Merge branch 'main' into kms-pkey-offload

aws · Jan 15, 2025 · 5ccc130 · 5ccc130
2 parents d5137f5 + 46f2d74
commit 5ccc130
Show file tree

Hide file tree

Showing 62 changed files with 416 additions and 613 deletions.
diff --git a/.github/teams.yml b/.github/teams.yml
@@ -8,4 +8,5 @@ s2n-core:
   - '@jmayclin'
   - '@jouho'
   - '@boquan-fang'
-  - '@CarolYeh910'
+  - '@CarolYeh910'
+  - '@johubertj'
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -1,6 +1,8 @@
 name: Benchmarking
 
 on:
+  pull_request:
+    branches: [main]
   push:
     branches: [main]
   schedule:
@@ -29,23 +31,25 @@ jobs:
           pip3 install "boto3[crt]"
 
       - name: Generate
-        working-directory: bindings/rust
+        working-directory: bindings/rust/extended
         run: ./generate.sh --skip-tests
 
       - name: Benchmark
-        working-directory: bindings/rust/bench
+        working-directory: bindings/rust/standard/bench
         run: cargo criterion --message-format json > criterion_output.log
 
       - name: Configure AWS Credentials
+        if: github.event_name == 'push'
         uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: s2ntlsghabenchsession
           aws-region: us-west-2
 
       - name: Emit CloudWatch metrics
+        if: github.event_name == 'push'
         run: |
           python3 .github/bin/criterion_to_cloudwatch.py \
-            --criterion_output_path bindings/rust/bench/criterion_output.log \
+            --criterion_output_path bindings/rust/standard/bench/criterion_output.log \
             --namespace s2n-tls-bench \
             --platform ${{ runner.os }}-${{ runner.arch }}
diff --git a/.github/workflows/ci_freebsd.yml b/.github/workflows/ci_freebsd.yml
@@ -1,6 +1,8 @@
 name: FreeBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
@@ -1,6 +1,8 @@
 ---
 name: Linters
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -128,3 +130,45 @@ jobs:
           exit 1
       - name: Success
         run: echo "All nix files passed format check"
+
+  validate_start_codebuild_script:
+    name: validate start_codebuild.sh
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: pause
+        run: "sleep 120"
+      - name: retrieve statuses
+        id: get_statuses
+        uses: octokit/request-action@v2.x
+        with:
+          route: GET /repos/{repo}/commits/{ref}/statuses?per_page=100
+          repo: ${{ github.repository }}
+          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: check start_codebuild.sh against statuses
+        id: github_builds
+        run: |
+            from_github=$(
+                jq '.[] | .description' <<< '${{ steps.get_statuses.outputs.data }}' \
+                    | grep "for project" \
+                    | sed -r "s/^.*?for project (.*?)\"$/\1/" \
+                    | sort -u
+            )
+            if [ -z "$from_github" ]; then
+                echo "No codebuild job statuses!"
+                echo "You may need to kick off the codebuild jobs with" \
+                    "./codebuild/bin/start_codebuild.sh and then retry."
+                exit 1
+            fi
+            echo builds from github statuses:
+            printf "$from_github\n\n"
+            from_file=$(
+                source codebuild/bin/start_codebuild.sh > /dev/null \
+                || printf "%s\n" "${BUILDS[@]}" | cut -d" " -f1 | sort -u
+            )
+            echo builds from start_codebuild.sh:
+            printf "$from_file\n\n"
+            echo "diff output:"
+            diff <(echo "$from_github") <(echo "$from_file")
diff --git a/.github/workflows/ci_openbsd.yml b/.github/workflows/ci_openbsd.yml
@@ -1,6 +1,8 @@
 name: OpenBSD
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -2,6 +2,8 @@
 name: Rust Bindings
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

diff --git a/.github/workflows/dashboard.yml b/.github/workflows/dashboard.yml
@@ -74,7 +74,7 @@ jobs:
                 color: 'green'
               - type: 'number'
                 title: 'No review (external) last 14 days'
-                issue_query: 'repo:aws/s2n-tls is:open is:pr review:none -label:status/stale -label:s2n-core created:>{{ date("-14 days") }}'
+                issue_query: 'repo:aws/s2n-tls is:open is:pr comments:0 review:none -label:status/stale -label:s2n-core created:>{{ date("-14 days") }}'
                 color: 'red'
               - type: 'number'
                 title: 'PRs with changes requested (external)'

diff --git a/.github/workflows/gha_osx_tests.yml b/.github/workflows/gha_osx_tests.yml
@@ -2,6 +2,8 @@
 name: macOS build and test S2n
 
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:

diff --git a/.github/workflows/regression_ci.yml b/.github/workflows/regression_ci.yml
@@ -8,8 +8,6 @@ on:
   pull_request:
     branches:
       - main
-    paths-ignore:
-      - tests/regression/**
   merge_group:
     types: [checks_requested]
     branches: [main]

diff --git a/.github/workflows/seccomp.yml b/.github/workflows/seccomp.yml
@@ -1,5 +1,7 @@
 name: seccomp
 on:
+  push:
+    branches: [main]
   pull_request:
     branches: [main]
   merge_group:
@@ -20,10 +22,10 @@ jobs:
           sudo apt install libseccomp-dev
           # For aws-lc
           sudo apt install clang golang
-          
+
       - name: checkout s2n-tls
         uses: actions/checkout@v4
-        
+
       - name: checkout aws-lc
         uses: actions/checkout@v4
         with:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -101,11 +101,6 @@ else()
     set(OS_LIBS Threads::Threads dl rt)
 endif()
 
-# Compiling the unit tests rely on S2N_TEST_IN_FIPS_MODE to be set correctly
-if(S2N_FIPS)
-    add_definitions(-DS2N_TEST_IN_FIPS_MODE)
-endif()
-
 file(GLOB S2N_HEADERS
     ${API_HEADERS}
     ${API_UNSTABLE_HEADERS}
@@ -407,7 +402,7 @@ if (S2N_INTERN_LIBCRYPTO)
           # copy the static version of libcrypto
           cp ${crypto_STATIC_LIBRARY} s2n_libcrypto.a &&
           # dump all of the symbols and prefix them with `s2n$`
-          bash -c "${CMAKE_NM} s2n_libcrypto.a | awk '/ [A-Z] /{print $3\" s2n$\"$3}' | sort | uniq > libcrypto.symbols" &&
+          bash -c "${CMAKE_NM} s2n_libcrypto.a | awk '/ [A-Z] /{if ($3) print $3\" s2n$\"$3}' | sort | uniq > libcrypto.symbols" &&
           # redefine the libcrypto libary symbols
           ${CMAKE_OBJCOPY} --redefine-syms libcrypto.symbols s2n_libcrypto.a &&
           rm -rf s2n_libcrypto &&
@@ -640,7 +635,7 @@ if (BUILD_TESTING)
                         pytest
                         -x -n=${N} --reruns=2 --durations=10 --cache-clear -rpfsq
                         -o log_cli=true --log-cli-level=DEBUG --provider-version=$ENV{S2N_LIBCRYPTO}
-                        --fips-mode=0 ${test_file_path}
+                        ${test_file_path}
                         WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/tests/integrationv2
                 )
             else()
@@ -678,8 +673,10 @@ if (BUILD_TESTING)
         target_include_directories(fuzztest PUBLIC tests)
         target_link_libraries(fuzztest PUBLIC ${PROJECT_NAME})
 
-        # Set default values for fuzzing if not defined
-        if(NOT DEFINED FUZZ_TIMEOUT_SEC)
+        # Set default values for fuzzing
+        if(DEFINED ENV{FUZZ_TIMEOUT_SEC})
+            set(FUZZ_TIMEOUT_SEC $ENV{FUZZ_TIMEOUT_SEC})    
+        else()
             set(FUZZ_TIMEOUT_SEC 60)
         endif()
 

diff --git a/bin/s2nc.c b/bin/s2nc.c
@@ -569,23 +569,6 @@ int main(int argc, char *const *argv)
         exit(1);
     }
 
-    if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
-    #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
-        if (FIPS_mode_set(1) == 0) {
-            unsigned long fips_rc = ERR_get_error();
-            char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
-            fprintf(stderr, "s2nc failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
-            exit(1);
-        }
-        printf("s2nc entered FIPS mode\n");
-    #else
-        fprintf(stderr, "Error entering FIPS mode. s2nc was not built against a FIPS-capable libcrypto.\n");
-        exit(1);
-    #endif
-#endif
-    }
-
     if (prefer_low_latency && prefer_throughput) {
         fprintf(stderr, "prefer-throughput and prefer-low-latency options are mutually exclusive\n");
         exit(1);
@@ -594,6 +577,16 @@ int main(int argc, char *const *argv)
     GUARD_EXIT(s2n_init(), "Error running s2n_init()");
     printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
 
+    if (fips_mode) {
+        s2n_fips_mode mode = 0;
+        GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+        if (mode != S2N_FIPS_MODE_ENABLED) {
+            fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
+            exit(1);
+        }
+        printf("s2nc entered FIPS mode\n");
+    }
+
     if ((r = getaddrinfo(host, port, &hints, &ai_list)) != 0) {
         fprintf(stderr, "error: %s\n", gai_strerror(r));
         exit(1);

diff --git a/bin/s2nd.c b/bin/s2nd.c
@@ -548,26 +548,19 @@ int main(int argc, char *const *argv)
         exit(1);
     }
 
+    GUARD_EXIT(s2n_init(), "Error running s2n_init()");
+    printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
+
     if (fips_mode) {
-#ifndef S2N_INTERN_LIBCRYPTO
-    #if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
-        if (FIPS_mode_set(1) == 0) {
-            unsigned long fips_rc = ERR_get_error();
-            char ssl_error_buf[256]; /* Openssl claims you need no more than 120 bytes for error strings */
-            fprintf(stderr, "s2nd failed to enter FIPS mode with RC: %lu; String: %s\n", fips_rc, ERR_error_string(fips_rc, ssl_error_buf));
+        s2n_fips_mode mode = 0;
+        GUARD_EXIT(s2n_get_fips_mode(&mode), "Unable to retrieve FIPS mode");
+        if (mode != S2N_FIPS_MODE_ENABLED) {
+            fprintf(stderr, "FIPS mode not enabled: libcrypto does not support FIPS\n");
             exit(1);
         }
         printf("s2nd entered FIPS mode\n");
-    #else
-        fprintf(stderr, "Error entering FIPS mode. s2nd was not built against a FIPS-capable libcrypto.\n");
-        exit(1);
-    #endif
-#endif
     }
 
-    GUARD_EXIT(s2n_init(), "Error running s2n_init()");
-    printf("libcrypto: %s\n", s2n_libcrypto_get_version_name());
-
     printf("Listening on %s:%s\n", host, port);
 
     struct s2n_config *config = s2n_config_new();

diff --git a/bindings/rust/extended/s2n-tls/src/connection.rs b/bindings/rust/extended/s2n-tls/src/connection.rs
@@ -972,6 +972,7 @@ impl Connection {
         }
     }
 
+    #[deprecated = "PQ TLS 1.2 KEM Names are no longer supported. Use kem_group_name() to retrieve PQ TLS 1.3 Group name."]
     pub fn kem_name(&self) -> Option<&str> {
         let name_bytes = {
             let name = unsafe { s2n_connection_get_kem_name(self.connection.as_ptr()) };
@@ -1000,6 +1001,34 @@ impl Connection {
         }
     }
 
+    pub fn kem_group_name(&self) -> Option<&str> {
+        let name_bytes = {
+            let name = unsafe { s2n_connection_get_kem_group_name(self.connection.as_ptr()) };
+            if name.is_null() {
+                return None;
+            }
+            name
+        };
+
+        let name_str = unsafe {
+            // SAFETY: The data is null terminated because it is declared as a C
+            //         string literal.
+            // SAFETY: kem_name has a static lifetime because it lives on a const
+            //         struct s2n_kem with file scope.
+            const_str!(name_bytes)
+        };
+
+        match name_str {
+            Ok("NONE") => None,
+            Ok(name) => Some(name),
+            Err(_) => {
+                // Unreachable: This would indicate a non-utf-8 string literal in
+                // the s2n-tls C codebase.
+                None
+            }
+        }
+    }
+
     pub fn selected_curve(&self) -> Result<&str, Error> {
         let curve = unsafe { s2n_connection_get_curve(self.connection.as_ptr()).into_result()? };
         unsafe {

diff --git a/bindings/rust/extended/s2n-tls/src/testing/s2n_tls.rs b/bindings/rust/extended/s2n-tls/src/testing/s2n_tls.rs
@@ -28,28 +28,28 @@ mod tests {
     }
 
     #[test]
-    fn kem_name_retrieval() -> Result<(), Error> {
+    fn kem_group_name_retrieval() -> Result<(), Error> {
         // PQ isn't supported
         {
             let policy = Policy::from_version("20240501")?;
             let config = build_config(&policy)?;
             let mut pair = TestPair::from_config(&config);
 
-            // before negotiation, kem_name is none
-            assert!(pair.client.kem_name().is_none());
+            // before negotiation, kem_group_name is none
+            assert!(pair.client.kem_group_name().is_none());
 
             pair.handshake().unwrap();
-            assert!(pair.client.kem_name().is_none());
+            assert!(pair.client.kem_group_name().is_none());
         }
 
         // PQ is supported
         {
-            let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?;
+            let policy = Policy::from_version("default_pq")?;
             let config = build_config(&policy)?;
             let mut pair = TestPair::from_config(&config);
 
             pair.handshake().unwrap();
-            assert_eq!(pair.client.kem_name(), Some("kyber512r3"));
+            assert_eq!(pair.client.kem_group_name(), Some("X25519MLKEM768"));
         }
 
         Ok(())

diff --git a/bindings/rust/standard/bench/benches/resumption.rs b/bindings/rust/standard/bench/benches/resumption.rs
@@ -45,19 +45,18 @@ where
         bench_group.bench_function(format!("{:?}-{}", handshake, T::name()), |b| {
             b.iter_batched_ref(
                 || {
-                    let pair = TlsConnPair::<T, T>::new_bench_pair(
+                    let mut pair = TlsConnPair::<T, T>::new_bench_pair(
                         CryptoConfig::new(CipherSuite::default(), KXGroup::default(), sig_type),
                         handshake,
                     )
                     .unwrap();
-                    let (mut c, s) = pair.split();
-                    c.handshake().unwrap();
-                    s
+                    pair.client_mut().handshake().unwrap();
+                    pair
                 },
-                |server| {
+                |pair| {
                     // this represents the work that the server does during the
                     // first RTT
-                    server.handshake().unwrap()
+                    pair.server_mut().handshake().unwrap();
                 },
                 BatchSize::SmallInput,
             )