It's possible to be in FIPS mode in two ways on version 3:
1. Have non-FIPS providers loaded but algorithm selection limited to those with a "fips=yes" property. This is what we currently check for with EVP_default_properties_is_fips_enabled().
2. Have only the FIPS provider loaded to begin with. When this is true, there is no need to limit algorithm selection by property, because only FIPS approved algorithms are available to begin with.
This PR expands the existing check to include scenario (2).
Tested on Fedora 36 with OpenSSL 3.
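The two scenarios described above can be checked from a host with the sketch below, which is an added example and not the code from this PR. `classify_fips` and `probe_libcrypto` are hypothetical names, and accepting the `base` provider next to `fips` in scenario 2 is an assumption; the OpenSSL 3 functions are called through `ctypes`.

```python
import ctypes
import ctypes.util

# Assumption: "base" (encoders/decoders only) may sit beside "fips" in scenario 2.
FIPS_ONLY_ALLOWED = {"fips", "base"}


def classify_fips(default_props_fips, loaded_providers):
    """Return (scenario_1, scenario_2) for one library context."""
    loaded = set(loaded_providers)
    provider_only = "fips" in loaded and loaded <= FIPS_ONLY_ALLOWED
    return bool(default_props_fips), provider_only


def probe_libcrypto(path=None):
    """Read the property flag and provider names from the default context."""
    path = path or ctypes.util.find_library("crypto")
    if path is None:
        raise RuntimeError("libcrypto not found")
    lib = ctypes.CDLL(path)
    if not hasattr(lib, "OSSL_PROVIDER_do_all"):
        raise RuntimeError("libcrypto is older than OpenSSL 3")
    cb_type = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p)
    lib.EVP_default_properties_is_fips_enabled.argtypes = [ctypes.c_void_p]
    lib.EVP_default_properties_is_fips_enabled.restype = ctypes.c_int
    lib.OSSL_PROVIDER_get0_name.argtypes = [ctypes.c_void_p]
    lib.OSSL_PROVIDER_get0_name.restype = ctypes.c_char_p
    lib.OSSL_PROVIDER_do_all.argtypes = [ctypes.c_void_p, cb_type, ctypes.c_void_p]
    lib.OSSL_PROVIDER_do_all.restype = ctypes.c_int
    names = []

    def collect(prov, _cbdata):
        names.append(lib.OSSL_PROVIDER_get0_name(prov).decode())
        return 1  # non-zero keeps the iteration going

    callback = cb_type(collect)  # keep a reference alive during the call
    lib.OSSL_PROVIDER_do_all(None, callback, None)
    return bool(lib.EVP_default_properties_is_fips_enabled(None)), names


if __name__ == "__main__":
    by_property, names = probe_libcrypto()
    s1, s2 = classify_fips(by_property, names)
    print(f"providers={names} property_fips={s1} fips_provider_only={s2}")
    print("FIPS mode:", s1 or s2)
```

The result describes the default library context of the process running the script, as set up by the system OpenSSL configuration, not the state of another running application.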