/bin/../lib/fips_premain.c:66: error: initializer-string
> for array of chars is too long
>
> The line in question (line 66 of fips_premain.c) is:
>
> static const unsigned char FINGERPRINT_ascii_value[40] = HMAC_SHA1_SIG;
>
> As far as I can tell this looks like an off by one error (no room in
> array for null terminator). Of course, I cannot modify fips_premain.c
> and still run fipsld.
>
> My compiler version is: g++ (GCC) 3.4.4 20050721 (Red Hat 3.4.4-2)
>
> This is trivial to test using the following program:
>
> int main(int argc, char **argv) {
>     return 0;
> }
>
> Am I missing something?
>
> Thanks,
>
> Marty
> ______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
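Added example, not part of the original thread and not OpenSSL's code: the two initializer forms discussed above for an exact-fit 40-character array, with length-bounded decoding because neither form stores a terminator. The fingerprint value is constructed, and the names `fp_list_form`, `fp_string_form`, `forms_match`, `fp_decode` and `fp_value` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define FP_LEN 40 /* 40 hex digits encode a 20-byte HMAC-SHA1 value */

/* Explicit element list: accepted by both C and C++ compilers. */
static const unsigned char fp_list_form[FP_LEN] = {
    '0','1','2','3','4','5','6','7','8','9',
    'a','b','c','d','e','f','0','1','2','3',
    '4','5','6','7','8','9','a','b','c','d',
    'e','f','0','1','2','3','4','5','6','7'
};

#ifndef __cplusplus
/* String-literal form: exactly FP_LEN characters, so C silently drops the
 * terminating NUL. C++ rejects this line with "initializer-string for
 * array of chars is too long", hence the guard. */
static const unsigned char fp_string_form[FP_LEN] =
    "0123456789abcdef0123456789abcdef01234567";
#endif

/* Returns 1 when both forms hold the same FP_LEN bytes. */
int forms_match(void) {
#ifndef __cplusplus
    return memcmp(fp_string_form, fp_list_form, FP_LEN) == 0;
#else
    return 1; /* only the list form exists when built as C++ */
#endif
}

static int hex_nibble(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Neither array is NUL-terminated, so strlen()/strcmp() would read past
 * the end. Decode by fixed length instead. Returns 0 on success, -1 on a
 * non-hex digit. */
int fp_decode(const unsigned char *hex, unsigned char out[FP_LEN / 2]) {
    size_t i;
    for (i = 0; i < FP_LEN / 2; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

const unsigned char *fp_value(void) { return fp_list_form; }
```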