crypto: Deprecate enable_fips_mode/1

According to OpenSSL 3 documentation the function EVP_default_properties_enable_fips() used by enable_fips_mode "...are not thread safe. They are intended to be called only during the initialisation phase of a libctx."
erlang · Jun 24, 2024 · c6d175b · c6d175b
1 parent 91a0a69
commit c6d175b
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/lib/crypto/doc/crypto_app.md b/lib/crypto/doc/crypto_app.md
@@ -51,6 +51,7 @@ The following configuration parameters are defined for the crypto application.
 See [`app(3)`](`e:kernel:app.md`) for more information about configuration
 parameters.
 
+[](){: #fips_mode }
 - **`fips_mode = boolean()`** - Specifies whether to run crypto in FIPS mode.
   This setting will take effect when the nif module is loaded. If FIPS mode is
   requested but not available at run time the nif module and thus the crypto

diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
@@ -198,7 +198,8 @@ end
              {public_encrypt,  4,  "do not use"},
              {public_decrypt,  4,  "use public_key:verify/4 instead"},
              {start, 0, "use application:start(crypto) instead"},
-             {stop,  0, "use application:stop(crypto) instead"}
+             {stop,  0, "use application:stop(crypto) instead"},
+             {enable_fips_mode, 1, "use config parameter fips_mode"}
             ]).
 %%%----------------------------------------------------------------
 %% Removed functions.
@@ -937,7 +938,8 @@ library. If crypto was built with FIPS support this can be either `enabled`
 (when running in FIPS mode) or `not_enabled`. For other builds
 this value is always `not_supported`.
 
-See `enable_fips_mode/1` about how to enable FIPS mode.
+See configuration parameter [fips_mode](`e:crypto:crypto_app.md#fips_mode`)
+about how to enable FIPS mode.
 
 > #### Warning {: .warning }
 >
@@ -962,7 +964,7 @@ option `--enable-fips`, and the underlying libcrypto must also support FIPS.
 
 See also `info_fips/0`.
 """.
--doc(#{title => <<"Utility Functions">>,
+-doc(#{title => <<"Deprecated API">>,
        since => <<"OTP 21.1">>}).
 -spec enable_fips_mode(Enable) -> Result when Enable :: boolean(),
                                               Result :: boolean().

diff --git a/system/doc/general_info/DEPRECATIONS b/system/doc/general_info/DEPRECATIONS
@@ -22,6 +22,7 @@
 #
 crypto:start/0 since=28
 crypto:stop/0 since=28
+crypto:enable_fips_mode/1 since=28
 
 #
 # Added in OTP 27.