When I build the FIPS module and install, it populates a
fips-2.0/include/openssl directory with a set of header files.

When I build the FIPS-capable OpenSSL library libcrypto, it has the
fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
include directory has a subset of the files in the usual include/openssl
directory, and since the FIPS include directory comes last in CFLAGS, it
seems that the FIPS include files are never used. So, I don't see why it is
even listed in CFLAGS.

E.g.,
powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
 -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
-D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
-fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
i_cbc.o i_cbc.c

But my real question is, when writing an application that uses the
FIPS-capable libcrypto, should that application pick up the header files in
the usual include/openssl directory, or the header files in the
fips-2.0/include/openssl directory? While some files are identical, a few
have differences. Is this a benign issue when using the FIPS-capable
libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
do I ever need the fips-2.0/include/openssl versions?

Thanks,
Kevin
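
The include-order observation above can be checked mechanically. This is an added example, not part of the original post or of OpenSSL: the function names, directory layout and header names (same.h, changed.h, extra.h) are constructed for illustration. It assumes the compiler searches -I directories left to right for #include <openssl/...>, so the first directory containing a header wins.

```shell
#!/bin/sh
# first_match HEADER DIR...: print the first directory, in -I order, that
# contains HEADER (the copy the compiler would use for #include <HEADER>).
first_match() {
    hdr=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$hdr" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# shadow_report FIPS_DIR DIR...: for every openssl/*.h under FIPS_DIR (which
# is searched last), report whether an earlier directory wins and whether the
# shadowing copy differs from the FIPS copy.
shadow_report() {
    fips=$1; shift
    for path in "$fips"/openssl/*.h; do
        [ -f "$path" ] || continue
        hdr=openssl/${path##*/}
        winner=$(first_match "$hdr" "$@" "$fips")
        if [ "$winner" = "$fips" ]; then
            echo "USED      $hdr"
        elif cmp -s "$winner/$hdr" "$path"; then
            echo "SHADOWED  $hdr identical"
        else
            echo "SHADOWED  $hdr DIFFERS"
        fi
    done
}

# Constructed sample trees (not real OpenSSL headers), in the same order as
# the compile line: ../../include first, fips-2.0/include last.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/include/openssl" "$tmp/fips-2.0/include/openssl"
    echo '#define A 1' > "$tmp/include/openssl/same.h"
    echo '#define A 1' > "$tmp/fips-2.0/include/openssl/same.h"
    echo '#define B 1' > "$tmp/include/openssl/changed.h"
    echo '#define B 2' > "$tmp/fips-2.0/include/openssl/changed.h"
    echo '#define C 1' > "$tmp/fips-2.0/include/openssl/extra.h"
    shadow_report "$tmp/fips-2.0/include" "$tmp/include"
    rm -rf "$tmp"
}
demo
```

Against a real build, call shadow_report with the FIPS include directory first and then the other -I directories in the order they appear on the compile line.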
