fix: don't enable custom random for openssl fips (#5093)

Co-authored-by: Sam Clark <[email protected]>
aws · Feb 13, 2025 · 910665b · 910665b
1 parent 18adf02
commit 910665b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/tests/unit/s2n_openssl_test.c b/tests/unit/s2n_openssl_test.c
@@ -16,6 +16,7 @@
 #include "crypto/s2n_openssl.h"
 
 #include "s2n_test.h"
+#include "utils/s2n_random.h"
 
 int main(int argc, char** argv)
 {
@@ -53,5 +54,12 @@ int main(int argc, char** argv)
         FAIL_MSG("Testing with an unexpected libcrypto.");
     }
 
+    /* Ensure that custom rand is not enabled for OpenSSL 1.0.2 Fips to match
+     * historical behavior 
+     */
+    if (strcmp("openssl-1.0.2-fips", env_libcrypto) == 0) {
+        EXPECT_FALSE(s2n_supports_custom_rand());
+    }
+
     END_TEST();
 }
diff --git a/utils/s2n_random.c b/utils/s2n_random.c
@@ -554,7 +554,9 @@ static int s2n_rand_init_cb_impl(void)
 
 bool s2n_supports_custom_rand(void)
 {
-#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
+#if !defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE) || defined(OPENSSL_FIPS)
+    /* OpenSSL 1.0.2-fips is excluded to match historical behavior */
+    /* OPENSSL_FIPS is only defined for 1.0.2-fips, not 3.x-fips */
     return false;
 #else
     return s2n_libcrypto_is_openssl() && !s2n_is_in_fips_mode();