fips mode and key management

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Tue Jan 21 20:18:18 UTC 2020


> >    distinguish those two cases. Maybe the name OSSL_FIPS_PROVIDER would be
>     more fitting than FIPS_MODE?
> 
> 
> Or perhaps OPENSSL_BUILDING_FIPS, since a couple of PR's already have and use OPENSSL_BUILDING_OPENSSL ...

OPENSSL_BUILDING_OPENSSL is really a remarkably long name.  I hope this does not blow up any command-line
length limits 😉. How about using OSSL_LIBRARY library instead? This would fit nicely with OSSL_FIPS_PROVIDER:

    #ifdef OSSL_LIBRARY
        ...
    #endif

    #ifdef OSSL_FIPS_PROVIDER
        ...
    #endif

> There's no reason to use OSSL for internal macros.

But it avoids unnecessary name clashes with system headers. Just today, I saw this collision with Windows headers:

    include/openssl/types.h:74:#  undef OCSP_REQUEST
    include/openssl/types.h:75:#  undef OCSP_RESPONSE

(Yes, I know, Windows headers are really polluting the global namespace).



