
  1. /*
  2. * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License").
  5. * You may not use this file except in compliance with the License.
  6. * A copy of the License is located at
  7. *
  8. * http://aws.amazon.com/apache2.0
  9. *
  10. * or in the "license" file accompanying this file. This file is distributed
  11. * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  12. * express or implied. See the License for the specific language governing
  13. * permissions and limitations under the License.
  14. */
  15. #include "crypto/s2n_fips.h"
  16. #include <openssl/crypto.h>
  17. #if defined(S2N_INTERN_LIBCRYPTO) && defined(OPENSSL_FIPS)
  18. #error "Interning with OpenSSL fips-validated libcrypto is not currently supported. See https://github.com/aws/s2n-tls/issues/2741"
  19. #endif
/* Cached FIPS state of the linked libcrypto, captured once by s2n_fips_init():
 * 1 when s2n_libcrypto_is_fips() reported FIPS mode at init time, 0 otherwise.
 * Read back by s2n_is_in_fips_mode(); nothing in this file updates it afterwards. */
static int s2n_fips_mode = 0;
/* Report whether the linked libcrypto is currently running in FIPS mode.
 *
 * OpenSSL only exposes FIPS_mode() when it was configured and built for FIPS,
 * in which case it defines OPENSSL_FIPS. AWS-LC always provides FIPS_mode()
 * (it reports what the library was built with) but does not define a public
 * OPENSSL_FIPS/AWSLC_FIPS macro, so OPENSSL_IS_AWSLC is checked instead.
 *
 * The call is guarded by macros because some libcryptos (e.g. LibreSSL) do not
 * define FIPS_mode() by default; on those builds this function is always false.
 *
 * Note: FIPS_mode() is a pure query and never changes libcrypto's FIPS state.
 * Applications that want FIPS mode must call FIPS_mode_set(1) before s2n_init.
 *
 * Returns true only when FIPS_mode() reports exactly 1.
 */
bool s2n_libcrypto_is_fips(void)
{
    bool fips_enabled = false;
#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
    /* Any value other than 1 (including error codes) is treated as "not FIPS". */
    fips_enabled = (FIPS_mode() == 1);
#endif
    return fips_enabled;
}
/* Snapshot the libcrypto FIPS state into s2n_fips_mode.
 *
 * Called during s2n initialization; the value recorded here is what
 * s2n_is_in_fips_mode() reports afterwards, so the libcrypto must already be
 * in FIPS mode (FIPS_mode_set(1)) before this runs.
 *
 * Returns 0 unconditionally; there is no failure path.
 */
int s2n_fips_init(void)
{
    /* Always re-derive from libcrypto rather than trusting a previous value. */
    s2n_fips_mode = s2n_libcrypto_is_fips() ? 1 : 0;
    return 0;
}
/* Return 1 if FIPS mode is enabled, 0 otherwise.
 *
 * This reports the value cached by s2n_fips_init(), not a live query of
 * libcrypto; FIPS mode must therefore be enabled prior to calling s2n_init().
 */
int s2n_is_in_fips_mode(void)
{
    int mode = s2n_fips_mode;
    return mode;
}