FIPS_mode() and FIPS_mode_set() are functions that were used by the old FOM.

In OpenSSL_111 they were stripped down to do almost nothing

int FIPS_mode(void)      
    /* This version of the library does not support FIPS mode. */      
    return 0;      

int FIPS_mode_set(int on)      
if (r == 0)      
    return 1;    

return 0;      

The original plan for these API’s is listed in the design document for 3.0
i.e- the set would - set the global property and then do a fetch of a 
particular algorithm (this is problematic in itself since the algorithm may not 
exist for a 3rd party fips provider which could just implement a single 
And FIPS_mode() would just return true if the global property for fips was set.

This got some pushback and after discussion with a few other otc members - it 
was decided that the functions should be deprecated since it would be confusing 
to a user because there are multiple library contexts allowed each with their 
own fips property that can be changed at
any time.

This is done in 
<> and there is a related 
discussion in the comments.

This PR has also been rejected the deprecation and discusses
- FIPS_mode_set() function could be completely removed.
- FIPS_mode() - query using the default library context OR completely remove.

I have no issue with both functions being deleted as they no longer really mean 
the same thing as they did before.
Each library context has its own default properties - so querying FIPS_mode() 
could only return what the default library context’s fips properties are - it 
doesnt mean every library context is in fips mode, or even that the fips module 
is loaded. 
If the functions are removed then it may require a OMC vote since this could be 
viewed as a breaking change..

Does anyone have any thoughts on this?


Reply via email to