From e6949fd139d79b72815ec301aa9399a07fb925e5 Mon Sep 17 00:00:00 2001
From: Lindsay Stewart
Date: Tue, 14 Jan 2025 12:54:51 -0800
Subject: [PATCH] refactor(bin): remove references to FIPS_mode_set (#5026)

---
 bin/s2nc.c | 27 +++++++------------
 bin/s2nd.c | 21 +++++----------
 crypto/s2n_fips.c | 13 +++------
 .../usage-guide/topics/ch02-initialization.md | 2 --
 4 files changed, 21 insertions(+), 42 deletions(-)

diff --git a/bin/s2nc.c b/bin/s2nc.c
index ff15b66c887..64c9f930bbe 100644
--- a/bin/s2nc.c
+++ b/bin/s2nc.c
@@ -569,23 +569,6 @@ int main(int argc, char *const *argv)
 exit(1);
 }
 
- if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
- #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
- if (FIPS_mode_set(1) == 0) {
- unsigned long fips_rc = ERR_get_error();
- char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
- fprintf(stderr, "s2nc failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
- exit(1);
- }
- printf("s2nc entered FIPS mode\n");
- #else
- fprintf(stderr, "Error entering FIPS mode. s2nc was not built against a FIPS-capable libcrypto.\n");
- exit(1);
- #endif
-#endif
- }
-
 if (prefer_low_latency && prefer_throughput) {
 fprintf(stderr, "prefer-throughput and prefer-low-latency options are mutually exclusive\n");
 exit(1);
@@ -594,6 +577,16 @@ int main(int argc, char *const *argv)
 GUARD_EXIT(s2n_init(), "Error running s2n_init()");
 printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
 
+ if (fips_mode) {
+ s2n_fips_mode mode = 0;
+ GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+ if (mode != S2N_FIPS_MODE_ENABLED) {
+ fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
+ exit(1);
+ }
+ printf("s2nc entered FIPS mode\n");
+ }
+
 if ((r = getaddrinfo(host, port, &hints, &ai_list)) != 0) {
 fprintf(stderr, "error: %s\n", gai_strerror(r));
 exit(1);
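Review bot: The success message `printf("s2nc entered FIPS mode\n");` in the new block no longer describes what the code does: s2nc does not enter FIPS mode here, it only verifies that the library came up in FIPS mode after `s2n_init()` and exits otherwise, so `printf("s2nc running in FIPS mode\n");` would be accurate. For the same reason the `--fips` option's usage text, which is outside this hunk, presumably still says the flag enables FIPS mode; it should now say the flag requires a libcrypto that was built for FIPS and that s2nc aborts otherwise. A one-line comment above the check would also stop the next reader from re-adding an enable call: `/* FIPS state is fixed by the libcrypto at s2n_init(); this only verifies it and fails closed. */`. main() starts and ends outside this hunk.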
diff --git a/bin/s2nd.c b/bin/s2nd.c
index 08109807d79..cc1ba1ed460 100644
--- a/bin/s2nd.c
+++ b/bin/s2nd.c
@@ -548,26 +548,19 @@ int main(int argc, char *const *argv)
 exit(1);
 }
 
+ GUARD_EXIT(s2n_init(), "Error running s2n_init()");
+ printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
+
 if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
- #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
- if (FIPS_mode_set(1) == 0) {
- unsigned long fips_rc = ERR_get_error();
- char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
- fprintf(stderr, "s2nd failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
+ s2n_fips_mode mode = 0;
+ GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+ if (mode != S2N_FIPS_MODE_ENABLED) {
+ fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
 exit(1);
 }
 printf("s2nd entered FIPS mode\n");
- #else
- fprintf(stderr, "Error entering FIPS mode. s2nd was not built against a FIPS-capable libcrypto.\n");
- exit(1);
- #endif
-#endif
 }
 
- GUARD_EXIT(s2n_init(), "Error running s2n_init()");
- printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
-
 printf("Listening on %s:%s\n", host, port);
 
 struct s2n_config *config = s2n_config_new();
diff --git a/crypto/s2n_fips.c b/crypto/s2n_fips.c
index 1b2c0307069..0e21c837b5a 100644
--- a/crypto/s2n_fips.c
+++ b/crypto/s2n_fips.c
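Review bot: The FIPS verification block added here is, apart from the program name in the success message, identical to the one added to bin/s2nc.c in this same patch, and a fail-closed check that lives in two places tends to drift (one binary gets a new mode value or error string, the other does not). If bin/ has a shared helper file alongside the GUARD_EXIT macro, a helper such as `void require_fips_mode(const char *prog)` that performs the `s2n_get_fips_mode()` check and exits with the same message would let both binaries call it right after `s2n_init()`. Moving `s2n_init()` above the check looks like the right order, since the mode is presumably only meaningful once initialization has run; a short comment on the moved call, `/* s2n_init() must run first: the FIPS state is read from the libcrypto during init. */`, would record why it must not be moved back below the check. main() starts and ends outside this hunk.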
@@ -30,19 +30,14 @@ static bool s2n_fips_mode_enabled = false;
 *
 * This method indicates the state of the libcrypto, NOT the state
 * of s2n-tls and should ONLY be called during library initialization (i.e.
- * s2n_init()). For example, if s2n-tls is using Openssl and FIPS_mode_set(1)
- * is called after s2n_init() is called, then this method will return true
- * while s2n_is_in_fips_mode() will return false and s2n-tls will not operate
+ * s2n_init()). This distinction is important because in the past,
+ * if s2n-tls was using Openssl-1.0.2-fips and FIPS_mode_set(1)
+ * was called after s2n_init() was called, then this method would return true
+ * while s2n_is_in_fips_mode() would return false and s2n-tls would not operate
 * in FIPS mode.
 *
 * For AWS-LC, the FIPS_mode() method is always defined. If AWS-LC was built to
 * support FIPS, FIPS_mode() always returns 1.
-
- * For OpenSSL, OPENSSL_FIPS is defined if the libcrypto was built to support
- * FIPS. The FIPS_mode() method is only present if OPENSSL_FIPS is defined, and
- * only returns 1 if FIPS_mode_set(1) was used to enable FIPS mode.
- * Applications wanting to enable FIPS mode with OpenSSL must call
- * FIPS_mode_set(1) prior to calling s2n_init().
 */
bool s2n_libcrypto_is_fips(void)
{
diff --git a/docs/usage-guide/topics/ch02-initialization.md b/docs/usage-guide/topics/ch02-initialization.md
index f4f60e6247b..7a05c27ddb1 100644
--- a/docs/usage-guide/topics/ch02-initialization.md
+++ b/docs/usage-guide/topics/ch02-initialization.md
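Review bot: With the OpenSSL paragraph deleted, the comment above s2n_libcrypto_is_fips() now describes only AWS-LC and no longer says what the function reports for any other libcrypto, so a reader could assume OpenSSL's FIPS_mode() is still consulted, which is exactly what the rest of this patch moves away from. Add a closing sentence such as ` * For any other libcrypto, FIPS mode is not detected and this method returns false.`, provided that is what the body does; the body begins at the hunk's last line and continues outside it. The historical note about Openssl-1.0.2-fips is worth keeping, but `FIPS_mode_set(1)` in it should be marked as the legacy API so nobody reintroduces it, e.g. `the legacy FIPS_mode_set(1) API (no longer supported)`.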
@@ -7,8 +7,6 @@ Initialization can be modified by calling `s2n_crypto_disable_init()` or `s2n_di An application can override s2n-tls’s internal memory management by calling `s2n_mem_set_callbacks()` before calling `s2n_init()`. -If you are trying to use FIPS mode, you must enable FIPS in your libcrypto library (probably by calling `FIPS_mode_set(1)`) before calling `s2n_init()`. - ## Teardown ### Thread-local Memory We recommend calling `s2n_cleanup()` from every thread created after `s2n_init()` to ensure there are no memory leaks. s2n-tls has thread-local memory that it attempts to clean up automatically at thread-exit. However, this is done using pthread destructors and may not work if you are using a threads library other than pthreads.