File s2n.changes of Package s2n
------------------------------------------------------------------- Thu Nov 21 11:11:40 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.5.9 * feat: Reworking cleanup behavior (#4871) * chore: broaden use of flaky mark (#4865) * chore: configure dependabot (#4861) - from version 1.5.8 * fix: fix open AF_INET sockets in s2n_self_talk_ktls_test.c (#4852) * chore: update github PR template (#4885) * feat: add new security policy `20241106` (#4874) * chore: remove unused benchmarks (#4869) * ci: Clean dup source tree for CRT (#4882) * ci: remove www.mozilla.com from well-known to unblock CI (#4880) * fix: move prelude inclusion as PRIVATE (#4876) * build: add s2n_prelude.h to consolidate defines (#4465) * chore: bindings release 0.3.6 (#4867) * doc: fix incorrect README references (#4863) * fix: typo in comment of s2n_self_talk_tls13_test (#4864) ------------------------------------------------------------------- Mon Nov 4 14:02:24 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.5.7 * fix: close all /dev/urandom open fds (#4835) * docs: update fips documentation to specify supported libcrypto (#4857) * fix(bindings): correct poll_flush implementation (#4859) * feat: Adds cleanup_final (#4853) * test(bindings): Consolidate test pems (#4858) * chore: bindings release 0.3.5 (#4860) * chore: grant duvet action more permissions (#4854) * (feat): Adds certificate match metrics API (#4844) ------------------------------------------------------------------- Thu Oct 24 12:58:26 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.5.6 * chore: Fix failing OIDC workflows; cleanup unused actions (#4848) * chore(GHA): Update duvet arguments (#4850) * chore: remove unused compile definition (#4815) * Add new MLKEM TLS Policies (#4830) * fix: fix opened AF_UNIX sockets that didn't call s2n_io_pair_close (#4833) * bindings: pin openssl crate to 0.10.66 (#4849) * chore: flip 2 
GHAs to use short lived creds. (#4839) * fix: fix s2n_io_pair_close_one_end (#4841) * ci: Re-enable asan and ubsan for fuzz tests (#4840) * fix: some open AF_UNIX sockets in forked child processes (#4834) * Update FIPS rules for ML-KEM (#4829) * ci: update ubuntu versions (#4828) * Add initial support for MLKEM768 (without any new Security Policies) (#4816) * chore: Adds print statements to help debug s2n_dynamic_load_test (#4836) * ci: add more libcryptos for fuzz batch & follow cmake idioms (#4795) * feature: bump cert authorities max size to 20kb (#4832) * ci: Add ubuntu24 with a new cmake buildspec (#4824) * Add ML-KEM Feature Probe and Test (#4823) * docs: update stateful resumption doc (#4818) * chore: remove make fuzz and AFL fuzz (#4808) - from version 1.5.5 * chore: bump awslc(non FIPS) to 1.36.0 (#4821) * chore: bindings release 0.3.4 (#4819) * feat: add s2n_cleanup_thread (#4584) * feat(bindings): add set receive buffering to the rust bindings (#4817) - from version 1.5.4 * refactor: make s2n_array_len constant (#4801) * feature(bindings): scheduled renegotiation via poll_recv (#4764) * Update PQ code to be generic over EVP_KEM API's (#4810) * refactor(bindings): add general bindings error context (#4811) * ci: adding CTest memcheck to CodeBuild (#4776) * Revert "test: disallow explict use of "default" policy in tests (#4750)" (#4812) * ci: check for s2n_array_len in loop bounds (#4802) * ci: use clang to build awslc (#4794) * ci: run clippy on all features (#4809) * docs: Update certificate loading documentation (#4790) * test: only build requested unit tests in nix (#4770) * refactor: clean up CMakelists.txt (#4779) * fix: pem parsing should allow single dashes in comments (#4787) * ci: use temporary directory for s2n_head build (#4771) * fix(bindings): handle failures from wipe (#4798) * fix: don't iterate over certs if not validating certs (#4797) * ci: add buildspec file for scheduled fuzzing (#4763) * Al2023 codebuild (#4756) * test: disallow 
explict use of "default" policy in tests (#4750) * chore: bindings release 0.3.3 (#4791) * docs: clarify pre-TLS1.2 support (#4780) * fix: update ja4 compliance (#4773) * chore(bindings): pin unicode-width (#4785) - from version 1.5.3 * ci: refactor fuzz buildspec (#4783) * docs(bindings): example for Policy::from_version (#4731) * test: refactor pcap test to use version from rtshark (#4774) * test: use seccomp on handshake test (#4768) * ci: use newer version of libFuzzer (#4762) * test: avoid mutating static configs in tests (#4749) * chore(bindings): release 0.3.2 (#4760) * ci: Emit CloudWatch metrics from rust benchmarks (#4742) * CI: enable fuzz test build with cmake (#4743) * fix: update handling of ja4 alpn edge cases (#4755) * fix(bindings): update cc and unpin jobserver (#4758) * fix: add missing null-checks in s2n_connection.c (#4754) - from version 1.5.2 * refactor: replace memcmp to s2n_constant_time_equals (#4709) * tests(pcap): fix support for older tshark versions (#4744) * refactor: move s2n_result functions inline (#4739) * refactor: make s2n_stuffer_read_hex match s2n_stuffer_read (#4726) * ci:Al2023 CodeBuild script (#4737) * Update to CBMC 6.2.0 (#4746) * docs: add test readme (#4718) * tests(pcaps): download additional pcaps (#4728) * ci: Add UBSAN test to the sanitizer (#4740) * chore(integrationv2): add license header (#4732) * fix: Cleanup libcrypto errors (#4733) * fix(ci): update CBMC proofs' Makefile.common (#4703) * ci: add separate license check (#4727) * chore: cleanup old docker dev build (#4729) * fix: resolve UBSAN violations in the codebase (#4722) * refactor: minor fixes for common fingerprint code (#4712) * tests: add JA4 pcap tests (#4714) * fix: correct JA4 alpn parsing (#4721) * chore: bump versions of aws-lc and aws-lc-fips (#4716) * fix: Reorder PR and Mainline in Regression Test Runner (#4720) * docs: Add a supported platforms section (#4695) * chore(bindings): release 0.3.1 (#4719) * test: add a harness for session 
resumption in regression test (#4706) * fix(bindings): ConfigPool should always yield associated connections (#4708) ------------------------------------------------------------------- Mon Aug 26 15:23:53 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.5.1 * Add performance regression tests in CI (#4701) * feat: JA4 fingerprinting (#4669) * Clarify s2nc/s2nd PQ output (#4702) * fix: building for AL2 (#4679) * ci(nix): Startup/configure apache for renegotiate test under nix (#4592) * fix: Initial config influences client hello parsing (#4676) * Add s2n_signature_preferences_20240521 (#4565) * New s2n core member (#4707) * Modify regression threshold to configurable percentage (#4698) * chore: remove unused benchmarks (#4696) * docs: add pq to usage guide (#4677) - from version 1.5.0 * chore: Rust bindings bump v0.3.0 (#4697) * Merge commit from fork * fix: upload fuzz output to s3 when test fails (#4694) * fix(ci): partially revert checking out head from current clone. 
(#4693) * Enabling differential performance benchmarking (#4667) * chore: document OpenSSL-FIPS restriction on RSA key size (#4654) * ci: store fuzz artifacts in s3 (#4678) * feat: Changes ticket encryption scheme to be nonce-reuse resistant (#4663) * chore: Bump rust bindings to 0.2.11 (#4690) * fix(bindings): enforce waker contract on `poll` operations (#4688) * docs: update blinding docs (#4686) * fix: zip corpus files before uploading to s3 (#4685) * Adopt CBMC 6.1 and cbmc-viewer 3.9 (#4661) * test(cbmc): add stuffer hex proofs (#4659) * fix: don't fail for 0 blinding delay (#4671) * chore(bindings): release 0.2.10 (#4683) * feat(bindings): Add hyper compatibility crate (#4617) * refactor: switch JA3 to use stuffer hex methods (#4662) * fix: SSLv3 handshake with openssl-1.0.2-fips fails (#4644) * feat(bindings): add renegotiate to the rust bindings (#4668) * ci: move fuzz corpus to S3 (#4665) * fix: default s2nc should accept default s2nd cert (#4670) * fix: add missing corpus files for s2n_deserialize_resumption_state_test (#4672) * refactor: clean up other hex methods (#4664) * Set up regression benchmark for scalar performance (#4649) * ci(nix): Setup a head build for the cross_compatibility integ test (#4567) * fix: new clippy lints (#4666) * fix: allow for clock skew in resumption (#4650) * fix: Refactor some s2n_resume functions (#4648) * fix: pin tokio-macros version (#4658) * refactor: move stuffer hex methods out of testlib (#4653) ------------------------------------------------------------------- Fri Jul 26 11:20:16 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.14.18 * chore: Bump Rust bindings v1.4.18 (#4656) * fix: Removing new usage of memcmp (#4657) * Merge commit from fork * Update s2n_connection_get_kem_group_name() to work with ClientHelloRetries (#4652) * fix: avoid cert validation on connection_set_config (#4612) * ci: add merge_group event to GHA workflow. 
(#4646) * feat: Add API to gate session tickets to TLS1.3 only (#4645) * feature: reusable fingerprinting interface (#4628) * refactor(bindings/s2n-tls): finish test harness refactor (#4636) * test(pcap): handle pcaps with tcp fragmentation (#4643) * Refactor: change is_available return type to bool in s2n_cipher struct (#4630) * Refactor: change init and destroy_key return type to S2N_RESULT in s2n_cipher struct (#4639) * Refactor: change set/get_decryption_key return type to S2N_RESULT in s2n_cipher struct (#4638) * chore: document why SHA1 is the only supported hash algorithm for cert_id generation in OCSP response (#4625) * ci(nix): Add tshark to nix devshell (#4571) * refactor: use feature probe for AEAD gate logic instead of AWS-LC/BoringSSL macros (#4642) * api(bindings/s2n-tls)!: remove public testing feature (#4623) * chore(bindings): release 0.2.8 (#4635) * feat(bindings/s2n-tls): add client_hello_version (#4609) * fix: remove S2N_NO_PQ option (#4622) * chore: fix CBMC proof summary count (#4627) * refactor: separate out ja3 specific logic (#4578) ------------------------------------------------------------------- Tue Jul 9 06:55:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.17 * bug: Fixing bash error (#4624) * chore: make cbmc proof build more strict by adding -Werror flag (#4606) * Perform 2-RTT Handshake to upgrade to PQ when possible (#4526) * test(bindings/s2n-tls): refactor testing::s2n-tls tests (#4613) * docs: add timeout note to blinding delay docs (#4621) * docs: Add back suggested FIPS + TLS1.3 policy (#4605) * ci: shallow clone musl repo (#4611) * example(bindings): add async ConfigResolver (#4477) * chore: use CBMC version 5.95.1 (#4586) * s2n-tls rust binding: expose selected application protocol (#4599) * test: add pcap testing crate (#4604) * testing(bindings): add new test helper (#4596) * chore(bindings): fix shebang in generate.sh (#4603) * fix(s2n_session_ticket_test): correct clock mocking 
(#4602) * Fix: update default cert chain for unit tests (#4582) * refactor(binding): more accurate naming for const str helper (#4601) * fix: error rather than empty cipher suites (#4597) * chore: update s2n_stuffer_printf CBMC harness (#4531) * ci(nix): Fix integ pq test in a devShell (#4576) * feature: new compatibility-focused security policy preferring ECDSA (#4579) * compliance: update generate_report.sh to point to compliance directory (#4588) * ci: fix cppcheck errors (#4589) * chore: cleanup duplicate duvet citations (#4587) ------------------------------------------------------------------- Tue Jun 11 07:33:04 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.16 * Merge pull request from GHSA-52xf-5p2m-9wrv * chore(bindings): release 0.2.7 (#4580) * fix: Validate received signature algorithm in EVP verify (#4574) * refactor: add try_compile feature probe for RSA-PSS signing (#4569) * feat: Configurable blinding (#4562) * docs: document s2n_cert_auth_type behavior (#4454) * fix: init implicit iv for serialization feature (#4572) * [Nix] adjust pytest retrys (#4558) * fix: cert verify test fix (#4545) * fix: update default security policies (#4523) * feat(bindings): Associate an application context with a Connection (#4563) * chore(bindings): version bump (#4566) * Additional test cases for s2n_constant_time_equals() (#4559) * test: backwards compatibility test for the serialization feature (#4548) * chore(bench): upgrade rustls (#4554) ------------------------------------------------------------------- Tue Jun 4 09:13:19 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.15 * bug(nix:corretto): use autoPatchelfHook on all systems and ignore als… (#4561) * feat(bindings): Add API to check for resumption (#4552) * fix: Send zero-length NST when session key is expired (#4532) * feat: add key preferences to rfc9151 policy (#4540) * chore: bindings release 0.2.5 (#4551) * refactor: Avoid 
unnecessary s2n_hmac calls in s2n_record_write (#4539) * feat: Modify s2nd/c to do serialization/deserialization (#4533) ------------------------------------------------------------------- Mon May 13 09:20:33 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.14 * fix: Increase received signature scheme limit (#4544) * fix: Fix a bug in tls1.3 code path (#4513) * ci: grep for S2N_RESULT_ERR without setting s2n_errno (#4534) * style(bindings): fix new clippy lints (#4536) * bin: tool to print security policies (#4524) * feat[bindings]: fips feature flag (#4527) * feat: set certificate_authorities from trust store (#4509) ------------------------------------------------------------------- Wed May 8 13:04:31 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.13 * chore(bindings): release 0.2.4 (#4530) * nix gdb/lldb utils (#4460) * binding: Add s2n_connection_get_session on the Connection (#4522) * chore: update s2n-core team (#4520) * fix: Python integ tests are flaky on arm (#4512) * ci: Nix libcrypto helpers (#4422) * ci: Remove actions-rs (#4514) * chore(bindings): Pin `zeroize` to avoid MSRV increase (#4519) * feat: add missing numbered security policies (#4511) * docs(bindings): fix client hello doc tests (#4495) * docs: add more warnings about security policy defaults (#4507) * feat: add basic support for certificate_authorities (#4506) * fix: Fix redundant code (#4504) * chore: Rust bindings bump v1.4.12 (#4505) * fix(sidetrail): Invalid stream cipher struct in proof wrapper (#4484) * refactor: rename error + extension iana for consistency (#4503) - from version 1.4.12 * feat: Serialization Rust APIs (#4493) * refactor: combine TLS1.2 and TLS1.3 sig scheme representations (#4498) * feat: Release C APIs for serialization (#4501) * fix: Wipe conn->in on all record parse failures (#4499) ------------------------------------------------------------------- Mon Apr 15 11:09:16 UTC 2024 - John 
Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.11 * chore(bindings): release 0.2.2 (#4497) * feat(binding): add key update request api (#4469) * tests: Serialization feature with post-handshake features (#4489) * fix: add missing TLS1.3 p521 sig schemes (#4496) * fix: correct broken early data test (#4494) * fix: better errors for all client auth failures (#4492) - from version 1.4.10 * feat: add s2n_peek_buffered (#4490) * feat: reduce read syscalls to improve performance (#4485) * feat: connection serialization (#4468) * chore(bindings): release 0.2.1 (#4486) * fix(bindings): print cargo commands to stdout (#4482) ------------------------------------------------------------------- Thu Apr 4 11:31:02 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.9 * New TLS1.2-only variant of 20230317 policy (#4483) * ci: add asan runs under gcc (#4402) * fix: Adds non_exhaustive flag to FingerprintType * fix: refactor rust bindings fingerprint methods (#4474) * example(bindings): client hello cb example (#4385) * feat: getter for TLS1.2 master secrets (#4470) * bindings: ensure CFLAGS includes come after build script includes (#4475) * bindings: mark Connection as Sync (#4467) * Make S2N_CERT_AUTH_OPTIONAL the default for clients (#4390) * fix(test): narrow valgrind suppressions (#4369) * fix: pedantic memory leak in handshake test (#4463) * chore(bindings): release 0.1.7 (#4462) ------------------------------------------------------------------- Fri Mar 22 09:19:59 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.8 * feat: Add additional EC key validation for FIPS (#4452) * refactor: UBSAN build and address out of bound reads (#4440) * Add s2n_stuffer_shift (#4458) * style: fix declarations without initial value (#4404) * feat: Add FIPS mode getter API (#4450) * remove unnecessary includes (#4451) * refactor: clang-tidy null deref and undefined mod (#4436) * refactor: make 
memmove vs memcpy behavior clearer (#4447) * fix(bindings): Apply with_system_certs to Config builder (#4456) - from version 1.4.7 * api: add key update request functionality (#4453) * style: manual initial value fix (#4449) - from version 1.4.6 * docs: Specify the return value of S2N_FAILURE for IO APIs (#4446) * refactor: enforce stuffer return check (#4399) * refactor: fix unread variable warnings (#4405) * fix: Unsets global libcrypto rand (#4424) * Relax HRR consistency requirements for second client hello (#4429) * fix: prevent enabling ktls with a buffered record header fragment (#4426) * feat: add cert key preferences (#4434) * chore: bindings bump 0.1.6 (#4437) * test: add cert chain with mixed key sizes (#4433) * feat: apply cert signature preferences locally (#4407) * docs: Extend license check to .rs files (#4428) * fix(test): fix dangling pointers in cert verify test (#4430) * Add Rust bindings for certificate chains (#4398) - from version 1.4.5 * fix: parse fragmented sslv2 client hellos (#4425) * chore(ci): Give OpenBSD CI job a performance boost (#4427) * fix: s2n_shutdown should handle partial records (#4421) * feat: Server name getter for client hello (#4396) * refactor: zero static s2n_configs on cleanup (#4416) * Removed unused dependencies (#4417) * chore(bindings): release 0.1.5 (#4420) * chore(bindings): release 0.1.4 (#4418) * bindings: use aws-lc-rs instead of aws-lc-sys (#4415) ------------------------------------------------------------------- Wed Feb 21 13:13:22 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.4 * allows cmake to force crypto linkage (#4383) * refactor: consolidate record wiping (#4412) * build: make CMake test flags more consistent with make (#4392) * style(bindings): address new clippy lint (#4411) * refactor: generalize cert sig preference handling (#4379) * feat: More client hello getters (#4380) * fix: only initialize default tls 1.3 config in tests (#4302) * Check fd status 
before using urandom (#4352) * utils: add map iteration iterator (#4377) * chore(bindings): release (#4388) * chore(bindings): bump aws-lc-sys (#4393) * s2n-tls-tokio: use s2n_shutdown_send instead of s2n_shutdown (#4374) * enforce result checking for blob and mem (#4389) ------------------------------------------------------------------- Wed Feb 7 11:42:55 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.3 * ci: Disable broken rust dry-runs (#4384) * Fix SSLv3 detection with AWS-LC (#4361) * More specific error for unexpected cert request (#4381) * test: Adds SSLv3 integ test (#4372) * chore: add valgrind to nix develop (#4365) * test: additional test certs (#4378) * chore: bindings release 0.1.2 (#4376) * test: add additional test certs (#4353) * feature: Use S2N_FAST_INTEG_TESTS to run pytest in parallel under nix (#4368) * refactor: ossl x509 parsing (#4351) ------------------------------------------------------------------- Fri Jan 26 12:20:42 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.2 * docs(bench): update docs to reflect aws-lc default (#4336) * Fix initialization errors in unit tests (#4370) * bindings: fix handling of s2n_shutdown errors (#4358) * Fix s2n_shutdown + failed recv bug (#4350) * Add new PQ TLS Policies (#4327) * ktls: add method to track key updates (#4364) * Move client hello parsing out of unstable (#4359) * bindings: clean up blinding tests (#4356) * ci: cmake asan buildspec (#4048) * fix: stack-use-after-scope variable ordering (#4355) * fix(bindings): remove optional cmake dependency (#4347) * ktls: improve messaging around freed handshakes (#4346) * bug: Fixes mdbook action (#4345) * feat: Publishes mdbook to Github Pages (#4343) * Add PQ integration tests between s2n and AWS-LC's libssl (#4267) * chore: bindings release 0.1.1 (#4341) * (feat): Adds API to allow s2n-quic to check for resumption (#4335) * bindings: ensure CFLAGS includes come after 
libcrypto includes (#4338) * Add FIPS security rule (#4315) ------------------------------------------------------------------- Wed Jan 3 14:37:59 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.4.1 * bindings: match tcp EOF behavior (#4323) * (docs): Reordered and moved usage guide into an mdbook (#4300) * ktls: add method to enable TLS1.3 (#4331) * ci: fix flaky interning test (#4334) * Add CBMC proof for s2n_stuffer_printf (#4309) * docs: remove gitter references (#4332) * ktls: handle TLS1.3 key limits (#4318) * ci: pin home crate to fix rust build (#4330) * ci: switch autopep8 action (#4322) * ci: ignore cbmc prereleases (#4328) * ci: switch FreeBSD back to vmactions (#4326) * ktls: add TLS1.3 support (#4314) * ci: fix pep8 linting (#4319) * cleanup: add getter for sequence number (#4317) * Mark inline asm output as earlyclobber (#4310) * bindings: release rust bindings 0.1.0 (#4313) * ci: add workflow for rust bench crate (#4210) * Enforce security rules on security policies (#4311) * documentation: fix security policy table (#4304) - from version 1.4.0 * Add basic "security rules" (#4298) * Update CloudFront's upstream ECC Preference list (#4301) * Bump AWS-LC version to v1.17.4 (#4303) * Clean up selecting a signature algorithm (#4285) * Remove s2n's internal Kyber512 implementation, and rely on AWS-LC for Kyber support (#4283) * feat: Adds ConnectionInitializer to Rust bindings (#4250) * Remove NULLs in s2n_kex (#4293) * feat(bindings): use aws-lc-sys instead of openssl-sys (#4290) * fix: probe for all AES_GCM variants (#4295) * ci: add mainline coverage job (#4288) * bench: increase cert chain length (#4287) * fix(bindings): enable session tickets after setting callback (#4292) * fix(bindings): pin jobserver in more places and run cargo publish --dry-run in generate.sh (#4255) * bindings(rust): make callbacks Send + Sync (#4289) * Add API to retrieve the supported groups for a security policy (#4273) * test: Bump 
cross-platform actions to pull in fix for flaky BSD (#4278) * test: remove blinding from unit tests (#4281) * ci: update integ dependencies (#4261) * ci: add additional p-384 test coverage (#4275) * Detect KEM support at runtime (#4101) * Bumped version to 0.41.0 (#4276) * Change pkey parse methods to return s2n_result (#4271) * Fixes failing FreeBSD build in CI (#4272) - from version 1.3.56 * ci: Minor cppcheck speedup (#4268) * fix: update permissions to allow dashboard to write to gh-pages. (#4228) * Clean up receiving peer sig alg (#4259) * Switch from vmactions to cross-platform-actions (#4266) * Update get_client_cert_chain API documentation (#4260) * Always apply the PARTIAL_CHAIN flag (#4258) * Allow TLS 1.2 servers to report client versions from the supported versions extension (#4249) * Clean up sending supported sig algs (#4254) * refactor(bench): remove non-generic connection logic (#4236) * docs: remove extra security policy item (#4248) * bindings: release 0.0.40 (#4251) - from version 1.3.55 * Add new PQ TLS 1.3 policies (#4247) * Switch sig schemes from copies to references (#4237) * feat: Turns off automatic ticket creation for quic (#4239) * chore: pin dependency to fix rust MSRV issues (#4243) * feat: Processes post-handshake messages for quic (#4218) * bindings: release 0.0.39 (#4235) * Run clang-format (#4238) - from version 1.3.54 * Merge pull request from GHSA-97r4-p6c4-5gv3 * ktls: support aes256 (#4227) * ktls: forbid renegotiation (#4229) * ci: add ktls + asan build (#4213) * Add support for exporting symmetric keys from connections (#4230) - from version 1.3.53 * ktls: make usable outside of tests (#4232) * overwrite the random state key only if initialized (#4225) * ci: Authorize requests to GitHub API (#4223) - from version 1.3.52 * ktls: release APIs as unstable (#4217) * Add API to retrieve parsed supported groups (#4216) * docs: generate citations meta data and add CI check (#4205) * feat: add s2n_strerror_source API (#4209) * feat: 
send psk_ke_modes ext in first flight (#4177) * ktls: clean up enable (#4212) * Generalize io handling + add ktls EINTR handling (#4203) * ktls: fix flaky test (#4214) * docs: add rfc citations (#4202) * build: use feature probes for CLOEXEC (#4206) * Add asan support to cmake/nix (#4194) * ktls: receive app data (#4201) * docs: add citations for alert behavior (#4198) * bindings: release 0.0.38 (#4196) * ktls: recv alerts (#4199) * Reduce allocs in ktls app data send (#4181) * ktls: self-talk tests for send (#4189) * ci: run duvet when commits are merged into main branch (#4197) * ci: Upgrade asan to catch use after scope (#4192) * ktls: add sendfile (#4186) * Add test with ktls enabled to s2nGeneralBatch (#4190) ------------------------------------------------------------------- Thu Sep 14 08:17:30 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.3.51 * Add API to disable certificate validity period validation (#4183) * Commit buildspec for s2nGeneralBatch (#4188) * ktls: Send alerts (#4185) * Add AL2 test with system libcrypto (#4179) * ci: buildspec for qemu ktls test (#4175) * Add testlib to track memory allocations (#4180) * ktls: Send app data (#4174) * Small sendv doc fix (#4178) * api: Add S2N_EXTENSION_SUPPORTED_VERSIONS as s2n_tls_extension_type (#4160) * feat(benchmarks): Add session resumption support (#4173) * bindings: Release 0.0.37 (#4172) ------------------------------------------------------------------- Fri Sep 1 15:00:29 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.3.50 * Publish cert validation callback APIs and add documentation (#4161) * kTLS: implement recvmsg (#4154) * Fix clippy (#4166) * Add cert validation callback (#4156) * kTLS: implement sendmsg (#4147) * Fix s2n_ecdsa_secp521r1_sha512 + improve integ ECDSA coverage (#4148) * refactor and cleanup some ktls code (#4152) * Call enable_session_tickets before adding a ticket key (#4150) * kTLS: get and set 
control data on msghdr (#4146) * Don't exit nix dev shell on integ test failure (#4149) * docs(bench): update historical benching graphs and readme (#4136) * Use client_hello.parsed as precondition for retrieving client_hello (#4144) * bindings: release 0.0.36 (#4145) * Update blocked status documentation (#4139) * Make invalid chains available via get_client_cert_chain (#4134) * Adds resumption functions to Rust bindings (#4114) ------------------------------------------------------------------- Thu Aug 17 07:34:24 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.3.49 * ktls: mock send/recvmsg IO (#4109) * test: ensure s2n_recv blocked status behavior doesn't change (#4127) * Add additional Kyber768 tests (#4089) * Prevent get_peer_cert_chain from modifying existing cert chain (#4135) * Update build documentation (#4126) * feat(bench): add different parameters for memory benching (#4125) * feat(bench): add flamegraph generation to benchmarks and reuse configs when benching (#4128) * Add new Kyber768+ KEMs and security policy (#4034) * fix(bench): fix throughput bench issues and add documentation (#4130) * refactor(bench): unnest loops over parameters in handshake bench (#4129) * ktls: self talk inet socket test (#4075) * refactor(bench): feature cleanup for benches (#4120) * refactor(bench): move around and update scripts in bench crate (#4115) * Fix PR template styling (#4116) * bindings: release 0.0.35 (#4122) * refactor(bench): separate out client and server connections in benching harness (#4113) - from version 1.3.48 * Print error for 32bit test (#4107) * ktls: set keys on socket and enable ktls (#4071) * Trying to use an invalid ticket should not mutate state (#4110) * fix: get_session behavior for TLS 1.3 (#4104) * feat(bench): add different certificate signature algorithms to benchmarks (#4080) * feat(bench): add memory bench with valgrind/massif (#4081) * feat(bench): add historical performance benchmark (#4083) * nix: 
pin corretto version (#4103) * bindings: release 0.0.34 (#4096) - from version 1.3.47 * Fix try_compile bug on gcc 4 (#4091) * Fix clippy warnings (#4093) * Generify Kyber files + functions over security parameters (#4087) * Disabling sign compare check as debug build option, enabling wsign-compare check and fixing 32bit build failures (#4061) * ktls: config socket ULP (#4066) * feat(bench): add throughput benchmarks (#4077) * feat(bench): add mTLS to benchmarks (#4079) * Fix pthread key cleanup with musl libc (#4085) * feat: introduce s2n_key_material for handling key material info (#4047) * Fix openssl-1.0.2k x509 validator test failure (#4084) * bindings: release 0.0.33 (#4076) * feat(bench): add openssl handshake to benchmarking (#4069) * fix: Add implicit gcc flag to all feature probes (#4074) * nix: skip the sslyze test on aarch64 (#4050) * Adds new CRT policies (#4072) * Add KeyUpdate threading test (#4059) ------------------------------------------------------------------- Wed Jun 28 12:32:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.3.46 * Create new KMS TLS Policy with TLSv1.2 Minimum (#4068) * bindings: do not enable OCSP when calling trust_location() (#4016) * Fixes broken link in comment (#4060) * Disable build flag for openssl102 nix aarch64-linux (#4045) * Add rustls handshake to benchmarks (#4063) * remove kTLS feature probe (#4064) * Validate PRK output size in the libcrypto HKDF implementation (#4057) * s2n-tls handshake benchmark (#4053) * feat(bindings/s2n-tls): add ja-3 apis (#4009) * Fix TSAN s2n_shutdown failures (#4055) * Update nix corretto; make it platform aware. 
(#4043) * Add ThreadSanitizer (#4046) * feat: add checked return values diagnostic (#3798) * Fix usage guide examples + enable testing of examples (#4044) * Fix pthread leak (#4037) * Add libcrypto HKDF implementation (#4035) * ci: allow running multiple integ tests at once in nix devshell (#4029) * Never send KeyUpdate message if <TLS1.3 (#4038) * nix devShell with aws-lc (#4028) * fix: ossl3 legacy provider mem leak (#4033) * Add pre-TLS13 libcrypto PRF implementation (#4020) * ci: typos config file (#4021) * Refactor alerts to make behavior clear (#4019) * bindings: release 0.0.32 (#4032) * Fixes dynamic loading bug (#4024) * build: make feature flags consistent (#3921) ------------------------------------------------------------------- Sat Jun 10 02:49:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.3.45 * fix: improve compatibility with old Linux versions (#4027) * Disable retry client random validation outside of tests (#4023) * Only call getenv for integ test marker in s2n_init (#4025) * Publish minimal s2n_config APIs and add documentation (#3972) * Fix s2n_error_get_type mistake in usage guide (#4022) * nix: add an Openssl102 nix devShell (#4014) * fix(api/unstable): make all api methods visible (#4015) * test(bindings/s2n-tls-tokio): fix tokio bindings close test (#4007) * fix: open files with the O_CLOEXEC flag (#3989) * feat(s2n-tls): X509 asn1 refactor (#4011) * Add the libcrypto random generation implementation (#4004) * nix: Use nixpkgs gnutls instead (#4013) * nix: add a LibreSSL nix devShell (#4010) * style: simplfy api for test utility (#4008) * fix(s2nd): parse psk given to s2nd non-destructively (#4006) * nix devShell with openssl3 (#3993) * Upgrade OpenSSL model for CBMC proofs (#3978) * Quoting RFC-4492 to verify behavior when supported_groups extension is not sent (#3998) * docs: add notes on s2nc and s2nd usage (#4003) * bindings: Add option to disable loading system certs (#3985) * Update FAQ + add 
    s2n_negotiate example to Usage Guide (#3984)
  * test: add more x509 OCSP tests (#3970)
  * ci: enable ossl3 tls13 tests (#3992)
  * chore: bindings release 0.0.31 (#3997)
  * Print Wire Bytes In and Out for s2nc (#3986)
  * ci: nix devShell simplification (#3964)
  * utils: Add a stale box to the GH dashboard; use an action for pushing pages (#3947)
- from version 1.3.44
  * test: fix session-ticket, non-blocking-io tests on 32 bit (#3969)
  * ci: add 32 bit buildspec (#3977)
  * [ci]: Use custom library context for rc4 instead of global default context (#3980)
  * s2n_rand_cleanup: be sure to unregister s2n RAND engine from libcrypto (#3966)
  * docs: update clang-format and gdb documentation (#3967)
  * Only LTO on GCC (#3968)
  * style: clean up fuzz corpus (#3971)
  * Add test for cipher selection with dh params (#3974)
  * Add new API to perform half-close (#3952)
  * Add API to create s2n_configs without loading system certs (#3950)
  * chore: remove module.modulemap and allow customers to generate it themselves (#3961)
  * chore: bindings release (#3956)
  * Cover more situations where no close_notify is sent/received (#3957)
  * Add logging for failed CRT tests (#3962)
  * Fix end-of-data behavior (#3945)
- from version 1.3.43
  * Fix expected negotiated version in client auth downgrade test (#3951)
  * ci: Disable automatically closing stale PRs (#3946)
  * add 32 bit cross-compile toolchain (#3924)
  * ci: Add AWSLC-FIPS 2022 to CI (#3943)
  * bindings: add verify_host_callback to the connection (#3925)
  * Add basic half-close TLS1.3 behavior (#3932)
  * Update IO section of Usage Guide (#3917)
  * Don't send close_notify after an alert (#3942)
  * Reinstate Kyber KEM check (#3905)
  * Add test to verify TLS1.2 downgrade (#3939)
  * Add github stale action (#3929)
  * update security policy and rust binding documentation (#3906)
  * Remove unnecessary flush (#3940)
  * Adds FAQ doc (#3920)
  * ci: Update AWSLC test dependency to v1.8.0 (#3938)
  * Add note about server_name spec requirements (#3930)
  * doc: Flesh out steps in
    nix readme. (#3923)
  * Create new PQ TLS Policies with minimum of TLSv1.2 (#3927)
  * Attempts to fix flakiness in session_ticket_test (#3913)
  * test: Bump nix devShell python to 3.10 (#3914)
  * chore(bindings): release 0.0.29 (#3919)
  * test: add retry logic for well-known endpoints (#3918)
  * docs: add compliance notes for RFC 6125 (#3915)

-------------------------------------------------------------------
Wed Apr 19 12:12:25 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.42
  * CI: Restrict Nix integ test to 1 job (#3897)
  * Don't set actual_protocol_version early when resuming a session (#3907)
  * Expose curve details to rust bindings (#3912)
  * Move secret type out of tls12/tls13 union (#3908)
  * Appends S2N_API (#3910)
  * chore: bump rust bindings (#3909)
  * test: Nix s3 cache (#3904)

-------------------------------------------------------------------
Tue Apr 4 10:53:05 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.41
  * fix: remove broken check in test (#3901)
- from version 1.3.40
  * Rewrite of the PSK section in Usage Guide (#3864)
  * test: cleanup after tests (#3831)
  * ktls: feature probe test (#3869)
  * Fixes some compiler warnings coming from tests (#3883)
  * tokio-s2n-tls: Enable access to the IO instance from TcpStream (#3882)
  * chore: bump rust bindings for 1.3.39 release (#3887)
  * Migrate Kyber 512 to EVP KEM API (#3853)
  * test: cleanup tests (#3832)
  * test: Add missing packages to nix devShell (#3885)
  * Document behavior of s2n_negotiate for a client with client auth (#3891)
  * Switch OpenBSD CI job GH action to something more robust (#3877)
  * Enable strict compile checks in unit test build (#3878)
  * ci: enable valgrind pedantic check (#3886)
  * Allow client hellos from raw bytes (#3871)
  * Add new security policy (#3895)
- from version 1.3.39
  * Removed codecov github status badge.
    (#3859)
  * Add method to create Rust certs without private keys (#3860)
  * Update s2n to latest revision of PQ Hybrid TLS 1.3 Draft RFC (#3800)
  * chore: bump rust bindings version; crates msrv to 1.63.0 (#3863)
  * ci: Check for msrv match between rust-toolchain and crates; make them match. (#3866)
  * fix: disable defer cleanup in failure case in s2n_cert_chain_and_key_load_cns (#3870)
  * tests: add checks for LTO+interning compatibility (#3839)
  * Enforce that ENSURE and GUARD_OSSL use valid error codes (#3873)
- from version 1.3.38
  * Add CMake targets for integration tests and switch CI to use them (#3776)
  * ci: reduce the number of BSD artifacts (#3837)
  * Enable -Wsign-Compare-check_v2-tests/unit (#3827)
  * Add github trigger event for merge queue (#3836)
  * Prevent auto-enabling OCSP requests for servers (#3830)
  * Enable -Wsign-Compare-check_v3-tests/unit/ (#3828)
  * Enable -Wsign-Compare-check_bin/_crypto/_stuffer/_utils/ (#3825)
  * Enable -Wsign-Compare-check_v1-tests/ (#3826)
  * Update s2n_libcrypto_validate_name_prefix to only check the prefix of the libcrypto name (#3779)
  * Enable -Wsign-Compare-check_tls/ (#3829)
  * Add OCSP stapling for client auth (#3770)
  * Enable -Wsign-Compare-check_CMakeLists (#3842)
  * CI: pin AWS-LC versions #3846
  * [bindings] Generalize async in preparation for pkey offloading (#3844)
  * fix: use actual_protocol_version for session ID (#3845)
  * Add JA3 to s2nd (#3838)
  * filter do_not_merge label from Ready to merge (#3849)
  * Remove unused s2n_config_client_hello_cb_enable_poll (#3850)
  * Run integv2 tests with nix (#3824)
  * ci: nix fmt action (#3834)
  * Add CBMC proof-running GitHub Action (#3840)
  * Upgrade OpenSSL model for CBMC proofs (#3857)
  * Bump Rust MSRV for latest openssl-src.
    (#3858)
  * Handle ASN.1 type detection errors (#3855)
  * [bindings] Add private key callback (#3847)

-------------------------------------------------------------------
Fri Feb 17 10:17:45 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.37
  * Make unstable fingerprint methods accessible (#3823)
  * Clean up thread-local memory (#3771)
  * bindings(rust): bump MSRV to 1.60.0 (#3833)
  * Criterion delta (#3811)
  * Add JA3 fingerprinting (#3817)
  * Clarify that AWS-LC is also supported (#3821)
  * Add unit test to check that the build's libcrypto reflects the CI's intended libcrypto (#3774)
  * Clarify SSLv2 ClientHellos (#3815)
  * Bump rust bindings for 1.3.36 release (#3818)
  * Add stuffer method for standard init process (#3814)
- from version 1.3.36
  * ktls: rm kTLS request field on config (#3816)
  * ktls: add ktls_supported field to s2n_cipher (#3806)
  * Make test_install_shared_and_static easier to debug
  * ktls: s2n_ktls_mode and building blocks (#3797)
  * ci: Update OpenBSD's MEM_PER_CONNECTION, based on error message (#3791)
  * s2n-tls nix flake (#3794)
  * Updated rust bindings (#3802)
  * Update omnibus fuzz image; remove fuzz job we're not running anymore in PR (#3796)
  * Adds client hello section to usage guide (#3757)
  * Integration test to check default signature algorithm behavior (#3719)
  * Blob Initialization fix-Test_1 (#3790)
- from version 1.3.35
  * fix: pass an empty string to host verify without usable identifiers (#3793)
  * add code coverage support (#3759)
  * ci: Enable CTEST_OUTPUT_ON_FAILURE on all targets (#3789)
  * Enforce that clippy msrv matches rust-toolchain (#3787)
  * Blob Initialization fix-Test (#3780)
  * s2n_shutdown should ignore unread messages (#3769)
  * Add min supported rust version for clippy (#3785)
- from version 1.3.34
  * Initialize blobs and stuffers (#3783)
  * s2n_shutdown: do not require response during handshake (#3772)
  * ci: remove build-dashboard action from PR flow (#3764)
  * ci: remove build-dashboard action from
    PR flow (#3764)
  * Blob initialization fix-3 (#3768)
  * Consolidate handshake and post-handshake record writing (#3750)
  * Blob initialization fix-2 (#3762)
  * Rename OCSP extensions (#3765)
  * Record padding integration test (#3715)
  * Adds check to ensure no switching between state machines (#3747)
  * Clang format cleanup (#3767)

-------------------------------------------------------------------
Thu Jan 26 13:28:14 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.33
  * ci: enable multicore builds for unit test (#3753)
  * Blob initialization fix-1 (#3735)
  * ci: upgrade checkout action (#3761)
  * ci: Bump boringssl version (#3739)
  * chore(ci): add CI workflow for OpenBSD (#3754)
  * Remove unused extension functions (#3752)
  * Repair build on OpenBSD (#3670)
  * Criterion tests (#3534)
  * Fragment large post-handshake records (#3741)
  * Bump rust bindings for 1.3.32 release (#3746)
  * ci: improve test name parsing for criterion (#3704)
  * Ensure non-zero record protocol version (#3744)
  * Add check to s2n_signature_scheme_valid_to_accept (#3728)
- from version 1.3.32
  * ci: Fix libfuzzer path for third-party-src dir (#3742)
  * added ecdhe_rsa_aes128 cipher to the tls_1_2_2017 policy (#3740)
  * Intentionally disable fragmenting KeyUpdates (#3708)
  * utils: guard POSIX signals with >S2N_FAILURE (#3733)
  * Autopep8 updated CI and code (#3736)
  * ci: Clean up integration v1 buildspecs (#3627)
  * ci: Update fuzz buildspec to use pre-built image (#3604)
  * Upgrade CBMC infrastructure (starter-kit 2.8.8) (#3731)
  * quick fix (#3716)
  * Update team members (#3640)
  * fix: disable pthread_atfork fork detection on OpenBSD (#3712)
  * Upgrade CBMC infrastructure (starter-kit 2.8) (#3727)
  * Adds TLSv1.2_2017 security policy with ECDHE-{RSA,ECDSA}-AES256-SHA ciphers enabled (#3723)
  * Fix s2n_record_write return value (#3722)
  * Remove unnecessary "extern" from function declarations (#3726)
  * Adds no-strict-prototypes (#3721)
  * Clang-format `tests/unit/s2n_[l-r].*\.c` and
    enforce in CI (#3677)
  * CBMC proofs: fix typing (#3718)
  * ci: codebuild scripts for criterion (#3703)
  * CBMC proofs: remove type-conflicting definition of s2n_calculate_stacktrace (#3714)
  * Clang-format `tests/unit/s2n_s.*\.c` and enforce in CI (#3678)
  * bindings bump (#3709)
  * Fix sizes in s2n_resume_test (#3705)
- Drop patches for issues fixed upstream
  * s2n_disable-werror.patch

-------------------------------------------------------------------
Wed Jan 4 13:17:13 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.31
  * Clang format `tls/s2n_[a-h].*\.[ch]` and enforce in CI (#3681)
  * tokio-s2n-tls: add poll_blinding and fix blinding on shutdown (#3700)
  * Clang-format `crypto/` and enforce in CI (#3680)
  * Clang-format `tls/s2n_[s-z].*\.[ch]` and enforce in CI (#3683)
  * Clang-format `tests/unit/s2n_[t-z].*\.c` and enforce in CI (#3679)
  * Clang format `tests/unit/s2n_[bc].*\.c` and enforce in CI (#3675)
  * Clang-format `tests/unit/s2n_[d-k].*\.c` and enforce in CI (#3676)
  * Add `CloudFront-TLS-1-2-2021-ChaCha20-Boosted` Security Policy w/ Docs Update (#3686)
  * Fix FreeBSD minherit arg naming (#3694)
  * Add config to read until error or supplied buffer is full (#3690)
  * Clang-format `tls/s2n_[i-r].*\.[ch]` and enforce in CI (#3682)
- from version 1.3.30
  * chore: bump rust bindings version (#3693)
  * Clean up test trust store (#3692)
  * Add support for AWS-LC PQ KEM (#3634)
  * chore: introduce rust-toolchain and enforce MSRV (#3691)
  * bindings (rust): handle propagating the async client_hello callback error (#3687)
  * ci: Fix LibreSSL paths in CI (#3688)
  * tests: delete integv1 code (#3685)
  * bindings(rust): avoid unnecessarily zeroing the receive buffer in poll_read (#3662)
  * Handle fragmented post-handshake messages (#3641)
  * Add CodeQL workflow for GitHub code scanning (#3601)
  * ci: pin ubuntu version to 20.04 for cppcheck (#3673)
  * ci: Remove references to TEST=integration and related codebuild scripting (#3628)
  * Make header deps
    explicit in preparation for clang-format (#3684)
  * Clang-format of `tests/unit/s2n_[3a].*\.c` + transition to exclude regex (#3664)
  * Add prioritize_chacha20 flag to cipher preferences (#3543)
  * Fix default X509 store flags (#3671)
  * Regenerate CRL pems (#3672)
  * fix(tests): honour RFC 5280 4.1.2.5 when creating CRLs (#3669)
  * fix(rust-bindings): store client_hello_callback state on connection (#3631)
  * Bump rust bindings for 1.3.29 release (#3666)
  * Removes double semicolons and expands simple_mistakes.sh (#3665)
  * ci: Update OpenSSL dependencies (#3623)
  * Test for legacy version vs SupportedVersions priority (#3661)
  * Update to clang-format causes reformat of api folder (#3663)
  * clang-format `tests/testslib` and add to ci (#3650)
  * Fix flaky send buffer test (#3647)
- from version 1.3.29
  * Fix clippy issues and formatting in bindings (#3659)
  * Add batch of clang-format PRs to .git-blame-ignore-revs (#3653)
  * Use gcc-ar instead of ar (#3625)
  * bindings(rust): Implement Deref and DerefMut traits for PooledConnection (#3642)
  * clang-format `utils/` and enforce in ci (#3651)
  * clang-format `api/` and enforce in ci (#3637)
  * clang-format `error/` and enforce in ci (#3638)
  * Fix file modes and enforce in ci (#3645)
  * clang-format `bin/` and enforce in ci (#3635)
  * Add and document CRL APIs (#3523)
  * clang-format `tls/extensions` and enforce in ci (#3633)
  * Add stuffer version of s2n_io_pair (#3632)
  * Add clang-format of stuffer to .git-blame-ignore-revs (#3629)
  * Add clang-format ci action (#3618)
  * Adds Usage Guide section on the Config object (#3620)
  * bump rust bindings for 1.3.28 release (#3622)
  * Add buffered send integration test (#3537)
  * Declaring Virtual Function Tables as const- crypto (#3616)
  * Add proof for TLS handshake with NPN extension nondeterministically enabled or disabled (#3613)
  * ci: Fix SAW sha_bad_magic_mod failure test (#3617)
  * Remove s2n_cbc_verify_test (#3615)
- from version 1.3.28
  * bindings(rust): add lto in release mode (#3610)
  * wrapper
    for wall_clock (#3611)
  * Fix very minor DeprecationWarning in integrationv2 (#3609)
  * Adds s2n_connection section to usage guide (#3605)
  * Fix to handle callback failure (#3597)
  * Move CRL timestamp validation into the CRL lookup callback (#3515)
  * Re-enable saw proofs for TLS handshake with NPN extension disabled (#3594)
  * [bindings] Fix client hello callback with config swap (#3600)
  * Fix FreeBSD build test bug (#3587)
  * Add some missing null ptr checks for defence in depth (#3596)
  * 1.3.27 bindings update (#3599)
  * Apache renegotiation integration tests (#3580)
  * Try to clarify the use of s2n_blob_zeroize_free (#3591)

-------------------------------------------------------------------
Fri Nov 11 22:00:55 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.27
  * Npn cleanup (#3590)
  * Ensure extended master secrets ext have no data (#3588)
  * LibreSSL version 3.5 implements the OpenSSL 1.1 API (almost) (#3589)
  * Update vmactions/freebsd github action (#3592)
  * Fix free error when using jemalloc (#3585)
  * Add rust binding for s2n_set_config_send_buffer_size (#3582)
  * NPN integration tests (#3583)
  * Adding null checks to tls/extensions and tls/s2n_perf (#3578)
  * Adds API for NPN support (#3575)
  * Add CRL lookup callback (#3546)
  * Bump Doxygen version 1.9.3 -> 1.9.5 (#3581)
  * Add apache renegotiation test server to CI (#3565)
  * Adds TLS12 Encrypted Extensions Messages (#3545)
  * Removing more failing saw (#3577)
  * bump to 0.0.17 (#3574)
  * More openssl renegotiate integ tests (#3570)
  * Added compliance comment for renegotiate (#3572)
  * Remove s2n-core from CODEOWNERS (#3571)
- from version 1.3.26
  * Add IO debug info to integrationv2 framework (#3564)
  * Fix check for non-portable optimizations (#3573)
  * Handshake changes necessary to negotiate NPN (#3558)
  * Add array init with capacity API (#3554)
  * Basic renegotiation integ tests (#3563)
  * Rust bindings version bump for 1.3.25 (#3567)
- from version 1.3.25
  * Only enable non-portable
    optimizations safety checks during GitHub CI builds (#3562)
  * Release renegotiation feature as unstable (#3556)
  * Refactor write_pem_file_to_stuffer_as_chain (#3553)
  * Temporarily removing TLS12 SAW tests (#3560)
  * Fix bug on RHEL5 platform (#3561)
  * Tweaks to HelloRequest handling (#3555)
  * ci: update group for labeler action (#3544)
  * test(rust-bindings): improve test reliability (#3552)
  * Add send-file option to s2nc (#3550)
  * Add API to handle renegotiation (#3549)
  * Change behavior when no protocols match (#3548)
  * Limit slow DHE handshakes in test (#3541)
  * Keep finished data on s2n_renegotiate_wipe (#3539)
  * Rust bindings version bump for 1.3.24 (#3540)
  * Add wrapper struct for X509_CRL (#3520)
  * Added NPN Handshake Message (#3526)
  * Add server secure_renegotiation checks for testing (#3533)
  * Finish compliance comments for secure renegotiation (RFC5746) (#3536)
- from version 1.3.24
  * Fix fatal no_renegotiation alert (#3535)
  * Add renegotiation callback (#3527)
  * Partially wipe connections for renegotiation (#3522)
  * Revert "ci: Criterion integv2 test changes (#3222)" (#3531)
  * ci: Criterion integv2 test changes (#3222)
  * Enforce init and cleanup calling rules (#3512)
  * Fix npn test bug (#3529)
  * Npn Extension Functions (#3521)
  * ci: Move sidetrail docker container to other repo; rework sidetrail to install tooling ahead of time.
    (#3518)
  * docs: update openssl docs (#3503)
  * Add additional CBMC dependencies to README (#3517)
  * Refactor s2n_x509_validator_validate_cert_chain to support an async callback (#3500)
  * Fix memory leaked by s2n_cleanup (#3506) (#3506)
  * Disable AVX2 compiler flags in portable PQ implementation (#3508)
- from version 1.3.23
  * Merge pull request from GHSA-m74w-59v6-c5r8
  * Merge pull request from GHSA-mm47-wjfh-4hf5
  * ci: Custom ubuntu18 image (#3513)
  * release: bump rust bindings (#3507)
  * Implement client-side safety features for secure renegotiation (#3497)
  * ci: Criterion benchmark handlers (#3223)
- from version 1.3.22
  * Add compliance exceptions for server renegotiation (#3498)
  * Store explicit length of verify_data (#3494)
  * Send no_renegotiation alert (#3490)
  * Add FS2 Scala Native binding (#3496)
  * Allow static and shared libs to be mixed (take 2) (#3484)
  * Removing some LGTM warnings (#3493)
  * Add compliance comments for secure renegotiation initial handshakes (#3485)
  * release(rust-bindings): 0.0.13 (#3487)
  * Add test for verify after sign failure (#3486)
  * Add option to verify after sign (#3482)
  * Usage Guide Changes for Certificate Inspection Methods (#3480)
- from version 1.3.21
  * Revert "Allow static and shared libs to be mixed. (#3467)" (#3483)
  * Allow static and shared libs to be mixed.
    (#3467)
  * openssl3 integration: cleanup providers (#3481)
  * openssl3 integration: store const RSA and EC_KEY (#3474)
  * ci: update freebsd image (#3479)
  * Fix documentation for record sizes (#3418)
  * Fix reference to wrong function (#3478)
  * ci: add openssl111 to LD_LIBRARY_PATH for integv2 testing (#3464)
  * Add test certificate chains and CRLs for testing CRL validation (#3458)
  * feat: add dynamic buffer capabilities (#3472)
  * openssl3 integration: workaround for new EVP_Cipher return code (#3466)
  * Allocate s2n_crypto_parameters separately (#3470)
  * Reference s2n_crypto_parameters via pointers (#3469)
  * openssl3 integration: work around for broken make build (#3468)
  * create rfc9151 security policy (#3431)
  * openssl3 integration: fix padding (#3450)
  * openssl3 integration: load legacy provider for rc4 cipher (#3457)
  * Re-worked Session Resumption Usage Guide Sections (#3423)
  * release(rust-bindings): 0.0.12 (#3462)
- from version 1.3.20
  * Initialize locking sooner (#3456)
  * build and link s2n-tls with openssl3 (#3441)
  * build: fix Ubuntu quickstart instructions (#3452)
  * double fallback for load libcrypto (#3451)
  * tests: add global retries and fail fast (#3454)
  * Add basic buffered send behavior (#3434)
  * Fixing cargo clippy complaints (#3448)
  * Return s2n_result from x509 validator functions (#3444)
  * Correct CODEOWNERS team name (#3449)
  * Fuzz s2n_deserialize_resumption_state (#3421)
  * s2n_peek should not report partial, encrypted data (#3443)
  * Fix early data reporting on partial send (#3439)
  * rust bindings release 0.0.11 (#3437)
- from version 1.3.19
  * ci(rust-bindings): Bump nightly version (#3430)
  * S2N client negotiation of un-offered group fix (#3422)
  * Remove patch version from .so (#3426)
  * cleanup codecov from codebuild (#3425)
  * Shared library .so version (#3407)
  * Revert "ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)" (#3424)
  * Set Openssl-1.0.2 locking callback (#3415)
  * Add more testing for s2n_send (#3409)
  * Miscellaneous
    Usage Guide Fixes (#3411)
  * Added RFC exception comment (#3405)

-------------------------------------------------------------------
Mon Aug 8 07:22:14 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.18
  * ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)
  * [bindings] Bump s2n-tls-tokio version (#3413)
  * [bindings] Make errno a required dependency (#3412)
  * release (rust bindings) for v1.3.17 release (#3402)
  * [bindings] Fix constant name (#3410)
  * ci: update OSX env for FreeBSD action (#3406)
  * [bindings] Include errno in errors (#3403)
  * Don't force static crypto dependency in case of a static build (#3395)
  * pq: Remove support for BIKE, SIKE, and Kyber (Round 2) (#3392)

-------------------------------------------------------------------
Tue Jul 26 09:02:30 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.17
  * Don't wipe extensions after processing (#3401)
  * fail generate.sh when cargo fails (#3398)
  * Remove CBMC proof typechecking warnings (#3397)
  * ci: Remove Integration Tests from Omnibus (#3391)
  * Remove litani submodule and update CBMC starter kit to 2.5 (#3385)
  * Prevent modifying of shared cert chains through config API (#3384)
  * Fix how KeyUpdates trigger (#3387)
  * Added OCSP and CT Sections to the Usage Guide (#3382)
  * release(rust-bindings): 0.0.9 (#3388)
  * Add HRR compliance comments and tests for remaining TLS RFC sections (#3363)
  * build(rust-bindings): use the 2021 rust edition (#3386)
  * Add HRR compliance comments and tests for TLS RFC section 4.2.8 (#3362)

-------------------------------------------------------------------
Tue Jul 12 12:38:11 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.16
  * Add 'poll_' to polling method names (#3383)
  * Update fips_default security policy (#3378)
  * [bindings] Parity with unofficial bindings (#3374)
  * Add clone and initialisation unit tests (#3367)
  * [bindings] Export policy
    macro (#3375)
  * ci: Generate Duvet reports in CI (#3372)
  * Set server key share extension as a response extension (#3358)
  * Enable S2N_AES_SHA1/256_COMPOSITE when AWSLC_API_VERSION >= 18. (#3269)
  * Update CBMC starter kit to v2.4 (#3376)
  * Import Microsoft's recent PQCrypto-SIDH SIKE patches into s2n (#3366)
  * Temporarily change OpenSSL 1.1.1 versions to fix CI. (#3368)
  * [bindings] Get rid of 'raw' module (#3360)
  * Replace existing fork detection with the FGN implementation (#3355)
  * Fix clap dependency (#3361)
  * Add compliance comments and tests for TLS RFC section 4.1.4 (#3337)
  * [bindings] Apply async blinding (#3356)
  * [bindings] Add connection pooling support (#3336)
  * [bindings] Rework connection builder trait (#3335)
  * Expand random api tests (#3342)
  * docs: Documentation Clean Up (#3329)
- from version 1.3.15
  * fix: Add option to disable stacktrace feature (#3345)
  * Fix interning build for cmake version 3.15+ (#3346)
  * docs: Make Doxygen prettier. (#3343)
  * free EVP_PKEY_CTX before returning from s2n_evp_sign/verify (#3333)
  * ci:Add valgrind tests for awslc (#3338)
  * Improve libcrypto checks (#3272)
  * fix: Accurately track wire_bytes_out (#3332)
  * ci: CodeBuild spec updates to support criterion integv2 (#3225)
  * [bindings] Handle async callback behavior (#3325)
  * release(rust-bindings): 0.0.8 (#3341)
  * Refactor randomness API tests (#3328)
  * Catch broken pipe exceptions on pipe flush. (#3321)
  * doc fix: Update documentation for s2n_connection_get_cipher.
    (#3330)

-------------------------------------------------------------------
Wed May 25 08:31:30 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.14
  * [bindings] Allow modification of new connections (#3320)
  * fix(bindings-rust): move vendored openssl-sys to dev-dependency (#3323)
  * ci: Temporarily remove more test endpoints with expired certs (#3322)
  * [bindings] Move enums to separate file (#3319)
  * Feature probe for EVP_rc4 (#3301)
  * Use CaDiCaL solver for s2n_stuffer_private_key_from_pem proof (#3318)
  * docs: Introduce Doxygen to s2n (#3302)

-------------------------------------------------------------------
Wed May 18 13:54:10 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.13
  * Enforce how the client hello is modified during retry (#3311)
  * Use SHA1+MD5 for <TLS1.2 + FIPS (#3310)
  * Don't generate a new client random on retries (#3312)
  * Rewrite cookie extension (#3306)
  * Fixed CBMC_ENSURE_REF calls where NULL return type expected (#3304)
  * ci: Fix boringssl unit tests (#3309)
  * Improve cmake logging (#3305)
  * [bindings] Clean up async behavior (#3299)
  * ci: Temporarily remove more test endpoints with expired certs (#3300)
  * ci: add awslc interning to omnibus (#3295)
  * fix(s2n-tls-sys): add cmake files to the include directive (#3297)
  * release(rust-bindings): 0.0.6 (#3296)
  * build(bindings): use cmake when building with pq feature (#3294)
  * [bindings] Add basic send and recv (#3290)
  * Interning not supported with FIPS enabled.
    (#3277)
  * fix: FreeBSD will now fail loudly (#3284)
  * [bindings] Hide ffi types + basic debug info (#3279)

-------------------------------------------------------------------
Thu Apr 28 11:06:16 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.12
  * Use pointer to variable type as required by cleanup attribute (#3289)
  * bug: fix s2n_connection->cookie_stuffer initialization (#3282)
  * Add test utility for fork tests (#3253)
  * Add additional libcryptos to V2 integration tests (#3244)
  * ci: GitHub actions for osx (#3280)
  * Fix MacOS unit tests (#3278)
  * build: use S2N_LIBCRYPTO to pick interning lib (#3276)
  * [bindings] Add basic s2n-tls-tokio skeleton (#3261)
  * exclude cast-qual in Cmake for aws-lcw (#3270)
  * Disable strict-prototypes diagnostic flag in Clang (#3275)
  * ci: check integv2 python for pep8 issues (#3271)
- from version 1.3.11
  * auto format integv2 python (#3268)
  * ci: don't update the ghpages dashboard outside of main repo (#3267)
  * release(rust-bindings): 0.0.5 (#3256)
  * Add basic rust ci jobs (#3265)
  * Fix wrong assumption about osx/apple (#3264)
  * ci: temporarily remove expired certs (#3266)
  * fix: correctly export internal APIs (#3260)
  * deps: Upgrade CBMC submodules (#3259)
  * Fully separate key and secret state machines (#3238)
  * test: OCSP integrationv2 test with GnuTLS (#3207)
  * Port drbg.c functions to use S2N_RESULT (#3252)
  * feat(rust-bindings): add support for linking an external build (#3254)
- from version 1.3.10
  * build: fix libcrypto interning (#3204)
  * Update install_awslc to install the correct FIPS branch of AWS-LC (#3255)
  * ci: add make install (#3224)
  * ci: Add a CRT codebuild job (#3245)
  * ci: script changes to test aws-crt (#3176)
  * Add step by step instructions to Readme (#3061)
  * ci: Issue/PR dashboard (#3235)
  * feat(rust-bindings): add support for mTLS (#3241)
  * Address new-ish python warning (#3208)
  * Add check on zero returned by EVP_CIPHER_CTX_ctrl.
    (#3221)
  * Changed function declarations to match their definitions (#3243)
  * Add missing safety macro deprecation messages (#3242)
  * Fix auto-generated RESULT_GUARD_RESULT macros (#3239)
  * sike_r3: add missing GNU note for executable stack on ELF (#3194)
  * Implementation of fork generation number API (#3191)
  * fix cmake package name in usage guide (#3232)
  * bindings: update version in preparation for publishing the bindings to crates.io (#3233)
  * bindings: manually track Config lifetime and expose ClientHelloHandler for client_hello_callback (#3216)
  * Remove nonexistent macro reference from docs (#3237)
  * internal api: add new api to poll client_hello callback (#3230)
  * Make secrets available early for QUIC (#3229)
- from version 1.3.9
  * Remove PQ tests that break on Openssl DRBG calling pattern updates (#3231)
  * Split up slow pq test (#3226)
  * Secret reorder for s2n-quic (#3227)
  * Fix BIKE Round 3 try_compile statements (#3219)
  * Update sidetrail readme (#3220)
- from version 1.3.8
  * Delete more old key schedule methods (#3215)
  * Wipe TLS1.3 secrets after handshake (#3212)
  * Fix cleanup issues with HELLO_REQUEST received during handshake (#3217)
  * Add tls13 state machine file back (#3205)
  * api: add context on s2n_config.
    add internal api to access config set on connection (#3210)
  * Clarify TLS1.3 secrets tracking (#3213)
  * Remove old key schedule methods (#3209)
  * Refactor TLS1.3 key schedule (#3198)

-------------------------------------------------------------------
Tue Mar 1 12:10:42 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.7
  * Crypto variable update missing from #3181 (#3189)
  * SSLyze integrationv2 test (#3186)
  * Added try_compile for features.h (#3197)
  * bindings: update rust bindings (#3196)
  * Centralize transcript hash copy logic (#3195)
  * Enable PQ in FIPS mode with awslc (#3183)
  * Revert "Flush stdout with initial BEGIN_TEST message (#3185)" (#3193)
- from version 1.3.6
  * Store TLS1.3 transcript hash digests rather than full hash state (#3188)
  * Remove in-source build target check hackery. (#3181)
- Refresh patches for new version
  * s2n_fix-cmake-modules-path.patch

-------------------------------------------------------------------
Tue Feb 1 11:21:51 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.5
  * remove extra S2N_API (#3187)
  * Use `llvm_points_to_bitfield` in SAW proofs (#3155)
  * Add API s2n_client_hello_has_extension to check if extension exists (#3180)
  * Flush stdout with initial BEGIN_TEST message (#3185)
  * FreeBSD ci (#3184)
  * Add some comments to build scripts (#3182)
  * Document which macros should not be used for new code (#3179)
  * remove unused function s2n_actual_getpid (#3172)
  * Workaround AL2 nodejs package issue (#3174)
  * Add API method to translate errors to alerts (#3171)
  * Upgrade CBMC submodules (#3165)
  * tests: add s2n_init/s2n_cleanup tests (#3164)

-------------------------------------------------------------------
Thu Jan 20 11:39:19 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.4
  * Change AWS-LC aes-gcm aead APIs to the ones that are FIPS validated (#3137)
  * Conflicting ports in integration test (#3161)

-------------------------------------------------------------------
Tue Jan 4 14:34:21 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.3
  * Fix s2n_connection_get_client_cert_chain for TLS1.3 (#3156)
  * Fixing Flakiness in Cross-Compat Test (#3158)
  * Enforce RSA-PSS saltlen requirements (#3157)
  * Rearrange TLS1.2 and TLS1.3 secret storage (#3154)
  * Use libcrypto signing methods in compliance with FIPS 140-3 (#3142)
  * docs: update readme (#3153)
- from version 1.3.2
  * Adds Cross-Compatibility Test (#3147)
  * Makes s2n_stuffer_skip_whitespace verification friendly (#3143)
  * ci: fix Kwstyle (#3136)
  * only print on retries (#3151)
  * integration: enforce timeout, allow for the process to shutdown gracefully, run in non-blocking mode (#3148)
  * Added Script to Compile Main for Cross-Compat Testing (#3139)
  * Adds Options to Output and Input Session Ticket to s2nc (#3134)
  * Upgrade CBMC submodules (#3135)

-------------------------------------------------------------------
Thu Dec 9 10:04:33 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to version 1.3.1
  * Nitpick usage guide links (#3133)
  * FIPS Static Config is Only Created When Needed (#3129)
  * Fix build on NetBSD.
    (#3131)
  * Feature probe for EVP_md5_sha1() (#3128)
  * Allow EVP hash implementation to use EVP_md5_sha1 if available (#3126)
  * Allow synchronous private key operations (#3121)
- from version 1.3.0
  * EMS Re-Release (#3122)
  * If QUIC, only offer TLS1.3 (#3124)
- from version 1.2.1
  * tests: fix s2n_enable_tls13 deprecation warnings (#3120)
  * Fix FindLibCrypto for list-typed CMAKE_PREFIX_PATH (#3067)
  * Add AWS-LC FIPS integration target (#3084)
  * Detect nested s2n_negotiate calls (#3119)
  * build: add the option to enable LTO (#3117)
  * Prevent Uninitialized Memory Access in case of FIPS Mode Disabled (#3016)
  * Fixed EMS to work with Session Caching (#3102)
  * Rename internal HMAC implementations in s2n_prf to clarify which implementation is used (#3103)
  * Finish memcpy->memmove migration (#3110)
- from version 1.2.0
  * Revert "EMS Release (#3053)" (#3113)
  * Reapply "Update QUIC parameters IANA (#3029)" (#3106)
  * Add a flag to s2nc to enable FIPS mode in the underlying libcrypto. Update integration tests to use the new flag when needed (#3101)
  * Added Backwards-Incompatible Ticket Version (#3099)
  * Don't allow QUIC to be enabled if TLS1.3 not possible (#3088)
  * ci: remove spaces from benchmark name (#3097)
  * Lets make S2N play nicely with the rest of the world shall we? Added … (#2669)
- from version 1.1.2
  * ci: add a CODEOWNERS file (#3071)
  * utils: fix constant time equals return value (#3093)
  * Upgrade CBMC templates (#3094)
  * tests: fix fuzz count formatting (#3091)
  * Turn on Endpoint Tests (#3090)
  * Offer only TLS1.3 handshake options if QUIC enabled (#3085)
  * Added test for mutual auth (#3087)
  * Repair TLS 1.3 proofs after c096a55 (#3079)
  * Bench handshake (#3043)
  * Rename CBMC proof bound BLOB_SIZE -> MAX_BLOB_SIZE (#3073)

-------------------------------------------------------------------
Tue Oct 12 12:42:24 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Trim conjecture and redundant metadata from description.
- Simplify package names and set right shlib package name.
------------------------------------------------------------------- Mon Oct 11 09:13:10 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.1.1 * Advance CBMC litani and template submodules to latest release (#3072) * Update integv1 trust store (#3074) * Revert "Re-enable TLS 1.3 SAW tests (#3031)" (#3077) * Re-enable TLS 1.3 SAW tests (#3031) * Revert "Update QUIC parameters IANA (#3029)" (#3069) * NULL-check s2n_cert_chain_and_key_get_pkey_type (#3064) * Enable RSA_PSS_SIGNING_SUPPORTED when OPENSSL_IS_AWSLC. (#2801) * audit memcmp usage (#3059) * Turn on OCSP functionality for AWS-LC (#3058) * ci: Use stable for openssl1.1.1 (#3065) - from version 1.1.0 * Fix TLS1.3 ticket lifetime math (#3060) * Add API to track session tickets sent (#3056) * Turn On Client OCSP Stapled Test (#3055) * EMS Release (#3053) * Add more well known endpoints for integration testing (#3054) * Update READING-LIST.md (#3004) * Add new Fuzz Test Corpus Files (#3021) * Remove ChaCha TLS 1.3 Cipher from KMS FIPS Cipher Pref List (#3039) * Re-enable Twitter.com client integration test (#3051) * Fix BIKE R3 PQ Assembly detection bug for AMD Zen 3 CPUs (#3050) * EMS Testing (#3042) * Enable Client-side TLS 1.2 Self Downgrade (#3030) * Allow QUIC to be enabled per-connection (#3048) - from version 1.0.19 * Disable EndOfEarlyData message for QUIC + clean up QUIC special casing (#3044) * Fix TLS1.2 session cache + missing ticket key (#3041) * Remove twitter.com from endpoint handshake test for OpenSSL 1.0.2 (#3038) - from version 1.0.18 * build: add libcrypto interning tests (#3035) * Add more TLS Security Policies with TLS 1.3 support (#3023) * Enable offloading of private key operations (#3024) * Fixes Potential IO Memory Leak (#3027) * build: add option to intern libcrypto (#3028) * Update QUIC parameters IANA (#3029) * Adding s2n_negotiate benchmarking framework (#3014) * Update s2n_cipher_suites.c (#3026) * Self Downgrade to TLS 1.2 if RSA PSS is not 
available and it's possible that it may be needed (#3009) - from version 1.0.17 * Use pthread_equal for pthread_t comparison (#3022) * Fix pre-TLS1.2 ECDSA client certs (#3019) * Improved support for using s2n-tls from within an unloadable shared lib (#3011) * Adds EMS flag to session ticket (#2982) * Extra EMS Requirements (#3018) * Create 20210816 security policies (#3015) * Add RSA-PSS-PSS to integration tests (#3012) * Added s2n_client_hello_get_session_id calls (#3006) * Upgrade CBMC sub-modules (#3017) * Switch sigalg integ test to use s2n output instead of Openssl output (#3010) * bindings: import "mid-level" bindings (#2920) * Move/Modify methods from s2nd to common.h/common.c (#3008) * And test to verify unencrypted EncryptedExtensions rejected (#3003) * Fix behavior of signature scheme getters in TLS1.2 (#3007) * Added call to generate EMS when negotiated (#2986) * Test psk_kex_exchange_mode GREASE values (#3002) * introduce fd getter new API (#2981) * Fix build issue with AWS Common Runtime SDK CI (#3005) * Adds Client and Server EMS Extension (#2991) * Import Kyber512 Round3 AVX2 Implementation (#2946) * Moving code to broader files to allow for usage in other programs (#2996) - Refresh patches for new version * s2n_add-so-version.patch ------------------------------------------------------------------- Thu Aug 12 10:57:59 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.16 * Updated PSS support definition to account for new BoringSSL version (#2297) * Add quic_transport_parameters extension (#2288) * added unit test for sort order of s2n_all_cipher_suites in IANA order (#2192) * Add initial QUIC setup (#2283) * Fix macro usage, indexing and magic numbers (#2271) - from version 1.0.15 * Add client-side support for PQ HRR (#2260) * Add AWS-LC pre-processor directive similar to BoringSSL (#2273) * Fix awslc codebuild hang (#2282) * Fixed processing issue with status request extension (#2229) * Update s2n to compile 
on FreeBSD (#2272) * Add aws-lc code build. (#2275) * Don't enable OCSP stapling if not available (#2253) * Improves performance and coverage of s2n_stuffer_* proofs (#2230) * Codebuild batch and Omnibus job (#2245) * Disable sending of PQ group IDs for FIPS or TLS1.2 (#2267) * Use NIST P-256 for key generation when client do not specify curve (#2265) * Fix TLS 1.3 server side OCSP metrics (#2241) * Add client/server share size fields to s2n_kem_group (#2269) * alloc and sub overflow proofs (#2255) * Add ECDSA ciphers for viewer side support (#2219) * Adds proof harnesses for s2n_array_free* functions (#2244) * Checking data size instead of data pointers in s2n_stream_cipher_null_endecrypt (#2263) - from version 1.0.14 * Update CloudFront security policies (#2238) * Adds proof harnesses for s2n_array_* functions (#2246) * Implements client-side sending of PQ key shares for 1.3 (#2215) * Change fuzz coverage below minimum to an error (#2259) * Initialize slot variable to fix ARM compiler warning (#2258) * Adds proof harnesses for s2n_set_* functions (#2248) * Check if S2N_COVERAGE and FUZZ_COVERAGE are true (#2254) * Use allocation function for session key object (#2249) * Adds initial CBMC proofs for s2n_array and s2n_set (#2193) * Update the default keyshare list sent by the client (#2190) - from version 1.0.13 * Support TLS 1.3 clients that do not specify signature algorithms (#2222) * Importing Kyber512-90s PQ KEM (#2202) * build: fix cmake shared lib build (#2237) ------------------------------------------------------------------- Wed Jul 7 11:53:45 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.12 * Update Max Connection memory usage to support Round 3 KEM Groups (#2933) * Check for -1 return code from OCSP_basic_verify() (#2931) * Add Round 3 PQ TLS Policies (#2842) * Add public function for wiping the trust store (#2927) * fix memcpy bug in client hello - copy address of pointer (#2917) * Stops TLS13 From Erroring if 
Session Ticket Write Fails (#2928) * Fixing wrong file path in makefile for BIKE R3 (#2925) * Check Cipher Suite is ECC Before Returning Curve (#2908) * Add unit test to monitor s2n_connection size changes (#2913) * bindings: export include dir in rust build (#2918) - from version 1.0.11 * Add a stale bot configuration (#2897) * bindings: add rust bindings (#2754) * Suggestion: Prevent randomness callbacks being set to NULL (#2916) * Reduce memory allocated for conn->out (#2904) * document sigpipe handling (#2909) * place -Werror behind a flag which is ON by default (#2903) * resolve -Wstrict-prototypes compiler warning (#2906) * OpenSSL rand-engine requires engine support (#2885) * Fix TLS1.3 dynamic record min calculation (#2900) * Make client respect max frag len extension result (#2898) * Initial proofs for s2n_socket functions (#2896) * Do not calculate transcript on failed connection (#2886) * Add gcov and lcov targets for pq (#2895) * Adds close markers to flaky test (#2863) * Fix some OCSP-related cert behavior (#2894) * Adding Usage Guide for Pre-Shared Keys (#2890) * Remove sikep434r2 code (#2864) * Adds Error Checking Around Fragment Length (#2888) - Refresh patches for new version * s2n_disable-werror.patch * s2n_fix-cmake-modules-path.patch ------------------------------------------------------------------- Fri Jun 11 11:26:46 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.10 * Release TLS1.3 Pre-Shared Key (PSK) (#2889) * Release early data / 0RTT (#2882) * Release TLS1.3 Session Resumption (#2877) * Limit session resumption PSKs processed (#2879) * Client should not accept invalid TLS1.3 ticket_lifetime (#2878) * Updates CI buildspec to include PSK integration tests (#2875) * Adds External PSK Integration Tests (#2821) * Make TLS1.3 ticket processing less strict to handle future changes (#2876) * Add handshake type message for integration tests (#2873) * Fixes s2n_get_session_length in TLS1.3 (#2858) * Update 
Codebuild batch spec with early data integration test (#2872) * Duplicate Certificate Error Message (#2870) * Early data integration tests (#2857) * Various small integration framework fixes (#2868) * Bring __ANDROID__ and ANDROID back for tm_gmtoff (#2869) * More fixes for BIKE R3 optimized builds (#2867) * Supports in-source build with AWS-LC. (#2714) * Larger chunk size based on worker count (#2865) * BIKE R3 fix for gcc-4.8.2 (#2866) * Fix BIKE_R3 build issue (#2860) * Error blinding updates / fixes (#2852) * BIKE Round-3 runtime code path selection based on CPU capabilities (#2793) * Removes tolower stub from CBMC proofs (#2853) * Stop rejected 0RTT data from triggering error blinding (#2849) - from version 1.0.9 * Add new s2n_cert_chain_and_key load api that takes non-null-terminated data and length (#2753) * Adds TLS1.3 Session Resumption Integration Tests (#2814) * Integrate sikep434r3 x86_64 assembly (#2820) * Fix duplicate KEM assignment in pq_kem_test (#2848) * Adds new proof allocators for s2n_connection (#2832) * s2n_connection_get_session_id_len returns 0 for >= TLS1.3 (#2844) * Update codebuild script for NO_PQ when building unit tests with cmake (#2841) * Adds getters for connection signature algorithm and digest algorithm (#2843) * Adds TLS1.3 Session Resumption and Early Data Functionality to s2nd/s2nd (#2826) * Add signature validation for async sign call (#2791) * Make digest_allow_md5_for_fips proof UID unique (#2837) * Add BIKE Round 3 Fuzz Tests (#2790) - Add patch to strip -Werror from build flags * s2n_disable-werror.patch ------------------------------------------------------------------- Mon May 17 12:27:25 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.8 * Disable mlock during unit tests (#2829) * Fix HRR + 0RTT bug (#2824) * ci: Adding AL2 unit tests to CI (#2828) * Separate TLS1.2 and TLS1.3 client ticket memory lifecycles (#2825) * Remove unused macro and safeguard against removing prediction 
resistance (#2807) * Implement async private key op offload interface (#2779) * Updating api documentation for s2n_cert_chain_get_cert (#2822) * update usage docs (#2816) * Add AES-GCM prioritized versions of older security policies (#2767) * Async private key operation offload documentation (#2799) * ci:Create a NoPQ unit test job (#2451) * docs: add a Semver document (#2268) * Formally verify no memory leaks in s2n_stuffer (#2813) * Add early-data session resumption self-talk tests (#2795) * Formally verify no memory leaks for s2n_array & s2n_set deallocators (#2810) * Update gitter link (#2806) * Disable TLS1.3 ticket issuing outside of tests (#2809) * Ignore `munlock` failures (#2804) * Relax SIKE Round 3 architecture restrictions (#2800) * Ensure that s2n is initialized in s2n_free_object (#2805) * No optimization when debugging (#2798) * Formally verify no memory leaks in hash functions (#2792) * async_pkey support for s2n_client_verify (#2755) * Import sikep434r3 (#2701) * Use POSIX/glibc __USE_MISC feature detection instead of platform macros (#2778) * Adding EC_KEY_check_key for p521 curve (#2789) * Import kyber512r3 (#2694) * ci: add unit test to s2n_codebuild.sh (#2773) * Formally verify no memory leaks for s2n_blob (#2788) * tests: fix typos in identifiers and comments (#2783) * Clean up pq_kem_test and add negative test case for decaps (#2785) * Adds session-resumption self-talk tests (#2770) * ci: Codebuild al2 scripts (#2782) * Use S2N_HMAC_SHA256 in psk PRF match test case (#2746) * Make server_name send check more efficient (#2719) * Remove all occurrences of `#pragma check disable` (#2781) * Fix incorrect blob resize (#2784) * Make s2n_connection_get_session/session_length work for TLS1.3 (#2768) * Removes pragmas from CBMC-proof harnesses (#2775) * Avoid arithmetic operations on NULL pointers (#2772) * Make s2n_connection_get_session_ticket_lifetime_hint work with TLS1.3 (#2769) * Allow ecc preferences without secp256r1 (#2763) * docs: fix a few 
typos (#2765) * add missing Bike_r3 symbols when S2N_NO_PQ is set (#2771) * Update s2n_config_set_session_tickets_onoff for TLS1.3 (#2762) * Update s2n_connection_is_session_resumed for TLS1.3 (#2761) * Put limits on use of keying material (#2751) * Adds selection logic for resumption psks (#2743) * External PSK Integration Tests Part 1 (#2749) * Adding s2n_psk_get APIs (#2748) * Remove unnecessary BIKE R3 code for verbose logging (#2758) ------------------------------------------------------------------- Mon Apr 26 09:23:44 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.5 * utils: remove deprecated safety macros (#2747) * Fix loop counter overflow due to inconsistent type (#2739) * Upgrades CBMC templates for proof harnesses (#2744) * Import Bike Round 3 Implementation into s2n (#2726) * Cleanup TLS1.3 fixed ticket sizes (#2729) * Export symbols when building dynamically (#2730) * Check for validity in s2n_stuffer_wipe*operations (#2732) * Skip coverage upload (#2734) * Don't send the client_session_ticket extension when using TLS1.3 tickets (#2725) * Added server deserialize method (#2709) * Make early data callback async (#2717) * Include early data config in session tickets (#2720) * quic: add S2N_API to secret callback api (#2728) * Consolidate handshake pause logic (#2716) * Pinned bash script to previous commit (#2723) * Add early data callback (#2715) * Set early data context for new session tickets (#2718) * Adding prefix s2n_cert for s2n certificate APIs (#2713) * Safeguard linker flags on Apple (#2710) * Add APIs to send and receive early data (#2682) * Adds helper function to obtain the OID value from the X509v3 extensions (#2702) * Created GDB flag to remove optimizations (#2711) - from version 1.0.4 * Add flags for non exec stack and read only GOT. 
(#2707) * Fix for failing resume test (#2706) * Add context to PSK selection callback (#2704) * Calculated obfuscated ticket age (#2697) * Don't allow non-post handshake messages to be received post handshake (#2703) - from version 1.0.3 * Reduce fuzz timeouts due to codebuild timeout limits. (#2586) * Prepare s2n_config_set_psk_selection_callback to someday be async (#2689) * Add early_data_indication extension for new session tickets (#2686) * Don't allow both resumption and external PSKs at the same time (#2696) * Command Line Options Fix For s2nc.c (#2681) * Centralize and correct ">= S2N_TLS13" checks for extensions (#2699) * dont await close_notify alert if we have already received one before (#2674) * Add support for non blocking client hello callback (#2688) * Update OSX quickstart instructions (#2700) * Resolve conflict between 516a99e and abed2a3 (#2698) * Allow early data via s2n_negotiate/s2n_send/s2n_recv (#2680) * Send the Client CCS message early when sending early data (#2691) * Handle pre-TLS1.3 peers and early data (#2690) * Adding a new resumption psk deletes all previous psks (#2684) * Add api to configure max early data for new tickets (#2683) - from version 1.0.2 * Add methods to report early data status / limits (#2678) * Add bitflag to enable early data (#2679) * Added client deserialization method (#2675) * ci: disable go proxy (#2677) * Add s2n_connection_get_peer_cert_chain API (#2666) * Added nst to post_handshake handler (#2665) * Add method to perform a partial handshake (#2662) * Removes all proof allocators from CBMC proofs (#2668) * Update readable writable flags (#2667) * Read New Session Ticket message (#2657) * Add early data negotiation tests + misc minor fixes (#2658) * APIs to get s2n certificate in der format (#2649) * Added nst callback (#2639) * Handle rejected early data (#2647) * Add early traffic secrets (#2645) * Adds support for incremental proof-results in CI reports (#2644) * ci: Update action * Add server early data 
indication extension (#2612) - Drop patches for issues fixed upstream * s2n_no-visibility-hidden.patch ------------------------------------------------------------------- Tue Mar 16 11:54:46 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 1.0.1 * Make HRRs work with early data (#2611) * Reduce memory used by handshake arrays (#2628) * utils: apply safety codemod script (#2441) * ci: update cppcheck (#2638) * utils: remove the usage of S2N_ERROR_IF in favor of POSIX_ENSURE (#2636) * utils: add codemod script for explicit safety macro contexts (#2339) * Send New Session Ticket message (#2598) * Add support for riscv64 (#2613) * util: remove S2N_RESULT_TO_POSIX macro to reduce confusion (#2634) * Adjust test threshold (typo?) (#2631) * docs: Org change to aws (#2596) * utils: add safety_macros codegen script (#2423) * Parse multiple post-handshake messages in a record (#2604) * Fixed -Werror=strict-prototypes failure on s2n_error_location (#2632) * ci: bump the asan coverage instance type to 2XL (#2630) * [0RTT] Add early data handshakes (#2594) * Add client early data indication extension (#2610) * Self talk tests for External PSK (#2578) * Removing flaky test (#2621) * Early data config should use cipher suite instead of iana value (#2608) * Make some alpn operations reuseable (#2609) * Allow no-op transitions in early data state machine (#2607) * Add separate extension list for HelloRetryRequest (#2605) * Build issue (#2606) * Detect "index" variable names to avoid build issues (#2597) - from version 1.0.0 * Updating rsa_2048_sha256_uri_sans_cert (#2601) * Renaming index to psk_index to prevent name collision (#2595) * Added New Session Ticket send handler (#2580) * Add simple early data state machine (#2589) * Add CMake config to build benchmarks (#2582) * Add APIs to configure early data for external PSKs (#2581) * Update PQ KEM branches to use constant time functions. 
(#2590) * tls: add NSS key log callback (#2584) * Add missing newlines at end of feature test files (#2588) * Rework psk_selection_callback to use opaque structures (#2558) * api: add method to get the iana value for the negotiated cipher suite (#2550) * Add support for powerpc64 (#2533) * Refactor how external PSKs are configured (#2557) * ci: Cleanup travis (#2579) * Added new ticket api (#2549) * Remove the manual updating of the Yarn Debian key as CloudBuild as addressed this (#2560) * Probe for support of fall through attribute (#2559) * Removes unnecessary includes from CBMC proof harnesses (#2556) * Added new serialization format and updated encryption logic (#2538) * quic: ignore middlebox mode (#2554) * Add a command to manually update the Yarn Debian key (#2555) * ci: Update CodeBuild docker version, part 2 (#2535) * Remove s2n_cipher_suite_from_wire (#2546) * api: add method to append protocol preferences (#2534) - from version 0.10.26 * extensions: fix quic_transport_parameters extension IANA value (#2551) * Detect nested send/recv calls (#2545) * Adds a proof harness for s2n_hmac_update (#2531) * Adds a proof harnesses for s2n_hmac_digest* functions (#2537) * Adds a proof harness for s2n_hmac_init (#2543) * Fix 'index' var shadowing with old toolchains (#2540) * Added session resumption to key schedule (#2528) * Adding callback to select a PSK identity (#2512) * ci: Fix annoying NONE error (#2491) * api: add s2n_errno_location function (#2532) * Migrate some KEX functions to S2N_RESULT (#2524) * Adds memory-safety proofs for s2n_hmac functions (#2525) * Adds memory-safety proofs for s2n_hmac functions (#2530) * ci: CodeBuild docker image version bump for fuzz jobs (#2527) * New CloudFront 2021 security policy (#2514) * Correct PSK + cert interaction (#2519) * Relax 3 bytes for cert length check (#2518) * Fix and simplify psk_param lifecycle (#2523) * enable secp521r1 in fips test security policy (#2516) - from version 0.10.25 * Complete the migration 
to s2n_pq_is_enabled() (#2510) * Fix missing GUARDs after s2n_pkey_size calls (#2517) * Ensures memory safety in s2n_hmac functions (#2486) * Added set psk api (#2499) * Optimization for client psk extension on hello retry (#2508) * compliance: format a few comments (#2511) * Update PQ fuzz tests to run when PQ is disabled (#2489) * Clean up PSKs after early secret calculation (#2506) - from version 0.10.24 * Fix for rsa_pss_rsae_test (#2507) * Adding server pre_shared_key extension (#2494) * Reduce deprecated warning noise when building the tests (#2500) * Enforce that client psk extension is parsed last (#2493) * Added psk to key schedule (#2481) * Updates to readme and debugging docs for Sidetrail (#2478) * Ensure PQ is enabled when calling low-level PQ KEM functions (#2475) * Consolidate PQ unit tests (#2460) * Fix sys/poll.h import (#2224) * Added pre-shared key handshakes to tls13 state machine (#2445) * PskKeyExchangeModes extension (#2466) * Adds proof harnesses for s2n_hmac functions (#2457) * [PSK] Update s2n_hash_algorithm to s2n_hmac_algorithm (#2465) - Pass '-n %{name}-tls-%{version}' to %setup in %prep section ------------------------------------------------------------------- Wed Dec 16 13:36:46 UTC 2020 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Update to version 0.10.23 + Fix memory allocation when session ticket is used (#2470) + Remove unused security policies to avoid confusion (#2448) + Refactor PQ crypto functions and header files (#2452) + Update client auth integ tests to test ECDSA (#2454) + Upgrades Litani (#2468) + [PSK] Update cipher selection logic (#2443) + Add support for debug conditions (#2433) - from version 0.10.22 + Eliminate EC_KEY_check_key validation in s2n_ecc_evp_write_params_point function (#2459) + ci: AFL automation (#2395) + Make server psk identity comparison constant time (#2437) + Adds proof harnesses for s2n_dhe functions (#2439) + Remove obsolete integv2 makefile target (#2450) + Remove static 
qualifier from pq unit test helper function (#2449) + Adds proof harnesses for s2n_hash functions (#2429) + Add security policy to enable PQ TLS1.3 (#2444) + Fix cert verify signature size calculation (#2442) + Fix declaration order in cbmc_utils.c (#2438) + Adds proof harnesses for s2n_dhe functions (#2440) + Adds proof harnesses for s2n_hash functions (#2428) + Adds CBMC proofs for s2n_evp functions (#2427) + Added certificate signature preferences (#2370) + PQ-enabled migration part 1 (#2426) + Ensures memory safety in s2n_dhe functions (#2432) + Adds CBMC proof harness for s2n_array_init (#2430) + Only check the auth method for signatures server side (#2434) + Ensure memory safety in s2n_hash functions (#2412) + Add client pre_shared_key extension (#2409) + Litani integration (#2381) + S2n leaks (#2410) + Update PSS support definition to account for new AWS-LC version (#2407) + Upgrade OpenSSL verification model (#2408) + Add psk binder functions (#2400) + Update well known endpoint test with new PQ KMS ciphers (#2388) + Allow for up to 1 trailing unparsed byte for cert length check (#2383) + Remove hash state from s2n_map (#2386) + Adds proof harnesses for s2n_hash functions (#2382) + Verify HMAC with unbounded key/data. (#2353) + Support for curve secp521r1 (#2344) + Update saw (#2374) + Adds a verification model for OpenSSL (#2293) + ci: CodeBuild scripts to support AL2 (#2362) + Add more QUIC safety checks (#2373) + Add S2N_RESULT to a couple functions. (#2371) + Add secret callbacks for QUIC (#2364) + ci: Add well_known_endpoints to the Omnibus job (#2369) + Pin the version of the BoringSSL test dependency (#2304) + Improve run- and compile-time support for PQ assembly (#2338) + Update the integv2 README to match the latest changes (#2365) + Fix edge cases with buffer write in both s2nc and the java client. 
(#2367) + Allow slightly overlarge TLS 1.3 inner plaintext (#2360) - Refresh patches for new version + s2n_no-visibility-hidden.patch ------------------------------------------------------------------- Thu Nov 19 13:48:39 UTC 2020 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> - Initial build + Version 0.10.21