Merge branch 'main' into dependabot/github_actions/dot-github/workflo…

…ws/aws-actions/configure-aws-credentials-4.0.2

.github/workflows/bench.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read  # This is required for actions/checkout
       id-token: write # This is required for requesting the JWT
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup Python
         uses: actions/setup-python@v1

.github/workflows/ci_compliance.yml

@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone s2n-tls
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Clone s2n-quic
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: aws/s2n-quic
           path: ./s2n-quic

.github/workflows/ci_freebsd.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     name: CI FreeBSD
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Build and test in FreeBSD
         id: test
         uses: vmactions/freebsd-vm@v1

.github/workflows/ci_linting.yml

@@ -15,7 +15,7 @@ jobs:
     env:
       CPPCHECK_INSTALL_DIR: test-deps/cppcheck
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -38,7 +38,7 @@ jobs:
   headers:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -49,7 +49,7 @@ jobs:
   simple-mistakes:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -60,7 +60,7 @@ jobs:
   comments:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup
         run: source ./codebuild/bin/s2n_setup_env.sh
@@ -76,7 +76,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run autopep8
         id: autopep8
         uses: peter-evans/autopep8@v2
@@ -90,7 +90,7 @@ jobs:
   clang-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: clang-format check
         uses: harrisonkaiser/clang-format-action@verbose
         with:
@@ -100,7 +100,7 @@ jobs:
     # The nix develop changes contain broken nixpkg dependenecies; the allow/impure flags workaround this.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: nixbuild/nix-quick-install-action@v29
         with:
           nix_conf: experimental-features = nix-command flakes
@@ -109,7 +109,7 @@ jobs:
   nixfmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: nixbuild/nix-quick-install-action@v29
         with:
           nix_conf: experimental-features = nix-command flakes

.github/workflows/ci_rust.yml

@@ -24,7 +24,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macOS-latest]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -87,7 +87,7 @@ jobs:
   harness-interop-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -105,7 +105,7 @@ jobs:
   s2n-tls-binding-examples:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -123,7 +123,7 @@ jobs:
   generate-openssl-102:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Rust toolchain
         id: toolchain
@@ -174,7 +174,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, macOS-latest]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -213,7 +213,7 @@ jobs:
   rustfmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -237,7 +237,7 @@ jobs:
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -267,7 +267,7 @@ jobs:
   msrv:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
       # Enforce crate msrv matches rust-toolchain
@@ -283,7 +283,7 @@ jobs:
   pcaps:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

.github/workflows/codeql.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

.github/workflows/dashboard.yml

@@ -12,9 +12,9 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check out GitHub Pages branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: 'gh-pages'
 

.github/workflows/docs.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Create Documentation
         run: |
             .github/s2n_doxygen.sh

.github/workflows/gha_osx_tests.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout Dependencies
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Prebuild
         run: |

.github/workflows/private_sync.yml

@@ -9,7 +9,7 @@ jobs:
     if: contains(github.repository, 'aws/s2n-tls')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
           fetch-depth: 0

.github/workflows/proof_ci.yaml

@@ -32,7 +32,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Check out repository and submodules recursively
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: 'recursive'
       - name: Parse config file

bindings/rust/README.md

@@ -20,6 +20,9 @@ Generating rust bindings can be accomplished by running the `generate.sh` script
 $ ./bindings/rust/generate.sh
 ```
 
+This script generates the low-level bindings in the crate `s2n-tls-sys`, which is used by the `s2n-tls` crate to provide higher-level bindings.
+See [s2n-tls-sys](https://github.com/aws/s2n-tls/blob/main/bindings/rust/s2n-tls-sys/README.md) for more information on `s2n-tls-sys` crate.
+
 ## Minimum Supported Rust Version (MSRV)
 
 `s2n-tls` will maintain a rolling MSRV (minimum supported rust version) policy of at least 6 months. The current s2n-quic version is not guaranteed to build on Rust versions earlier than the MSRV.

bindings/rust/s2n-tls-sys/README.md

@@ -1,3 +1,37 @@
-This crates provides low level rust bindings for [s2n-tls](https://github.com/aws/s2n-tls) which are autogenerated with [bindgen](https://github.com/rust-lang/rust-bindgen)
+This crate provides low level rust bindings for [s2n-tls](https://github.com/aws/s2n-tls) which are autogenerated with [bindgen](https://github.com/rust-lang/rust-bindgen)
 
-This crate is not intended for direct consumption by end consumers. Interested developers should instead look at the [s2n-tls](https://crates.io/crates/s2n-tls) or [s2n-tls-tokio](https://crates.io/crates/s2n-tls-tokio) crates. These  provide higher-level, more ergonomic bindings than the `s2n-tls-sys` crate.
+This crate is not intended for direct consumption by end consumers. Interested developers should instead look at the [s2n-tls](https://crates.io/crates/s2n-tls) or [s2n-tls-tokio](https://crates.io/crates/s2n-tls-tokio) crates. These provide higher-level, more ergonomic bindings than the `s2n-tls-sys` crate.
+
+The `s2n-tls-sys` bindings crate contains the raw C code of `s2n-tls`. By default, it follows this build process:
+
+1. Use the system C compiler to build `libs2n.a`
+2. Link the built `libs2n.a` to the Rust bindings
+3. Link against `aws-lc` through the `aws-lc-rs` crate
+
+## Bring your own libs2n with `s2n-tls-sys` crate
+
+You can customize above build process to use your own pre-built libs2n. This is useful if you want the bindings to be built with a non-default libcrypto. Currently, the default libcrypto when generating rust bindings is `aws-lc`. Here's how you can do that:
+
+1. Clone [s2n-tls](https://github.com/aws/s2n-tls) and compile your preferred configuration of s2n-tls.
+
+You may choose to link against a specific libcrypto at this step. For more information, see [Building with a specific libcrypto](https://github.com/aws/s2n-tls/blob/main/docs/BUILD.md#building-with-a-specific-libcrypto).
+Also see [Building s2n-tls](https://github.com/aws/s2n-tls/blob/main/docs/BUILD.md#building-s2n-tls) for further guidance on configuring s2n-tls for your own use case.
+
+2. `cd` into your rust project and set environment variables to your libs2n artifacts. 
+
+This tells the bindings to link to pre-built libs2n when running the build script for s2n-tls-sys
+```
+export S2N_TLS_LIB_DIR=<PATH_TO_ROOT_OF_S2N_TLS>/build/lib
+export S2N_TLS_INCLUDE_DIR=<PATH_TO_ROOT_OF_S2N_TLS>/api
+export LD_LIBRARY_PATH=$S2N_TLS_LIB_DIR:$LD_LIBRARY_PATH
+```
+
+`S2N_TLS_LIB_DIR` points to the folder containing `libs2n.a`/`libs2n.so` artifact that you would like s2n-tls-sys to link against.
+`S2N_TLS_INCLUDE_DIR` points to the folder containing header files for `libs2n.a`/`libs2n.so` artifact.
+`LD_LIBRARY_PATH` adds the path to `libs2n.a`/`libs2n.so` artifact for dynamic linker's search path.
+
+3. Build your project. This triggers the build script for s2n-tls-sys
+
+```
+cargo build
+```

codebuild/spec/buildspec_al2023_ktls.yml

@@ -0,0 +1,26 @@
+---
+# This is designed to work with CodeBuild's reserved instances fleet and curated Ec2 AMI for AL2023.
+version: 0.2
+env:
+  variables:
+    NIX_CACHE_BUCKET: "s3://s2n-tls-nixcachebucket-x86-64?region=us-west-2"
+    S2N_KTLS_TESTING_EXPECTED: 1
+phases:
+  install:
+    commands:
+      - yum update -y; yum upgrade -y
+  pre_build:
+    commands:
+      # Nix is installed, but intentionally not setup for root, fix that
+      - cp -aR /home/nix/.nix-profile ~/; chown -R root /root/.nix-profile; export PATH=$HOME/.nix-profile/bin:$PATH
+      # Turn on flakes
+      - mkdir -p ~/.config/nix; echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+      # Populate the store from the nix cache
+      - nix copy --from $NIX_CACHE_BUCKET --all  --no-check-sigs
+      # Load the TLS kernel module
+      - sudo modprobe tls
+      - echo "Checking that the TLS kernel mod loaded..."; test $(sudo lsmod|grep -c tls) = 1
+  build:
+    commands:
+      - nix develop .#openssl111 --command bash -c  'source ./nix/shell.sh && clean && configure && unit'
+      - S2N_CMAKE_OPTIONS="-DASAN=ON" nix develop .#openssl111 --command bash -c  'source ./nix/shell.sh && clean && configure && unit'

codebuild/spec/buildspec_generalbatch.yml

@@ -388,17 +388,3 @@ batch:
         privileged-mode: true
         compute-type: BUILD_GENERAL1_LARGE
         image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild
-    - identifier: ktls
-      buildspec: codebuild/spec/buildspec_ktls.yml
-      env:
-        compute-type: BUILD_GENERAL1_LARGE
-        image: aws/codebuild/standard:7.0
-        privileged-mode: true
-    - identifier: ktlsASAN
-      buildspec: codebuild/spec/buildspec_ktls.yml
-      env:
-        compute-type: BUILD_GENERAL1_LARGE
-        image: aws/codebuild/standard:7.0
-        privileged-mode: true
-        variables:
-            S2N_CMAKE_OPTIONS: "-DASAN=ON"

tests/unit/s2n_alerts_protocol_test.c

@@ -270,8 +270,8 @@ int main(int argc, char **argv)
                 case S2N_ERR_CERT_UNTRUSTED:
                     EXPECT_SUCCESS(s2n_connection_set_config(client, untrusted_config));
 
-                    EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server, client),
-                            S2N_ERR_CERT_UNTRUSTED);
+                    EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server, client),
+                            S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN);
 
                     failed_conn = client;
                     closed_conn = server;

tests/unit/s2n_mutual_auth_test.c

@@ -369,8 +369,8 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_set_io_pair(client_conn, &io_pair));
             EXPECT_SUCCESS(s2n_connection_set_io_pair(server_conn, &io_pair));
 
-            EXPECT_FAILURE_WITH_ERRNO(s2n_negotiate_test_server_and_client(server_conn, client_conn),
-                    S2N_ERR_CERT_UNTRUSTED);
+            EXPECT_FAILURE_WITH_ALERT(s2n_negotiate_test_server_and_client(server_conn, client_conn),
+                    S2N_ERR_CERT_UNTRUSTED, S2N_TLS_ALERT_CERTIFICATE_UNKNOWN);
 
             /* Ensure that a client certificate was received on the server, indicating that the
              * validation error occurred when processing the client's certificate, rather than the