diff --git a/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c b/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c
index 41246a4b3f0..82b4d5d43ae 100644
--- a/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c
+++ b/tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c
@@ -14,31 +14,33 @@
  */
 /*
- * This feature probe checks if the linked libcrypto has ENGINE support [1].
+ * This feature probe checks if the linked libcrypto has ENGINE support.
  *
- * Normally, we would always expect the `openssl/engine.h` header to be
- * available. However, some platforms (CentOS 10, Fedora 41, and RHEL 10 are
- * manually removing the `openssl/engine.h` header (for more detail look at
- * issues [2] [3]).
- *
- * [1] https://docs.openssl.org/1.0.2/man3/engine/
- * [2] https://github.com/aws/s2n-tls/pull/4705
- * [3] https://github.com/aws/s2n-tls/pull/4873
+ * https://docs.openssl.org/1.0.2/man3/engine/
  */
+/*
+ * We would always expect the `openssl/engine.h` header to be available.
+ * However, some platforms (CentOS 10, Fedora 41, and RHEL 10) have reportedly
+ * been removing the `openssl/engine.h` header.
+ *
+ * See the related issues:
+ * - https://github.com/aws/s2n-tls/pull/4705
+ * - https://github.com/aws/s2n-tls/pull/4873
+ */
 #include
-int s2n_openssl_compat_rand(unsigned char *buf, int num)
+#if defined(OPENSSL_NO_ENGINE)
+ #error "engine is not supported"
+#endif
+
+int s2n_noop_rand(unsigned char *buf, int num)
 {
 return 1;
 }
 int main()
 {
-#if defined(OPENSSL_NO_ENGINE)
- #error "engine is not supported"
-#endif
-
 /* Init usage in utils/s2n_random.c */
 ENGINE *e = ENGINE_new();
 ENGINE_set_id(e, "id");
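Review bot: The hoisted `#if defined(OPENSSL_NO_ENGINE)` / `#error` block only does its job because it sits below the `#include` line above it; OPENSSL_NO_ENGINE comes from the libcrypto configuration header (opensslconf.h) that the OpenSSL headers pull in, so a later tidy-up that moves the check above the include, or drops the include, would make the probe silently pass on an engine-less build. A one-line comment such as `/* Must stay after the openssl include: OPENSSL_NO_ENGINE is defined by opensslconf.h */` would pin that ordering. `s2n_noop_rand` still ignores `buf` and `num` and unconditionally reports success, which is fine for a compile-only probe but worth saying in a comment on the function so it is not copied as a working RAND_METHOD callback. The body of main() continues past the end of the hunk.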
@@ -69,12 +71,12 @@ int main()
 * [1] AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
 * [2] OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
 */
- RAND_METHOD s2n_openssl_rand_method = {
+ RAND_METHOD s2n_noop_rand_method = {
 .seed = NULL,
- .bytes = s2n_openssl_compat_rand,
+ .bytes = s2n_noop_rand,
 .cleanup = NULL,
 .add = NULL,
- .pseudorand = s2n_openssl_compat_rand,
+ .pseudorand = s2n_noop_rand,
 .status = NULL
 };
diff --git a/tests/unit/s2n_random_test.c b/tests/unit/s2n_random_test.c
index a2280ffbc57..c0970d1ebb0 100644
--- a/tests/unit/s2n_random_test.c
+++ b/tests/unit/s2n_random_test.c
@@ -900,7 +900,7 @@ int main(int argc, char **argv)
 /* Feature probe */
 {
 #if defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE) && defined(OPENSSL_NO_ENGINE)
- FAIL_MSG("Engine feature probe failed.")
+ FAIL_MSG("Logic error with the Engine feature probe.")
 #endif
 };
diff --git a/utils/s2n_random.c b/utils/s2n_random.c
index 69ddca0a422..7ed6e2080fb 100644
--- a/utils/s2n_random.c
+++ b/utils/s2n_random.c
@@ -518,15 +518,11 @@ int s2n_openssl_compat_init(ENGINE *unused)
 return 1;
 }
-/* S2N_LIBCRYPTO_SUPPORTS_ENGINE is disabled when compiling with AWS-LC.
+/* RAND_METHOD is gated behind S2N_LIBCRYPTO_SUPPORTS_ENGINE because AWS-LC has
+ * a different signature for RAND_METHOD and fails to compile.
  *
- * Custom random is only used when linked with OpenSSL. However, it should be
- * possible to compile the ENGINE related code with other libcrypto (eg.
- * BoringSSL, LibreSSL). This is not the case with AWS-LC which has a different
- * `RAND_METHOD` signature and results in a compilation error.
- *
- * [1] AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
- * [2] OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
+ * - AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
+ * - OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
  */
 RAND_METHOD s2n_openssl_rand_method = {
 .seed = NULL,
@@ -557,9 +553,9 @@ bool s2n_supports_custom_rand()
 {
 #if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
 return false;
-#endif
-
+#else
 return !s2n_libcrypto_is_boringssl() && !s2n_libcrypto_is_libressl() && !s2n_libcrypto_is_awslc() && !s2n_is_in_fips_mode();
+#endif
 }
 S2N_RESULT s2n_rand_init(void)
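Review bot: The rewritten comment in the first hunk attributes the S2N_LIBCRYPTO_SUPPORTS_ENGINE gate solely to AWS-LC's incompatible RAND_METHOD signature and drops the removed sentence that custom random is only used when linked with OpenSSL, yet `s2n_supports_custom_rand` in the second hunk still refuses BoringSSL, LibreSSL, AWS-LC and FIPS mode at runtime, so a reader no longer sees why those libcryptos are excluded. Restoring one sentence, e.g. ` * The override is only installed at runtime when linked against non-FIPS OpenSSL; see s2n_supports_custom_rand().`, keeps the compile-time and runtime conditions tied together, which matters for anyone auditing where the library's entropy comes from. The `#if` that actually gates `s2n_openssl_rand_method` is not inside the hunk (the comment is followed directly by the definition), so I assume it sits above line 518. The `#if`/`#else`/`#endif` restructuring in `s2n_supports_custom_rand` itself reads correctly and removes the previously unreachable second return.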