aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_sslyze.py

@@ -1,12 +1,14 @@
 import pytest
 import sslyze
 import abc
+from enum import Enum, auto
 
 from configuration import available_ports, ALL_TEST_CIPHERS, ALL_TEST_CERTS
 from common import ProviderOptions, Protocols, Cipher, Ciphers, Certificates, Curves
 from fixtures import managed_process
 from providers import S2N
 from utils import get_parameter_name, invalid_test_parameters
+from global_flags import get_flag, S2N_PROVIDER_VERSION, S2N_FIPS_MODE
 
 HOST = "127.0.0.1"
 
@@ -31,7 +33,7 @@ SSLYZE_SCANS_TO_TEST = {
 
 CERTS_TO_TEST = [
     cert for cert in ALL_TEST_CERTS if cert.name not in {
-        "RSA_PSS_2048_SHA256"  # sslyze errors when given an RSA PSS cert
+        "RSA_PSS_2048_SHA256"  # SSLyze errors when given an RSA PSS cert
     }
 ]
 
@@ -67,7 +69,7 @@ class CipherSuitesVerifier(ScanVerifier):
         ]
 
         for cipher in rejected_ciphers:
-            # if a cipher is rejected, it should be an invalid test parameter in combination with the
+            # If a cipher is rejected, it should be an invalid test parameter in combination with the
             # protocol/provider/cert, otherwise it should have been accepted
             assert invalid_test_parameters(
                 protocol=self.protocol,
@@ -92,7 +94,7 @@ class EllipticCurveVerifier(ScanVerifier):
         ]
 
         for curve in rejected_curves:
-            # if a curve is rejected, it should be an invalid test parameter in combination with the
+            # If a curve is rejected, it should be an invalid test parameter in combination with the
             # protocol/provider/cert, otherwise it should have been accepted
             assert invalid_test_parameters(
                 protocol=self.protocol,
@@ -113,7 +115,7 @@ class RobotVerifier(ScanVerifier):
 class SessionResumptionVerifier(ScanVerifier):
     def assert_scan_success(self):
         if self.protocol == Protocols.TLS13:
-            pass  # sslyze does not support session resumption scans for tls 1.3
+            pass  # SSLyze does not support session resumption scans for tls 1.3
         else:
             assert self.scan_result.tls_ticket_resumption_result == sslyze.TlsResumptionSupportEnum.FULLY_SUPPORTED
 
@@ -177,8 +179,10 @@ def validate_scan_result(scan_attempt, protocol, certificate=None):
 def get_scan_attempts(scan_results):
     # scan_results (sslyze.AllScanCommandsAttempts) is an object containing parameters mapped to scan attempts. convert
     # this to a list containing just scan attempts, and then filter out tests that were not scheduled.
-    scan_attribute_names = [attr_name for attr_name in dir(scan_results) if not attr_name.startswith("__")]
-    scan_attempts = [getattr(scan_results, attr_name) for attr_name in scan_attribute_names]
+    scan_attribute_names = [attr_name for attr_name in dir(
+        scan_results) if not attr_name.startswith("__")]
+    scan_attempts = [getattr(scan_results, attr_name)
+                     for attr_name in scan_attribute_names]
     scan_attempts = [
         scan_attempt for scan_attempt in scan_attempts
         if scan_attempt.status != sslyze.ScanCommandAttemptStatusEnum.NOT_SCHEDULED
@@ -209,9 +213,31 @@ def run_sslyze_scan(host, port, scans):
     return scanner.get_results()
 
 
+def invalid_sslyze_scan_parameters(*args, **kwargs):
+    scan_command = kwargs["scan_command"]
+    protocol = kwargs["protocol"]
+
+    # BUG_IN_SSLYZE error in TLS compression and session renegotiation scans
+    # in fips libcryptos when TLS version < 1.3
+    if "fips" in get_flag(S2N_PROVIDER_VERSION) and protocol != Protocols.TLS13:
+        if scan_command in [
+            sslyze.ScanCommand.TLS_COMPRESSION,
+            sslyze.ScanCommand.SESSION_RENEGOTIATION
+        ]:
+            return True
+    # BUG_IN_SSLYZE error for session resumption scan with openssl 1.0.2 fips
+    if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
+        if scan_command == sslyze.ScanCommand.SESSION_RESUMPTION:
+            return True
+
+    return invalid_test_parameters(*args, **kwargs)
+
+
+@pytest.mark.uncollect_if(func=invalid_sslyze_scan_parameters)
 @pytest.mark.parametrize("protocol", PROTOCOLS_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("scan_command", SSLYZE_SCANS_TO_TEST, ids=get_parameter_name)
-def test_sslyze_scans(managed_process, protocol, scan_command):
+@pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
+def test_sslyze_scans(managed_process, protocol, scan_command, provider):
     port = next(available_ports)
 
     server_options = ProviderOptions(
@@ -222,9 +248,10 @@ def test_sslyze_scans(managed_process, protocol, scan_command):
         extra_flags=["--parallelize"]
     )
 
-    # test 1.3 exclusively
+    # Test 1.3 exclusively
     if protocol == Protocols.TLS13:
-        server_options.cipher = Cipher("test_all_tls13", Protocols.TLS13, False, False, s2n=True)
+        server_options.cipher = Cipher(
+            "test_all_tls13", Protocols.TLS13, False, False, s2n=True)
 
     if scan_command == sslyze.ScanCommand.SESSION_RESUMPTION:
         server_options.reconnect = True,
@@ -235,7 +262,7 @@ def test_sslyze_scans(managed_process, protocol, scan_command):
         server_options.use_session_ticket = True
         server_options.extra_flags.extend([
             "--max-early-data", "65535",
-            "--https-server"  # early data scan sends http requests
+            "--https-server"  # Early data scan sends http requests
         ])
 
     server = managed_process(S2N, server_options, timeout=30)
@@ -253,9 +280,54 @@ def test_sslyze_scans(managed_process, protocol, scan_command):
     server.kill()
 
 
+class CertificateScan(Enum):
+    CIPHER_SUITE_SCAN = auto()
+    ELLIPTIC_CURVE_SCAN = auto()
+
+
+def invalid_certificate_scans_parameters(*args, **kwargs):
+    certificate = kwargs["certificate"]
+    certificate_scan = kwargs["certificate_scan"]
+    protocol = kwargs["protocol"]
+
+    if certificate_scan == CertificateScan.CIPHER_SUITE_SCAN:
+        if "openssl-1.0.2" in get_flag(S2N_PROVIDER_VERSION):
+            # SSLyze scan results in rejected ciphers that should have been accepted
+            # for TLS 1.2
+            if protocol == Protocols.TLS12:
+                return True
+        if "fips" in get_flag(S2N_PROVIDER_VERSION):
+            # BUG_IN_SSLYZE / TLS version supported assertion failures for ECDSA scans
+            # in SSLv3 and RSA with TLS version < 1.2 with fips libcryptos
+            if "ECDSA" in certificate.name and protocol == Protocols.SSLv3:
+                return True
+            if "RSA" in certificate.name and protocol in [
+                Protocols.SSLv3,
+                Protocols.TLS10,
+                Protocols.TLS11
+            ]:
+                return True
+    elif certificate_scan == CertificateScan.ELLIPTIC_CURVE_SCAN:
+        # SSLyze curves scan errors when given ECDSA certs
+        if "ECDSA" in certificate.name:
+            return True
+
+        # SSLyze curves scan fails to validate with openssl 1.0.2 fips
+        if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
+            return True
+
+    return invalid_test_parameters(*args, **kwargs)
+
+
+@pytest.mark.uncollect_if(func=invalid_certificate_scans_parameters)
 @pytest.mark.parametrize("protocol", PROTOCOLS_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", CERTS_TO_TEST, ids=get_parameter_name)
-def test_sslyze_certificate_scans(managed_process, protocol, certificate):
+@pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("certificate_scan", [
+    CertificateScan.CIPHER_SUITE_SCAN,
+    CertificateScan.ELLIPTIC_CURVE_SCAN
+], ids=lambda certificate_scan: certificate_scan.name)
+def test_sslyze_certificate_scans(managed_process, protocol, certificate, provider, certificate_scan):
     port = next(available_ports)
 
     server_options = ProviderOptions(
@@ -270,13 +342,12 @@ def test_sslyze_certificate_scans(managed_process, protocol, certificate):
     )
     server = managed_process(S2N, server_options, timeout=30)
 
-    scans = [CIPHER_SUITE_SCANS.get(protocol.value)]
-
-    # sslyze curves scan errors when given ECDSA certs
-    if "ECDSA" not in certificate.name:
-        scans.append(sslyze.ScanCommand.ELLIPTIC_CURVES)
+    scan = {
+        CertificateScan.CIPHER_SUITE_SCAN: CIPHER_SUITE_SCANS.get(protocol.value),
+        CertificateScan.ELLIPTIC_CURVE_SCAN: sslyze.ScanCommand.ELLIPTIC_CURVES
+    }.get(certificate_scan)
 
-    scan_attempt_results = run_sslyze_scan(HOST, port, scans)
+    scan_attempt_results = run_sslyze_scan(HOST, port, [scan])
 
     for scan_attempt_result in scan_attempt_results:
         assert_scan_result_completed(scan_attempt_result)

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py

@@ -4,17 +4,39 @@ import pytest
 from configuration import available_ports, ALL_TEST_CIPHERS, ALL_TEST_CURVES, ALL_TEST_CERTS
 from common import ProviderOptions, Protocols, data_bytes
 from fixtures import managed_process
-from providers import Provider, S2N, OpenSSL
-from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, get_expected_openssl_version, to_bytes
+from providers import Provider, S2N, OpenSSL, GnuTLS
+from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, get_expected_openssl_version, \
+    to_bytes, get_expected_gnutls_version
 
 
-@pytest.mark.uncollect_if(func=invalid_test_parameters)
+def test_nothing():
+    """
+    Sometimes the version negotiation test parameters in combination with the s2n
+    libcrypto results in no test cases existing. In this case, pass a nothing test to
+    avoid marking the entire codebuild run as failed.
+    """
+    assert True
+
+
+def invalid_version_negotiation_test_parameters(*args, **kwargs):
+    # Since s2nd/s2nc will always be using TLS 1.3, make sure the libcrypto is compatible
+    if invalid_test_parameters(**{
+        "provider": S2N,
+        "protocol": Protocols.TLS13
+    }):
+        return True
+
+    return invalid_test_parameters(*args, **kwargs)
+
+
+@pytest.mark.uncollect_if(func=invalid_version_negotiation_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS12, Protocols.TLS11, Protocols.TLS10], ids=get_parameter_name)
-@pytest.mark.parametrize("provider", [S2N, OpenSSL], ids=get_parameter_name)
-def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, provider, certificate):
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, certificate, protocol, provider, other_provider):
     port = next(available_ports)
 
     random_bytes = data_bytes(24)
@@ -25,7 +47,8 @@ def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
         curve=curve,
         data_to_send=random_bytes,
         insecure=True,
-        protocol=Protocols.TLS13)
+        protocol=Protocols.TLS13
+    )
 
     server_options = copy.copy(client_options)
     server_options.data_to_send = None
@@ -34,7 +57,12 @@ def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
     server_options.cert = certificate.cert
     server_options.protocol = protocol
 
-    server = managed_process(provider, server_options, timeout=5)
+    kill_marker = None
+    if provider == GnuTLS:
+        kill_marker = random_bytes
+
+    server = managed_process(provider, server_options,
+                             timeout=5, kill_marker=kill_marker)
     client = managed_process(S2N, client_options, timeout=5)
 
     client_version = get_expected_s2n_version(Protocols.TLS13, provider)
@@ -42,8 +70,10 @@ def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
 
     for results in client.get_results():
         results.assert_success()
-        assert to_bytes("Client protocol version: {}".format(client_version)) in results.stdout
-        assert to_bytes("Actual protocol version: {}".format(actual_version)) in results.stdout
+        assert to_bytes("Client protocol version: {}".format(
+            client_version)) in results.stdout
+        assert to_bytes("Actual protocol version: {}".format(
+            actual_version)) in results.stdout
 
     for results in server.get_results():
         results.assert_success()
@@ -51,19 +81,25 @@ def test_s2nc_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
             # The server is only TLS12, so it reads the version from the CLIENT_HELLO, which is never above TLS12
             # This check only cares about S2N. Trying to maintain expected output of other providers doesn't
             # add benefit to whether the S2N client was able to negotiate a lower TLS version.
-            assert to_bytes("Client protocol version: {}".format(actual_version)) in results.stdout
-            assert to_bytes("Actual protocol version: {}".format(actual_version)) in results.stdout
+            assert to_bytes("Client protocol version: {}".format(
+                actual_version)) in results.stdout
+            assert to_bytes("Actual protocol version: {}".format(
+                actual_version)) in results.stdout
 
-        assert random_bytes in results.stdout
+        assert any([
+            random_bytes[1:] in stream 
+            for stream in results.output_streams()
+        ])
 
 
-@pytest.mark.uncollect_if(func=invalid_test_parameters)
+@pytest.mark.uncollect_if(func=invalid_version_negotiation_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS12, Protocols.TLS11, Protocols.TLS10], ids=get_parameter_name)
-@pytest.mark.parametrize("provider", [S2N, OpenSSL], ids=get_parameter_name)
-def test_s2nd_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, provider, certificate):
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+def test_s2nd_tls13_negotiates_tls12(managed_process, cipher, curve, certificate, protocol, provider, other_provider):
     port = next(available_ports)
 
     random_bytes = data_bytes(24)
@@ -74,7 +110,8 @@ def test_s2nd_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
         curve=curve,
         data_to_send=random_bytes,
         insecure=True,
-        protocol=protocol)
+        protocol=protocol
+    )
 
     server_options = copy.copy(client_options)
     server_options.data_to_send = None
@@ -95,16 +132,28 @@ def test_s2nd_tls13_negotiates_tls12(managed_process, cipher, curve, protocol, p
         results.assert_success()
         if provider is S2N:
             # The client will get the server version from the SERVER HELLO, which will be the negotiated version
-            assert to_bytes("Server protocol version: {}".format(actual_version)) in results.stdout
-            assert to_bytes("Actual protocol version: {}".format(actual_version)) in results.stdout
+            assert to_bytes("Server protocol version: {}".format(
+                actual_version)) in results.stdout
+            assert to_bytes("Actual protocol version: {}".format(
+                actual_version)) in results.stdout
         elif provider is OpenSSL:
             # This check cares about other providers because we want to know that they did negotiate the version
             # that our S2N server intended to negotiate.
             openssl_version = get_expected_openssl_version(protocol)
-            assert to_bytes("Protocol  : {}".format(openssl_version)) in results.stdout
+            assert to_bytes("Protocol  : {}".format(
+                openssl_version)) in results.stdout
+        elif provider is GnuTLS:
+            gnutls_version = get_expected_gnutls_version(protocol)
+            assert to_bytes(f"Version: {gnutls_version}") in results.stdout
 
     for results in server.get_results():
         results.assert_success()
-        assert to_bytes("Server protocol version: {}".format(server_version)) in results.stdout
-        assert to_bytes("Actual protocol version: {}".format(actual_version)) in results.stdout
-        assert random_bytes in results.stdout
+        assert (
+            to_bytes("Server protocol version: {}".format(server_version)) 
+            in results.stdout
+        )
+        assert (
+            to_bytes("Actual protocol version: {}".format(actual_version)) 
+            in results.stdout
+        )
+        assert random_bytes[1:] in results.stdout

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_well_known_endpoints.py

@@ -22,8 +22,8 @@ ENDPOINTS = [
     "rsa2048.badssl.com",
     "rsa4096.badssl.com",
     "sha256.badssl.com",
-    "sha384.badssl.com",
-    "sha512.badssl.com",
+    # "sha384.badssl.com",
+    # "sha512.badssl.com",
     "tls-v1-0.badssl.com",
     "tls-v1-1.badssl.com",
     "tls-v1-2.badssl.com",
@@ -109,7 +109,8 @@ def test_well_known_endpoints(managed_process, protocol, endpoint, provider, cip
 
     # expect_stderr=True because S2N sometimes receives OCSP responses:
     # https://github.com/aws/s2n-tls/blob/14ed186a13c1ffae7fbb036ed5d2849ce7c17403/bin/echo.c#L180-L184
-    client = managed_process(provider, client_options, timeout=5, expect_stderr=True)
+    client = managed_process(provider, client_options,
+                             timeout=5, expect_stderr=True)
 
     expected_result = EXPECTED_RESULTS.get((endpoint, cipher), None)
 

data/aws-crt-ffi/crt/s2n/tests/integrationv2/tox.ini

@@ -11,6 +11,7 @@ deps =
     pytest==5.3.5
     pytest-xdist==1.34.0
     sslyze==5.0.2
+    pytest-rerunfailures
 commands =
     pytest -n 2 --cache-clear -rpfsq \
         --provider-version={env:S2N_LIBCRYPTO} \

data/aws-crt-ffi/crt/s2n/tests/integrationv2/utils.py

@@ -1,5 +1,6 @@
 from common import Protocols, Curves, Ciphers
 from providers import S2N, OpenSSL
+from global_flags import get_flag, S2N_FIPS_MODE, S2N_PROVIDER_VERSION
 
 
 def to_bytes(val):
@@ -23,16 +24,21 @@ def get_expected_s2n_version(protocol, provider):
 
 
 def get_expected_openssl_version(protocol):
-    if protocol == Protocols.TLS13:
-        version = 'TLSv1.3'
-    elif protocol == Protocols.TLS12:
-        version = 'TLSv1.2'
-    elif protocol == Protocols.TLS11:
-        version = 'TLSv1.1'
-    elif protocol == Protocols.TLS10:
-        version = 'TLSv1'
+    return {
+        Protocols.TLS10.value: "TLSv1",
+        Protocols.TLS11.value: "TLSv1.1",
+        Protocols.TLS12.value: "TLSv1.2",
+        Protocols.TLS13.value: "TLSv1.3"
+    }.get(protocol.value)
 
-    return version
+
+def get_expected_gnutls_version(protocol):
+    return {
+        Protocols.TLS10.value: "TLS1.0",
+        Protocols.TLS11.value: "TLS1.1",
+        Protocols.TLS12.value: "TLS1.2",
+        Protocols.TLS13.value: "TLS1.3"
+    }.get(protocol.value)
 
 
 def get_parameter_name(item):
@@ -49,10 +55,14 @@ def invalid_test_parameters(*args, **kwargs):
     """
     protocol = kwargs.get('protocol')
     provider = kwargs.get('provider')
+    other_provider = kwargs.get('other_provider')
     certificate = kwargs.get('certificate')
     client_certificate = kwargs.get('client_certificate')
     cipher = kwargs.get('cipher')
     curve = kwargs.get('curve')
+    signature = kwargs.get('signature')
+
+    providers = [provider_ for provider_ in [provider, other_provider] if provider_]
 
     # Only TLS1.3 supports RSA-PSS-PSS certificates
     # (Earlier versions support RSA-PSS signatures, just via RSA-PSS-RSAE)
@@ -62,8 +72,21 @@ def invalid_test_parameters(*args, **kwargs):
         if certificate and certificate.algorithm == 'RSAPSS':
             return True
 
-    if provider is not None and not provider.supports_protocol(protocol):
-        return True
+    for provider_ in providers:
+        if not provider_.supports_protocol(protocol):
+            return True
+
+    if provider is not None and other_provider is not None:
+        if issubclass(provider, S2N) and issubclass(other_provider, S2N):
+            # If s2n is built with openssl-1.0.2-fips, and the cert is not ECDSA, it can't connect to itself
+            if certificate is not None:
+                if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION) and "ECDSA" not in certificate.name:
+                    return True
+
+            # If s2n is built with awslc and TLS version is < 1.3, it can't connect to itself
+            if protocol is not None:
+                if "awslc-fips" in get_flag(S2N_PROVIDER_VERSION) and protocol != Protocols.TLS13:
+                    return True
 
     if cipher is not None:
         # If the selected protocol doesn't allow the cipher, don't test
@@ -76,14 +99,21 @@ def invalid_test_parameters(*args, **kwargs):
             if protocol is Protocols.TLS13 and cipher.min_version < protocol:
                 return True
 
-        if provider is not None and not provider.supports_cipher(cipher, with_curve=curve):
-            return True
+        for provider_ in providers:
+            if not provider_.supports_cipher(cipher, with_curve=curve):
+                return True
+
+        if get_flag(S2N_FIPS_MODE):
+            if not cipher.fips:
+                return True
 
     # If we are using a cipher that depends on a specific certificate algorithm
     # deselect the test if the wrong certificate is used.
     if certificate is not None:
-        if protocol is not None and provider.supports_protocol(protocol, with_cert=certificate) is False:
-            return True
+        if protocol is not None:
+            for provider_ in providers:
+                if provider_.supports_protocol(protocol, with_cert=certificate) is False:
+                    return True
         if cipher is not None and certificate.compatible_with_cipher(cipher) is False:
             return True
 
@@ -99,4 +129,9 @@ def invalid_test_parameters(*args, **kwargs):
         if protocol is not None and curve.min_protocol > protocol:
             return True
 
+    if signature is not None:
+        for provider_ in providers:
+            if provider_.supports_signature(signature) is False:
+                return True
+
     return False

data/aws-crt-ffi/crt/s2n/tests/litani/CHANGELOG

@@ -1,6 +1,137 @@
                               CHANGELOG
                               `````````
 
+Version 1.22.0 -- 2022-03-15
+----------------------------
+- Print out stderr when a job fails
+  The entire buffered stderr of a job that fails will now be printed to
+  the terminal after the failing command line. This is to help users
+  quickly debug these jobs without viewing the HTML report.
+
+  This commit fixes #131.
+
+- Fix content colour in dark mode
+
+  Previously, some content would appear in a dark colour in dark mode
+  because the "color" property was set in the .content class for light
+  mode but the <body> element for dark mode.
+
+- Rebuild run graph in transform jobs
+
+  After receiving user input in transform jobs, discard old jobs and make
+  a new run graph using the jobs received on stdin. This makes it so that
+  running add-job in parallel with transform-jobs will fail.
+
+- Add ids to sections on HTML dashboard
+
+  Every major section on the HTML dashboard now has an "id" attribute,
+  making it possible to link to those sections. Prior to this commit, it
+  was not possible to link to specific graphs on the front page, for
+  example. This PR also introduces a CONTRIBUTING.md file that contains
+  guidance to continue this pattern.
+
+- Do not run litani tests if 'no-test' label is set
+
+- Fix space in release script
+
+- Tell release engineer to push develop and release
+
+  Previously, following the instructions would only push the release
+  branch to origin, not the develop branch.
+
+- Fix run-tests workflow file name
+
+
+Version 1.21.0 -- 2022-03-04
+----------------------------
+- Add release script
+  This commit adds a script that creates a new release when run. It takes
+  the following actions:
+
+  - Update the version number in lib/litani.py;
+  - Generate a changelog and prompt the user to edit it;
+  - Merge the release branch into develop, using the changelog for the
+    merge commit;
+  - Tag the release;
+  - Create a new release candidate on the develop branch.
+
+- Litani's homebrew formula is now released on homebrew-core
+
+- Add --out-file flag to litani-dump-run
+
+  With this commit, users can now dump run files to a file instead
+  by passing --out-file flag with the file path to litani dump-run.
+
+- Add run-tests workflow
+  This commit runs Litani's test suite on PRs with label 'test'.
+
+- Render rich output in dashboard, pipeline pages
+
+  This feature allows users to render custom HTML data onto the HTML
+  dashboard, allowing Litani jobs to display their results through tables,
+  graphs, and other HTML format. This can be done both for the front page
+  or on the pipeline page.
+
+  The intention is that individual litani jobs can be used to measure
+  metrics, and then print those metrics out in an easily-viewable format.
+  Jobs that calculate metrics for the entire run can present those metrics
+  as a graph on the front page. Jobs that calculate metrics for a single
+  pipeline (or proof) can display the result on the pipeline page.
+
+  Users use this feature by adding a tag to a litani job, using the --tags
+  flag. If a job is tagged with front-page-text, Litani will render the
+  job's output onto the front page, in its own section. A tag of
+  literal-stdout will make Litani render the job's output onto the
+  pipeline page, but without any HTML escaping.
+
+- Add workflow to update gh-pages on release
+
+- Sort pipelines by status and then name.
+
+  The order with which pipelines appear in both the HTML dashboard is
+  the same as the order with which they appear in the run.json. An e2e
+  test was added to ensure that the order is indeed the intended one.
+
+
+Version 1.20.0 -- 2022-02-11
+----------------------------
+
+This release introduces workflows for Litani that use GitHub Actions. It
+additionally contains bug fixes.
+
+- Workflow were added, which will create a Debian package as well as a PR
+  against the aws/homebrew-tap repository in order to update the brew formula.
+
+Bug fixes:
+
+- Prevent file extension from appearing twice in dot dependency diagram.
+- Litani dump-run will dump the latest run, if no build is concurrently running.
+- Update doc, examples for transform-jobs command.
+
+
+Version 1.19.0 -- 2022-02--01
+----------------------------
+
+- Change man page extension from .roff to its chapter. 
+
+  This commit is in preparation for Litani to be installed on users'
+  systems, where the man pages need to be installed in the correct
+  location and have the correct prefix in order for the man program to
+  find them.
+
+- Inform user that jobs must be added in order for Litani to run a build
+
+
+Version 1.18.0 -- 2022-01-24
+----------------------------
+
+- Add new transform-jobs command
+- Add --fast option to Litani test suite
+- Add --output-dir flag to Litani test suite
+- Litani will no longer print errors when not connected to a tty device
+- Add documentation for new flags
+
+
 Version 1.17.0 -- 2022-01-10
 ----------------------------
 

data/aws-crt-ffi/crt/s2n/tests/litani/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+Contributing
+============
+
+Thank you for contributing to Litani! This document collects some coding and
+process guidelines.
+
+
+### HTML Dashboard
+
+- Please test your changes with both light and dark mode, and with a range of
+  browser widths.
+- Almost all top-level divs should have an id attribute; this makes it easy to
+  link to specific information.
+- We prefer to inline all assets (CSS, images) onto the page so that it's easy
+  to send single, self-contained pages around. For this reason, please try to
+  keep SVGs small.