address pr feedback

* just add condition to preprocessor
aws · Feb 8, 2025 · e57ef7d · e57ef7d
1 parent 0202407
commit e57ef7d
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 10 deletions.
diff --git a/crypto/s2n_libcrypto.h b/crypto/s2n_libcrypto.h
@@ -21,4 +21,3 @@ uint64_t s2n_libcrypto_awslc_api_version(void);
 S2N_RESULT s2n_libcrypto_validate_runtime(void);
 const char *s2n_libcrypto_get_version_name(void);
 bool s2n_libcrypto_supports_flag_no_check_time();
-bool s2n_libcrypto_is_openssl_fips(void);
diff --git a/tests/unit/s2n_override_openssl_random_test.c b/tests/unit/s2n_override_openssl_random_test.c
@@ -69,6 +69,14 @@ int main(int argc, char **argv)
 
     BEGIN_TEST();
 
+    const char *s2n_libcrypto = getenv("S2N_LIBCRYPTO");
+    if (s2n_libcrypto && strcmp("openssl-1.0.2-fips", s2n_libcrypto) == 0) {
+        /* Ensure that custom rand is not enabled for OpenSSL 1.0.2 Fips to match
+         * historical behavior 
+         */
+        EXPECT_FALSE(s2n_supports_custom_rand());
+    }
+
     if (!s2n_supports_custom_rand()) {
         /* Skip when custom rand is not supported */
         END_TEST();

diff --git a/tests/unit/s2n_random_test.c b/tests/unit/s2n_random_test.c
@@ -795,7 +795,8 @@ static int s2n_random_rand_bytes_after_cleanup_cb(struct random_test_case *test_
 
 static int s2n_random_rand_bytes_before_init(struct random_test_case *test_case)
 {
-    if (s2n_supports_custom_rand()) {
+    /* s2n_libcrypto_is_fips() is used since we are testing `s2n_init()` */
+    if (s2n_supports_custom_rand() && !s2n_libcrypto_is_fips()) {
         /* Calling RAND_bytes will set a global random method */
         unsigned char rndbytes[16] = { 0 };
         EXPECT_EQUAL(RAND_bytes(rndbytes, sizeof(rndbytes)), 1);

diff --git a/utils/s2n_random.c b/utils/s2n_random.c
@@ -555,16 +555,12 @@ static int s2n_rand_init_cb_impl(void)
 
 bool s2n_supports_custom_rand(void)
 {
-#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
+#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE) || defined(OPENSSL_FIPS)
+    /* OpenSSL 1.0.2-fips is excluded to match historical behavior */
+    /* OPENSSL_FIPS is only defined for 1.0.2-fips, not 3.x-fips*/
     return false;
 #else
-    /* AWS-LC-FIPS supports custom rand unless s2n-tls is in FIPS mode */
-    /* OpenSSL-FIPS never supports custom rand, regardless of mode */
-    /* OpenSSL non-fips always supports custom rand */
-    /* other libcryptos never support custom rand */
-    bool awslc_fips_with_fips_enabled = s2n_libcrypto_is_awslc() && s2n_is_in_fips_mode();
-    bool disable_for_fips = s2n_libcrypto_is_openssl_fips() || awslc_fips_with_fips_enabled;
-    return s2n_libcrypto_is_openssl() && !disable_for_fips;
+    return s2n_libcrypto_is_openssl() && !s2n_is_in_fips_mode();
 #endif
 }