No longer override rand for BoringSSL users

BoringSSL does not support overriding libcrypto's rand method, this change disabled it in the case of using BoingSSL. This change also adds a new yellow "Skipped" status for tests that are skipped (as they now are for the override case). This change also removes the OCSP validation, as BoringSSL doesn't support this either. We can treat it as a blob until we add our own ASN.1 parsing.
aws · Mar 5, 2015 · c2443ed · c2443ed
1 parent 903fdf2
commit c2443ed
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 19 deletions.
diff --git a/tests/s2n_test.h b/tests/s2n_test.h
@@ -30,10 +30,20 @@
 
 #define BEGIN_TEST()  int test_count = 0; { fprintf(stdout, "Running %-50s ... ", __FILE__); }
 #define END_TEST()  { if (isatty(fileno(stdout))) { \
-                            fprintf(stdout, "\033[32;1mPASSED\033[0m %10d tests\n", test_count ); \
+                            if (test_count) { \
+                                fprintf(stdout, "\033[32;1mPASSED\033[0m %10d tests\n", test_count ); \
+                            }\
+                            else {\
+                                fprintf(stdout, "\033[33;1mSKIPPED\033[0m       ALL tests\n" ); \
+                            }\
                        } \
                        else { \
-                            fprintf(stdout, "PASSED %10d tests\n", test_count ); \
+                            if (test_count) { \
+                                fprintf(stdout, "PASSED %10d tests\n", test_count ); \
+                            }\
+                            else {\
+                                fprintf(stdout, "SKIPPED       ALL tests\n" ); \
+                            }\
                        } \
                        return 0;\
                     }

diff --git a/tests/unit/s2n_override_openssl_random_test.c b/tests/unit/s2n_override_openssl_random_test.c
@@ -21,6 +21,8 @@
 #include "utils/s2n_blob.h"
 #include <s2n.h>
 
+#if !defined(OPENSSL_IS_BORINGSSL)
+
 static uint8_t dhparams[] =
     "-----BEGIN DH PARAMETERS-----\n"
     "MIIBCAKCAQEAy1+hVWCfNQoPB+NA733IVOONl8fCumiz9zdRRu1hzVa2yvGseUSq\n"
@@ -72,6 +74,7 @@ RAND_METHOD mock_openssl_rand_method = {
     .status = mock_openssl_compat_status
 };
 
+
 int main(int argc, char **argv)
 {
     struct s2n_stuffer dhparams_in, dhparams_out;
@@ -109,3 +112,15 @@ int main(int argc, char **argv)
 
     END_TEST();
 }
+
+#else /* defined(OPENSSL_IS_BORINGSSL) */
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+
+    END_TEST();
+}
+
+#endif
+
diff --git a/tls/s2n_config.c b/tls/s2n_config.c
@@ -24,8 +24,6 @@
 #include "utils/s2n_safety.h"
 #include "utils/s2n_mem.h"
 
-#include <openssl/ocsp.h>
-
 /* s2n's list of cipher suites, in order of preference, as of 2014-06-01 */
 uint8_t wire_format_20140601[] =
     { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
@@ -212,15 +210,6 @@ int s2n_config_set_status_request_type(struct s2n_config *config, s2n_status_req
     return 0;
 }
 
-static int s2n_config_is_ocsp_response(const uint8_t *data, uint32_t length)
-{
-    OCSP_RESPONSE *rsp = d2i_OCSP_RESPONSE(NULL, &data, length);
-    notnull_check(rsp);
-    OCSP_RESPONSE_free(rsp);
-
-    return 0;
-}
-
 int s2n_config_add_cert_chain_and_key_with_status(struct s2n_config *config,
         char *cert_chain_pem, char *private_key_pem, const uint8_t *status, uint32_t length)
 {
@@ -282,8 +271,6 @@ int s2n_config_add_cert_chain_and_key_with_status(struct s2n_config *config,
     config->cert_and_key_pairs->chain_size = chain_size;
 
     if (status && length > 0) {
-        GUARD(s2n_config_is_ocsp_response(status, length));
-
         GUARD(s2n_alloc(&config->cert_and_key_pairs->ocsp_status, length));
         memcpy_check(config->cert_and_key_pairs->ocsp_status.data, status, length);
     }

diff --git a/utils/s2n_random.c b/utils/s2n_random.c
@@ -35,7 +35,6 @@
 #define ENTROPY_SOURCE "/dev/urandom"
 
 static int entropy_fd = -1;
-static const RAND_METHOD *original_rand_method;
 
 int s2n_get_random_data(uint8_t *data, uint32_t n)
 {
@@ -106,6 +105,9 @@ int s2n_random(int max)
     return -1;
 }
 
+#ifndef OPENSSL_IS_BORINGSSL
+static const RAND_METHOD *original_rand_method;
+
 int openssl_compat_rand(unsigned char *buf, int num)
 {
     int r = s2n_get_random_data(buf, num);
@@ -143,6 +145,7 @@ RAND_METHOD s2n_openssl_rand_method = {
     .pseudorand = openssl_compat_rand,
     .status = openssl_compat_status
 };
+#endif
 
 int s2n_init()
 {
@@ -151,13 +154,15 @@ int s2n_init()
         S2N_ERROR(S2N_ERR_OPEN_RANDOM);
     }
 
+    /* Create the CBC masks */
+    GUARD(s2n_cbc_masks_init());
+
+#ifndef OPENSSL_IS_BORINGSSL
     original_rand_method = RAND_get_rand_method();
 
     /* Over-ride OpenSSL's PRNG. NOTE: there is a unit test to validate that this works */
     RAND_set_rand_method(&s2n_openssl_rand_method);
-
-    /* Create the CBC masks */
-    GUARD(s2n_cbc_masks_init());
+#endif
 
     return 0;
 }
@@ -170,8 +175,10 @@ int s2n_cleanup()
 
     GUARD(close(entropy_fd));
 
+#ifndef OPENSSL_IS_BORINGSSL
     /* Restore OpenSSL's original random methods */
     RAND_set_rand_method(original_rand_method);
+#endif
 
     return 0;
 }