From 6e64ec2af4980a0b695e7b041c5dba752f00568d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 29 Jun 2022 14:10:06 +1000
Subject: [PATCH] Detect if FIPS mode is configured at the OS level

Always look for FIPS_mode and EVP_default_properties_enable_fips
rather than just when requested by --enable-fips.
---
 configure.ac | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index f829571271..1cc2a537c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -777,6 +777,8 @@ AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
 # does not support FIPS mode.
 #
 # [pairwise: --enable-fips-mode, --disable-fips-mode]
+AC_CHECK_FUNCS(EVP_default_properties_enable_fips FIPS_mode)
+
 AC_ARG_ENABLE([fips-mode],
 	      [AS_HELP_STRING([--enable-fips-mode],
 			      [enable FIPS mode in OpenSSL library [default=no]])],
@@ -785,11 +787,9 @@ AC_ARG_ENABLE([fips-mode],
 AC_MSG_CHECKING([whether to enable FIPS mode in OpenSSL library])
 AS_CASE([$enable_fips_mode],
 	[yes], [AC_MSG_RESULT([yes])
-		AC_CHECK_FUNCS([EVP_default_properties_enable_fips],
-			       [],
-			       [AC_CHECK_FUNCS([FIPS_mode],
-					       [],
-					       AC_MSG_FAILURE([OpenSSL FIPS mode requested but not available.])]))],
+	        AC_DEFINE([ENABLE_FIPS_MODE], [1], [Define to 1 if you want FIPS mode to be enabled])
+		AS_IF([test "x$ac_cv_func_FIPS_mode" != xyes -a "x$ac_cv_func_EVP_default_properties_enable_fips" != xyes],
+		      AC_MSG_FAILURE([OpenSSL FIPS mode requested but not available.]))],
 	[no], [AC_MSG_RESULT([no])])
 
 AX_RESTORE_FLAGS([openssl])