aws-crt 0.1.9 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/auth.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/aws_imds_client.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/credentials.h +5 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/aws_signing.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/private/credentials_utils.h +2 -0
- data/aws-crt-ffi/crt/aws-c-auth/include/aws/auth/signing_config.h +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/auth.c +3 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_imds_client.c +146 -63
- data/aws-crt-ffi/crt/aws-c-auth/source/aws_signing.c +41 -19
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_provider_imds.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/credentials_utils.c +1 -0
- data/aws-crt-ffi/crt/aws-c-auth/source/signable_http_request.c +2 -1
- data/aws-crt-ffi/crt/aws-c-auth/source/signing_config.c +25 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/CMakeLists.txt +3 -0
- data/aws-crt-ffi/crt/aws-c-auth/tests/aws_imds_client_test.c +197 -31
- data/aws-crt-ffi/crt/aws-c-auth/tests/credentials_provider_imds_tests.c +16 -18
- data/aws-crt-ffi/crt/aws-c-auth/tests/sigv4_signing_tests.c +3 -1
- data/aws-crt-ffi/crt/aws-c-cal/include/aws/cal/private/opensslcrypto_common.h +22 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/darwin/commoncrypto_aes.c +46 -17
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_aes.c +1 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_platform_init.c +7 -0
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/openssl_rsa.c +59 -2
- data/aws-crt-ffi/crt/aws-c-cal/source/unix/opensslcrypto_ecc.c +1 -0
- data/aws-crt-ffi/crt/aws-c-common/CMakeLists.txt +13 -1
- data/aws-crt-ffi/crt/aws-c-common/THIRD-PARTY-LICENSES.txt +28 -7
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/CMakeLists.txt +18 -0
- data/aws-crt-ffi/crt/aws-c-common/bin/system_info/print_system_info.c +48 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/allocator.h +23 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/byte_buf.h +12 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/cross_process_lock.h +35 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/hash_table.h +1 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/priority_queue.h +24 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/private/system_info_priv.h +37 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_info.h +47 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/common/system_resource_util.h +30 -0
- data/aws-crt-ffi/crt/aws-c-common/include/aws/testing/aws_test_harness.h +3 -2
- data/aws-crt-ffi/crt/aws-c-common/source/allocator.c +64 -13
- data/aws-crt-ffi/crt/aws-c-common/source/android/logging.c +14 -0
- data/aws-crt-ffi/crt/aws-c-common/source/common.c +3 -3
- data/aws-crt-ffi/crt/aws-c-common/source/file.c +96 -35
- data/aws-crt-ffi/crt/aws-c-common/source/linux/system_info.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/memtrace.c +10 -3
- data/aws-crt-ffi/crt/aws-c-common/source/platform_fallback_stubs/system_info.c +21 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/cross_process_lock.c +141 -0
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_info.c +1 -1
- data/aws-crt-ffi/crt/aws-c-common/source/posix/system_resource_utils.c +32 -0
- data/aws-crt-ffi/crt/aws-c-common/source/priority_queue.c +24 -0
- data/aws-crt-ffi/crt/aws-c-common/source/system_info.c +80 -0
- data/aws-crt-ffi/crt/aws-c-common/source/task_scheduler.c +2 -2
- data/aws-crt-ffi/crt/aws-c-common/source/windows/cross_process_lock.c +93 -0
- data/aws-crt-ffi/crt/aws-c-common/source/windows/system_resource_utils.c +31 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/CMakeLists.txt +16 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/alloc_test.c +83 -22
- data/aws-crt-ffi/crt/aws-c-common/tests/cross_process_lock_tests.c +116 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/file_test.c +103 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/priority_queue_test.c +36 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_info_tests.c +19 -0
- data/aws-crt-ffi/crt/aws-c-common/tests/system_resource_util_test.c +37 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/connection.h +9 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/http.h +1 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_impl.h +5 -4
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/connection_manager_system_vtable.h +10 -18
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/proxy_impl.h +5 -1
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/private/request_response_impl.h +5 -0
- data/aws-crt-ffi/crt/aws-c-http/include/aws/http/request_response.h +10 -0
- data/aws-crt-ffi/crt/aws-c-http/source/connection.c +5 -2
- data/aws-crt-ffi/crt/aws-c-http/source/connection_manager.c +22 -21
- data/aws-crt-ffi/crt/aws-c-http/source/h1_connection.c +102 -17
- data/aws-crt-ffi/crt/aws-c-http/source/h1_stream.c +1 -0
- data/aws-crt-ffi/crt/aws-c-http/source/http.c +3 -0
- data/aws-crt-ffi/crt/aws-c-http/source/proxy_connection.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/CMakeLists.txt +2 -0
- data/aws-crt-ffi/crt/aws-c-http/tests/test_connection_manager.c +18 -18
- data/aws-crt-ffi/crt/aws-c-http/tests/test_h1_client.c +111 -1
- data/aws-crt-ffi/crt/aws-c-http/tests/test_proxy.c +2 -2
- data/aws-crt-ffi/crt/aws-c-http/tests/test_stream_manager.c +2 -2
- data/aws-crt-ffi/crt/aws-c-io/include/aws/io/retry_strategy.h +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/exponential_backoff_retry_strategy.c +1 -1
- data/aws-crt-ffi/crt/aws-c-io/source/pkcs11_tls_op_handler.c +2 -4
- data/aws-crt-ffi/crt/aws-lc/CMakeLists.txt +16 -8
- data/aws-crt-ffi/crt/aws-lc/cmake/go.cmake +6 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/CMakeLists.txt +6 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_time.c +34 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/a_utctm.c +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/asn1/asn1_test.cc +41 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_mem.c +6 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/bio_test.cc +152 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/connect.c +6 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/fd.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/file.c +20 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/bio/socket_helper.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/blake2/blake2.c +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbb.c +13 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/bytestring/cbs.c +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/asm/chacha-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha.c +49 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/chacha_test.cc +110 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/chacha/internal.h +8 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/compiler_test.cc +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/conf/conf_test.cc +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/crypto_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519.c +189 -108
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/curve25519_nohw.c +78 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/ed25519_test.cc +9 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/internal.h +24 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/spake25519.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/curve25519/x25519_test.cc +80 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/decrepit/evp/evp_do_all.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_extra.c +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/digest_extra/digest_test.cc +110 -45
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/dsa_test.cc +8 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/dsa/internal.h +18 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/dynamic_loading_test.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/ec_derive.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/ec_extra/hash_to_curve.c +6 -18
- data/aws-crt-ffi/crt/aws-lc/crypto/endian_test.cc +308 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/err/ssl.errordata +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_extra_test.cc +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_test.cc +11 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/evp_tests.txt +25 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_ec_asn1.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_kem.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/p_rsa_asn1.c +1 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/print.c +7 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/evp_extra/scrypt.c +13 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/CMakeLists.txt +13 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/aes/aes_nohw.c +18 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bcm.c +12 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_assert_test.cc +77 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bn_test.cc +30 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/bytes.c +112 -22
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/div.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/exponentiation.c +54 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/gcd.c +5 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/internal.h +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery.c +4 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/bn/montgomery_inv.c +51 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/cipher/aead.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digest.c +29 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/digests.c +89 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/digest/internal.h +4 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec.c +19 -36
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_key.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_montgomery.c +9 -7
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/ec_test.cc +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/internal.h +17 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p224-64.c +5 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256-nistz.c +8 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p256.c +9 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p384.c +33 -16
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/p521.c +14 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/scalar.c +26 -24
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/simple_mul.c +8 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ec/wnaf.c +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/ecdsa/ecdsa.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/evp.c +43 -12
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/evp/p_ec.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/hmac/hmac.c +3 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/modes/xts.c +26 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/cpu_jitter_test.cc +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/internal.h +20 -11
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/rand.c +10 -10
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rand/urandom.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/internal.h +59 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/padding.c +9 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa.c +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/rsa/rsa_impl.c +51 -60
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator.c +5 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/service_indicator/service_indicator_test.cc +205 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv8.pl +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/internal.h +8 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3.c +37 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha3_test.cc +115 -110
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sha/sha512.c +55 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/fipsmodule/sshkdf/sshkdf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_test.cc +12 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hmac_extra/hmac_tests.txt +10 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/hrss/asm/poly_rq_mul.S +2 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/impl_dispatch_test.cc +9 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/internal.h +90 -8
- data/aws-crt-ffi/crt/aws-lc/crypto/kem/kem.c +28 -27
- data/aws-crt-ffi/crt/aws-lc/crypto/kyber/kem_kyber.h +14 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_dat.h +52 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/obj_mac.num +5 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/obj/objects.txt +7 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/arm-xlate.pl +3 -14
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/ppc-xlate.pl +1 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86_64-xlate.pl +4 -15
- data/aws-crt-ffi/crt/aws-lc/crypto/perlasm/x86asm.pl +4 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/poly1305/poly1305_arm_asm.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/deterministic.c +4 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/fuchsia.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/rand_test.cc +0 -63
- data/aws-crt-ffi/crt/aws-lc/crypto/rand_extra/windows.c +41 -19
- data/aws-crt-ffi/crt/aws-lc/crypto/rsa_extra/rsa_test.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash.c +12 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/siphash/siphash_test.cc +5 -5
- data/aws-crt-ffi/crt/aws-lc/crypto/stack/stack.c +68 -46
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/pmbtoken.c +4 -4
- data/aws-crt-ffi/crt/aws-lc/crypto/trust_token/voprf.c +2 -2
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/by_dir.c +0 -6
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/internal.h +4 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_lu.c +33 -9
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_test.cc +87 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_trs.c +1 -1
- data/aws-crt-ffi/crt/aws-lc/crypto/x509/x509_vfy.c +35 -13
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_lib.c +2 -0
- data/aws-crt-ffi/crt/aws-lc/crypto/x509v3/v3_purp.c +4 -6
- data/aws-crt-ffi/crt/aws-lc/generated-src/crypto_test_data.cc +179 -151
- data/aws-crt-ffi/crt/aws-lc/generated-src/err_data.c +353 -349
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/ios-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/bn-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-aarch64/crypto/test/trampoline-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/chacha/chacha-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghash-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/fipsmodule/vpaes-armv7.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-arm/crypto/test/trampoline-armv4.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-ppc64le/crypto/test/trampoline-ppc.S +1 -5
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/bn-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/co-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/md5-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha1-586.S +4 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/linux-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/chacha/chacha-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/aesni-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/bn-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/co-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-ssse3-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/ghash-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/md5-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha1-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha256-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/sha512-586.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/vpaes-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/fipsmodule/x86-mont.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86/crypto/test/trampoline-x86.S +3 -12
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/chacha/chacha-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/aesni-sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/aesni-xts-avx512.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/ghash-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/md5-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rdrand-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/rsaz-avx2.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha1-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha256-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/sha512-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/vpaes-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/fipsmodule/x86_64-mont5.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/mac-x86_64/crypto/test/trampoline-x86_64.S +2 -11
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/chacha/chacha-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-unroll8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/armv8-mont.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/bn-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/ghashv8-armx.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/keccak1600-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/md5-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha1-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha256-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/sha512-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/fipsmodule/vpaes-armv8.S +3 -13
- data/aws-crt-ffi/crt/aws-lc/generated-src/win-aarch64/crypto/test/trampoline-armv8.S +4 -14
- data/aws-crt-ffi/crt/aws-lc/go.mod +4 -4
- data/aws-crt-ffi/crt/aws-lc/go.sum +8 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/aead.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/arm_arch.h +4 -119
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asm_base.h +185 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/asn1.h +5 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/base.h +31 -134
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bio.h +30 -18
- data/aws-crt-ffi/crt/aws-lc/include/openssl/bn.h +0 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/chacha.h +6 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/cipher.h +2 -2
- data/aws-crt-ffi/crt/aws-lc/include/openssl/digest.h +9 -6
- data/aws-crt-ffi/crt/aws-lc/include/openssl/dsa.h +0 -21
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ec.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/err.h +1 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/evp.h +8 -5
- data/aws-crt-ffi/crt/aws-lc/include/openssl/nid.h +21 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/rsa.h +1 -65
- data/aws-crt-ffi/crt/aws-lc/include/openssl/sha.h +22 -1
- data/aws-crt-ffi/crt/aws-lc/include/openssl/ssl.h +121 -13
- data/aws-crt-ffi/crt/aws-lc/include/openssl/stack.h +229 -208
- data/aws-crt-ffi/crt/aws-lc/include/openssl/target.h +166 -0
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509.h +30 -10
- data/aws-crt-ffi/crt/aws-lc/include/openssl/x509v3.h +6 -4
- data/aws-crt-ffi/crt/aws-lc/sources.cmake +2 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/extensions.cc +12 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/handshake_server.cc +28 -18
- data/aws-crt-ffi/crt/aws-lc/ssl/internal.h +41 -6
- data/aws-crt-ffi/crt/aws-lc/ssl/s3_both.cc +9 -17
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_cipher.cc +13 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_key_share.cc +542 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_lib.cc +35 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_test.cc +1847 -14
- data/aws-crt-ffi/crt/aws-lc/ssl/ssl_x509.cc +128 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/PORTING.md +10 -7
- data/aws-crt-ffi/crt/aws-lc/ssl/test/bssl_shim.cc +133 -77
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshake_util.cc +3 -3
- data/aws-crt-ffi/crt/aws-lc/ssl/test/handshaker.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_client.go +6 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_messages.go +894 -1042
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/handshake_server.go +24 -23
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/prf.go +6 -5
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/runner.go +56 -55
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/shim_dispatcher.go +188 -0
- data/aws-crt-ffi/crt/aws-lc/ssl/test/runner/ticket.go +37 -39
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.cc +59 -24
- data/aws-crt-ffi/crt/aws-lc/ssl/test/test_config.h +3 -2
- data/aws-crt-ffi/crt/aws-lc/ssl/tls13_server.cc +10 -11
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/app.py +4 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/{aws_lc_mac_arm_ci_stack.py → aws_lc_ec2_test_framework_ci_stack.py} +13 -29
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/general_test_run_ssm_document.yaml +43 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/common_posix_setup.sh +10 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/amazonlinux-2023_base/Dockerfile +5 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-aarch/ubuntu-22.04_base/Dockerfile +19 -3
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/amazonlinux-2_gcc-7x-intel-sde/Dockerfile +5 -4
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/build_images.sh +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/push_images.sh +2 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-20.04_clang-10x_formal-verification/create_image.sh +1 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_base/Dockerfile +1 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/linux-x86/ubuntu-22.04_clang-14x-sde/Dockerfile +42 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/vs2017/Dockerfile +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/docker_images/windows/windows_base/Dockerfile +3 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/README.md +12 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/nginx_patch/aws-lc-nginx.patch +68 -23
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_crt_integration.sh +27 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/run_monit_integration.sh +56 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/integration/sslproxy_patch/aws-lc-sslproxy.patch +2 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_ec2_test_framework.sh +135 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_fips_tests.sh +14 -2
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde.sh +4 -1
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_tests_with_sde_asan.sh +14 -0
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_windows_tests.bat +39 -3
- data/aws-crt-ffi/crt/aws-lc/third_party/fiat/README.md +21 -6
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519.S +284 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_madd_n25519_alt.S +210 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_mod_n25519.S +186 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/bignum_neg_p25519.S +65 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519_byte_alt.S +1043 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_alt.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte.S +1042 -352
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/curve25519_x25519base_byte_alt.S +1043 -354
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode.S +700 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_decode_alt.S +563 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_encode.S +131 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase.S +9626 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmulbase_alt.S +9468 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble.S +3157 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/curve25519/edwards25519_scalarmuldouble_alt.S +2941 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p384/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/arm/p521/Makefile +1 -1
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/include/s2n-bignum_aws-lc.h +34 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519.S +219 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_madd_n25519_alt.S +245 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_mod_n25519.S +228 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/bignum_neg_p25519.S +86 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519_alt.S +1350 -407
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base.S +1344 -400
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/curve25519_x25519base_alt.S +1348 -402
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode.S +670 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_decode_alt.S +751 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_encode.S +81 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase.S +9910 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmulbase_alt.S +9986 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble.S +3619 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/s2n-bignum/x86_att/curve25519/edwards25519_scalarmuldouble_alt.S +3736 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.json +1978 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_224_test.txt +1403 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.json +1993 -0
- data/aws-crt-ffi/crt/aws-lc/third_party/wycheproof_testvectors/hmac_sha512_256_test.txt +1416 -0
- data/aws-crt-ffi/crt/aws-lc/tool/digest.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/tool/internal.h +1 -0
- data/aws-crt-ffi/crt/aws-lc/tool/speed.cc +53 -6
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.go +43 -12
- data/aws-crt-ffi/crt/aws-lc/util/all_tests.json +13 -5
- data/aws-crt-ffi/crt/aws-lc/util/bot/DEPS +4 -4
- data/aws-crt-ffi/crt/aws-lc/util/bot/update_clang.py +8 -2
- data/aws-crt-ffi/crt/aws-lc/util/codecov-ci.sh +82 -0
- data/aws-crt-ffi/crt/aws-lc/util/convert_wycheproof/convert_wycheproof.go +7 -5
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/ACVP.md +7 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/hash.go +24 -9
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/rsa.go +3 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/subprocess/subprocess.go +15 -10
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/expected/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/sha512-224-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-128-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/sha-tests/shake-256-tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/tests.json +1 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/HMAC-SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHA2-512-224.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-128.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/acvptool/test/vectors/SHAKE-256.bz2 +0 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/main.cc +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/acvp/modulewrapper/modulewrapper.cc +144 -1
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/delocate.go +9 -3
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/in.s +4 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/delocate/testdata/aarch64-Basic/out.s +11 -0
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/inject_hash/inject_hash.go +13 -4
- data/aws-crt-ffi/crt/aws-lc/util/fipstools/test-break-kat.sh +2 -0
- data/aws-crt-ffi/crt/aws-lc/util/testconfig/testconfig.go +2 -1
- data/aws-crt-ffi/crt/s2n/api/s2n.h +9 -5
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/handshake.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/resumption.rs +14 -14
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/benches/throughput.rs +9 -6
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/harness.rs +106 -102
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/openssl.rs +24 -20
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/rustls.rs +28 -24
- data/aws-crt-ffi/crt/s2n/bindings/rust/bench/src/s2n_tls.rs +52 -50
- data/aws-crt-ffi/crt/s2n/bindings/rust/generate/Cargo.toml +1 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/integration/Cargo.toml +3 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls/src/connection.rs +9 -0
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-sys/templates/Cargo.template +2 -1
- data/aws-crt-ffi/crt/s2n/bindings/rust/s2n-tls-tokio/Cargo.toml +2 -2
- data/aws-crt-ffi/crt/s2n/tests/cbmc/sources/make_common_datastructures.c +9 -2
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_client_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/fuzz/s2n_tls13_cert_verify_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_version_negotiation.py +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_auth_selection_test.c +19 -9
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_auth_handshake_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_cert_verify_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_recv_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_hello_test.c +4 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_client_signature_algorithms_extension_test.c +4 -5
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_protocol_versions_test.c +390 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_connection_test.c +8 -4
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_handshake_test.c +2 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_quic_support_io_test.c +106 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_security_policies_test.c +6 -2
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_offload_signing_test.c +3 -3
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_self_talk_session_resumption_test.c +135 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_new_session_ticket_test.c +32 -0
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_server_signature_algorithms_extension_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_signature_algorithms_test.c +307 -283
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_request_test.c +1 -1
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_tls13_cert_verify_test.c +18 -17
- data/aws-crt-ffi/crt/s2n/tests/unit/s2n_x509_validator_test.c +125 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.c +43 -11
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_client_supported_versions.h +3 -0
- data/aws-crt-ffi/crt/s2n/tls/extensions/s2n_server_signature_algorithms.c +8 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_auth_selection.c +4 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_cert_verify.c +7 -10
- data/aws-crt-ffi/crt/s2n/tls/s2n_client_hello.c +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_connection.c +75 -14
- data/aws-crt-ffi/crt/s2n/tls/s2n_handshake.h +2 -2
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_post_handshake.h +1 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.c +29 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_quic_support.h +5 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.c +40 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_security_policies.h +4 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_cert_request.c +1 -1
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_hello.c +0 -3
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_key_exchange.c +8 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_server_new_session_ticket.c +8 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.c +111 -72
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_algorithms.h +11 -9
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.c +9 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_signature_scheme.h +2 -0
- data/aws-crt-ffi/crt/s2n/tls/s2n_tls13_certificate_verify.c +12 -18
- data/aws-crt-ffi/crt/s2n/tls/s2n_x509_validator.c +7 -7
- data/aws-crt-ffi/src/api.h +1 -0
- data/lib/aws-crt/native.rb +1 -1
- metadata +68 -5
- data/aws-crt-ffi/crt/aws-lc/tests/ci/cdk/cdk/ssm/m1_tests_ssm_document.yaml +0 -34
- data/aws-crt-ffi/crt/aws-lc/tests/ci/run_m1_ec2_instance.sh +0 -96
|
@@ -31,3 +31,4 @@ struct s2n_post_handshake {
|
|
|
31
31
|
S2N_RESULT s2n_post_handshake_recv(struct s2n_connection *conn);
|
|
32
32
|
int s2n_post_handshake_send(struct s2n_connection *conn, s2n_blocked_status *blocked);
|
|
33
33
|
S2N_RESULT s2n_post_handshake_write_records(struct s2n_connection *conn, s2n_blocked_status *blocked);
|
|
34
|
+
S2N_RESULT s2n_post_handshake_process(struct s2n_connection *conn, struct s2n_stuffer *in, uint8_t message_type);
|
|
@@ -90,6 +90,35 @@ int s2n_connection_set_secret_callback(struct s2n_connection *conn, s2n_secret_c
|
|
|
90
90
|
return S2N_SUCCESS;
|
|
91
91
|
}
|
|
92
92
|
|
|
93
|
+
/* Currently we need an API that quic can call to process post-handshake messages. Ideally
|
|
94
|
+
* we could re-use the s2n_recv API but that function needs to be refactored to support quic.
|
|
95
|
+
* For now we just call this API.
|
|
96
|
+
*/
|
|
97
|
+
int s2n_recv_quic_post_handshake_message(struct s2n_connection *conn, s2n_blocked_status *blocked)
|
|
98
|
+
{
|
|
99
|
+
POSIX_ENSURE_REF(conn);
|
|
100
|
+
|
|
101
|
+
*blocked = S2N_BLOCKED_ON_READ;
|
|
102
|
+
|
|
103
|
+
uint8_t message_type = 0;
|
|
104
|
+
/* This function uses the stuffer conn->handshake.io to read in the header. This stuffer is also used
|
|
105
|
+
* for sending post-handshake messages. This could cause a concurrency issue if we start both sending
|
|
106
|
+
* and receiving post-handshake messages while quic is enabled. Currently there's no post-handshake
|
|
107
|
+
* message that is both sent and received in quic (servers only send session tickets
|
|
108
|
+
* and clients only receive session tickets.) Therefore it is safe for us
|
|
109
|
+
* to use the stuffer here.
|
|
110
|
+
*/
|
|
111
|
+
POSIX_GUARD_RESULT(s2n_quic_read_handshake_message(conn, &message_type));
|
|
112
|
+
|
|
113
|
+
/* The only post-handshake messages we support from QUIC currently are session tickets */
|
|
114
|
+
POSIX_ENSURE(message_type == TLS_SERVER_NEW_SESSION_TICKET, S2N_ERR_UNSUPPORTED_WITH_QUIC);
|
|
115
|
+
POSIX_GUARD_RESULT(s2n_post_handshake_process(conn, &conn->in, message_type));
|
|
116
|
+
|
|
117
|
+
*blocked = S2N_NOT_BLOCKED;
|
|
118
|
+
|
|
119
|
+
return S2N_SUCCESS;
|
|
120
|
+
}
|
|
121
|
+
|
|
93
122
|
/* When using QUIC, S2N reads unencrypted handshake messages instead of encrypted records.
|
|
94
123
|
* This method sets up the S2N input buffers to match the results of using s2n_read_full_record.
|
|
95
124
|
*/
|
|
@@ -89,3 +89,8 @@ S2N_API int s2n_connection_set_secret_callback(struct s2n_connection *conn, s2n_
|
|
|
89
89
|
* not relied on for production logic.
|
|
90
90
|
*/
|
|
91
91
|
S2N_API int s2n_error_get_alert(int error, uint8_t *alert);
|
|
92
|
+
|
|
93
|
+
/* Attempts to read and process a post-handshake message from QUIC. This function
|
|
94
|
+
* should be called when post-handshake messages in QUIC have been received.
|
|
95
|
+
*/
|
|
96
|
+
S2N_API int s2n_recv_quic_post_handshake_message(struct s2n_connection *conn, s2n_blocked_status *blocked);
|
|
@@ -615,6 +615,42 @@ const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01 = {
|
|
|
615
615
|
.ecc_preferences = &s2n_ecc_preferences_20201021,
|
|
616
616
|
};
|
|
617
617
|
|
|
618
|
+
/* Same as security_policy_pq_tls_1_2_2023_04_07, but with updated KEM prefs */
|
|
619
|
+
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07 = {
|
|
620
|
+
.minimum_protocol_version = S2N_TLS12,
|
|
621
|
+
.cipher_preferences = &cipher_preferences_pq_tls_1_1_2021_05_21,
|
|
622
|
+
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
|
|
623
|
+
.signature_preferences = &s2n_signature_preferences_20200207,
|
|
624
|
+
.ecc_preferences = &s2n_ecc_preferences_20200310,
|
|
625
|
+
};
|
|
626
|
+
|
|
627
|
+
/* Same as security_policy_pq_tls_1_2_2023_04_08, but with updated KEM prefs */
|
|
628
|
+
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08 = {
|
|
629
|
+
.minimum_protocol_version = S2N_TLS12,
|
|
630
|
+
.cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_22,
|
|
631
|
+
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
|
|
632
|
+
.signature_preferences = &s2n_signature_preferences_20200207,
|
|
633
|
+
.ecc_preferences = &s2n_ecc_preferences_20200310,
|
|
634
|
+
};
|
|
635
|
+
|
|
636
|
+
/* Same as security_policy_pq_tls_1_2_2023_04_09, but with updated KEM prefs */
|
|
637
|
+
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09 = {
|
|
638
|
+
.minimum_protocol_version = S2N_TLS12,
|
|
639
|
+
.cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_24,
|
|
640
|
+
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
|
|
641
|
+
.signature_preferences = &s2n_signature_preferences_20200207,
|
|
642
|
+
.ecc_preferences = &s2n_ecc_preferences_20200310,
|
|
643
|
+
};
|
|
644
|
+
|
|
645
|
+
/* Same as security_policy_pq_tls_1_2_2023_04_10, but with updated KEM prefs */
|
|
646
|
+
const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10 = {
|
|
647
|
+
.minimum_protocol_version = S2N_TLS12,
|
|
648
|
+
.cipher_preferences = &cipher_preferences_pq_tls_1_0_2021_05_26,
|
|
649
|
+
.kem_preferences = &kem_preferences_pq_tls_1_3_2023_06,
|
|
650
|
+
.signature_preferences = &s2n_signature_preferences_20200207,
|
|
651
|
+
.ecc_preferences = &s2n_ecc_preferences_20200310,
|
|
652
|
+
};
|
|
653
|
+
|
|
618
654
|
const struct s2n_security_policy security_policy_kms_fips_tls_1_2_2018_10 = {
|
|
619
655
|
.minimum_protocol_version = S2N_TLS12,
|
|
620
656
|
.cipher_preferences = &cipher_preferences_kms_fips_tls_1_2_2018_10,
|
|
@@ -960,6 +996,10 @@ struct s2n_security_policy_selection security_policy_selection[] = {
|
|
|
960
996
|
{ .version = "PQ-TLS-1-2-2023-04-09", .security_policy = &security_policy_pq_tls_1_2_2023_04_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
961
997
|
{ .version = "PQ-TLS-1-2-2023-04-10", .security_policy = &security_policy_pq_tls_1_2_2023_04_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
962
998
|
{ .version = "PQ-TLS-1-3-2023-06-01", .security_policy = &security_policy_pq_tls_1_3_2023_06_01, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
999
|
+
{ .version = "PQ-TLS-1-2-2023-10-07", .security_policy = &security_policy_pq_tls_1_2_2023_10_07, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
1000
|
+
{ .version = "PQ-TLS-1-2-2023-10-08", .security_policy = &security_policy_pq_tls_1_2_2023_10_08, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
1001
|
+
{ .version = "PQ-TLS-1-2-2023-10-09", .security_policy = &security_policy_pq_tls_1_2_2023_10_09, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
1002
|
+
{ .version = "PQ-TLS-1-2-2023-10-10", .security_policy = &security_policy_pq_tls_1_2_2023_10_10, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
963
1003
|
{ .version = "20140601", .security_policy = &security_policy_20140601, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
964
1004
|
{ .version = "20141001", .security_policy = &security_policy_20141001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
965
1005
|
{ .version = "20150202", .security_policy = &security_policy_20150202, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
|
|
@@ -151,6 +151,10 @@ extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_08;
|
|
|
151
151
|
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_09;
|
|
152
152
|
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_04_10;
|
|
153
153
|
extern const struct s2n_security_policy security_policy_pq_tls_1_3_2023_06_01;
|
|
154
|
+
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_07;
|
|
155
|
+
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_08;
|
|
156
|
+
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_09;
|
|
157
|
+
extern const struct s2n_security_policy security_policy_pq_tls_1_2_2023_10_10;
|
|
154
158
|
|
|
155
159
|
extern const struct s2n_security_policy security_policy_cloudfront_upstream;
|
|
156
160
|
extern const struct s2n_security_policy security_policy_cloudfront_upstream_tls10;
|
|
@@ -172,7 +172,7 @@ int s2n_cert_req_send(struct s2n_connection *conn)
|
|
|
172
172
|
}
|
|
173
173
|
|
|
174
174
|
if (conn->actual_protocol_version == S2N_TLS12) {
|
|
175
|
-
|
|
175
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithms_supported_list_send(conn, out));
|
|
176
176
|
}
|
|
177
177
|
|
|
178
178
|
/* RFC 5246 7.4.4 - If the certificate_authorities list is empty, then the
|
|
@@ -286,9 +286,6 @@ int s2n_server_hello_recv(struct s2n_connection *conn)
|
|
|
286
286
|
POSIX_GUARD(s2n_prf_key_expansion(conn));
|
|
287
287
|
}
|
|
288
288
|
|
|
289
|
-
/* Choose a default signature scheme */
|
|
290
|
-
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &conn->handshake_params.conn_sig_scheme, S2N_SERVER));
|
|
291
|
-
|
|
292
289
|
/* Update the required hashes for this connection */
|
|
293
290
|
POSIX_GUARD(s2n_conn_update_required_handshake_hashes(conn));
|
|
294
291
|
|
|
@@ -48,12 +48,9 @@ int s2n_server_key_recv(struct s2n_connection *conn)
|
|
|
48
48
|
struct s2n_kex_raw_server_data kex_data = { 0 };
|
|
49
49
|
POSIX_GUARD_RESULT(s2n_kex_server_key_recv_read_data(key_exchange, conn, &data_to_verify, &kex_data));
|
|
50
50
|
|
|
51
|
-
|
|
52
|
-
struct s2n_signature_scheme *active_sig_scheme =
|
|
53
|
-
|
|
54
|
-
/* Verify the SigScheme picked by the Server was in the preference list we sent (or is the default SigScheme) */
|
|
55
|
-
POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, in, active_sig_scheme));
|
|
56
|
-
}
|
|
51
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, in));
|
|
52
|
+
const struct s2n_signature_scheme *active_sig_scheme = conn->handshake_params.server_cert_sig_scheme;
|
|
53
|
+
POSIX_ENSURE_REF(active_sig_scheme);
|
|
57
54
|
|
|
58
55
|
/* FIPS specifically allows MD5 for <TLS1.2 */
|
|
59
56
|
if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
|
|
@@ -257,6 +254,8 @@ int s2n_server_key_send(struct s2n_connection *conn)
|
|
|
257
254
|
|
|
258
255
|
struct s2n_hash_state *signature_hash = &conn->handshake.hashes->hash_workspace;
|
|
259
256
|
const struct s2n_kex *key_exchange = conn->secure->cipher_suite->key_exchange_alg;
|
|
257
|
+
const struct s2n_signature_scheme *sig_scheme = conn->handshake_params.server_cert_sig_scheme;
|
|
258
|
+
POSIX_ENSURE_REF(sig_scheme);
|
|
260
259
|
struct s2n_stuffer *out = &conn->handshake.io;
|
|
261
260
|
struct s2n_blob data_to_sign = { 0 };
|
|
262
261
|
|
|
@@ -265,7 +264,7 @@ int s2n_server_key_send(struct s2n_connection *conn)
|
|
|
265
264
|
|
|
266
265
|
/* Add common signature data */
|
|
267
266
|
if (conn->actual_protocol_version == S2N_TLS12) {
|
|
268
|
-
POSIX_GUARD(s2n_stuffer_write_uint16(out,
|
|
267
|
+
POSIX_GUARD(s2n_stuffer_write_uint16(out, sig_scheme->iana_value));
|
|
269
268
|
}
|
|
270
269
|
|
|
271
270
|
/* FIPS specifically allows MD5 for <TLS1.2 */
|
|
@@ -274,14 +273,14 @@ int s2n_server_key_send(struct s2n_connection *conn)
|
|
|
274
273
|
}
|
|
275
274
|
|
|
276
275
|
/* Add the random data to the hash */
|
|
277
|
-
POSIX_GUARD(s2n_hash_init(signature_hash,
|
|
276
|
+
POSIX_GUARD(s2n_hash_init(signature_hash, sig_scheme->hash_alg));
|
|
278
277
|
POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.client_random, S2N_TLS_RANDOM_DATA_LEN));
|
|
279
278
|
POSIX_GUARD(s2n_hash_update(signature_hash, conn->handshake_params.server_random, S2N_TLS_RANDOM_DATA_LEN));
|
|
280
279
|
|
|
281
280
|
/* Add KEX specific data to the hash */
|
|
282
281
|
POSIX_GUARD(s2n_hash_update(signature_hash, data_to_sign.data, data_to_sign.size));
|
|
283
282
|
|
|
284
|
-
S2N_ASYNC_PKEY_SIGN(conn,
|
|
283
|
+
S2N_ASYNC_PKEY_SIGN(conn, sig_scheme->sig_alg, signature_hash,
|
|
285
284
|
s2n_server_key_send_write_signature);
|
|
286
285
|
}
|
|
287
286
|
|
|
@@ -126,6 +126,14 @@ S2N_RESULT s2n_tls13_server_nst_send(struct s2n_connection *conn, s2n_blocked_st
|
|
|
126
126
|
return S2N_RESULT_OK;
|
|
127
127
|
}
|
|
128
128
|
|
|
129
|
+
/* Legacy behavior is that the s2n server sends a NST even if the client did not indicate support
|
|
130
|
+
* for resumption or does not support the psk_dhe_ke mode. This is potentially wasteful so we
|
|
131
|
+
* choose to not extend this behavior to QUIC.
|
|
132
|
+
*/
|
|
133
|
+
if (conn->quic_enabled && conn->psk_params.psk_ke_mode != S2N_PSK_DHE_KE) {
|
|
134
|
+
return S2N_RESULT_OK;
|
|
135
|
+
}
|
|
136
|
+
|
|
129
137
|
/* No-op if all tickets already sent.
|
|
130
138
|
* Clean up the stuffer used for the ticket to conserve memory. */
|
|
131
139
|
if (conn->tickets_to_send == conn->tickets_sent) {
|
|
@@ -26,49 +26,66 @@
|
|
|
26
26
|
#include "tls/s2n_signature_scheme.h"
|
|
27
27
|
#include "utils/s2n_safety.h"
|
|
28
28
|
|
|
29
|
-
static
|
|
29
|
+
static S2N_RESULT s2n_signature_scheme_validate_for_send(struct s2n_connection *conn,
|
|
30
|
+
const struct s2n_signature_scheme *scheme)
|
|
30
31
|
{
|
|
31
|
-
|
|
32
|
+
RESULT_ENSURE_REF(conn);
|
|
32
33
|
|
|
33
|
-
/*
|
|
34
|
-
|
|
34
|
+
/* If no protocol has been negotiated yet, the actual_protocol_version will
|
|
35
|
+
* be equivalent to the client_protocol_version and represent the highest
|
|
36
|
+
* version supported.
|
|
37
|
+
*/
|
|
38
|
+
RESULT_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version);
|
|
35
39
|
|
|
36
40
|
/* QUIC only supports TLS1.3 */
|
|
37
41
|
if (s2n_connection_is_quic_enabled(conn) && scheme->maximum_protocol_version) {
|
|
38
|
-
|
|
42
|
+
RESULT_ENSURE_GTE(scheme->maximum_protocol_version, S2N_TLS13);
|
|
39
43
|
}
|
|
40
44
|
|
|
41
45
|
if (!s2n_is_rsa_pss_signing_supported()) {
|
|
42
|
-
|
|
46
|
+
RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_RSAE);
|
|
43
47
|
}
|
|
44
48
|
|
|
45
49
|
if (!s2n_is_rsa_pss_certs_supported()) {
|
|
46
|
-
|
|
50
|
+
RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
|
|
47
51
|
}
|
|
48
52
|
|
|
49
|
-
return
|
|
53
|
+
return S2N_RESULT_OK;
|
|
50
54
|
}
|
|
51
55
|
|
|
52
|
-
static
|
|
56
|
+
static bool s2n_signature_scheme_is_valid_for_send(struct s2n_connection *conn,
|
|
57
|
+
const struct s2n_signature_scheme *scheme)
|
|
53
58
|
{
|
|
54
|
-
|
|
55
|
-
|
|
59
|
+
return s2n_result_is_ok(s2n_signature_scheme_validate_for_send(conn, scheme));
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
static S2N_RESULT s2n_signature_scheme_validate_for_recv(struct s2n_connection *conn,
|
|
63
|
+
const struct s2n_signature_scheme *scheme)
|
|
64
|
+
{
|
|
65
|
+
RESULT_ENSURE_REF(scheme);
|
|
66
|
+
RESULT_ENSURE_REF(conn);
|
|
56
67
|
|
|
57
|
-
|
|
68
|
+
RESULT_GUARD(s2n_signature_scheme_validate_for_send(conn, scheme));
|
|
58
69
|
|
|
59
70
|
if (scheme->maximum_protocol_version != S2N_UNKNOWN_PROTOCOL_VERSION) {
|
|
60
|
-
|
|
71
|
+
RESULT_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version);
|
|
61
72
|
}
|
|
62
73
|
|
|
63
|
-
|
|
74
|
+
RESULT_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION);
|
|
64
75
|
if (conn->actual_protocol_version >= S2N_TLS13) {
|
|
65
|
-
|
|
66
|
-
|
|
76
|
+
RESULT_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1);
|
|
77
|
+
RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA);
|
|
67
78
|
} else {
|
|
68
|
-
|
|
79
|
+
RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
|
|
69
80
|
}
|
|
70
81
|
|
|
71
|
-
return
|
|
82
|
+
return S2N_RESULT_OK;
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
static bool s2n_signature_scheme_is_valid_for_recv(struct s2n_connection *conn,
|
|
86
|
+
const struct s2n_signature_scheme *scheme)
|
|
87
|
+
{
|
|
88
|
+
return s2n_result_is_ok(s2n_signature_scheme_validate_for_recv(conn, scheme));
|
|
72
89
|
}
|
|
73
90
|
|
|
74
91
|
static int s2n_is_signature_scheme_usable(struct s2n_connection *conn, const struct s2n_signature_scheme *candidate)
|
|
@@ -76,14 +93,14 @@ static int s2n_is_signature_scheme_usable(struct s2n_connection *conn, const str
|
|
|
76
93
|
POSIX_ENSURE_REF(conn);
|
|
77
94
|
POSIX_ENSURE_REF(candidate);
|
|
78
95
|
|
|
79
|
-
|
|
96
|
+
POSIX_GUARD_RESULT(s2n_signature_scheme_validate_for_recv(conn, candidate));
|
|
80
97
|
POSIX_GUARD(s2n_is_sig_scheme_valid_for_auth(conn, candidate));
|
|
81
98
|
|
|
82
99
|
return S2N_SUCCESS;
|
|
83
100
|
}
|
|
84
101
|
|
|
85
102
|
static int s2n_choose_sig_scheme(struct s2n_connection *conn, struct s2n_sig_scheme_list *peer_wire_prefs,
|
|
86
|
-
struct s2n_signature_scheme
|
|
103
|
+
const struct s2n_signature_scheme **chosen_scheme_out)
|
|
87
104
|
{
|
|
88
105
|
POSIX_ENSURE_REF(conn);
|
|
89
106
|
POSIX_ENSURE_REF(conn->secure);
|
|
@@ -105,7 +122,7 @@ static int s2n_choose_sig_scheme(struct s2n_connection *conn, struct s2n_sig_sch
|
|
|
105
122
|
uint16_t their_iana_val = peer_wire_prefs->iana_list[j];
|
|
106
123
|
|
|
107
124
|
if (candidate->iana_value == their_iana_val) {
|
|
108
|
-
*chosen_scheme_out =
|
|
125
|
+
*chosen_scheme_out = candidate;
|
|
109
126
|
return S2N_SUCCESS;
|
|
110
127
|
}
|
|
111
128
|
}
|
|
@@ -116,7 +133,8 @@ static int s2n_choose_sig_scheme(struct s2n_connection *conn, struct s2n_sig_sch
|
|
|
116
133
|
}
|
|
117
134
|
|
|
118
135
|
/* similar to s2n_choose_sig_scheme() without matching client's preference */
|
|
119
|
-
int s2n_tls13_default_sig_scheme(struct s2n_connection *conn,
|
|
136
|
+
int s2n_tls13_default_sig_scheme(struct s2n_connection *conn,
|
|
137
|
+
const struct s2n_signature_scheme **chosen_scheme_out)
|
|
120
138
|
{
|
|
121
139
|
POSIX_ENSURE_REF(conn);
|
|
122
140
|
POSIX_ENSURE_REF(conn->secure);
|
|
@@ -135,40 +153,81 @@ int s2n_tls13_default_sig_scheme(struct s2n_connection *conn, struct s2n_signatu
|
|
|
135
153
|
continue;
|
|
136
154
|
}
|
|
137
155
|
|
|
138
|
-
*chosen_scheme_out =
|
|
156
|
+
*chosen_scheme_out = candidate;
|
|
139
157
|
return S2N_SUCCESS;
|
|
140
158
|
}
|
|
141
159
|
|
|
142
160
|
POSIX_BAIL(S2N_ERR_INVALID_SIGNATURE_SCHEME);
|
|
143
161
|
}
|
|
144
162
|
|
|
145
|
-
|
|
146
|
-
struct s2n_signature_scheme
|
|
163
|
+
static S2N_RESULT s2n_signature_algorithms_get_legacy_default(struct s2n_connection *conn,
|
|
164
|
+
const struct s2n_signature_scheme **default_sig_scheme)
|
|
165
|
+
{
|
|
166
|
+
RESULT_ENSURE_REF(conn);
|
|
167
|
+
RESULT_ENSURE_REF(default_sig_scheme);
|
|
168
|
+
|
|
169
|
+
s2n_authentication_method auth_method = 0;
|
|
170
|
+
if (conn->mode == S2N_SERVER) {
|
|
171
|
+
RESULT_GUARD_POSIX(s2n_get_auth_method_for_cert_type(
|
|
172
|
+
conn->handshake_params.client_cert_pkey_type, &auth_method));
|
|
173
|
+
} else {
|
|
174
|
+
RESULT_ENSURE_REF(conn->secure);
|
|
175
|
+
RESULT_ENSURE_REF(conn->secure->cipher_suite);
|
|
176
|
+
auth_method = conn->secure->cipher_suite->auth_method;
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
if (auth_method == S2N_AUTHENTICATION_ECDSA) {
|
|
180
|
+
*default_sig_scheme = &s2n_ecdsa_sha1;
|
|
181
|
+
} else {
|
|
182
|
+
*default_sig_scheme = &s2n_rsa_pkcs1_md5_sha1;
|
|
183
|
+
}
|
|
184
|
+
return S2N_RESULT_OK;
|
|
185
|
+
}
|
|
186
|
+
|
|
187
|
+
S2N_RESULT s2n_signature_algorithm_recv(struct s2n_connection *conn, struct s2n_stuffer *in)
|
|
147
188
|
{
|
|
148
|
-
|
|
149
|
-
|
|
189
|
+
RESULT_ENSURE_REF(conn);
|
|
190
|
+
|
|
191
|
+
const struct s2n_signature_scheme **chosen_sig_scheme = NULL;
|
|
192
|
+
if (conn->mode == S2N_SERVER) {
|
|
193
|
+
chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
|
|
194
|
+
} else {
|
|
195
|
+
chosen_sig_scheme = &conn->handshake_params.server_cert_sig_scheme;
|
|
196
|
+
}
|
|
197
|
+
|
|
198
|
+
/* Before TLS1.2, signature algorithms were fixed instead of negotiated */
|
|
199
|
+
if (conn->actual_protocol_version < S2N_TLS12) {
|
|
200
|
+
return s2n_signature_algorithms_get_legacy_default(conn, chosen_sig_scheme);
|
|
201
|
+
}
|
|
202
|
+
|
|
203
|
+
uint16_t iana_value = 0;
|
|
204
|
+
RESULT_ENSURE(s2n_stuffer_read_uint16(in, &iana_value) == S2N_SUCCESS,
|
|
205
|
+
S2N_ERR_BAD_MESSAGE);
|
|
150
206
|
|
|
151
207
|
const struct s2n_signature_preferences *signature_preferences = NULL;
|
|
152
|
-
|
|
153
|
-
|
|
208
|
+
RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
|
|
209
|
+
RESULT_ENSURE_REF(signature_preferences);
|
|
154
210
|
|
|
155
211
|
for (size_t i = 0; i < signature_preferences->count; i++) {
|
|
156
212
|
const struct s2n_signature_scheme *candidate = signature_preferences->signature_schemes[i];
|
|
157
213
|
|
|
158
|
-
if (
|
|
214
|
+
if (candidate->iana_value != iana_value) {
|
|
159
215
|
continue;
|
|
160
216
|
}
|
|
161
217
|
|
|
162
|
-
if (candidate
|
|
163
|
-
|
|
164
|
-
return S2N_SUCCESS;
|
|
218
|
+
if (!s2n_signature_scheme_is_valid_for_recv(conn, candidate)) {
|
|
219
|
+
continue;
|
|
165
220
|
}
|
|
221
|
+
|
|
222
|
+
*chosen_sig_scheme = candidate;
|
|
223
|
+
return S2N_RESULT_OK;
|
|
166
224
|
}
|
|
167
225
|
|
|
168
|
-
|
|
226
|
+
RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_SCHEME);
|
|
169
227
|
}
|
|
170
228
|
|
|
171
|
-
int s2n_choose_default_sig_scheme(struct s2n_connection *conn,
|
|
229
|
+
int s2n_choose_default_sig_scheme(struct s2n_connection *conn,
|
|
230
|
+
const struct s2n_signature_scheme **sig_scheme_out, s2n_mode signer)
|
|
172
231
|
{
|
|
173
232
|
POSIX_ENSURE_REF(conn);
|
|
174
233
|
POSIX_ENSURE_REF(conn->secure);
|
|
@@ -194,7 +253,7 @@ int s2n_choose_default_sig_scheme(struct s2n_connection *conn, struct s2n_signat
|
|
|
194
253
|
|
|
195
254
|
if (conn->actual_protocol_version < S2N_TLS12) {
|
|
196
255
|
/* Before TLS1.2, signature algorithms were fixed, not chosen / negotiated. */
|
|
197
|
-
*sig_scheme_out =
|
|
256
|
+
*sig_scheme_out = default_sig_scheme;
|
|
198
257
|
return S2N_SUCCESS;
|
|
199
258
|
} else {
|
|
200
259
|
/* If we attempt to negotiate a default in TLS1.2, we should ensure that
|
|
@@ -205,7 +264,7 @@ int s2n_choose_default_sig_scheme(struct s2n_connection *conn, struct s2n_signat
|
|
|
205
264
|
POSIX_ENSURE_REF(signature_preferences);
|
|
206
265
|
for (size_t i = 0; i < signature_preferences->count; i++) {
|
|
207
266
|
if (signature_preferences->signature_schemes[i]->iana_value == default_sig_scheme->iana_value) {
|
|
208
|
-
*sig_scheme_out =
|
|
267
|
+
*sig_scheme_out = default_sig_scheme;
|
|
209
268
|
return S2N_SUCCESS;
|
|
210
269
|
}
|
|
211
270
|
}
|
|
@@ -214,22 +273,19 @@ int s2n_choose_default_sig_scheme(struct s2n_connection *conn, struct s2n_signat
|
|
|
214
273
|
* is actually necessary.
|
|
215
274
|
* If no valid default exists, set an unusable, invalid empty scheme.
|
|
216
275
|
*/
|
|
217
|
-
*sig_scheme_out =
|
|
218
|
-
.hash_alg = S2N_HASH_NONE,
|
|
219
|
-
.sig_alg = S2N_SIGNATURE_ANONYMOUS,
|
|
220
|
-
};
|
|
276
|
+
*sig_scheme_out = &s2n_null_sig_scheme;
|
|
221
277
|
return S2N_SUCCESS;
|
|
222
278
|
}
|
|
223
|
-
|
|
224
279
|
}
|
|
225
280
|
|
|
226
|
-
int s2n_choose_sig_scheme_from_peer_preference_list(struct s2n_connection *conn,
|
|
227
|
-
struct
|
|
281
|
+
int s2n_choose_sig_scheme_from_peer_preference_list(struct s2n_connection *conn,
|
|
282
|
+
struct s2n_sig_scheme_list *peer_wire_prefs,
|
|
283
|
+
const struct s2n_signature_scheme **sig_scheme_out)
|
|
228
284
|
{
|
|
229
285
|
POSIX_ENSURE_REF(conn);
|
|
230
286
|
POSIX_ENSURE_REF(sig_scheme_out);
|
|
231
287
|
|
|
232
|
-
struct s2n_signature_scheme chosen_scheme =
|
|
288
|
+
const struct s2n_signature_scheme *chosen_scheme = &s2n_null_sig_scheme;
|
|
233
289
|
if (conn->actual_protocol_version < S2N_TLS13) {
|
|
234
290
|
POSIX_GUARD(s2n_choose_default_sig_scheme(conn, &chosen_scheme, conn->mode));
|
|
235
291
|
} else {
|
|
@@ -247,42 +303,25 @@ int s2n_choose_sig_scheme_from_peer_preference_list(struct s2n_connection *conn,
|
|
|
247
303
|
return S2N_SUCCESS;
|
|
248
304
|
}
|
|
249
305
|
|
|
250
|
-
|
|
306
|
+
S2N_RESULT s2n_signature_algorithms_supported_list_send(struct s2n_connection *conn, struct s2n_stuffer *out)
|
|
251
307
|
{
|
|
252
308
|
const struct s2n_signature_preferences *signature_preferences = NULL;
|
|
253
|
-
|
|
254
|
-
|
|
309
|
+
RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
|
|
310
|
+
RESULT_ENSURE_REF(signature_preferences);
|
|
255
311
|
|
|
256
|
-
|
|
312
|
+
struct s2n_stuffer_reservation size = { 0 };
|
|
313
|
+
RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(out, &size));
|
|
257
314
|
|
|
258
315
|
for (size_t i = 0; i < signature_preferences->count; i++) {
|
|
259
316
|
const struct s2n_signature_scheme *const scheme = signature_preferences->signature_schemes[i];
|
|
260
|
-
|
|
261
|
-
|
|
317
|
+
RESULT_ENSURE_REF(scheme);
|
|
318
|
+
if (s2n_signature_scheme_is_valid_for_send(conn, scheme)) {
|
|
319
|
+
RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(out, scheme->iana_value));
|
|
262
320
|
}
|
|
263
321
|
}
|
|
322
|
+
RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&size));
|
|
264
323
|
|
|
265
|
-
return
|
|
266
|
-
}
|
|
267
|
-
|
|
268
|
-
int s2n_supported_sig_scheme_list_size(struct s2n_connection *conn)
|
|
269
|
-
{
|
|
270
|
-
return s2n_supported_sig_schemes_count(conn) * TLS_SIGNATURE_SCHEME_LEN;
|
|
271
|
-
}
|
|
272
|
-
|
|
273
|
-
int s2n_supported_sig_schemes_count(struct s2n_connection *conn)
|
|
274
|
-
{
|
|
275
|
-
const struct s2n_signature_preferences *signature_preferences = NULL;
|
|
276
|
-
POSIX_GUARD(s2n_connection_get_signature_preferences(conn, &signature_preferences));
|
|
277
|
-
POSIX_ENSURE_REF(signature_preferences);
|
|
278
|
-
|
|
279
|
-
uint8_t count = 0;
|
|
280
|
-
for (size_t i = 0; i < signature_preferences->count; i++) {
|
|
281
|
-
if (0 == s2n_signature_scheme_valid_to_offer(conn, signature_preferences->signature_schemes[i])) {
|
|
282
|
-
count++;
|
|
283
|
-
}
|
|
284
|
-
}
|
|
285
|
-
return count;
|
|
324
|
+
return S2N_RESULT_OK;
|
|
286
325
|
}
|
|
287
326
|
|
|
288
327
|
int s2n_recv_supported_sig_scheme_list(struct s2n_stuffer *in, struct s2n_sig_scheme_list *sig_hash_algs)
|
|
@@ -28,15 +28,17 @@ struct s2n_sig_scheme_list {
|
|
|
28
28
|
uint8_t len;
|
|
29
29
|
};
|
|
30
30
|
|
|
31
|
-
int s2n_choose_default_sig_scheme(struct s2n_connection *conn,
|
|
32
|
-
|
|
31
|
+
int s2n_choose_default_sig_scheme(struct s2n_connection *conn,
|
|
32
|
+
const struct s2n_signature_scheme **sig_scheme_out, s2n_mode signer);
|
|
33
|
+
int s2n_tls13_default_sig_scheme(struct s2n_connection *conn,
|
|
34
|
+
const struct s2n_signature_scheme **sig_scheme_out);
|
|
33
35
|
|
|
34
|
-
int s2n_choose_sig_scheme_from_peer_preference_list(struct s2n_connection *conn,
|
|
35
|
-
struct
|
|
36
|
-
|
|
37
|
-
|
|
36
|
+
int s2n_choose_sig_scheme_from_peer_preference_list(struct s2n_connection *conn,
|
|
37
|
+
struct s2n_sig_scheme_list *sig_hash_algs,
|
|
38
|
+
const struct s2n_signature_scheme **sig_scheme_out);
|
|
39
|
+
|
|
40
|
+
S2N_RESULT s2n_signature_algorithm_recv(struct s2n_connection *conn, struct s2n_stuffer *in);
|
|
38
41
|
|
|
39
42
|
int s2n_recv_supported_sig_scheme_list(struct s2n_stuffer *in, struct s2n_sig_scheme_list *sig_hash_algs);
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
int s2n_supported_sig_scheme_list_size(struct s2n_connection *conn);
|
|
43
|
+
S2N_RESULT s2n_signature_algorithms_supported_list_send(struct s2n_connection *conn,
|
|
44
|
+
struct s2n_stuffer *out);
|
|
@@ -22,6 +22,15 @@
|
|
|
22
22
|
#include "tls/s2n_connection.h"
|
|
23
23
|
#include "utils/s2n_safety.h"
|
|
24
24
|
|
|
25
|
+
const struct s2n_signature_scheme s2n_null_sig_scheme = {
|
|
26
|
+
.iana_value = 0,
|
|
27
|
+
.hash_alg = S2N_HASH_NONE,
|
|
28
|
+
.sig_alg = S2N_SIGNATURE_ANONYMOUS,
|
|
29
|
+
.libcrypto_nid = 0,
|
|
30
|
+
.signature_curve = NULL,
|
|
31
|
+
.maximum_protocol_version = 0,
|
|
32
|
+
};
|
|
33
|
+
|
|
25
34
|
/* RSA PKCS1 */
|
|
26
35
|
const struct s2n_signature_scheme s2n_rsa_pkcs1_md5_sha1 = {
|
|
27
36
|
.iana_value = TLS_SIGNATURE_SCHEME_PRIVATE_INTERNAL_RSA_PKCS1_MD5_SHA1,
|
|
@@ -39,6 +39,8 @@ struct s2n_signature_preferences {
|
|
|
39
39
|
const struct s2n_signature_scheme *const *signature_schemes;
|
|
40
40
|
};
|
|
41
41
|
|
|
42
|
+
extern const struct s2n_signature_scheme s2n_null_sig_scheme;
|
|
43
|
+
|
|
42
44
|
/* RSA PKCS1 */
|
|
43
45
|
/* s2n_rsa_pkcs1_md5_sha1 is not in any preference list, but it is needed since it's the default for TLS 1.0 and 1.1 if
|
|
44
46
|
* no SignatureScheme is sent. */
|
|
@@ -49,12 +49,12 @@ const uint8_t S2N_CLIENT_CERT_VERIFY_CONTEXT[] = { 0x54, 0x4c, 0x53, 0x20, 0x31,
|
|
|
49
49
|
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00 };
|
|
50
50
|
|
|
51
51
|
static int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
|
|
52
|
-
struct s2n_signature_scheme *chosen_sig_scheme);
|
|
52
|
+
const struct s2n_signature_scheme *chosen_sig_scheme);
|
|
53
53
|
static int s2n_tls13_write_signature(struct s2n_connection *conn, struct s2n_blob *signature);
|
|
54
54
|
static int s2n_tls13_generate_unsigned_cert_verify_content(struct s2n_connection *conn,
|
|
55
55
|
struct s2n_stuffer *unsigned_content, s2n_mode mode);
|
|
56
56
|
static int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
|
|
57
|
-
struct s2n_signature_scheme *chosen_sig_scheme);
|
|
57
|
+
const struct s2n_signature_scheme *chosen_sig_scheme);
|
|
58
58
|
static uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode);
|
|
59
59
|
|
|
60
60
|
int s2n_tls13_cert_verify_send(struct s2n_connection *conn)
|
|
@@ -63,16 +63,17 @@ int s2n_tls13_cert_verify_send(struct s2n_connection *conn)
|
|
|
63
63
|
|
|
64
64
|
if (conn->mode == S2N_SERVER) {
|
|
65
65
|
/* Write digital signature */
|
|
66
|
-
POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn,
|
|
66
|
+
POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.server_cert_sig_scheme));
|
|
67
67
|
} else {
|
|
68
68
|
/* Write digital signature */
|
|
69
|
-
POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn,
|
|
69
|
+
POSIX_GUARD(s2n_tls13_write_cert_verify_signature(conn, conn->handshake_params.client_cert_sig_scheme));
|
|
70
70
|
}
|
|
71
71
|
|
|
72
72
|
return 0;
|
|
73
73
|
}
|
|
74
74
|
|
|
75
|
-
int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
|
|
75
|
+
int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
|
|
76
|
+
const struct s2n_signature_scheme *chosen_sig_scheme)
|
|
76
77
|
{
|
|
77
78
|
POSIX_ENSURE_REF(conn->handshake_params.our_chain_and_key);
|
|
78
79
|
|
|
@@ -144,28 +145,21 @@ uint8_t s2n_tls13_cert_verify_header_length(s2n_mode mode)
|
|
|
144
145
|
|
|
145
146
|
int s2n_tls13_cert_verify_recv(struct s2n_connection *conn)
|
|
146
147
|
{
|
|
148
|
+
POSIX_GUARD_RESULT(s2n_signature_algorithm_recv(conn, &conn->handshake.io));
|
|
149
|
+
/* Read the rest of the signature and verify */
|
|
147
150
|
if (conn->mode == S2N_SERVER) {
|
|
148
|
-
/* Read the algorithm and update sig_scheme */
|
|
149
|
-
POSIX_GUARD(s2n_get_and_validate_negotiated_signature_scheme(conn, &conn->handshake.io,
|
|
150
|
-
&conn->handshake_params.client_cert_sig_scheme));
|
|
151
|
-
|
|
152
|
-
/* Read the rest of the signature and verify */
|
|
153
151
|
POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
|
|
154
|
-
|
|
152
|
+
conn->handshake_params.client_cert_sig_scheme));
|
|
155
153
|
} else {
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
&conn->handshake_params.conn_sig_scheme));
|
|
159
|
-
|
|
160
|
-
/* Read the rest of the signature and verify */
|
|
161
|
-
POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn, &conn->handshake_params.conn_sig_scheme));
|
|
154
|
+
POSIX_GUARD(s2n_tls13_cert_read_and_verify_signature(conn,
|
|
155
|
+
conn->handshake_params.server_cert_sig_scheme));
|
|
162
156
|
}
|
|
163
157
|
|
|
164
158
|
return 0;
|
|
165
159
|
}
|
|
166
160
|
|
|
167
161
|
int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
|
|
168
|
-
struct s2n_signature_scheme *chosen_sig_scheme)
|
|
162
|
+
const struct s2n_signature_scheme *chosen_sig_scheme)
|
|
169
163
|
{
|
|
170
164
|
struct s2n_stuffer *in = &conn->handshake.io;
|
|
171
165
|
DEFER_CLEANUP(struct s2n_blob signed_content = { 0 }, s2n_free);
|