I'm asking here about the header files with the same name in both
directories. I see that there are three fips-specific header files in the
fips-2.0 include directory - which I would guess is what is getting picked
up by the last "-I" in CFLAGS...


On Sun, Jan 29, 2012 at 2:19 PM, Kevin Fowler <kevpfow...@gmail.com> wrote:

> When I build the FIPS module and install, it populates a
> fips-2.0/include/openssl directory with a set of header files.
>
> When I build the FIPS-capable OpenSSL library libcrypto, it has the
> fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
> include directory has a subset of the files in the usual include/openssl
> directory, and since the FIPS include directory comes last in CFLAGS, it
> seems that the FIPS include files are never used. So, I don't see why it is
> even listed in CFLAGS.
>
> E.g.,
> powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
>  -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
> -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
> -fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
> i_cbc.o i_cbc.c
>
> But my real question is, when writing an application that uses the
> FIPS-capable libcrypto, should that application pick up the header files in
> the usual include/openssl directory, or the header files in the
> fips-2.0/include/openssl directory? While some files are identical, a few
> have differences. Is this a benign issue when using the FIPS-capable
> libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
> do I ever need the fips-2.0/include/openssl versions?
>
> Thanks,
> Kevin
>
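
The include-order question above can be checked directly. This added example is not part of the original thread. GCC searches `-I` directories left to right, so given the directories in that order the script lists every `openssl/*.h` that a later directory also provides and whether the shadowed copy is identical. The directory tree and header names in `demo` are constructed for illustration, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# report_shadowed DIR1 DIR2 ...  (same order as the -I flags on the command line)
# For each openssl/*.h found in a later directory that an earlier directory
# also provides, print:
#   <header> used=<dir the compiler picks> shadowed=<later dir> <identical|differs>
report_shadowed() {
    seen=""                               # directories earlier in the search order
    for dir in "$@"; do
        for hdr in "$dir"/openssl/*.h; do
            [ -f "$hdr" ] || continue     # glob matched nothing
            name=${hdr##*/}
            for winner in $seen; do       # first earlier hit is the one used
                if [ -f "$winner/openssl/$name" ]; then
                    if cmp -s "$winner/openssl/$name" "$hdr"; then
                        state=identical
                    else
                        state=differs
                    fi
                    echo "$name used=$winner shadowed=$dir $state"
                    break
                fi
            done
        done
        seen="$seen $dir"
    done
}

# Constructed sample tree: one header identical in both directories, one that
# differs, and one that exists only in the FIPS include directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/include/openssl" "$tmp/fips-2.0/include/openssl"
    echo '#define SAMPLE 1' > "$tmp/include/openssl/same.h"
    echo '#define SAMPLE 1' > "$tmp/fips-2.0/include/openssl/same.h"
    echo '/* regular copy */' > "$tmp/include/openssl/changed.h"
    echo '/* fips copy */' > "$tmp/fips-2.0/include/openssl/changed.h"
    echo '/* fips only */' > "$tmp/fips-2.0/include/openssl/only_fips.h"
    # Same order as the CFLAGS in the question: regular include first, FIPS last.
    (cd "$tmp" && report_shadowed include fips-2.0/include)
    rm -rf "$tmp"
}

demo
```

Headers that exist only in the last directory are not reported, because nothing earlier in the search order shadows them.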
