aws-crt 0.1.9 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/auth.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/aws_imds_client.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/credentials.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/aws_signing.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/credentials_utils.h +2 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/signing_config.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/auth.c +3 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_imds_client.c +146 -63
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_signing.c +41 -19
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_imds.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_utils.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/signable_http_request.c +2 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/signing_config.c +25 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/CMakeLists.txt +3 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/aws_imds_client_test.c +197 -31
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_imds_tests.c +16 -18
- data/aws-crt-ffi/crt/aws-c-auth/tests/sigv4_signing_tests.c +3 -1
- data/aws-crt-ffi/crt/aws-c-cal/include/aws/cal/private/opensslcrypto_common.h +22 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/darwin/commoncrypto_aes.c +46 -17
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_aes.c +1 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_platform_init.c +7 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_rsa.c +59 -2
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/opensslcrypto_ecc.c +1 -0
- data/aws-crt-ffi/crt/aws-c-common/CMakeLists.txt +13 -1
- data/aws-crt-ffi/crt/aws-c-common/THIRD-PARTY-LICENSES.txt +28 -7
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/CMakeLists.txt +18 -0
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/print_system_info.c +48 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/allocator.h +23 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/byte_buf.h +12 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/cross_process_lock.h +35 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/hash_table.h +1 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/priority_queue.h +24 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/private/system_info_priv.h +37 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_info.h +47 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_resource_util.h +30 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/testing/aws_test_harness.h +3 -2
- data/aws-crt-ffi/crt/aws-c-common/source/allocator.c +64 -13
- data/aws-crt-ffi/crt/aws-c-common/source/android/logging.c +14 -0
- data/aws-crt-ffi/crt/aws-c-common/source/common.c +3 -3
- data/aws-crt-ffi/crt/aws-c-common/source/file.c +96 -35
- data/aws-crt-ffi/crt/aws-c-common/source/linux/system_info.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/memtrace.c +10 -3
- data/aws-crt-ffi/crt/aws-c-common/source/platform_fallback_stubs/system_info.c +21 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/cross_process_lock.c +141 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_info.c +1 -1
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_resource_utils.c +32 -0
- data/aws-crt-ffi/crt/aws-c-common/source/priority_queue.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/system_info.c +80 -0
- data/aws-crt-ffi/crt/aws-c-common/source/task_scheduler.c +2 -2
- data/aws-crt-ffi/crt/aws-c-common/source/windows/cross_process_lock.c +93 -0
- data/aws-crt-ffi/crt/aws-c-common/source/windows/system_resource_utils.c +31 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/CMakeLists.txt +16 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/alloc_test.c +83 -22
- data/aws-crt-ffi/crt/aws-c-common/tests/cross_process_lock_tests.c +116 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/file_test.c +103 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/priority_queue_test.c +36 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_info_tests.c +19 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_resource_util_test.c +37 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection.h +9 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/http.h +1 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_impl.h +5 -4
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_manager_system_vtable.h +10 -18
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/proxy_impl.h +5 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/request_response_impl.h +5 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/request_response.h +10 -0
- data/aws-crt-ffi/crt/aws-c-http/source/connection.c +5 -2
- data/aws-crt-ffi/crt/aws-c-http/source/connection_manager.c +22 -21
- data/aws-crt-ffi/crt/aws-c-http/source/h1_connection.c +102 -17
- data/aws-crt-ffi/crt/aws-c-http/source/h1_stream.c +1 -0
- data/aws-crt-ffi/crt/aws-c-http/source/http.c +3 -0
- data/aws-crt-ffi/crt/aws-c-http/source/proxy_connection.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt +2 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_manager.c +18 -18
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_client.c +111 -1
- data/aws-crt-ffi/crt/aws-c-http/tests/test_proxy.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/test_stream_manager.c +2 -2
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/retry_strategy.h +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/exponential_backoff_retry_strategy.c +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_tls_op_handler.c +2 -4
- data/aws-crt-ffi/crt/aws-lc/CMakeLists.txt +16 -8
- data/aws-crt-ffi/crt/aws-lc/cmake/go.cmake +6 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/CMakeLists.txt +6 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_time.c +34 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_utctm.c +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/asn1_test.cc +41 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_mem.c +6 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_test.cc +152 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/connect.c +6 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/fd.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/file.c +20 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket_helper.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/blake2/blake2.c +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbb.c +13 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbs.c +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/asm/chacha-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha.c +49 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha_test.cc +110 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/internal.h +8 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/compiler_test.cc +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/conf/conf_test.cc +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/crypto_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519.c +189 -108
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519_nohw.c +78 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/ed25519_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/internal.h +24 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/spake25519.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/x25519_test.cc +80 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/decrepit/evp/evp_do_all.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_extra.c +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_test.cc +110 -45
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/dsa_test.cc +8 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/internal.h +18 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/dynamic_loading_test.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/ec_derive.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/hash_to_curve.c +6 -18
- data/aws-crt-ffi/crt/aws-lc/crypto/endian_test.cc +308 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/err/ssl.errordata +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_extra_test.cc +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_test.cc +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_tests.txt +25 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_ec_asn1.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_kem.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_rsa_asn1.c +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/print.c +7 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/scrypt.c +13 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/CMakeLists.txt +13 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/aes/aes_nohw.c +18 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bcm.c +12 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_assert_test.cc +77 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_test.cc +30 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bytes.c +112 -22
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/div.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/exponentiation.c +54 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/gcd.c +5 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/internal.h +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery.c +4 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery_inv.c +51 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/cipher/aead.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digest.c +29 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digests.c +89 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/internal.h +4 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec.c +19 -36
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_key.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_montgomery.c +9 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_test.cc +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/internal.h +17 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p224-64.c +5 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256-nistz.c +8 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256.c +9 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p384.c +33 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p521.c +14 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/scalar.c +26 -24
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/simple_mul.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/wnaf.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ecdsa/ecdsa.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/evp.c +43 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/p_ec.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/hmac/hmac.c +3 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/modes/xts.c +26 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/cpu_jitter_test.cc +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/internal.h +20 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/rand.c +10 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/urandom.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/internal.h +59 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/padding.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa.c +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa_impl.c +51 -60
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator.c +5 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator_test.cc +205 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/internal.h +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3.c +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3_test.cc +115 -110
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha512.c +55 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sshkdf/sshkdf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_test.cc +12 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_tests.txt +10 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hrss/asm/poly_rq_mul.S +2 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/impl_dispatch_test.cc +9 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/internal.h +90 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/kem/kem.c +28 -27
- data/aws-crt-ffi/crt/aws-lc/crypto/kyber/kem_kyber.h +14 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_dat.h +52 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_mac.num +5 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/objects.txt +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/arm-xlate.pl +3 -14
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/ppc-xlate.pl +1 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86_64-xlate.pl +4 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86asm.pl +4 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/poly1305/poly1305_arm_asm.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/deterministic.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/fuchsia.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/rand_test.cc +0 -63
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/windows.c +41 -19
- data/aws-crt-ffi/crt/aws-lc/crypto/rsa_extra/rsa_test.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash_test.cc +5 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/stack/stack.c +68 -46
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/pmbtoken.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/voprf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/by_dir.c +0 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/internal.h +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_lu.c +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_test.cc +87 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_trs.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_vfy.c +35 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_lib.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_purp.c +4 -6
- data/aws-crt-ffi/crt/aws-lc/generated-src/crypto_test_data.cc +179 -151
- data/aws-crt-ffi/crt/aws-lc/generated-src/err_data.c +353 -349
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/bn-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/test/trampoline-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/test/trampoline-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/bn-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/co-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/md5-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha1-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/bn-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/co-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/md5-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha1-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/go.mod +4 -4
- data/aws-crt-ffi/crt/aws-lc/go.sum +8 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/aead.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/arm_arch.h +4 -119
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asm_base.h +185 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asn1.h +5 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/base.h +31 -134
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bio.h +30 -18
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bn.h +0 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/chacha.h +6 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/cipher.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/digest.h +9 -6
- data/aws-crt-ffi/crt/aws-lc/include/openssl/dsa.h +0 -21
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ec.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/err.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/evp.h +8 -5
- data/aws-crt-ffi/crt/aws-lc/include/openssl/nid.h +21 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/rsa.h +1 -65
- data/aws-crt-ffi/crt/aws-lc/include/openssl/sha.h +22 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ssl.h +121 -13
- data/aws-crt-ffi/crt/aws-lc/include/openssl/stack.h +229 -208
- data/aws-crt-ffi/crt/aws-lc/include/openssl/target.h +166 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509.h +30 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509v3.h +6 -4
- data/aws-crt-ffi/crt/aws-lc/sources.cmake +2 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/extensions.cc +12 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/handshake_server.cc +28 -18
- data/aws-crt-ffi/crt/aws-lc/ssl/internal.h +41 -6
- data/aws-crt-ffi/crt/aws-lc/ssl/s3_both.cc +9 -17
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_cipher.cc +13 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_key_share.cc +542 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_lib.cc +35 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_test.cc +1847 -14
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_x509.cc +128 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/PORTING.md +10 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/test/bssl_shim.cc +133 -77
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshake_util.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshaker.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_client.go +6 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_messages.go +894 -1042
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_server.go +24 -23
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/prf.go +6 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/runner.go +56 -55
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/shim_dispatcher.go +188 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/ticket.go +37 -39
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.cc +59 -24
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.h +3 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/tls13_server.cc +10 -11
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/app.py +4 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/{aws_lc_mac_arm_ci_stack.py → aws_lc_ec2_test_framework_ci_stack.py} +13 -29
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml +43 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/common_posix_setup.sh +10 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/amazonlinux-2023_base/Dockerfile +5 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/ubuntu-22.04_base/Dockerfile +19 -3
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/amazonlinux-2_gcc-7x-intel-sde/Dockerfile +5 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/build_images.sh +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/push_images.sh +2 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-20.04_clang-10x_formal-verification/create_image.sh +1 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_base/Dockerfile +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_clang-14x-sde/Dockerfile +42 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/vs2017/Dockerfile +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/windows_base/Dockerfile +3 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/README.md +12 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/nginx_patch/aws-lc-nginx.patch +68 -23
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_crt_integration.sh +27 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_monit_integration.sh +56 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/sslproxy_patch/aws-lc-sslproxy.patch +2 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_ec2_test_framework.sh +135 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_fips_tests.sh +14 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde.sh +4 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde_asan.sh +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_windows_tests.bat +39 -3
- data/aws-crt-ffi/crt/aws-lc/third_party/fiat/README.md +21 -6
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519.S +284 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519_alt.S +210 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_mod_n25519.S +186 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_neg_p25519.S +65 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_alt.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte_alt.S +1043 -354
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode.S +700 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode_alt.S +563 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_encode.S +131 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase.S +9626 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase_alt.S +9468 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble.S +3157 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble_alt.S +2941 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p384/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p521/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h +34 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519.S +219 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519_alt.S +245 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_mod_n25519.S +228 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_neg_p25519.S +86 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519_alt.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base.S +1344 -400
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base_alt.S +1348 -402
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode.S +670 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode_alt.S +751 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_encode.S +81 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase.S +9910 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase_alt.S +9986 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble.S +3619 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble_alt.S +3736 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.json +1978 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.txt +1403 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.json +1993 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.txt +1416 -0
- data/aws-crt-ffi/crt/aws-lc/tool/digest.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/tool/internal.h +1 -0
- data/aws-crt-ffi/crt/aws-lc/tool/speed.cc +53 -6
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.go +43 -12
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.json +13 -5
- data/aws-crt-ffi/crt/aws-lc/util/bot/DEPS +4 -4
- data/aws-crt-ffi/crt/aws-lc/util/bot/update_clang.py +8 -2
- data/aws-crt-ffi/crt/aws-lc/util/codecov-ci.sh +82 -0
- data/aws-crt-ffi/crt/aws-lc/util/convert_wycheproof/convert_wycheproof.go +7 -5
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/ACVP.md +7 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/hash.go +24 -9
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/rsa.go +3 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/subprocess.go +15 -10
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/sha512-224-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-128-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-256-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/main.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/modulewrapper.cc +144 -1
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/delocate.go +9 -3
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/in.s +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/out.s +11 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/inject_hash/inject_hash.go +13 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/test-break-kat.sh +2 -0
- data/aws-crt-ffi/crt/aws-lc/util/testconfig/testconfig.go +2 -1
- data/aws-crt-ffi/crt/s2n/api/s2n.h +9 -5
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/handshake.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/resumption.rs +14 -14
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/throughput.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/harness.rs +106 -102
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/openssl.rs +24 -20
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/rustls.rs +28 -24
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/s2n_tls.rs +52 -50
- data/aws-crt-ffi/crt/s2n/bindings/rust/generate/Cargo.toml +1 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/integration/Cargo.toml +3 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/src/connection.rs +9 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/templates/Cargo.template +2 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/tests/cbmc/sources/make_common_datastructures.c +9 -2
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_client_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_tls13_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_auth_selection_test.c +19 -9
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_auth_handshake_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_cert_verify_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_test.c +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_signature_algorithms_extension_test.c +4 -5
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_protocol_versions_test.c +390 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_test.c +8 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_handshake_test.c +2 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_quic_support_io_test.c +106 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_security_policies_test.c +6 -2
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_offload_signing_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_session_resumption_test.c +135 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_new_session_ticket_test.c +32 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_signature_algorithms_extension_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_signature_algorithms_test.c +307 -283
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_request_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_verify_test.c +18 -17
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_x509_validator_test.c +125 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.c +43 -11
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.h +3 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_server_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_auth_selection.c +4 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_cert_verify.c +7 -10
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_hello.c +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c +75 -14
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake.h +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.h +1 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.c +29 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.h +5 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.c +40 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.h +4 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_cert_request.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_hello.c +0 -3
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_key_exchange.c +8 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_new_session_ticket.c +8 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.c +111 -72
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.h +11 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.c +9 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.h +2 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_certificate_verify.c +12 -18
- data/aws-crt-ffi/crt/s2n/tls/s2n_x509_validator.c +7 -7
- data/aws-crt-ffi/src/api.h +1 -0
- data/lib/aws-crt/native.rb +1 -1
- metadata +68 -5
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/m1_tests_ssm_document.yaml +0 -34
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_m1_ec2_instance.sh +0 -96
|
@@ -69,7 +69,7 @@ int main(int argc, char **argv)
|
|
|
69
69
|
EXPECT_TRUE(s2n_stuffer_data_available(&client_conn->handshake.io) > 0);
|
|
70
70
|
EXPECT_SUCCESS(s2n_tls13_cert_req_recv(client_conn));
|
|
71
71
|
|
|
72
|
-
|
|
72
|
+
EXPECT_TRUE(client_conn->handshake_params.server_sig_hash_algs.len > 0);
|
|
73
73
|
|
|
74
74
|
EXPECT_SUCCESS(s2n_connection_free(client_conn));
|
|
75
75
|
EXPECT_SUCCESS(s2n_connection_free(server_conn));
|
|
@@ -77,8 +77,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
77
77
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
78
78
|
EXPECT_SUCCESS(s2n_connection_set_config(sending_conn, config));
|
|
79
79
|
sending_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
80
|
-
sending_conn->handshake_params.
|
|
81
|
-
sending_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
80
|
+
sending_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
81
|
+
sending_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
82
82
|
sending_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
83
83
|
sending_conn->actual_protocol_version = S2N_TLS13;
|
|
84
84
|
|
|
@@ -160,8 +160,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
160
160
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
161
161
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
162
162
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
163
|
-
verifying_conn->handshake_params.
|
|
164
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
163
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
164
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
165
165
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
166
166
|
|
|
167
167
|
EXPECT_SUCCESS(s2n_blob_init(&b, (uint8_t *) cert_chain_pem, strlen(cert_chain_pem) + 1));
|
|
@@ -229,8 +229,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
229
229
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
230
230
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
231
231
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
232
|
-
verifying_conn->handshake_params.
|
|
233
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
232
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
233
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
234
234
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
235
235
|
|
|
236
236
|
EXPECT_SUCCESS(s2n_blob_init(&b, (uint8_t *) cert_chain_pem, strlen(cert_chain_pem) + 1));
|
|
@@ -299,8 +299,8 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
299
299
|
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert_chain));
|
|
300
300
|
EXPECT_SUCCESS(s2n_connection_set_config(verifying_conn, config));
|
|
301
301
|
verifying_conn->handshake_params.our_chain_and_key = cert_chain;
|
|
302
|
-
verifying_conn->handshake_params.
|
|
303
|
-
verifying_conn->handshake_params.client_cert_sig_scheme = sig_scheme;
|
|
302
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &sig_scheme;
|
|
303
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &sig_scheme;
|
|
304
304
|
verifying_conn->secure->cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
|
|
305
305
|
verifying_conn->actual_protocol_version = S2N_TLS13;
|
|
306
306
|
|
|
@@ -328,17 +328,18 @@ int run_tests(const struct s2n_tls13_cert_verify_test *test_case, s2n_mode verif
|
|
|
328
328
|
EXPECT_SUCCESS(s2n_hash_init(&verifying_conn->handshake.hashes->sha256, S2N_HASH_SHA256));
|
|
329
329
|
EXPECT_SUCCESS(s2n_hash_update(&verifying_conn->handshake.hashes->sha256, hello, strlen((char *) hello)));
|
|
330
330
|
|
|
331
|
-
/* In this case it doesn't matter if we use
|
|
332
|
-
verifying_conn->handshake_params.
|
|
333
|
-
|
|
331
|
+
/* In this case it doesn't matter if we use server_cert_sig_scheme or client_cert_sig_scheme as they are currently equal */
|
|
332
|
+
struct s2n_signature_scheme test_scheme = *verifying_conn->handshake_params.server_cert_sig_scheme;
|
|
333
|
+
verifying_conn->handshake_params.server_cert_sig_scheme = &test_scheme;
|
|
334
|
+
test_scheme.hash_alg = S2N_HASH_SHA1;
|
|
335
|
+
EXPECT_FAILURE(s2n_tls13_cert_read_and_verify_signature(verifying_conn,
|
|
336
|
+
verifying_conn->handshake_params.server_cert_sig_scheme));
|
|
334
337
|
|
|
335
338
|
/* send and receive with mismatched signature algs */
|
|
336
|
-
verifying_conn->handshake_params.
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
verifying_conn->handshake_params.client_cert_sig_scheme.sig_alg = S2N_SIGNATURE_ECDSA;
|
|
341
|
-
verifying_conn->handshake_params.client_cert_sig_scheme.iana_value = 0xFFFF;
|
|
339
|
+
verifying_conn->handshake_params.client_cert_sig_scheme = &test_scheme;
|
|
340
|
+
test_scheme.hash_alg = S2N_HASH_SHA256;
|
|
341
|
+
test_scheme.sig_alg = S2N_SIGNATURE_ECDSA;
|
|
342
|
+
test_scheme.iana_value = 0xFFFF;
|
|
342
343
|
|
|
343
344
|
EXPECT_SUCCESS(s2n_hash_init(&verifying_conn->handshake.hashes->sha256, S2N_HASH_SHA256));
|
|
344
345
|
EXPECT_SUCCESS(s2n_hash_update(&verifying_conn->handshake.hashes->sha256, hello, strlen((char *) hello)));
|
|
@@ -16,6 +16,8 @@
|
|
|
16
16
|
#include "s2n_test.h"
|
|
17
17
|
#include "testlib/s2n_testlib.h"
|
|
18
18
|
|
|
19
|
+
DEFINE_POINTER_CLEANUP_FUNC(X509 *, X509_free);
|
|
20
|
+
|
|
19
21
|
static int mock_time(void *data, uint64_t *timestamp)
|
|
20
22
|
{
|
|
21
23
|
*timestamp = *(uint64_t *) data;
|
|
@@ -1970,5 +1972,128 @@ int main(int argc, char **argv)
|
|
|
1970
1972
|
};
|
|
1971
1973
|
};
|
|
1972
1974
|
|
|
1975
|
+
/* Ensure that non-root certificates added to the trust store are trusted */
|
|
1976
|
+
{
|
|
1977
|
+
const char *non_root_cert_path = S2N_RSA_2048_PKCS1_LEAF_CERT;
|
|
1978
|
+
|
|
1979
|
+
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
|
|
1980
|
+
/* Ensure that the test certificate isn't self-signed, and is therefore not a root.
|
|
1981
|
+
*
|
|
1982
|
+
* The X509_get_extension_flags API wasn't added to OpenSSL until 1.1.0.
|
|
1983
|
+
*/
|
|
1984
|
+
{
|
|
1985
|
+
const char *non_root_key_path = S2N_RSA_2048_PKCS1_KEY;
|
|
1986
|
+
|
|
1987
|
+
DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
|
|
1988
|
+
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key, non_root_cert_path, non_root_key_path));
|
|
1989
|
+
struct s2n_cert *cert = NULL;
|
|
1990
|
+
EXPECT_SUCCESS(s2n_cert_chain_get_cert(chain_and_key, &cert, 0));
|
|
1991
|
+
EXPECT_NOT_NULL(cert);
|
|
1992
|
+
|
|
1993
|
+
/* Use the s2n_cert to convert the PEM to ASN.1. */
|
|
1994
|
+
const uint8_t *asn1_data = NULL;
|
|
1995
|
+
uint32_t asn1_len = 0;
|
|
1996
|
+
EXPECT_SUCCESS(s2n_cert_get_der(cert, &asn1_data, &asn1_len));
|
|
1997
|
+
EXPECT_NOT_NULL(asn1_data);
|
|
1998
|
+
|
|
1999
|
+
/* Parse the ASN.1 data with the libcrypto */
|
|
2000
|
+
DEFER_CLEANUP(X509 *x509 = d2i_X509(NULL, &asn1_data, asn1_len), X509_free_pointer);
|
|
2001
|
+
EXPECT_NOT_NULL(x509);
|
|
2002
|
+
|
|
2003
|
+
/* Ensure that the self-signed flag isn't set */
|
|
2004
|
+
uint32_t extension_flags = X509_get_extension_flags(x509);
|
|
2005
|
+
EXPECT_EQUAL(extension_flags & EXFLAG_SS, 0);
|
|
2006
|
+
}
|
|
2007
|
+
#endif
|
|
2008
|
+
|
|
2009
|
+
/* Test s2n_config_set_verification_ca_location */
|
|
2010
|
+
{
|
|
2011
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2012
|
+
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, non_root_cert_path, NULL));
|
|
2013
|
+
|
|
2014
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2015
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2016
|
+
|
|
2017
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2018
|
+
EXPECT_NOT_NULL(connection);
|
|
2019
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2020
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2021
|
+
|
|
2022
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2023
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2024
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2025
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2026
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2027
|
+
|
|
2028
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2029
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2030
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2031
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2032
|
+
&public_key_out));
|
|
2033
|
+
}
|
|
2034
|
+
|
|
2035
|
+
/* Test s2n_config_add_pem_to_trust_store */
|
|
2036
|
+
{
|
|
2037
|
+
char non_root_cert_pem[S2N_MAX_TEST_PEM_SIZE] = { 0 };
|
|
2038
|
+
EXPECT_SUCCESS(s2n_read_test_pem(non_root_cert_path, non_root_cert_pem, S2N_MAX_TEST_PEM_SIZE));
|
|
2039
|
+
|
|
2040
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2041
|
+
EXPECT_SUCCESS(s2n_config_add_pem_to_trust_store(config, non_root_cert_pem));
|
|
2042
|
+
|
|
2043
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2044
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2045
|
+
|
|
2046
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2047
|
+
EXPECT_NOT_NULL(connection);
|
|
2048
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2049
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2050
|
+
|
|
2051
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2052
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2053
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2054
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2055
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2056
|
+
|
|
2057
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2058
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2059
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2060
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2061
|
+
&public_key_out));
|
|
2062
|
+
}
|
|
2063
|
+
|
|
2064
|
+
/* Test system trust store
|
|
2065
|
+
*
|
|
2066
|
+
* This test uses the SSL_CERT_FILE environment variable to override the system trust store
|
|
2067
|
+
* location, which isn't supported by LibreSSL.
|
|
2068
|
+
*/
|
|
2069
|
+
if (!s2n_libcrypto_is_libressl()) {
|
|
2070
|
+
/* Override the system cert file with the non-root test cert. */
|
|
2071
|
+
EXPECT_SUCCESS(setenv("SSL_CERT_FILE", non_root_cert_path, 1));
|
|
2072
|
+
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
|
|
2073
|
+
|
|
2074
|
+
DEFER_CLEANUP(struct s2n_x509_validator validator = { 0 }, s2n_x509_validator_wipe);
|
|
2075
|
+
EXPECT_SUCCESS(s2n_x509_validator_init(&validator, &config->trust_store, 0));
|
|
2076
|
+
|
|
2077
|
+
DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
|
|
2078
|
+
EXPECT_NOT_NULL(connection);
|
|
2079
|
+
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
|
|
2080
|
+
EXPECT_SUCCESS(s2n_set_server_name(connection, "s2nTestServer"));
|
|
2081
|
+
|
|
2082
|
+
DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
|
|
2083
|
+
EXPECT_OK(s2n_test_cert_chain_data_from_pem(connection, non_root_cert_path, &cert_chain_stuffer));
|
|
2084
|
+
uint32_t chain_len = s2n_stuffer_data_available(&cert_chain_stuffer);
|
|
2085
|
+
uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
|
|
2086
|
+
EXPECT_NOT_NULL(chain_data);
|
|
2087
|
+
|
|
2088
|
+
DEFER_CLEANUP(struct s2n_pkey public_key_out = { 0 }, s2n_pkey_free);
|
|
2089
|
+
EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
|
|
2090
|
+
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
|
|
2091
|
+
EXPECT_OK(s2n_x509_validator_validate_cert_chain(&validator, connection, chain_data, chain_len, &pkey_type,
|
|
2092
|
+
&public_key_out));
|
|
2093
|
+
|
|
2094
|
+
EXPECT_SUCCESS(unsetenv("SSL_CERT_FILE"));
|
|
2095
|
+
}
|
|
2096
|
+
}
|
|
2097
|
+
|
|
1973
2098
|
END_TEST();
|
|
1974
2099
|
}
|
|
@@ -24,12 +24,13 @@
|
|
|
24
24
|
#include "utils/s2n_safety.h"
|
|
25
25
|
|
|
26
26
|
static bool s2n_client_signature_algorithms_should_send(struct s2n_connection *conn);
|
|
27
|
+
static int s2n_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
27
28
|
static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
28
29
|
|
|
29
30
|
const s2n_extension_type s2n_client_signature_algorithms_extension = {
|
|
30
31
|
.iana_value = TLS_EXTENSION_SIGNATURE_ALGORITHMS,
|
|
31
32
|
.is_response = false,
|
|
32
|
-
.send =
|
|
33
|
+
.send = s2n_client_signature_algorithms_send,
|
|
33
34
|
.recv = s2n_client_signature_algorithms_recv,
|
|
34
35
|
.should_send = s2n_client_signature_algorithms_should_send,
|
|
35
36
|
.if_missing = s2n_extension_noop_if_missing,
|
|
@@ -40,6 +41,12 @@ static bool s2n_client_signature_algorithms_should_send(struct s2n_connection *c
|
|
|
40
41
|
return s2n_connection_get_protocol_version(conn) >= S2N_TLS12;
|
|
41
42
|
}
|
|
42
43
|
|
|
44
|
+
static int s2n_client_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
45
|
+
{
|
|
46
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithms_supported_list_send(conn, extension));
|
|
47
|
+
return S2N_SUCCESS;
|
|
48
|
+
}
|
|
49
|
+
|
|
43
50
|
static int s2n_client_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
44
51
|
{
|
|
45
52
|
return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.client_sig_hash_algs);
|
|
@@ -74,7 +74,8 @@ static int s2n_client_supported_versions_send(struct s2n_connection *conn, struc
|
|
|
74
74
|
return S2N_SUCCESS;
|
|
75
75
|
}
|
|
76
76
|
|
|
77
|
-
|
|
77
|
+
int s2n_extensions_client_supported_versions_process(struct s2n_connection *conn, struct s2n_stuffer *extension,
|
|
78
|
+
uint8_t *client_protocol_version_out, uint8_t *actual_protocol_version_out)
|
|
78
79
|
{
|
|
79
80
|
uint8_t highest_supported_version = conn->server_protocol_version;
|
|
80
81
|
uint8_t minimum_supported_version = s2n_unknown_protocol_version;
|
|
@@ -85,8 +86,8 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
85
86
|
S2N_ERROR_IF(size_of_version_list != s2n_stuffer_data_available(extension), S2N_ERR_BAD_MESSAGE);
|
|
86
87
|
S2N_ERROR_IF(size_of_version_list % S2N_TLS_PROTOCOL_VERSION_LEN != 0, S2N_ERR_BAD_MESSAGE);
|
|
87
88
|
|
|
88
|
-
|
|
89
|
-
|
|
89
|
+
uint8_t client_protocol_version = s2n_unknown_protocol_version;
|
|
90
|
+
uint8_t actual_protocol_version = s2n_unknown_protocol_version;
|
|
90
91
|
|
|
91
92
|
for (int i = 0; i < size_of_version_list; i += S2N_TLS_PROTOCOL_VERSION_LEN) {
|
|
92
93
|
uint8_t client_version_parts[S2N_TLS_PROTOCOL_VERSION_LEN];
|
|
@@ -101,7 +102,7 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
101
102
|
|
|
102
103
|
uint16_t client_version = (client_version_parts[0] * 10) + client_version_parts[1];
|
|
103
104
|
|
|
104
|
-
|
|
105
|
+
client_protocol_version = MAX(client_version, client_protocol_version);
|
|
105
106
|
|
|
106
107
|
if (client_version > highest_supported_version) {
|
|
107
108
|
continue;
|
|
@@ -113,27 +114,58 @@ static int s2n_extensions_client_supported_versions_process(struct s2n_connectio
|
|
|
113
114
|
|
|
114
115
|
/* We ignore the client's preferred order and instead choose
|
|
115
116
|
* the highest version that both client and server support. */
|
|
116
|
-
|
|
117
|
+
actual_protocol_version = MAX(client_version, actual_protocol_version);
|
|
117
118
|
}
|
|
118
119
|
|
|
119
|
-
|
|
120
|
-
|
|
120
|
+
*client_protocol_version_out = client_protocol_version;
|
|
121
|
+
*actual_protocol_version_out = actual_protocol_version;
|
|
121
122
|
|
|
122
123
|
return S2N_SUCCESS;
|
|
123
124
|
}
|
|
124
125
|
|
|
125
|
-
static
|
|
126
|
+
static S2N_RESULT s2n_client_supported_versions_recv_impl(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
126
127
|
{
|
|
128
|
+
RESULT_ENSURE_REF(conn);
|
|
129
|
+
RESULT_ENSURE_REF(extension);
|
|
130
|
+
|
|
131
|
+
RESULT_GUARD_POSIX(s2n_extensions_client_supported_versions_process(conn, extension, &conn->client_protocol_version,
|
|
132
|
+
&conn->actual_protocol_version));
|
|
133
|
+
|
|
134
|
+
RESULT_ENSURE(conn->client_protocol_version != s2n_unknown_protocol_version, S2N_ERR_UNKNOWN_PROTOCOL_VERSION);
|
|
135
|
+
RESULT_ENSURE(conn->actual_protocol_version != s2n_unknown_protocol_version, S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED);
|
|
136
|
+
|
|
137
|
+
return S2N_RESULT_OK;
|
|
138
|
+
}
|
|
139
|
+
|
|
140
|
+
static int s2n_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
141
|
+
{
|
|
142
|
+
/* For backwards compatibility, the supported versions extension isn't used for protocol
|
|
143
|
+
* version selection if the server doesn't support TLS 1.3. This ensures that TLS 1.2 servers
|
|
144
|
+
* experience no behavior change due to processing the TLS 1.3 extension. See
|
|
145
|
+
* https://github.com/aws/s2n-tls/issues/4240.
|
|
146
|
+
*
|
|
147
|
+
*= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.1
|
|
148
|
+
*= type=exception
|
|
149
|
+
*= reason=The client hello legacy version is used for version selection on TLS 1.2 servers for backwards compatibility
|
|
150
|
+
*# If this extension is present in the ClientHello, servers MUST NOT use
|
|
151
|
+
*# the ClientHello.legacy_version value for version negotiation and MUST
|
|
152
|
+
*# use only the "supported_versions" extension to determine client
|
|
153
|
+
*# preferences.
|
|
154
|
+
*/
|
|
127
155
|
if (s2n_connection_get_protocol_version(conn) < S2N_TLS13) {
|
|
128
156
|
return S2N_SUCCESS;
|
|
129
157
|
}
|
|
130
158
|
|
|
131
|
-
|
|
132
|
-
if (result
|
|
159
|
+
s2n_result result = s2n_client_supported_versions_recv_impl(conn, extension);
|
|
160
|
+
if (s2n_result_is_error(result)) {
|
|
161
|
+
conn->client_protocol_version = s2n_unknown_protocol_version;
|
|
162
|
+
conn->actual_protocol_version = s2n_unknown_protocol_version;
|
|
163
|
+
|
|
133
164
|
s2n_queue_reader_unsupported_protocol_version_alert(conn);
|
|
134
165
|
POSIX_ENSURE(s2n_errno != S2N_ERR_SAFETY, S2N_ERR_BAD_MESSAGE);
|
|
135
166
|
}
|
|
136
|
-
|
|
167
|
+
POSIX_GUARD_RESULT(result);
|
|
168
|
+
|
|
137
169
|
return S2N_SUCCESS;
|
|
138
170
|
}
|
|
139
171
|
|
|
@@ -20,6 +20,9 @@
|
|
|
20
20
|
|
|
21
21
|
extern const s2n_extension_type s2n_client_supported_versions_extension;
|
|
22
22
|
|
|
23
|
+
int s2n_extensions_client_supported_versions_process(struct s2n_connection *conn, struct s2n_stuffer *extension,
|
|
24
|
+
uint8_t *client_protocol_version_out, uint8_t *actual_protocol_version_out);
|
|
25
|
+
|
|
23
26
|
/* Old-style extension functions -- remove after extensions refactor is complete */
|
|
24
27
|
int s2n_extensions_client_supported_versions_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
25
28
|
int s2n_extensions_client_supported_versions_size(struct s2n_connection *conn);
|
|
@@ -24,17 +24,24 @@
|
|
|
24
24
|
#include "tls/s2n_tls_parameters.h"
|
|
25
25
|
#include "utils/s2n_safety.h"
|
|
26
26
|
|
|
27
|
+
static int s2n_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
27
28
|
static int s2n_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);
|
|
28
29
|
|
|
29
30
|
const s2n_extension_type s2n_server_signature_algorithms_extension = {
|
|
30
31
|
.iana_value = TLS_EXTENSION_SIGNATURE_ALGORITHMS,
|
|
31
32
|
.is_response = false,
|
|
32
|
-
.send =
|
|
33
|
+
.send = s2n_signature_algorithms_send,
|
|
33
34
|
.recv = s2n_signature_algorithms_recv,
|
|
34
35
|
.should_send = s2n_extension_always_send,
|
|
35
36
|
.if_missing = s2n_extension_error_if_missing,
|
|
36
37
|
};
|
|
37
38
|
|
|
39
|
+
static int s2n_signature_algorithms_send(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
40
|
+
{
|
|
41
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithms_supported_list_send(conn, extension));
|
|
42
|
+
return S2N_SUCCESS;
|
|
43
|
+
}
|
|
44
|
+
|
|
38
45
|
static int s2n_signature_algorithms_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
|
|
39
46
|
{
|
|
40
47
|
return s2n_recv_supported_sig_scheme_list(extension, &conn->handshake_params.server_sig_hash_algs);
|
|
@@ -221,9 +221,11 @@ int s2n_is_cert_type_valid_for_auth(struct s2n_connection *conn, s2n_pkey_type c
|
|
|
221
221
|
int s2n_select_certs_for_server_auth(struct s2n_connection *conn, struct s2n_cert_chain_and_key **chosen_certs)
|
|
222
222
|
{
|
|
223
223
|
POSIX_ENSURE_REF(conn);
|
|
224
|
+
POSIX_ENSURE_REF(conn->handshake_params.server_cert_sig_scheme);
|
|
225
|
+
s2n_signature_algorithm sig_alg = conn->handshake_params.server_cert_sig_scheme->sig_alg;
|
|
224
226
|
|
|
225
|
-
s2n_pkey_type cert_type;
|
|
226
|
-
POSIX_GUARD(s2n_get_cert_type_for_sig_alg(
|
|
227
|
+
s2n_pkey_type cert_type = 0;
|
|
228
|
+
POSIX_GUARD(s2n_get_cert_type_for_sig_alg(sig_alg, &cert_type));
|
|
227
229
|
|
|
228
230
|
*chosen_certs = s2n_get_compatible_cert_chain_and_key(conn, cert_type);
|
|
229
231
|
S2N_ERROR_IF(*chosen_certs == NULL, S2N_ERR_CERT_TYPE_UNSUPPORTED);
|
|
@@ -32,14 +32,10 @@ int s2n_client_cert_verify_recv(struct s2n_connection *conn)
|
|
|
32
32
|
POSIX_ENSURE_REF(hashes);
|
|
33
33
|
|
|
34
34
|
struct s2n_stuffer *in = &conn->handshake.io;
|
|
35
|
-
struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
|
|
36
35
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
/* Verify the SigScheme picked by the Client was in the preference list we sent (or is the default SigScheme) */
|
|
41
|
-
POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, chosen_sig_scheme));
|
|
42
|
-
}
|
|
36
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
|
|
37
|
+
const struct s2n_signature_scheme *chosen_sig_scheme = conn->handshake_params.client_cert_sig_scheme;
|
|
38
|
+
POSIX_ENSURE_REF(chosen_sig_scheme);
|
|
43
39
|
|
|
44
40
|
uint16_t signature_size;
|
|
45
41
|
struct s2n_blob signature = { 0 };
|
|
@@ -70,12 +66,13 @@ int s2n_client_cert_verify_send(struct s2n_connection *conn)
|
|
|
70
66
|
S2N_ASYNC_PKEY_GUARD(conn);
|
|
71
67
|
struct s2n_stuffer *out = &conn->handshake.io;
|
|
72
68
|
|
|
73
|
-
struct s2n_signature_scheme *chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
|
|
74
69
|
if (conn->actual_protocol_version < S2N_TLS12) {
|
|
75
|
-
POSIX_GUARD(s2n_choose_default_sig_scheme(conn,
|
|
70
|
+
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.client_cert_sig_scheme, S2N_CLIENT));
|
|
76
71
|
} else {
|
|
77
|
-
POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.client_cert_sig_scheme
|
|
72
|
+
POSIX_GUARD(s2n_stuffer_write_uint16(out, conn->handshake_params.client_cert_sig_scheme->iana_value));
|
|
78
73
|
}
|
|
74
|
+
const struct s2n_signature_scheme *chosen_sig_scheme = conn->handshake_params.client_cert_sig_scheme;
|
|
75
|
+
POSIX_ENSURE_REF(chosen_sig_scheme);
|
|
79
76
|
|
|
80
77
|
/* Use a copy of the hash state since the verify digest computation may modify the running hash state we need later. */
|
|
81
78
|
struct s2n_hash_state *hash_state = &hashes->hash_workspace;
|
|
@@ -598,7 +598,7 @@ int s2n_process_client_hello(struct s2n_connection *conn)
|
|
|
598
598
|
/* And set the signature and hash algorithm used for key exchange signatures */
|
|
599
599
|
POSIX_GUARD(s2n_choose_sig_scheme_from_peer_preference_list(conn,
|
|
600
600
|
&conn->handshake_params.client_sig_hash_algs,
|
|
601
|
-
&conn->handshake_params.
|
|
601
|
+
&conn->handshake_params.server_cert_sig_scheme));
|
|
602
602
|
|
|
603
603
|
/* And finally, set the certs specified by the final auth + sig_alg combo. */
|
|
604
604
|
POSIX_GUARD(s2n_select_certs_for_server_auth(conn, &conn->handshake_params.our_chain_and_key));
|
|
@@ -833,7 +833,7 @@ int s2n_sslv2_client_hello_recv(struct s2n_connection *conn)
|
|
|
833
833
|
POSIX_GUARD(s2n_conn_find_name_matching_certs(conn));
|
|
834
834
|
|
|
835
835
|
POSIX_GUARD(s2n_set_cipher_as_sslv2_server(conn, client_hello->cipher_suites.data, client_hello->cipher_suites.size / S2N_SSLv2_CIPHER_SUITE_LEN));
|
|
836
|
-
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.
|
|
836
|
+
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.server_cert_sig_scheme, S2N_SERVER));
|
|
837
837
|
POSIX_GUARD(s2n_select_certs_for_server_auth(conn, &conn->handshake_params.our_chain_and_key));
|
|
838
838
|
|
|
839
839
|
S2N_ERROR_IF(session_id_length > s2n_stuffer_data_available(in), S2N_ERR_BAD_MESSAGE);
|
|
@@ -32,6 +32,7 @@
|
|
|
32
32
|
#include "crypto/s2n_openssl_x509.h"
|
|
33
33
|
#include "error/s2n_errno.h"
|
|
34
34
|
#include "tls/extensions/s2n_client_server_name.h"
|
|
35
|
+
#include "tls/extensions/s2n_client_supported_versions.h"
|
|
35
36
|
#include "tls/s2n_alerts.h"
|
|
36
37
|
#include "tls/s2n_cipher_suites.h"
|
|
37
38
|
#include "tls/s2n_handshake.h"
|
|
@@ -557,6 +558,8 @@ int s2n_connection_wipe(struct s2n_connection *conn)
|
|
|
557
558
|
conn->secure = secure;
|
|
558
559
|
conn->client = conn->initial;
|
|
559
560
|
conn->server = conn->initial;
|
|
561
|
+
conn->handshake_params.client_cert_sig_scheme = &s2n_null_sig_scheme;
|
|
562
|
+
conn->handshake_params.server_cert_sig_scheme = &s2n_null_sig_scheme;
|
|
560
563
|
|
|
561
564
|
POSIX_GUARD_RESULT(s2n_psk_parameters_init(&conn->psk_params));
|
|
562
565
|
conn->server_keying_material_lifetime = ONE_WEEK_IN_SEC;
|
|
@@ -617,17 +620,17 @@ int s2n_connection_set_send_cb(struct s2n_connection *conn, s2n_send_fn send)
|
|
|
617
620
|
return S2N_SUCCESS;
|
|
618
621
|
}
|
|
619
622
|
|
|
620
|
-
int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **
|
|
623
|
+
int s2n_connection_get_client_cert_chain(struct s2n_connection *conn, uint8_t **cert_chain_out, uint32_t *cert_chain_len)
|
|
621
624
|
{
|
|
622
625
|
POSIX_ENSURE_REF(conn);
|
|
623
|
-
POSIX_ENSURE_REF(
|
|
626
|
+
POSIX_ENSURE_REF(cert_chain_out);
|
|
624
627
|
POSIX_ENSURE_REF(cert_chain_len);
|
|
625
628
|
POSIX_ENSURE_REF(conn->handshake_params.client_cert_chain.data);
|
|
626
629
|
|
|
627
|
-
*
|
|
630
|
+
*cert_chain_out = conn->handshake_params.client_cert_chain.data;
|
|
628
631
|
*cert_chain_len = conn->handshake_params.client_cert_chain.size;
|
|
629
632
|
|
|
630
|
-
return
|
|
633
|
+
return S2N_SUCCESS;
|
|
631
634
|
}
|
|
632
635
|
|
|
633
636
|
int s2n_connection_get_cipher_preferences(struct s2n_connection *conn, const struct s2n_cipher_preferences **cipher_preferences)
|
|
@@ -936,10 +939,58 @@ const char *s2n_connection_get_kem_group_name(struct s2n_connection *conn)
|
|
|
936
939
|
return conn->kex_params.client_kem_group_params.kem_group->name;
|
|
937
940
|
}
|
|
938
941
|
|
|
942
|
+
static S2N_RESULT s2n_connection_get_client_supported_version(struct s2n_connection *conn,
|
|
943
|
+
uint8_t *client_supported_version)
|
|
944
|
+
{
|
|
945
|
+
RESULT_ENSURE_REF(conn);
|
|
946
|
+
RESULT_ENSURE_EQ(conn->mode, S2N_SERVER);
|
|
947
|
+
|
|
948
|
+
struct s2n_client_hello *client_hello = s2n_connection_get_client_hello(conn);
|
|
949
|
+
RESULT_ENSURE_REF(client_hello);
|
|
950
|
+
|
|
951
|
+
s2n_parsed_extension *supported_versions_extension = NULL;
|
|
952
|
+
RESULT_GUARD_POSIX(s2n_client_hello_get_parsed_extension(S2N_EXTENSION_SUPPORTED_VERSIONS, &client_hello->extensions,
|
|
953
|
+
&supported_versions_extension));
|
|
954
|
+
RESULT_ENSURE_REF(supported_versions_extension);
|
|
955
|
+
|
|
956
|
+
struct s2n_stuffer supported_versions_stuffer = { 0 };
|
|
957
|
+
RESULT_GUARD_POSIX(s2n_stuffer_init_written(&supported_versions_stuffer, &supported_versions_extension->extension));
|
|
958
|
+
|
|
959
|
+
uint8_t client_protocol_version = s2n_unknown_protocol_version;
|
|
960
|
+
uint8_t actual_protocol_version = s2n_unknown_protocol_version;
|
|
961
|
+
RESULT_GUARD_POSIX(s2n_extensions_client_supported_versions_process(conn, &supported_versions_stuffer,
|
|
962
|
+
&client_protocol_version, &actual_protocol_version));
|
|
963
|
+
|
|
964
|
+
RESULT_ENSURE_NE(client_protocol_version, s2n_unknown_protocol_version);
|
|
965
|
+
|
|
966
|
+
*client_supported_version = client_protocol_version;
|
|
967
|
+
|
|
968
|
+
return S2N_RESULT_OK;
|
|
969
|
+
}
|
|
970
|
+
|
|
939
971
|
int s2n_connection_get_client_protocol_version(struct s2n_connection *conn)
|
|
940
972
|
{
|
|
941
973
|
POSIX_ENSURE_REF(conn);
|
|
942
974
|
|
|
975
|
+
/* For backwards compatibility, the client_protocol_version field isn't updated via the
|
|
976
|
+
* supported versions extension on TLS 1.2 servers. See
|
|
977
|
+
* https://github.com/aws/s2n-tls/issues/4240.
|
|
978
|
+
*
|
|
979
|
+
* The extension is processed here to ensure that TLS 1.2 servers report the same client
|
|
980
|
+
* protocol version to applications as TLS 1.3 servers.
|
|
981
|
+
*/
|
|
982
|
+
if (conn->mode == S2N_SERVER && conn->server_protocol_version <= S2N_TLS12) {
|
|
983
|
+
uint8_t client_supported_version = s2n_unknown_protocol_version;
|
|
984
|
+
s2n_result result = s2n_connection_get_client_supported_version(conn, &client_supported_version);
|
|
985
|
+
|
|
986
|
+
/* If the extension wasn't received, or if a client protocol version couldn't be determined
|
|
987
|
+
* after processing the extension, the extension is ignored.
|
|
988
|
+
*/
|
|
989
|
+
if (s2n_result_is_ok(result)) {
|
|
990
|
+
return client_supported_version;
|
|
991
|
+
}
|
|
992
|
+
}
|
|
993
|
+
|
|
943
994
|
return conn->client_protocol_version;
|
|
944
995
|
}
|
|
945
996
|
|
|
@@ -1404,7 +1455,8 @@ int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct
|
|
|
1404
1455
|
return S2N_SUCCESS;
|
|
1405
1456
|
}
|
|
1406
1457
|
|
|
1407
|
-
static S2N_RESULT s2n_signature_scheme_to_tls_iana(struct s2n_signature_scheme *sig_scheme,
|
|
1458
|
+
static S2N_RESULT s2n_signature_scheme_to_tls_iana(const struct s2n_signature_scheme *sig_scheme,
|
|
1459
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1408
1460
|
{
|
|
1409
1461
|
RESULT_ENSURE_REF(sig_scheme);
|
|
1410
1462
|
RESULT_ENSURE_REF(converted_scheme);
|
|
@@ -1439,26 +1491,31 @@ static S2N_RESULT s2n_signature_scheme_to_tls_iana(struct s2n_signature_scheme *
|
|
|
1439
1491
|
return S2N_RESULT_OK;
|
|
1440
1492
|
}
|
|
1441
1493
|
|
|
1442
|
-
int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn,
|
|
1494
|
+
int s2n_connection_get_selected_digest_algorithm(struct s2n_connection *conn,
|
|
1495
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1443
1496
|
{
|
|
1444
1497
|
POSIX_ENSURE_REF(conn);
|
|
1445
1498
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1446
1499
|
|
|
1447
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1500
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1501
|
+
conn->handshake_params.server_cert_sig_scheme, converted_scheme));
|
|
1448
1502
|
|
|
1449
1503
|
return S2N_SUCCESS;
|
|
1450
1504
|
}
|
|
1451
1505
|
|
|
1452
|
-
int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn,
|
|
1506
|
+
int s2n_connection_get_selected_client_cert_digest_algorithm(struct s2n_connection *conn,
|
|
1507
|
+
s2n_tls_hash_algorithm *converted_scheme)
|
|
1453
1508
|
{
|
|
1454
1509
|
POSIX_ENSURE_REF(conn);
|
|
1455
1510
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1456
1511
|
|
|
1457
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1512
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_tls_iana(
|
|
1513
|
+
conn->handshake_params.client_cert_sig_scheme, converted_scheme));
|
|
1458
1514
|
return S2N_SUCCESS;
|
|
1459
1515
|
}
|
|
1460
1516
|
|
|
1461
|
-
static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(struct s2n_signature_scheme *sig_scheme,
|
|
1517
|
+
static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(const struct s2n_signature_scheme *sig_scheme,
|
|
1518
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1462
1519
|
{
|
|
1463
1520
|
RESULT_ENSURE_REF(sig_scheme);
|
|
1464
1521
|
RESULT_ENSURE_REF(converted_scheme);
|
|
@@ -1484,22 +1541,26 @@ static S2N_RESULT s2n_signature_scheme_to_signature_algorithm(struct s2n_signatu
|
|
|
1484
1541
|
return S2N_RESULT_OK;
|
|
1485
1542
|
}
|
|
1486
1543
|
|
|
1487
|
-
int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn,
|
|
1544
|
+
int s2n_connection_get_selected_signature_algorithm(struct s2n_connection *conn,
|
|
1545
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1488
1546
|
{
|
|
1489
1547
|
POSIX_ENSURE_REF(conn);
|
|
1490
1548
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1491
1549
|
|
|
1492
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1550
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1551
|
+
conn->handshake_params.server_cert_sig_scheme, converted_scheme));
|
|
1493
1552
|
|
|
1494
1553
|
return S2N_SUCCESS;
|
|
1495
1554
|
}
|
|
1496
1555
|
|
|
1497
|
-
int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn,
|
|
1556
|
+
int s2n_connection_get_selected_client_cert_signature_algorithm(struct s2n_connection *conn,
|
|
1557
|
+
s2n_tls_signature_algorithm *converted_scheme)
|
|
1498
1558
|
{
|
|
1499
1559
|
POSIX_ENSURE_REF(conn);
|
|
1500
1560
|
POSIX_ENSURE_REF(converted_scheme);
|
|
1501
1561
|
|
|
1502
|
-
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1562
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_to_signature_algorithm(
|
|
1563
|
+
conn->handshake_params.client_cert_sig_scheme, converted_scheme));
|
|
1503
1564
|
|
|
1504
1565
|
return S2N_SUCCESS;
|
|
1505
1566
|
}
|
|
@@ -104,12 +104,12 @@ struct s2n_handshake_parameters {
|
|
|
104
104
|
/* Signature/hash algorithm pairs offered by the client in the signature_algorithms extension */
|
|
105
105
|
struct s2n_sig_scheme_list client_sig_hash_algs;
|
|
106
106
|
/* Signature scheme chosen by the server */
|
|
107
|
-
struct s2n_signature_scheme
|
|
107
|
+
const struct s2n_signature_scheme *server_cert_sig_scheme;
|
|
108
108
|
|
|
109
109
|
/* Signature/hash algorithm pairs offered by the server in the certificate request */
|
|
110
110
|
struct s2n_sig_scheme_list server_sig_hash_algs;
|
|
111
111
|
/* Signature scheme chosen by the client */
|
|
112
|
-
struct s2n_signature_scheme client_cert_sig_scheme;
|
|
112
|
+
const struct s2n_signature_scheme *client_cert_sig_scheme;
|
|
113
113
|
|
|
114
114
|
/* The cert chain we will send the peer. */
|
|
115
115
|
struct s2n_cert_chain_and_key *our_chain_and_key;
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
#include "tls/s2n_tls.h"
|
|
22
22
|
#include "utils/s2n_safety.h"
|
|
23
23
|
|
|
24
|
-
|
|
24
|
+
S2N_RESULT s2n_post_handshake_process(struct s2n_connection *conn, struct s2n_stuffer *in, uint8_t message_type)
|
|
25
25
|
{
|
|
26
26
|
RESULT_ENSURE_REF(conn);
|
|
27
27
|
|