Merge branch 'main' into camshaft/wireshark-4-0

.cargo/audit.toml

@@ -0,0 +1,15 @@
+[advisories]
+ignore = [
+  # `atty` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2021-0145",
+  # `atty` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2024-0375",
+  # ` proc-macro-error` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2024-0370",
+  # `ansi_term` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2021-0139"
+]

.clippy.toml

@@ -1 +1,3 @@
 msrv = "1.71.0"
+# // https://github.com/aws/s2n-quic/pull/2251
+too-many-arguments-threshold = 100

.gitattributes

@@ -1,2 +1,3 @@
 corpus.tar.gz filter=lfs diff=lfs merge=lfs -text
 *.ebpf filter=lfs diff=lfs merge=lfs -text
+*.pcapng filter=lfs diff=lfs merge=lfs -text

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,10 +1,13 @@
+### Release Summary:
+<!-- If this is a feature or bug that impacts customers and is significant enough to include in the "Summary" section of the next version release, please include a brief (1-2 sentences) description of the change. The audience of this summary is customers, not maintainers or reviewers. See https://github.com/aws/s2n-tls/releases/tag/v1.5.7 for an example. Otherwise, leave this section blank -->
+
 ### Resolved issues:
 
 resolves #ISSUE-NUMBER1, resolves #ISSUE-NUMBER2, etc.
 
 ### Description of changes: 
 
-<!-- Describe s2n-quic’s current behavior and how your code changes that behavior. If there are no issues this pr is resolving, explain why this change is necessary.-->
+<!-- Describe s2n-quic’s current behavior and how your code changes that behavior. If there are no issues this pr is resolving, explain why this change is necessary. If a callout is specific to a section of code, it might make more sense to leave a comment on your own PR file diff. -->
 
 ### Call-outs:
 
@@ -13,8 +16,9 @@ resolves #ISSUE-NUMBER1, resolves #ISSUE-NUMBER2, etc.
 ### Testing:
 
 <!--How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
-
+How can you convince your reviewers that this PR is safe and effective?
 Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed? -->
 
+
 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
 

.github/actions/duvet/README.md

@@ -16,11 +16,19 @@ Path to the output report generated in `report-script`. Defaults to `report.html
 
 ### `aws-access-key-id: ''`
 
-An AWS access key. The corresponding user must have S3 write permissions.
+Deprecated.  This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
 
 ### `aws-secret-access-key: ''`
 
-The AWS secret key.
+Deprecated.  This was previously used to authenticate with long lived IAM credentials. See [Configuring OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+
+### `role-to-assume: ''`
+
+For Open ID Connect, the role attached to the IdP, in the form of an ARN. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+
+### `role-session-name: ''`
+
+For Open ID Connect, an arbitrary session name. Intended for use with [AWS](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
 
 ### `aws-s3-bucket-name: ''`
 
@@ -52,8 +60,8 @@ jobs:
         with:
           s2n-quic-dir: ./s2n-quic
           report-script: compliance/generate_report.sh
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::123456789:role/GitHubOIDCRole
+          role-session-name: GithubActionSession
           aws-s3-bucket-name: s2n-tls-ci-artifacts
           aws-s3-region: us-west-2
           cdn: https://d3fqnyekunr9xg.cloudfront.net

.github/actions/duvet/action.yml

@@ -7,11 +7,11 @@ inputs:
   report-path:
     description: 'Path to generated Duvet report output'
     required: false
-  aws-access-key-id:
-    description: 'AWS access key ID with S3 permissions'
+  role-to-assume:
+    description: 'Role to assume for OpenID Connect'
     required: true
-  aws-secret-access-key:
-    description: 'AWS secret key'
+  role-session-name:
+    description: 'Role session name for OpenID Connect'
     required: true
   aws-s3-bucket-name:
     description: 'Destination S3 bucket name for duvet reports'
@@ -46,11 +46,11 @@ runs:
       shell: bash
       run: ${{ inputs.report-script }} ${{ github.sha }}
 
-    - uses: aws-actions/configure-aws-credentials@v1.6.1
+    - uses: aws-actions/configure-aws-credentials@v4.0.2
       if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
       with:
-        aws-access-key-id: ${{ inputs.aws-access-key-id }}
-        aws-secret-access-key: ${{ inputs.aws-secret-access-key}}
+        role-to-assume: ${{ inputs.role-to-assume}}
+        role-session-name: ${{ inputs.role-session-name}}
         aws-region: ${{ inputs.aws-s3-region }}
 
     - name: Upload to S3

.github/config/cargo-deny.toml

@@ -1,10 +1,18 @@
 [advisories]
-vulnerability = "deny"
-unmaintained = "deny"
-notice = "deny"
 yanked = "deny"
 ignore = [
-    "RUSTSEC-2021-0139", # criterion, structopt, and tracing-subscriber (test dependencies) use ansi_term
+  # `atty` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2021-0145",
+  # `atty` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2024-0375",
+  # ` proc-macro-error` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2024-0370",
+  # `ansi_term` is a dependency of `structopt` and only used in s2n-quic-qns and s2n-quic-sim
+  # https://github.com/aws/s2n-quic/issues/2324
+  "RUSTSEC-2021-0139"
 ]
 
 [bans]
@@ -15,7 +23,6 @@ skip-tree = [
     { name = "cuckoofilter" },
 
     # all of these are going to be just test dependencies
-    { name = "aes-gcm" },
     { name = "bach" },
     { name = "bolero" },
     { name = "criterion" },
@@ -30,28 +37,24 @@ skip-tree = [
 ]
 
 [sources]
-allow-git = [
-    "https://github.com/camshaft/aya", # TODO: Remove once aya supports XdpMaps - https://github.com/aya-rs/aya/pull/527
-]
 unknown-registry = "deny"
 unknown-git = "deny"
 
 [licenses]
-unlicensed = "deny"
-allow-osi-fsf-free = "neither"
-copyleft = "deny"
 confidence-threshold = 0.9
 # ignore licenses for private crates
 private = { ignore = true }
 allow = [
     "Apache-2.0",
     "BSD-2-Clause",
     "BSD-3-Clause",
+    "CC0-1.0",
     "ISC",
     "MIT",
     "OpenSSL",
     "Unicode-DFS-2016",
     "Zlib",
+    "Unicode-3.0",
 ]
 
 [[licenses.clarify]]

.github/config/typos.toml

@@ -25,5 +25,5 @@ extend-exclude = [
     "*.der",
     "*.pem",
     "**/specs/**/*",
-    "common/duvet/www/public/script.js",
+    "**/wireshark_sys*",
 ]