Kyle Hamilton wrote:
>
> No, you got the problem exactly right, and it is a bug that
> does need to be addressed. (HMAC_SHA1_SIG is defined as a
> string with a nil terminator. gcc doesn't throw the error,
> but g++ rightly does. I think there's a command-line
> parameter to disable that particular error check, but I'm not
> sure -- but, as a possible workaround, you might be able to
> use gcc to call fipsld and use g++ for everything
> else.)
>
> The proper definition would be in explicit declarative mode,
> as opposed to string mode. (that is, { 's', 't', 'r', ... };
> instead of "stringhere"). It's difficult to update, though,
> as any modification of the -fips tarball invalidates the FIPS
> certification. (I'd like to see a FIPS validation system, as
> defined by the FIPS testing criteria, built for OpenSSL, in
> order to validate that any changes to the source tree won't
> cause a recertification to fail, and to perhaps fast-track
> any bugfixed code through a recertification. The cost of a
> recertification is not trivial, though...)

The pieces for such a FIPS 140-2 regression test are more or less in place, in the form of the algorithm test drivers and the "fips_test_suite" test program. The use of those test utilities is documented in the FIPS Object Module User Guide.

> Steve: If you know how much the original certification cost,
> could you perhaps mention it? Or would you be able to point
> to someone I could ask?

It's hard to put a price tag on the overall OpenSSL FIPS object module validation effort (not certification, BTW) for several reasons. One is that this validation was unique as the first ever validated product delivered in source form, in the amount of time and effort expended over 3-1/2 years, and in the amount of external opposition encountered. A great deal of non-compensated labor was contributed, in addition to the US$120,000+ of initial cash funding. I guesstimate the total effort would easily have exceeded half a million bucks if the non-cash contributions were accounted for at fair market rates.

A revalidation should be much simpler and cheaper, fortunately. John Weathersby of the OSSI (www.oss-institute.org) is currently working on coordinating a follow-up validation with interested sponsors. What that revalidation will include and what it will cost will depend on the sponsors he signs up.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell
301-831-8447 land/fax
[EMAIL PROTECTED]