Bug 756109

Summary: FIPS_mode() is in the wrong header file
Product: [Fedora] Fedora
Reporter: Henrik Bakken <hgb>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: mbroz, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-1.0.1c-1.fc18
Doc Type: Bug Fix
Last Closed: 2013-01-16 20:27:55 UTC

Description Henrik Bakken 2011-11-22 17:28:11 UTC
Description of problem:

In upstream openssl, the function FIPS_mode() (which is used to determine if the application is running in FIPS-mode) is in <openssl/crypto.h>.  In Fedora, where I believe the FIPS support has been backported to version 1.0.0e (it's in 1.0.1, which is not yet released, upstream), the function is in <openssl/fips.h>.

This causes problems when building applications using the function, since files should include <openssl/crypto.h>, and not fips.h to get the prototype.

Version-Release number of selected component (if applicable):

1.0.0e

How reproducible:

Always

Steps to Reproduce:
1. #include <openssl/crypto.h>, use FIPS_mode()
Actual results:
Compiler error (or, rather, warning)

Expected results:
Success!

Additional info:
I suppose moving it to crypto.h could break some applications written against Fedora OpenSSL, but a solution could perhaps be to do #include <openssl/crypto.h> in fips.h.

Comment 1 Tomas Mraz 2011-11-22 17:40:18 UTC
Actually the FIPS support in Fedora's OpenSSL pre-dates the unreleased upstream support on the 1.0.1 branch. It is a partial forward-port from the 0.9.8 fips branch and there it was in the openssl/fips.h include file.

Comment 2 Henrik Bakken 2011-11-22 18:29:22 UTC
Ah, okay.  I expected something like this.  Would it be possible to get an #include <openssl/fips.h> in crypto.h, for example?  Right now it's hard to write code for both.

Comment 3 Tomas Mraz 2011-11-22 19:51:22 UTC
You can test for the openssl version and include either fips.h or crypto.h. Note that Fedora will sooner or later upgrade to the 1.0.1 branch anyway and if you want to support RHEL-5 or 6 you'll have to live with the current placement of FIPS_mode() in fips.h as these distributions will not be changed in this regard.
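
The version test suggested in Comment 3, written out as a small compatibility shim. This is an added example, not code from the thread, Fedora or OpenSSL. The `app_`/`APP_` names are hypothetical, the 1.0.1 threshold is taken from the report, and the `OPENSSL_FIPS` guard assumes a library build that may lack FIPS support.

```c
#include <stdio.h>

/* 1.0.1 in OPENSSL_VERSION_NUMBER's 0xMNNFFPPS encoding: per the report, the
 * first upstream release line that declares FIPS_mode() in crypto.h. */
#define APP_OSSL_1_0_1 0x10001000UL

/* The comparison the preprocessor makes below, as a function so it can be
 * checked against constructed version numbers. */
static const char *app_fips_mode_header(unsigned long version)
{
    return version >= APP_OSSL_1_0_1 ? "openssl/crypto.h" : "openssl/fips.h";
}

#ifdef APP_USE_OPENSSL           /* hypothetical: defined when linking -lcrypto */
#include <openssl/opensslv.h>    /* OPENSSL_VERSION_NUMBER */
#include <openssl/opensslconf.h> /* OPENSSL_FIPS on FIPS-capable builds */
#include <openssl/crypto.h>
#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_NUMBER < APP_OSSL_1_0_1
#include <openssl/fips.h>        /* forward-ported 0.9.8-fips layout */
#endif

static int app_fips_enabled(void)
{
#ifdef OPENSSL_FIPS
    return FIPS_mode();          /* prototype is in scope on either layout */
#else
    return 0;                    /* library built without FIPS support */
#endif
}
#else
/* Build without OpenSSL: report FIPS mode as off. */
static int app_fips_enabled(void) { return 0; }
#endif

int main(void)
{
    /* Constructed samples: 1.0.0e (the reported version) and 1.0.1c (the fixed build). */
    printf("1.0.0e -> %s\n", app_fips_mode_header(0x1000005fUL));
    printf("1.0.1c -> %s\n", app_fips_mode_header(0x1000103fUL));
    printf("FIPS mode: %d\n", app_fips_enabled());
    return 0;
}
```

Application code then calls `app_fips_enabled()` and never includes `fips.h` or calls `FIPS_mode()` directly, so the header placement is decided in one place.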

Comment 4 Henrik Bakken 2011-11-23 08:03:08 UTC
Understandable, thanks for your comments.

Comment 5 Fedora End Of Life 2013-01-16 20:14:52 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping