I can only add +1 to what Matthias suggests. Although I know the meaning of the FIPS_MODE define, for a newcomer it is obviously not clear what the define really means.
Tomas

On Tue, 2020-01-21 at 13:31 +0100, Matthias St. Pierre wrote:
> On 21.01.20 10:36, Richard Levitte wrote:
> > I think that the misunderstanding lies in when FIPS_MODE is
> > defined.
>
> Reading this sentence it occurred to me that the misunderstanding
> comes from the fact that the define is indeed misnamed. The term
> "FIPS mode" is a relic from FIPS 2.0, where the OpenSSL 1.0.x
> library had an API to enable FIPS mode *at runtime*.
>
> (Note that the *compile time* option to include the FOM was called
> OPENSSL_FIPS, not FIPS_MODE. So the misleading name must have crept
> in only recently.)
>
> > It's defined when the FIPS provider module is being built, never
> > otherwise.
>
> Exactly, in OpenSSL 3.0 the DEFAULT and the FIPS provider are
> partially built from the same source files, which is the reason why
> we need a build time constant to distinguish those two cases. Maybe
> the name OSSL_FIPS_PROVIDER would be more fitting than FIPS_MODE?
>
> #ifdef OSSL_FIPS_PROVIDER
> ...
> #endif
>
> Matthias
>
> P.S: Even though it is an internal define, it should have an OSSL_
> prefix IMHO.
> P.P.S: Optionally, one could also #define an OSSL_DEFAULT_PROVIDER,
> OSSL_LEGACY_PROVIDER, ...

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to
                                                 your conscience.]