Subject: Use OpenSSL 3 FIPS API
Author: Andreas Schärtl <andreas@schaertl.me>
Forwarded: https://github.com/cisco/libest/pull/124
Last-Update: 2024-01-26

--- a/example/client-brski/estclient-brski.c
+++ b/example/client-brski/estclient-brski.c
@@ -17,6 +17,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/crypto.h>
+#include <openssl/evp.h>
 #ifndef WIN32
 #include <strings.h>
 #endif
@@ -388,7 +389,7 @@
                 break;
             case 'f':
                 /* Turn FIPS on if requested and exit if failure */
-                set_fips_return = FIPS_mode_set(1);
+                set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
                 if (!set_fips_return) {
                     printf("\nERROR setting FIPS MODE ON ...\n");
                     ERR_load_crypto_strings();
--- a/example/client/estclient.c
+++ b/example/client/estclient.c
@@ -24,6 +24,7 @@
 #include <sys/stat.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #ifndef WIN32
@@ -1280,7 +1281,7 @@
                 break;
             case 'f':
                 /* Turn FIPS on if requested and exit if failure */
-                set_fips_return = FIPS_mode_set(1);
+                set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
                 if (!set_fips_return) {
                     printf("\nERROR setting FIPS MODE ON ...\n");
                     ERR_load_crypto_strings();
--- a/example/server/estserver.c
+++ b/example/server/estserver.c
@@ -26,6 +26,7 @@
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
+#include <openssl/evp.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/md5.h>
@@ -2276,7 +2277,7 @@
             /* turn FIPS on if user requested it
              * and exit if failure.
              */
-            set_fips_return = FIPS_mode_set(1);
+            set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
             if (set_fips_return != 1) {
                 set_fips_error = ERR_get_error();
                 printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");
--- a/java/jni/client.c
+++ b/java/jni/client.c
@@ -14,6 +14,7 @@
 #include <est/est.h>
 #include <openssl/x509v3.h>
 #include <openssl/bio.h>
+#include <openssl/evp.h>
 #include "safe_mem_lib.h"
 
 #define EST_CLASS_ENROLL_EXCEPTION 			"com/cisco/c3m/est/EnrollException"
@@ -163,7 +164,7 @@
  */
 JNIEXPORT jint JNICALL Java_com_cisco_c3m_est_ESTClient_enable_1fips(
 		JNIEnv *env, jclass obj) {
-	if (!FIPS_mode() && !FIPS_mode_set(1)) {
+	if (!EVP_default_properties_is_fips_enabled(NULL) && !EVP_default_properties_enable_fips(NULL, 1)) {
 		ERR_print_errors_fp(stderr);
 		return -1;
 	} else {
--- a/src/est/est_client.c
+++ b/src/est/est_client.c
@@ -34,6 +34,7 @@
 #include <openssl/ssl.h>
 #include <openssl/cms.h>
 #include <openssl/rand.h>
+#include <openssl/evp.h>
 #include "est.h"
 #include "est_locl.h"
 #include "est_ossl_util.h"
@@ -3176,7 +3177,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
             EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
             rv = EST_ERR_BAD_MODE;
             goto err;
@@ -3587,7 +3588,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
 	    EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
 	    rv = EST_ERR_BAD_MODE;
             goto err;
@@ -3673,7 +3674,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
             EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
             rv = EST_ERR_BAD_MODE;
             goto err;
@@ -5865,7 +5866,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
             EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
             rv = EST_ERR_BAD_MODE;
             goto err;
@@ -6359,7 +6360,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
             EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
             rv = EST_ERR_BAD_MODE;
             goto err;
@@ -6528,7 +6529,7 @@
          * HTTPS digest mode requires the use of MD5.  Make sure we're not
          * in FIPS mode and can use MD5
          */
-        if (ctx->auth_mode == AUTH_DIGEST && (FIPS_mode())){
+        if (ctx->auth_mode == AUTH_DIGEST && (EVP_default_properties_is_fips_enabled(NULL))){
             EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
             rv = EST_ERR_BAD_MODE;
             goto err;
--- a/src/est/est_server.c
+++ b/src/est/est_server.c
@@ -30,6 +30,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/cms.h>
 #include <openssl/bio.h>
+#include <openssl/evp.h>
 
 
 static ASN1_OBJECT *o_cmcRA = NULL;
@@ -3333,7 +3334,7 @@
         /*
          * Since HTTP digest auth uses MD5, make sure we're not in FIPS mode.
          */
-	if (FIPS_mode()) {
+	if (EVP_default_properties_is_fips_enabled(NULL)) {
 	    EST_LOG_ERR("HTTP digest auth not allowed while in FIPS mode");
 	    return (EST_ERR_BAD_MODE);
 	}
--- a/test/UT/US1864/us1864.c
+++ b/test/UT/US1864/us1864.c
@@ -17,6 +17,7 @@
 #include "test_utils.h"
 #include "st_server.h"
 #include <openssl/ssl.h>
+#include <openssl/evp.h>
 
 #ifdef HAVE_CUNIT
 #include "CUnit/Basic.h"
@@ -218,12 +219,12 @@
     /*
      * Make sure we don't allow DIGEST mode when in FIPS mode
      */
-    if (!FIPS_mode_set(1)) {
+    if (!EVP_default_properties_enable_fips(NULL, 1)) {
         printf("FIPS mode not supported, skipping test to prevent digest auth when in FIPS mode");
     } else {
         est_rv = est_server_set_auth_mode(ctx, AUTH_DIGEST);
         CU_ASSERT(est_rv == EST_ERR_BAD_MODE);
-        FIPS_mode_set(0);
+        EVP_default_properties_enable_fips(NULL, 0)
     }
 
     X509_free(x);
--- a/example/proxy/estproxy.c
+++ b/example/proxy/estproxy.c
@@ -27,6 +27,7 @@
 #include <getopt.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
+#include <openssl/evp.h>
 #include <est.h>
 #include <sys/types.h>
 #ifndef WIN32
@@ -593,7 +594,7 @@
             /*
              * Turn FIPS on if user requested it and exit if failure
              */
-            set_fips_return = FIPS_mode_set(1);
+            set_fips_return = EVP_default_properties_enable_fips(NULL, 1);
             if (set_fips_return != 1) {
                 set_fips_error = ERR_get_error();
                 printf("\nERROR WHILE SETTING FIPS MODE ON exiting ....\n");