FIPS_mode() and FIPS_mode_set() are functions that were used by the old FOM.
In OpenSSL_111 they were stripped down to do almost nothing i.e:- int FIPS_mode(void) { /* This version of the library does not support FIPS mode. */ return 0; } int FIPS_mode_set(int on) { if (r == 0) return 1; CRYPTOerr(0, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); return 0; } The original plan for these API’s is listed in the design document for 3.0 i.e- the set would - set the global property and then do a fetch of a particular algorithm (this is problematic in itself since the algorithm may not exist for a 3rd party fips provider which could just implement a single algorithm). And FIPS_mode() would just return true if the global property for fips was set. This got some pushback and after discussion with a few other otc members - it was decided that the functions should be deprecated since it would be confusing to a user because there are multiple library contexts allowed each with their own fips property that can be changed at any time. This is done in https://github.com/openssl/openssl/pull/11075 <https://github.com/openssl/openssl/pull/11075> and there is a related discussion in the comments. This PR has also been rejected the deprecation and discusses - FIPS_mode_set() function could be completely removed. - FIPS_mode() - query using the default library context OR completely remove. I have no issue with both functions being deleted as they no longer really mean the same thing as they did before. Each library context has its own default properties - so querying FIPS_mode() could only return what the default library context’s fips properties are - it doesnt mean every library context is in fips mode, or even that the fips module is loaded. If the functions are removed then it may require a OMC vote since this could be viewed as a breaking change.. Does anyone have any thoughts on this? Regards Shane