From c27d982b37f7212ee3149004303b24320f888622 Mon Sep 17 00:00:00 2001
From: Apoorv Kothari <apoorv@toidiu.com>
Date: Fri, 22 Nov 2024 22:19:13 -0800
Subject: [PATCH] chore: add s2n_libcrypto_is_openssl helper, docs, fix test

---
 crypto/s2n_fips.c            | 21 ++++++++++++++-------
 crypto/s2n_fips.h            |  1 -
 crypto/s2n_libcrypto.c       | 25 +++++++++++++++++++++----
 crypto/s2n_openssl.h         |  1 +
 tests/unit/s2n_pq_kem_test.c |  2 +-
 utils/s2n_random.c           |  3 +++
 6 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/crypto/s2n_fips.c b/crypto/s2n_fips.c
index ff73433a6ce..18bb417d889 100644
--- a/crypto/s2n_fips.c
+++ b/crypto/s2n_fips.c
@@ -26,17 +26,24 @@
 
 static bool s2n_fips_mode_enabled = false;
 
-/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which then defines OPENSSL_FIPS.
+/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which
+ * then defines OPENSSL_FIPS.
  *
- * AWS-LC always defines FIPS_mode() that you can call and check what the library was built with. It does not define
- * a public OPENSSL_FIPS/AWSLC_FIPS macro that we can (or need to) check here
+ * AWS-LC always defines FIPS_mode() that you can call and check what the
+ * library was built with. It does not define a public OPENSSL_FIPS/AWSLC_FIPS
+ * macro that we can (or need to) check here
  *
- * Safeguard with macro's, for example because Libressl dosn't define
+ * Safeguard with macro's, for example because Libressl doesn't define
  * FIPS_mode() by default.
  *
- * Note: FIPS_mode() does not change the FIPS state of libcrypto. This only returns the current state. Applications
- * using s2n must call FIPS_mode_set(1) prior to s2n_init.
- * */
+ * Note: FIPS_mode() does not change the FIPS state of libcrypto. This only
+ * returns the current state. Applications using s2n must call FIPS_mode_set(1)
+ * prior to s2n_init.
+ *
+ * Note: Developers should use `s2n_is_in_fips_mode()` instead of calling this
+ * directly. `s2n_is_in_fips_mode()` returns libcrypto FIPS status at library
+ * initialization, ie. s2n_init().
+ */
 bool s2n_libcrypto_is_fips(void)
 {
 #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
diff --git a/crypto/s2n_fips.h b/crypto/s2n_fips.h
index f9eafef5907..9cce9b50bfa 100644
--- a/crypto/s2n_fips.h
+++ b/crypto/s2n_fips.h
@@ -23,7 +23,6 @@
 
 int s2n_fips_init(void);
 bool s2n_is_in_fips_mode(void);
-bool s2n_libcrypto_is_fips(void);
 
 struct s2n_cipher_suite;
 S2N_RESULT s2n_fips_validate_cipher_suite(const struct s2n_cipher_suite *cipher_suite, bool *valid);
diff --git a/crypto/s2n_libcrypto.c b/crypto/s2n_libcrypto.c
index 166e3bf86e3..cd269abde75 100644
--- a/crypto/s2n_libcrypto.c
+++ b/crypto/s2n_libcrypto.c
@@ -99,16 +99,33 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_number(void)
 }
 
 /* s2n_libcrypto_is_*() encodes the libcrypto version used at build-time.
- * Currently only captures AWS-LC and BoringSSL. When a libcrypto-dependent
- * branch is required, we prefer these functions where possible to reduce
- # #ifs and avoid potential bugs where the header containing the #define is not
- * included.
+ *
+ * When a libcrypto-dependent branch is required, we prefer these functions
+ * where possible to reduce #ifs and avoid potential bugs where the header
+ * containing the #define is not included.
  */
 
 #if defined(OPENSSL_IS_AWSLC) && defined(OPENSSL_IS_BORINGSSL)
     #error "Both OPENSSL_IS_AWSLC and OPENSSL_IS_BORINGSSL are defined at the same time!"
 #endif
 
+/* Attempt to detect if the libcrypto is OpenSSL.
+ *
+ * Since, quite a few libcrypto (BoringSSL, AWSLC) implementations are ABI
+ * compatible forks of OpenSSL, detecting OpenSSL is done by checking the
+ * absence of other libcrypto variants.
+ *
+ * Note: This check needs to be updated if s2n-tls adds support for a new
+ * libcrypto in the future.
+ */
+bool s2n_libcrypto_is_openssl()
+{
+    bool is_other_libcrypto_variant =
+            s2n_libcrypto_is_boringssl() || s2n_libcrypto_is_libressl() || s2n_libcrypto_is_awslc();
+
+    return !is_other_libcrypto_variant;
+}
+
 bool s2n_libcrypto_is_awslc()
 {
 #if defined(OPENSSL_IS_AWSLC)
diff --git a/crypto/s2n_openssl.h b/crypto/s2n_openssl.h
index cd43cb8f4e1..d09c249dbd2 100644
--- a/crypto/s2n_openssl.h
+++ b/crypto/s2n_openssl.h
@@ -56,6 +56,7 @@
     #define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0
 #endif
 
+bool s2n_libcrypto_is_openssl();
 bool s2n_libcrypto_is_awslc();
 bool s2n_libcrypto_is_boringssl();
 bool s2n_libcrypto_is_libressl();
diff --git a/tests/unit/s2n_pq_kem_test.c b/tests/unit/s2n_pq_kem_test.c
index 355dbd0b83a..4c6d84f243a 100644
--- a/tests/unit/s2n_pq_kem_test.c
+++ b/tests/unit/s2n_pq_kem_test.c
@@ -41,7 +41,7 @@ int main()
 
 #if defined(OPENSSL_IS_AWSLC) && defined(AWSLC_API_VERSION)
     /* If using non-FIPS AWS-LC >= v1.6 (API vers. 21), expect Kyber512 KEM from AWS-LC */
-    if (!s2n_libcrypto_is_fips() && AWSLC_API_VERSION >= 21) {
+    if (!s2n_is_in_fips_mode() && AWSLC_API_VERSION >= 21) {
         EXPECT_TRUE(s2n_libcrypto_supports_evp_kem());
     }
 #endif
diff --git a/utils/s2n_random.c b/utils/s2n_random.c
index ac8f9817b1f..52904b13fda 100644
--- a/utils/s2n_random.c
+++ b/utils/s2n_random.c
@@ -48,6 +48,9 @@
 #include <errno.h>
 #include <limits.h>
 #include <openssl/engine.h>
+/* LibreSSL requires <openssl/rand.h> include.
+ * https://github.com/aws/s2n-tls/issues/153#issuecomment-129651643
+ */
 #include <openssl/rand.h>
 #include <pthread.h>
 #include <stdint.h>