pr comments

aws · Nov 15, 2024 · 5e481a9 · 5e481a9
1 parent 05d9336
commit 5e481a9
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 28 deletions.
diff --git a/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c b/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c
@@ -14,31 +14,33 @@
  */
 
 /*
- * This feature probe checks if the linked libcrypto has ENGINE support [1].
+ * This feature probe checks if the linked libcrypto has ENGINE support.
  *
- * Normally, we would always expect the `openssl/engine.h` header to be
- * available. However, some platforms (CentOS 10,  Fedora 41, and RHEL 10 are
- * manually removing the `openssl/engine.h` header (for more detail look at
- * issues [2] [3]).
- *
- * [1] https://docs.openssl.org/1.0.2/man3/engine/
- * [2] https://github.com/aws/s2n-tls/pull/4705
- * [3] https://github.com/aws/s2n-tls/pull/4873
+ * https://docs.openssl.org/1.0.2/man3/engine/
  */
 
+/*
+ * We would always expect the `openssl/engine.h` header to be available.
+ * However, some platforms (CentOS 10,  Fedora 41, and RHEL 10) have reportedly
+ * been removing the `openssl/engine.h` header.
+ *
+ * See the related issues:
+ * - https://github.com/aws/s2n-tls/pull/4705
+ * - https://github.com/aws/s2n-tls/pull/4873
+ */
 #include <openssl/engine.h>
 
-int s2n_openssl_compat_rand(unsigned char *buf, int num)
+#if defined(OPENSSL_NO_ENGINE)
+    #error "engine is not supported"
+#endif
+
+int s2n_noop_rand(unsigned char *buf, int num)
 {
     return 1;
 }
 
 int main()
 {
-#if defined(OPENSSL_NO_ENGINE)
-    #error "engine is not supported"
-#endif
-
     /* Init usage in utils/s2n_random.c */
     ENGINE *e = ENGINE_new();
     ENGINE_set_id(e, "id");
@@ -69,12 +71,12 @@ int main()
      * [1] AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
      * [2] OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
      */
-    RAND_METHOD s2n_openssl_rand_method = {
+    RAND_METHOD s2n_noop_rand_method = {
         .seed = NULL,
-        .bytes = s2n_openssl_compat_rand,
+        .bytes = s2n_noop_rand,
         .cleanup = NULL,
         .add = NULL,
-        .pseudorand = s2n_openssl_compat_rand,
+        .pseudorand = s2n_noop_rand,
         .status = NULL
     };
 

diff --git a/tests/unit/s2n_random_test.c b/tests/unit/s2n_random_test.c
@@ -900,7 +900,7 @@ int main(int argc, char **argv)
     /* Feature probe */
     {
 #if defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE) && defined(OPENSSL_NO_ENGINE)
-        FAIL_MSG("Engine feature probe failed.")
+        FAIL_MSG("Logic error with the Engine feature probe.")
 #endif
     };
 

diff --git a/utils/s2n_random.c b/utils/s2n_random.c
@@ -518,15 +518,11 @@ int s2n_openssl_compat_init(ENGINE *unused)
     return 1;
 }
 
-/* S2N_LIBCRYPTO_SUPPORTS_ENGINE is disabled when compiling with AWS-LC.
+/* RAND_METHOD is gated behind S2N_LIBCRYPTO_SUPPORTS_ENGINE because AWS-LC has
+ * a different signature for RAND_METHOD and fails to compile.
  *
- * Custom random is only used when linked with OpenSSL. However, it should be
- * possible to compile the ENGINE related code with other libcrypto (eg.
- * BoringSSL, LibreSSL). This is not the case with AWS-LC which has a different
- * `RAND_METHOD` signature and results in a compilation error.
- *
- * [1] AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
- * [2] OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
+ * - AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
+ * - OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
  */
 RAND_METHOD s2n_openssl_rand_method = {
     .seed = NULL,
@@ -557,9 +553,9 @@ bool s2n_supports_custom_rand()
 {
 #if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
     return false;
-#endif
-
+#else
     return !s2n_libcrypto_is_boringssl() && !s2n_libcrypto_is_libressl() && !s2n_libcrypto_is_awslc() && !s2n_is_in_fips_mode();
+#endif
 }
 
 S2N_RESULT s2n_rand_init(void)