
I am using FIPS along with OpenSSL libraries. When I don't want FIPS, system performance degrades due to the FIPS self test. Due to performance issues, I want to have the following solution:

  1. LibA -> OpenSSL + FIPS
  2. LibB -> OpenSSL only

When I enable FIPS, it touches a file in the /tmp directory & reboots the system. Now, based on the presence of the file, I want to either load LibA or LibB. Here, both LibA & LibB are OpenSSL libraries, either with FIPS or without.

Is it possible to do it? If yes, how? Is there any other better solution?

Note: Platform is Linux.

jww
0x07FC

1 Answer


I want to have following solution:

  • LibA -> OpenSSL + FIPS
  • LibB -> OpenSSL only

To enable or disable FIPS, you call FIPS_mode_set. FIPS_mode_set(1) should enable the mode if the library is FIPS capable, while FIPS_mode_set(0) disables FIPS algorithms.

I think in your desired usage, when libA is loaded, it checks for the temp file and only calls FIPS_mode_set(1) if the file is present.

If you compile and link against FIPS capable and FIPS non-capable, then you should guard the code with OPENSSL_FIPS.

So maybe something like:

#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>

#ifdef OPENSSL_FIPS
/* Bring FIPS mode in line with the flag file. Returns 1 on success. */
int sync_fips_mode(int temp_file_exists)
{
    int mode, ret = 1; unsigned long err = 0;   /* ret = 1: nothing to change */
    mode = FIPS_mode();

    if (temp_file_exists && mode == 0)
    {
        ret = FIPS_mode_set(1 /*on*/);
        err = ERR_get_error();
    }
    else if (!temp_file_exists && mode != 0)
    {
        ret = FIPS_mode_set(0 /*off*/);
        err = ERR_get_error();
    }
    else
    {
        /* mode already matches the flag file */
        printf("Who knows...\n");
    }

    if (ret != 1)
    {
        printf("FIPS_mode_set failed: %lx.\n", err);
    }
    return ret;
}
#endif

How to dynamically use FIPS and non-FIPS

You use dlopen and friends. You will have to perform some tricks to ensure libA always loads/runtime-links before libB. Research it and ask a new question if you have trouble.


it touches a file in /tmp directory & reboots the system

Research how to write a temp file and how to programmatically reboot the system. Ask a new question if you have trouble.

jww
  • I am able to achieve the 1st & last part. I was blocked while using FIPS & non-FIPS libraries based on FIPS flags. Let me try your suggestion. Thanks. – 0x07FC Sep 21 '16 at 15:03
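As an added illustration of the dlopen approach in the answer above (not code from the question, the answer or OpenSSL itself), this C loader picks LibA or LibB from the presence of the flag file, dlopens the chosen build and, for the FIPS build, resolves FIPS_mode_set with dlsym; the two library paths are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical absolute paths for the question's LibA (OpenSSL + FIPS) and
   LibB (OpenSSL only); absolute so LD_LIBRARY_PATH cannot swap them. */
#define LIB_A "/opt/openssl-fips/lib/libcrypto.so"
#define LIB_B "/opt/openssl/lib/libcrypto.so"

typedef int (*fips_mode_fn)(void);
typedef int (*fips_mode_set_fn)(int);
typedef unsigned long (*err_get_error_fn)(void);

/* The question's flag check: FIPS is wanted iff the file exists. */
int fips_requested(const char *flag_path)
{
    return access(flag_path, F_OK) == 0;
}

const char *choose_openssl_lib(int want_fips)
{
    return want_fips ? LIB_A : LIB_B;
}

/* dlopen the chosen build before anything else pulls in libcrypto and, for the
   FIPS build, switch FIPS mode on through the dlsym'd FIPS_mode_set.
   Returns 1 and stores the handle on success, 0 on failure. */
int load_openssl_for_flag(const char *flag_path, void **handle_out)
{
    int want_fips = fips_requested(flag_path);
    const char *lib = choose_openssl_lib(want_fips);
    void *h = dlopen(lib, RTLD_NOW | RTLD_GLOBAL);
    if (!h) { fprintf(stderr, "dlopen(%s): %s\n", lib, dlerror()); return 0; }
    if (want_fips) {
        fips_mode_fn fips_mode = (fips_mode_fn)dlsym(h, "FIPS_mode");
        fips_mode_set_fn fips_mode_set = (fips_mode_set_fn)dlsym(h, "FIPS_mode_set");
        err_get_error_fn err_get_error = (err_get_error_fn)dlsym(h, "ERR_get_error");
        if (!fips_mode || !fips_mode_set || !err_get_error) {
            fprintf(stderr, "%s has no FIPS entry points\n", lib); dlclose(h); return 0;
        }
        /* FIPS_mode_set(1) runs the power-up self tests; LibB never pays for them. */
        if (fips_mode() == 0 && fips_mode_set(1) != 1) {
            fprintf(stderr, "FIPS_mode_set failed: %lx\n", err_get_error());
            dlclose(h); return 0;
        }
    }
    *handle_out = h;
    return 1;
}
```

On glibc older than 2.34 link with -ldl. Any local user can create or delete a file in /tmp, so a root-owned path outside /tmp is a safer home for a switch that decides the crypto policy.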