From: Martin Willi <martin@revosec.ch>
Date: Wed, 2 Apr 2014 13:16:15 +0000 (+0200)
Subject: openssl: Don't re-enter FIPS mode if we are already using it
X-Git-Tag: 5.2.0dr6~24^2~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d34d800c6c77f2dc6efba12ab079b49f1a39301e;p=thirdparty%2Fstrongswan.git

openssl: Don't re-enter FIPS mode if we are already using it

If FIPS mode has been enabled by other means, under some environments it can't
be entered again. It fails with "FIPS mode already set". To avoid it, we first
check the mode before changing it.
---

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 1ca1690ad4..a426cdcb3e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -526,9 +526,10 @@ plugin_t *openssl_plugin_create()
 #ifdef OPENSSL_FIPS
 	if (fips_mode)
 	{
-		if (!FIPS_mode_set(fips_mode))
+		if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
 		{
-			DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+			DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
+				 fips_mode, FIPS_mode());
 			return NULL;
 		}
 	}