Use a debug macro instead

crypto/fipsmodule/curve25519/curve25519.c

@@ -126,6 +126,8 @@ static void ed25519_keypair_pct(uint8_t public_key[ED25519_PUBLIC_KEY_LEN],
 
 void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
   uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]) {
+  // We have to avoid the self tests and digest function in ed25519_keypair_pct
+  // from updating the service indicator.
   FIPS_service_indicator_lock_state();
   boringssl_ensure_eddsa_self_test();
   SET_DIT_AUTO_RESET;

include/openssl/service_indicator.h

@@ -44,13 +44,19 @@ enum FIPSStatus {
 // |AWSLC_NOT_APPROVED| accordingly to the approved state of the service ran.
 // It is highly recommended that users of the service indicator use this macro
 // when interacting with the service indicator.
+//
+// This macro tests before != after to handle potential uint64_t rollover in
+// long-running applications that use the release build of AWS-LC. Debug builds
+// use an assert before + 1 == after to ensure in testing the service indicator
+// is operating as expected.
 #define CALL_SERVICE_AND_CHECK_APPROVED(approved, func)             \
   do {                                                              \
     (approved) = AWSLC_NOT_APPROVED;                                \
     int before = FIPS_service_indicator_before_call();              \
     func;                                                           \
     int after = FIPS_service_indicator_after_call();                \
-    if (before + 1 == after) {                                      \
+    if (before != after) {                                          \
+        assert(before + 1 == after);                                \
         (approved) = AWSLC_APPROVED;                                \
     }                                                               \
  }                                                                  \