Merge branch 'main' into ktls_tls13_1

aws · Dec 12, 2023 · 7702d6c · 7702d6c
2 parents f98c927 + 72aa95d
commit 7702d6c
Show file tree

Hide file tree

Showing 16 changed files with 71 additions and 41 deletions.
diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
@@ -78,7 +78,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v3
       - name: pep8 exp
-        uses: harrisonkaiser/autopep8_action@python-latest
+        uses: lrstewart/autopep8_action@python-latest
         with:
           dry: true
           checkpath: ./tests/integrationv2/*.py

diff --git a/.github/workflows/ci_rust.yml b/.github/workflows/ci_rust.yml
@@ -59,6 +59,29 @@ jobs:
           ./generate.sh
           ldd target/debug/integration | grep libs2n.so
 
+  # our benchmark testing includes interop tests between s2n-tls, rustls, and
+  # openssl
+  harness-interop-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions-rs/toolchain@v1
+        id: toolchain
+        with:
+          toolchain: stable
+          override: true
+
+      - name: generate bindings
+        run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      - name: generate test certs
+        run: ${{env.ROOT_PATH}}/bench/scripts/generate-certs.sh
+
+      - name: bench tests
+        working-directory: ${{env.ROOT_PATH}}/bench
+        run: cargo test
+
   generate-openssl-102:
     runs-on: ubuntu-latest
     steps:

diff --git a/bindings/rust/bench/scripts/generate-certs.sh b/bindings/rust/bench/scripts/generate-certs.sh
@@ -11,6 +11,7 @@
 set -e
 
 # go to directory certs are located
+mkdir -p "$(dirname "$0")"/../certs
 pushd "$(dirname "$0")"/../certs > /dev/null
 
 # Generates certs with given algorithms and bits in $1$2/, ex. ec384/

diff --git a/bindings/rust/bench/src/s2n_tls.rs b/bindings/rust/bench/src/s2n_tls.rs
@@ -29,10 +29,10 @@ use std::{
 
 /// Custom callback for verifying hostnames. Rustls requires checking hostnames,
 /// so this is to make a fair comparison
-struct HostNameHandler<'a> {
-    expected_server_name: &'a str,
+struct HostNameHandler {
+    expected_server_name: &'static str,
 }
-impl VerifyHostNameCallback for HostNameHandler<'_> {
+impl VerifyHostNameCallback for HostNameHandler {
     fn verify_host_name(&self, hostname: &str) -> bool {
         self.expected_server_name == hostname
     }

diff --git a/bindings/rust/generate.sh b/bindings/rust/generate.sh
@@ -38,6 +38,11 @@ pushd generate
 cargo run -- ../s2n-tls-sys
 popd
 
+if [ "$1" == "--skip-tests" ]; then
+    echo "skipping tests"
+    exit;
+fi;
+
 # make sure everything builds and passes sanity checks
 pushd s2n-tls-sys
 cargo test

diff --git a/bindings/rust/s2n-tls-sys/templates/Cargo.template b/bindings/rust/s2n-tls-sys/templates/Cargo.template
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.0.41"
+version = "0.1.0"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-tokio"
 description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
-version = "0.0.41"
+version = "0.1.0"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -15,7 +15,7 @@ default = []
 errno = { version = "0.3" }
 libc = { version = "0.2" }
 pin-project-lite = { version = "0.2" }
-s2n-tls = { version = "=0.0.41", path = "../s2n-tls" }
+s2n-tls = { version = "=0.1.0", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]

diff --git a/bindings/rust/s2n-tls/Cargo.toml b/bindings/rust/s2n-tls/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.0.41"
+version = "0.1.0"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -19,7 +19,7 @@ testing = ["bytes"]
 bytes = { version = "1", optional = true }
 errno = { version = "0.3" }
 libc = "0.2"
-s2n-tls-sys = { version = "=0.0.41", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.1.0", path = "../s2n-tls-sys", features = ["internal"] }
 pin-project-lite = "0.2"
 hex = "0.4"
 

diff --git a/tests/unit/s2n_key_update_threads_test.c b/tests/unit/s2n_key_update_threads_test.c
@@ -106,13 +106,7 @@ static S2N_RESULT s2n_send_and_recv_random_data(struct s2n_connection *conn)
 static S2N_RESULT s2n_sanity_check_key_updates_sent(struct s2n_connection *conn)
 {
     struct s2n_blob seq_num_blob = { 0 };
-    if (conn->mode == S2N_CLIENT) {
-        RESULT_GUARD_POSIX(s2n_blob_init(&seq_num_blob, conn->secure->client_sequence_number,
-                sizeof(conn->secure->client_sequence_number)));
-    } else {
-        RESULT_GUARD_POSIX(s2n_blob_init(&seq_num_blob, conn->secure->server_sequence_number,
-                sizeof(conn->secure->server_sequence_number)));
-    }
+    RESULT_GUARD(s2n_connection_get_sequence_number(conn, conn->mode, &seq_num_blob));
 
     uint64_t seq_num = 0;
     RESULT_GUARD_POSIX(s2n_sequence_number_to_uint64(&seq_num_blob, &seq_num));

diff --git a/tls/s2n_connection.c b/tls/s2n_connection.c
@@ -1666,3 +1666,26 @@ S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const s
     *cipher = conn->secure->cipher_suite->record_alg->cipher;
     return S2N_RESULT_OK;
 }
+
+S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
+        s2n_mode mode, struct s2n_blob *seq_num)
+{
+    RESULT_ENSURE_REF(conn);
+    RESULT_ENSURE_REF(seq_num);
+    RESULT_ENSURE_REF(conn->secure);
+
+    switch (mode) {
+        case S2N_CLIENT:
+            RESULT_GUARD_POSIX(s2n_blob_init(seq_num, conn->secure->client_sequence_number,
+                    sizeof(conn->secure->client_sequence_number)));
+            break;
+        case S2N_SERVER:
+            RESULT_GUARD_POSIX(s2n_blob_init(seq_num, conn->secure->server_sequence_number,
+                    sizeof(conn->secure->server_sequence_number)));
+            break;
+        default:
+            RESULT_BAIL(S2N_ERR_SAFETY);
+    }
+
+    return S2N_RESULT_OK;
+}
diff --git a/tls/s2n_connection.h b/tls/s2n_connection.h
@@ -422,3 +422,5 @@ int s2n_connection_get_peer_cert_chain(const struct s2n_connection *conn, struct
 uint8_t s2n_connection_get_protocol_version(const struct s2n_connection *conn);
 S2N_RESULT s2n_connection_set_max_fragment_length(struct s2n_connection *conn, uint16_t length);
 S2N_RESULT s2n_connection_get_secure_cipher(struct s2n_connection *conn, const struct s2n_cipher **cipher);
+S2N_RESULT s2n_connection_get_sequence_number(struct s2n_connection *conn,
+        s2n_mode mode, struct s2n_blob *seq_num);
diff --git a/tls/s2n_key_update.c b/tls/s2n_key_update.c
@@ -67,12 +67,7 @@ int s2n_key_update_send(struct s2n_connection *conn, s2n_blocked_status *blocked
     POSIX_ENSURE_GTE(conn->actual_protocol_version, S2N_TLS13);
 
     struct s2n_blob sequence_number = { 0 };
-    if (conn->mode == S2N_CLIENT) {
-        POSIX_GUARD(s2n_blob_init(&sequence_number, conn->secure->client_sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
-    } else {
-        POSIX_GUARD(s2n_blob_init(&sequence_number, conn->secure->server_sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
-    }
-
+    POSIX_GUARD_RESULT(s2n_connection_get_sequence_number(conn, conn->mode, &sequence_number));
     POSIX_GUARD(s2n_check_record_limit(conn, &sequence_number));
 
     if (s2n_atomic_flag_test(&conn->key_update_pending)) {

diff --git a/tls/s2n_ktls.c b/tls/s2n_ktls.c
@@ -175,15 +175,12 @@ static S2N_RESULT s2n_ktls_crypto_info_init(struct s2n_connection *conn, s2n_ktl
         inputs.key = key_material.client_key;
         RESULT_GUARD_POSIX(s2n_blob_init(&inputs.iv,
                 secure->client_implicit_iv, sizeof(secure->client_implicit_iv)));
-        RESULT_GUARD_POSIX(s2n_blob_init(&inputs.seq,
-                secure->client_sequence_number, sizeof(secure->client_sequence_number)));
     } else {
         inputs.key = key_material.server_key;
         RESULT_GUARD_POSIX(s2n_blob_init(&inputs.iv,
                 secure->server_implicit_iv, sizeof(secure->server_implicit_iv)));
-        RESULT_GUARD_POSIX(s2n_blob_init(&inputs.seq,
-                secure->server_sequence_number, sizeof(secure->server_sequence_number)));
     }
+    RESULT_GUARD(s2n_connection_get_sequence_number(conn, key_mode, &inputs.seq));
 
     const struct s2n_cipher *cipher = NULL;
     RESULT_GUARD(s2n_connection_get_secure_cipher(conn, &cipher));

diff --git a/tls/s2n_tls13_handshake.c b/tls/s2n_tls13_handshake.c
@@ -24,11 +24,7 @@ static int s2n_zero_sequence_number(struct s2n_connection *conn, s2n_mode mode)
     POSIX_ENSURE_REF(conn);
     POSIX_ENSURE_REF(conn->secure);
     struct s2n_blob sequence_number = { 0 };
-    if (mode == S2N_CLIENT) {
-        POSIX_GUARD(s2n_blob_init(&sequence_number, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
-    } else {
-        POSIX_GUARD(s2n_blob_init(&sequence_number, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number)));
-    }
+    POSIX_GUARD_RESULT(s2n_connection_get_sequence_number(conn, mode, &sequence_number));
     POSIX_GUARD(s2n_blob_zero(&sequence_number));
     return S2N_SUCCESS;
 }

diff --git a/tls/s2n_tls13_key_schedule.c b/tls/s2n_tls13_key_schedule.c
@@ -37,13 +37,7 @@ static S2N_RESULT s2n_zero_sequence_number(struct s2n_connection *conn, s2n_mode
     RESULT_ENSURE_REF(conn);
     RESULT_ENSURE_REF(conn->secure);
     struct s2n_blob sequence_number = { 0 };
-    if (mode == S2N_CLIENT) {
-        RESULT_GUARD_POSIX(s2n_blob_init(&sequence_number,
-                conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
-    } else {
-        RESULT_GUARD_POSIX(s2n_blob_init(&sequence_number,
-                conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number)));
-    }
+    RESULT_GUARD(s2n_connection_get_sequence_number(conn, mode, &sequence_number));
     RESULT_GUARD_POSIX(s2n_blob_zero(&sequence_number));
     return S2N_RESULT_OK;
 }

diff --git a/utils/s2n_random.c b/utils/s2n_random.c
@@ -613,14 +613,14 @@ static int s2n_rand_rdrand_impl(void *data, uint32_t size)
             __asm__ __volatile__(
                     ".byte 0x0f, 0xc7, 0xf0;\n"
                     "setc %b1;\n"
-                    : "=a"(output.i386_fields.u_low), "=qm"(success_low)
+                    : "=&a"(output.i386_fields.u_low), "=qm"(success_low)
                     :
                     : "cc");
 
             __asm__ __volatile__(
                     ".byte 0x0f, 0xc7, 0xf0;\n"
                     "setc %b1;\n"
-                    : "=a"(output.i386_fields.u_high), "=qm"(success_high)
+                    : "=&a"(output.i386_fields.u_high), "=qm"(success_high)
                     :
                     : "cc");
             /* cppcheck-suppress knownConditionTrueFalse */
@@ -644,7 +644,7 @@ static int s2n_rand_rdrand_impl(void *data, uint32_t size)
             __asm__ __volatile__(
                     ".byte 0x48, 0x0f, 0xc7, 0xf0;\n"
                     "setc %b1;\n"
-                    : "=a"(output.u64), "=qm"(success)
+                    : "=&a"(output.u64), "=qm"(success)
                     :
                     : "cc");
     #endif /* defined(__i386__) */