aws-crt 0.1.4 → 0.1.5

data/aws-crt-ffi/crt/aws-c-cal/source/windows/bcrypt_ecc.c

@@ -82,6 +82,10 @@ static size_t s_signature_length(const struct aws_ecc_key_pair *key_pair) {
     return s_der_overhead + aws_ecc_key_coordinate_byte_size_from_curve_name(key_pair->curve_name) * 2;
 }
 
+static bool s_trim_zeros_predicate(uint8_t value) {
+    return value == 0;
+}
+
 static int s_sign_message(
     const struct aws_ecc_key_pair *key_pair,
     const struct aws_byte_cursor *message,
@@ -124,8 +128,12 @@ static int s_sign_message(
 
     aws_der_encoder_begin_sequence(encoder);
     struct aws_byte_cursor integer_cur = aws_byte_cursor_from_array(temp_signature_buf.buffer, coordinate_len);
+    /* trim off the leading zero padding for DER encoding */
+    integer_cur = aws_byte_cursor_left_trim_pred(&integer_cur, s_trim_zeros_predicate);
     aws_der_encoder_write_integer(encoder, integer_cur);
     integer_cur = aws_byte_cursor_from_array(temp_signature_buf.buffer + coordinate_len, coordinate_len);
+    /* trim off the leading zero padding for DER encoding */
+    integer_cur = aws_byte_cursor_left_trim_pred(&integer_cur, s_trim_zeros_predicate);
     aws_der_encoder_write_integer(encoder, integer_cur);
     aws_der_encoder_end_sequence(encoder);
 

data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt

@@ -585,16 +585,17 @@ add_test_case(test_http_stats_split_across_gather_boundary)
 add_test_case(test_http_stats_pipelined)
 add_test_case(test_http_stats_multiple_requests_with_gap)
 
-add_test_case(h2_sm_sanity_check)
-add_test_case(h2_sm_mock_connection)
-add_test_case(h2_sm_mock_multiple_connections)
-add_test_case(h2_sm_mock_bad_connection_acquired)
-add_test_case(h2_sm_mock_connections_closed_before_request_made)
-add_test_case(h2_sm_mock_max_concurrent_streams_remote)
-add_test_case(h2_sm_mock_complete_stream)
-add_test_case(h2_sm_mock_ideal_num_streams)
-add_test_case(h2_sm_mock_large_ideal_num_streams)
-add_test_case(h2_sm_mock_goaway)
+# Tests that not make real connection but use TLS. So, still need to be marked as net test
+add_net_test_case(h2_sm_sanity_check)
+add_net_test_case(h2_sm_mock_connection)
+add_net_test_case(h2_sm_mock_multiple_connections)
+add_net_test_case(h2_sm_mock_bad_connection_acquired)
+add_net_test_case(h2_sm_mock_connections_closed_before_request_made)
+add_net_test_case(h2_sm_mock_max_concurrent_streams_remote)
+add_net_test_case(h2_sm_mock_complete_stream)
+add_net_test_case(h2_sm_mock_ideal_num_streams)
+add_net_test_case(h2_sm_mock_large_ideal_num_streams)
+add_net_test_case(h2_sm_mock_goaway)
 
 add_net_test_case(h2_sm_acquire_stream)
 add_net_test_case(h2_sm_acquire_stream_multiple_connections)

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/tls_channel_handler.h

@@ -379,6 +379,8 @@ AWS_IO_API int aws_tls_ctx_options_init_client_mtls_with_pkcs11(
     const struct aws_tls_ctx_pkcs11_options *pkcs11_options);
 
 /**
+ * @Deprecated
+ *
  * Sets a custom keychain path for storing the cert and pkey with mutual tls in client mode.
  *
  * NOTE: This only works on MacOS.

data/aws-crt-ffi/crt/aws-c-io/source/darwin/darwin_pki_utils.c

@@ -49,6 +49,12 @@ int aws_import_public_and_private_keys_to_identity(
     SecKeychainRef import_keychain = NULL;
 
     if (keychain_path) {
+#    pragma clang diagnostic push
+#    pragma clang diagnostic ignored "-Wdeprecated-declarations"
+        /* Starting in macOS 12, SecKeychainOpen() and SecKeychainUnlock() are marked as deprecated
+         * because "Custom keychain management is no longer supported".
+         * Disable compiler warnings for now, but consider removing support for keychain_path altogether */
+
         OSStatus keychain_status = SecKeychainOpen(aws_string_c_str(keychain_path), &import_keychain);
         if (keychain_status != errSecSuccess) {
             AWS_LOGF_ERROR(
@@ -67,6 +73,8 @@ int aws_import_public_and_private_keys_to_identity(
                 keychain_status);
             return AWS_OP_ERR;
         }
+#    pragma clang diagnostic pop
+
     } else {
         OSStatus keychain_status = SecKeychainCopyDefault(&import_keychain);
         if (keychain_status != errSecSuccess) {

data/aws-crt-ffi/crt/aws-c-io/source/tls_channel_handler.c

@@ -221,6 +221,8 @@ int aws_tls_ctx_options_set_keychain_path(
     struct aws_byte_cursor *keychain_path_cursor) {
 
 #if defined(__APPLE__) && !defined(AWS_OS_IOS)
+    AWS_LOGF_WARN(AWS_LS_IO_TLS, "static: Keychain path is deprecated.");
+
     options->keychain_path = aws_string_new_from_cursor(options->allocator, keychain_path_cursor);
     if (!options->keychain_path) {
         return AWS_OP_ERR;

data/aws-crt-ffi/crt/aws-c-io/source/windows/windows_pki_utils.c

@@ -21,66 +21,96 @@
 #define CERT_HASH_STR_LEN 40
 #define CERT_HASH_LEN 20
 
-int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert_store, PCCERT_CONTEXT *certs) {
+/**
+ * Split system cert path into exactly three segments like:
+ * "CurrentUser\My\a11f8a9b5df5b98ba3508fbca575d09570e0d2c6"
+ *      -> ["CurrentUser", "My", "a11f8a9b5df5b98ba3508fbca575d09570e0d2c6"]
+ */
+static int s_split_system_cert_path(const char *cert_path, struct aws_byte_cursor out_splits[3]) {
+
+    struct aws_byte_cursor cert_path_cursor = aws_byte_cursor_from_c_str(cert_path);
+
+    struct aws_byte_cursor segment;
+    AWS_ZERO_STRUCT(segment);
+
+    for (size_t i = 0; i < 3; ++i) {
+        if (!aws_byte_cursor_next_split(&cert_path_cursor, '\\', &segment)) {
+            AWS_LOGF_ERROR(
+                AWS_LS_IO_PKI, "static: invalid certificate path '%s'. Expected additional '\\' separator.", cert_path);
+            return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
+        }
 
-    AWS_LOGF_INFO(AWS_LS_IO_PKI, "static: loading certificate at windows cert manager path %s.", cert_path);
-    char *location_of_next_segment = strchr(cert_path, '\\');
+        out_splits[i] = segment;
+    }
 
-    if (!location_of_next_segment) {
-        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: invalid certificate path %s.", cert_path);
+    if (aws_byte_cursor_next_split(&cert_path_cursor, '\\', &segment)) {
+        AWS_LOGF_ERROR(
+            AWS_LS_IO_PKI, "static: invalid certificate path '%s'. Too many '\\' separators found.", cert_path);
         return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
     }
 
-    size_t store_name_len = location_of_next_segment - cert_path;
-    DWORD store_val = 0;
+    return AWS_OP_SUCCESS;
+}
+
+int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert_store, PCCERT_CONTEXT *certs) {
+
+    AWS_LOGF_INFO(AWS_LS_IO_PKI, "static: loading certificate at windows cert manager path '%s'.", cert_path);
 
-    if (!strncmp(cert_path, "CurrentUser", store_name_len)) {
+    struct aws_byte_cursor segments[3];
+    if (s_split_system_cert_path(cert_path, segments)) {
+        return AWS_OP_ERR;
+    }
+    const struct aws_byte_cursor store_location = segments[0];
+    const struct aws_byte_cursor store_path_cursor = segments[1];
+    const struct aws_byte_cursor cert_hash_cursor = segments[2];
+
+    DWORD store_val = 0;
+    if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "CurrentUser")) {
         store_val = CERT_SYSTEM_STORE_CURRENT_USER;
-    } else if (!strncmp(cert_path, "LocalMachine", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "LocalMachine")) {
         store_val = CERT_SYSTEM_STORE_LOCAL_MACHINE;
-    } else if (!strncmp(cert_path, "CurrentService", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "CurrentService")) {
         store_val = CERT_SYSTEM_STORE_CURRENT_SERVICE;
-    } else if (!strncmp(cert_path, "Services", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "Services")) {
         store_val = CERT_SYSTEM_STORE_SERVICES;
-    } else if (!strncmp(cert_path, "Users", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "Users")) {
         store_val = CERT_SYSTEM_STORE_USERS;
-    } else if (!strncmp(cert_path, "CurrentUserGroupPolicy", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "CurrentUserGroupPolicy")) {
         store_val = CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY;
-    } else if (!strncmp(cert_path, "LocalMachineGroupPolicy", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "LocalMachineGroupPolicy")) {
         store_val = CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY;
-    } else if (!strncmp(cert_path, "LocalMachineEnterprise", store_name_len)) {
+    } else if (aws_byte_cursor_eq_c_str_ignore_case(&store_location, "LocalMachineEnterprise")) {
         store_val = CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE;
     } else {
         AWS_LOGF_ERROR(
-            AWS_LS_IO_PKI, "static: certificate path %s does not contain a valid cert store identifier.", cert_path);
+            AWS_LS_IO_PKI,
+            "static: invalid certificate path '%s'. System store location '" PRInSTR "' not recognized."
+            " Expected something like 'CurrentUser'.",
+            cert_path,
+            AWS_BYTE_CURSOR_PRI(store_location));
+
         return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
     }
 
     AWS_LOGF_DEBUG(AWS_LS_IO_PKI, "static: determined registry value for lookup as %d.", (int)store_val);
-    location_of_next_segment += 1;
-    char *store_path_start = location_of_next_segment;
-    location_of_next_segment = strchr(location_of_next_segment, '\\');
-
-    if (!location_of_next_segment) {
-        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: invalid certificate path %s.", cert_path);
-        return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
-    }
 
     /* The store_val value has to be only the path segment related to the physical store. Looking
        at the docs, 128 bytes should be plenty to store that segment.
        https://docs.microsoft.com/en-us/windows/desktop/SecCrypto/system-store-locations */
     char store_path[128] = {0};
-    AWS_FATAL_ASSERT(location_of_next_segment - store_path_start < sizeof(store_path));
-    memcpy(store_path, store_path_start, location_of_next_segment - store_path_start);
+    if (store_path_cursor.len >= sizeof(store_path)) {
+        AWS_LOGF_ERROR(AWS_LS_IO_PKI, "static: invalid certificate path '%s'. Store name is too long.", cert_path);
+        return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
+    }
+    memcpy(store_path, store_path_cursor.ptr, store_path_cursor.len);
 
-    location_of_next_segment += 1;
-    if (strlen(location_of_next_segment) != CERT_HASH_STR_LEN) {
+    if (cert_hash_cursor.len != CERT_HASH_STR_LEN) {
         AWS_LOGF_ERROR(
             AWS_LS_IO_PKI,
-            "static: invalid certificate path %s. %s should have been"
+            "static: invalid certificate path '%s'. '" PRInSTR "' should have been"
             " 40 bytes of hex encoded data",
             cert_path,
-            location_of_next_segment);
+            AWS_BYTE_CURSOR_PRI(cert_hash_cursor));
         return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
     }
 
@@ -90,7 +120,7 @@ int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert
     if (!*cert_store) {
         AWS_LOGF_ERROR(
             AWS_LS_IO_PKI,
-            "static: invalid certificate path %s. Failed to load cert store with error code %d",
+            "static: invalid certificate path '%s'. Failed to load cert store with error code %d",
             cert_path,
             (int)GetLastError());
         return aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
@@ -103,7 +133,7 @@ int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert
     };
 
     if (!CryptStringToBinaryA(
-            location_of_next_segment,
+            (LPCSTR)cert_hash_cursor.ptr, /* this is null-terminated, it's the last segment of c-str */
             CERT_HASH_STR_LEN,
             CRYPT_STRING_HEX,
             cert_hash.pbData,
@@ -112,9 +142,9 @@ int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert
             NULL)) {
         AWS_LOGF_ERROR(
             AWS_LS_IO_PKI,
-            "static: invalid certificate path %s. %s should have been a hex encoded string",
+            "static: invalid certificate path '%s'. '" PRInSTR "' should have been a hex encoded string",
             cert_path,
-            location_of_next_segment);
+            AWS_BYTE_CURSOR_PRI(cert_hash_cursor));
         aws_raise_error(AWS_ERROR_FILE_INVALID_PATH);
         goto on_error;
     }
@@ -125,7 +155,7 @@ int aws_load_cert_from_system_cert_store(const char *cert_path, HCERTSTORE *cert
     if (!*certs) {
         AWS_LOGF_ERROR(
             AWS_LS_IO_PKI,
-            "static: invalid certificate path %s. "
+            "static: invalid certificate path '%s'. "
             "The referenced certificate was not found in the certificate store, error code %d",
             cert_path,
             (int)GetLastError());

data/aws-crt-ffi/crt/s2n/CMakeLists.txt

@@ -275,6 +275,30 @@ try_compile(
         COMPILE_DEFINITIONS "-Werror"
 )
 
+# Determine if madvise() is available
+try_compile(
+        MADVISE_SUPPORTED
+        ${CMAKE_BINARY_DIR}
+        SOURCES "${CMAKE_CURRENT_LIST_DIR}/tests/features/madvise.c"
+        COMPILE_DEFINITIONS "-Werror"
+)
+
+# Determine if minherit() is available
+try_compile(
+        MINHERIT_SUPPORTED
+        ${CMAKE_BINARY_DIR}
+        SOURCES "${CMAKE_CURRENT_LIST_DIR}/tests/features/minherit.c"
+        COMPILE_DEFINITIONS "-Werror"
+)
+
+# Determine if clone() is available
+try_compile(
+        CLONE_SUPPORTED
+        ${CMAKE_BINARY_DIR}
+        SOURCES "${CMAKE_CURRENT_LIST_DIR}/tests/features/clone.c"
+        COMPILE_DEFINITIONS "-Werror"
+)
+
 if(APPLE)
     set(OS_LIBS c Threads::Threads)
 elseif(CMAKE_SYSTEM_NAME STREQUAL "FreeBSD")
@@ -436,6 +460,21 @@ if (__RESTRICT__SUPPORTED)
     target_compile_options(${PROJECT_NAME} PUBLIC -DS2N___RESTRICT__SUPPORTED)
 endif()
 
+if (MADVISE_SUPPORTED)
+    target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_MADVISE_SUPPORTED)
+    message(STATUS "madvise() support detected")
+endif()
+
+if (MINHERIT_SUPPORTED)
+    target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_MINHERIT_SUPPORTED)
+    message(STATUS "minherit() support detected")
+endif()
+
+if (CLONE_SUPPORTED)
+    target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_CLONE_SUPPORTED)
+    message(STATUS "clone() support detected")
+endif()
+
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules")
 
 #work around target differences
@@ -477,53 +516,60 @@ if (S2N_INTERN_LIBCRYPTO)
         message(FATAL_ERROR "libcrypto interning requires a static build of libcrypto.a to be available")
     endif()
 
+    # Don't call link_target_libraries here, just make sure the libcrypto include dir is in the path
+    include_directories("${crypto_INCLUDE_DIR}")
+
     add_custom_command(
         OUTPUT libcrypto.symbols
         COMMAND
           # copy the static version of libcrypto
-          cp ${crypto_STATIC_LIBRARY} libcrypto.a &&
+          cp ${crypto_STATIC_LIBRARY} s2n_libcrypto.a &&
           # dump all of the symbols and prefix them with `s2n$`
-          bash -c "nm libcrypto.a | awk '/ [A-Z] /{print $3\" s2n$\"$3}' | sort | uniq > libcrypto.symbols" &&
+          bash -c "nm s2n_libcrypto.a | awk '/ [A-Z] /{print $3\" s2n$\"$3}' | sort | uniq > libcrypto.symbols" &&
           # redefine the libcrypto libary symbols
-          objcopy --redefine-syms libcrypto.symbols libcrypto.a &&
-          rm -rf libcrypto &&
-          mkdir libcrypto &&
-          cd libcrypto &&
+          objcopy --redefine-syms libcrypto.symbols s2n_libcrypto.a &&
+          rm -rf s2n_libcrypto &&
+          mkdir s2n_libcrypto &&
+          cd s2n_libcrypto &&
           # extract libcrypto objects from the archive
-          ar x ../libcrypto.a &&
+          ar x ../s2n_libcrypto.a &&
           # rename all of the object files so we don't have any object name collisions
           bash -c "find . -name '*.o' -type f -print0 | xargs -0 -n1 -- basename | xargs -I{} mv {} s2n_crypto__{}"
         VERBATIM
     )
 
-    add_custom_target(libcrypto ALL
+    add_custom_target(s2n_libcrypto ALL
       DEPENDS libcrypto.symbols
     )
-    add_dependencies(${PROJECT_NAME} libcrypto)
+    add_dependencies(${PROJECT_NAME} s2n_libcrypto)
 
-    add_custom_command(
-        TARGET ${PROJECT_NAME} PRE_LINK
-        DEPENDS libcrypto.symbols
-        COMMAND
-        find ${CMAKE_CURRENT_BINARY_DIR}/CMakeFiles/${PROJECT_NAME}.dir -name '*.o' -exec objcopy --redefine-syms libcrypto.symbols {} \\\;
-    )
+    if ((BUILD_SHARED_LIBS AND BUILD_TESTING) OR NOT BUILD_SHARED_LIBS)
+        # if libcrypto needs to be interned, rewrite libcrypto references so use of internal functions will link correctly
+        add_custom_command(
+            TARGET ${PROJECT_NAME} PRE_LINK
+            COMMAND
+              find "${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${PROJECT_NAME}.dir" -name '*.c.o' -exec objcopy --redefine-syms libcrypto.symbols {} \\\;
+        )
+    endif()
 
     # copy the static libcrypto into the final artifact
     if (BUILD_SHARED_LIBS)
-        # if we're building for testing, we export the prefixed symbols so tests can link to them
         if (BUILD_TESTING)
-          set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS
-              "-Wl,--whole-archive libcrypto.a -Wl,--no-whole-archive")
+            # if we're building tests, we export the prefixed symbols so tests can link to them
+            set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS
+                "-Wl,--whole-archive s2n_libcrypto.a -Wl,--no-whole-archive")
         else()
-          set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS
-              "-Wl,--whole-archive libcrypto.a -Wl,--no-whole-archive -Wl,--exclude-libs=ALL")
+            # if we're not building tests, then just copy the original archive, unmodified
+            set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS
+                "-Wl,--whole-archive ${crypto_STATIC_LIBRARY} -Wl,--no-whole-archive -Wl,--exclude-libs=ALL")
         endif()
     else()
+        # add all of the prefixed symbols to the archive
         add_custom_command(
             TARGET ${PROJECT_NAME} POST_BUILD
             DEPENDS libcrypto.symbols
             COMMAND
-              bash -c "ar -r lib/libs2n.a libcrypto/*.o"
+              bash -c "ar -r lib/libs2n.a s2n_libcrypto/*.o"
             VERBATIM
         )
     endif()

data/aws-crt-ffi/crt/s2n/Makefile

@@ -157,6 +157,16 @@ DEV_VERSION ?= ubuntu_18.04_$(DEV_OPENSSL_VERSION)_gcc9
 dev:
 	@docker run -it --rm --ulimit memlock=-1 -v `pwd`:/home/s2n-dev/s2n $(DEV_IMAGE):$(DEV_VERSION)
 
+.PHONY : install
+install: bin libs
+	$(MAKE) -C bin install
+	$(MAKE) -C lib install
+
+.PHONY: uninstall
+uninstall:
+	$(MAKE) -C bin uninstall
+	$(MAKE) -C lib uninstall
+
 .PHONY : clean
 clean:
 	$(MAKE) -C pq-crypto clean

data/aws-crt-ffi/crt/s2n/bin/Makefile

@@ -25,3 +25,12 @@ s2nc: s2nc.c echo.c
 
 s2nd: s2nd.c echo.c
 	${CC} ${CFLAGS} s2nd.c echo.c https.c common.c -o s2nd ${LDFLAGS}
+
+$(bindir):
+	@mkdir -p $(bindir)
+
+install: s2nc s2nd $(bindir)
+	@cp s2n? $(bindir)
+
+uninstall:
+	@rm $(bindir)/s2n?

data/aws-crt-ffi/crt/s2n/bindings/rust/Makefile

@@ -0,0 +1,14 @@
+SHELL := /bin/bash
+
+all: s2n-tls-sys/src/api.rs target/release/deps/s2nc-%
+
+target/release/deps/s2nc-%:
+	cargo bench --no-run
+
+s2n-tls-sys/src/api.rs:
+	./generate.sh
+
+.PHONY: clean
+clean:
+	@cargo clean
+	@rm -f s2n-tls-sys/src/api.rs target/release/deps/s2nc-* target/release/deps/s2nd-*

data/aws-crt-ffi/crt/s2n/bindings/rust/integration/Cargo.toml

@@ -6,8 +6,8 @@ edition = "2018"
 publish = false
 
 [dependencies]
-s2n-tls = { version = "0.0.2", path = "../s2n-tls", features = ["testing"] }
-s2n-tls-sys = { version = "0.0.2", path = "../s2n-tls-sys" }
+s2n-tls = { path = "../s2n-tls", features = ["testing"] }
+s2n-tls-sys = { path = "../s2n-tls-sys" }
 criterion = { version = "0.3", features = ["html_reports"] }
 
 [[bench]]

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.0.2"
+version = "0.0.4"
 authors = ["AWS s2n"]
 edition = "2018"
 repository = "https://github.com/aws/s2n-tls"
@@ -17,8 +17,9 @@ testing = ["errno", "bytes"]
 bytes = { version = "1", optional = true }
 errno = { version = "0.2", optional = true }
 libc = "0.2"
-s2n-tls-sys = { version = "0.0.2", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.0.4", path = "../s2n-tls-sys", features = ["internal"] }
 
 [dev-dependencies]
 bytes = { version = "1" }
 errno = { version = "0.2" }
+futures-test = "0.3"