Skip to content

Commit

Permalink
chore: add s2n_libcrypto_is_openssl helper, docs, fix test
Browse files Browse the repository at this point in the history
  • Loading branch information
toidiu committed Nov 23, 2024
1 parent 9877437 commit 5dfe535
Show file tree
Hide file tree
Showing 7 changed files with 64 additions and 27 deletions.
21 changes: 14 additions & 7 deletions crypto/s2n_fips.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,17 +26,24 @@

static bool s2n_fips_mode_enabled = false;

/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which then defines OPENSSL_FIPS.
/* FIPS mode can be checked if OpenSSL was configured and built for FIPS which
* then defines OPENSSL_FIPS.
*
* AWS-LC always defines FIPS_mode() that you can call and check what the library was built with. It does not define
* a public OPENSSL_FIPS/AWSLC_FIPS macro that we can (or need to) check here
* AWS-LC always defines FIPS_mode() that you can call and check what the
* library was built with. It does not define a public OPENSSL_FIPS/AWSLC_FIPS
* macro that we can (or need to) check here
*
* Safeguard with macro's, for example because Libressl dosn't define
* Safeguard with macro's, for example because Libressl doesn't define
* FIPS_mode() by default.
*
* Note: FIPS_mode() does not change the FIPS state of libcrypto. This only returns the current state. Applications
* using s2n must call FIPS_mode_set(1) prior to s2n_init.
* */
* Note: FIPS_mode() does not change the FIPS state of libcrypto. This only
* returns the current state. Applications using s2n must call FIPS_mode_set(1)
* prior to s2n_init.
*
* Note: Developers should use `s2n_is_in_fips_mode()` instead of calling this
* directly. `s2n_is_in_fips_mode()` returns libcrypto FIPS status at library
* initialization, ie. s2n_init().
*/
bool s2n_libcrypto_is_fips(void)
{
#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
Expand Down
1 change: 0 additions & 1 deletion crypto/s2n_fips.h
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,6 @@

int s2n_fips_init(void);
bool s2n_is_in_fips_mode(void);
bool s2n_libcrypto_is_fips(void);

struct s2n_cipher_suite;
S2N_RESULT s2n_fips_validate_cipher_suite(const struct s2n_cipher_suite *cipher_suite, bool *valid);
Expand Down
25 changes: 21 additions & 4 deletions crypto/s2n_libcrypto.c
Original file line number Diff line number Diff line change
Expand Up @@ -99,16 +99,33 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_number(void)
}

/* s2n_libcrypto_is_*() encodes the libcrypto version used at build-time.
* Currently only captures AWS-LC and BoringSSL. When a libcrypto-dependent
* branch is required, we prefer these functions where possible to reduce
# #ifs and avoid potential bugs where the header containing the #define is not
* included.
*
* When a libcrypto-dependent branch is required, we prefer these functions
* where possible to reduce #ifs and avoid potential bugs where the header
* containing the #define is not included.
*/

#if defined(OPENSSL_IS_AWSLC) && defined(OPENSSL_IS_BORINGSSL)
#error "Both OPENSSL_IS_AWSLC and OPENSSL_IS_BORINGSSL are defined at the same time!"
#endif

/* Attempt to detect if the libcrypto is OpenSSL.
*
* Since, quite a few libcrypto (BoringSSL, AWSLC) implementations are ABI
* compatible forks of OpenSSL, detecting OpenSSL is done by checking the
* absence of other libcrypto variants.
*
* Note: This check needs to be updated if s2n-tls adds support for a new
* libcrypto in the future.
*/
bool s2n_libcrypto_is_openssl()
{
bool is_other_libcrypto_variant =
s2n_libcrypto_is_boringssl() || s2n_libcrypto_is_libressl() || s2n_libcrypto_is_awslc();

return !is_other_libcrypto_variant;
}

bool s2n_libcrypto_is_awslc()
{
#if defined(OPENSSL_IS_AWSLC)
Expand Down
1 change: 1 addition & 0 deletions crypto/s2n_openssl.h
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@
#define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0
#endif

bool s2n_libcrypto_is_openssl();
bool s2n_libcrypto_is_awslc();
bool s2n_libcrypto_is_boringssl();
bool s2n_libcrypto_is_libressl();
38 changes: 24 additions & 14 deletions tests/unit/s2n_openssl_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -21,21 +21,31 @@ int main(int argc, char** argv)
{
BEGIN_TEST();

const char* env_libcrypto = getenv("S2N_LIBCRYPTO");
if (env_libcrypto == NULL) {
END_TEST();
}
{
const char* env_libcrypto = getenv("S2N_LIBCRYPTO");
if (env_libcrypto == NULL) {
END_TEST();
}

if (strcmp(env_libcrypto, "boringssl") == 0) {
EXPECT_FALSE(s2n_libcrypto_is_awslc());
EXPECT_TRUE(s2n_libcrypto_is_boringssl());
} else if (strstr(env_libcrypto, "awslc") != NULL) {
EXPECT_TRUE(s2n_libcrypto_is_awslc());
EXPECT_FALSE(s2n_libcrypto_is_boringssl());
} else {
EXPECT_FALSE(s2n_libcrypto_is_awslc());
EXPECT_FALSE(s2n_libcrypto_is_boringssl());
}
if (strcmp(env_libcrypto, "boringssl") == 0) {
EXPECT_FALSE(s2n_libcrypto_is_awslc());
EXPECT_TRUE(s2n_libcrypto_is_boringssl());
} else if (strstr(env_libcrypto, "awslc") != NULL) {
EXPECT_TRUE(s2n_libcrypto_is_awslc());
EXPECT_FALSE(s2n_libcrypto_is_boringssl());
} else {
EXPECT_FALSE(s2n_libcrypto_is_awslc());
EXPECT_FALSE(s2n_libcrypto_is_boringssl());
}
};

{
if (s2n_libcrypto_is_openssl()) {
EXPECT_FALSE(s2n_libcrypto_is_awslc());
EXPECT_FALSE(s2n_libcrypto_is_boringssl());
EXPECT_FALSE(s2n_libcrypto_is_libressl());
}
};

END_TEST();
}
2 changes: 1 addition & 1 deletion tests/unit/s2n_pq_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ int main()

#if defined(OPENSSL_IS_AWSLC) && defined(AWSLC_API_VERSION)
/* If using non-FIPS AWS-LC >= v1.6 (API vers. 21), expect Kyber512 KEM from AWS-LC */
if (!s2n_libcrypto_is_fips() && AWSLC_API_VERSION >= 21) {
if (!s2n_is_in_fips_mode() && AWSLC_API_VERSION >= 21) {
EXPECT_TRUE(s2n_libcrypto_supports_evp_kem());
}
#endif
Expand Down
3 changes: 3 additions & 0 deletions utils/s2n_random.c
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@
#include <errno.h>
#include <limits.h>
#include <openssl/engine.h>
/* LibreSSL requires <openssl/rand.h> include.
* https://github.com/aws/s2n-tls/issues/153#issuecomment-129651643
*/
#include <openssl/rand.h>
#include <pthread.h>
#include <stdint.h>
Expand Down

0 comments on commit 5dfe535

Please sign in to comment.