authorTobias Brunner <tobias@strongswan.org>2013-09-27 09:11:55 +0200
committerTobias Brunner <tobias@strongswan.org>2013-09-27 09:24:03 +0200
commitc8f34ba7b604e063750e72e894d3b203988caea0 (patch)
treedc804516c9c0b226a27007042f23daefebf94f44 /src/libstrongswan/plugins/openssl/openssl_plugin.c
parente4d63cfae795ee9584e0292eece31340ad0ea926 (diff)
openssl: Properly log FIPS mode when enabled via openssl.conf
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf it should be disabled in strongswan.conf (or the other way around). Either way, we should log whether FIPS mode is enabled or not. References #412.
Diffstat (limited to 'src/libstrongswan/plugins/openssl/openssl_plugin.c')
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index fb34a6858..b6d699de2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -520,13 +520,14 @@ plugin_t *openssl_plugin_create()
fips_mode = lib->settings->get_int(lib->settings,
"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
#ifdef OPENSSL_FIPS
- if (!FIPS_mode_set(fips_mode))
+ if (fips_mode)
{
- DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
- return NULL;
+ if (!FIPS_mode_set(fips_mode))
+ {
+ DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+ return NULL;
+ }
}
- DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
- fips_mode ? "en" : "dis");
#else
if (fips_mode)
{
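Review bot: The new `if (fips_mode)` guard in the `#ifdef OPENSSL_FIPS` branch changes what `fips_mode = 0` in strongswan.conf means, from "disable FIPS mode" to "leave the FIPS state alone", and no comment records that. An operator who sets 0 and expects a non-FIPS process can still end up in FIPS mode when openssl.conf enables it, because `OPENSSL_config(NULL)` runs later in the same function. I would document this on the guard, for example `/* 0 does not disable FIPS mode, it only skips enabling it here; openssl.conf may still turn it on in OPENSSL_config() below */`. openssl_plugin_create() starts and ends outside this hunk.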
@@ -550,6 +551,13 @@ plugin_t *openssl_plugin_create()
OPENSSL_config(NULL);
OpenSSL_add_all_algorithms();
+#ifdef OPENSSL_FIPS
+ /* we do this here as it may have been enabled via openssl.conf */
+ fips_mode = FIPS_mode();
+ DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ", fips_mode,
+ fips_mode ? "en" : "dis");
+#endif /* OPENSSL_FIPS */
+
#ifndef OPENSSL_NO_ENGINE
/* activate support for hardware accelerators */
ENGINE_load_builtin_engines();
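Review bot: Assigning `fips_mode = FIPS_mode();` discards the value read from strongswan.conf, so the log line cannot show that the effective mode differs from the configured one (openssl.conf enabling FIPS while strongswan.conf says 0). For deployments that must demonstrate which mode they run in, that mismatch deserves its own message before the assignment, e.g. `if (FIPS_mode() != fips_mode) DBG1(DBG_LIB, "openssl FIPS mode(%d) differs from configured fips_mode(%d)", FIPS_mode(), fips_mode);`. Whether `fips_mode` is read again further down in openssl_plugin_create() is not visible in this hunk, so the overwrite itself is worth checking. As a minor style point, the format string keeps a trailing space after `%sabled`.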