From 72bbe8321f2a286a2438127b611c26953d9f2569 Mon Sep 17 00:00:00 2001
From: David Benoit
Date: Mon, 18 Sep 2023 16:21:22 -0400
Subject: [PATCH] Fix OpenSSL Runtime Check (#117)

This check can not happen before the openssl backend is initialized.
---
 src/crypto/internal/boring/boring.go | 4 +---
 src/crypto/internal/boring/strict_fips.go | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
index 88e63fea25..c383690df3 100644
--- a/src/crypto/internal/boring/boring.go
+++ b/src/crypto/internal/boring/boring.go
@@ -34,9 +34,6 @@ const (
 OPENSSL_VERSION_3_0_0 = uint64(C.ulong(0x30000000))
 )
-func init() {
- strictFIPSOpenSSLRuntimeCheck()
-}
 // Enabled controls whether FIPS crypto is enabled.
 var enabled = false
@@ -58,6 +55,7 @@ func init() {
 // Check if we can `dlopen` OpenSSL
 if C._goboringcrypto_DLOPEN_OPENSSL() == C.NULL {
+ strictFIPSOpenSSLRuntimeCheck()
 return
 }
diff --git a/src/crypto/internal/boring/strict_fips.go b/src/crypto/internal/boring/strict_fips.go
index 25101d08ea..227a9afb4f 100644
--- a/src/crypto/internal/boring/strict_fips.go
+++ b/src/crypto/internal/boring/strict_fips.go
@@ -11,7 +11,7 @@ import (
 var isStrictFIPS bool = true
 func strictFIPSOpenSSLRuntimeCheck() {
- if hostFIPSModeEnabled() && !Enabled() {
+ if hostFIPSModeEnabled() {
 fmt.Fprintln(os.Stderr, "FIPS mode is enabled, but the required OpenSSL backend is unavailable")
 os.Exit(1)
 }
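Review bot: The fail-closed check in boring.go's second `init()` now runs only on the `dlopen` failure branch, so any other path that leaves `enabled` false would no longer abort on a FIPS-mode host. The rest of `init()` lies outside the hunk, so it is not visible whether such early returns exist; if they do, the process would presumably continue without the OpenSSL backend. A single deferred guard at the top of `init()` would cover every exit, e.g. `defer func() { if !enabled { strictFIPSOpenSSLRuntimeCheck() } }()`. This assumes strict mode is meant to abort whenever the backend ends up disabled on a FIPS host; confirm that against the intended opt-out behaviour.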
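Review bot: In strict_fips.go, `strictFIPSOpenSSLRuntimeCheck` has no doc comment stating its new precondition. With `!Enabled()` dropped, it exits whenever the host is in FIPS mode, so its correctness depends on the caller having already established that the backend is unavailable. I would add `// strictFIPSOpenSSLRuntimeCheck exits the process if the host is in FIPS mode.` followed by `// Call it only after the OpenSSL backend has been found unavailable; it does not check backend state itself.` The function's closing brace is outside the hunk.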