diff --git a/crypto/s2n_fips.c b/crypto/s2n_fips.c index ff73433a6ce..18bb417d889 100644 --- a/crypto/s2n_fips.c +++ b/crypto/s2n_fips.c @@ -26,17 +26,24 @@ static bool s2n_fips_mode_enabled = false; -/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which then defines OPENSSL_FIPS. +/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which + * then defines OPENSSL_FIPS. * - * AWS-LC always defines FIPS_mode() that you can call and check what the library was built with. It does not define - * a public OPENSSL_FIPS/AWSLC_FIPS macro that we can (or need to) check here + * AWS-LC always defines FIPS_mode() that you can call and check what the + * library was built with. It does not define a public OPENSSL_FIPS/AWSLC_FIPS + * macro that we can (or need to) check here * - * Safeguard with macro's, for example because Libressl dosn't define + * Safeguard with macro's, for example because Libressl doesn't define * FIPS_mode() by default. * - * Note: FIPS_mode() does not change the FIPS state of libcrypto. This only returns the current state. Applications - * using s2n must call FIPS_mode_set(1) prior to s2n_init. - * */ + * Note: FIPS_mode() does not change the FIPS state of libcrypto. This only + * returns the current state. Applications using s2n must call FIPS_mode_set(1) + * prior to s2n_init. + * + * Note: Developers should use `s2n_is_in_fips_mode()` instead of calling this + * directly. `s2n_is_in_fips_mode()` returns libcrypto FIPS status at library + * initialization, ie. s2n_init(). + */ bool s2n_libcrypto_is_fips(void) { #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC) diff --git a/crypto/s2n_fips.h b/crypto/s2n_fips.h index f9eafef5907..9cce9b50bfa 100644 --- a/crypto/s2n_fips.h +++ b/crypto/s2n_fips.h @@ -23,7 +23,6 @@ int s2n_fips_init(void); bool s2n_is_in_fips_mode(void); -bool s2n_libcrypto_is_fips(void); struct s2n_cipher_suite; S2N_RESULT s2n_fips_validate_cipher_suite(const struct s2n_cipher_suite *cipher_suite, bool *valid); diff --git a/crypto/s2n_libcrypto.c b/crypto/s2n_libcrypto.c index 166e3bf86e3..cd269abde75 100644 --- a/crypto/s2n_libcrypto.c +++ b/crypto/s2n_libcrypto.c @@ -99,16 +99,33 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_number(void) } /* s2n_libcrypto_is_*() encodes the libcrypto version used at build-time. - * Currently only captures AWS-LC and BoringSSL. When a libcrypto-dependent - * branch is required, we prefer these functions where possible to reduce - # #ifs and avoid potential bugs where the header containing the #define is not - * included. + * + * When a libcrypto-dependent branch is required, we prefer these functions + * where possible to reduce #ifs and avoid potential bugs where the header + * containing the #define is not included. */ #if defined(OPENSSL_IS_AWSLC) && defined(OPENSSL_IS_BORINGSSL) #error "Both OPENSSL_IS_AWSLC and OPENSSL_IS_BORINGSSL are defined at the same time!" #endif +/* Attempt to detect if the libcrypto is OpenSSL. + * + * Since, quite a few libcrypto (BoringSSL, AWSLC) implementations are ABI + * compatible forks of OpenSSL, detecting OpenSSL is done by checking the + * absence of other libcrypto variants. + * + * Note: This check needs to be updated if s2n-tls adds support for a new + * libcrypto in the future. + */ +bool s2n_libcrypto_is_openssl() +{ + bool is_other_libcrypto_variant = + s2n_libcrypto_is_boringssl() || s2n_libcrypto_is_libressl() || s2n_libcrypto_is_awslc(); + + return !is_other_libcrypto_variant; +} + bool s2n_libcrypto_is_awslc() { #if defined(OPENSSL_IS_AWSLC) diff --git a/crypto/s2n_openssl.h b/crypto/s2n_openssl.h index cd43cb8f4e1..d09c249dbd2 100644 --- a/crypto/s2n_openssl.h +++ b/crypto/s2n_openssl.h @@ -56,6 +56,7 @@ #define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0 #endif +bool s2n_libcrypto_is_openssl(); bool s2n_libcrypto_is_awslc(); bool s2n_libcrypto_is_boringssl(); bool s2n_libcrypto_is_libressl(); diff --git a/tests/unit/s2n_pq_kem_test.c b/tests/unit/s2n_pq_kem_test.c index 355dbd0b83a..4c6d84f243a 100644 --- a/tests/unit/s2n_pq_kem_test.c +++ b/tests/unit/s2n_pq_kem_test.c @@ -41,7 +41,7 @@ int main() #if defined(OPENSSL_IS_AWSLC) && defined(AWSLC_API_VERSION) /* If using non-FIPS AWS-LC >= v1.6 (API vers. 21), expect Kyber512 KEM from AWS-LC */ - if (!s2n_libcrypto_is_fips() && AWSLC_API_VERSION >= 21) { + if (!s2n_is_in_fips_mode() && AWSLC_API_VERSION >= 21) { EXPECT_TRUE(s2n_libcrypto_supports_evp_kem()); } #endif diff --git a/utils/s2n_random.c b/utils/s2n_random.c index ac8f9817b1f..52904b13fda 100644 --- a/utils/s2n_random.c +++ b/utils/s2n_random.c @@ -48,6 +48,9 @@ #include #include #include +/* LibreSSL requires include. + * https://github.com/aws/s2n-tls/issues/153#issuecomment-129651643 + */ #include #include #include