FIPS/OpenSSL include directories

2012-01-29 Thread Kevin Fowler
When I build the FIPS module and install, it populates a
fips-2.0/include/openssl directory with a set of header files.

When I build the FIPS-capable OpenSSL library libcrypto, it has the
fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
include directory has a subset of the files in the usual include/openssl
directory, and since the FIPS include directory comes last in CFLAGS, it
seems that the FIPS include files are never used. So, I don't see why it is
even listed in CFLAGS.

E.g.,
powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
 -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
-D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
-fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
i_cbc.o i_cbc.c

But my real question is, when writing an application that uses the
FIPS-capable libcrypto, should that application pick up the header files in
the usual include/openssl directory, or the header files in the
fips-2.0/include/openssl directory? While some files are identical, a few
have differences. Is this a benign issue when using the FIPS-capable
libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
do I ever need the fips-2.0/include/openssl versions?

Thanks,
Kevin


Re: FIPS/OpenSSL include directories

2012-01-29 Thread Kevin Fowler
I'm asking here about the header files with the same name in both
directories. I see that there are three fips-specific header files in the
fips-2.0 include directory - which I would guess is what is getting picked
up by the last -I in CFLAGS...


On Sun, Jan 29, 2012 at 2:19 PM, Kevin Fowler kevpfow...@gmail.com wrote:

 When I build the FIPS module and install, it populates a
 fips-2.0/include/openssl directory with a set of header files.

 When I build the FIPS-capable OpenSSL library libcrypto, it has the
 fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
 include directory has a subset of the files in the usual include/openssl
 directory, and since the FIPS include directory comes last in CFLAGS, it
 seems that the FIPS include files are never used. So, I don't see why it is
 even listed in CFLAGS.

 E.g.,
 powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
  -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
 -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
 -fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
 i_cbc.o i_cbc.c

 But my real question is, when writing an application that uses the
 FIPS-capable libcrypto, should that application pick up the header files in
 the usual include/openssl directory, or the header files in the
 fips-2.0/include/openssl directory? While some files are identical, a few
 have differences. Is this a benign issue when using the FIPS-capable
 libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
 do I ever need the fips-2.0/include/openssl versions?

 Thanks,
 Kevin
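
The header-shadowing situation raised in this thread can be checked mechanically. The following is an added example, not part of the original messages or of OpenSSL's build system: it takes a compiler command line, applies the left-to-right order in which GCC searches `-I` directories, and reports for each `openssl/*.h` header which directory supplies it, which later directories are shadowed, and whether the shadowed copy is byte-identical. The directory tree, file contents and the function names `include_dirs`, `resolve_headers` and `build_sample_tree` are constructed for illustration; only `-I` is modelled (not `-isystem` or the including file's own directory).

```python
import filecmp
import os
import shlex
import tempfile

def include_dirs(compile_cmd, cwd):
    """Return the -I directories of a compiler command, in search order."""
    args, dirs = shlex.split(compile_cmd), []
    for i, arg in enumerate(args):
        if arg == "-I":                  # "-I dir" form
            dirs += args[i + 1:i + 2]
        elif arg.startswith("-I"):       # "-Idir" form
            dirs.append(arg[2:])
    # Resolve against the build directory; a repeated directory counts once.
    return list(dict.fromkeys(os.path.normpath(os.path.join(cwd, d)) for d in dirs))

def resolve_headers(dirs, subdir="openssl"):
    """Map header name -> (dir that wins, [(shadowed dir, identical?)])."""
    found = {}
    for d in dirs:
        hdr_dir = os.path.join(d, subdir)
        for name in sorted(os.listdir(hdr_dir)) if os.path.isdir(hdr_dir) else []:
            if name not in found:
                found[name] = (d, [])  # the first -I directory holding it wins
                continue
            winner = os.path.join(found[name][0], subdir, name)
            same = filecmp.cmp(winner, os.path.join(hdr_dir, name), shallow=False)
            found[name][1].append((d, same))
    return found

def build_sample_tree(root):
    """Constructed stand-in for the two include trees (not real OpenSSL headers)."""
    files = {"include/openssl/aes.h": "same", "include/openssl/evp.h": "regular",
             "include/openssl/ssl.h": "regular only",
             "fips-2.0/include/openssl/aes.h": "same",
             "fips-2.0/include/openssl/evp.h": "fips",
             "fips-2.0/include/openssl/fips.h": "fips only"}
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        cmd = "cc -I include -O3 -Wall -Ifips-2.0/include -c -o i_cbc.o i_cbc.c"
        for name, (winner, shadowed) in resolve_headers(include_dirs(cmd, root)).items():
            print(name, "<-", winner, "| shadowed (dir, identical):", shadowed)
```

Run against a real build, pass the actual compile command and the directory it was executed in; any header reported as shadowed with `identical` false is one where the two trees disagree and the earlier `-I` decides which text the compiler sees.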