waf: Check correctly if gnutls has been compiled with fips mode support

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 13 19:17:56 UTC 2021 on sn-devel-184

1 files changed, 26 insertions, 3 deletions

diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 2ec217fb9dc..28abd29f964 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -1,4 +1,5 @@
 from waflib import Options
+import os
 
 def parse_version(v):
     return tuple(map(int, (v.split("."))))
@@ -35,9 +36,31 @@ conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
 if (parse_version(gnutls_version) > parse_version('3.6.14')):
     conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
 
-# Check if we have support for crypto policies
-if conf.CHECK_FUNCS_IN('gnutls_get_system_config_file', 'gnutls'):
-    conf.DEFINE('HAVE_GNUTLS_CRYPTO_POLICIES', 1)
+# Check if gnutls has fips mode support
+# gnutls_fips140_mode_enabled() is available since 3.3.0
+fragment = '''
+#include <gnutls/gnutls.h>
+#include <stdlib.h>
+
+int main(void)
+{
+    unsigned int ok;
+
+    ok = gnutls_fips140_mode_enabled();
+
+    return !ok;
+}
+'''
+
+os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
+conf.CHECK_CODE(fragment,
+                'HAVE_GNUTLS_FIPS_MODE_SUPPORTED',
+                execute=True,
+                addmain=False,
+                add_headers=False,
+                lib='gnutls',
+                msg='Checking for gnutls fips mode support')
+del os.environ['GNUTLS_FORCE_FIPS_MODE']
 
 if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
     conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)