chore: move hyper to a newer MSRV

.github/workflows/ci_rust.yml

@@ -12,7 +12,10 @@ env:
   # Pin the nightly toolchain to prevent breakage.
   # This should be occasionally updated.
   RUST_NIGHTLY_TOOLCHAIN: nightly-2024-12-01
-  ROOT_PATH: bindings/rust
+  # Extended support MSRV
+  ROOT_PATH: bindings/rust/extended
+  # Standard support MSRV
+  STANDARD_PATH: bindings/rust/standard
   EXAMPLE_WORKSPACE: bindings/rust-examples
   PCAP_TEST_PATH: tests/pcap
 
@@ -49,6 +52,11 @@ jobs:
         working-directory: ${{env.ROOT_PATH}}
         run: cargo test
 
+      # Test the standard workspace
+      - name: Standard Workspace Tests
+        working-directory: ${{env.STANDARD_PATH}}
+        run: cargo test
+
       - name: "Feature Tests: Fingerprint, kTLS, QUIC, and PQ"
         working-directory: ${{env.ROOT_PATH}}
         # Test all features except for FIPS, which is tested separately.
@@ -59,7 +67,7 @@ jobs:
         run: cargo test --features unstable-renegotiate
 
       - name: Network-enabled integration tests
-        working-directory: ${{env.ROOT_PATH}}/integration
+        working-directory: ${{env.STANDARD_PATH}}/integration
         # no-default-features is used because network tests are hidden behind a
         # default "negative" feature. This is because we don't want network tests
         # invoked on the `cargo test --all-features` pattern.
@@ -83,7 +91,7 @@ jobs:
 
           cd ${{env.ROOT_PATH}}
           ./generate.sh
-          ldd target/debug/integration | grep libs2n.so
+          ldd standard/target/debug/integration | grep libs2n.so
 
   # our benchmark testing includes interop tests between s2n-tls, rustls, and
   # openssl
@@ -102,7 +110,7 @@ jobs:
         run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
 
       - name: bench tests
-        working-directory: ${{env.ROOT_PATH}}/bench
+        working-directory: ${{env.STANDARD_PATH}}/bench
         run: cargo test
 
   s2n-tls-binding-examples:

.github/workflows/dependencies.yml

@@ -18,7 +18,7 @@ on:
     - cron: "0 18 * * *"
 
 env:
-  ROOT_PATH: bindings/rust
+  ROOT_PATH: bindings/rust/extended
 
 jobs:
   audit:

.github/workflows/regression_ci.yml

@@ -14,6 +14,9 @@ on:
     types: [checks_requested]
     branches: [main]
 
+env:
+  ROOT_PATH: bindings/rust/extended
+
 jobs:
   regression-test:
     runs-on: ubuntu-latest
@@ -54,7 +57,7 @@ jobs:
 
       # Generate bindings for main branch
       - name: Generate bindings (mainline)
-        run: ${{env.ROOT_PATH}}bindings/rust/generate.sh --skip-tests
+        run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
 
       # Run performance tests using Valgrind for main branch
       - name: Run scalar performance test (mainline)
@@ -68,7 +71,7 @@ jobs:
 
       # Generate bindings for PR branch
       - name: Generate bindings (PR branch)
-        run: ${{env.ROOT_PATH}}bindings/rust/generate.sh --skip-tests
+        run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
 
       # Run performance tests using Valgrind for PR branch
       - name: Run scalar performance test (PR branch)

bindings/rust/README.md → bindings/README.md

@@ -17,15 +17,30 @@ In order to generate rust bindings for s2n-tls, you need to have the following i
 Generating rust bindings can be accomplished by running the `generate.sh` script:
 
 ```
-$ ./bindings/rust/generate.sh
+$ ./bindings/rust/extended/generate.sh
 ```
 
 This script generates the low-level bindings in the crate `s2n-tls-sys`, which is used by the `s2n-tls` crate to provide higher-level bindings.
 See [s2n-tls-sys](https://github.com/aws/s2n-tls/blob/main/bindings/rust/s2n-tls-sys/README.md) for more information on `s2n-tls-sys` crate.
 
 ## Minimum Supported Rust Version (MSRV)
 
-`s2n-tls` will maintain a rolling MSRV (minimum supported rust version) policy of at least 6 months. The current s2n-quic version is not guaranteed to build on Rust versions earlier than the MSRV.
+There are three workspaces, with slightly different MSRV policies, to keep broad support for the bindings, while allowing newer MSRV for integrations, like `s2n-tls-hyper`.
+
+### Extended
+
+The current MSRV for `s2n-tls`, `s2n-tls-sys` and `s2n-tls-tokio` is [1.63.0][msrv-url].
+
+### Standard
+
+We will maintain a rolling MSRV (minimum supported rust version) policy of at least 6 months. The current s2n-quic version is not guaranteed to build on Rust versions earlier than the MSRV.
+
+The current MSRV for the standard workspace is [1.74.0][msrv-url].
+
+### Rust Examples
+
+The current MSRV for the Rust Examples workspace is [stable][msrv-url].
+
+
 
-The current MSRV is [1.63.0][msrv-url].
 

bindings/rust-examples/client-hello-config-resolution/Cargo.toml

@@ -8,6 +8,6 @@ edition.workspace = true
 
 [dependencies]
 clap = { version = "4", features = ["derive"] }
-s2n-tls = { path = "../../rust/s2n-tls" }
-s2n-tls-tokio = { path = "../../rust/s2n-tls-tokio" }
+s2n-tls = { path = "../../rust/extended/s2n-tls" }
+s2n-tls-tokio = { path = "../../rust/extended/s2n-tls-tokio" }
 tokio = { version = "1", features = ["full"] }

bindings/rust-examples/tokio-server-client/Cargo.toml

@@ -7,7 +7,7 @@ license.workspace = true
 edition.workspace = true
 
 [dependencies]
-s2n-tls = { path = "../../rust/s2n-tls" }
-s2n-tls-tokio = { path = "../../rust/s2n-tls-tokio" }
+s2n-tls = { path = "../../rust/extended/s2n-tls" }
+s2n-tls-tokio = { path = "../../rust/extended/s2n-tls-tokio" }
 tokio = { version = "1", features = ["full"] }
 clap = { version = "4", features = ["derive"] }

bindings/rust/Cargo.toml → bindings/rust/extended/Cargo.toml

@@ -1,10 +1,8 @@
 [workspace]
 members = [
-    "integration",
     "s2n-tls",
     "s2n-tls-sys",
-    "s2n-tls-tokio",
-    "s2n-tls-hyper",
+    "s2n-tls-tokio"
 ]
 # generate can't be included in the workspace because of a bootstrapping problem
 # s2n-tls-sys/Cargo.toml (part of the workspace) is generated by

bindings/rust/generate.sh → bindings/rust/extended/generate.sh

@@ -16,21 +16,21 @@ mkdir -p s2n-tls-sys/src/features
 # we copy the C sources into the `lib` directory so they get published in the
 # actual crate artifact.
 cp -r \
-  ../../api \
-  ../../crypto \
-  ../../error \
-  ../../stuffer \
-  ../../tls \
-  ../../utils \
+  ../../../api \
+  ../../../crypto \
+  ../../../error \
+  ../../../stuffer \
+  ../../../tls \
+  ../../../utils \
   s2n-tls-sys/lib/
 
 cp -r \
-  ../../tests/features \
+  ../../../tests/features \
   s2n-tls-sys/lib/tests/
 
 cp -r \
-  ../../CMakeLists.txt \
-  ../../cmake \
+  ../../../CMakeLists.txt \
+  ../../../cmake \
   s2n-tls-sys/lib/
 
 # generate the bindings modules from the copied sources
@@ -52,7 +52,7 @@ cargo publish --dry-run --allow-dirty
 cargo publish --dry-run --allow-dirty --all-features
 popd
 
-pushd integration
+pushd ../standard/integration
 cargo run
 popd
 

bindings/rust/s2n-tls/src/testing.rs → bindings/rust/extended/s2n-tls/src/testing.rs

@@ -97,7 +97,7 @@ impl Default for CertKeyPair {
 impl CertKeyPair {
     /// This is the directory holding all of the pems used for s2n-tls unit tests
     const TEST_PEMS_PATH: &'static str =
-        concat!(env!("CARGO_MANIFEST_DIR"), "/../../../tests/pems/");
+        concat!(env!("CARGO_MANIFEST_DIR"), "/../../../../tests/pems/");
 
     /// Create a test CertKeyPair
     /// * `prefix`: The *relative* prefix from the s2n-tls/tests/pems/ folder.

bindings/rust/standard/Cargo.toml

@@ -0,0 +1,6 @@
+[workspace]
+members = [
+    "bench",
+    "integration",
+    "s2n-tls-hyper"
+]

bindings/rust/bench/Cargo.toml → bindings/rust/standard/bench/Cargo.toml

@@ -4,7 +4,7 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-s2n-tls = { path = "../s2n-tls" }
+s2n-tls = { path = "../../extended/s2n-tls" }
 errno = "0.3"
 libc = "0.2"
 strum = { version = "0.25", features = ["derive"] }
@@ -14,7 +14,7 @@ openssl = { version = "0.10", features = ["vendored"] }
 
 [dev-dependencies]
 criterion = "0.5"
-pprof = { version = "0.12", features = ["criterion", "flamegraph"] }
+pprof = { version = "0.14", features = ["criterion", "flamegraph"] }
 # env_logger and log are used to enable logging for rustls, which can help with
 # debugging interop failures
 env_logger = "0.10"

bindings/rust/standard/bench/certs/ecdsa256

@@ -0,0 +1 @@
+../../../../../tests/pems/permutations/ec_ecdsa_p256_sha256

bindings/rust/standard/bench/certs/ecdsa384

@@ -0,0 +1 @@
+../../../../../tests/pems/permutations/ec_ecdsa_p384_sha384

bindings/rust/standard/bench/certs/readme.md

@@ -0,0 +1,9 @@
+This folder actually just contains symlinks to the files in s2n-tls/test/pems/permutations
+
+```
+ln -s ../../../../../tests/pems/permutations/ec_ecdsa_p256_sha256 ecdsa256
+ln -s ../../../../../tests/pems/permutations/ec_ecdsa_p384_sha384 ecdsa384
+ln -s ../../../../../tests/pems/permutations/rsae_pkcs_2048_sha256 rsa2048
+ln -s ../../../../../tests/pems/permutations/rsae_pkcs_3072_sha384 rsa3072
+ln -s ../../../../../tests/pems/permutations/rsae_pkcs_4096_sha384 rsa4096
+```

bindings/rust/standard/bench/certs/rsa2048

@@ -0,0 +1 @@
+../../../../../tests/pems/permutations/rsae_pkcs_2048_sha256

bindings/rust/standard/bench/certs/rsa3072

@@ -0,0 +1 @@
+../../../../../tests/pems/permutations/rsae_pkcs_3072_sha384

bindings/rust/standard/bench/certs/rsa4096

@@ -0,0 +1 @@
+../../../../../tests/pems/permutations/rsae_pkcs_4096_sha384

bindings/rust/standard/certs/cert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCAdOgAwIBAgIUTihKtj/RM4hq5r9fmryUGwDlYC4wCgYIKoZIzj0EAwIw
+azELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMQ4wDAYDVQQHDAVUZW1wZTEPMA0G
+A1UECgwGQW1hem9uMRowGAYDVQQLDBFBbWF6b25XZWJTZXJ2aWNlczESMBAGA1UE
+AwwJbG9jYWxob3N0MCAXDTIzMDUyNDA2MjYyN1oYDzIxMjMwNDMwMDYyNjI3WjBr
+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQVoxDjAMBgNVBAcMBVRlbXBlMQ8wDQYD
+VQQKDAZBbWF6b24xGjAYBgNVBAsMEUFtYXpvbldlYlNlcnZpY2VzMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4be8OVofY925i
+AVfv2brqeJF55DeUSP3Q1cUI3QhPxw8ZFBTg25rnYsbpGQBsW1iSmE6v1YHGlmf5
+mAbhoAKJo1MwUTAdBgNVHQ4EFgQUCpoWu/Qw0+c9wyejGR0n16FNofwwHwYDVR0j
+BBgwFoAUCpoWu/Qw0+c9wyejGR0n16FNofwwDwYDVR0TAQH/BAUwAwEB/zAKBggq
+hkjOPQQDAgNHADBEAiBdYxkSxWkqaY6fv4QhNVPX8pNysB02lHBoLR2yVFf7MwIg
+f+86G4gdpIi8tGO7Q217BAIpsWwCMrYw7O41ltGHOog=
+-----END CERTIFICATE-----

bindings/rust/standard/certs/cert_localhost_ipv6.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIUT1hXpXZFhpbeq6UkbqlnOKAeUoowDQYJKoZIhvcNAQEL
+BQAwbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24x
+DzANBgNVBAoMBkFtYXpvbjEaMBgGA1UECwwRQW1hem9uV2ViU2VydmljZXMxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDAgFw0yNDExMjYwNDUyNDdaGA8yMTI0MTEwMjA0NTI0
+N1owbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQHDAZCb3N0b24x
+DzANBgNVBAoMBkFtYXpvbjEaMBgGA1UECwwRQW1hem9uV2ViU2VydmljZXMxEjAQ
+BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKE6vnPsBDz69ET25yWSikTchned2PvOzZ9zOd7jtQM7A504jHGMOoyXsZaLF+R2
+6M4Fo/7sWQfPImbrfDELIGoZo9V/DbJoETgmEsE6rSj2poEF46ZbNWa0THBNko0O
+q3zgpwPmUPtPTF3QHH0JC/Kbm7V9S4yVx4Qit7GSPUr9Cgj3MJF6MAZqi29LpgSK
+uMQ1bf6T9t6F5hNH3A4T5dfjtjcQczDhbnkKCUFa8DbOR+5vecQQjI6vJoK3suIU
+xS4U6rNRhLYL+grswpqVh2AXI3qsl12jhcer7hbRovRM8MQkDCPnLDb9Chm2zVWW
+5HgkUbtsZrpldrWoVdNihqUCAwEAAaNwMG4wHQYDVR0OBBYEFE6+x/LP/KNspKSj
+uOY77KG+u/eAMB8GA1UdIwQYMBaAFE6+x/LP/KNspKSjuOY77KG+u/eAMA8GA1Ud
+EwEB/wQFMAMBAf8wGwYDVR0RBBQwEocQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG
+9w0BAQsFAAOCAQEAE//QpOTdTJfc2OM+/kilicGx/PiV3WjiqoaeQo6uUd7cD7wD
+6JuXABtUSndfkxryeQzKQmq2KBedbQCOKnt/OeY0yMqCxbws3l3H+uwPwwAACIUn
+3e5+RtotiQQBreSiHJJ6omFpd+cyvluZwZ20t3dhlgGU5NUN3zcHkdc8hGpaxtfJ
+AaunssA40QcjQFQYI8ADTiQHW20rZcsVRKkwRkNVps/vMDpLBCyBp96xhTAtkoDH
+Xs/Zi1bJiJ8xw3TkDeJFShpP+cQPYHI36qWqNjTei9eHrNX8sNFAdNZVyitoZ3/W
+FrPdms/ivlvgQbWWB3EKxD+PsQXoYvjkGhMNmg==
+-----END CERTIFICATE-----

bindings/rust/standard/certs/cert_rsa.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqzCCA5OgAwIBAgIUPecTUedBPhAjrzsM16hwH5f/8HswDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkFaMQ4wDAYDVQQHDAVUZW1wZTEN
+MAsGA1UECgwETWFhczEVMBMGA1UECwwMQmlvQ29tcHV0aW5nMRIwEAYDVQQDDAls
+b2NhbGhvc3QwIBcNMjMwNTI0MDYyNjI3WhgPMjEyMzA0MzAwNjI2MjdaMGQxCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIDAJBWjEOMAwGA1UEBwwFVGVtcGUxDTALBgNVBAoM
+BE1hYXMxFTATBgNVBAsMDEJpb0NvbXB1dGluZzESMBAGA1UEAwwJbG9jYWxob3N0
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnflx61sSH4pF9AmdOR3r
+ilFM9Z1RIZ4aZXk5Dov9UP4KykCIFC12I7wryyKHH5PoKjKKtYW+4G/lAOw/O7kP
+6oDfbcQbH3E5LCT7k2a+tOwxywxmsQFpK/YCicKxkFvbKqfbb+S5U9CZ9Rmx3jGh
+FldIVXYrkdq2AfFu7U0BB5rdDQLBx1GAZjtmDjP9dpPe0GuukInHqaogO9d08x2O
+3WN3grxdj2NN0tjaR6/S+a1L4vwcybJ5UZ8Zq8Bd41YR6uPNJSjABcXHXAlxR83t
+ENNRKl8m8uP4SqFgpmFBHHmXviyVirZRpVudWG2Zkk6WSTj+cwDlcXYucVO6cmkS
+/FQsslXn2YAYDiSsuthl4UGTXyWbxskAwx65ERHZ2CwOix6TIKxB0lOGVIuoT7Hj
+q6gqFRxrjAQwUk76z+j/NFwZhAe0b5G0uyHcgPuaJMI9BpzvwpqgMNSMlbeH8rd3
+LsLOeCFrVcQzrYqS/aLB/FRE7QxkZutuRgAG5N3sBhxJNizROBzCd+zUEpJi2ZgH
+eFstYAL4sXEh4m/7uXxMROO9rFqpZXiYocYipfddjjZ6NF3RIIfQG/Ubydm2YJe5
+s3o3Q2nGuBY6l0KXJvq1uX3B5JmFcVr0eiWbZ4UZioJbZ40JEUx7ECNZqooC7QjT
+EeQZXwEfvUotP5lvAFEFK5MCAwEAAaNTMFEwHQYDVR0OBBYEFFRIP81Ul8Um6h8u
+ru05X1QGuPceMB8GA1UdIwQYMBaAFFRIP81Ul8Um6h8uru05X1QGuPceMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAIBDHQC3LfuH1YVieC0100IV
+4tpSiQ63n5TItLRPxpPMjohAC1ZggQjU1/rVeBkP/x2dBQFgPpRXBFye9iavUVBt
+xXj06Rm8kdLwF3KZHECDQArztdYqogmvXtxx5WA23nhua5NwUV6jM5i7EV7d/Bcp
++wGZKaze6fBR4Wh9FkIh9HG2tIOgJibLI33JAFjxkdY6bYoqDSUzlKZmUCMpxrXF
+Zg/vYhBnBss2uvF9Ce+6Nedxgourjyma6MiH7QPwMM3Cr1rWTnG5C7MBhm4Q13Xr
+LeaOayTE2JChXwyXqBjrctPs5GCbAJJFovQphyJhxNTXzHxMRu4MBCl3jFT2lzIi
+r6DkgoQ3tuy5C3i4ZWNZUjqFrCu1uIeGYb9x+Wzv9/i370juF+aO5zJC3mp8bKsU
+zdFQE8/q9ltuiazueCGPkFoVEVmLFICIckV6q+zh/ahXcdbSf8JxDGXElXhDK6Z3
+2axo2m5f/x77FREZCmyVA9I8fYDo3A7srGgkwMc+isdrbzytSC2KKo4/XnpvIRWo
+vvKKslTzyaMoSv3i9qj23kWowRKqrguCs0wG1d7QiCRdEAsFO+MZPzsde5zKqcQ1
+AC8kSUZrFRjFfZfc0JAB7pI6BSlVwzVItdIdlA9jzEZr2c7430djTyidyTKiWj3D
+FkfWZeLWo9l/1vC+Qyeo
+-----END CERTIFICATE-----

bindings/rust/standard/certs/generate.sh

@@ -0,0 +1,27 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# This script will generate all of the certs used for examples and tests in
+# the rust bindings crates.
+
+# Used for TLS 1.2 connections.
+echo "generating rsa key and cert"
+openssl req -x509 -newkey rsa:4096 -keyout key_rsa.pem -out cert_rsa.pem -sha256 -days 36500 -nodes -subj "/C=US/ST=AZ/L=Tempe/O=Maas/OU=BioComputing/CN=localhost"
+
+
+# Used for TLS 1.3 connections.
+echo "generating ec key and cert"
+openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/C=US/ST=AZ/L=Tempe/O=Amazon/OU=AmazonWebServices/CN=localhost"
+
+
+# Used for testing IPv6. Includes the localhost IPv6 address as a SAN.
+echo "generating localhost IPv6 key and cert"
+openssl req -x509 \
+    -newkey rsa:2048 \
+    -keyout key_localhost_ipv6.pem \
+    -out cert_localhost_ipv6.pem \
+    -sha256 \
+    -days 36500 \
+    -nodes \
+    -subj "/C=US/ST=MA/L=Boston/O=Amazon/OU=AmazonWebServices/CN=localhost" \
+    -addext "subjectAltName = IP:0:0:0:0:0:0:0:1"

bindings/rust/standard/certs/key.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg7CYotHO5H76smTyL
+DHb6esNVfzBEDAi+vZMvtM2SItahRANCAAS4be8OVofY925iAVfv2brqeJF55DeU
+SP3Q1cUI3QhPxw8ZFBTg25rnYsbpGQBsW1iSmE6v1YHGlmf5mAbhoAKJ
+-----END PRIVATE KEY-----