aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/build.rs

@@ -4,6 +4,56 @@
 use std::path::{Path, PathBuf};
 
 fn main() {
+    let external = External::default();
+    if external.is_enabled() {
+        external.link();
+    } else {
+        build_vendored();
+    }
+}
+
+fn env<N: AsRef<str>>(name: N) -> String {
+    option_env(name).expect("missing env var")
+}
+
+fn option_env<N: AsRef<str>>(name: N) -> Option<String> {
+    let name = name.as_ref();
+    eprintln!("cargo:rerun-if-env-changed={}", name);
+    std::env::var(name).ok()
+}
+
+struct FeatureDetector<'a> {
+    out_dir: &'a std::path::Path,
+}
+
+impl<'a> FeatureDetector<'a> {
+    pub fn new(out_dir: &'a Path) -> Self {
+        Self { out_dir }
+    }
+
+    pub fn supports(&self, name: &str) -> bool {
+        let out = self.out_dir.join("features").join(name);
+        let out = out.to_str().unwrap();
+
+        cc::Build::new()
+            .file(
+                std::path::Path::new("lib/tests/features")
+                    .join(name)
+                    .with_extension("c"),
+            )
+            // don't print anything
+            .cargo_metadata(false)
+            // make sure it doesn't warn
+            .warnings(true)
+            .debug(false)
+            // set the archiver to the `true` program, since we don't actually link anything
+            .archiver("true")
+            .try_compile(out)
+            .is_ok()
+    }
+}
+
+fn build_vendored() {
     let mut build = cc::Build::new();
 
     let pq = option_env("CARGO_FEATURE_PQ").is_some();
@@ -85,43 +135,47 @@ fn main() {
     println!("cargo:include={}", include_dir.display());
 }
 
-fn env<N: AsRef<str>>(name: N) -> String {
-    option_env(name).expect("missing env var")
+struct External {
+    lib_dir: Option<PathBuf>,
+    include_dir: Option<PathBuf>,
 }
 
-fn option_env<N: AsRef<str>>(name: N) -> Option<String> {
-    let name = name.as_ref();
-    eprintln!("cargo:rerun-if-env-changed={}", name);
-    std::env::var(name).ok()
-}
+impl Default for External {
+    fn default() -> Self {
+        let dir = option_env("S2N_TLS_DIR").map(PathBuf::from);
 
-struct FeatureDetector<'a> {
-    out_dir: &'a std::path::Path,
+        let lib_dir = option_env("S2N_TLS_LIB_DIR")
+            .map(PathBuf::from)
+            .or_else(|| dir.as_ref().map(|d| d.join("lib")));
+
+        let include_dir = option_env("S2N_TLS_INCLUDE_DIR")
+            .map(PathBuf::from)
+            .or_else(|| dir.as_ref().map(|d| d.join("include")));
+
+        Self {
+            lib_dir,
+            include_dir,
+        }
+    }
 }
 
-impl<'a> FeatureDetector<'a> {
-    pub fn new(out_dir: &'a Path) -> Self {
-        Self { out_dir }
+impl External {
+    fn is_enabled(&self) -> bool {
+        self.lib_dir.is_some()
     }
 
-    pub fn supports(&self, name: &str) -> bool {
-        let out = self.out_dir.join("features").join(name);
-        let out = out.to_str().unwrap();
+    fn link(&self) {
+        println!(
+            "cargo:rustc-link-search={}",
+            self.lib_dir.as_ref().unwrap().display()
+        );
+        println!("cargo:rustc-link-lib=s2n");
 
-        cc::Build::new()
-            .file(
-                std::path::Path::new("lib/tests/features")
-                    .join(name)
-                    .with_extension("c"),
-            )
-            // don't print anything
-            .cargo_metadata(false)
-            // make sure it doesn't warn
-            .warnings(true)
-            .debug(false)
-            // set the archiver to the `true` program, since we don't actually link anything
-            .archiver("true")
-            .try_compile(out)
-            .is_ok()
+        // tell rust we're linking with libcrypto
+        println!("cargo:rustc-link-lib=crypto");
+
+        if let Some(include_dir) = self.include_dir.as_ref() {
+            println!("cargo:include={}", include_dir.display());
+        }
     }
 }

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/src/lib.rs

@@ -1,17 +1,20 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+#[rustfmt::skip]
 mod api;
 
 pub use api::*;
 
 #[cfg(feature = "quic")]
+#[rustfmt::skip]
 mod quic;
 
 #[cfg(feature = "quic")]
 pub use quic::*;
 
 #[cfg(feature = "internal")]
+#[rustfmt::skip]
 mod internal;
 
 #[cfg(feature = "internal")]
@@ -37,4 +40,5 @@ pub mod s2n_tls_version {
 }
 
 #[cfg(test)]
+#[rustfmt::skip]
 mod tests;

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "s2n-tls-tokio"
+description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
+version = "0.0.1"
+authors = ["AWS s2n"]
+edition = "2018"
+repository = "https://github.com/aws/s2n-tls"
+license = "Apache-2.0"
+
+[features]
+default = []
+
+[dependencies]
+errno = { version = "0.2" }
+libc = { version = "0.2" }
+s2n-tls = { version = "0.0", path = "../s2n-tls" }
+tokio = { version = "1", features = ["net"] }
+
+[dev-dependencies]
+clap = { version = "3.1", features = ["derive"] }
+tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] }

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/certs/cert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLDCCAdGgAwIBAgIUPYYEnK24qDzz59IIDcNLc4P2H5swCgYIKoZIzj0EAwIw
+XzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMQ8w
+DQYDVQQKDAZBbWF6b24xDDAKBgNVBAsMA3MybjESMBAGA1UEAwwJbG9jYWxob3N0
+MCAXDTIwMTIwNDA3NDg1NloYDzIxMjAxMTEwMDc0ODU2WjBfMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUxDzANBgNVBAoMBkFtYXpv
+bjEMMAoGA1UECwwDczJuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAARhONnk1k68YnnabiHzf3AvlWwN93SOvdq6v1Grl3YEiGM1
+W8WFH7O4cxb+otlVlhhbPzaox4EVthLExJZumx8go2kwZzAdBgNVHQ4EFgQU0ip8
+rN6YlbtCUIueCOqfh3/J3KMwHwYDVR0jBBgwFoAU0ip8rN6YlbtCUIueCOqfh3/J
+3KMwDwYDVR0TAQH/BAUwAwEB/zAUBgNVHREEDTALggkxMjcuMC4wLjEwCgYIKoZI
+zj0EAwIDSQAwRgIhAJwlrxN5SDi2dC17ZPgajqZ8BZyOsNFE+gsobhMBUGN0AiEA
+6KFJgyPGBNdQqaczkNyBcutPGqEubuah5Me6faN4qqU=
+-----END CERTIFICATE-----

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/certs/key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIK4AEDQja7MDATqWWu4T0+iMFdSZH4y4+nuVzDX5ao8KoAoGCCqGSM49
+AwEHoUQDQgAEYTjZ5NZOvGJ52m4h839wL5VsDfd0jr3aur9Rq5d2BIhjNVvFhR+z
+uHMW/qLZVZYYWz82qMeBFbYSxMSWbpsfIA==
+-----END EC PRIVATE KEY-----

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/client.rs

@@ -0,0 +1,45 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use clap::Parser;
+use s2n_tls::raw::{config::Config, security::DEFAULT_TLS13};
+use s2n_tls_tokio::TlsConnector;
+use std::{error::Error, fs};
+use tokio::net::TcpStream;
+
+/// NOTE: this certificate is to be used for demonstration purposes only!
+const DEFAULT_CERT: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/examples/certs/cert.pem");
+
+#[derive(Parser, Debug)]
+struct Args {
+    #[clap(short, long, default_value_t = String::from(DEFAULT_CERT))]
+    trust: String,
+    addr: String,
+}
+
+async fn run_client(trust_pem: &[u8], addr: &str) -> Result<(), Box<dyn Error>> {
+    // Set up the configuration for new connections.
+    // Minimally you will need a trust store.
+    let mut config = Config::builder();
+    config.set_security_policy(&DEFAULT_TLS13)?;
+    config.trust_pem(trust_pem)?;
+
+    // Create the TlsConnector based on the configuration.
+    let client = TlsConnector::new(config.build()?);
+
+    // Connect to the server.
+    let stream = TcpStream::connect(addr).await?;
+    client.connect("localhost", stream).await?;
+
+    // TODO: echo
+
+    Ok(())
+}
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn Error>> {
+    let args = Args::parse();
+    let trust_pem = fs::read(args.trust)?;
+    run_client(&trust_pem, &args.addr).await?;
+    Ok(())
+}

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/examples/server.rs

@@ -0,0 +1,60 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use clap::Parser;
+use s2n_tls::raw::{config::Config, security::DEFAULT_TLS13};
+use s2n_tls_tokio::TlsAcceptor;
+use std::{error::Error, fs};
+use tokio::net::TcpListener;
+
+/// NOTE: this certificate and key are to be used for demonstration purposes only!
+const DEFAULT_CERT: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/examples/certs/cert.pem");
+const DEFAULT_KEY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/examples/certs/key.pem");
+
+#[derive(Parser, Debug)]
+struct Args {
+    #[clap(short, long, requires = "key", default_value_t = String::from(DEFAULT_CERT))]
+    cert: String,
+    #[clap(short, long, requires = "cert", default_value_t = String::from(DEFAULT_KEY))]
+    key: String,
+    #[clap(short, long, default_value_t = String::from("127.0.0.1:0"))]
+    addr: String,
+}
+
+async fn run_server(cert_pem: &[u8], key_pem: &[u8], addr: &str) -> Result<(), Box<dyn Error>> {
+    // Set up the configuration for new connections.
+    // Minimally you will need a certificate and private key.
+    let mut config = Config::builder();
+    config.set_security_policy(&DEFAULT_TLS13)?;
+    config.load_pem(cert_pem, key_pem)?;
+
+    // Create the TlsAcceptor based on the configuration.
+    let server = TlsAcceptor::new(config.build()?);
+
+    // Bind to an address and listen for connections.
+    // ":0" can be used to automatically assign a port.
+    let listener = TcpListener::bind(&addr).await?;
+    let addr = listener
+        .local_addr()
+        .map(|x| x.to_string())
+        .unwrap_or_else(|_| "UNKNOWN".to_owned());
+    println!("Listening on {}", addr);
+
+    loop {
+        // Wait for a client to connect.
+        let (stream, peer_addr) = listener.accept().await?;
+        println!("Connection from {:?}", peer_addr);
+        server.accept(stream).await?;
+
+        // TODO: echo
+    }
+}
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn Error>> {
+    let args = Args::parse();
+    let cert_pem = fs::read(args.cert)?;
+    let key_pem = fs::read(args.key)?;
+    run_server(&cert_pem, &key_pem, &args.addr).await?;
+    Ok(())
+}

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/src/lib.rs

@@ -0,0 +1,150 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use errno::{set_errno, Errno};
+use s2n_tls::raw::{
+    config::Config,
+    connection::Connection,
+    error::Error,
+    ffi::{s2n_mode, s2n_status_code},
+};
+use std::{
+    future::Future,
+    os::raw::{c_int, c_void},
+    pin::Pin,
+    task::{Context, Poll},
+};
+use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+
+pub struct TlsAcceptor {
+    config: Config,
+}
+
+impl TlsAcceptor {
+    pub fn new(config: Config) -> Self {
+        TlsAcceptor { config }
+    }
+
+    pub async fn accept<S>(&self, stream: S) -> Result<TlsStream<S>, Error>
+    where
+        S: AsyncRead + AsyncWrite + Unpin,
+    {
+        TlsStream::open(self.config.clone(), s2n_mode::SERVER, stream).await
+    }
+}
+
+pub struct TlsConnector {
+    config: Config,
+}
+
+impl TlsConnector {
+    pub fn new(config: Config) -> Self {
+        TlsConnector { config }
+    }
+
+    pub async fn connect<S>(&self, _domain: &str, stream: S) -> Result<TlsStream<S>, Error>
+    where
+        S: AsyncRead + AsyncWrite + Unpin,
+    {
+        TlsStream::open(self.config.clone(), s2n_mode::CLIENT, stream).await
+    }
+}
+
+struct TlsHandshake<'a, S> {
+    tls: &'a mut TlsStream<S>,
+}
+
+impl<S> Future for TlsHandshake<'_, S>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    type Output = Result<(), Error>;
+
+    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
+        self.tls.with_io(|mut context| {
+            context.conn.set_waker(Some(cx.waker()))?;
+            context.conn.negotiate().map(|r| r.map(|_| ()))
+        })
+    }
+}
+
+pub struct TlsStream<S> {
+    conn: Connection,
+    stream: S,
+}
+
+impl<S> TlsStream<S>
+where
+    S: AsyncRead + AsyncWrite + Unpin,
+{
+    async fn open(config: Config, mode: s2n_mode::Type, stream: S) -> Result<Self, Error> {
+        let mut conn = Connection::new(mode);
+        conn.set_config(config)?;
+
+        let mut tls = TlsStream { conn, stream };
+        TlsHandshake { tls: &mut tls }.await?;
+        Ok(tls)
+    }
+
+    fn with_io<F>(&mut self, action: F) -> Poll<Result<(), Error>>
+    where
+        F: FnOnce(Pin<&mut Self>) -> Poll<Result<(), Error>>,
+    {
+        // Setting contexts on a connection is considered unsafe
+        // because the raw pointers provide no lifetime or memory guarantees.
+        // We protect against this by pinning the stream during the action
+        // and clearing the context afterwards.
+        unsafe {
+            let context = self as *mut Self as *mut c_void;
+
+            self.conn.set_receive_callback(Some(Self::recv_io_cb))?;
+            self.conn.set_send_callback(Some(Self::send_io_cb))?;
+            self.conn.set_receive_context(context)?;
+            self.conn.set_send_context(context)?;
+
+            let result = action(Pin::new(self));
+
+            self.conn.set_receive_callback(None)?;
+            self.conn.set_send_callback(None)?;
+            self.conn.set_receive_context(std::ptr::null_mut())?;
+            self.conn.set_send_context(std::ptr::null_mut())?;
+            result
+        }
+    }
+
+    fn poll_io<F>(ctx: *mut c_void, action: F) -> c_int
+    where
+        F: FnOnce(Pin<&mut S>, &mut Context) -> Poll<Result<usize, std::io::Error>>,
+    {
+        debug_assert_ne!(ctx, std::ptr::null_mut());
+        let tls = unsafe { &mut *(ctx as *mut Self) };
+
+        let mut async_context = Context::from_waker(tls.conn.waker().unwrap());
+        let stream = Pin::new(&mut tls.stream);
+
+        match action(stream, &mut async_context) {
+            Poll::Ready(Ok(len)) => len as c_int,
+            Poll::Pending => {
+                set_errno(Errno(libc::EWOULDBLOCK));
+                s2n_status_code::FAILURE
+            }
+            _ => s2n_status_code::FAILURE,
+        }
+    }
+
+    unsafe extern "C" fn recv_io_cb(ctx: *mut c_void, buf: *mut u8, len: u32) -> c_int {
+        Self::poll_io(ctx, |stream, async_context| {
+            let mut dest = ReadBuf::new(std::slice::from_raw_parts_mut(buf, len as usize));
+            stream
+                .poll_read(async_context, &mut dest)
+                .map_ok(|_| dest.filled().len())
+        })
+    }
+
+    unsafe extern "C" fn send_io_cb(ctx: *mut c_void, buf: *const u8, len: u32) -> c_int {
+        Self::poll_io(ctx, |stream, async_context| {
+            let src = std::slice::from_raw_parts(buf, len as usize);
+            stream.poll_write(async_context, src)
+        })
+    }
+}

data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/tests/handshake.rs

@@ -0,0 +1,51 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use s2n_tls::raw::{config::Config, error::Error, security::DEFAULT_TLS13};
+use s2n_tls_tokio::{TlsAcceptor, TlsConnector};
+use tokio::net::{TcpListener, TcpStream};
+
+/// NOTE: this certificate and key are used for testing purposes only!
+pub static CERT_PEM: &[u8] = include_bytes!(concat!(
+    env!("CARGO_MANIFEST_DIR"),
+    "/examples/certs/cert.pem"
+));
+pub static KEY_PEM: &[u8] = include_bytes!(concat!(
+    env!("CARGO_MANIFEST_DIR"),
+    "/examples/certs/key.pem"
+));
+
+async fn run_client(stream: TcpStream) -> Result<(), Error> {
+    let mut config = Config::builder();
+    config.set_security_policy(&DEFAULT_TLS13)?;
+    config.trust_pem(CERT_PEM)?;
+    unsafe {
+        config.disable_x509_verification()?;
+    }
+
+    let client = TlsConnector::new(config.build()?);
+    client.connect("localhost", stream).await?;
+    Ok(())
+}
+
+async fn run_server(stream: TcpStream) -> Result<(), Error> {
+    let mut config = Config::builder();
+    config.set_security_policy(&DEFAULT_TLS13)?;
+    config.load_pem(CERT_PEM, KEY_PEM)?;
+
+    let server = TlsAcceptor::new(config.build()?);
+    server.accept(stream).await?;
+    Ok(())
+}
+
+#[tokio::test]
+async fn handshake_basic() -> Result<(), Error> {
+    let localhost = "127.0.0.1".to_owned();
+    let listener = TcpListener::bind(format!("{}:0", localhost)).await.unwrap();
+    let addr = listener.local_addr().unwrap();
+    let client_stream = TcpStream::connect(&addr).await.unwrap();
+    let (server_stream, _) = listener.accept().await.unwrap();
+
+    tokio::try_join!(run_client(client_stream), run_server(server_stream))?;
+    Ok(())
+}