Re: EVP_default_properties_enable_fips()

It needs to be called for each library context.

If you are only using the default library context, calling it in a constructor would be enough. Alternatively, modify the library context creation function to include a call to this.


Pauli

On 17/2/2023 7:51 am, Thomas Dwyer III wrote:
For historical reasons going way back to the earliest days of the FIPS Object Module, we modified libcrypto to add a constructor function that reads a configuration file and calls FIPS_mode_set() to enable or disable FIPS mode. This mechanism ensures that FIPS mode is enabled for all applications system-wide. I need to preserve this functionality with OpenSSL 3.x, even for applications that might explicitly set OPENSSL_CONF to point at some other configuration (effectively forcing them to fail if that other configuration does not have a valid FIPS section from "openssl fipsinstall"). I'd like to confirm that with OpenSSL 3.x and the new FIPS provider, is it valid to call EVP_default_properties_enable_fips(NULL, 1) from a libcrypto constructor prior to main() or any other OpenSSL APIs getting invoked?


Thanks,
Tom.III




