Hello,
According the current version scheme 1.0.2 retain binary compatibility.
In this case is expected external application linked 1.0.1 to work with
1.0.2 without modification.
It seems to me now FIPS build retain binary but lost functional
compatibility. For instance EVP_dss1 could be used in FIPS mode but now
this functionality is if broken by commit "Experimental
multi-implementation support for FIPS capable OpenSSL. When in FIPS mode
the approved implementations are used as normal, when not in FIPS mode
the internal unapproved versions are used instead. This means that the
FIPS capable OpenSSL isn't forced to use the (often lower perfomance)
FIPS implementations outside FIPS mode."
What about to use following instead FIPS_get_digestbynid
==================
diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c
index a010103..5236abe 100644
--- a/crypto/evp/m_dss1.c
+++ b/crypto/evp/m_dss1.c
@@ -93,8 +93,16 @@ static const EVP_MD dss1_md=
sizeof(EVP_MD *)+sizeof(SHA_CTX),
};
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
const EVP_MD *EVP_dss1(void)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return(FIPS_evp_dss1());
+#endif
return(&dss1_md);
}
#endif
==================
It seems to me FIPS_get_digestbynid return limited number of EVP
"primitives" .
Regards,
Roumen
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
