From 910665bebad1856f1799d627acb3b85584c46ee3 Mon Sep 17 00:00:00 2001
From: James Mayclin
Date: Wed, 12 Feb 2025 21:05:19 -0800
Subject: [PATCH] fix: don't enable custom random for openssl fips (#5093)
Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com>
---
 tests/unit/s2n_openssl_test.c | 8 ++++++++
 utils/s2n_random.c | 4 +++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/unit/s2n_openssl_test.c b/tests/unit/s2n_openssl_test.c
index d48cc8b4bd9..e2f8d61183d 100644
--- a/tests/unit/s2n_openssl_test.c
+++ b/tests/unit/s2n_openssl_test.c
@@ -16,6 +16,7 @@
 #include "crypto/s2n_openssl.h"
 #include "s2n_test.h"
+#include "utils/s2n_random.h"
 int main(int argc, char** argv)
 {
@@ -53,5 +54,12 @@ int main(int argc, char** argv)
 FAIL_MSG("Testing with an unexpected libcrypto.");
 }
+ /* Ensure that custom rand is not enabled for OpenSSL 1.0.2 Fips to match
+ * historical behavior
+ */
+ if (strcmp("openssl-1.0.2-fips", env_libcrypto) == 0) {
+ EXPECT_FALSE(s2n_supports_custom_rand());
+ }
+
 END_TEST();
 }
diff --git a/utils/s2n_random.c b/utils/s2n_random.c
index 233a76b3060..bb7280f74dd 100644
--- a/utils/s2n_random.c
+++ b/utils/s2n_random.c
@@ -554,7 +554,9 @@ static int s2n_rand_init_cb_impl(void)
 bool s2n_supports_custom_rand(void)
 {
-#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
+#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE) || defined(OPENSSL_FIPS)
+ /* OpenSSL 1.0.2-fips is excluded to match historical behavior */
+ /* OPENSSL_FIPS is only defined for 1.0.2-fips, not 3.x-fips */
 return false;
 #else
 return s2n_libcrypto_is_openssl() && !s2n_is_in_fips_mode();
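Review bot: In the second hunk of tests/unit/s2n_openssl_test.c the new check pins only the negative case, and it is keyed on the `env_libcrypto` label rather than on the build property that the guard in utils/s2n_random.c tests (`OPENSSL_FIPS`). A guard that grew too broad and reported custom rand as unsupported for every libcrypto would still pass this test. If the test matrix has a non-FIPS OpenSSL label where engine support is expected, a matching `EXPECT_TRUE(s2n_supports_custom_rand());` in that branch would pin both directions. `main` starts outside this hunk, so how `env_libcrypto` is obtained and null-checked before the `strcmp` is not visible here.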
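Review bot: The `defined(OPENSSL_FIPS)` term added to the `#if` in `s2n_supports_custom_rand()` is a compile-time decision, while the `#else` branch decides at runtime through `s2n_is_in_fips_mode()`, so a libcrypto whose headers define `OPENSSL_FIPS` is now reported as unsupported even when FIPS mode is off at runtime. The two added comments say "historical behavior" without saying what that behavior is, and the claim that only 1.0.2-fips defines the macro depends on libcrypto headers that are not shown here. I would merge them into one comment that states the effect, for example `/* Compile-time exclusion: if the libcrypto headers define OPENSSL_FIPS, custom rand is reported as unsupported regardless of runtime FIPS mode. */`, and keep the 3.x-fips remark as its second sentence. The function's `#endif` and closing brace are outside the hunk.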