aws-crt 0.1.9 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/auth.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/aws_imds_client.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/credentials.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/aws_signing.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/credentials_utils.h +2 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/signing_config.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/auth.c +3 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_imds_client.c +146 -63
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_signing.c +41 -19
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_imds.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_utils.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/signable_http_request.c +2 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/signing_config.c +25 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/CMakeLists.txt +3 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/aws_imds_client_test.c +197 -31
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_imds_tests.c +16 -18
- data/aws-crt-ffi/crt/aws-c-auth/tests/sigv4_signing_tests.c +3 -1
- data/aws-crt-ffi/crt/aws-c-cal/include/aws/cal/private/opensslcrypto_common.h +22 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/darwin/commoncrypto_aes.c +46 -17
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_aes.c +1 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_platform_init.c +7 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_rsa.c +59 -2
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/opensslcrypto_ecc.c +1 -0
- data/aws-crt-ffi/crt/aws-c-common/CMakeLists.txt +13 -1
- data/aws-crt-ffi/crt/aws-c-common/THIRD-PARTY-LICENSES.txt +28 -7
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/CMakeLists.txt +18 -0
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/print_system_info.c +48 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/allocator.h +23 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/byte_buf.h +12 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/cross_process_lock.h +35 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/hash_table.h +1 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/priority_queue.h +24 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/private/system_info_priv.h +37 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_info.h +47 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_resource_util.h +30 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/testing/aws_test_harness.h +3 -2
- data/aws-crt-ffi/crt/aws-c-common/source/allocator.c +64 -13
- data/aws-crt-ffi/crt/aws-c-common/source/android/logging.c +14 -0
- data/aws-crt-ffi/crt/aws-c-common/source/common.c +3 -3
- data/aws-crt-ffi/crt/aws-c-common/source/file.c +96 -35
- data/aws-crt-ffi/crt/aws-c-common/source/linux/system_info.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/memtrace.c +10 -3
- data/aws-crt-ffi/crt/aws-c-common/source/platform_fallback_stubs/system_info.c +21 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/cross_process_lock.c +141 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_info.c +1 -1
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_resource_utils.c +32 -0
- data/aws-crt-ffi/crt/aws-c-common/source/priority_queue.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/system_info.c +80 -0
- data/aws-crt-ffi/crt/aws-c-common/source/task_scheduler.c +2 -2
- data/aws-crt-ffi/crt/aws-c-common/source/windows/cross_process_lock.c +93 -0
- data/aws-crt-ffi/crt/aws-c-common/source/windows/system_resource_utils.c +31 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/CMakeLists.txt +16 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/alloc_test.c +83 -22
- data/aws-crt-ffi/crt/aws-c-common/tests/cross_process_lock_tests.c +116 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/file_test.c +103 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/priority_queue_test.c +36 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_info_tests.c +19 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_resource_util_test.c +37 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection.h +9 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/http.h +1 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_impl.h +5 -4
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_manager_system_vtable.h +10 -18
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/proxy_impl.h +5 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/request_response_impl.h +5 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/request_response.h +10 -0
- data/aws-crt-ffi/crt/aws-c-http/source/connection.c +5 -2
- data/aws-crt-ffi/crt/aws-c-http/source/connection_manager.c +22 -21
- data/aws-crt-ffi/crt/aws-c-http/source/h1_connection.c +102 -17
- data/aws-crt-ffi/crt/aws-c-http/source/h1_stream.c +1 -0
- data/aws-crt-ffi/crt/aws-c-http/source/http.c +3 -0
- data/aws-crt-ffi/crt/aws-c-http/source/proxy_connection.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt +2 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_manager.c +18 -18
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_client.c +111 -1
- data/aws-crt-ffi/crt/aws-c-http/tests/test_proxy.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/test_stream_manager.c +2 -2
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/retry_strategy.h +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/exponential_backoff_retry_strategy.c +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_tls_op_handler.c +2 -4
- data/aws-crt-ffi/crt/aws-lc/CMakeLists.txt +16 -8
- data/aws-crt-ffi/crt/aws-lc/cmake/go.cmake +6 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/CMakeLists.txt +6 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_time.c +34 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_utctm.c +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/asn1_test.cc +41 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_mem.c +6 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_test.cc +152 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/connect.c +6 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/fd.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/file.c +20 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket_helper.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/blake2/blake2.c +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbb.c +13 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbs.c +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/asm/chacha-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha.c +49 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha_test.cc +110 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/internal.h +8 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/compiler_test.cc +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/conf/conf_test.cc +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/crypto_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519.c +189 -108
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519_nohw.c +78 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/ed25519_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/internal.h +24 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/spake25519.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/x25519_test.cc +80 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/decrepit/evp/evp_do_all.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_extra.c +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_test.cc +110 -45
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/dsa_test.cc +8 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/internal.h +18 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/dynamic_loading_test.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/ec_derive.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/hash_to_curve.c +6 -18
- data/aws-crt-ffi/crt/aws-lc/crypto/endian_test.cc +308 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/err/ssl.errordata +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_extra_test.cc +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_test.cc +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_tests.txt +25 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_ec_asn1.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_kem.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_rsa_asn1.c +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/print.c +7 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/scrypt.c +13 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/CMakeLists.txt +13 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/aes/aes_nohw.c +18 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bcm.c +12 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_assert_test.cc +77 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_test.cc +30 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bytes.c +112 -22
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/div.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/exponentiation.c +54 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/gcd.c +5 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/internal.h +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery.c +4 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery_inv.c +51 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/cipher/aead.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digest.c +29 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digests.c +89 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/internal.h +4 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec.c +19 -36
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_key.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_montgomery.c +9 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_test.cc +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/internal.h +17 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p224-64.c +5 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256-nistz.c +8 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256.c +9 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p384.c +33 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p521.c +14 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/scalar.c +26 -24
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/simple_mul.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/wnaf.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ecdsa/ecdsa.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/evp.c +43 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/p_ec.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/hmac/hmac.c +3 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/modes/xts.c +26 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/cpu_jitter_test.cc +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/internal.h +20 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/rand.c +10 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/urandom.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/internal.h +59 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/padding.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa.c +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa_impl.c +51 -60
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator.c +5 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator_test.cc +205 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/internal.h +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3.c +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3_test.cc +115 -110
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha512.c +55 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sshkdf/sshkdf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_test.cc +12 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_tests.txt +10 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hrss/asm/poly_rq_mul.S +2 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/impl_dispatch_test.cc +9 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/internal.h +90 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/kem/kem.c +28 -27
- data/aws-crt-ffi/crt/aws-lc/crypto/kyber/kem_kyber.h +14 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_dat.h +52 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_mac.num +5 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/objects.txt +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/arm-xlate.pl +3 -14
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/ppc-xlate.pl +1 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86_64-xlate.pl +4 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86asm.pl +4 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/poly1305/poly1305_arm_asm.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/deterministic.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/fuchsia.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/rand_test.cc +0 -63
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/windows.c +41 -19
- data/aws-crt-ffi/crt/aws-lc/crypto/rsa_extra/rsa_test.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash_test.cc +5 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/stack/stack.c +68 -46
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/pmbtoken.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/voprf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/by_dir.c +0 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/internal.h +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_lu.c +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_test.cc +87 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_trs.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_vfy.c +35 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_lib.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_purp.c +4 -6
- data/aws-crt-ffi/crt/aws-lc/generated-src/crypto_test_data.cc +179 -151
- data/aws-crt-ffi/crt/aws-lc/generated-src/err_data.c +353 -349
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/bn-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/test/trampoline-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/test/trampoline-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/bn-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/co-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/md5-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha1-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/bn-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/co-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/md5-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha1-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/go.mod +4 -4
- data/aws-crt-ffi/crt/aws-lc/go.sum +8 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/aead.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/arm_arch.h +4 -119
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asm_base.h +185 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asn1.h +5 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/base.h +31 -134
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bio.h +30 -18
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bn.h +0 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/chacha.h +6 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/cipher.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/digest.h +9 -6
- data/aws-crt-ffi/crt/aws-lc/include/openssl/dsa.h +0 -21
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ec.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/err.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/evp.h +8 -5
- data/aws-crt-ffi/crt/aws-lc/include/openssl/nid.h +21 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/rsa.h +1 -65
- data/aws-crt-ffi/crt/aws-lc/include/openssl/sha.h +22 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ssl.h +121 -13
- data/aws-crt-ffi/crt/aws-lc/include/openssl/stack.h +229 -208
- data/aws-crt-ffi/crt/aws-lc/include/openssl/target.h +166 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509.h +30 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509v3.h +6 -4
- data/aws-crt-ffi/crt/aws-lc/sources.cmake +2 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/extensions.cc +12 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/handshake_server.cc +28 -18
- data/aws-crt-ffi/crt/aws-lc/ssl/internal.h +41 -6
- data/aws-crt-ffi/crt/aws-lc/ssl/s3_both.cc +9 -17
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_cipher.cc +13 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_key_share.cc +542 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_lib.cc +35 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_test.cc +1847 -14
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_x509.cc +128 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/PORTING.md +10 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/test/bssl_shim.cc +133 -77
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshake_util.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshaker.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_client.go +6 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_messages.go +894 -1042
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_server.go +24 -23
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/prf.go +6 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/runner.go +56 -55
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/shim_dispatcher.go +188 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/ticket.go +37 -39
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.cc +59 -24
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.h +3 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/tls13_server.cc +10 -11
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/app.py +4 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/{aws_lc_mac_arm_ci_stack.py → aws_lc_ec2_test_framework_ci_stack.py} +13 -29
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml +43 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/common_posix_setup.sh +10 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/amazonlinux-2023_base/Dockerfile +5 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/ubuntu-22.04_base/Dockerfile +19 -3
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/amazonlinux-2_gcc-7x-intel-sde/Dockerfile +5 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/build_images.sh +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/push_images.sh +2 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-20.04_clang-10x_formal-verification/create_image.sh +1 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_base/Dockerfile +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_clang-14x-sde/Dockerfile +42 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/vs2017/Dockerfile +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/windows_base/Dockerfile +3 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/README.md +12 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/nginx_patch/aws-lc-nginx.patch +68 -23
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_crt_integration.sh +27 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_monit_integration.sh +56 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/sslproxy_patch/aws-lc-sslproxy.patch +2 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_ec2_test_framework.sh +135 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_fips_tests.sh +14 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde.sh +4 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde_asan.sh +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_windows_tests.bat +39 -3
- data/aws-crt-ffi/crt/aws-lc/third_party/fiat/README.md +21 -6
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519.S +284 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519_alt.S +210 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_mod_n25519.S +186 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_neg_p25519.S +65 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_alt.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte_alt.S +1043 -354
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode.S +700 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode_alt.S +563 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_encode.S +131 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase.S +9626 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase_alt.S +9468 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble.S +3157 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble_alt.S +2941 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p384/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p521/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h +34 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519.S +219 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519_alt.S +245 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_mod_n25519.S +228 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_neg_p25519.S +86 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519_alt.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base.S +1344 -400
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base_alt.S +1348 -402
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode.S +670 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode_alt.S +751 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_encode.S +81 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase.S +9910 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase_alt.S +9986 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble.S +3619 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble_alt.S +3736 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.json +1978 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.txt +1403 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.json +1993 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.txt +1416 -0
- data/aws-crt-ffi/crt/aws-lc/tool/digest.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/tool/internal.h +1 -0
- data/aws-crt-ffi/crt/aws-lc/tool/speed.cc +53 -6
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.go +43 -12
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.json +13 -5
- data/aws-crt-ffi/crt/aws-lc/util/bot/DEPS +4 -4
- data/aws-crt-ffi/crt/aws-lc/util/bot/update_clang.py +8 -2
- data/aws-crt-ffi/crt/aws-lc/util/codecov-ci.sh +82 -0
- data/aws-crt-ffi/crt/aws-lc/util/convert_wycheproof/convert_wycheproof.go +7 -5
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/ACVP.md +7 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/hash.go +24 -9
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/rsa.go +3 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/subprocess.go +15 -10
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/sha512-224-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-128-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-256-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/main.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/modulewrapper.cc +144 -1
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/delocate.go +9 -3
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/in.s +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/out.s +11 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/inject_hash/inject_hash.go +13 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/test-break-kat.sh +2 -0
- data/aws-crt-ffi/crt/aws-lc/util/testconfig/testconfig.go +2 -1
- data/aws-crt-ffi/crt/s2n/api/s2n.h +9 -5
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/handshake.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/resumption.rs +14 -14
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/throughput.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/harness.rs +106 -102
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/openssl.rs +24 -20
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/rustls.rs +28 -24
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/s2n_tls.rs +52 -50
- data/aws-crt-ffi/crt/s2n/bindings/rust/generate/Cargo.toml +1 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/integration/Cargo.toml +3 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/src/connection.rs +9 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/templates/Cargo.template +2 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/tests/cbmc/sources/make_common_datastructures.c +9 -2
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_client_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_tls13_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_auth_selection_test.c +19 -9
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_auth_handshake_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_cert_verify_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_test.c +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_signature_algorithms_extension_test.c +4 -5
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_protocol_versions_test.c +390 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_test.c +8 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_handshake_test.c +2 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_quic_support_io_test.c +106 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_security_policies_test.c +6 -2
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_offload_signing_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_session_resumption_test.c +135 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_new_session_ticket_test.c +32 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_signature_algorithms_extension_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_signature_algorithms_test.c +307 -283
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_request_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_verify_test.c +18 -17
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_x509_validator_test.c +125 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.c +43 -11
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.h +3 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_server_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_auth_selection.c +4 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_cert_verify.c +7 -10
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_hello.c +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c +75 -14
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake.h +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.h +1 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.c +29 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.h +5 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.c +40 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.h +4 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_cert_request.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_hello.c +0 -3
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_key_exchange.c +8 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_new_session_ticket.c +8 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.c +111 -72
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.h +11 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.c +9 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.h +2 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_certificate_verify.c +12 -18
- data/aws-crt-ffi/crt/s2n/tls/s2n_x509_validator.c +7 -7
- data/aws-crt-ffi/src/api.h +1 -0
- data/lib/aws-crt/native.rb +1 -1
- metadata +68 -5
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/m1_tests_ssm_document.yaml +0 -34
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_m1_ec2_instance.sh +0 -96
|
@@ -69,7 +69,7 @@ int main(int argc, char **argv)
|
|
|
69
69
|
EXPECT_TRUE(s2n_stuffer_data_available(&client_conn->handshake.io) > 0);
|
|
70
70
|
EXPECT_SUCCESS(s2n_tls13_cert_req_recv(client_conn));
|
|
71
71
|
|
|
72
|
-
|
|
72
|
+
EXPECT_TRUE(client_conn->handshake_params.server_sig_hash_algs.len > 0);
|
|
73
73
|
|
|
74
74
|
EXPECT_SUCCESS(s2n_connection_free(client_conn));
|
|
75
75
|
EXPECT_SUCCESS(s2n_connection_free(server_conn));
|
|
@@ -77,8 +77,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
77
77
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
78
78
|
EXPECT_SUCCESS(s2n_connection_set_config(sending_conn, config));
|
|
79
79
|
sending_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
80
|
-
sending_conn->handshake_params.
|
|
81
|
-
sending_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
80
|
+
sending_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
81
|
+
sending_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
82
82
|
sending_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
83
83
|
sending_conn->actual_protocol_version = S2N_TLS13;
|
|
84
84
|
|
|
@@ -160,8 +160,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
160
160
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
161
161
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
162
162
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
163
|
-
verifying_conn->handshake_params.
|
|
164
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
163
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
164
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
165
165
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
166
166
|
|
|
167
167
|
EXPECT_SUCCESS(s2n_blob_init(&b, (uint8_t *) cert_chain_pem, strlen(cert_chain_pem) + 1));
|
|
@@ -229,8 +229,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
229
229
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
230
230
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
231
231
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
232
|
-
verifying_conn->handshake_params.
|
|
233
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
232
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
233
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
234
234
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
235
235
|
|
|
236
236
|
EXPECT_SUCCESS(s2n_blob_init(&b, (uint8_t *) cert_chain_pem, strlen(cert_chain_pem) + 1));
|
|
@@ -299,8 +299,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
299
299
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
300
300
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
301
301
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
302
|
-
verifying_conn->handshake_params.
|
|
303
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
302
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
303
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
304
304
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
305
305
|
verifying_conn->actual_protocol_version = S2N_TLS13;
|
|
306
306
|
|
|
@@ -328,17 +328,18 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
328
328
|
EXPECT_SUCCESS(s2n_hash_init(&verifying_conn->handshake.hashes->sha256, S2N_HASH_SHA256));
|
|
329
329
|
EXPECT_SUCCESS(s2n_hash_update(&verifying_conn->handshake.hashes->sha256, hello, strlen((char *) hello)));
|
|
330
330
|
|
|
331
|
-
/* In this case it doesn't matter if we use
|
|
332
|
-
verifying_conn->handshake_params.
|
|
333
|
-
|
|
331
|
+
/* In this case it doesn't matter if we use server_cert_sig_scheme or client_cert_sig_scheme as they are currently equal */
|
|
332
|
+
struct s2n_signature_scheme test_scheme = *verifying_conn->handshake_params.server_cert_sig_scheme;
|
|
333
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &test_scheme;
|
|
334
|
+
test_scheme.hash_alg = S2N_HASH_SHA1;
|
|
335
|
+
EXPECT_FAILURE(s2n_tls13_cert_read_and_verify_signature(verifying_conn,
|
|
336
|
+
verifying_conn->handshake_params.server_cert_sig_scheme));
|
|
334
337
|
|
|
335
338
|
/* send and receive with mismatched signature algs */
|
|
336
|
-
verifying_conn->handshake_params.
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
verifying_conn->handshake_params.client_cert_sig_scheme.sig_alg = S2N_SIGNATURE_ECDSA;
|
|
341
|
-
verifying_conn->handshake_params.client_cert_sig_scheme.iana_value = 0xFFFF;
|
|
339
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &test_scheme;
|
|
340
|
+
test_scheme.hash_alg = S2N_HASH_SHA256;
|
|
341
|
+
test_scheme.sig_alg = S2N_SIGNATURE_ECDSA;
|
|
342
|
+
test_scheme.iana_value = 0xFFFF;
|
|
342
343
|
|
|
343
344
|
EXPECT_SUCCESS(s2n_hash_init(&verifying_conn->handshake.hashes->sha256, S2N_HASH_SHA256));
|
|
344
345
|
EXPECT_SUCCESS(s2n_hash_update(&verifying_conn->handshake.hashes->sha256, hello, strlen((char *) hello)));
|
|
@@ -16,6 +16,8 @@
|
|
|
16
16
|
#include "s2n_test.h"
|
|
17
17
|
#include "testlib/s2n_testlib.h"
|
|
18
18
|
|
|
19
|
+
DEFINE_POINTER_CLEANUP_FUNC(X509 *, X509_free);
|
|
20
|
+
|
|
19
21
|
static int mock_time(void *data, uint64_t *timestamp)
|
|
20
22
|
{
|
|
21
23
|
*timestamp = *(uint64_t *) data;
|
|
@@ -1970,5 +1972,128 @@ int main(int argc, char **argv)
|
|
|
1970
1972
|
};
|
|
1971
1973
|
};
|
|
1972
1974
|
|
|
1975
|
+
/* Ensure that non-root certificates added to the trust store are trusted */
|
|
1976
|
+
{
|
|
1977
|
+
const char *non_root_cert_path = S2N_RSA_2048_PKCS1_LEAF_CERT;
|
|
1978
|
+
|
|
1979
|
+
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
|
|
1980
|
+
/* Ensure that the test certificate isn't self-signed, and is therefore not a root.
|
|
1981
|
+
*
|
|
1982
|
+
* The X509_get_extension_flags API wasn't added to OpenSSL until 1.1.0.
|
|
1983
|
+
*/
|
|
1984
|
+
{
|
|
1985
|
+
const char *non_root_key_path = S2N_RSA_2048_PKCS1_KEY;
|
|
1986
|
+
|
|
1987
|
+
DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
|
|
1988
|
+
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key, non_root_cert_path, non_root_key_path));
|
|
1989
|
+
struct s2n_cert *cert = NULL;
|
|
1990
|
+
EXPECT_SUCCESS(s2n_cert_chain_get_cert(chain_and_key, &cert, 0));
|
|
1991
|
+
EXPECT_NOT_NULL(cert);
|
|
1992
|
+
|
|
1993
|
+
/* Use the s2n_cert to convert the PEM to ASN.1. */
|
|
1994
|
+
const uint8_t *asn1_data = NULL;
|
|
1995
|
+
uint32_t asn1_len = 0;
|
|
1996
|
+
EXPECT_SUCCESS(s2n_cert_get_der(cert, &asn1_data, &asn1_len));
|
|
1997
|
+
EXPECT_NOT_NULL(asn1_data);
|
|
1998
|
+
|
|
1999
|
+
/* Parse the ASN.1 data with the libcrypto */
|
|
2000
|
+
DEFER_CLEANUP(X509 *x509 = d2i_X509(NULL, &asn1_data, asn1_len), X509_free_pointer);
|
|
2001
|
+
EXPECT_NOT_NULL(x509);
|
|
2002
|
+
|
|
2003
|
+
/* Ensure that the self-signed flag isn't set */
|
|
2004
|
+
uint32_t extension_flags = X509_get_extension_flags(x509);
|
|
2005
|
+
EXPECT_EQUAL(extension_flags & EXFLAG_SS, 0);
|
|
2006
|
+
}
|
|
2007
|
+
#endif
|
|
2008
|
+
|
|
2009
|
+
/* Test s2n_config_set_verification_ca_location */
|
|
2010
|
+
{
|
|
2011
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2012
|
+
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, non_root_cert_path, NULL));
|
|
2013
|
+
|
|
2014
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2015
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2016
|
+
|
|
2017
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2018
|
+
EXPECT_NOT_NULL(connection);
|
|
2019
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2020
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2021
|
+
|
|
2022
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2023
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2024
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2025
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2026
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2027
|
+
|
|
2028
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2029
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2030
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2031
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2032
|
+
&public_key_out));
|
|
2033
|
+
}
|
|
2034
|
+
|
|
2035
|
+
/* Test s2n_config_add_pem_to_trust_store */
|
|
2036
|
+
{
|
|
2037
|
+
char non_root_cert_pem[S2N_MAX_TEST_PEM_SIZE] = { 0 };
|
|
2038
|
+
EXPECT_SUCCESS(s2n_read_test_pem(non_root_cert_path, non_root_cert_pem, S2N_MAX_TEST_PEM_SIZE));
|
|
2039
|
+
|
|
2040
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2041
|
+
EXPECT_SUCCESS(s2n_config_add_pem_to_trust_store(config, non_root_cert_pem));
|
|
2042
|
+
|
|
2043
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2044
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2045
|
+
|
|
2046
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2047
|
+
EXPECT_NOT_NULL(connection);
|
|
2048
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2049
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2050
|
+
|
|
2051
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2052
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2053
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2054
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2055
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2056
|
+
|
|
2057
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2058
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2059
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2060
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2061
|
+
&public_key_out));
|
|
2062
|
+
}
|
|
2063
|
+
|
|
2064
|
+
/* Test system trust store
|
|
2065
|
+
*
|
|
2066
|
+
* This test uses the SSL_CERT_FILE environment variable to override the system trust store
|
|
2067
|
+
* location, which isn't supported by LibreSSL.
|
|
2068
|
+
*/
|
|
2069
|
+
if (!s2n_libcrypto_is_libressl()) {
|
|
2070
|
+
/* Override the system cert file with the non-root test cert. */
|
|
2071
|
+
EXPECT_SUCCESS(setenv("SSL_CERT_FILE", non_root_cert_path, 1));
|
|
2072
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2073
|
+
|
|
2074
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2075
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2076
|
+
|
|
2077
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2078
|
+
EXPECT_NOT_NULL(connection);
|
|
2079
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2080
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2081
|
+
|
|
2082
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2083
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2084
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2085
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2086
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2087
|
+
|
|
2088
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2089
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2090
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2091
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2092
|
+
&public_key_out));
|
|
2093
|
+
|
|
2094
|
+
EXPECT_SUCCESS(unsetenv("SSL_CERT_FILE"));
|
|
2095
|
+
}
|
|
2096
|
+
}
|
|
2097
|
+
|
|
1973
2098
|
END_TEST();
|
|
1974
2099
|
}
|
|
@@ -24,12 +24,13 @@
|
|
|
24
24
|
#include "utils/s2n_safety.h"
|
|
25
25
|
|
|
26
26
|
static bool s2n_client_signature_algorithms_should_send(struct s2n_connection *conn);
|
|
27
|
+
static int s2n_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
27
28
|
static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
28
29
|
|
|
29
30
|
const s2n_extension_type s2n_client_signature_algorithms_extension = {
|
|
30
31
|
.iana_value = TLS_EXTENSION_SIGNATURE_ALGORITHMS,
|
|
31
32
|
.is_response = false,
|
|
32
|
-
.send =
|
|
33
|
+
.send = s2n_client_signature_algorithms_send,
|
|
33
34
|
.recv = s2n_client_signature_algorithms_recv,
|
|
34
35
|
.should_send = s2n_client_signature_algorithms_should_send,
|
|
35
36
|
.if_missing = s2n_extension_noop_if_missing,
|
|
@@ -40,6 +41,12 @@ static bool s2n_client_signature_algorithms_should_send(struct s2n_connection *c
|
|
|
40
41
|
return s2n_connection_get_protocol_version(conn) >= S2N_TLS12;
|
|
41
42
|
}
|
|
42
43
|
|
|
44
|
+
static int s2n_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
45
|
+
{
|
|
46
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithms_supported_list_send(conn, extension));
|
|
47
|
+
return S2N_SUCCESS;
|
|
48
|
+
}
|
|
49
|
+
|
|
43
50
|
static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
44
51
|
{
|
|
45
52
|
return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.client_sig_hash_algs);
|
|
@@ -74,7 +74,8 @@ static int s2n_client_supported_versions_send(struct s2n_connection *conn, struc
|
|
|
74
74
|
return S2N_SUCCESS;
|
|
75
75
|
}
|
|
76
76
|
|
|
77
|
-
|
|
77
|
+
int s2n_extensions_client_supported_versions_process(struct s2n_connection *conn, struct s2n_stuffer *extension,
|
|
78
|
+
uint8_t *client_protocol_version_out, uint8_t *actual_protocol_version_out)
|
|
78
79
|
{
|
|
79
80
|
uint8_t highest_supported_version = conn->server_protocol_version;
|
|
80
81
|
uint8_t minimum_supported_version = s2n_unknown_protocol_version;
|
|
@@ -85,8 +86,8 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
85
86
|
S2N_ERROR_IF(size_of_version_list != s2n_stuffer_data_available(extension), S2N_ERR_BAD_MESSAGE);
|
|
86
87
|
S2N_ERROR_IF(size_of_version_list % S2N_TLS_PROTOCOL_VERSION_LEN != 0, S2N_ERR_BAD_MESSAGE);
|
|
87
88
|
|
|
88
|
-
|
|
89
|
-
|
|
89
|
+
uint8_t client_protocol_version = s2n_unknown_protocol_version;
|
|
90
|
+
uint8_t actual_protocol_version = s2n_unknown_protocol_version;
|
|
90
91
|
|
|
91
92
|
for (int i = 0; i < size_of_version_list; i += S2N_TLS_PROTOCOL_VERSION_LEN) {
|
|
92
93
|
uint8_t client_version_parts[S2N_TLS_PROTOCOL_VERSION_LEN];
|
|
@@ -101,7 +102,7 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
101
102
|
|
|
102
103
|
uint16_t client_version = (client_version_parts[0] * 10) + client_version_parts[1];
|
|
103
104
|
|
|
104
|
-
|
|
105
|
+
client_protocol_version = MAX(client_version, client_protocol_version);
|
|
105
106
|
|
|
106
107
|
if (client_version > highest_supported_version) {
|
|
107
108
|
continue;
|
|
@@ -113,27 +114,58 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
113
114
|
|
|
114
115
|
/* We ignore the client's preferred order and instead choose
|
|
115
116
|
* the highest version that both client and server support. */
|
|
116
|
-
|
|
117
|
+
actual_protocol_version = MAX(client_version, actual_protocol_version);
|
|
117
118
|
}
|
|
118
119
|
|
|
119
|
-
|
|
120
|
-
|
|
120
|
+
*client_protocol_version_out = client_protocol_version;
|
|
121
|
+
*actual_protocol_version_out = actual_protocol_version;
|
|
121
122
|
|
|
122
123
|
return S2N_SUCCESS;
|
|
123
124
|
}
|
|
124
125
|
|
|
125
|
-
static
|
|
126
|
+
static S2N_RESULT s2n_client_supported_versions_recv_impl(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
126
127
|
{
|
|
128
|
+
RESULT_ENSURE_REF(conn);
|
|
129
|
+
RESULT_ENSURE_REF(extension);
|
|
130
|
+
|
|
131
|
+
RESULT_GUARD_POSIX(s2n_extensions_client_supported_versions_process(conn, extension, &conn->client_protocol_version,
|
|
132
|
+
&conn->actual_protocol_version));
|
|
133
|
+
|
|
134
|
+
RESULT_ENSURE(conn->client_protocol_version != s2n_unknown_protocol_version, S2N_ERR_UNKNOWN_PROTOCOL_VERSION);
|
|
135
|
+
RESULT_ENSURE(conn->actual_protocol_version != s2n_unknown_protocol_version, S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);
|
|
136
|
+
|
|
137
|
+
return S2N_RESULT_OK;
|
|
138
|
+
}
|
|
139
|
+
|
|
140
|
+
static int s2n_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
141
|
+
{
|
|
142
|
+
/* For backwards compatibility, the supported versions extension isn't used for protocol
|
|
143
|
+
* version selection if the server doesn't support TLS 1.3. This ensures that TLS 1.2 servers
|
|
144
|
+
* experience no behavior change due to processing the TLS 1.3 extension. See
|
|
145
|
+
* https://github.com/aws/s2n-tls/issues/4240.
|
|
146
|
+
*
|
|
147
|
+
*= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.1
|
|
148
|
+
*= type=exception
|
|
149
|
+
*= reason=The client hello legacy version is used for version selection on TLS 1.2 servers for backwards compatibility
|
|
150
|
+
*# If this extension is present in the ClientHello, servers MUST NOT use
|
|
151
|
+
*# the ClientHello.legacy_version value for version negotiation and MUST
|
|
152
|
+
*# use only the "supported_versions" extension to determine client
|
|
153
|
+
*# preferences.
|
|
154
|
+
*/
|
|
127
155
|
if (s2n_connection_get_protocol_version(conn) < S2N_TLS13) {
|
|
128
156
|
return S2N_SUCCESS;
|
|
129
157
|
}
|
|
130
158
|
|
|
131
|
-
|
|
132
|
-
if (result
|
|
159
|
+
s2n_result result = s2n_client_supported_versions_recv_impl(conn, extension);
|
|
160
|
+
if (s2n_result_is_error(result)) {
|
|
161
|
+
conn->client_protocol_version = s2n_unknown_protocol_version;
|
|
162
|
+
conn->actual_protocol_version = s2n_unknown_protocol_version;
|
|
163
|
+
|
|
133
164
|
s2n_queue_reader_unsupported_protocol_version_alert(conn);
|
|
134
165
|
POSIX_ENSURE(s2n_errno != S2N_ERR_SAFETY, S2N_ERR_BAD_MESSAGE);
|
|
135
166
|
}
|
|
136
|
-
|
|
167
|
+
POSIX_GUARD_RESULT(result);
|
|
168
|
+
|
|
137
169
|
return S2N_SUCCESS;
|
|
138
170
|
}
|
|
139
171
|
|
|
@@ -20,6 +20,9 @@
|
|
|
20
20
|
|
|
21
21
|
extern const s2n_extension_type s2n_client_supported_versions_extension;
|
|
22
22
|
|
|
23
|
+
int s2n_extensions_client_supported_versions_process(struct s2n_connection *conn, struct s2n_stuffer *extension,
|
|
24
|
+
uint8_t *client_protocol_version_out, uint8_t *actual_protocol_version_out);
|
|
25
|
+
|
|
23
26
|
/* Old-style extension functions -- remove after extensions refactor is complete */
|
|
24
27
|
int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
25
28
|
int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn);
|
|
@@ -24,17 +24,24 @@
|
|
|
24
24
|
#include "tls/s2n_tls_parameters.h"
|
|
25
25
|
#include "utils/s2n_safety.h"
|
|
26
26
|
|
|
27
|
+
static int s2n_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
27
28
|
static int s2n_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
28
29
|
|
|
29
30
|
const s2n_extension_type s2n_server_signature_algorithms_extension = {
|
|
30
31
|
.iana_value = TLS_EXTENSION_SIGNATURE_ALGORITHMS,
|
|
31
32
|
.is_response = false,
|
|
32
|
-
.send =
|
|
33
|
+
.send = s2n_signature_algorithms_send,
|
|
33
34
|
.recv = s2n_signature_algorithms_recv,
|
|
34
35
|
.should_send = s2n_extension_always_send,
|
|
35
36
|
.if_missing = s2n_extension_error_if_missing,
|
|
36
37
|
};
|
|
37
38
|
|
|
39
|
+
static int s2n_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
40
|
+
{
|
|
41
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithms_supported_list_send(conn, extension));
|
|
42
|
+
return S2N_SUCCESS;
|
|
43
|
+
}
|
|
44
|
+
|
|
38
45
|
static int s2n_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
39
46
|
{
|
|
40
47
|
return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.server_sig_hash_algs);
|
|
@@ -221,9 +221,11 @@ int s2n_is_cert_type_valid_for_auth(struct s2n_connection *conn, s2n_pkey_type c
|
|
|
221
221
|
int s2n_select_certs_for_server_auth(struct s2n_connection *conn, struct s2n_cert_chain_and_key **chosen_certs)
|
|
222
222
|
{
|
|
223
223
|
POSIX_ENSURE_REF(conn);
|
|
224
|
+
POSIX_ENSURE_REF(conn->handshake_params.server_cert_sig_scheme);
|
|
225
|
+
s2n_signature_algorithm sig_alg = conn->handshake_params.server_cert_sig_scheme->sig_alg;
|
|
224
226
|
|
|
225
|
-
s2n_pkey_type cert_type;
|
|
226
|
-
POSIX_GUARD(s2n_get_cert_type_for_sig_alg(
|
|
227
|
+
s2n_pkey_type cert_type = 0;
|
|
228
|
+
POSIX_GUARD(s2n_get_cert_type_for_sig_alg(sig_alg, &cert_type));
|
|
227
229
|
|
|
228
230
|
*chosen_certs = s2n_get_compatible_cert_chain_and_key(conn, cert_type);
|
|
229
231
|
S2N_ERROR_IF(*chosen_certs == NULL, S2N_ERR_CERT_TYPE_UNSUPPORTED);
|
|
@@ -32,14 +32,10 @@ int s2n_client_cert_verify_recv(struct s2n_connection *conn)
|
|
|
32
32
|
POSIX_ENSURE_REF(hashes);
|
|
33
33
|
|
|
34
34
|
struct s2n_stuffer *in = &conn->handshake.io;
|
|
35
|
-
struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
|
|
36
35
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
/* Verify the SigScheme picked by the Client was in the preference list we sent (or is the default SigScheme) */
|
|
41
|
-
POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, chosen_sig_scheme));
|
|
42
|
-
}
|
|
36
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
|
|
37
|
+
const struct s2n_signature_scheme *chosen_sig_scheme = conn->handshake_params.client_cert_sig_scheme;
|
|
38
|
+
POSIX_ENSURE_REF(chosen_sig_scheme);
|
|
43
39
|
|
|
44
40
|
uint16_t signature_size;
|
|
45
41
|
struct s2n_blob signature = { 0 };
|
|
@@ -70,12 +66,13 @@ int s2n_client_cert_verify_send(struct s2n_connection *conn)
|
|
|
70
66
|
S2N_ASYNC_PKEY_GUARD(conn);
|
|
71
67
|
struct s2n_stuffer *out = &conn->handshake.io;
|
|
72
68
|
|
|
73
|
-
struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
|
|
74
69
|
if (conn->actual_protocol_version < S2N_TLS12) {
|
|
75
|
-
POSIX_GUARD(s2n_choose_default_sig_scheme(conn,
|
|
70
|
+
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.client_cert_sig_scheme, S2N_CLIENT));
|
|
76
71
|
} else {
|
|
77
|
-
POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.client_cert_sig_scheme
|
|
72
|
+
POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.client_cert_sig_scheme->iana_value));
|
|
78
73
|
}
|
|
74
|
+
const struct s2n_signature_scheme *chosen_sig_scheme = conn->handshake_params.client_cert_sig_scheme;
|
|
75
|
+
POSIX_ENSURE_REF(chosen_sig_scheme);
|
|
79
76
|
|
|
80
77
|
/* Use a copy of the hash state since the verify digest computation may modify the running hash state we need later. */
|
|
81
78
|
struct s2n_hash_state *hash_state = &hashes->hash_workspace;
|
|
@@ -598,7 +598,7 @@ int s2n_process_client_hello(struct s2n_connection *conn)
|
|
|
598
598
|
/* And set the signature and hash algorithm used for key exchange signatures */
|
|
599
599
|
POSIX_GUARD(s2n_choose_sig_scheme_from_peer_preference_list(conn,
|
|
600
600
|
&conn->handshake_params.client_sig_hash_algs,
|
|
601
|
-
&conn->handshake_params.
|
|
601
|
+
&conn->handshake_params.server_cert_sig_scheme));
|
|
602
602
|
|
|
603
603
|
/* And finally, set the certs specified by the final auth + sig_alg combo. */
|
|
604
604
|
POSIX_GUARD(s2n_select_certs_for_server_auth(conn, &conn->handshake_params.our_chain_and_key));
|
|
@@ -833,7 +833,7 @@ int s2n_sslv2_client_hello_recv(struct s2n_connection *conn)
|
|
|
833
833
|
POSIX_GUARD(s2n_conn_find_name_matching_certs(conn));
|
|
834
834
|
|
|
835
835
|
POSIX_GUARD(s2n_set_cipher_as_sslv2_server(conn, client_hello->cipher_suites.data, client_hello->cipher_suites.size / S2N_SSLv2_CIPHER_SUITE_LEN));
|
|
836
|
-
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.
|
|
836
|
+
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.server_cert_sig_scheme, S2N_SERVER));
|
|
837
837
|
POSIX_GUARD(s2n_select_certs_for_server_auth(conn, &conn->handshake_params.our_chain_and_key));
|
|
838
838
|
|
|
839
839
|
S2N_ERROR_IF(session_id_length > s2n_stuffer_data_available(in), S2N_ERR_BAD_MESSAGE);
|
|
@@ -32,6 +32,7 @@
|
|
|
32
32
|
#include "crypto/s2n_openssl_x509.h"
|
|
33
33
|
#include "error/s2n_errno.h"
|
|
34
34
|
#include "tls/extensions/s2n_client_server_name.h"
|
|
35
|
+
#include "tls/extensions/s2n_client_supported_versions.h"
|
|
35
36
|
#include "tls/s2n_alerts.h"
|
|
36
37
|
#include "tls/s2n_cipher_suites.h"
|
|
37
38
|
#include "tls/s2n_handshake.h"
|
|
@@ -557,6 +558,8 @@ int s2n_connection_wipe(struct s2n_connection *conn)
|
|
|
557
558
|
conn->secure = secure;
|
|
558
559
|
conn->client = conn->initial;
|
|
559
560
|
conn->server = conn->initial;
|
|
561
|
+
conn->handshake_params.client_cert_sig_scheme = &s2n_null_sig_scheme;
|
|
562
|
+
conn->handshake_params.server_cert_sig_scheme = &s2n_null_sig_scheme;
|
|
560
563
|
|
|
561
564
|
POSIX_GUARD_RESULT(s2n_psk_parameters_init(&conn->psk_params));
|
|
562
565
|
conn->server_keying_material_lifetime = ONE_WEEK_IN_SEC;
|
|
@@ -617,17 +620,17 @@ int s2n_connection_set_send_cb(struct s2n_connection *conn, s2n_send_fn send)
|
|
|
617
620
|
return S2N_SUCCESS;
|
|
618
621
|
}
|
|
619
622
|
|
|
620
|
-
int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **
|
|
623
|
+
int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **cert_chain_out, uint32_t *cert_chain_len)
|
|
621
624
|
{
|
|
622
625
|
POSIX_ENSURE_REF(conn);
|
|
623
|
-
POSIX_ENSURE_REF(
|
|
626
|
+
POSIX_ENSURE_REF(cert_chain_out);
|
|
624
627
|
POSIX_ENSURE_REF(cert_chain_len);
|
|
625
628
|
POSIX_ENSURE_REF(conn->handshake_params.client_cert_chain.data);
|
|
626
629
|
|
|
627
|
-
*
|
|
630
|
+
*cert_chain_out = conn->handshake_params.client_cert_chain.data;
|
|
628
631
|
*cert_chain_len = conn->handshake_params.client_cert_chain.size;
|
|
629
632
|
|
|
630
|
-
return
|
|
633
|
+
return S2N_SUCCESS;
|
|
631
634
|
}
|
|
632
635
|
|
|
633
636
|
int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences)
|
|
@@ -936,10 +939,58 @@ const char *s2n_connection_get_kem_group_name(struct s2n_connection *conn)
|
|
|
936
939
|
return conn->kex_params.client_kem_group_params.kem_group->name;
|
|
937
940
|
}
|
|
938
941
|
|
|
942
|
+
static S2N_RESULT s2n_connection_get_client_supported_version(struct s2n_connection *conn,
|
|
943
|
+
uint8_t *client_supported_version)
|
|
944
|
+
{
|
|
945
|
+
RESULT_ENSURE_REF(conn);
|
|
946
|
+
RESULT_ENSURE_EQ(conn->mode, S2N_SERVER);
|
|
947
|
+
|
|
948
|
+
struct s2n_client_hello *client_hello = s2n_connection_get_client_hello(conn);
|
|
949
|
+
RESULT_ENSURE_REF(client_hello);
|
|
950
|
+
|
|
951
|
+
s2n_parsed_extension *supported_versions_extension = NULL;
|
|
952
|
+
RESULT_GUARD_POSIX(s2n_client_hello_get_parsed_extension(S2N_EXTENSION_SUPPORTED_VERSIONS, &client_hello->extensions,
|
|
953
|
+
&supported_versions_extension));
|
|
954
|
+
RESULT_ENSURE_REF(supported_versions_extension);
|
|
955
|
+
|
|
956
|
+
struct s2n_stuffer supported_versions_stuffer = { 0 };
|
|
957
|
+
RESULT_GUARD_POSIX(s2n_stuffer_init_written(&supported_versions_stuffer, &supported_versions_extension->extension));
|
|
958
|
+
|
|
959
|
+
uint8_t client_protocol_version = s2n_unknown_protocol_version;
|
|
960
|
+
uint8_t actual_protocol_version = s2n_unknown_protocol_version;
|
|
961
|
+
RESULT_GUARD_POSIX(s2n_extensions_client_supported_versions_process(conn, &supported_versions_stuffer,
|
|
962
|
+
&client_protocol_version, &actual_protocol_version));
|
|
963
|
+
|
|
964
|
+
RESULT_ENSURE_NE(client_protocol_version, s2n_unknown_protocol_version);
|
|
965
|
+
|
|
966
|
+
*client_supported_version = client_protocol_version;
|
|
967
|
+
|
|
968
|
+
return S2N_RESULT_OK;
|
|
969
|
+
}
|
|
970
|
+
|
|
939
971
|
int s2n_connection_get_client_protocol_version(struct s2n_connection *conn)
|
|
940
972
|
{
|
|
941
973
|
POSIX_ENSURE_REF(conn);
|
|
942
974
|
|
|
975
|
+
/* For backwards compatibility, the client_protocol_version field isn't updated via the
|
|
976
|
+
* supported versions extension on TLS 1.2 servers. See
|
|
977
|
+
* https://github.com/aws/s2n-tls/issues/4240.
|
|
978
|
+
*
|
|
979
|
+
* The extension is processed here to ensure that TLS 1.2 servers report the same client
|
|
980
|
+
* protocol version to applications as TLS 1.3 servers.
|
|
981
|
+
*/
|
|
982
|
+
if (conn->mode == S2N_SERVER && conn->server_protocol_version <= S2N_TLS12) {
|
|
983
|
+
uint8_t client_supported_version = s2n_unknown_protocol_version;
|
|
984
|
+
s2n_result result = s2n_connection_get_client_supported_version(conn, &client_supported_version);
|
|
985
|
+
|
|
986
|
+
/* If the extension wasn't received, or if a client protocol version couldn't be determined
|
|
987
|
+
* after processing the extension, the extension is ignored.
|
|
988
|
+
*/
|
|
989
|
+
if (s2n_result_is_ok(result)) {
|
|
990
|
+
return client_supported_version;
|
|
991
|
+
}
|
|
992
|
+
}
|
|
993
|
+
|
|
943
994
|
return conn->client_protocol_version;
|
|
944
995
|
}
|
|
945
996
|
|
|
@@ -1404,7 +1455,8 @@ int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct
|
|
|
1404
1455
|
return S2N_SUCCESS;
|
|
1405
1456
|
}
|
|
1406
1457
|
|
|
1407
|
-
static S2N_RESULT s2n_signature_scheme_to_tls_iana(struct s2n_signature_scheme *sig_scheme,
|
|
1458
|
+
static S2N_RESULT s2n_signature_scheme_to_tls_iana(const struct s2n_signature_scheme *sig_scheme,
|
|
1459
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1408
1460
|
{
|
|
1409
1461
|
RESULT_ENSURE_REF(sig_scheme);
|
|
1410
1462
|
RESULT_ENSURE_REF(converted_scheme);
|
|
@@ -1439,26 +1491,31 @@ static S2N_RESULT s2n_signature_scheme_to_tls_iana(struct s2n_signature_scheme *
|
|
|
1439
1491
|
return S2N_RESULT_OK;
|
|
1440
1492
|
}
|
|
1441
1493
|
|
|
1442
|
-
int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn,
|
|
1494
|
+
int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn,
|
|
1495
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1443
1496
|
{
|
|
1444
1497
|
POSIX_ENSURE_REF(conn);
|
|
1445
1498
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1446
1499
|
|
|
1447
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1500
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1501
|
+
conn->handshake_params.server_cert_sig_scheme, converted_scheme));
|
|
1448
1502
|
|
|
1449
1503
|
return S2N_SUCCESS;
|
|
1450
1504
|
}
|
|
1451
1505
|
|
|
1452
|
-
int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn,
|
|
1506
|
+
int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn,
|
|
1507
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1453
1508
|
{
|
|
1454
1509
|
POSIX_ENSURE_REF(conn);
|
|
1455
1510
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1456
1511
|
|
|
1457
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1512
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1513
|
+
conn->handshake_params.client_cert_sig_scheme, converted_scheme));
|
|
1458
1514
|
return S2N_SUCCESS;
|
|
1459
1515
|
}
|
|
1460
1516
|
|
|
1461
|
-
static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(struct s2n_signature_scheme *sig_scheme,
|
|
1517
|
+
static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(const struct s2n_signature_scheme *sig_scheme,
|
|
1518
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1462
1519
|
{
|
|
1463
1520
|
RESULT_ENSURE_REF(sig_scheme);
|
|
1464
1521
|
RESULT_ENSURE_REF(converted_scheme);
|
|
@@ -1484,22 +1541,26 @@ static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(struct s2n_signatu
|
|
|
1484
1541
|
return S2N_RESULT_OK;
|
|
1485
1542
|
}
|
|
1486
1543
|
|
|
1487
|
-
int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn,
|
|
1544
|
+
int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn,
|
|
1545
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1488
1546
|
{
|
|
1489
1547
|
POSIX_ENSURE_REF(conn);
|
|
1490
1548
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1491
1549
|
|
|
1492
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1550
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1551
|
+
conn->handshake_params.server_cert_sig_scheme, converted_scheme));
|
|
1493
1552
|
|
|
1494
1553
|
return S2N_SUCCESS;
|
|
1495
1554
|
}
|
|
1496
1555
|
|
|
1497
|
-
int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn,
|
|
1556
|
+
int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn,
|
|
1557
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1498
1558
|
{
|
|
1499
1559
|
POSIX_ENSURE_REF(conn);
|
|
1500
1560
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1501
1561
|
|
|
1502
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1562
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1563
|
+
conn->handshake_params.client_cert_sig_scheme, converted_scheme));
|
|
1503
1564
|
|
|
1504
1565
|
return S2N_SUCCESS;
|
|
1505
1566
|
}
|
|
@@ -104,12 +104,12 @@ struct s2n_handshake_parameters {
|
|
|
104
104
|
/* Signature/hash algorithm pairs offered by the client in the signature_algorithms extension */
|
|
105
105
|
struct s2n_sig_scheme_list client_sig_hash_algs;
|
|
106
106
|
/* Signature scheme chosen by the server */
|
|
107
|
-
struct s2n_signature_scheme
|
|
107
|
+
const struct s2n_signature_scheme *server_cert_sig_scheme;
|
|
108
108
|
|
|
109
109
|
/* Signature/hash algorithm pairs offered by the server in the certificate request */
|
|
110
110
|
struct s2n_sig_scheme_list server_sig_hash_algs;
|
|
111
111
|
/* Signature scheme chosen by the client */
|
|
112
|
-
struct s2n_signature_scheme client_cert_sig_scheme;
|
|
112
|
+
const struct s2n_signature_scheme *client_cert_sig_scheme;
|
|
113
113
|
|
|
114
114
|
/* The cert chain we will send the peer. */
|
|
115
115
|
struct s2n_cert_chain_and_key *our_chain_and_key;
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
#include "tls/s2n_tls.h"
|
|
22
22
|
#include "utils/s2n_safety.h"
|
|
23
23
|
|
|
24
|
-
|
|
24
|
+
S2N_RESULT s2n_post_handshake_process(struct s2n_connection *conn, struct s2n_stuffer *in, uint8_t message_type)
|
|
25
25
|
{
|
|
26
26
|
RESULT_ENSURE_REF(conn);
|
|
27
27
|
|