Kyle Hamilton wrote:
No, you got the problem exactly right, and it is a bug that does need
to be addressed.  (HMAC_SHA1_SIG is defined as a string with a nil
terminator.  gcc doesn't throw the error, but g++ rightly does.  I
think there's a command-line parameter to disable that particular
error check, but I'm not sure -- but, as a possible workaround, you
might be able to use gcc to call fipsld and use g++ for everything
else.)

Thanks. At least now I know I'm not crazy. I searched for a g++ command line parameter to disable that check, but couldn't find anything.

Just a few minutes ago, however, I discovered exactly the solution you suggest. Compile everything (C and C++) into object files using whatever compiler is appropriate, then use gcc with fipsld to link, but manually specify the C++ library for the linker:

        CC=gcc fipsld ... -lstdc++

This works fine, and does not appear to violate any of the OpenSSL FIPS criteria. It might even be obvious to developers used to mixing C and C++ (unlike myself. :)

(I'd like to
see a FIPS validation system, as defined by the FIPS testing criteria,
built for OpenSSL, in order to validate that any changes to the source
tree won't cause a recertification to fail, and to perhaps fast-track
any bugfixed code through a recertification.  The cost of a
recertification is not trivial, though...)

That would be great. And I'm sure that there are plenty of parties who would be more than happy to help fund recertifications for future bug fixes.

Thanks for the response and the dead-on solution.

- Marty

--
Marty Lamb
Rajant Corporation
610-873-6788
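The initializer problem Kyle describes above (a char array sized to the visible characters of a string literal, which C accepts by silently dropping the terminating NUL and C++ rejects as a too-long initializer) is shown below as an added C example. This is a constructed illustration, not OpenSSL's fips code; the SIG_TEXT value, array names and helper functions are made up for it. It also shows why the dropped terminator matters beyond the compile error: any strlen-style read of such an array runs off its end, so the portable declaration lets the compiler size the array and a length-bounded check is used instead of strlen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value: exactly 16 visible characters. */
#define SIG_TEXT "CONSTRUCTED-SIG!"

/* The pattern in question: array sized to the visible characters only.
 * C initializes all 16 bytes and drops the terminating NUL (legal in C);
 * g++ rejects this same line because the NUL makes 17 initializers for
 * 16 elements. Reading this array with strlen() would run past its end. */
static const char sig_exact[16] = SIG_TEXT;

/* Portable form: let the compiler size the array, so the NUL fits
 * (16 characters + 1 terminator = 17 bytes) in both C and C++. */
static const char sig_sized[] = SIG_TEXT;

/* Return 1 if a NUL byte exists within the first n bytes of buf, else 0. */
int is_nul_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Length bounded by n: never reads past the array, unlike strlen(). */
size_t bounded_len(const char *buf, size_t n)
{
    const char *p = memchr(buf, '\0', n);
    return p ? (size_t)(p - buf) : n;
}

size_t sig_exact_size(void) { return sizeof sig_exact; }
size_t sig_sized_size(void) { return sizeof sig_sized; }

int sig_exact_terminated(void)
{
    return is_nul_terminated(sig_exact, sizeof sig_exact);
}

int sig_sized_terminated(void)
{
    return is_nul_terminated(sig_sized, sizeof sig_sized);
}

int main(void)
{
    printf("sig_exact: %zu bytes, terminated=%d, bounded_len=%zu\n",
           sig_exact_size(), sig_exact_terminated(),
           bounded_len(sig_exact, sizeof sig_exact));
    printf("sig_sized: %zu bytes, terminated=%d, bounded_len=%zu\n",
           sig_sized_size(), sig_sized_terminated(),
           bounded_len(sig_sized, sizeof sig_sized));
    return 0;
}
```

Compiling this file with gcc succeeds; compiling the same text with g++ fails on the `sig_exact` line, which is the asymmetry behind the workaround of compiling C with gcc and linking with `-lstdc++`. The `sig_sized` declaration is the form that builds cleanly under both.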
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]