On Tue, Sep 25, 2012, blaan...@rockwellcollins.com wrote:

>
> After further investigation, the FIPS private headers (for instance,
> fipssyms.h) are definitely being installed when I do "make install" in the
> openssl-fips-2.0.1 directory. Then those headers are being used by my
> openssl build, likely due to the openssl FIPS installation directory being
> included in the include path when openssl compiles. I thought only the
> following would have been installed by openssh-FIPS (and thus visible when
> building openssl later): fipsld, fips_standalone_sha1, fips_premain.c,
> fips_premain.c.sha1, fipscanister.o, and fipscanister.o.sha1. It turns out
> that many fips-private headers (most importantly fipssyms.h which was
> included by the FIPS version of crypto.h) are also installed, which is bad
> because then openssl library ends up using the redefined FIPS_digestinit
> version of EVP_DigestInit(), which doesn't do the initialization.
>
> I removed all of those headers that were installed with openssl-FIPS "make
> install", so that openssl wouldn't find them. I eventually came to the
> conclusion that the only headers that are necessary are fips.h and
> fips_rand.h. The rest don't need to be "installed" in order for openssl to
> build, so I'm not sure why they are installed -- especially since use of
> them is detrimental to the functionality (or can be, at least in some
> cases). The Makefiles all have a variable called EXHEADER and I'm thinking
> the only ones that should be installed are those that aren't included in
> the openssl 1.0.1c codebase -- namely fips.h and fips_rand.h. But, to each
> their own, there must be a reason I'm not aware of that these others are
> being installed.
>

Well what should be happening is that the FIPS capable OpenSSL finds its own
headers and refers to those first and then only uses the FIPS module headers
where necessary.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
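
The header-ordering problem discussed in this thread can be checked before building. The following is an added example, not part of the original messages or of OpenSSL's build system: it walks an ordered list of include directories the way a compiler does and lists headers that would be taken from the FIPS module install directory although the OpenSSL tree has its own copy. The function names, the temporary directory layout and the set of header files are constructed for the demonstration.

```shell
#!/bin/sh
# Include directories are searched left to right; the first directory that
# contains openssl/<name> supplies that header.

# shadowed_headers FIPS_INC OPENSSL_INC DIR...
#   FIPS_INC     include dir populated by the FIPS module "make install"
#   OPENSSL_INC  include dir of the FIPS capable OpenSSL tree
#   DIR...       the -I directories, in the order the compiler sees them
# Prints each header that resolves to FIPS_INC while OPENSSL_INC also has it.
# Headers that exist only in FIPS_INC (fips.h, fips_rand.h) are not reported.
shadowed_headers() {
    fips_inc=$1; ossl_inc=$2; shift 2
    for hdr in "$ossl_inc"/openssl/*.h; do
        [ -f "$hdr" ] || continue
        name=${hdr##*/}
        for dir in "$@"; do
            if [ -f "$dir/openssl/$name" ]; then
                if [ "$dir" = "$fips_inc" ]; then echo "$name"; fi
                break
            fi
        done
    done
}

# Constructed sample layout: paths and file set are assumptions for the demo.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/fips/include/openssl" "$root/openssl/include/openssl"
    for h in fips.h fips_rand.h fipssyms.h crypto.h evp.h; do
        : > "$root/fips/include/openssl/$h"
    done
    for h in crypto.h evp.h ssl.h; do
        : > "$root/openssl/include/openssl/$h"
    done
    echo "$root"
}

demo() {
    root=$(make_demo_tree)
    f=$root/fips/include; o=$root/openssl/include
    echo "FIPS dir first, shadowed:";    shadowed_headers "$f" "$o" "$f" "$o"
    echo "OpenSSL dir first, shadowed:"; shadowed_headers "$f" "$o" "$o" "$f"
    rm -rf "$root"
}
demo
```

On a real build, pass the two include directories and the `-I` order taken from the compiler command line; any output means the build is not using OpenSSL's own headers first.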