Merge branch 'main' into awslcfips_2024

aws · Feb 20, 2025 · f54070b · f54070b
2 parents a4d9e35 + 4ae43ec
commit f54070b
Show file tree

Hide file tree

Showing 95 changed files with 743 additions and 523 deletions.
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -41,7 +41,7 @@ jobs:
       - name: Configure AWS Credentials
         # Only continue with the workflow to emit metrics on code that has been merged to main.
         if: github.event_name != 'pull_request'
-        uses: aws-actions/configure-aws-credentials@v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4.1.0
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: s2ntlsghabenchsession

diff --git a/.github/workflows/usage_guide.yml b/.github/workflows/usage_guide.yml
@@ -52,7 +52,7 @@ jobs:
           folder: docs/usage-guide/book
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4.1.0
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -32,6 +32,8 @@ loaded in an application with an otherwise conflicting libcrypto version." OFF)
 option(S2N_LTO, "Enables link time optimizations when building s2n-tls." OFF)
 option(S2N_STACKTRACE "Enables stacktrace functionality in s2n-tls. Note that this functionality is
 only available on platforms that support execinfo." ON)
+option(S2N_OVERRIDE_LIBCRYPTO_RAND_ENGINE "Allow s2n-tls to override the libcrypto random implementation with the custom
+s2n-tls implementation, when appropriate. Disabling this flag is not recommended. See docs/BUILD.md for details." ON)
 option(COVERAGE "Enable profiling collection for code coverage calculation" OFF)
 option(BUILD_TESTING "Build tests for s2n-tls. By default only unit tests are built." ON)
 option(S2N_INTEG_TESTS "Enable the integrationv2 tests" OFF)
@@ -247,6 +249,11 @@ if (COVERAGE)
     target_link_options(${PROJECT_NAME} PUBLIC -fprofile-instr-generate -fcoverage-mapping)
 endif()
 
+if (NOT S2N_OVERRIDE_LIBCRYPTO_RAND_ENGINE)
+    message(STATUS "Disabling libcrypto RAND engine override")
+    add_definitions(-DS2N_DISABLE_RAND_ENGINE_OVERRIDE)
+endif()
+
 # For interning, we need to find the static libcrypto library. Cmake configs
 # can branch on the variable BUILD_SHARED_LIBS to e.g. avoid having to define
 # multiple targets. An example is AWS-LC:

diff --git a/api/s2n.h b/api/s2n.h
@@ -1774,7 +1774,7 @@ S2N_API extern int s2n_connection_get_write_fd(struct s2n_connection *conn, int
 S2N_API extern int s2n_connection_use_corked_io(struct s2n_connection *conn);
 
 /**
- * Function pointer for a user provided send callback.
+ * Function pointer for a user provided recv callback.
  */
 typedef int s2n_recv_fn(void *io_context, uint8_t *buf, uint32_t len);
 

diff --git a/bindings/rust/extended/s2n-tls-sys/Cargo.toml b/bindings/rust/extended/s2n-tls-sys/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.12"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

diff --git a/bindings/rust/extended/s2n-tls-sys/templates/Cargo.template b/bindings/rust/extended/s2n-tls-sys/templates/Cargo.template
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.12"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

diff --git a/bindings/rust/extended/s2n-tls-tokio/Cargo.toml b/bindings/rust/extended/s2n-tls-tokio/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-tokio"
 description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
-version = "0.3.10"
+version = "0.3.12"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -16,11 +16,11 @@ errno = { version = "0.3" }
 # A minimum libc version of 0.2.121 is required by aws-lc-sys 0.14.0.
 libc = { version = "0.2.121" }
 pin-project-lite = { version = "0.2" }
-s2n-tls = { version = "=0.3.10", path = "../s2n-tls" }
+s2n-tls = { version = "=0.3.12", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]
 s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] }
-rand = { version = "0.8" }
+rand = { version = "0.9" }
 tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] }
 tokio-macros = "=2.3.0"
diff --git a/bindings/rust/extended/s2n-tls-tokio/tests/handshake.rs b/bindings/rust/extended/s2n-tls-tokio/tests/handshake.rs
@@ -62,7 +62,7 @@ async fn handshake_with_pool_multithread() -> Result<(), Box<dyn std::error::Err
         let server = server.clone();
         tasks.push_back(tokio::spawn(async move {
             // Start each handshake at a randomly determined time
-            let rand = rand::thread_rng().gen_range(0..50);
+            let rand = rand::rng().random_range(0..50);
             time::sleep(Duration::from_millis(rand)).await;
 
             let (server_stream, client_stream) = common::get_streams().await.unwrap();

diff --git a/bindings/rust/extended/s2n-tls/Cargo.toml b/bindings/rust/extended/s2n-tls/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.12"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -22,15 +22,13 @@ unstable-testing = []
 errno = { version = "0.3" }
 # A minimum libc version of 0.2.121 is required by aws-lc-sys 0.14.0.
 libc = "0.2.121"
-s2n-tls-sys = { version = "=0.3.10", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.3.12", path = "../s2n-tls-sys", features = ["internal"] }
 pin-project-lite = "0.2"
 hex = "0.4"
 
 [dev-dependencies]
 futures-test = "0.3"
-# The openssl crate broke MSRV with 0.10.67
-# TODO unpin this once fixed - https://github.com/sfackler/rust-openssl/issues/2317
-openssl = "<0.10.67"
+openssl = "0.10"
 openssl-sys = "0.9"
 foreign-types = "0.3"
 temp-env = "0.3"

diff --git a/bindings/rust/extended/s2n-tls/src/callbacks.rs b/bindings/rust/extended/s2n-tls/src/callbacks.rs
@@ -48,7 +48,7 @@ pub use pkey::*;
 /// callbacks were configured through the Rust bindings.
 pub(crate) unsafe fn with_context<F, T>(conn_ptr: *mut s2n_connection, action: F) -> T
 where
-    F: FnOnce(&mut Connection, &mut Context) -> T,
+    F: FnOnce(&mut Connection, &Context) -> T,
 {
     let raw = NonNull::new(conn_ptr).expect("connection should not be null");
     // Since this is a callback, it receives a pointer to the connection
@@ -57,8 +57,8 @@ where
     // We must make the connection `ManuallyDrop` before `action`, otherwise a panic
     // in `action` would cause the unwind mechanism to drop the connection.
     let mut conn = ManuallyDrop::new(Connection::from_raw(raw));
-    let mut config = conn.config().expect("config should not be null");
-    let context = config.context_mut();
+    let config = conn.config().expect("config should not be null");
+    let context = config.context();
     action(&mut conn, context)
 }