fix: mark chachapoly as unavailable with openssl-3.0-fips

aws · Mar 6, 2025 · ccfc980 · ccfc980
1 parent 2c0f038
commit ccfc980
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/codebuild/spec/buildspec_openssl3fips.yml b/codebuild/spec/buildspec_openssl3fips.yml
@@ -35,7 +35,4 @@ phases:
     commands:
       - export CTEST_PARALLEL_LEVEL=$(nproc)
       # openssl3fips is still a work-in-progress. Not all tests pass.
-      - make -C build test -- ARGS="-R 's2n_build_test|s2n_fips_test'"
-      - make -C build test -- ARGS="-R 's2n_hash_test|s2n_hash_all_algs_test|s2n_openssl_test|s2n_init_test'"
-      - make -C build test -- ARGS="-R 's2n_evp_signing_test'"
-      - make -C build test -- ARGS="-R 's2n_tls_prf_test|s2n_tls_hybrid_prf_test'"
+      - make -C build test -- ARGS="-E 's2n_self_talk_offload_signing_test'"
diff --git a/crypto/s2n_aead_cipher_chacha20_poly1305.c b/crypto/s2n_aead_cipher_chacha20_poly1305.c
@@ -16,6 +16,7 @@
 #include <openssl/evp.h>
 
 #include "crypto/s2n_cipher.h"
+#include "crypto/s2n_libcrypto.h"
 #include "crypto/s2n_openssl.h"
 #include "tls/s2n_crypto.h"
 #include "utils/s2n_blob.h"
@@ -37,7 +38,11 @@
 static bool s2n_aead_chacha20_poly1305_available(void)
 {
 #if defined(S2N_CHACHA20_POLY1305_AVAILABLE_OSSL) || defined(S2N_CHACHA20_POLY1305_AVAILABLE_BSSL_AWSLC)
-    return true;
+    /* We could support ChaChaPoly with openssl-3.0-fips,
+     * but it would require more branching and logic to fetch a non-fips EVP_CIPHER.
+     * For now, just consider ChaChaPoly unsupported by openssl-3.0-fips.
+     */
+    return !s2n_libcrypto_is_openssl_fips();
 #else
     return false;
 #endif