aws · goatgoose · Oct 17, 2025 · Oct 31, 2025 · Oct 31, 2025 · dougch
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -34,6 +34,10 @@ option(S2N_STACKTRACE "Enables stacktrace functionality in s2n-tls. Note that th
 only available on platforms that support execinfo." ON)
 option(S2N_OVERRIDE_LIBCRYPTO_RAND_ENGINE "Allow s2n-tls to override the libcrypto random implementation with the custom
 s2n-tls implementation, when appropriate. Disabling this flag is not recommended. See docs/BUILD.md for details." ON)
+option(S2N_ENFORCE_PROPER_LIBCRYPTO_FEATURE_PROBE "Assert that the feature probes are able to link to the libcrypto and
+properly probe for feature support. If the feature probes are unable to properly probe for support, the build will
+fail. This option ensures that s2n-tls doesn't silently build without properly probing for the support of important
+features, such as TLS 1.3 support." OFF)
 option(COVERAGE "Enable profiling collection for code coverage calculation" OFF)
 option(BUILD_TESTING "Build tests for s2n-tls. By default only unit tests are built." ON)
 option(S2N_INTEG_TESTS "Enable the integrationv2 tests" OFF)
@@ -352,6 +356,8 @@ function(feature_probe PROBE_NAME)
 
     # Set the flags that we used for the probe
     set(${PROBE_NAME}_FLAGS ${PROBE_FLAGS} PARENT_SCOPE)
+
+    set(${PROBE_NAME}_OUTPUT "${TRY_COMPILE_OUTPUT}" PARENT_SCOPE)
 endfunction()
 
 # Iterate over all of the features and try to compile them
@@ -362,6 +368,13 @@ foreach(file ${FEATURE_SRCS})
     feature_probe(${feature_name})
 endforeach()
 
+# Ensure that the feature probes were able to properly link to the libcrypto.
+if(S2N_ENFORCE_PROPER_LIBCRYPTO_FEATURE_PROBE AND NOT S2N_LIBCRYPTO_SANITY_PROBE)
+    message(FATAL_ERROR "A sanity-check libcrypto feature probe failed, which indicates that other
+    feature probes were likely unable to probe the libcrypto for its supported features:
+    ${S2N_LIBCRYPTO_SANITY_PROBE_OUTPUT}")
+endif()
+
 # FreeBSD might need to link to execinfo explicitly
 if(NOT S2N_EXECINFO_AVAILABLE AND CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
     feature_probe(S2N_EXECINFO_AVAILABLE LINK_LIBRARIES execinfo)

@@ -89,7 +89,8 @@ run_integration_v2_tests() {
 run_unit_tests() {
     cmake . -Bbuild \
             -DCMAKE_PREFIX_PATH=$LIBCRYPTO_ROOT \
-            -DBUILD_SHARED_LIBS=on
+            -DBUILD_SHARED_LIBS=on \
+            -DS2N_ENFORCE_PROPER_LIBCRYPTO_FEATURE_PROBE=1
     cmake --build ./build -- -j $(nproc)
     test_linked_libcrypto ./build/bin/s2nc
     cmake --build build/ --target test -- ARGS="-L unit --output-on-failure -j $(nproc)"

diff --git a/nix/shell.sh b/nix/shell.sh
@@ -52,6 +52,7 @@ function configure {(set -e
           -DBUILD_SHARED_LIBS=ON \
           -DCMAKE_C_COMPILER="$CC" \
           -DCMAKE_CXX_COMPILER="$CXX" \
+          -DS2N_ENFORCE_PROPER_LIBCRYPTO_FEATURE_PROBE=ON \
           "$S2N_CMAKE_OPTIONS" \
           -DCMAKE_BUILD_TYPE=RelWithDebInfo
 )}

diff --git a/tests/features/S2N_LIBCRYPTO_SANITY_PROBE.c b/tests/features/S2N_LIBCRYPTO_SANITY_PROBE.c
@@ -0,0 +1,26 @@
+/*
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License").
+* You may not use this file except in compliance with the License.
+* A copy of the License is located at
+*
+*  http://aws.amazon.com/apache2.0
+*
+* or in the "license" file accompanying this file. This file is distributed
+* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+* express or implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+#include <openssl/err.h>
+
+int main()
+{
+    /* A function that's known to exist in all OpenSSL versions and forks is used as a sanity check
+     * to make sure the libcrypto has been properly linked.
+     */
+    unsigned long error = ERR_get_error();
+
+    return 0;
+}
diff --git a/tests/features/S2N_LIBCRYPTO_SANITY_PROBE.flags b/tests/features/S2N_LIBCRYPTO_SANITY_PROBE.flags