opendnssec / SoftHSMv2

SoftHSM version 2
http://www.softhsm.org/

Please add support for FIPS module in OpenSSL 3.0.0 #649

Open alienbob opened 3 years ago

alienbob commented 3 years ago

Hi!

Enabling the new officially supported FIPS module in the just released OpenSSL 3.0.0 and then adding '--with-crypto-backend=openssl --enable-fips' in SoftHSM's configure leads to the following error:

checking for OpenSSL version... >= 1.0.1
checking for OpenSSL ECC support... Found P256, P384, and P521
checking for OpenSSL EDDSA ED25519 support... Found ED25519
checking for OpenSSL EDDSA ED448 support... Found ED448
checking for OpenSSL FIPS capable library... FIPS_mode_set(1) failed
configure: error: OpenSSL library is not FIPS capable

The config.log shows a bit more detail:

conftest.c: In function 'main':
conftest.c:32:49: warning: implicit declaration of function 'FIPS_mode_set' [-Wimplicit-function-declaration]
   32 |                                         return !FIPS_mode_set(1);
      |                                                 ^~~~~~~~~~~~~
/usr/bin/ld: /tmp/cc1QaQXP.o: in function `main':
conftest.c:(.text.startup+0xc): undefined reference to `FIPS_mode_set'
collect2: error: ld returned 1 exit status

The OpenSSL documentation for the new FIPS module in 3.0.0 (https://www.openssl.org/docs/manmaster/man7/fips_module.html) states:

Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer present
so you must remove them from your application if you use them.
Applications written to use the OpenSSL 3.0 FIPS module should not use any
legacy APIs or features that avoid the FIPS module.

Could you please add support to SoftHSM for this new FIPS module in OpenSSL 3.0.0? It will allow people to use SoftHSM instead of a hardware solution like YubiHSM when they need a FIPS-compliant solution for their computers but are not able to shell out a thousand euros per HSM. For instance, Open Source and not-for-profit organizations.

Thanks a lot, Eric
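The configure check that fails above is an autoconf run test built around `FIPS_mode_set(1)`, which OpenSSL 3.0 no longer exports. The fragment below is an added example of what the same check looks like against the OpenSSL 3.0 provider API, written here for illustration; it is not SoftHSM's own `configure.ac` or `m4/` macro. The macro name `ACX_OPENSSL_FIPS_PROVIDER`, the `CRYPTO_INCLUDES`/`CRYPTO_LIBS` variables and the `WITH_FIPS` define are assumed names, and the test assumes the build host has the FIPS provider installed and activated in its OpenSSL configuration (`fipsmodule.cnf`), because `OSSL_PROVIDER_load` fails otherwise.

```m4
dnl Hypothetical OpenSSL 3.0 FIPS configure check (added example, not
dnl SoftHSM's own macro). OpenSSL 3.0 removed FIPS_mode()/FIPS_mode_set();
dnl a FIPS-capable library is now one whose "fips" provider loads and can be
dnl made the default for EVP fetches.
AC_DEFUN([ACX_OPENSSL_FIPS_PROVIDER],[
	AC_MSG_CHECKING(for OpenSSL 3.0 FIPS provider)
	tmp_CPPFLAGS=$CPPFLAGS
	tmp_LIBS=$LIBS
	dnl CRYPTO_INCLUDES / CRYPTO_LIBS are assumed to be set by the
	dnl OpenSSL detection macro that runs before this one.
	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
	LIBS="$LIBS $CRYPTO_LIBS"
	AC_RUN_IFELSE([AC_LANG_PROGRAM(
		[#include <openssl/opensslv.h>
		 #include <openssl/provider.h>
		 #include <openssl/evp.h>
		 #if OPENSSL_VERSION_NUMBER < 0x30000000L
		 #error "the provider API needs OpenSSL 3.0 or later"
		 #endif],
		[/* Load the FIPS provider into the default library context. */
		 OSSL_PROVIDER *fips = OSSL_PROVIDER_load(NULL, "fips");
		 if (fips == NULL)
		 	return 1;   /* provider not installed or not configured */
		 /* Equivalent of the old FIPS_mode_set(1): make "fips=yes" the
		    default property query so only FIPS-validated algorithms are
		    fetched. */
		 if (!EVP_default_properties_enable_fips(NULL, 1))
		 	return 1;
		 /* Equivalent of the old FIPS_mode() == 1 check. */
		 if (!EVP_default_properties_is_fips_enabled(NULL))
		 	return 1;
		 OSSL_PROVIDER_unload(fips);
		 return 0;])],
		[AC_MSG_RESULT([found])
		 AC_DEFINE([WITH_FIPS], [1], [Compile with FIPS 140-2 mode])],
		[AC_MSG_RESULT([not found])
		 AC_MSG_ERROR([OpenSSL 3.0 FIPS provider could not be loaded and enabled])],
		[AC_MSG_RESULT([cross-compiling, cannot run test])
		 AC_MSG_ERROR([cannot verify the OpenSSL FIPS provider when cross-compiling])])
	CPPFLAGS=$tmp_CPPFLAGS
	LIBS=$tmp_LIBS
])
```

The same substitution applies to the backend code at runtime: wherever the OpenSSL crypto backend called `FIPS_mode_set(1)` at library initialisation, an OpenSSL 3.0 build would load the provider and call `EVP_default_properties_enable_fips(NULL, 1)` instead, and verify with `EVP_default_properties_is_fips_enabled(NULL)` that the switch actually took effect rather than silently falling back to the default provider.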

totti0858 commented 1 year ago

I am confronting a similar issue compiling the FIPS-capable SoftHSM2 library with the OpenSSL 3.0 library.

Do you have a plan to support this feature?
