Merge branch 'main' into moreawslcfips

.github/dependabot.yml

@@ -31,6 +31,7 @@ updates:
   # restricted-MSRV, so don't do batch updates
   - package-ecosystem: "cargo"
     directories:
-      - "/bindings/rust"
+      - "/bindings/rust/standard"
+      - "/bindings/rust/extended"
     schedule:
       interval: "daily"

.github/install_osx_dependencies.sh

@@ -26,4 +26,4 @@ brew_install_if_not_installed coreutils
 brew_install_if_not_installed cppcheck
 brew_install_if_not_installed pkg-config  # for gnutls compilation
 brew_install_if_not_installed ninja
-brew_install_if_not_installed openssl@1.1 # for libcrypto
+brew_install_if_not_installed openssl@3 # for libcrypto

.github/s2n_osx.sh

@@ -14,25 +14,25 @@
 # permissions and limitations under the License.
 #
 set -eu
-source codebuild/bin/s2n_setup_env.sh
 
+export S2N_LIBCRYPTO=openssl-3.4
 export CTEST_OUTPUT_ON_FAILURE=1
-BREWINSTLLPATH=$(brew --prefix openssl@1.1)
-OPENSSL_1_1_1_INSTALL_DIR="${BREWINSTLLPATH:-"/usr/local/Cellar/openssl@1.1/1.1.1?"}"
+BREWINSTLLPATH=$(brew --prefix openssl@3)
+OPENSSL_3_INSTALL_DIR="${BREWINSTLLPATH:-"/opt/homebrew/Cellar/openssl@3"}"
 
-echo "Using OpenSSL at $OPENSSL_1_1_1_INSTALL_DIR"
+echo "Using OpenSSL at $OPENSSL_3_INSTALL_DIR"
 # Build with debug symbols and a specific OpenSSL version
 cmake . -Bbuild -GNinja \
 -DCMAKE_BUILD_TYPE=Debug \
--DCMAKE_PREFIX_PATH=${OPENSSL_1_1_1_INSTALL_DIR} ..
+-DCMAKE_PREFIX_PATH=${OPENSSL_3_INSTALL_DIR} ..
 
 cmake --build ./build -j $(nproc)
 time CTEST_PARALLEL_LEVEL=$(nproc) ninja -C build test
 
 # Build shared library
 cmake . -Bbuild -GNinja \
 -DCMAKE_BUILD_TYPE=Debug \
--DCMAKE_PREFIX_PATH=${OPENSSL_1_1_1_INSTALL_DIR} .. \
+-DCMAKE_PREFIX_PATH=${OPENSSL_3_INSTALL_DIR} .. \
 -DBUILD_SHARED_LIBS=ON
 
 cmake --build ./build -j $(nproc)

.github/workflows/bench.yml

@@ -39,15 +39,16 @@ jobs:
         run: cargo criterion --message-format json > criterion_output.log
 
       - name: Configure AWS Credentials
-        if: github.event_name == 'push'
-        uses: aws-actions/[email protected]
+        # Only continue with the workflow to emit metrics on code that has been merged to main.
+        if: github.event_name != 'pull_request'
+        uses: aws-actions/[email protected]
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: s2ntlsghabenchsession
           aws-region: us-west-2
 
       - name: Emit CloudWatch metrics
-        if: github.event_name == 'push'
+        if: github.event_name != 'pull_request'
         run: |
           python3 .github/bin/criterion_to_cloudwatch.py \
             --criterion_output_path bindings/rust/standard/bench/criterion_output.log \

.github/workflows/ci_compliance.yml

@@ -31,6 +31,7 @@ jobs:
       - name: Run duvet action
         uses: ./s2n-quic/.github/actions/duvet
         with:
+          duvet-version: 0.3.0 # Pin until we fix parsing issues
           s2n-quic-dir: ./s2n-quic
           report-script: compliance/generate_report.sh
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole

.github/workflows/ci_freebsd.yml

@@ -1,6 +1,8 @@
 name: FreeBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

.github/workflows/ci_linting.yml

@@ -1,6 +1,8 @@
 ---
 name: Linters
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -72,20 +74,25 @@ jobs:
         run: |
           ./codebuild/bin/run_kwstyle.sh
           ./codebuild/bin/cpp_style_comment_linter.sh
-  pepeight:
+  ruff:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
         uses: actions/checkout@v4
-      - name: Run autopep8
-        id: autopep8
-        uses: peter-evans/autopep8@v2
-        with:
-          args: --diff --exit-code .
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run Ruff formatting check
+        working-directory: tests/integrationv2
+        id: ruff_format
+        run: uv run ruff format --check .
+        continue-on-error: true
+
       - name: Check exit code
-        if: steps.autopep8.outputs.exit-code != 0
+        if: steps.ruff_format.outcome == 'failure'
         run: |
-            echo "Run 'autopep8 --in-place .' to fix"
+            echo "Run 'ruff format .' to fix formatting issues"
             exit 1
   clang-format:
     runs-on: ubuntu-latest
@@ -142,7 +149,7 @@ jobs:
         with:
           route: GET /repos/{repo}/commits/{ref}/statuses?per_page=100
           repo: ${{ github.repository }}
-          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }}
+          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha || github.event.after }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: check start_codebuild.sh against statuses

.github/workflows/ci_openbsd.yml

@@ -1,6 +1,8 @@
 name: OpenBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -15,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Build and test in OpenBSD
         id: test
-        uses: cross-platform-actions/action@v0.26.0
+        uses: cross-platform-actions/action@v0.27.0
         with:
           operating_system: openbsd
           architecture: x86-64

.github/workflows/ci_rust.yml

@@ -2,6 +2,8 @@
 name: Rust Bindings
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -304,9 +306,15 @@ jobs:
 
       - uses: camshaft/rust-cache@v1
 
+      - uses: SebRollen/[email protected]
+        id: read_toml
+        with:
+          file: '${{env.ROOT_PATH}}/rust-toolchain.toml'
+          field: 'toolchain.channel'
+
       # Enforce that clippy's msrv matches rust-toolchain
       - name: Check MSRV
-        run: grep $(cat ${{env.ROOT_PATH}}/rust-toolchain) ${{env.ROOT_PATH}}/.clippy.toml
+        run: grep "${{steps.read_toml.outputs.value}}" ${{env.ROOT_PATH}}/.clippy.toml
 
       # We don't need to format the generated files,
       # but if they don't exist other code breaks.
@@ -325,15 +333,22 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+
+      - uses: SebRollen/[email protected]
+        id: read_toml
+        with:
+          file: '${{env.ROOT_PATH}}/rust-toolchain.toml'
+          field: 'toolchain.channel'
+
       # Enforce crate msrv matches rust-toolchain
       - name: Check MSRV of s2n-tls
-        run: grep "rust-version = \"$(cat ${{env.ROOT_PATH}}/rust-toolchain)\"" ${{env.ROOT_PATH}}/s2n-tls/Cargo.toml
+        run: grep "rust-version = \"${{steps.read_toml.outputs.value}}\"" ${{env.ROOT_PATH}}/s2n-tls/Cargo.toml
 
       - name: Check MSRV of s2n-tls-sys
-        run: grep "rust-version = \"$(cat ${{env.ROOT_PATH}}/rust-toolchain)\"" ${{env.ROOT_PATH}}/s2n-tls-sys/templates/Cargo.template
+        run: grep "rust-version = \"${{steps.read_toml.outputs.value}}\"" ${{env.ROOT_PATH}}/s2n-tls-sys/templates/Cargo.template
 
       - name: Check MSRV of s2n-tokio
-        run: grep "rust-version = \"$(cat ${{env.ROOT_PATH}}/rust-toolchain)\"" ${{env.ROOT_PATH}}/s2n-tls-tokio/Cargo.toml
+        run: grep "rust-version = \"${{steps.read_toml.outputs.value}}\"" ${{env.ROOT_PATH}}/s2n-tls-tokio/Cargo.toml
 
   pcaps:
     runs-on: ubuntu-24.04
@@ -366,3 +381,77 @@ jobs:
       - name: Run tests
         working-directory: ${{env.PCAP_TEST_PATH}}
         run: cargo test --all-features
+
+  minimal-versions:
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        workspace-path:
+          - bindings/rust/extended
+          - bindings/rust/standard
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        id: toolchain
+        # minimal-versions is an unstable feature, and requires the nightly toolchain:
+        # https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#minimal-versions
+        run: |
+          rustup toolchain install ${{env.RUST_NIGHTLY_TOOLCHAIN}}
+          rustup override set ${{env.RUST_NIGHTLY_TOOLCHAIN}}
+
+      - uses: camshaft/rust-cache@v1
+
+      # cargo-minimal-versions requires cargo-hack:
+      # https://crates.io/crates/cargo-minimal-versions#user-content-prerequisites
+      - name: Install cargo-hack
+        uses: baptiste0928/[email protected]
+        with:
+          crate: cargo-hack
+
+      - name: Install cargo-minimal-versions
+        uses: baptiste0928/[email protected]
+        with:
+          crate: cargo-minimal-versions
+
+      - name: Generate
+        run: ./${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      - name: Test minimal versions
+        id: test-minimal-versions
+        working-directory: ${{matrix.workspace-path}}
+        run: |
+          cargo +${{env.RUST_NIGHTLY_TOOLCHAIN}} minimal-versions check --direct --ignore-private
+          cargo +${{env.RUST_NIGHTLY_TOOLCHAIN}} minimal-versions check --direct --ignore-private --all-features
+
+  # compare generated s2n-tls-sys/Cargo.toml with the existing one to check if it's up-to-date
+  # unstable features might be updated in the future, new Cargo.toml should be committed in this case
+  check-generated-cargo-toml:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        id: toolchain
+        run: |
+          rustup toolchain install stable
+          rustup override set stable
+
+      - uses: camshaft/rust-cache@v1
+
+      - name: Generate
+        run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      - name: Compare Cargo
+        working-directory: ${{env.ROOT_PATH}}/s2n-tls-sys
+        id: diff
+        run: git diff --exit-code Cargo.toml
+        continue-on-error: true
+
+      - name: Failure
+        if: steps.diff.outcome != 'success'
+        run: |
+          echo "A mismatch between the existing s2n-tls-sys/Cargo.toml and the Cargo.toml generated \
+          from s2n-tls-sys/templates/Cargo.template has been found. Please ensure that the committed \
+          Cargo.toml is up-to-date by regenerating it with ${{env.ROOT_PATH}}/generate.sh"
+          exit 1

.github/workflows/gha_osx_tests.yml

@@ -2,6 +2,8 @@
 name: macOS build and test S2n
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

.github/workflows/proof_ci.yaml

@@ -26,6 +26,8 @@ jobs:
   run_cbmc_proofs:
     runs-on: cbmc_ubuntu-latest_64-core
     name: run_cbmc_proofs
+    # The default timeout is 360 minutes
+    timeout-minutes: 60
     permissions:
       contents: read
       id-token: write

.github/workflows/seccomp.yml

@@ -1,5 +1,7 @@
 name: seccomp
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -20,10 +22,10 @@ jobs:
           sudo apt install libseccomp-dev
           # For aws-lc
           sudo apt install clang golang
-          
+
       - name: checkout s2n-tls
         uses: actions/checkout@v4
-        
+
       - name: checkout aws-lc
         uses: actions/checkout@v4
         with:

.github/workflows/usage_guide.yml

@@ -52,7 +52,7 @@ jobs:
           folder: docs/usage-guide/book
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4.1.0
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole