In the past the the libgcrypt in FIPS mode was started in "soft" FIPS mode and applications could elect to switch to enforced FIPS mode. This was removed during last months and when system is in FIPS mode, the libgcrypt is enforcing all the FIPS requirements. Some applications might use some algorithms for non-cryptographic or legacy uses, which will not work in FIPS mode. Therefore we need an API to switch from the FIPS mode to normal mode of operation.
My suggestion would be to use something like GCRYCTL_NO_FIPS_SERVICE, which could change the FIPS status to non-enforced.
Stephan mentioned that the only requirement to do that is to have it in two-step from the FIPS enforced mode. But in our case, it means calling gcry_control with the above argument and the second the actual operation with non-FIPS allowed key/cipher.
We can either allow this operation only before the init is finalized by the application and no threads were started or we would have to figure out if we can make this reliably thread-safe so the applications can "switch off" the FIPS mode only for the particular operations. It will probably require some modification to the documentation and the FIPS FSM.
This would be much easier if we would have some library contexts in place, but introducing it now would be probably overkill right now.