openssl: Don't re-enter FIPS mode if we are already using it
authorMartin Willi <martin@revosec.ch>
Wed, 2 Apr 2014 13:16:15 +0000 (15:16 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Jun 2014 13:53:11 +0000 (15:53 +0200)
If FIPS mode has been enabled by other means, in some environments it can't
be entered again. It fails with "FIPS mode already set". To avoid this, we first
check the current mode before changing it.

src/libstrongswan/plugins/openssl/openssl_plugin.c

index 1ca1690ad4e3905cfe4c8b16ee64bef65236d6f7..a426cdcb3e3652c2f658d29c321fe40191918d4d 100644 (file)
@@ -526,9 +526,10 @@ plugin_t *openssl_plugin_create()
 #ifdef OPENSSL_FIPS
        if (fips_mode)
        {
-               if (!FIPS_mode_set(fips_mode))
+               if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
                {
-                       DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+                       DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
+                                fips_mode, FIPS_mode());
                        return NULL;
                }
        }
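Review bot: The new `FIPS_mode() != fips_mode` test skips `FIPS_mode_set()` only when the current mode equals the configured value exactly, so a process already in FIPS mode under a different non-zero value would still call `FIPS_mode_set()` and, going by the commit message, may fail with "FIPS mode already set" and return NULL. If that strictness is intended, a comment above the condition would make it explicit, e.g. `/* FIPS mode may have been enabled externally; only switch if it differs from the configured mode */`. The failure message reports both modes but not why OpenSSL refused; adding the error-queue text (for example via `ERR_error_string_n(ERR_get_error(), buf, sizeof(buf))`) would let an operator tell a missing FIPS module from an already-set mode. openssl_plugin_create() begins and continues outside this hunk.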