File s2n.changes of Package s2n
-------------------------------------------------------------------
Tue May 6 12:44:35 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.18
* build: add -Wa,-mbranches-within-32B-boundaries compiler flag (#5267)
* build(deps): bump JulienKode/team-labeler-action from 1.3.0 to 2.0.0
in /.github/workflows in the all-gha-updates group (#5252)
* refactor: remove unused hash methods (#5269)
* Add 20250414 security policy (#5253)
* feature: add support for configuring (but not yet using) ml-dsa certs (#5263)
* tests: add ml-dsa test certs from RFC (#5261)
* refactor: cleanup hash to better support multiple implementations (#5258)
* chore: bindings release 0.3.17 (#5260)
* chore: add new team member (#5259)
* ci: add awslcfips to nix jobs (#5205)
* chore(ci): revert nix installer pin (#5251)
-------------------------------------------------------------------
Wed Apr 23 12:43:13 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.17
* ci: use correct openssl version for updated AL2023 version (#5255)
* ci: pytest generate junit reports (#5235)
* feat: Expose `as_ptr()` for external build (#5229)
* doc: tainted stuffer reset operation (#5231)
* fix: make -fPIC flag private (#5227)
* Revert "ci: exclude new setuptools (#5215)" (#5226)
* refactor: remove legacy pkey impls (#5241)
* chore: bindings release 0.3.16 (#5242)
* fix: tainted handshake.io and add large client hello test (#5208)
* ci: rebalance integV2 testcases (#5232)
* chore: Fix new clippy warning (#5243)
* ci: pin nix installer to older version (#5245)
-------------------------------------------------------------------
Wed Apr 9 09:16:43 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.16
* ci: add ruff linting (#5182)
* feat(bindings): expose certificate match api (#5220)
* refactor: add evp pkey size/encrypt/decrypt methods (#5225)
* ci: add openssl-3.0-fips to general batch (#5207)
* refactor: implement match the same for all pkeys (#5224)
* ci: Fix cppcheck build (#5238)
* fix: tighten session ticket lifetime (#5217)
* refactor(bindings): use implicit linking for aws-lc (#5218)
* docs: fix openssl-3.0-fips provider requirements documentation (#5214)
* ci: add openssl-3.0-fips to valgrind (#5211)
* chore: bindings release 0.3.15 (#5221)
* feat: add s2n_connection_get_key_exchange_group (#5209)
* fix: Update README.md to include Rust bindings docs (#5212)
* ci: exclude new setuptools (#5215)
* Remove PQ TLS 1.2 from all Security Policies (#5194)
* chore: binding release 0.3.14 (#5210)
* chore: deprecate s2n_set (#5155)
* fix: handshake message length integer overflow in s2n_handshake_finish_header (#5206)
* ci: add openssl-3.0-fips to asan build properly (#5204)
* ci: add libcrypto openssl-3.0-fips to integ tests (#5202)
-------------------------------------------------------------------
Wed Apr 2 15:14:55 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.15
* feature: openssl-3.0-fips support (#5191)
* ci: defend against unset version number in awslc installer (#5195)
* fix: openssl-3.0-fips should use libcrypto HKDF (#5183)
* fix: remove unnecessary RC4 restriction (#5170)
* fix: openssl-3.0-fips should use separate private rand (#5184)
* ci: move openssl3fips build to existing asan build (#5181)
* chore: include Need By Date section in github issue template (#5187)
* ci: cleanup awslc-fips versioning (#5156)
* chore: bump linting action Ubuntu version (#5186)
* build(deps): update aws-lc-rs version to remove paste deps (#5192)
* test: fix self-talk pkey offload test for openssl-3.0-fips (#5175)
* test: reduce parameter selection (#5161)
* chore: add inline noqa suppression (#5159)
* ci: make start_codebuild.sh work for forks (#5178)
* test(integv2): add partial support for OpenSSL 3.0 provider (#5131)
* (docs): Improve PQ docs (#5173)
* ci: use ruff --diff instead of --check (#5177)
* chore: pin once_cell version to unblock the CI (#5174)
* fix(ruff): resolve linting errors detected by Ruff (#5140)
* fix: mark chachapoly as unavailable with openssl-3.0-fips (#5168)
* tests: fix flaky ja4 test (#5169)
* chore: update git blame ignore commit ID (#5164)
* style: fix redundant return (#5150)
* build(deps): bump nixbuild/nix-quick-install-action from 29 to 30
in /.github/workflows in the all-gha-updates group (#5153)
* refactor: add libcrypto PRF impl for openssl-3.0-fips (#5158)
* chore: binding release 0.3.13 (#5167)
* chore(ci): pin symbolic-common (#5166)
-------------------------------------------------------------------
Fri Mar 14 09:44:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.14
* tests: try to make s2n_mem_usage_test more useful (#5139)
* chore: git-blame-ignore ruff formatting (#5151)
* chore(bindings): change in rustup behavior (#5160)
* refactor: remove unused prf hmac impls (#5148)
* chore(ci): make the awslc fips install script version aware (#5100)
* fix: memory leak during STEK rotation (#5146)
* refactor: add alternative EVP signing method (#5141)
* refactor: cleanup prf header (#5144)
* feat(bindings): expose context on cert chain (#5132)
* Ruff Formatting and add to CI (#5138)
* chore(nix): Add aws-lc-fips 2022/4 (#5109)
* test(integv2): fixes to allow test_record_padding to partially run (#5099)
* build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap
in the all-cargo-updates group across 1 directory (#5087)
* tests: use sig schemes as source of truth for valid hash+sig algs (#5129)
- from version 1.5.13
* ci: always set values for command line defines (#5126)
* fix: update callback return value (#5136)
* refactor: always use EVP hashing (#5121)
* ci: add check for third-party-src in disable rand override buildspec (#5137)
* feat: add async cert validation support (#5110)
* chore: remove unused well-known-endpoints.py (#5127)
* fix(bindings): remove mutation behind Arc (#5124)
* chore: binding release 0.3.12 (#5128)
* refactor: use EVP_MD_fetch() if available (#5116)
* feat: Option to disable RAND engine override (#5108)
* fix(bindings): make Context borrow immutable (#5071)
* build(deps): update rand requirement (#5125)
* chore: fix a typo in API comments (#5123)
* bindings: unpin openssl crate from a specific patch version (#5120)
* refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h (#5117)
* Add new security policy (20250211) (#5111)
* Revert "refactor: remove unused evp support for md5+sha1 (#5106)" (#5118)
* ci: add default provider to openssl-3.0-fips (#5114)
* fix: don't enable custom random for openssl fips (#5093)
* fix: allow b64 decoding using libcrypto for sidechannel resistance (#5103)
* refactor: remove unused evp support for md5+sha1 (#5106)
* refactor: remove s2n_hmac_is_available (#5104)
* build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0
in /.github/workflows in the all-gha-updates group across 1 directory (#5107)
* fix(integrationv2): Skip unsupported client auth tests (#5096)
* chore: bindings release 0.3.11 (#5098)
* chore: ktls buildspec (#5083)
* Fixed formatting for debugging statements (#5094)
* feat(bindings): add external psk apis (#5061)
* test: add minimal openssl-3.0-fips test (#5081)
- from version 1.5.12
* fix(ci): Allow validate_start_codebuild to run on pushes to main (#5080)
* fix: don't use DEPENDS with add_custom_command(TARGET) (#5074)
* fix: error for uninit psk, check for all-zero psk (#5084)
* fix: calculation of session ticket age (#5001)
* fix: add support for `S2N_INTERN_LIBCRYPTO` with FetchContent (#5076)
* fix(integration): Update PQ integration test expectations (#5082)
* ci: fix dependabot, commit & check Cargo.toml (#5065)
* docs(s2n-tls-hyper): Add hyper client/server example (#5069)
* docs(integv2): add architecture diagram (#5072)
* fix(bindings): prevent temp connection free after panic (#5067)
* ci: Emit benchmark metrics from scheduled runs (#5064)
* ci: change rust-toolchain format to toml (#5070)
* Revert "ci: remove openssl-1.0.2-fips builds (#4995)" (#5060)
* feat(bench): impl into for base config type (#5056)
* refactor: cleanup CBMC proofs after #5048 (#5058)
* ci: Adding integ tests back to integv2 (#5054)
* refactor: remove openssl-1.0.2-fips 'allow md5' logic (#5048)
* ci: pin duvet version (#5057)
* build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0
in /.github/workflows in the all-gha-updates group (#5053)
* chore: fix typos (#5052)
* chore: bump osx Openssl to latest (#5041)
* chore: bindings release for 0.3.10 (#5046)
* fix: initial config should not influence sslv2 (#4987)
* ci: add openssl-3.0-fips builds (#5037)
* Add Security Policy Deprecation API (#5034)
* docs: add C / s2n-tls-sys doc references to s2n-tls docs (#5012)
* test: add sslv2 client hello test w/ jvm (#5019)
* ci: add timeout for cbmc proof (#5038)
* fix(bindings): Specify correct minimum versions (#5028)
-------------------------------------------------------------------
Mon Feb 3 10:32:39 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.11
* fix: add build specs to copyright check (#5025)
* chore: run more checks on pushes to main (#4963)
* feature: remove openssl-1.0.2-fips fips mode support (#5030)
* tests: make integV2 locally runnable (#5029)
* chore: improve the dashboard comment query (#5016)
* refactor(bin): remove references to FIPS_mode_set (#5026)
* ci: improve output of validate_start_codebuild_script (#5031)
* chore: remove unused test utils (#5005)
* ci: keep start_codebuild.sh up-to-date (#5023)
* ci: commit integrationv2 small batch spec (#5020)
* fix(bindings/bench): Prevent IO from going out of scope (#5007)
* chore: remove unused imports (#5017)
* fix: don't prefix empty string when interning (#5015)
* Migrate PQ Python code to TLS 1.3 (#4999)
* ci: config logging for integration tests (#4751)
* ci: add script to help launch stuck codebuild jobs (#5004)
* chore(s2n-tls-hyper): Publish s2n-tls-hyper (#5000)
* chore: add new team member (#5006)
* Migrate PQ Rust code to TLS 1.3 (#4998)
* ci: remove S2N_TEST_IN_FIPS_MODE (#4994)
* ci: remove openssl-1.0.2-fips builds (#4995)
* ci: correctly read environment variable from CodeBuild
configuration for scheduled fuzz test (#4990)
* fix: add coverage for all ticket formats (#4997)
* ci: fix regression test paths (#4996)
* ci: run fuzz tests in parallel and generate coverage report (#4960)
* chore: move hyper to a newer MSRV (#4983)
* chore: remove toidiu from teams.yml (#4985)
* feat(s2n-tls-hyper): Allow plain HTTP connections (#4978)
* chore(binding): release 0.3.9 (#4982)
* refactor(bindings/bench): make harness own IO (#4847)
* refactor(s2n-tls-hyper): Add HttpsConnector builder (#4976)
-------------------------------------------------------------------
Tue Jan 7 10:19:36 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.10
* refactor(bench): remove historical benchmarks (#4940)
* fix: pem parsing detection of last cert errors (#4908)
* docs: specify s2n_blob growable conditions (#4943)
* chore(bindings): move tokio examples to dedicated folder (#4954)
* chore: fix GHA for merge-queue (#4973)
* chore(binding): release 0.3.8 (#4969)
* (chore): Installs Nix in AL2023 Buildspec (#4934)
* build(deps): bump the all-gha-updates group in /.github/workflows with 5 updates (#4961)
* feat(s2n-tls-hyper): Add support for negotiating HTTP/2 (#4924)
* tests: allow TLS1.2 with RSA-PSS certs in integ tests (#4949)
* ci: update CRT test ubuntu version to ubuntu24 (#4964)
* feat(bindings): enable application owned certs (#4937)
* ci: batch dependabot updates (#4959)
* ci(refactor): deprecate Omnibus (#4953)
* build(deps): bump actions/cache from 2.1.4 to 4.1.2 in /.github/workflows (#4928)
* build(deps): bump peaceiris/actions-gh-pages from 3 to 4 in /.github/workflows (#4921)
* build(deps): bump cross-platform-actions/action from 0.23.0 to 0.26.0 in /.github/workflows (#4951)
* build(deps): bump github/codeql-action from 2 to 3 in /.github/workflows (#4917)
* ci: add change directory to third-party-src logic (#4950)
* feat: TLS1.2 support for RSA-PSS certificates (#4927)
* feat: feature probe S2N_LIBCRYPTO_SUPPORTS_ENGINE (#4878)
* test(bindings): run unit tests under asan (#4948)
* ci(refactor): remove ASAN from Omnibus and GeneralBatch (#4946)
* ci(refactor): remove fuzz tests from Omnibus (#4945)
* refactor: add a s2n_libcrypto_is_openssl() helper function (#4930)
* fix(s2n-tls-hyper): Add proper IPv6 address formatting (#4938)
* ci: add openssl-1.0.2-fips to fuzz test (#4942)
* ci(refactor): remove Valgrind checks from omnibus and generalBatch (#4913)
* fix(bindings): address clippy issues from 1.83 (#4941)
* test: pin tests to explicit TLS 1.2/TLS 1.3 policy (#4926)
* (chore): Fixes team-label github action (#4935)
* chore: add new team member (#4939)
* upgrade cmake version to 3.9 (#4933)
* ci: add awslc-fips and openssl-1.0.2-fips to valgrind (#4912)
* chore(bindings): feature gate network testsa and relax http status assertions (#4907)
* chore: Ocsp timeout adjustment (#4866)
* build(deps): bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2 in /.github/workflows (#4892)
* test: expand s2n_record_read testing to both TLS1.3 and TLS1.2 (#4903)
* test: pin optional client auth test to a TLS 1.2 policy (#4914)
* feat: add alert mappings for certificate errors (#4919)
* doc: document generating bindings with prebuilt libs2n (#4872)
* ci: Move kTLS test out of GeneralBatch (#4904)
* build(deps): bump actions/checkout from 3 to 4 in /.github/workflows (#4888)
* test(s2n-tls-hyper): matching on s2n-tls error (#4906)
* build(deps): bump nixbuild/nix-quick-install-action from 21 to 29 in /.github/workflows (#4890)
* build(deps): bump JulienKode/team-labeler-action from 0.1.1 to 1.3 in /.github/workflows (#4889)
* tests: pin tests to a numbered TLS1.2 policy (#4905)
* test: remove load system certs functionality for s2n_default_tls13_config (#4897)
* doc: add information about s2n-tls software architecture (#4868)
* ci: grant dependabot status update permissions (#4898)
* ci: fixes for cargo audit (#4895)
* test(s2n-tls-hyper): Add localhost http tests (#4838)
* test: add rust well-known-endpoint tests (#4884)
* chore: bindings release 0.3.7 (#4894)
* chore: add a cargo audit action (#4862)
* ci: add open fds valgrind check (#4851)
-------------------------------------------------------------------
Thu Nov 21 11:11:40 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.9
* feat: Reworking cleanup behavior (#4871)
* chore: broaden use of flaky mark (#4865)
* chore: configure dependabot (#4861)
- from version 1.5.8
* fix: fix open AF_INET sockets in s2n_self_talk_ktls_test.c (#4852)
* chore: update github PR template (#4885)
* feat: add new security policy `20241106` (#4874)
* chore: remove unused benchmarks (#4869)
* ci: Clean dup source tree for CRT (#4882)
* ci: remove www.mozilla.com from well-known to unblock CI (#4880)
* fix: move prelude inclusion as PRIVATE (#4876)
* build: add s2n_prelude.h to consolidate defines (#4465)
* chore: bindings release 0.3.6 (#4867)
* doc: fix incorrect README references (#4863)
* fix: typo in comment of s2n_self_talk_tls13_test (#4864)
-------------------------------------------------------------------
Mon Nov 4 14:02:24 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.7
* fix: close all /dev/urandom open fds (#4835)
* docs: update fips documentation to specify supported libcrypto (#4857)
* fix(bindings): correct poll_flush implementation (#4859)
* feat: Adds cleanup_final (#4853)
* test(bindings): Consolidate test pems (#4858)
* chore: bindings release 0.3.5 (#4860)
* chore: grant duvet action more permissions (#4854)
* (feat): Adds certificate match metrics API (#4844)
-------------------------------------------------------------------
Thu Oct 24 12:58:26 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.6
* chore: Fix failing OIDC workflows; cleanup unused actions (#4848)
* chore(GHA): Update duvet arguments (#4850)
* chore: remove unused compile definition (#4815)
* Add new MLKEM TLS Policies (#4830)
* fix: fix opened AF_UNIX sockets that didn't call s2n_io_pair_close (#4833)
* bindings: pin openssl crate to 0.10.66 (#4849)
* chore: flip 2 GHAs to use short lived creds. (#4839)
* fix: fix s2n_io_pair_close_one_end (#4841)
* ci: Re-enable asan and ubsan for fuzz tests (#4840)
* fix: some open AF_UNIX sockets in forked child processes (#4834)
* Update FIPS rules for ML-KEM (#4829)
* ci: update ubuntu versions (#4828)
* Add initial support for MLKEM768 (without any new Security Policies) (#4816)
* chore: Adds print statements to help debug s2n_dynamic_load_test (#4836)
* ci: add more libcryptos for fuzz batch & follow cmake idioms (#4795)
* feature: bump cert authorities max size to 20kb (#4832)
* ci: Add ubuntu24 with a new cmake buildspec (#4824)
* Add ML-KEM Feature Probe and Test (#4823)
* docs: update stateful resumption doc (#4818)
* chore: remove make fuzz and AFL fuzz (#4808)
- from version 1.5.5
* chore: bump awslc(non FIPS) to 1.36.0 (#4821)
* chore: bindings release 0.3.4 (#4819)
* feat: add s2n_cleanup_thread (#4584)
* feat(bindings): add set receive buffering to the rust bindings (#4817)
- from version 1.5.4
* refactor: make s2n_array_len constant (#4801)
* feature(bindings): scheduled renegotiation via poll_recv (#4764)
* Update PQ code to be generic over EVP_KEM API's (#4810)
* refactor(bindings): add general bindings error context (#4811)
* ci: adding CTest memcheck to CodeBuild (#4776)
* Revert "test: disallow explict use of "default" policy in tests (#4750)" (#4812)
* ci: check for s2n_array_len in loop bounds (#4802)
* ci: use clang to build awslc (#4794)
* ci: run clippy on all features (#4809)
* docs: Update certificate loading documentation (#4790)
* test: only build requested unit tests in nix (#4770)
* refactor: clean up CMakelists.txt (#4779)
* fix: pem parsing should allow single dashes in comments (#4787)
* ci: use temporary directory for s2n_head build (#4771)
* fix(bindings): handle failures from wipe (#4798)
* fix: don't iterate over certs if not validating certs (#4797)
* ci: add buildspec file for scheduled fuzzing (#4763)
* Al2023 codebuild (#4756)
* test: disallow explict use of "default" policy in tests (#4750)
* chore: bindings release 0.3.3 (#4791)
* docs: clarify pre-TLS1.2 support (#4780)
* fix: update ja4 compliance (#4773)
* chore(bindings): pin unicode-width (#4785)
- from version 1.5.3
* ci: refactor fuzz buildspec (#4783)
* docs(bindings): example for Policy::from_version (#4731)
* test: refactor pcap test to use version from rtshark (#4774)
* test: use seccomp on handshake test (#4768)
* ci: use newer version of libFuzzer (#4762)
* test: avoid mutating static configs in tests (#4749)
* chore(bindings): release 0.3.2 (#4760)
* ci: Emit CloudWatch metrics from rust benchmarks (#4742)
* CI: enable fuzz test build with cmake (#4743)
* fix: update handling of ja4 alpn edge cases (#4755)
* fix(bindings): update cc and unpin jobserver (#4758)
* fix: add missing null-checks in s2n_connection.c (#4754)
- from version 1.5.2
* refactor: replace memcmp to s2n_constant_time_equals (#4709)
* tests(pcap): fix support for older tshark versions (#4744)
* refactor: move s2n_result functions inline (#4739)
* refactor: make s2n_stuffer_read_hex match s2n_stuffer_read (#4726)
* ci:Al2023 CodeBuild script (#4737)
* Update to CBMC 6.2.0 (#4746)
* docs: add test readme (#4718)
* tests(pcaps): download additional pcaps (#4728)
* ci: Add UBSAN test to the sanitizer (#4740)
* chore(integrationv2): add license header (#4732)
* fix: Cleanup libcrypto errors (#4733)
* fix(ci): update CBMC proofs' Makefile.common (#4703)
* ci: add separate license check (#4727)
* chore: cleanup old docker dev build (#4729)
* fix: resolve UBSAN violations in the codebase (#4722)
* refactor: minor fixes for common fingerprint code (#4712)
* tests: add JA4 pcap tests (#4714)
* fix: correct JA4 alpn parsing (#4721)
* chore: bump versions of aws-lc and aws-lc-fips (#4716)
* fix: Reorder PR and Mainline in Regression Test Runner (#4720)
* docs: Add a supported platforms section (#4695)
* chore(bindings): release 0.3.1 (#4719)
* test: add a harness for session resumption in regression test (#4706)
* fix(bindings): ConfigPool should always yield associated connections (#4708)
-------------------------------------------------------------------
Mon Aug 26 15:23:53 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.5.1
* Add performance regression tests in CI (#4701)
* feat: JA4 fingerprinting (#4669)
* Clarify s2nc/s2nd PQ output (#4702)
* fix: building for AL2 (#4679)
* ci(nix): Startup/configure apache for renegotiate test under nix (#4592)
* fix: Initial config influences client hello parsing (#4676)
* Add s2n_signature_preferences_20240521 (#4565)
* New s2n core member (#4707)
* Modify regression threshold to configurable percentage (#4698)
* chore: remove unused benchmarks (#4696)
* docs: add pq to usage guide (#4677)
- from version 1.5.0
* chore: Rust bindings bump v0.3.0 (#4697)
* Merge commit from fork
* fix: upload fuzz output to s3 when test fails (#4694)
* fix(ci): partially revert checking out head from current clone. (#4693)
* Enabling differential performance benchmarking (#4667)
* chore: document OpenSSL-FIPS restriction on RSA key size (#4654)
* ci: store fuzz artifacts in s3 (#4678)
* feat: Changes ticket encryption scheme to be nonce-reuse resistant (#4663)
* chore: Bump rust bindings to 0.2.11 (#4690)
* fix(bindings): enforce waker contract on `poll` operations (#4688)
* docs: update blinding docs (#4686)
* fix: zip corpus files before uploading to s3 (#4685)
* Adopt CBMC 6.1 and cbmc-viewer 3.9 (#4661)
* test(cbmc): add stuffer hex proofs (#4659)
* fix: don't fail for 0 blinding delay (#4671)
* chore(bindings): release 0.2.10 (#4683)
* feat(bindings): Add hyper compatibility crate (#4617)
* refactor: switch JA3 to use stuffer hex methods (#4662)
* fix: SSLv3 handshake with openssl-1.0.2-fips fails (#4644)
* feat(bindings): add renegotiate to the rust bindings (#4668)
* ci: move fuzz corpus to S3 (#4665)
* fix: default s2nc should accept default s2nd cert (#4670)
* fix: add missing corpus files for s2n_deserialize_resumption_state_test (#4672)
* refactor: clean up other hex methods (#4664)
* Set up regression benchmark for scalar performance (#4649)
* ci(nix): Setup a head build for the cross_compatibility integ test (#4567)
* fix: new clippy lints (#4666)
* fix: allow for clock skew in resumption (#4650)
* fix: Refactor some s2n_resume functions (#4648)
* fix: pin tokio-macros version (#4658)
* refactor: move stuffer hex methods out of testlib (#4653)
-------------------------------------------------------------------
Fri Jul 26 11:20:16 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.14.18
* chore: Bump Rust bindings v1.4.18 (#4656)
* fix: Removing new usage of memcmp (#4657)
* Merge commit from fork
* Update s2n_connection_get_kem_group_name() to
work with ClientHelloRetries (#4652)
* fix: avoid cert validation on connection_set_config (#4612)
* ci: add merge_group event to GHA workflow. (#4646)
* feat: Add API to gate session tickets to TLS1.3 only (#4645)
* feature: reusable fingerprinting interface (#4628)
* refactor(bindings/s2n-tls): finish test harness refactor (#4636)
* test(pcap): handle pcaps with tcp fragmentation (#4643)
* Refactor: change is_available return type to
bool in s2n_cipher struct (#4630)
* Refactor: change init and destroy_key return type to
S2N_RESULT in s2n_cipher struct (#4639)
* Refactor: change set/get_decryption_key return type to
S2N_RESULT in s2n_cipher struct (#4638)
* chore: document why SHA1 is the only supported hash algorithm
for cert_id generation in OCSP response (#4625)
* ci(nix): Add tshark to nix devshell (#4571)
* refactor: use feature probe for AEAD gate logic instead of
AWS-LC/BoringSSL macros (#4642)
* api(bindings/s2n-tls)!: remove public testing feature (#4623)
* chore(bindings): release 0.2.8 (#4635)
* feat(bindings/s2n-tls): add client_hello_version (#4609)
* fix: remove S2N_NO_PQ option (#4622)
* chore: fix CBMC proof summary count (#4627)
* refactor: separate out ja3 specific logic (#4578)
-------------------------------------------------------------------
Tue Jul 9 06:55:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.17
* bug: Fixing bash error (#4624)
* chore: make cbmc proof build more strict by adding -Werror flag (#4606)
* Perform 2-RTT Handshake to upgrade to PQ when possible (#4526)
* test(bindings/s2n-tls): refactor testing::s2n-tls tests (#4613)
* docs: add timeout note to blinding delay docs (#4621)
* docs: Add back suggested FIPS + TLS1.3 policy (#4605)
* ci: shallow clone musl repo (#4611)
* example(bindings): add async ConfigResolver (#4477)
* chore: use CBMC version 5.95.1 (#4586)
* s2n-tls rust binding: expose selected application protocol (#4599)
* test: add pcap testing crate (#4604)
* testing(bindings): add new test helper (#4596)
* chore(bindings): fix shebang in generate.sh (#4603)
* fix(s2n_session_ticket_test): correct clock mocking (#4602)
* Fix: update default cert chain for unit tests (#4582)
* refactor(binding): more accurate naming for const str helper (#4601)
* fix: error rather than empty cipher suites (#4597)
* chore: update s2n_stuffer_printf CBMC harness (#4531)
* ci(nix): Fix integ pq test in a devShell (#4576)
* feature: new compatibility-focused security policy preferring ECDSA (#4579)
* compliance: update generate_report.sh to point to compliance directory (#4588)
* ci: fix cppcheck errors (#4589)
* chore: cleanup duplicate duvet citations (#4587)
-------------------------------------------------------------------
Tue Jun 11 07:33:04 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.16
* Merge pull request from GHSA-52xf-5p2m-9wrv
* chore(bindings): release 0.2.7 (#4580)
* fix: Validate received signature algorithm in EVP verify (#4574)
* refactor: add try_compile feature probe for RSA-PSS signing (#4569)
* feat: Configurable blinding (#4562)
* docs: document s2n_cert_auth_type behavior (#4454)
* fix: init implicit iv for serialization feature (#4572)
* [Nix] adjust pytest retrys (#4558)
* fix: cert verify test fix (#4545)
* fix: update default security policies (#4523)
* feat(bindings): Associate an application context with a Connection (#4563)
* chore(bindings): version bump (#4566)
* Additional test cases for s2n_constant_time_equals() (#4559)
* test: backwards compatibility test for the serialization feature (#4548)
* chore(bench): upgrade rustls (#4554)
-------------------------------------------------------------------
Tue Jun 4 09:13:19 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.15
* bug(nix:corretto): use autoPatchelfHook on all systems and ignore als… (#4561)
* feat(bindings): Add API to check for resumption (#4552)
* fix: Send zero-length NST when session key is expired (#4532)
* feat: add key preferences to rfc9151 policy (#4540)
* chore: bindings release 0.2.5 (#4551)
* refactor: Avoid unnecessary s2n_hmac calls in s2n_record_write (#4539)
* feat: Modify s2nd/c to do serialization/deserialization (#4533)
-------------------------------------------------------------------
Mon May 13 09:20:33 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.14
* fix: Increase received signature scheme limit (#4544)
* fix: Fix a bug in tls1.3 code path (#4513)
* ci: grep for S2N_RESULT_ERR without setting s2n_errno (#4534)
* style(bindings): fix new clippy lints (#4536)
* bin: tool to print security policies (#4524)
* feat[bindings]: fips feature flag (#4527)
* feat: set certificate_authorities from trust store (#4509)
-------------------------------------------------------------------
Wed May 8 13:04:31 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.13
* chore(bindings): release 0.2.4 (#4530)
* nix gdb/lldb utils (#4460)
* binding: Add s2n_connection_get_session on the Connection (#4522)
* chore: update s2n-core team (#4520)
* fix: Python integ tests are flaky on arm (#4512)
* ci: Nix libcrypto helpers (#4422)
* ci: Remove actions-rs (#4514)
* chore(bindings): Pin `zeroize` to avoid MSRV increase (#4519)
* feat: add missing numbered security policies (#4511)
* docs(bindings): fix client hello doc tests (#4495)
* docs: add more warnings about security policy defaults (#4507)
* feat: add basic support for certificate_authorities (#4506)
* fix: Fix redundant code (#4504)
* chore: Rust bindings bump v1.4.12 (#4505)
* fix(sidetrail): Invalid stream cipher struct in proof wrapper (#4484)
* refactor: rename error + extension iana for consistency (#4503)
- from version 1.4.12
* feat: Serialization Rust APIs (#4493)
* refactor: combine TLS1.2 and TLS1.3 sig scheme representations (#4498)
* feat: Release C APIs for serialization (#4501)
* fix: Wipe conn->in on all record parse failures (#4499)
-------------------------------------------------------------------
Mon Apr 15 11:09:16 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.11
* chore(bindings): release 0.2.2 (#4497)
* feat(binding): add key update request api (#4469)
* tests: Serialization feature with post-handshake features (#4489)
* fix: add missing TLS1.3 p521 sig schemes (#4496)
* fix: correct broken early data test (#4494)
* fix: better errors for all client auth failures (#4492)
- from version 1.4.10
* feat: add s2n_peek_buffered (#4490)
* feat: reduce read syscalls to improve performance (#4485)
* feat: connection serialization (#4468)
* chore(bindings): release 0.2.1 (#4486)
* fix(bindings): print cargo commands to stdout (#4482)
-------------------------------------------------------------------
Thu Apr 4 11:31:02 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.9
* New TLS1.2-only variant of 20230317 policy (#4483)
* ci: add asan runs under gcc (#4402)
* fix: Adds non_exhaustive flag to FingerprintType
* fix: refactor rust bindings fingerprint methods (#4474)
* example(bindings): client hello cb example (#4385)
* feat: getter for TLS1.2 master secrets (#4470)
* bindings: ensure CFLAGS includes come after build script includes (#4475)
* bindings: mark Connection as Sync (#4467)
* Make S2N_CERT_AUTH_OPTIONAL the default for clients (#4390)
* fix(test): narrow valgrind suppressions (#4369)
* fix: pedantic memory leak in handshake test (#4463)
* chore(bindings): release 0.1.7 (#4462)
-------------------------------------------------------------------
Fri Mar 22 09:19:59 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.8
* feat: Add additional EC key validation for FIPS (#4452)
* refactor: UBSAN build and address out of bound reads (#4440)
* Add s2n_stuffer_shift (#4458)
* style: fix declarations without initial value (#4404)
* feat: Add FIPS mode getter API (#4450)
* remove unnecessary includes (#4451)
* refactor: clang-tidy null deref and undefined mod (#4436)
* refactor: make memmove vs memcpy behavior clearer (#4447)
* fix(bindings): Apply with_system_certs to Config builder (#4456)
- from version 1.4.7
* api: add key update request functionality (#4453)
* style: manual initial value fix (#4449)
- from version 1.4.6
* docs: Specify the return value of S2N_FAILURE for IO APIs (#4446)
* refactor: enforce stuffer return check (#4399)
* refactor: fix unread variable warnings (#4405)
* fix: Unsets global libcrypto rand (#4424)
* Relax HRR consistency requirements for second client hello (#4429)
* fix: prevent enabling ktls with a buffered record header fragment (#4426)
* feat: add cert key preferences (#4434)
* chore: bindings bump 0.1.6 (#4437)
* test: add cert chain with mixed key sizes (#4433)
* feat: apply cert signature preferences locally (#4407)
* docs: Extend license check to .rs files (#4428)
* fix(test): fix dangling pointers in cert verify test (#4430)
* Add Rust bindings for certificate chains (#4398)
- from version 1.4.5
* fix: parse fragmented sslv2 client hellos (#4425)
* chore(ci): Give OpenBSD CI job a performance boost (#4427)
* fix: s2n_shutdown should handle partial records (#4421)
* feat: Server name getter for client hello (#4396)
* refactor: zero static s2n_configs on cleanup (#4416)
* Removed unused dependencies (#4417)
* chore(bindings): release 0.1.5 (#4420)
* chore(bindings): release 0.1.4 (#4418)
* bindings: use aws-lc-rs instead of aws-lc-sys (#4415)
-------------------------------------------------------------------
Wed Feb 21 13:13:22 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.4
* allows cmake to force crypto linkage (#4383)
* refactor: consolidate record wiping (#4412)
* build: make CMake test flags more consistent with make (#4392)
* style(bindings): address new clippy lint (#4411)
* refactor: generalize cert sig preference handling (#4379)
* feat: More client hello getters (#4380)
* fix: only initialize default tls 1.3 config in tests (#4302)
* Check fd status before using urandom (#4352)
* utils: add map iteration iterator (#4377)
* chore(bindings): release (#4388)
* chore(bindings): bump aws-lc-sys (#4393)
* s2n-tls-tokio: use s2n_shutdown_send instead of s2n_shutdown (#4374)
* enforce result checking for blob and mem (#4389)
-------------------------------------------------------------------
Wed Feb 7 11:42:55 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.3
* ci: Disable broken rust dry-runs (#4384)
* Fix SSLv3 detection with AWS-LC (#4361)
* More specific error for unexpected cert request (#4381)
* test: Adds SSLv3 integ test (#4372)
* chore: add valgrind to nix develop (#4365)
* test: additional test certs (#4378)
* chore: bindings release 0.1.2 (#4376)
* test: add additional test certs (#4353)
* feature: Use S2N_FAST_INTEG_TESTS to run
pytest in parallel under nix (#4368)
* refactor: ossl x509 parsing (#4351)
-------------------------------------------------------------------
Fri Jan 26 12:20:42 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.2
* docs(bench): update docs to reflect aws-lc default (#4336)
* Fix initialization errors in unit tests (#4370)
* bindings: fix handling of s2n_shutdown errors (#4358)
* Fix s2n_shutdown + failed recv bug (#4350)
* Add new PQ TLS Policies (#4327)
* ktls: add method to track key updates (#4364)
* Move client hello parsing out of unstable (#4359)
* bindings: clean up blinding tests (#4356)
* ci: cmake asan buildspec (#4048)
* fix: stack-use-after-scope variable ordering (#4355)
* fix(bindings): remove optional cmake dependency (#4347)
* ktls: improve messaging around freed handshakes (#4346)
* bug: Fixes mdbook action (#4345)
* feat: Publishes mdbook to Github Pages (#4343)
* Add PQ integration tests between s2n and AWS-LC's libssl (#4267)
* chore: bindings release 0.1.1 (#4341)
* (feat): Adds API to allow s2n-quic to check for resumption (#4335)
* bindings: ensure CFLAGS includes come after libcrypto includes (#4338)
* Add FIPS security rule (#4315)
-------------------------------------------------------------------
Wed Jan 3 14:37:59 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.4.1
* bindings: match tcp EOF behavior (#4323)
* (docs): Reordered and moved usage guide into an mdbook (#4300)
* ktls: add method to enable TLS1.3 (#4331)
* ci: fix flaky interning test (#4334)
* Add CBMC proof for s2n_stuffer_printf (#4309)
* docs: remove gitter references (#4332)
* ktls: handle TLS1.3 key limits (#4318)
* ci: pin home crate to fix rust build (#4330)
* ci: switch autopep8 action (#4322)
* ci: ignore cbmc prereleases (#4328)
* ci: switch FreeBSD back to vmactions (#4326)
* ktls: add TLS1.3 support (#4314)
* ci: fix pep8 linting (#4319)
* cleanup: add getter for sequence number (#4317)
* Mark inline asm output as earlyclobber (#4310)
* bindings: release rust bindings 0.1.0 (#4313)
* ci: add workflow for rust bench crate (#4210)
* Enforce security rules on security policies (#4311)
* documentation: fix security policy table (#4304)
- from version 1.4.0
* Add basic "security rules" (#4298)
* Update CloudFront's upstream ECC Preference list (#4301)
* Bump AWS-LC version to v1.17.4 (#4303)
* Clean up selecting a signature algorithm (#4285)
* Remove s2n's internal Kyber512 implementation, and rely on
AWS-LC for Kyber support (#4283)
* feat: Adds ConnectionInitializer to Rust bindings (#4250)
* Remove NULLs in s2n_kex (#4293)
* feat(bindings): use aws-lc-sys instead of openssl-sys (#4290)
* fix: probe for all AES_GCM variants (#4295)
* ci: add mainline coverage job (#4288)
* bench: increase cert chain length (#4287)
* fix(bindings): enable session tickets after setting callback (#4292)
* fix(bindings): pin jobserver in more places and run cargo
publish --dry-run in generate.sh (#4255)
* bindings(rust): make callbacks Send + Sync (#4289)
* Add API to retrieve the supported groups for a security policy (#4273)
* test: Bump cross-platform actions to pull in fix for flaky BSD (#4278)
* test: remove blinding from unit tests (#4281)
* ci: update integ dependencies (#4261)
* ci: add additional p-384 test coverage (#4275)
* Detect KEM support at runtime (#4101)
* Bumped version to 0.41.0 (#4276)
* Change pkey parse methods to return s2n_result (#4271)
* Fixes failing FreeBSD build in CI (#4272)
- from version 1.3.56
* ci: Minor cppcheck speedup (#4268)
* fix: update permissions to allow dashboard to write to gh-pages. (#4228)
* Clean up receiving peer sig alg (#4259)
* Switch from vmactions to cross-platform-actions (#4266)
* Update get_client_cert_chain API documentation (#4260)
* Always apply the PARTIAL_CHAIN flag (#4258)
* Allow TLS 1.2 servers to report client versions from
the supported versions extension (#4249)
* Clean up sending supported sig algs (#4254)
* refactor(bench): remove non-generic connection logic (#4236)
* docs: remove extra security policy item (#4248)
* bindings: release 0.0.40 (#4251)
- from version 1.3.55
* Add new PQ TLS 1.3 policies (#4247)
* Switch sig schemes from copies to references (#4237)
* feat: Turns off automatic ticket creation for quic (#4239)
* chore: pin dependency to fix rust MSRV issues (#4243)
* feat: Processes post-handshake messages for quic (#4218)
* bindings: release 0.0.39 (#4235)
* Run clang-format (#4238)
- from version 1.3.54
* Merge pull request from GHSA-97r4-p6c4-5gv3
* ktls: support aes256 (#4227)
* ktls: forbid renegotiation (#4229)
* ci: add ktls + asan build (#4213)
* Add support for exporting symmetric keys from connections (#4230)
- from version 1.3.53
* ktls: make usable outside of tests (#4232)
* overwrite the random state key only if initialized (#4225)
* ci: Authorize requests to GitHub API (#4223)
- from version 1.3.52
* ktls: release APIs as unstable (#4217)
* Add API to retrieve parsed supported groups (#4216)
* docs: generate citations meta data and add CI check (#4205)
* feat: add s2n_strerror_source API (#4209)
* feat: send psk_ke_modes ext in first flight (#4177)
* ktls: clean up enable (#4212)
* Generalize io handling + add ktls EINTR handling (#4203)
* ktls: fix flaky test (#4214)
* docs: add rfc citations (#4202)
* build: use feature probes for CLOEXEC (#4206)
* Add asan support to cmake/nix (#4194)
* ktls: receive app data (#4201)
* docs: add citations for alert behavior (#4198)
* bindings: release 0.0.38 (#4196)
* ktls: recv alerts (#4199)
* Reduce allocs in ktls app data send (#4181)
* ktls: self-talk tests for send (#4189)
* ci: run duvet when commits are merged into main branch (#4197)
* ci: Upgrade asan to catch use after scope (#4192)
* ktls: add sendfile (#4186)
* Add test with ktls enabled to s2nGeneralBatch (#4190)
-------------------------------------------------------------------
Thu Sep 14 08:17:30 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.51
* Add API to disable certificate validity period validation (#4183)
* Commit buildspec for s2nGeneralBatch (#4188)
* ktls: Send alerts (#4185)
* Add AL2 test with system libcrypto (#4179)
* ci: buildspec for qemu ktls test (#4175)
* Add testlib to track memory allocations (#4180)
* ktls: Send app data (#4174)
* Small sendv doc fix (#4178)
* api: Add S2N_EXTENSION_SUPPORTED_VERSIONS as s2n_tls_extension_type (#4160)
* feat(benchmarks): Add session resumption support (#4173)
* bindings: Release 0.0.37 (#4172)
-------------------------------------------------------------------
Fri Sep 1 15:00:29 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.50
* Publish cert validation callback APIs and add documentation (#4161)
* kTLS: implement recvmsg (#4154)
* Fix clippy (#4166)
* Add cert validation callback (#4156)
* kTLS: implement sendmsg (#4147)
* Fix s2n_ecdsa_secp521r1_sha512 + improve integ ECDSA coverage (#4148)
* refactor and cleanup some ktls code (#4152)
* Call enable_session_tickets before adding a ticket key (#4150)
* kTLS: get and set control data on msghdr (#4146)
* Don't exit nix dev shell on integ test failure (#4149)
* docs(bench): update historical benching graphs and readme (#4136)
* Use client_hello.parsed as precondition for retrieving client_hello (#4144)
* bindings: release 0.0.36 (#4145)
* Update blocked status documentation (#4139)
* Make invalid chains available via get_client_cert_chain (#4134)
* Adds resumption functions to Rust bindings (#4114)
-------------------------------------------------------------------
Thu Aug 17 07:34:24 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.49
* ktls: mock send/recvmsg IO (#4109)
* test: ensure s2n_recv blocked status behavior doesn't change (#4127)
* Add additional Kyber768 tests (#4089)
* Prevent get_peer_cert_chain from modifying existing cert chain (#4135)
* Update build documentation (#4126)
* feat(bench): add different parameters for memory benching (#4125)
* feat(bench): add flamegraph generation to benchmarks
and reuse configs when benching (#4128)
* Add new Kyber768+ KEMs and security policy (#4034)
* fix(bench): fix throughput bench issues and add documentation (#4130)
* refactor(bench): unnest loops over parameters in handshake bench (#4129)
* ktls: self talk inet socket test (#4075)
* refactor(bench): feature cleanup for benches (#4120)
* refactor(bench): move around and update scripts in bench crate (#4115)
* Fix PR template styling (#4116)
* bindings: release 0.0.35 (#4122)
* refactor(bench): separate out client and server
connections in benching harness (#4113)
- from version 1.3.48
* Print error for 32bit test (#4107)
* ktls: set keys on socket and enable ktls (#4071)
* Trying to use an invalid ticket should not mutate state (#4110)
* fix: get_session behavior for TLS 1.3 (#4104)
* feat(bench): add different certificate signature algorithms to benchmarks (#4080)
* feat(bench): add memory bench with valgrind/massif (#4081)
* feat(bench): add historical performance benchmark (#4083)
* nix: pin corretto version (#4103)
* bindings: release 0.0.34 (#4096)
- from version 1.3.47
* Fix try_compile bug on gcc 4 (#4091)
* Fix clippy warnings (#4093)
* Generify Kyber files + functions over security parameters (#4087)
* Disabling sign compare check as debug build option, enabling
wsign-compare check and fixing 32bit build failures (#4061)
* ktls: config socket ULP (#4066)
* feat(bench): add throughput benchmarks (#4077)
* feat(bench): add mTLS to benchmarks (#4079)
* Fix pthread key cleanup with musl libc (#4085)
* feat: introduce s2n_key_material for handling key material info (#4047)
* Fix openssl-1.0.2k x509 validator test failure (#4084)
* bindings: release 0.0.33 (#4076)
* feat(bench): add openssl handshake to benchmarking (#4069)
* fix: Add implicit gcc flag to all feature probes (#4074)
* nix: skip the sslyze test on aarch64 (#4050)
* Adds new CRT policies (#4072)
* Add KeyUpdate threading test (#4059)
-------------------------------------------------------------------
Wed Jun 28 12:32:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.46
* Create new KMS TLS Policy with TLSv1.2 Minimum (#4068)
* bindings: do not enable OCSP when calling trust_location() (#4016)
* Fixes broken link in comment (#4060)
* Disable build flag for openssl102 nix aarch64-linux (#4045)
* Add rustls handshake to benchmarks (#4063)
* remove kTLS feature probe (#4064)
* Validate PRK output size in the libcrypto HKDF implementation (#4057)
* s2n-tls handshake benchmark (#4053)
* feat(bindings/s2n-tls): add ja-3 apis (#4009)
* Fix TSAN s2n_shutdown failures (#4055)
* Update nix corretto; make it platform aware. (#4043)
* Add ThreadSanitizer (#4046)
* feat: add checked return values diagnostic (#3798)
* Fix usage guide examples + enable testing of examples (#4044)
* Fix pthread leak (#4037)
* Add libcrypto HKDF implementation (#4035)
* ci: allow running multiple integ tests at once in nix devshell (#4029)
* Never send KeyUpdate message if <TLS1.3 (#4038)
* nix devShell with aws-lc (#4028)
* fix: ossl3 legacy provider mem leak (#4033)
* Add pre-TLS13 libcrypto PRF implementation (#4020)
* ci: typos config file (#4021)
* Refactor alerts to make behavior clear (#4019)
* bindings: release 0.0.32 (#4032)
* Fixes dynamic loading bug (#4024)
* build: make feature flags consistent (#3921)
-------------------------------------------------------------------
Sat Jun 10 02:49:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.45
* fix: improve compatibility with old Linux versions (#4027)
* Disable retry client random validation outside of tests (#4023)
* Only call getenv for integ test marker in s2n_init (#4025)
* Publish minimal s2n_config APIs and add documentation (#3972)
* Fix s2n_error_get_type mistake in usage guide (#4022)
* nix: add an Openssl102 nix devShell (#4014)
* fix(api/unstable): make all api methods visible (#4015)
* test(bindings/s2n-tls-tokio): fix tokio bindings close test (#4007)
* fix: open files with the O_CLOEXEC flag (#3989)
* feat(s2n-tls): X509 asn1 refactor (#4011)
* Add the libcrypto random generation implementation (#4004)
* nix: Use nixpkgs gnutls instead (#4013)
* nix: add a LibreSSL nix devShell (#4010)
* style: simplfy api for test utility (#4008)
* fix(s2nd): parse psk given to s2nd non-destructively (#4006)
* nix devShell with openssl3 (#3993)
* Upgrade OpenSSL model for CBMC proofs (#3978)
* Quoting RFC-4492 to verify behavior when supported_groups extension is not sent (#3998)
* docs: add notes on s2nc and s2nd usage (#4003)
* bindings: Add option to disable loading system certs (#3985)
* Update FAQ + add s2n_negotiate example to Usage Guide (#3984)
* test: add more x509 OCSP tests (#3970)
* ci: enable ossl3 tls13 tests (#3992)
* chore: bindings release 0.0.31 (#3997)
* Print Wire Bytes In and Out for s2nc (#3986)
* ci: nix devShell simplification (#3964)
* utils: Add a stale box to the GH dashboard; use an action for pushing pages (#3947)
- from version 1.3.44
* test: fix session-ticket, non-blocking-io tests on 32 bit (#3969)
* ci: add 32 bit buildspec (#3977)
* [ci]: Use custom library context for rc4 instead of global default context (#3980)
* s2n_rand_cleanup: be sure to unregister s2n RAND engine from libcrypto (#3966)
* docs: update clang-format and gdb documentation (#3967)
* Only LTO on GCC (#3968)
* style: clean up fuzz corpus (#3971)
* Add test for cipher selection with dh params (#3974)
* Add new API to perform half-close (#3952)
* Add API to create s2n_configs without loading system certs (#3950)
* chore: remove module.modulemap and allow customers to generate it themselves (#3961)
* chore: bindings release (#3956)
* Cover more situations where no close_notify is sent/received (#3957)
* Add logging for failed CRT tests (#3962)
* Fix end-of-data behavior (#3945)
- from version 1.3.43
* Fix expected negotiated version in client auth downgrade test (#3951)
* ci: Disable automatically closing stale PRs (#3946)
* add 32 bit cross-compile toolchain (#3924)
* ci: Add AWSLC-FIPS 2022 to CI (#3943)
* bindings: add verify_host_callback to the connection (#3925)
* Add basic half-close TLS1.3 behavior (#3932)
* Update IO section of Usage Guide (#3917)
* Don't send close_notify after an alert (#3942)
* Reinstate Kyber KEM check (#3905)
* Add test to verify TLS1.2 downgrade (#3939)
* Add github stale action (#3929)
* update security policy and rust binding documentation (#3906)
* Remove unnecessary flush (#3940)
* Adds FAQ doc (#3920)
* ci: Update AWSLC test dependency to v1.8.0 (#3938)
* Add note about server_name spec requirements (#3930)
* doc: Flesh out steps in nix readme. (#3923)
* Create new PQ TLS Policies with minimum of TLSv1.2 (#3927)
* Attempts to fix flakiness in session_ticket_test (#3913)
* test: Bump nix devShell python to 3.10 (#3914)
* chore(bindings): release 0.0.29 (#3919)
* test: add retry logic for well-known endpoints (#3918)
* docs: add compliance notes for RFC 6125 (#3915)
-------------------------------------------------------------------
Wed Apr 19 12:12:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.42
* CI: Restrict Nix integ test to 1 job (#3897)
* Don't set actual_protocol_version early when resuming a session (#3907)
* Expose curve details to rust bindings (#3912)
* Move secret type out of tls12/tls13 union (#3908)
* Appends S2N_API (#3910)
* chore: bump rust bindings (#3909)
* test: Nix s3 cache (#3904)
-------------------------------------------------------------------
Tue Apr 4 10:53:05 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.41
* fix: remove broken check in test (#3901)
- from version 1.3.40
* Rewrite of the PSK section in Usage Guide (#3864)
* test: cleanup after tests (#3831)
* ktls: feature probe test (#3869)
* Fixes some compiler warnings coming from tests (#3883)
* tokio-s2n-tls: Enable access to the IO instance from TcpStream (#3882)
* chore: bump rust bindings for 1.3.39 release (#3887)
* Migrate Kyber 512 to EVP KEM API (#3853)
* test: cleanup tests (#3832)
* test: Add missing packages to nix devShell (#3885)
* Document behavior of s2n_negotiate for a client with client auth (#3891)
* Switch OpenBSD CI job GH action to something more robust (#3877)
* Enable strict compile checks in unit test build (#3878)
* ci: enable valgrind pedantic check (#3886)
* Allow client hellos from raw bytes (#3871)
* Add new security policy (#3895)
- from version 1.3.39
* Removed codecov github status badge. (#3859)
* Add method to create Rust certs without private keys (#3860)
* Update s2n to latest revision of PQ Hybrid TLS 1.3 Draft RFC (#3800)
* chore: bump rust bindings version; crates msrv to 1.63.0 (#3863)
* ci: Check for msrv match between rust-toolchain an crates; make them match. (#3866)
* fix: disable defer cleanup in failure case in s2n_cert_chain_and_key_load_cns (#3870)
* tests: add checks for LTO+interning compatibility (#3839)
* Enforce that ENSURE and GUARD_OSSL use valid error codes (#3873)
- from version 1.3.38
* Add CMake targets for integration tests and switch CI to use them (#3776)
* ci: reduce the number of BSD artifacts (#3837)
* Enable -Wsign-Compare-check_v2-tests/unit (#3827)
* Add github trigger event for merge queue (#3836)
* Prevent auto-enabling OCSP requests for servers (#3830)
* Enable -Wsign-Compare-check_v3-tests/unit/ (#3828)
* Enable -Wsign-Compare-check_bin/_crypto/_stuffer/_utils/ (#3825)
* Enable -Wsign-Compare-check_v1-tests/ (#3826)
* Update s2n_libcrypto_validate_name_prefix to only
check the prefix of the libcrypto name (#3779)
* Enable -Wsign-Compare-check_tls/ (#3829)
* Add OCSP stapling for client auth (#3770)
* Enable -Wsign-Compare-check_CMakeLists (#3842)
* CI: pin AWS-LC versions #3846
* [bindings] Generalize async in preparation for pkey offloading (#3844)
* fix: use actual_protocol_version for session ID (#3845)
* Add JA3 to s2nd (#3838)
* filter do_not_merge label from Ready to merge (#3849)
* Remove unused s2n_config_client_hello_cb_enable_poll (#3850)
* Run integv2 tests with nix (#3824)
* ci: nix fmt action (#3834)
* Add CBMC proof-running GitHub Action (#3840)
* Upgrade OpenSSL model for CBMC proofs (#3857)
* Bump Rust MSRV for latest openssl-src. (#3858)
* Handle ASN.1 type detection errors (#3855)
* [bindings] Add private key callback (#3847)
-------------------------------------------------------------------
Fri Feb 17 10:17:45 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.37
* Make unstable fingerprint methods accessible (#3823)
* Clean up thread-local memory (#3771)
* bindings(rust): bump MSRV to 1.60.0 (#3833)
* Criterion delta (#3811)
* Add JA3 fingerprinting (#3817)
* Clarify that AWS-LC is also supported (#3821)
* Add unit test to check that the build's libcrypto
reflects the CI's intended libcrypto (#3774)
* Clarify SSLv2 ClientHellos (#3815)
* Bump rust bindings for 1.3.36 release (#3818)
* Add stuffer method for standard init process (#3814)
- from version 1.3.36
* ktls: rm kTLS request field on config (#3816)
* ktls: add ktls_supported field to s2n_cipher (#3806)
* Make test_install_shared_and_static easier to debug
* ktls: s2n_ktls_mode and building blocks (#3797)
* ci: Update OpenBSD's MEM_PER_CONNECTION, based on error message (#3791)
* s2n-tls nix flake (#3794)
* Updated rust bindings (#3802)
* Update omnibus fuzz image; remove fuzz job we're not running anymore in PR (#3796)
* Adds client hello section to usage guide (#3757)
* Integration test to check default signature algorithm behavior (#3719)
* Blob Initialization fix-Test_1 (#3790)
- from version 1.3.35
* fix: pass an empty string to host verify without usable identifiers (#3793)
* add code coverage support (#3759)
* ci: Enable CTEST_OUTPUT_ON_FAILURE on all targets (#3789)
* Enforce that clippy msrv matches rust-toolchain (#3787)
* Blob Initialization fix-Test (#3780)
* s2n_shutdown should ignore unread messages (#3769)
* Add min supported rust version for clippy (#3785)
- from version 1.3.34
* Initialize blobs and stuffers (#3783)
* s2n_shutdown: no not require response during handshake (#3772)
* ci: remove build-dashboard action from PR flow (#3764)
* ci: remove build-dashboard action from PR flow (#3764)
* Blob initialization fix-3 (#3768)
* Consolidate handshake and post-handshake record writing (#3750)
* Blob initialization fix-2 (#3762)
* Rename OCSP extensions (#3765)
* Record padding integration test (#3715)
* Adds check to ensure no switching between state machines (#3747)
* Clang format cleanup (#3767)
-------------------------------------------------------------------
Thu Jan 26 13:28:14 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.33
* ci: enable multicore builds for unit test (#3753)
* Blob initialization fix-1 (#3735)
* ci: upgrade checkout action (#3761)
* ci: Bump boringssl version (#3739)
* chore(ci): add CI workflow for OpenBSD (#3754)
* Remove unused extension functions (#3752)
* Repair build on OpenBSD (#3670)
* Criterion tests (#3534)
* Fragment large post-handshake records (#3741)
* Bump rust bindings for 1.3.32 release (#3746)
* ci: improve test name parsing for criterion (#3704)
* Ensure non-zero record protocol version (#3744)
* Add check to s2n_signature_scheme_valid_to_accept (#3728)
- from version 1.3.32
* ci: Fix libfuzzer path for third-party-src dir (#3742)
* added ecdhe_rsa_aes128 cipher to the tls_1_2_2017 policy (#3740)
* Intentionally disable fragmenting KeyUpdates (#3708)
* utils: guard POSIX signals with >S2N_FAILURE (#3733)
* Autopep8 updated CI and code (#3736)
* ci: CLean up integration v1 buildspecs (#3627)
* ci: Update fuzz buildspec to use pre-built image (#3604)
* Upgrade CBMC infrastructure (starter-kit 2.8.8) (#3731)
* quick fix (#3716)
* Update team members (#3640)
* fix: disable pthread_atfork fork detection on OpenBSD (#3712)
* Upgrade CBMC infrastructure (starter-kit 2.8) (#3727)
* Adds TLSv1.2_2017 security policy with ECDHE-{RSA,ECDSA}-AES256-SHA ciphers enabled (#3723)
* Fix s2n_record_write return value (#3722)
* Remove unnecessary "extern" from function declarations (#3726)
* Adds no-strict-prototypes (#3721)
* Clang-format `tests/unit/s2n_[l-r].*\.c` and enforce in CI (#3677)
* CBMC proofs: fix typing (#3718)
* ci: codebuid scripts for criterion (#3703)
* CBMC proofs: remove type-conflicting definition of s2n_calculate_stacktrace (#3714)
* Clang-format `tests/unit/s2n_s.*\.c` and enforce in CI (#3678)
* bindings bump (#3709)
* Fix sizes in s2n_resume_test (#3705)
- Drop patches for issues fixed upstream
* s2n_disable-werror.patch
-------------------------------------------------------------------
Wed Jan 4 13:17:13 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.31
* Clang format `tls/s2n_[a-h].*\.[ch]` and enforce in CI (#3681)
* tokio-s2n-tls: add poll_blinding and fix blinding on shutdown (#3700)
* Clang-format `crypto/` and enforce in CI (#3680)
* Clang-format `tls/s2n_[s-z].*\.[ch]` and enforce in CI (#3683)
* Clang-format `tests/unit/s2n_[t-z].*\.c` and enforce in CI (#3679)
* Clang format `tests/unit/s2n_[bc].*\.c` and enforce in CI (#3675)
* Clang-format `tests/unit/s2n_[d-k].*\.c` and enforce in CI (#3676)
* Add `CloudFront-TLS-1-2-2021-ChaCha20-Boosted` Security Policy w/ Docs Update (#3686)
* Fix FreeBSD minherit arg naming (#3694)
* Add config to read until error or supplied buffer is full (#3690)
* Clang-format `tls/s2n_[i-r].*\.[ch]` and enforce in CI (#3682)
- from version 1.3.30
* chore: bump rust bindings version (#3693)
* Clean up test trust store (#3692)
* Add support for AWS-LC PQ KEM (#3634)
* chore: introduce rust-toolchain and enforce MSRV (#3691)
* bindings (rust): handle propagating the async client_hello callback error (#3687)
* ci: Fix LibreSSL paths in CI (#3688)
* tests: delete integv1 code (#3685)
* bindings(rust): avoid unnecessarily zeroing the receive buffer in poll_read (#3662)
* Handle fragmented post-handshake messages (#3641)
* Add CodeQL workflow for GitHub code scanning (#3601)
* ci: pin ubuntu version to 20.04 for cppcheck (#3673)
* ci: Remove references to TEST=integration and related codebuild scripting (#3628)
* Make header deps explicit in preperation for clang-format (#3684)
* Clang-format of `tests/unit/s2n_[3a].*\.c` + transision to exclude regex (#3664)
* Add prioritize_chacha20 flag to cipher preferences (#3543)
* Fix default X509 store flags (#3671)
* Regenerate CRL pems (#3672)
* fix(tests): honour RFC 5280 4.1.2.5 when creating CRLs (#3669)
* fix(rust-bindings): store client_hello_callback state on connection (#3631)
* Bump rust bindings for 1.3.29 release (#3666)
* Removes double semicolons and expands simple_mistakes.sh (#3665)
* ci: Update OpenSSL dependencies (#3623)
* Test for legacy version vs SupportedVersions priority (#3661)
* Update to clang-format causes reformat of api folder (#3663)
* clang-format `tests/testslib` and add to ci (#3650)
* Fix flaky send buffer test (#3647)
- from version 1.3.29
* Fix clippy issues and formatting in bindings (#3659)
* Add batch of clang-format PRs to .git-blame-ignore-revs (#3653)
* Use gcc-ar instead of ar (#3625)
* bindings(rust): Implement Deref and DerefMut traits for PooledConnection (#3642)
* clang-format `utils/` and enforce in ci (#3651)
* clang-format `api/` and enforce in ci (#3637)
* clang-format `error/` and enforce in ci (#3638)
* Fix file modes and enforce in ci (#3645)
* clang-format `bin/` and enforce in ci (#3635)
* Add and document CRL APIs (#3523)
* clang-format `tls/extensions` and enforce in ci (#3633)
* Add stuffer version of s2n_io_pair (#3632)
* Add clang-format of stuffer to .git-blame-ignore-revs (#3629)
* Add clang-format ci action (#3618)
* Adds Usage Guide section on the Config object (#3620)
* bump rust bindings for 1.3.28 release (#3622)
* Add buffered send integration test (#3537)
* Declaring Virtual Function Tables as const- crypto (#3616)
* Add proof for TLS handshake with NPN extension nondeterministically enabled or disabled (#3613)
* ci: Fix SAW sha_bad_magic_mod failure test (#3617)
* Remove s2n_cbc_verify_test (#3615)
- from version 1.3.28
* bindings(rust): add lto in release mode (#3610)
* wrapper for wall_clock (#3611)
* Fix very minor DeprecationWarning in integrationv2 (#3609)
* Adds s2n_connection section to usage guide (#3605)
* Fix to handle callback failure (#3597)
* Move CRL timestamp validation into the CRL lookup callback (#3515)
* Re-enable saw proofs for TLS handshake with NPN extension disabled (#3594)
* [bindings] Fix client hello callback with config swap (#3600)
* Fix FreeBSD build test bug (#3587)
* Add some missing null ptr checks for defence in depth (#3596)
* 1.3.27 bindings update (#3599)
* Apache renegotiation integration tests (#3580)
* Try to clarify the use of s2n_blob_zeroize_free (#3591)
-------------------------------------------------------------------
Fri Nov 11 22:00:55 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.27
* Npn cleanup (#3590)
* Ensure extended master secrets ext have no data (#3588)
* LibreSSL version 3.5 implements the OpenSSL 1.1 API (almost) (#3589)
* Update vmactions/freebsd github action (#3592)
* Fix free error when using jemalloc (#3585)
* Add rust binding for s2n_set_config_send_buffer_size (#3582)
* NPN integration tests (#3583)
* Adding null checks to tls/extensions and tls/s2n_perf (#3578)
* Adds API for NPN support (#3575)
* Add CRL lookup callback (#3546)
* Bump Doxygen version 1.9.3 -> 1.9.5 (#3581)
* Add apache renegotiation test server to CI (#3565)
* Adds TLS12 Encrypted Extensions Messages (#3545)
* Removing more failing saw (#3577)
* bump to 0.0.17 (#3574)
* More openssl renegotiate integ tests (#3570)
* Added compliance comment for renegotiate (#3572)
* Remove s2n-core from CODEOWNERS (#3571)
- from version 1.3.26
* Add IO debug info to integrationv2 framework (#3564)
* Fix check for non-portable optimizations (#3573)
* Handshake changes necessary to negotiate NPN (#3558)
* Add array init with capacity API (#3554)
* Basic renegotiation integ tests (#3563)
* Rust bindings version bump for 1.3.25 (#3567)
- from version 1.3.25
* Only enable non-portable optimizations safety
checks during GitHub CI builds (#3562)
* Release renegotiation feature as unstable (#3556)
* Refactor write_pem_file_to_stuffer_as_chain (#3553)
* Temporarily removing TLS12 SAW tests (#3560)
* Fix bug on RHEL5 platform (#3561)
* Tweaks to HelloRequest handling (#3555)
* ci: update group for labeler action (#3544)
* test(rust-bindings): improve test reliability (#3552)
* Add send-file option to s2nc (#3550)
* Add API to handle renegotiation (#3549)
* Change behavior when no protocols match (#3548)
* Limit slow DHE handshakes in test (#3541)
* Keep finished data on s2n_renegotiate_wipe (#3539)
* Rust bindings version bump for 1.3.24 (#3540)
* Add wrapper struct for X509_CRL (#3520)
* Added NPN Handshake Message (#3526)
* Add server secure_renegotiation checks for testing (#3533)
* Finish compliance comments for secure renegotiation (RFC5746) (#3536)
- from version 1.3.24
* Fix fatal no_renegotiation alert (#3535)
* Add renegotiation callback (#3527)
* Partially wipe connections for renegotiation (#3522)
* Revert "ci: Criterion integv2 test changes (#3222)" (#3531)
* ci: Criterion integv2 test changes (#3222)
* Enforce init and cleanup calling rules (#3512)
* Fix npn test bug (#3529)
* Npn Extension Functions (#3521)
* ci: Move sidetrail docker container to other repo; rework sidetrail
to install tooling ahead of time. (#3518)
* docs: update openssl docs (#3503)
* Add additional CBMC dependencies to README (#3517)
* Refactor s2n_x509_validator_validate_cert_chain to support an async callback (#3500)
* Fix memory leaked by s2n_cleanup (#3506) (#3506)
* Disable AVX2 compiler flags in portable PQ implementation (#3508)
- from version 1.3.23
* Merge pull request from GHSA-m74w-59v6-c5r8
* Merge pull request from GHSA-mm47-wjfh-4hf5
* ci: Custom ubuntu18 image (#3513)
* release: bump rust bindings (#3507)
* Implement client-side safety features for secure renegotiation (#3497)
* ci: Criterion benchmark handlers (#3223)
- from version 1.3.22
* Add compliance exceptions for server renegotiation (#3498)
* Store explicit length of verify_data (#3494)
* Send no_renegotiation alert (#3490)
* Add FS2 Scala Native binding (#3496)
* Allow static and shared libs to be mixed (take 2) (#3484)
* Removing some LGTM warnings (#3493)
* Add compliance comments for secure renegotiation initial handshakes (#3485)
* release(rust-bindings): 0.0.13 (#3487)
* Add test for verify after sign failure (#3486)
* Add option to verify after sign (#3482)
* Usage Guide Changes for Certificate Inspection Methods (#3480)
- from version 1.3.21
* Revert "Allow static and shared libs to be mixed. (#3467)" (#3483)
* Allow static and shared libs to be mixed. (#3467)
* openssl3 integration: cleanup providers (#3481)
* openssl3 integration: store const RSA and EC_KEY (#3474)
* ci: update freebsd image (#3479)
* Fix documentation for record sizes (#3418)
* Fix reference to wrong function (#3478)
* ci: add openssl111 to LD_LIBRARY_PATH for integv2 testing (#3464)
* Add test certificate chains and CRLs for testing CRL validation (#3458)
* feat: add dynamic buffer capabilities (#3472)
* openssl3 integration: workaround for new EVP_Cipher return code (#3466)
* Allocate s2n_crypto_parameters separately (#3470)
* Reference s2n_crypto_parameters via pointers (#3469)
* openssl3 integration: work around for broken make build (#3468)
* create rfc9151 security policy (#3431)
* openssl3 integration: fix padding (#3450)
* openssl3 integration: load legacy provider for rc4 cipher (#3457)
* Re-worked Session Resumption Usage Guide Sections (#3423)
* release(rust-bindings): 0.0.12 (#3462)
- from version 1.3.20
* Initialize locking sooner (#3456)
* build and link s2n-tls with openssl3 (#3441)
* build: fix Ubuntu quickstart instructions (#3452)
* double fallback for load libcrypto (#3451)
* tests: add global retries and fail fast (#3454)
* Add basic buffered send behavior (#3434)
* Fixing cargo clippy complaints (#3448)
* Return s2n_result from x509 validator functions (#3444)
* Correct CODEOWNERS team name (#3449)
* Fuzz s2n_deserialize_resumption_state (#3421)
* s2n_peek should not report partial, encrypted data (#3443)
* Fix early data reporting on partial send (#3439)
* rust bindings release 0.0.11 (#3437)
- from version 1.3.19
* ci(rust-bindings): Bump nightly version (#3430)
* S2N client negotation of un-offered group fix (#3422)
* Remove patch version from .so (#3426)
* cleanup codecov from codebuild (#3425)
* Shared library .so version (#3407)
* Revert "ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)" (#3424)
* Set Openssl-1.0.2 locking callback (#3415)
* Add more testing for s2n_send (#3409)
* Miscellaneous Usage Guide Fixes (#3411)
* Added RFC exception comment (#3405)
-------------------------------------------------------------------
Mon Aug 8 07:22:14 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.18
* ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)
* [bindings] Bump s2n-tls-tokio version (#3413)
* [bindings] Make errno a required dependency (#3412)
* release (rust bindings) for v1.3.17 release (#3402)
* [bindings] Fix constant name (#3410)
* ci: update OSX env for FreeBSD action (#3406)
* [bindings] Include errno in errors (#3403)
* Don't force static crypto dependency in case of a static build (#3395)
* pq: Remove support for BIKE, SIKE, and Kyber (Round 2) (#3392)
-------------------------------------------------------------------
Tue Jul 26 09:02:30 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.17
* Don't wipe extensions after processing (#3401)
* fail generate.sh when cargo fails (#3398)
* Remove CBMC proof typechecking warnings (#3397)
* ci: Remove Integration Tests from Omnibus (#3391)
* Remove litani submodule and update CBMC starter kit to 2.5 (#3385)
* Prevent modifying of shared cert chains through config API (#3384)
* Fix how KeyUpdates trigger (#3387)
* Added OCSP and CT Sections to the Usage Guide (#3382)
* release(rust-bindings): 0.0.9 (#3388)
* Add HRR compliance comments and tests for remaining TLS RFC sections (#3363)
* build(rust-bindings): use the 2021 rust edition (#3386)
* Add HRR compliance comments and tests for TLS RFC section 4.2.8 (#3362)
-------------------------------------------------------------------
Tue Jul 12 12:38:11 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.16
* Add 'poll_' to polling method names (#3383)
* Update fips_default security policy (#3378)
* [bindings] Parity with unofficial bindings (#3374)
* Add clone and initialisation unit tests (#3367)
* [bindings] Export policy macro (#3375)
* ci: Generate Duvet reports in CI (#3372)
* Set server key share extension as a response extension (#3358)
* Enable S2N_AES_SHA1/256_COMPOSITE when AWSLC_API_VERSION >= 18. (#3269)
* Update CBMC starter kit to v2.4 (#3376)
* Import Microsoft's recent PQCrypto-SIDH SIKE patches into s2n (#3366)
* Temporarily change OpenSSL 1.1.1 versions to fix CI. (#3368)
* [bindings] Get rid of 'raw' module (#3360)
* Replace existing fork detection with the FGN implementation (#3355)
* Fix clap dependency (#3361)
* Add compliance comments and tests for TLS RFC section 4.1.4 (#3337)
* [bindings] Apply async blinding (#3356)
* [bindings] Add connection pooling support (#3336)
* [bindings] Rework connection builder trait (#3335)
* Expand random api tests (#3342)
* docs: Documentation Clean Up (#3329)
- from version 1.3.15
* fix: Add option to disable stacktrace feature (#3345)
* Fix interning build for cmake version 3.15+ (#3346)
* docs: Make Doxygen prettier. (#3343)
* free EVP_PKEY_CTX before returning from s2n_evp_sign/verify (#3333)
* ci:Add valgrind tests for awslc (#3338)
* Improve libcrypto checks (#3272)
* fix: Accurately track wire_bytes_out (#3332)
* ci: CodeBuild spec updates to support criterion integv2 (#3225)
* [bindings] Handle async callback behavior (#3325)
* release(rust-bindings): 0.0.8 (#3341)
* Refactor randomness API tests (#3328)
* Catch broken pipe exceptions on pipe flush. (#3321)
* doc fix: Update documentation for s2n_connection_get_cipher. (#3330)
-------------------------------------------------------------------
Wed May 25 08:31:30 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.14
* [bindings] Allow modification of new connections (#3320)
* fix(bindings-rust): move vendored openssl-sys to dev-dependency (#3323)
* ci: Temporarily remove more test endpoints with expired certs (#3322)
* [bindings] Move enums to separate file (#3319)
* Feature probe for EVP_rc4 (#3301)
* Use CaDiCaL solver for s2n_stuffer_private_key_from_pem proof (#3318)
* docs: Introduce Doxygen to s2n (#3302)
-------------------------------------------------------------------
Wed May 18 13:54:10 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.13
* Enforce how the client hello is modified during retry (#3311)
* Use SHA1+MD5 for <TLS1.2 + FIPS (#3310)
* Don't generate a new client random on retries (#3312)
* Rewrite cookie extension (#3306)
* Fixed CBMC_ENSURE_REF calls where NULL return type expected (#3304)
* ci: Fix boringssl unit tests (#3309)
* Improve cmake logging (#3305)
* [bindings] Clean up async behavior (#3299)
* ci: Temporarily remove more test endpoints with expired certs (#3300)
* ci: add awslc interning to omnibus (#3295)
* fix(s2n-tls-sys): add cmake files to the include directive (#3297)
* release(rust-bindings): 0.0.6 (#3296)
* build(bindings): use cmake when building with pq feature (#3294)
* [bindings] Add basic send and recv (#3290)
* Interning not supported with FIPS enabled. (#3277)
* fix: FreeBSD will now fail loudly (#3284)
* [bindings] Hide ffi types + basic debug info (#3279)
-------------------------------------------------------------------
Thu Apr 28 11:06:16 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.12
* Use pointer to variable type as required by cleanup attribute (#3289)
* bug: fix s2n_connection->cookie_stuffer initialization (#3282)
* Add test utility for fork tests (#3253)
* Add additional libcryptos to V2 integration tests (#3244)
* ci: GitHub actions for osx (#3280)
* Fix MacOS unit tests (#3278)
* build: use S2N_LIBCRYPTO to pick interning lib (#3276)
* [bindings] Add basic s2n-tls-tokio skeleton (#3261)
* exclude cast-qual in Cmake for aws-lcw (#3270)
* Disable strict-prototypes diagnostic flag in Clang (#3275)
* ci: check integv2 python for pep8 issues (#3271)
- from version 1.3.11
* auto format integv2 python (#3268)
* ci: don't update the ghpages dashboard outside of main repo (#3267)
* release(rust-bindings): 0.0.5 (#3256)
* Add basic rust ci jobs (#3265)
* Fix wrong assumption about osx/apple (#3264)
* ci: temporarily remove expired certs (#3266)
* fix: correctly export internal APIs (#3260)
* deps: Upgrade CBMC submodules (#3259)
* Fully separate key and secret state machines (#3238)
* test: OCSP integrationv2 test with GnuTLS (#3207)
* Port drbg.c functions to use S2N_RESULT (#3252)
* feat(rust-bindings): add support for linking an external build (#3254)
- from version 1.3.10
* build: fix libcrypto interning (#3204)
* Update install_awslc to install the correct FIPS branch of AWS-LC (#3255)
* ci: add make install (#3224)
* ci: Add a CRT codebuild job (#3245)
* ci: script changes to test aws-crt (#3176)
* Add step by step instructions to Readme (#3061)
* ci: Issue/PR dashboard (#3235)
* feat(rust-bindings): add support for mTLS (#3241)
* Address new-ish python warning (#3208)
* Add check on zero returned by EVP_CIPHER_CTX_ctrl. (#3221)
* Changed function declarations to match their definitions (#3243)
* Add missing safety macro deprecation messages (#3242)
* Fix auto-generated RESULT_GUARD_RESULT macros (#3239)
* sike_r3: add missing GNU note for executable stack on ELF (#3194)
* Implementation of fork generation number API (#3191)
* fix cmake package name in usage guide (#3232)
* bindings: update version in preperation for publishing the bindings to crates.io (#3233)
* bindings: manually track Config lifetime and expose
ClientHelloHandler for client_hello_callback (#3216)
* Remove nonexistent macro reference from docs (#3237)
* internal api: add new api to poll client_hello callback (#3230)
* Make secrets available early for QUIC (#3229)
- from version 1.3.9
* Remove PQ tests that break on Openssl DRBG calling pattern updates (#3231)
* Split up slow pq test (#3226)
* Secret reorder for s2n-quic (#3227)
* Fix BIKE Round 3 try_compile statements (#3219)
* Update sidetrail readme (#3220)
- from version 1.3.8
* Delete more old key schedule methods (#3215)
* Wipe TLS1.3 secrets after handshake (#3212)
* Fix cleanup issues with HELLO_REQUEST received during handshake (#3217)
* Add tls13 state machaine file back (#3205)
* api: add context on s2n_config. add internal api to
access config set on connection (#3210)
* Clarify TLS1.3 secrets tracking (#3213)
* Remove old key schedule methods (#3209)
* Refactor TLS1.3 key schedule (#3198)
-------------------------------------------------------------------
Tue Mar 1 12:10:42 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.7
* Crypto variable update missing from #3181 (#3189)
* SSLyze integrationv2 test (#3186)
* Added try_compile for features.h (#3197)
* bindings: update rust bindings (#3196)
* Centralize transcript hash copy logic (#3195)
* Enable PQ in FIPS mode with awslc (#3183)
* Revert "Flush stdout with initial BEGIN_TEST message (#3185)" (#3193)
- from version 1.3.6
* Store TLS1.3 transcript hash digests rather than full hash state (#3188)
* Remove in-source build target check hackery. (#3181)
- Refresh patches for new version
* s2n_fix-cmake-modules-path.patch
-------------------------------------------------------------------
Tue Feb 1 11:21:51 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.5
* remove extra S2N_API (#3187)
* Use `llvm_points_to_bitfield` in SAW proofs (#3155)
* Add API s2n_client_hello_has_extension to check if extension exists (#3180)
* Flush stdout with initial BEGIN_TEST message (#3185)
* FreeBSD ci (#3184)
* Add some comments to build scripts (#3182)
* Document which macros should not be used for new code (#3179)
* remove unused function s2n_actual_getpid (#3172)
* Workaround AL2 nodejs package issue (#3174)
* Add API method to translate errors to alerts (#3171)
* Upgrade CBMC submodules (#3165)
* tests: add s2n_init/s2n_cleanup tests (#3164)
-------------------------------------------------------------------
Thu Jan 20 11:39:19 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.4
* Change AWS-LC aes-gcm aead APIs to the ones that
are FIPS validated (#3137)
* Conflicting ports in integration test (#3161)
-------------------------------------------------------------------
Tue Jan 4 14:34:21 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.3
* Fix s2n_connection_get_client_cert_chain for TLS1.3 (#3156)
* Fixing Flakiness in Cross-Compat Test (#3158)
* Enforce RSA-PSS saltlen requirements (#3157)
* Rearrange TLS1.2 and TLS1.3 secret storage (#3154)
* Use libcrypto signing methods in compliance with FIPS 140-3 (#3142)
* docs: update readme (#3153)
- from version 1.3.2
* Adds Cross-Compatibility Test (#3147)
* Makes s2n_stuffer_skip_whitespace verification friendly (#3143)
* ci: fix Kwstyle (#3136)
* only print on retries (#3151)
* integration: enforce timeout, allow for the process to
shutdown gracefully, run in non-blocking mode (#3148)
* Added Script to Compile Main for Cross-Compat Testing (#3139)
* Adds Options to Output and Input Session Ticket to s2nc (#3134)
* Upgrade CBMC submodules (#3135)
-------------------------------------------------------------------
Thu Dec 9 10:04:33 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.3.1
* Nitpick usage guide links (#3133)
* FIPS Static Config is Only Created When Needed (#3129)
* Fix build on NetBSD. (#3131)
* Feature probe for EVP_md5_sha1() (#3128)
* Allow EVP hash implementation to use EVP_md5_sha1 if available (#3126)
* Allow synchronous private key operations (#3121)
- from version 1.3.0
* EMS Re-Release (#3122)
* If QUIC, only offer TLS1.3 (#3124)
- from version 1.2.1
* tests: fix s2n_enable_tls13 deprecation warnings (#3120)
* Fix FindLibCrypto for list-typed CMAKE_PREFIX_PATH (#3067)
* Add AWS-LC FIPS integration target (#3084)
* Detect nested s2n_negotiate calls (#3119)
* build: add the option to enable LTO (#3117)
* Prevent Uninitialized Memory Access in case of FIPS Mode Disabled (#3016)
* Fixed EMS to work with Session Caching (#3102)
* Rename internal HMAC implementations in s2n_prf to
clarify which implementation is used (#3103)
* Finish memcpy->memmove migration (#3110)
- from version 1.2.0
* Revert "EMS Release (#3053)" (#3113)
* Reapply "Update QUIC parameters IANA (#3029)" (#3106)
* Add a flag to s2nc to enable FIPS mode in the underlying libcrypto.
Update integration tests to use the new flag when needed (#3101)
* Added Backwards-Incompatible Ticket Version (#3099)
* Don't allow QUIC to be enabled if TLS1.3 not possible (#3088)
* ci: remove spaces from benchmark name (#3097)
* Lets make S2N play nicely with the rest of the world shall we? Added … (#2669)
- from version 1.1.2
* ci: add a CODEOWNERS file (#3071)
* utils: fix constant time equals return value (#3093)
* Upgrade CBMC templates (#3094)
* tests: fix fuzz count formatting (#3091)
* Turn on Endpoint Tests (#3090)
* Offer only TLS1.3 handshake options if QUIC enabled (#3085)
* Added test for mutal auth (#3087)
* Repair TLS 1.3 proofs after c096a55 (#3079)
* Bench handshake (#3043)
* Rename CBMC proof bound BLOB_SIZE -> MAX_BLOB_SIZE (#3073)
-------------------------------------------------------------------
Tue Oct 12 12:42:24 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Trim conjecture and redundant metadata from description.
- Simplify package names and set right shlib package name.
-------------------------------------------------------------------
Mon Oct 11 09:13:10 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.1.1
* Advance CBMC litani and template submodules to latest release (#3072)
* Update integv1 trust store (#3074)
* Revert "Re-enable TLS 1.3 SAW tests (#3031)" (#3077)
* Re-enable TLS 1.3 SAW tests (#3031)
* Revert "Update QUIC parameters IANA (#3029)" (#3069)
* NULL-check s2n_cert_chain_and_key_get_pkey_type (#3064)
* Enable RSA_PSS_SIGNING_SUPPORTED when OPENSSL_IS_AWSLC. (#2801)
* audit memcmp usage (#3059)
* Turn on OCSP functionality for AWS-LC (#3058)
* ci: Use stable for openssl1.1.1 (#3065)
- from version 1.1.0
* Fix TLS1.3 ticket lifetime math (#3060)
* Add API to track session tickets sent (#3056)
* Turn On Client OCSP Stapled Test (#3055)
* EMS Release (#3053)
* Add more well known endpoints for integration testing (#3054)
* Update READING-LIST.md (#3004)
* Add new Fuzz Test Corpus Files (#3021)
* Remove ChaCha TLS 1.3 Cipher from KMS FIPS Cipher Pref List (#3039)
* Re-enable Twitter.com client integration test (#3051)
* Fix BIKE R3 PQ Assembly detection bug for AMD Zen 3 CPUs (#3050)
* EMS Testing (#3042)
* Enable Client-side TLS 1.2 Self Downgrade (#3030)
* Allow QUIC to be enabled per-connection (#3048)
- from version 1.0.19
* Disable EndOfEarlyData message for QUIC + clean up
QUIC special casing (#3044)
* Fix TLS1.2 session cache + missing ticket key (#3041)
* Remove twitter.com from endpoint handshake test for
OpenSSL 1.0.2 (#3038)
- from version 1.0.18
* build: add libcrypto interning tests (#3035)
* Add more TLS Security Policies with TLS 1.3 support (#3023)
* Enable offloading of private key operations (#3024)
* Fixes Potential IO Memory Leak (#3027)
* build: add option to intern libcrypto (#3028)
* Update QUIC parameters IANA (#3029)
* Adding s2n_negotiate benchmarking framework (#3014)
* Update s2n_cipher_suites.c (#3026)
* Self Downgrade to TLS 1.2 if RSA PSS is not available and it's
possible that it may be needed (#3009)
- from version 1.0.17
* Use pthread_equal for pthread_t comparison (#3022)
* Fix pre-TLS1.2 ECDSA client certs (#3019)
* Improved support for using s2n-tls from within an unloadable shared lib (#3011)
* Adds EMS flag to session ticket (#2982)
* Extra EMS Requirements (#3018)
* Create 20210816 security policies (#3015)
* Add RSA-PSS-PSS to integration tests (#3012)
* Added s2n_client_hello_get_session_id calls (#3006)
* Upgrade CBMC sub-modules (#3017)
* Switch sigalg integ test to use s2n output instead of Openssl output (#3010)
* bindings: import "mid-level" bindings (#2920)
* Move/Modify methods from s2nd to common.h/common.c (#3008)
* And test to verify unencrypted EncryptedExtensions rejected (#3003)
* Fix behavior of signature scheme getters in TLS1.2 (#3007)
* Added call to generate EMS when negotiated (#2986)
* Test psk_kex_exchange_mode GREASE values (#3002)
* introduce fd getter new API (#2981)
* Fix build issue with AWS Common Runtime SDK CI (#3005)
* Adds Client and Server EMS Extension (#2991)
* Import Kyber512 Round3 AVX2 Implementation (#2946)
* Moving code to broader files to allow for usage in other programs (#2996)
- Refresh patches for new version
* s2n_add-so-version.patch
-------------------------------------------------------------------
Thu Aug 12 10:57:59 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.16
* Updated PSS support definition to account for new BoringSSL version (#2297)
* Add quic_transport_parameters extension (#2288)
* added unit test for sort order of s2n_all_cipher_suites in IANA order (#2192)
* Add initial QUIC setup (#2283)
* Fix macro usage, indexing and magic numbers (#2271)
- from version 1.0.15
* Add client-side support for PQ HRR (#2260)
* Add AWS-LC pre-processor directive similar to BoringSSL (#2273)
* Fix awslc codebuild hang (#2282)
* Fixed processing issue with status request extension (#2229)
* Update s2n to compile on FreeBSD (#2272)
* Add aws-lc code build. (#2275)
* Don't enable OCSP stapling if not available (#2253)
* Improves performance and coverage of s2n_stuffer_* proofs (#2230)
* Codebuild batch and Omnibus job (#2245)
* Disable sending of PQ group IDs for FIPS or TLS1.2 (#2267)
* Use NIST P-256 for key generation when client do not specify curve (#2265)
* Fix TLS 1.3 server side OCSP metrics (#2241)
* Add client/server share size fields to s2n_kem_group (#2269)
* alloc and sub overflow proofs (#2255)
* Add ECDSA ciphers for viewer side support (#2219)
* Adds proof harnesses for s2n_array_free* functions (#2244)
* Checking data size instead of data pointers in
s2n_stream_cipher_null_endecrypt (#2263)
- from version 1.0.14
* Update CloudFront security policies (#2238)
* Adds proof harnesses for s2n_array_* functions (#2246)
* Implements client-side sending of PQ key shares for 1.3 (#2215)
* Change fuzz coverage below minimum to an error (#2259)
* Initialize slot variable to fix ARM compiler warning (#2258)
* Adds proof harnesses for s2n_set_* functions (#2248)
* Check if S2N_COVERAGE and FUZZ_COVERAGE are true (#2254)
* Use allocation function for session key object (#2249)
* Adds initial CBMC proofs for s2n_array and s2n_set (#2193)
* Update the default keyshare list sent by the client (#2190)
- from version 1.0.13
* Support TLS 1.3 clients that do not specify signature algorithms (#2222)
* Importing Kyber512-90s PQ KEM (#2202)
* build: fix cmake shared lib build (#2237)
-------------------------------------------------------------------
Wed Jul 7 11:53:45 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.12
* Update Max Connection memory usage to support Round 3 KEM Groups (#2933)
* Check for -1 return code from OCSP_basic_verify() (#2931)
* Add Round 3 PQ TLS Policies (#2842)
* Add public function for wiping the trust store (#2927)
* fix memcpy bug in client hello - copy address of pointer (#2917)
* Stops TLS13 From Erroring if Session Ticket Write Fails (#2928)
* Fixing wrong file path in makefile for BIKE R3 (#2925)
* Check Cipher Suite is ECC Before Returning Curve (#2908)
* Add unit test to monitor s2n_connection size changes (#2913)
* bindings: export include dir in rust build (#2918)
- from version 1.0.11
* Add a stale bot configuration (#2897)
* bindings: add rust bindings (#2754)
* Suggestion: Prevent randomness callbacks being set to NULL (#2916)
* Reduce memory allocated for conn->out (#2904)
* document sigpipe handling (#2909)
* place -Werror behind a flag which is ON by default (#2903)
* resolve -Wstrict-prototypes compiler warning (#2906)
* OpenSSL rand-engine requires engine support (#2885)
* Fix TLS1.3 dynamic record min calculation (#2900)
* Make client respect max frag len extension result (#2898)
* Initial proofs for s2n_socket functions (#2896)
* Do not calculate transcript on failed connection (#2886)
* Add gcov and lcov targets for pq (#2895)
* Adds close markers to flaky test (#2863)
* Fix some OCSP-related cert behavior (#2894)
* Adding Usage Guide for Pre-Shared Keys (#2890)
* Remove sikep434r2 code (#2864)
* Adds Error Checking Around Fragment Length (#2888)
- Refresh patches for new version
* s2n_disable-werror.patch
* s2n_fix-cmake-modules-path.patch
-------------------------------------------------------------------
Fri Jun 11 11:26:46 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.10
* Release TLS1.3 Pre-Shared Key (PSK) (#2889)
* Release early data / 0RTT (#2882)
* Release TLS1.3 Session Resumption (#2877)
* Limit session resumption PSKs processed (#2879)
* Client should not accept invalid TLS1.3 ticket_lifetime (#2878)
* Updates CI buildspec to include PSK integration tests (#2875)
* Adds External PSK Integration Tests (#2821)
* Make TLS1.3 ticket processing less strict to handle future changes (#2876)
* Add handshake type message for integration tests (#2873)
* Fixes s2n_get_session_length in TLS1.3 (#2858)
* Update Codebuild batch spec with early data integration test (#2872)
* Duplicate Certificate Error Message (#2870)
* Early data integration tests (#2857)
* Various small integration framework fixes (#2868)
* Bring __ANDROID__ and ANDROID back for tm_gmtoff (#2869)
* More fixes for BIKE R3 optimized builds (#2867)
* Supports in-source build with AWS-LC. (#2714)
* Larger chunk size based on worker count (#2865)
* BIKE R3 fix for gcc-4.8.2 (#2866)
* Fix BIKE_R3 build issue (#2860)
* Error blinding updates / fixes (#2852)
* BIKE Round-3 runtime code path selection based on CPU capabilities (#2793)
* Removes tolower stub from CBMC proofs (#2853)
* Stop rejected 0RTT data from triggering error blinding (#2849)
- from version 1.0.9
* Add new s2n_cert_chain_and_key load api that takes non-null-terminated
data and length (#2753)
* Adds TLS1.3 Session Resumption Integration Tests (#2814)
* Integrate sikep434r3 x86_64 assembly (#2820)
* Fix duplicate KEM assignment in pq_kem_test (#2848)
* Adds new proof allocators for s2n_connection (#2832)
* s2n_connection_get_session_id_len returns 0 for >= TLS1.3 (#2844)
* Update codebuild script for NO_PQ when building unit tests with cmake (#2841)
* Adds getters for connection signature algorithm and digest algorithm (#2843)
* Adds TLS1.3 Session Resumption and Early Data Functionality to s2nd/s2nd (#2826)
* Add signature validation for async sign call (#2791)
* Make digest_allow_md5_for_fips proof UID unique (#2837)
* Add BIKE Round 3 Fuzz Tests (#2790)
- Add patch to strip -Werror from build flags
* s2n_disable-werror.patch
-------------------------------------------------------------------
Mon May 17 12:27:25 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.8
* Disable mlock during unit tests (#2829)
* Fix HRR + 0RTT bug (#2824)
* ci: Adding AL2 unit tests to CI (#2828)
* Separate TLS1.2 and TLS1.3 client ticket memory lifecycles (#2825)
* Remove unused macro and safeguard against removing prediction resistance (#2807)
* Implement async private key op offload interface (#2779)
* Updating api documentation for s2n_cert_chain_get_cert (#2822)
* update usage docs (#2816)
* Add AES-GCM prioritized versions of older security policies (#2767)
* Async private key operation offload documentation (#2799)
* ci:Create a NoPQ unit test job (#2451)
* docs: add a Semver document (#2268)
* Formally verify no memory leaks in s2n_stuffer (#2813)
* Add early-data session resumption self-talk tests (#2795)
* Formally verify no memory leaks for s2n_array & s2n_set deallocators (#2810)
* Update gitter link (#2806)
* Disable TLS1.3 ticket issuing outside of tests (#2809)
* Ignore `munlock` failures (#2804)
* Relax SIKE Round 3 architecture restrictions (#2800)
* Ensure that s2n is initialized in s2n_free_object (#2805)
* No optimization when debugging (#2798)
* Formally verify no memory leaks in hash functions (#2792)
* async_pkey support for s2n_client_verify (#2755)
* Import sikep434r3 (#2701)
* Use POSIX/glibc __USE_MISC feature detection instead of platform macros (#2778)
* Adding EC_KEY_check_key for p521 curve (#2789)
* Import kyber512r3 (#2694)
* ci: add unit test to s2n_codebuild.sh (#2773)
* Formally verify no memory leaks for s2n_blob (#2788)
* tests: fix typos in identifiers and comments (#2783)
* Clean up pq_kem_test and add negative test case for decaps (#2785)
* Adds session-resumption self-talk tests (#2770)
* ci: Codebuild al2 scripts (#2782)
* Use S2N_HMAC_SHA256 in psk PRF match test case (#2746)
* Make server_name send check more efficient (#2719)
* Remove all occurrences of `#pragma check disable` (#2781)
* Fix incorrect blob resize (#2784)
* Make s2n_connection_get_session/session_length work for TLS1.3 (#2768)
* Removes pragmas from CBMC-proof harnesses (#2775)
* Avoid arithmetic operations on NULL pointers (#2772)
* Make s2n_connection_get_session_ticket_lifetime_hint work with TLS1.3 (#2769)
* Allow ecc preferences without secp256r1 (#2763)
* docs: fix a few typos (#2765)
* add missing Bike_r3 symbols when S2N_NO_PQ is set (#2771)
* Update s2n_config_set_session_tickets_onoff for TLS1.3 (#2762)
* Update s2n_connection_is_session_resumed for TLS1.3 (#2761)
* Put limits on use of keying material (#2751)
* Adds selection logic for resumption psks (#2743)
* External PSK Integration Tests Part 1 (#2749)
* Adding s2n_psk_get APIs (#2748)
* Remove unnecessary BIKE R3 code for verbose logging (#2758)
-------------------------------------------------------------------
Mon Apr 26 09:23:44 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.5
* utils: remove deprecated safety macros (#2747)
* Fix loop counter overflow due to inconsistent type (#2739)
* Upgrades CBMC templates for proof harnesses (#2744)
* Import Bike Round 3 Implementation into s2n (#2726)
* Cleanup TLS1.3 fixed ticket sizes (#2729)
* Export symbols when building dynamically (#2730)
* Check for validity in s2n_stuffer_wipe*operations (#2732)
* Skip coverage upload (#2734)
* Don't send the client_session_ticket extension when using TLS1.3 tickets (#2725)
* Added server deserialize method (#2709)
* Make early data callback async (#2717)
* Include early data config in session tickets (#2720)
* quic: add S2N_API to secret callback api (#2728)
* Consolidate handshake pause logic (#2716)
* Pinned bash script to previous commit (#2723)
* Add early data callback (#2715)
* Set early data context for new session tickets (#2718)
* Adding prefix s2n_cert for s2n certificate APIs (#2713)
* Safeguard linker flags on Apple (#2710)
* Add APIs to send and receive early data (#2682)
* Adds helper function to obtain the OID value from the X509v3 extensions (#2702)
* Created GDB flag to remove optimizations (#2711)
- from version 1.0.4
* Add flags for non exec stack and read only GOT. (#2707)
* Fix for failing resume test (#2706)
* Add context to PSK selection callback (#2704)
* Calculated obfuscated ticket age (#2697)
* Don't allow non-post handshake messages to be received post handshake (#2703)
- from version 1.0.3
* Reduce fuzz timeouts due to codebuild timeout limits. (#2586)
* Prepare s2n_config_set_psk_selection_callback to someday be async (#2689)
* Add early_data_indication extension for new session tickets (#2686)
* Don't allow both resumption and external PSKs at the same time (#2696)
* Command Line Options Fix For s2nc.c (#2681)
* Centralize and correct ">= S2N_TLS13" checks for extensions (#2699)
* dont await close_notify alert if we have already received one before (#2674)
* Add support for non blocking client hello callback (#2688)
* Update OSX quickstart instructions (#2700)
* Resolve conflict between 516a99e and abed2a3 (#2698)
* Allow early data via s2n_negotiate/s2n_send/s2n_recv (#2680)
* Send the Client CCS message early when sending early data (#2691)
* Handle pre-TLS1.3 peers and early data (#2690)
* Adding a new resumption psk deletes all previous psks (#2684)
* Add api to configure max early data for new tickets (#2683)
- from version 1.0.2
* Add methods to report early data status / limits (#2678)
* Add bitflag to enable early data (#2679)
* Added client deserialization method (#2675)
* ci: disable go proxy (#2677)
* Add s2n_connection_get_peer_cert_chain API (#2666)
* Added nst to post_handshake handler (#2665)
* Add method to perform a partial handshake (#2662)
* Removes all proof allocators from CBMC proofs (#2668)
* Update readable writable flags (#2667)
* Read New Session Ticket message (#2657)
* Add early data negotiation tests + misc minor fixes (#2658)
* APIs to get s2n certificate in der format (#2649)
* Added nst callback (#2639)
* Handle rejected early data (#2647)
* Add early traffic secrets (#2645)
* Adds support for incremental proof-results in CI reports (#2644)
* ci: Update action
* Add server early data indication extension (#2612)
- Drop patches for issues fixed upstream
* s2n_no-visibility-hidden.patch
-------------------------------------------------------------------
Tue Mar 16 11:54:46 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 1.0.1
* Make HRRs work with early data (#2611)
* Reduce memory used by handshake arrays (#2628)
* utils: apply safety codemod script (#2441)
* ci: update cppcheck (#2638)
* utils: remove the usage of S2N_ERROR_IF in favor of POSIX_ENSURE (#2636)
* utils: add codemod script for explicit safety macro contexts (#2339)
* Send New Session Ticket message (#2598)
* Add support for riscv64 (#2613)
* util: remove S2N_RESULT_TO_POSIX macro to reduce confusion (#2634)
* Adjust test threshold (typo?) (#2631)
* docs: Org change to aws (#2596)
* utils: add safety_macros codegen script (#2423)
* Parse multiple post-handshake messages in a record (#2604)
* Fixed -Werror=strict-prototypes failure on s2n_error_location (#2632)
* ci: bump the asan coverage instance type to 2XL (#2630)
* [0RTT] Add early data handshakes (#2594)
* Add client early data indication extension (#2610)
* Self talk tests for External PSK (#2578)
* Removing flaky test (#2621)
* Early data config should use cipher suite instead of iana value (#2608)
* Make some alpn operations reuseable (#2609)
* Allow no-op transitions in early data state machine (#2607)
* Add separate extension list for HelloRetryRequest (#2605)
* Build issue (#2606)
* Detect "index" variable names to avoid build issues (#2597)
- from version 1.0.0
* Updating rsa_2048_sha256_uri_sans_cert (#2601)
* Renaming index to psk_index to prevent name collision (#2595)
* Added New Session Ticket send handler (#2580)
* Add simple early data state machine (#2589)
* Add CMake config to build benchmarks (#2582)
* Add APIs to configure early data for external PSKs (#2581)
* Update PQ KEM branches to use constant time functions. (#2590)
* tls: add NSS key log callback (#2584)
* Add missing newlines at end of feature test files (#2588)
* Rework psk_selection_callback to use opaque structures (#2558)
* api: add method to get the iana value for the negotiated cipher suite (#2550)
* Add support for powerpc64 (#2533)
* Refactor how external PSKs are configured (#2557)
* ci: Cleanup travis (#2579)
* Added new ticket api (#2549)
* Remove the manual updating of the Yarn Debian key as CloudBuild as addressed this (#2560)
* Probe for support of fall through attribute (#2559)
* Removes unnecessary includes from CBMC proof harnesses (#2556)
* Added new serialization format and updated encryption logic (#2538)
* quic: ignore middlebox mode (#2554)
* Add a command to manually update the Yarn Debian key (#2555)
* ci: Update CodeBuild docker version, part 2 (#2535)
* Remove s2n_cipher_suite_from_wire (#2546)
* api: add method to append protocol preferences (#2534)
- from version 0.10.26
* extensions: fix quic_transport_parameters extension IANA value (#2551)
* Detect nested send/recv calls (#2545)
* Adds a proof harness for s2n_hmac_update (#2531)
* Adds a proof harnesses for s2n_hmac_digest* functions (#2537)
* Adds a proof harness for s2n_hmac_init (#2543)
* Fix 'index' var shadowing with old toolchains (#2540)
* Added session resumption to key schedule (#2528)
* Adding callback to select a PSK identity (#2512)
* ci: Fix annoying NONE error (#2491)
* api: add s2n_errno_location function (#2532)
* Migrate some KEX functions to S2N_RESULT (#2524)
* Adds memory-safety proofs for s2n_hmac functions (#2525)
* Adds memory-safety proofs for s2n_hmac functions (#2530)
* ci: CodeBuild docker image version bump for fuzz jobs (#2527)
* New CloudFront 2021 security policy (#2514)
* Correct PSK + cert interaction (#2519)
* Relax 3 bytes for cert length check (#2518)
* Fix and simplify psk_param lifecycle (#2523)
* enable secp521r1 in fips test security policy (#2516)
- from version 0.10.25
* Complete the migration to s2n_pq_is_enabled() (#2510)
* Fix missing GUARDs after s2n_pkey_size calls (#2517)
* Ensures memory safety in s2n_hmac functions (#2486)
* Added set psk api (#2499)
* Optimization for client psk extension on hello retry (#2508)
* compliance: format a few comments (#2511)
* Update PQ fuzz tests to run when PQ is disabled (#2489)
* Clean up PSKs after early secret calculation (#2506)
- from version 0.10.24
* Fix for rsa_pss_rsae_test (#2507)
* Adding server pre_shared_key extension (#2494)
* Reduce deprecated warning noise when building the tests (#2500)
* Enforce that client psk extension is parsed last (#2493)
* Added psk to key schedule (#2481)
* Updates to readme and debugging docs for Sidetrail (#2478)
* Ensure PQ is enabled when calling low-level PQ KEM functions (#2475)
* Consolidate PQ unit tests (#2460)
* Fix sys/poll.h import (#2224)
* Added pre-shared key handshakes to tls13 state machine (#2445)
* PskKeyExchangeModes extension (#2466)
* Adds proof harnesses for s2n_hmac functions (#2457)
* [PSK] Update s2n_hash_algorithm to s2n_hmac_algorithm (#2465)
- Pass '-n %{name}-tls-%{version}' to %setup in %prep section
-------------------------------------------------------------------
Wed Dec 16 13:36:46 UTC 2020 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to version 0.10.23
+ Fix memory allocation when session ticket is used (#2470)
+ Remove unused security policies to avoid confusion (#2448)
+ Refactor PQ crypto functions and header files (#2452)
+ Update client auth integ tests to test ECDSA (#2454)
+ Upgrades Litani (#2468)
+ [PSK] Update cipher selection logic (#2443)
+ Add support for debug conditions (#2433)
- from version 0.10.22
+ Eliminate EC_KEY_check_key validation in s2n_ecc_evp_write_params_point function (#2459)
+ ci: AFL automation (#2395)
+ Make server psk identity comparison constant time (#2437)
+ Adds proof harnesses for s2n_dhe functions (#2439)
+ Remove obsolete integv2 makefile target (#2450)
+ Remove static qualifier from pq unit test helper function (#2449)
+ Adds proof harnesses for s2n_hash functions (#2429)
+ Add security policy to enable PQ TLS1.3 (#2444)
+ Fix cert verify signature size calculation (#2442)
+ Fix declaration order in cbmc_utils.c (#2438)
+ Adds proof harnesses for s2n_dhe functions (#2440)
+ Adds proof harnesses for s2n_hash functions (#2428)
+ Adds CBMC proofs for s2n_evp functions (#2427)
+ Added certificate signature preferences (#2370)
+ PQ-enabled migration part 1 (#2426)
+ Ensures memory safety in s2n_dhe functions (#2432)
+ Adds CBMC proof harness for s2n_array_init (#2430)
+ Only check the auth method for signatures server side (#2434)
+ Ensure memory safety in s2n_hash functions (#2412)
+ Add client pre_shared_key extension (#2409)
+ Litani integration (#2381)
+ S2n leaks (#2410)
+ Update PSS support definition to account for new AWS-LC version (#2407)
+ Upgrade OpenSSL verification model (#2408)
+ Add psk binder functions (#2400)
+ Update well known endpoint test with new PQ KMS ciphers (#2388)
+ Allow for up to 1 trailing unparsed byte for cert length check (#2383)
+ Remove hash state from s2n_map (#2386)
+ Adds proof harnesses for s2n_hash functions (#2382)
+ Verify HMAC with unbounded key/data. (#2353)
+ Support for curve secp521r1 (#2344)
+ Update saw (#2374)
+ Adds a verification model for OpenSSL (#2293)
+ ci: CodeBuild scripts to support AL2 (#2362)
+ Add more QUIC safety checks (#2373)
+ Add S2N_RESULT to a couple functions. (#2371)
+ Add secret callbacks for QUIC (#2364)
+ ci: Add well_known_endpoints to the Omnibus job (#2369)
+ Pin the version of the BoringSSL test dependency (#2304)
+ Improve run- and compile-time support for PQ assembly (#2338)
+ Update the integv2 README to match the latest changes (#2365)
+ Fix edge cases with buffer write in both s2nc and the java client. (#2367)
+ Allow slightly overlarge TLS 1.3 inner plaintext (#2360)
- Refresh patches for new version
+ s2n_no-visibility-hidden.patch
-------------------------------------------------------------------
Thu Nov 19 13:48:39 UTC 2020 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Initial build
+ Version 0.10.21
