openssl: Properly log FIPS mode when enabled via openssl.conf
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
index fb34a68..b6d699d 100644 (file)
@@ -520,13 +520,14 @@ plugin_t *openssl_plugin_create()
        fips_mode = lib->settings->get_int(lib->settings,
                                                "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
 #ifdef OPENSSL_FIPS
-       if (!FIPS_mode_set(fips_mode))
+       if (fips_mode)
        {
-               DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
-               return NULL;
+               if (!FIPS_mode_set(fips_mode))
+               {
+                       DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+                       return NULL;
+               }
        }
-       DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
-                                  fips_mode ? "en" : "dis");
 #else
        if (fips_mode)
        {
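Review bot: The new `if (fips_mode)` guard changes what a value of 0 for `libstrongswan.plugins.openssl.fips_mode` means, and nothing in the hunk documents it. FIPS_mode_set() is no longer called for 0, so the setting now leaves the mode to OpenSSL's own configuration instead of requesting it to be off. A comment above the guard would make this explicit for anyone auditing the FIPS posture, for example `/* 0 does not disable FIPS, it leaves the mode to openssl.conf; the effective mode is logged after OPENSSL_config() */`. If the option's documentation describes 0 as "disabled", it presumably needs the same wording; that text and the rest of openssl_plugin_create() are outside this hunk.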
@@ -550,6 +551,13 @@ plugin_t *openssl_plugin_create()
        OPENSSL_config(NULL);
        OpenSSL_add_all_algorithms();
 
+#ifdef OPENSSL_FIPS
+       /* we do this here as it may have been enabled via openssl.conf */
+       fips_mode = FIPS_mode();
+       DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ", fips_mode,
+                fips_mode ? "en" : "dis");
+#endif /* OPENSSL_FIPS */
+
 #ifndef OPENSSL_NO_ENGINE
        /* activate support for hardware accelerators */
        ENGINE_load_builtin_engines();
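Review bot: Assigning `FIPS_mode()` back to `fips_mode` discards the value requested in strongswan.conf, so the log line cannot show a mismatch between the requested and the effective mode, and nothing checks for one. A guard before the assignment would keep that evidence, for example `if (fips_mode && !FIPS_mode()) DBG1(DBG_LIB, "openssl FIPS mode(%d) requested but not active", fips_mode);`. Whether OPENSSL_config() can ever lower a mode set earlier is not visible here, so this is a defensive check and not a known failure. If code after this hunk still reads `fips_mode` as the configured value, it now sees the effective one; the function continues outside the hunk, so that should be confirmed.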