feature: remove openssl-1.0.2-fips fips mode support (#5030)

aws · Jan 14, 2025 · fb77459 · fb77459
1 parent e79b1b9
commit fb77459
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/crypto/s2n_fips.c b/crypto/s2n_fips.c
@@ -52,6 +52,9 @@ bool s2n_libcrypto_is_fips(void)
 int s2n_fips_init(void)
 {
     s2n_fips_mode_enabled = s2n_libcrypto_is_fips();
+#if defined(OPENSSL_FIPS)
+    POSIX_ENSURE(!s2n_fips_mode_enabled, S2N_ERR_FIPS_MODE_UNSUPPORTED);
+#endif
     return S2N_SUCCESS;
 }
 

diff --git a/error/s2n_errno.c b/error/s2n_errno.c
@@ -313,7 +313,8 @@ static const char *no_such_error = "Internal s2n error";
     ERR_ENTRY(S2N_ERR_TOO_MANY_CAS, "Too many certificate authorities in trust store"); \
     ERR_ENTRY(S2N_ERR_BAD_HEX, "Could not parse malformed hex string"); \
     ERR_ENTRY(S2N_ERR_CONFIG_NULL_BEFORE_CH_CALLBACK, "Config set to NULL before client hello callback. This should not be possible outside of tests."); \
-    ERR_ENTRY(S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO, "The invoked s2n-tls API is not supported by the libcrypto") \
+    ERR_ENTRY(S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO, "The invoked s2n-tls API is not supported by the libcrypto"); \
+    ERR_ENTRY(S2N_ERR_FIPS_MODE_UNSUPPORTED, "FIPS mode is not supported for the libcrypto"); \
     /* clang-format on */
 
 #define ERR_STR_CASE(ERR, str) \

diff --git a/error/s2n_errno.h b/error/s2n_errno.h
@@ -331,6 +331,7 @@ typedef enum {
     S2N_ERR_INVALID_SERIALIZED_CONNECTION,
     S2N_ERR_TOO_MANY_CAS,
     S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO,
+    S2N_ERR_FIPS_MODE_UNSUPPORTED,
     S2N_ERR_T_USAGE_END,
 } s2n_error;