So fipsld is outside of the security boundary?

What all needs to stay the same?  What can be changed?

Can fips_premain.c be altered as part of the compilation process, for
example doing something like a gcc -E, then running a sed script over
it to convert the key to brace format before doing the full
compilation?  (I would think this would be... untrustworthy, because
fips_premain.c is the enforcer of the security boundary and thus
inside the security boundary?)

Just some confusion. :/

-Kyle H

On 7/7/06, Stephen Henson via RT <[EMAIL PROTECTED]> wrote:

[EMAIL PROTECTED] - Thu Jul  6 20:52:49 2006]:

> Hello,
>
>
>
> I have encountered an error compiling fips_premain.c with the Sun Studio C++
> compiler.  Lines 62-66 assign the 41-byte literal HMAC_SHA1_SIG (40
> characters plus null terminator) to the unsigned char array
> FINGERPRINT_ascii_value[40].  On the Sun Studio C++ compiler, this results
> in an error that prevents further compilation.  The same problem using g++
> has been described on the OpenSSL Users mailing list:
> http://www.mail-archive.com/[email protected]/msg45116.html
>
>
>
> I've checked today's snapshot of the 0.9.7 branch, and see that this code is
> unchanged.
>
>
>
> Is this documented as a bug?  If so, is it scheduled to be fixed in a
> particular release or is there a suggested workaround?
>

The file fips_premain.c is part of the validated source and the version
you would have to use would come from the validated sources. It is
identical to 0.9.7 at present.

The only changes in the FIPS 1.1 distribution are those related to the
cryptographic boundary.

This (and other issues) will be addressed in a followup validation if
funding is available.

There are several possible workarounds. You do not have to use the
supplied fipsld script; anything with equivalent functionality is
acceptable. Windows, for example, uses a Perl script for this purpose.
Therefore you can modify fipsld to either use a C compiler to compile
fips_premain.c or to convert the hash to brace format.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
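
The "convert the hash to brace format" workaround mentioned in the thread, as an added example that is not part of the thread, fipsld, or the validated sources: a shell function that turns a 40-character hex fingerprint into a character-by-character initializer that fills a 40-element array exactly. The function name `sig_to_braces` and the sample fingerprint are assumptions made for illustration; how the result is handed to the compiler is left to the build script.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from fipsld or OpenSSL).
# A 40-character string literal needs 41 bytes including the NUL, which a
# C++ compiler rejects for unsigned char[40]. A brace-format initializer
# lists exactly 40 elements and is accepted by both C and C++ compilers.

sig_to_braces() {
    sig=$1
    # Accept only hex digits: the fingerprint is an ASCII hex HMAC-SHA1.
    case $sig in
        ''|*[!0-9A-Fa-f]*)
            echo "sig_to_braces: not a hex string" >&2
            return 1 ;;
    esac
    # A wrong length would silently change the array contents, so refuse it.
    if [ "${#sig}" -ne 40 ]; then
        echo "sig_to_braces: expected 40 characters, got ${#sig}" >&2
        return 1
    fi
    out=
    rest=$sig
    while [ -n "$rest" ]; do
        tail=${rest#?}            # everything after the first character
        ch=${rest%"$tail"}        # the first character itself
        out="${out:+$out,}'$ch'"  # append as a quoted char, comma-separated
        rest=$tail
    done
    printf '{%s}\n' "$out"
}

# Constructed sample fingerprint, for demonstration only.
SAMPLE_SIG=0123456789abcdef0123456789abcdef01234567
sig_to_braces "$SAMPLE_SIG"
```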
