OpenSSL3 unloading and re-loading the FIPS provider after it enters error state

Matt Caswell matt at openssl.org
Mon Dec 6 16:33:16 UTC 2021



On 06/12/2021 15:49, Cristian Andrei Sandu wrote:
> Hi guys,
> 
> Is there any way I can re-load the FIPS provider after it reached its 
> error state? I’d like to do it without restarting the process. (If it 
> matters, I’m already using a non-default library context with a separate 
> configuration file that I load with OSSL_LIB_CTX_load_config()).
> 
> I’d like to be able to explicitly load the provider with 
> OSSL_PROVIDER_load(), call OSSL_PROVIDER_self_test() with a corrupted 
> test, unload the provider, re-load it and run OSSL_self_test() again 
> without the previous corrupted test. (all of these without killing the 
> process)
> 
> Which approach would you recommend?

In principle, if you unload the provider using OSSL_PROVIDER_unload() and 
free anything you fetched from the provider as well as freeing the 
libctx using OSSL_LIB_CTX_free() - then this should result in dlclose 
being called on the fips.so file. What happens then is up to the mercy 
of the OS - but it is likely to unload the .so from the process. 
Subsequently loading it again into a new libctx should then give you a 
blank slate to start again. However, this all very much depends on 
whether the fips.so does actually get removed by the OS. If it doesn't, 
then it will simply remember the self test result from last time and 
will fail to start up properly - so this is probably not sufficiently 
reliable for you to depend on it.

There isn't another way of doing this AFAIK.

Matt


> 
> Thanks,
> 
> Cristian Sandu
> 

