refactor(bin): remove references to FIPS_mode_set (#5026)

aws · Jan 14, 2025 · e6949fd · e6949fd
1 parent 0673015
commit e6949fd
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 42 deletions.
diff --git a/bin/s2nc.c b/bin/s2nc.c
@@ -569,23 +569,6 @@ int main(int argc, char *const *argv)
         exit(1);
     }
 
-    if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
-    #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
-        if (FIPS_mode_set(1) == 0) {
-            unsigned long fips_rc = ERR_get_error();
-            char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
-            fprintf(stderr, "s2nc failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
-            exit(1);
-        }
-        printf("s2nc entered FIPS mode\n");
-    #else
-        fprintf(stderr, "Error entering FIPS mode. s2nc was not built against a FIPS-capable libcrypto.\n");
-        exit(1);
-    #endif
-#endif
-    }
-
     if (prefer_low_latency && prefer_throughput) {
         fprintf(stderr, "prefer-throughput and prefer-low-latency options are mutually exclusive\n");
         exit(1);
@@ -594,6 +577,16 @@ int main(int argc, char *const *argv)
     GUARD_EXIT(s2n_init(), "Error running s2n_init()");
     printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
 
+    if (fips_mode) {
+        s2n_fips_mode mode = 0;
+        GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+        if (mode != S2N_FIPS_MODE_ENABLED) {
+            fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
+            exit(1);
+        }
+        printf("s2nc entered FIPS mode\n");
+    }
+
     if ((r = getaddrinfo(host, port, &hints, &ai_list)) != 0) {
         fprintf(stderr, "error: %s\n", gai_strerror(r));
         exit(1);

diff --git a/bin/s2nd.c b/bin/s2nd.c
@@ -548,26 +548,19 @@ int main(int argc, char *const *argv)
         exit(1);
     }
 
+    GUARD_EXIT(s2n_init(), "Error running s2n_init()");
+    printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
+
     if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
-    #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
-        if (FIPS_mode_set(1) == 0) {
-            unsigned long fips_rc = ERR_get_error();
-            char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
-            fprintf(stderr, "s2nd failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
+        s2n_fips_mode mode = 0;
+        GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+        if (mode != S2N_FIPS_MODE_ENABLED) {
+            fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
             exit(1);
         }
         printf("s2nd entered FIPS mode\n");
-    #else
-        fprintf(stderr, "Error entering FIPS mode. s2nd was not built against a FIPS-capable libcrypto.\n");
-        exit(1);
-    #endif
-#endif
     }
 
-    GUARD_EXIT(s2n_init(), "Error running s2n_init()");
-    printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
-
     printf("Listening on %s:%s\n", host, port);
 
     struct s2n_config *config = s2n_config_new();

diff --git a/crypto/s2n_fips.c b/crypto/s2n_fips.c
@@ -30,19 +30,14 @@ static bool s2n_fips_mode_enabled = false;
  *
  * This method indicates the state of the libcrypto, NOT the state
  * of s2n-tls and should ONLY be called during library initialization (i.e.
- * s2n_init()). For example, if s2n-tls is using Openssl and FIPS_mode_set(1)
- * is called after s2n_init() is called, then this method will return true
- * while s2n_is_in_fips_mode() will return false and s2n-tls will not operate
+ * s2n_init()). This distinction is important because in the past,
+ * if s2n-tls was using Openssl-1.0.2-fips and FIPS_mode_set(1)
+ * was called after s2n_init() was called, then this method would return true
+ * while s2n_is_in_fips_mode() would return false and s2n-tls would not operate
  * in FIPS mode.
  *
  * For AWS-LC, the FIPS_mode() method is always defined. If AWS-LC was built to
  * support FIPS, FIPS_mode() always returns 1.
- *
- * For OpenSSL, OPENSSL_FIPS is defined if the libcrypto was built to support
- * FIPS. The FIPS_mode() method is only present if OPENSSL_FIPS is defined, and
- * only returns 1 if FIPS_mode_set(1) was used to enable FIPS mode.
- * Applications wanting to enable FIPS mode with OpenSSL must call
- * FIPS_mode_set(1) prior to calling s2n_init().
  */
 bool s2n_libcrypto_is_fips(void)
 {

diff --git a/docs/usage-guide/topics/ch02-initialization.md b/docs/usage-guide/topics/ch02-initialization.md
@@ -7,8 +7,6 @@ Initialization can be modified by calling `s2n_crypto_disable_init()` or `s2n_di
 
 An application can override s2n-tls’s internal memory management by calling `s2n_mem_set_callbacks()` before calling `s2n_init()`.
 
-If you are trying to use FIPS mode, you must enable FIPS in your libcrypto library (probably by calling `FIPS_mode_set(1)`) before calling `s2n_init()`.
-
 ## Teardown
 ### Thread-local Memory
 We recommend calling `s2n_cleanup()` from every thread created after `s2n_init()` to ensure there are no memory leaks. s2n-tls has thread-local memory that it attempts to clean up automatically at thread-exit. However, this is done using pthread destructors and may not work if you are using a threads library other than pthreads.