<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">FIPS_mode() and FIPS_mode_set() are functions that were used by the old FOM.</div><div class=""><br class=""></div><div class="">In OpenSSL_111 they were stripped down to do almost nothing</div><div class="">i.e:-</div><div class=""><br class=""><table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code"><span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker=" "><span class="pl-k">int</span> <span class="pl-en">FIPS_mode</span>(<span class="pl-k">void</span>)</span>

    </span></td></tr><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""></tr></tbody></table></div><div class="">
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker=" ">{</span>      </span></td></tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-deletion code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker="-"><span class="pl-c"><span class="x pl-c x-first">    /*</span><span class="x"> This version of the library does not support FIPS mode. </span><span class="x pl-c x-last">*/</span></span></span>      </span></td></tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker=" "><span class="pl-k">    return</span> <span class="pl-c1">0</span>;</span>

    </span></td>
</tr>




    <tr data-hunk="55cef2144be6b1fd94874ad973d12248" class="">
    </tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code">

      <span class="blob-code-inner blob-code-marker" data-code-marker=" " style="font-size: 12px;">}</span></td></tr></tbody></table>
        <br class="">
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-addition code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker="+"><span class="pl-k">int</span> <span class="pl-en">FIPS_mode_set</span>(<span class="pl-k">int</span> <span class="x x-first x-last">on</span>)</span>

    </span></td>
</tr>




    <tr data-hunk="55cef2144be6b1fd94874ad973d12248" class="">
    </tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code">

      <span class="blob-code-inner blob-code-marker" data-code-marker=" " style="font-size: 12px;">{</span></td></tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-deletion code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker="-">    <span class="pl-k">if</span> (r == <span class="pl-c1">0</span>)</span>

    </span></td>

    </tr></tbody></table><table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-deletion code-review blob-code"><span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker="-"><span class="pl-k">    return</span> <span class="pl-c1">1</span>;</span>    </span></td></tr></tbody></table><div class=""><br class=""></div><table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-addition code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker="+">    <span class="pl-c1">CRYPTOerr</span>(<span class="pl-c1">0</span>, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);</span> </span></td></tr></tbody></table>
        <table class=" diff-table tab-size file-diff-split js-diff-table js-file-diff-split" data-tab-size="8" data-diff-anchor="diff-263561fdcbd8ec0d328c00da83060085"><tbody class=""><tr data-hunk="55cef2144be6b1fd94874ad973d12248" class=""><td class="blob-code-context code-review blob-code">

      <span style="font-size: 12px;" class=""><span class="blob-code-inner blob-code-marker" data-code-marker=" ">    <span class="pl-k">return</span> <span class="pl-c1">0</span>;</span>

    </span></td>
</tr>




    <tr data-hunk="55cef2144be6b1fd94874ad973d12248" class="">
    </tr></tbody></table>
        

      <span class="blob-code-inner blob-code-marker" data-code-marker=" ">}</span></div><div class=""><br class=""></div><div class="">The original plan for these APIs is listed in the design document for 3.0</div><div class="">i.e. the set would set the global property and then do a fetch of a particular algorithm (this is problematic in itself since the algorithm may not exist for a 3rd party fips provider which could just implement a single algorithm).</div><div class="">And FIPS_mode() would just return true if the global property for fips was set.</div><div class=""><br class=""></div><div class="">This got some pushback and after discussion with a few other OTC members - it was decided that the functions should be deprecated since it would be confusing to a user because there are multiple library contexts allowed each with their own fips property that can be changed at any time.</div><div class=""><br class=""></div><div class="">This is done in <a href="https://github.com/openssl/openssl/pull/11075" class="">https://github.com/openssl/openssl/pull/11075</a> and there is a related discussion in the comments.</div><div class=""><br class=""></div><div class="">This PR has also been rejected the deprecation and discusses</div><div class="">- FIPS_mode_set() function could be completely removed.</div><div class="">- FIPS_mode() - query using the default library context OR completely remove.</div><div class=""><br class=""></div><div class="">I have no issue with both functions being deleted as they no longer really mean the same thing as they did before.</div><div class="">Each library context has its own default properties - so querying FIPS_mode() could only return what the default library context’s fips properties are - it doesn't mean every library context is in fips mode, or even that the fips module is loaded. 
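</div><div class=""><br class=""></div><div class="">Review bot: in FIPS_mode_set(), removing the "if (r == 0) return 1;" early return means a call with on == 0 now falls through to CRYPTOerr(0, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED) and returns 0, so a caller that only asks for FIPS mode to be off gets a failure plus an error-queue entry, and the renamed parameter "on" is never read. Suggest keeping the check as "if (on == 0) return 1;", or, if failing unconditionally is intended, saying so in a comment and marking the parameter unused. The comment deleted from FIPS_mode() was the only in-code explanation of why it always returns 0, so it is worth keeping or replacing.</div><div class=""><br class="">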
</div><div class="">If the functions are removed then it may require an OMC vote since this could be viewed as a breaking change.</div><div class=""><br class=""></div><div class="">Does anyone have any thoughts on this?</div><div class=""><br class=""></div><div class="">Regards</div><div class="">Shane</div></body></html>