aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/aws-c-io/CMakeLists.txt

@@ -190,6 +190,10 @@ if (BYO_CRYPTO)
     target_compile_definitions(${PROJECT_NAME} PUBLIC "-DBYO_CRYPTO")
 endif()
 
+if (USE_S2N)
+    target_compile_definitions(${PROJECT_NAME} PRIVATE "-DUSE_S2N")
+endif()
+
 if (BUILD_RELOCATABLE_BINARIES)
     target_compile_definitions(${PROJECT_NAME} PRIVATE "-DCOMPAT_MODE")
 endif()

data/aws-crt-ffi/crt/aws-c-io/builder.json

@@ -2,11 +2,12 @@
     "name": "aws-c-io",
     "upstream": [
         { "name": "aws-c-common" },
+        { "name": "aws-c-cal" },
         {
             "name": "s2n",
+            "revision": "v1.3.11",
             "targets": ["linux", "android"]
-        },
-        { "name": "aws-c-cal" }
+        }
     ],
     "downstream": [
         { "name": "aws-c-mqtt" },

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/channel.h

@@ -279,11 +279,32 @@ struct aws_io_message *aws_channel_acquire_message_from_pool(
  * This is the ideal way to move a task into the correct thread. It's also handy for context switches.
  * This function is safe to call from any thread.
  *
+ * If called from the channel's event loop, the task will get directly added to the run-now list.
+ * If called from outside the channel's event loop, the task will go into a cross-thread task queue.
+ *
+ * If tasks must be serialized relative to some source synchronization, you may not want to use this API
+ * because tasks submitted from the event loop thread can "jump ahead" of tasks submitted from external threads
+ * due to this optimization.  If this is a problem, you can either refactor your submission logic or use
+ * the aws_channel_schedule_task_now_serialized variant which does not perform this optimization.
+ *
  * The task should not be cleaned up or modified until its function is executed.
  */
 AWS_IO_API
 void aws_channel_schedule_task_now(struct aws_channel *channel, struct aws_channel_task *task);
 
+/**
+ * Schedules a task to run on the event loop as soon as possible.
+ *
+ * This variant always uses the cross thread queue rather than conditionally skipping it when already in
+ * the destination event loop.  While not "optimal", this allows us to serialize task execution no matter where
+ * the task was submitted from: if you are submitting tasks from a critical section, the serialized order that you
+ * submit is guaranteed to be the order that they execute on the event loop.
+ *
+ * The task should not be cleaned up or modified until its function is executed.
+ */
+AWS_IO_API
+void aws_channel_schedule_task_now_serialized(struct aws_channel *channel, struct aws_channel_task *task);
+
 /**
  * Schedules a task to run on the event loop at the specified time.
  * This is the ideal way to move a task into the correct thread. It's also handy for context switches.

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/io.h

@@ -240,6 +240,9 @@ enum aws_io_errors {
 
     AWS_ERROR_IO_PINNED_EVENT_LOOP_MISMATCH,
 
+    AWS_ERROR_PKCS11_ENCODING_ERROR,
+    AWS_IO_TLS_ERROR_DEFAULT_TRUST_STORE_NOT_FOUND,
+
     AWS_IO_ERROR_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_IO_PACKAGE_ID),
     AWS_IO_INVALID_FILE_HANDLE = AWS_ERROR_INVALID_FILE_HANDLE,
 };

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/socket.h

@@ -176,6 +176,12 @@ AWS_IO_API int aws_socket_connect(
  */
 AWS_IO_API int aws_socket_bind(struct aws_socket *socket, const struct aws_socket_endpoint *local_endpoint);
 
+/**
+ * Get the local address which the socket is bound to.
+ * Raises an error if no address is bound.
+ */
+AWS_IO_API int aws_socket_get_bound_address(const struct aws_socket *socket, struct aws_socket_endpoint *out_address);
+
 /**
  * TCP, LOCAL and VSOCK only. Sets up the socket to listen on the address bound to in `aws_socket_bind()`.
  */

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/stream.h

@@ -6,6 +6,7 @@
  * SPDX-License-Identifier: Apache-2.0.
  */
 
+#include <aws/common/ref_count.h>
 #include <aws/io/io.h>
 
 struct aws_input_stream;
@@ -38,17 +39,46 @@ struct aws_input_stream_vtable {
     int (*read)(struct aws_input_stream *stream, struct aws_byte_buf *dest);
     int (*get_status)(struct aws_input_stream *stream, struct aws_stream_status *status);
     int (*get_length)(struct aws_input_stream *stream, int64_t *out_length);
-    void (*destroy)(struct aws_input_stream *stream);
+
+    /**
+     * Optional.
+     * If not set, the default aws_ref_count_acquire/release will be used.
+     * Set for high level language binding that has its own refcounting implementation and needs to be kept alive from
+     * C.
+     * If set, ref_count member will not be used.
+     */
+    void (*acquire)(struct aws_input_stream *stream);
+    void (*release)(struct aws_input_stream *stream);
 };
 
+/**
+ * Base class for input streams.
+ * Note: when you implement one input stream, the ref_count needs to be initialized to clean up the resource when
+ * reaches to zero.
+ */
 struct aws_input_stream {
-    struct aws_allocator *allocator;
+    /* point to the impl only set if needed. */
     void *impl;
-    struct aws_input_stream_vtable *vtable;
+    const struct aws_input_stream_vtable *vtable;
+    struct aws_ref_count ref_count;
 };
 
 AWS_EXTERN_C_BEGIN
 
+/**
+ * Increments the reference count on the input stream, allowing the caller to take a reference to it.
+ *
+ * Returns the same input stream passed in.
+ */
+AWS_IO_API struct aws_input_stream *aws_input_stream_acquire(struct aws_input_stream *stream);
+
+/**
+ * Decrements a input stream's ref count.  When the ref count drops to zero, the input stream will be destroyed.
+ *
+ * Returns NULL always.
+ */
+AWS_IO_API struct aws_input_stream *aws_input_stream_release(struct aws_input_stream *stream);
+
 /*
  * Seek to a position within a stream; analagous to fseek() and its relatives
  */
@@ -72,8 +102,8 @@ AWS_IO_API int aws_input_stream_get_status(struct aws_input_stream *stream, stru
  */
 AWS_IO_API int aws_input_stream_get_length(struct aws_input_stream *stream, int64_t *out_length);
 
-/*
- * Tears down the stream
+/* DEPRECATED
+ * Tears down the stream. Equivalent to aws_input_stream_release()
  */
 AWS_IO_API void aws_input_stream_destroy(struct aws_input_stream *stream);
 

data/aws-crt-ffi/crt/aws-c-io/include/aws/io/tls_channel_handler.h

@@ -24,16 +24,57 @@ enum aws_tls_versions {
 
 enum aws_tls_cipher_pref {
     AWS_IO_TLS_CIPHER_PREF_SYSTEM_DEFAULT = 0,
-    AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2019_06 = 1,
-    AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2019_11 = 2,
-    AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02 = 3,
-    AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02 = 4,
-    AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07 = 5,
+
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2019_06 = 1,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2019_11 = 2,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_02 = 3,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_SIKE_TLSv1_0_2020_02 = 4,
+    /* Deprecated */ AWS_IO_TLS_CIPHER_PREF_KMS_PQ_TLSv1_0_2020_07 = 5,
+
+    /*
+     * This TLS cipher preference list contains post-quantum key exchange algorithms that have been submitted to NIST
+     * for potential future standardization. Support for this preference list, or PQ algorithms present in it, may be
+     * removed at any time in the future. PQ algorithms in this preference list will be used in hybrid mode, and always
+     * combined with a classical ECDHE key exchange.
+     */
     AWS_IO_TLS_CIPHER_PREF_PQ_TLSv1_0_2021_05 = 6,
 
     AWS_IO_TLS_CIPHER_PREF_END_RANGE = 0xFFFF
 };
 
+/**
+ * The hash algorithm of a TLS private key operation. Any custom private key operation handlers are expected to perform
+ * operations on the input TLS data using the correct hash algorithm or fail the operation.
+ */
+enum aws_tls_hash_algorithm {
+    AWS_TLS_HASH_UNKNOWN,
+    AWS_TLS_HASH_SHA1,
+    AWS_TLS_HASH_SHA224,
+    AWS_TLS_HASH_SHA256,
+    AWS_TLS_HASH_SHA384,
+    AWS_TLS_HASH_SHA512,
+};
+
+/**
+ * The signature of a TLS private key operation. Any custom private key operation handlers are expected to perform
+ * operations on the input TLS data using the correct signature algorithm or fail the operation.
+ */
+enum aws_tls_signature_algorithm {
+    AWS_TLS_SIGNATURE_UNKNOWN,
+    AWS_TLS_SIGNATURE_RSA,
+    AWS_TLS_SIGNATURE_ECDSA,
+};
+
+/**
+ * The TLS private key operation that needs to be performed by a custom private key operation handler when making
+ * a connection using mutual TLS.
+ */
+enum aws_tls_key_operation_type {
+    AWS_TLS_KEY_OPERATION_UNKNOWN,
+    AWS_TLS_KEY_OPERATION_SIGN,
+    AWS_TLS_KEY_OPERATION_DECRYPT,
+};
+
 struct aws_tls_ctx {
     struct aws_allocator *alloc;
     void *impl;
@@ -94,6 +135,13 @@ struct aws_tls_connection_options {
     uint32_t timeout_ms;
 };
 
+/**
+ * A struct containing all of the data needed for a private key operation when
+ * making a mutual TLS connection. This struct contains the data that needs
+ * to be operated on, like performing a sign operation or a decrypt operation.
+ */
+struct aws_tls_key_operation;
+
 struct aws_tls_ctx_options {
     struct aws_allocator *allocator;
 
@@ -193,17 +241,13 @@ struct aws_tls_ctx_options {
     void *ctx_options_extension;
 
     /**
-     * Set if using PKCS#11 for private key operations.
-     * See aws_tls_ctx_pkcs11_options for more details.
+     * Set if using custom private key operations.
+     * See aws_custom_key_op_handler for more details
+     *
+     * Note: Custom key operations (and PKCS#11 integration) hasn't been tested with TLS 1.3, so don't use
+     * cipher preferences that allow TLS 1.3. If this is set, we will always use non TLS 1.3 preferences.
      */
-    struct {
-        struct aws_pkcs11_lib *lib;                  /* required */
-        struct aws_string *user_pin;                 /* NULL if token uses "protected authentication path" */
-        struct aws_string *token_label;              /* optional */
-        struct aws_string *private_key_object_label; /* optional */
-        uint64_t slot_id;                            /* optional */
-        bool has_slot_id;
-    } pkcs11;
+    struct aws_custom_key_op_handler *custom_key_op_handler;
 };
 
 struct aws_tls_negotiated_protocol_message {
@@ -295,6 +339,81 @@ AWS_IO_API int aws_tls_ctx_options_init_client_mtls(
     const struct aws_byte_cursor *cert,
     const struct aws_byte_cursor *pkey);
 
+/**
+ * vtable for aws_custom_key_op_handler.
+ */
+struct aws_custom_key_op_handler_vtable {
+    /**
+     * Called when the a TLS handshake has an operation it needs the custom key operation handler to perform.
+     * NOTE: You must call aws_tls_key_operation_complete() or aws_tls_key_operation_complete_with_error()
+     * otherwise the TLS handshake will stall the TLS connection indefinitely and leak memory.
+     */
+    void (*on_key_operation)(struct aws_custom_key_op_handler *key_op_handler, struct aws_tls_key_operation *operation);
+};
+
+/**
+ * The custom key operation that is used when performing a mutual TLS handshake. This can
+ * be extended to provide custom private key operations, like PKCS11 or similar.
+ */
+struct aws_custom_key_op_handler {
+    /**
+     * A void* intended to be populated with a reference to whatever class is extending this class. For example,
+     * if you have extended aws_custom_key_op_handler with a custom struct, you would put a pointer to this struct
+     * to *impl so you can retrieve it back in the vtable functions.
+     */
+    void *impl;
+
+    /**
+     * A vtable containing all of the functions the aws_custom_key_op_handler implements. Is intended to be extended.
+     * NOTE: Use "aws_custom_key_op_handler_<func>" to access vtable functions.
+     */
+    const struct aws_custom_key_op_handler_vtable *vtable;
+
+    /**
+     * A reference count for handling memory usage.
+     * Use aws_custom_key_op_handler_acquire and aws_custom_key_op_handler_release to increase/decrease count.
+     */
+    struct aws_ref_count ref_count;
+};
+
+/**
+ * Increases the reference count for the passed-in aws_custom_key_op_handler and returns it.
+ */
+AWS_IO_API struct aws_custom_key_op_handler *aws_custom_key_op_handler_acquire(
+    struct aws_custom_key_op_handler *key_op_handler);
+
+/**
+ * Decreases the reference count for the passed-in aws_custom_key_op_handler and returns NULL.
+ */
+AWS_IO_API struct aws_custom_key_op_handler *aws_custom_key_op_handler_release(
+    struct aws_custom_key_op_handler *key_op_handler);
+
+/**
+ * Calls the on_key_operation vtable function. See aws_custom_key_op_handler_vtable for function details.
+ */
+AWS_IO_API void aws_custom_key_op_handler_perform_operation(
+    struct aws_custom_key_op_handler *key_op_handler,
+    struct aws_tls_key_operation *operation);
+
+/**
+ * Initializes options for use with mutual TLS in client mode,
+ * where private key operations are handled by custom code.
+ *
+ * Note: cert_file_contents will be copied into a new buffer after this
+ * function is called, so you do not need to keep that data alive
+ * after calling this function.
+ *
+ * @param options               aws_tls_ctx_options to be initialized.
+ * @param allocator             Allocator to use.
+ * @param custom                Options for custom key operations.
+ * @param cert_file_contents    The contents of a certificate file.
+ */
+AWS_IO_API int aws_tls_ctx_options_init_client_mtls_with_custom_key_operations(
+    struct aws_tls_ctx_options *options,
+    struct aws_allocator *allocator,
+    struct aws_custom_key_op_handler *custom,
+    const struct aws_byte_cursor *cert_file_contents);
+
 /**
  * This struct exists as a graceful way to pass many arguments when
  * calling init-with-pkcs11 functions on aws_tls_ctx_options (this also makes
@@ -698,6 +817,65 @@ AWS_IO_API struct aws_byte_buf aws_tls_handler_protocol(struct aws_channel_handl
  */
 AWS_IO_API struct aws_byte_buf aws_tls_handler_server_name(struct aws_channel_handler *handler);
 
+/**************************** TLS KEY OPERATION *******************************/
+
+/* Note: Currently this assumes the user knows what key is being used for key/cert pairs
+         but s2n supports multiple cert/key pairs. This functionality is not used in the
+         CRT currently, but in the future, we may need to implement this */
+
+/**
+ * Complete a successful TLS private key operation by providing its output.
+ * The output is copied into the TLS connection.
+ * The operation is freed by this call.
+ *
+ * You MUST call this or aws_tls_key_operation_complete_with_error().
+ * Failure to do so will stall the TLS connection indefinitely and leak memory.
+ */
+AWS_IO_API
+void aws_tls_key_operation_complete(struct aws_tls_key_operation *operation, struct aws_byte_cursor output);
+
+/**
+ * Complete an failed TLS private key operation.
+ * The TLS connection will fail.
+ * The operation is freed by this call.
+ *
+ * You MUST call this or aws_tls_key_operation_complete().
+ * Failure to do so will stall the TLS connection indefinitely and leak memory.
+ */
+AWS_IO_API
+void aws_tls_key_operation_complete_with_error(struct aws_tls_key_operation *operation, int error_code);
+
+/**
+ * Returns the input data that needs to be operated on by the custom key operation.
+ */
+AWS_IO_API
+struct aws_byte_cursor aws_tls_key_operation_get_input(const struct aws_tls_key_operation *operation);
+
+/**
+ * Returns the type of operation that needs to be performed by the custom key operation.
+ * If the implementation cannot perform the operation,
+ * use aws_tls_key_operation_complete_with_error() to preventing stalling the TLS connection.
+ */
+AWS_IO_API
+enum aws_tls_key_operation_type aws_tls_key_operation_get_type(const struct aws_tls_key_operation *operation);
+
+/**
+ * Returns the algorithm the operation is expected to be operated with.
+ * If the implementation does not support the signature algorithm,
+ * use aws_tls_key_operation_complete_with_error() to preventing stalling the TLS connection.
+ */
+AWS_IO_API
+enum aws_tls_signature_algorithm aws_tls_key_operation_get_signature_algorithm(
+    const struct aws_tls_key_operation *operation);
+
+/**
+ * Returns the algorithm the operation digest is signed with.
+ * If the implementation does not support the digest algorithm,
+ * use aws_tls_key_operation_complete_with_error() to preventing stalling the TLS connection.
+ */
+AWS_IO_API
+enum aws_tls_hash_algorithm aws_tls_key_operation_get_digest_algorithm(const struct aws_tls_key_operation *operation);
+
 /********************************* Misc TLS related *********************************/
 
 /*
@@ -710,6 +888,24 @@ AWS_IO_API int aws_channel_setup_client_tls(
     struct aws_channel_slot *right_of_slot,
     struct aws_tls_connection_options *tls_options);
 
+/**
+ * Given enum, return string like: AWS_TLS_HASH_SHA256 -> "SHA256"
+ */
+AWS_IO_API
+const char *aws_tls_hash_algorithm_str(enum aws_tls_hash_algorithm hash);
+
+/**
+ * Given enum, return string like: AWS_TLS_SIGNATURE_RSA -> "RSA"
+ */
+AWS_IO_API
+const char *aws_tls_signature_algorithm_str(enum aws_tls_signature_algorithm signature);
+
+/**
+ * Given enum, return string like: AWS_TLS_SIGNATURE_RSA -> "RSA"
+ */
+AWS_IO_API
+const char *aws_tls_key_operation_type_str(enum aws_tls_key_operation_type operation_type);
+
 AWS_EXTERN_C_END
 
 #endif /* AWS_IO_TLS_CHANNEL_HANDLER_H */

data/aws-crt-ffi/crt/aws-c-io/source/channel.c

@@ -540,46 +540,39 @@ void aws_channel_task_init(
     channel_task->type_tag = type_tag;
 }
 
-/* Common functionality for scheduling "now" and "future" tasks.
- * For "now" tasks, pass 0 for `run_at_nanos` */
-static void s_register_pending_task(
+static void s_register_pending_task_in_event_loop(
     struct aws_channel *channel,
     struct aws_channel_task *channel_task,
     uint64_t run_at_nanos) {
 
-    /* Reset every property on channel task other than user's fn & arg.*/
-    aws_task_init(&channel_task->wrapper_task, s_channel_task_run, channel, channel_task->type_tag);
-    channel_task->wrapper_task.timestamp = run_at_nanos;
-    aws_linked_list_node_reset(&channel_task->node);
+    AWS_LOGF_TRACE(
+        AWS_LS_IO_CHANNEL,
+        "id=%p: scheduling task with wrapper task id %p.",
+        (void *)channel,
+        (void *)&channel_task->wrapper_task);
 
-    if (aws_channel_thread_is_callers_thread(channel)) {
-        AWS_LOGF_TRACE(
+    /* If channel is shut down, run task immediately as canceled */
+    if (channel->channel_state == AWS_CHANNEL_SHUT_DOWN) {
+        AWS_LOGF_DEBUG(
             AWS_LS_IO_CHANNEL,
-            "id=%p: scheduling task with wrapper task id %p.",
+            "id=%p: Running %s channel task immediately as canceled due to shut down channel",
             (void *)channel,
-            (void *)&channel_task->wrapper_task);
-
-        /* If channel is shut down, run task immediately as canceled */
-        if (channel->channel_state == AWS_CHANNEL_SHUT_DOWN) {
-            AWS_LOGF_DEBUG(
-                AWS_LS_IO_CHANNEL,
-                "id=%p: Running %s channel task immediately as canceled due to shut down channel",
-                (void *)channel,
-                channel_task->type_tag);
-            channel_task->task_fn(channel_task, channel_task->arg, AWS_TASK_STATUS_CANCELED);
-            return;
-        }
-
-        aws_linked_list_push_back(&channel->channel_thread_tasks.list, &channel_task->node);
-        if (run_at_nanos == 0) {
-            aws_event_loop_schedule_task_now(channel->loop, &channel_task->wrapper_task);
-        } else {
-            aws_event_loop_schedule_task_future(
-                channel->loop, &channel_task->wrapper_task, channel_task->wrapper_task.timestamp);
-        }
+            channel_task->type_tag);
+        channel_task->task_fn(channel_task, channel_task->arg, AWS_TASK_STATUS_CANCELED);
         return;
     }
 
+    aws_linked_list_push_back(&channel->channel_thread_tasks.list, &channel_task->node);
+    if (run_at_nanos == 0) {
+        aws_event_loop_schedule_task_now(channel->loop, &channel_task->wrapper_task);
+    } else {
+        aws_event_loop_schedule_task_future(
+            channel->loop, &channel_task->wrapper_task, channel_task->wrapper_task.timestamp);
+    }
+}
+
+static void s_register_pending_task_cross_thread(struct aws_channel *channel, struct aws_channel_task *channel_task) {
+
     AWS_LOGF_TRACE(
         AWS_LS_IO_CHANNEL,
         "id=%p: scheduling task with wrapper task id %p from "
@@ -609,10 +602,43 @@ static void s_register_pending_task(
     }
 }
 
+static void s_reset_pending_channel_task(
+    struct aws_channel *channel,
+    struct aws_channel_task *channel_task,
+    uint64_t run_at_nanos) {
+
+    /* Reset every property on channel task other than user's fn & arg.*/
+    aws_task_init(&channel_task->wrapper_task, s_channel_task_run, channel, channel_task->type_tag);
+    channel_task->wrapper_task.timestamp = run_at_nanos;
+    aws_linked_list_node_reset(&channel_task->node);
+}
+
+/* Common functionality for scheduling "now" and "future" tasks.
+ * For "now" tasks, pass 0 for `run_at_nanos` */
+static void s_register_pending_task(
+    struct aws_channel *channel,
+    struct aws_channel_task *channel_task,
+    uint64_t run_at_nanos) {
+
+    s_reset_pending_channel_task(channel, channel_task, run_at_nanos);
+
+    if (aws_channel_thread_is_callers_thread(channel)) {
+        s_register_pending_task_in_event_loop(channel, channel_task, run_at_nanos);
+    } else {
+        s_register_pending_task_cross_thread(channel, channel_task);
+    }
+}
+
 void aws_channel_schedule_task_now(struct aws_channel *channel, struct aws_channel_task *task) {
     s_register_pending_task(channel, task, 0);
 }
 
+void aws_channel_schedule_task_now_serialized(struct aws_channel *channel, struct aws_channel_task *task) {
+
+    s_reset_pending_channel_task(channel, task, 0);
+    s_register_pending_task_cross_thread(channel, task);
+}
+
 void aws_channel_schedule_task_future(
     struct aws_channel *channel,
     struct aws_channel_task *task,

data/aws-crt-ffi/crt/aws-c-io/source/darwin/secure_transport_tls_channel_handler.c

@@ -1096,28 +1096,4 @@ struct aws_tls_ctx *aws_tls_client_ctx_new(struct aws_allocator *alloc, const st
     return s_tls_ctx_new(alloc, options);
 }
 
-void aws_tls_ctx_destroy(struct aws_tls_ctx *ctx) {
-
-    if (ctx == NULL) {
-        return;
-    }
-
-    struct secure_transport_ctx *secure_transport_ctx = ctx->impl;
-
-    if (secure_transport_ctx->certs) {
-        aws_release_identity(secure_transport_ctx->certs);
-    }
-
-    if (secure_transport_ctx->ca_cert) {
-        aws_release_certificates(secure_transport_ctx->ca_cert);
-    }
-
-    if (secure_transport_ctx->alpn_list) {
-        aws_string_destroy(secure_transport_ctx->alpn_list);
-    }
-
-    CFRelease(secure_transport_ctx->wrapped_allocator);
-    aws_mem_release(secure_transport_ctx->ctx.alloc, secure_transport_ctx);
-}
-
 #pragma clang diagnostic pop

data/aws-crt-ffi/crt/aws-c-io/source/io.c

@@ -278,6 +278,15 @@ static struct aws_error_info s_errors[] = {
     AWS_DEFINE_ERROR_INFO_IO(
         AWS_ERROR_IO_PINNED_EVENT_LOOP_MISMATCH,
         "A connection was requested on an event loop that is not associated with the client bootstrap's event loop group."),
+
+    AWS_DEFINE_ERROR_INFO_IO(
+       AWS_ERROR_PKCS11_ENCODING_ERROR,
+       "A PKCS#11 (Cryptoki) library function was unable to ASN.1 (DER) encode a data structure. See log for more details."),
+    AWS_DEFINE_ERROR_INFO_IO(
+       AWS_IO_TLS_ERROR_DEFAULT_TRUST_STORE_NOT_FOUND,
+        "Default TLS trust store not found on this system."
+        " Trusted CA certificates must be installed,"
+        " or \"override default trust store\" must be used while creating the TLS context."),
 };
 /* clang-format on */