Changelog for libs2n0unstable-1.4.8-1.1.3.1.x86_64.rpm :

* Fri Mar 22 2024 John Paul Adrian Glaubitz - Update to version 1.4.8
* feat: Add additional EC key validation for FIPS (#4452)
* refactor: UBSAN build and address out of bound reads (#4440)
* Add s2n_stuffer_shift (#4458)
* style: fix declarations without initial value (#4404)
* feat: Add FIPS mode getter API (#4450)
* remove unnecessary includes (#4451)
* refactor: clang-tidy null deref and undefined mod (#4436)
* refactor: make memmove vs memcpy behavior clearer (#4447)
* fix(bindings): Apply with_system_certs to Config builder (#4456)
- from version 1.4.7
* api: add key update request functionality (#4453)
* style: manual initial value fix (#4449)
- from version 1.4.6
* docs: Specify the return value of S2N_FAILURE for IO APIs (#4446)
* refactor: enforce stuffer return check (#4399)
* refactor: fix unread variable warnings (#4405)
* fix: Unsets global libcrypto rand (#4424)
* Relax HRR consistency requirements for second client hello (#4429)
* fix: prevent enabling ktls with a buffered record header fragment (#4426)
* feat: add cert key preferences (#4434)
* chore: bindings bump 0.1.6 (#4437)
* test: add cert chain with mixed key sizes (#4433)
* feat: apply cert signature preferences locally (#4407)
* docs: Extend license check to .rs files (#4428)
* fix(test): fix dangling pointers in cert verify test (#4430)
* Add Rust bindings for certificate chains (#4398)
- from version 1.4.5
* fix: parse fragmented sslv2 client hellos (#4425)
* chore(ci): Give OpenBSD CI job a performance boost (#4427)
* fix: s2n_shutdown should handle partial records (#4421)
* feat: Server name getter for client hello (#4396)
* refactor: zero static s2n_configs on cleanup (#4416)
* Removed unused dependencies (#4417)
* chore(bindings): release 0.1.5 (#4420)
* chore(bindings): release 0.1.4 (#4418)
* bindings: use aws-lc-rs instead of aws-lc-sys (#4415)
* Wed Feb 21 2024 John Paul Adrian Glaubitz - Update to version 1.4.4
* allows cmake to force crypto linkage (#4383)
* refactor: consolidate record wiping (#4412)
* build: make CMake test flags more consistent with make (#4392)
* style(bindings): address new clippy lint (#4411)
* refactor: generalize cert sig preference handling (#4379)
* feat: More client hello getters (#4380)
* fix: only initialize default tls 1.3 config in tests (#4302)
* Check fd status before using urandom (#4352)
* utils: add map iteration iterator (#4377)
* chore(bindings): release (#4388)
* chore(bindings): bump aws-lc-sys (#4393)
* s2n-tls-tokio: use s2n_shutdown_send instead of s2n_shutdown (#4374)
* enforce result checking for blob and mem (#4389)
* Wed Feb 07 2024 John Paul Adrian Glaubitz - Update to version 1.4.3
* ci: Disable broken rust dry-runs (#4384)
* Fix SSLv3 detection with AWS-LC (#4361)
* More specific error for unexpected cert request (#4381)
* test: Adds SSLv3 integ test (#4372)
* chore: add valgrind to nix develop (#4365)
* test: additional test certs (#4378)
* chore: bindings release 0.1.2 (#4376)
* test: add additional test certs (#4353)
* feature: Use S2N_FAST_INTEG_TESTS to run pytest in parallel under nix (#4368)
* refactor: ossl x509 parsing (#4351)
* Fri Jan 26 2024 John Paul Adrian Glaubitz - Update to version 1.4.2
* docs(bench): update docs to reflect aws-lc default (#4336)
* Fix initialization errors in unit tests (#4370)
* bindings: fix handling of s2n_shutdown errors (#4358)
* Fix s2n_shutdown + failed recv bug (#4350)
* Add new PQ TLS Policies (#4327)
* ktls: add method to track key updates (#4364)
* Move client hello parsing out of unstable (#4359)
* bindings: clean up blinding tests (#4356)
* ci: cmake asan buildspec (#4048)
* fix: stack-use-after-scope variable ordering (#4355)
* fix(bindings): remove optional cmake dependency (#4347)
* ktls: improve messaging around freed handshakes (#4346)
* bug: Fixes mdbook action (#4345)
* feat: Publishes mdbook to Github Pages (#4343)
* Add PQ integration tests between s2n and AWS-LC's libssl (#4267)
* chore: bindings release 0.1.1 (#4341)
* (feat): Adds API to allow s2n-quic to check for resumption (#4335)
* bindings: ensure CFLAGS includes come after libcrypto includes (#4338)
* Add FIPS security rule (#4315)
* Wed Jan 03 2024 John Paul Adrian Glaubitz - Update to version 1.4.1
* bindings: match tcp EOF behavior (#4323)
* (docs): Reordered and moved usage guide into an mdbook (#4300)
* ktls: add method to enable TLS1.3 (#4331)
* ci: fix flaky interning test (#4334)
* Add CBMC proof for s2n_stuffer_printf (#4309)
* docs: remove gitter references (#4332)
* ktls: handle TLS1.3 key limits (#4318)
* ci: pin home crate to fix rust build (#4330)
* ci: switch autopep8 action (#4322)
* ci: ignore cbmc prereleases (#4328)
* ci: switch FreeBSD back to vmactions (#4326)
* ktls: add TLS1.3 support (#4314)
* ci: fix pep8 linting (#4319)
* cleanup: add getter for sequence number (#4317)
* Mark inline asm output as earlyclobber (#4310)
* bindings: release rust bindings 0.1.0 (#4313)
* ci: add workflow for rust bench crate (#4210)
* Enforce security rules on security policies (#4311)
* documentation: fix security policy table (#4304)
- from version 1.4.0
* Add basic "security rules" (#4298)
* Update CloudFront's upstream ECC Preference list (#4301)
* Bump AWS-LC version to v1.17.4 (#4303)
* Clean up selecting a signature algorithm (#4285)
* Remove s2n's internal Kyber512 implementation, and rely on AWS-LC for Kyber support (#4283)
* feat: Adds ConnectionInitializer to Rust bindings (#4250)
* Remove NULLs in s2n_kex (#4293)
* feat(bindings): use aws-lc-sys instead of openssl-sys (#4290)
* fix: probe for all AES_GCM variants (#4295)
* ci: add mainline coverage job (#4288)
* bench: increase cert chain length (#4287)
* fix(bindings): enable session tickets after setting callback (#4292)
* fix(bindings): pin jobserver in more places and run cargo publish --dry-run in generate.sh (#4255)
* bindings(rust): make callbacks Send + Sync (#4289)
* Add API to retrieve the supported groups for a security policy (#4273)
* test: Bump cross-platform actions to pull in fix for flaky BSD (#4278)
* test: remove blinding from unit tests (#4281)
* ci: update integ dependencies (#4261)
* ci: add additional p-384 test coverage (#4275)
* Detect KEM support at runtime (#4101)
* Bumped version to 0.41.0 (#4276)
* Change pkey parse methods to return s2n_result (#4271)
* Fixes failing FreeBSD build in CI (#4272)
- from version 1.3.56
* ci: Minor cppcheck speedup (#4268)
* fix: update permissions to allow dashboard to write to gh-pages. (#4228)
* Clean up receiving peer sig alg (#4259)
* Switch from vmactions to cross-platform-actions (#4266)
* Update get_client_cert_chain API documentation (#4260)
* Always apply the PARTIAL_CHAIN flag (#4258)
* Allow TLS 1.2 servers to report client versions from the supported versions extension (#4249)
* Clean up sending supported sig algs (#4254)
* refactor(bench): remove non-generic connection logic (#4236)
* docs: remove extra security policy item (#4248)
* bindings: release 0.0.40 (#4251)
- from version 1.3.55
* Add new PQ TLS 1.3 policies (#4247)
* Switch sig schemes from copies to references (#4237)
* feat: Turns off automatic ticket creation for quic (#4239)
* chore: pin dependency to fix rust MSRV issues (#4243)
* feat: Processes post-handshake messages for quic (#4218)
* bindings: release 0.0.39 (#4235)
* Run clang-format (#4238)
- from version 1.3.54
* Merge pull request from GHSA-97r4-p6c4-5gv3
* ktls: support aes256 (#4227)
* ktls: forbid renegotiation (#4229)
* ci: add ktls + asan build (#4213)
* Add support for exporting symmetric keys from connections (#4230)
- from version 1.3.53
* ktls: make usable outside of tests (#4232)
* overwrite the random state key only if initialized (#4225)
* ci: Authorize requests to GitHub API (#4223)
- from version 1.3.52
* ktls: release APIs as unstable (#4217)
* Add API to retrieve parsed supported groups (#4216)
* docs: generate citations meta data and add CI check (#4205)
* feat: add s2n_strerror_source API (#4209)
* feat: send psk_ke_modes ext in first flight (#4177)
* ktls: clean up enable (#4212)
* Generalize io handling + add ktls EINTR handling (#4203)
* ktls: fix flaky test (#4214)
* docs: add rfc citations (#4202)
* build: use feature probes for CLOEXEC (#4206)
* Add asan support to cmake/nix (#4194)
* ktls: receive app data (#4201)
* docs: add citations for alert behavior (#4198)
* bindings: release 0.0.38 (#4196)
* ktls: recv alerts (#4199)
* Reduce allocs in ktls app data send (#4181)
* ktls: self-talk tests for send (#4189)
* ci: run duvet when commits are merged into main branch (#4197)
* ci: Upgrade asan to catch use after scope (#4192)
* ktls: add sendfile (#4186)
* Add test with ktls enabled to s2nGeneralBatch (#4190)
* Thu Sep 14 2023 John Paul Adrian Glaubitz - Update to version 1.3.51
* Add API to disable certificate validity period validation (#4183)
* Commit buildspec for s2nGeneralBatch (#4188)
* ktls: Send alerts (#4185)
* Add AL2 test with system libcrypto (#4179)
* ci: buildspec for qemu ktls test (#4175)
* Add testlib to track memory allocations (#4180)
* ktls: Send app data (#4174)
* Small sendv doc fix (#4178)
* api: Add S2N_EXTENSION_SUPPORTED_VERSIONS as s2n_tls_extension_type (#4160)
* feat(benchmarks): Add session resumption support (#4173)
* bindings: Release 0.0.37 (#4172)
* Fri Sep 01 2023 John Paul Adrian Glaubitz - Update to version 1.3.50
* Publish cert validation callback APIs and add documentation (#4161)
* kTLS: implement recvmsg (#4154)
* Fix clippy (#4166)
* Add cert validation callback (#4156)
* kTLS: implement sendmsg (#4147)
* Fix s2n_ecdsa_secp521r1_sha512 + improve integ ECDSA coverage (#4148)
* refactor and cleanup some ktls code (#4152)
* Call enable_session_tickets before adding a ticket key (#4150)
* kTLS: get and set control data on msghdr (#4146)
* Don't exit nix dev shell on integ test failure (#4149)
* docs(bench): update historical benching graphs and readme (#4136)
* Use client_hello.parsed as precondition for retrieving client_hello (#4144)
* bindings: release 0.0.36 (#4145)
* Update blocked status documentation (#4139)
* Make invalid chains available via get_client_cert_chain (#4134)
* Adds resumption functions to Rust bindings (#4114)
* Thu Aug 17 2023 John Paul Adrian Glaubitz - Update to version 1.3.49
* ktls: mock send/recvmsg IO (#4109)
* test: ensure s2n_recv blocked status behavior doesn't change (#4127)
* Add additional Kyber768 tests (#4089)
* Prevent get_peer_cert_chain from modifying existing cert chain (#4135)
* Update build documentation (#4126)
* feat(bench): add different parameters for memory benching (#4125)
* feat(bench): add flamegraph generation to benchmarks and reuse configs when benching (#4128)
* Add new Kyber768+ KEMs and security policy (#4034)
* fix(bench): fix throughput bench issues and add documentation (#4130)
* refactor(bench): unnest loops over parameters in handshake bench (#4129)
* ktls: self talk inet socket test (#4075)
* refactor(bench): feature cleanup for benches (#4120)
* refactor(bench): move around and update scripts in bench crate (#4115)
* Fix PR template styling (#4116)
* bindings: release 0.0.35 (#4122)
* refactor(bench): separate out client and server connections in benching harness (#4113)
- from version 1.3.48
* Print error for 32bit test (#4107)
* ktls: set keys on socket and enable ktls (#4071)
* Trying to use an invalid ticket should not mutate state (#4110)
* fix: get_session behavior for TLS 1.3 (#4104)
* feat(bench): add different certificate signature algorithms to benchmarks (#4080)
* feat(bench): add memory bench with valgrind/massif (#4081)
* feat(bench): add historical performance benchmark (#4083)
* nix: pin corretto version (#4103)
* bindings: release 0.0.34 (#4096)
- from version 1.3.47
* Fix try_compile bug on gcc 4 (#4091)
* Fix clippy warnings (#4093)
* Generify Kyber files + functions over security parameters (#4087)
* Disabling sign compare check as debug build option, enabling wsign-compare check and fixing 32bit build failures (#4061)
* ktls: config socket ULP (#4066)
* feat(bench): add throughput benchmarks (#4077)
* feat(bench): add mTLS to benchmarks (#4079)
* Fix pthread key cleanup with musl libc (#4085)
* feat: introduce s2n_key_material for handling key material info (#4047)
* Fix openssl-1.0.2k x509 validator test failure (#4084)
* bindings: release 0.0.33 (#4076)
* feat(bench): add openssl handshake to benchmarking (#4069)
* fix: Add implicit gcc flag to all feature probes (#4074)
* nix: skip the sslyze test on aarch64 (#4050)
* Adds new CRT policies (#4072)
* Add KeyUpdate threading test (#4059)
* Wed Jun 28 2023 John Paul Adrian Glaubitz - Update to version 1.3.46
* Create new KMS TLS Policy with TLSv1.2 Minimum (#4068)
* bindings: do not enable OCSP when calling trust_location() (#4016)
* Fixes broken link in comment (#4060)
* Disable build flag for openssl102 nix aarch64-linux (#4045)
* Add rustls handshake to benchmarks (#4063)
* remove kTLS feature probe (#4064)
* Validate PRK output size in the libcrypto HKDF implementation (#4057)
* s2n-tls handshake benchmark (#4053)
* feat(bindings/s2n-tls): add ja-3 apis (#4009)
* Fix TSAN s2n_shutdown failures (#4055)
* Update nix corretto; make it platform aware. (#4043)
* Add ThreadSanitizer (#4046)
* feat: add checked return values diagnostic (#3798)
* Fix usage guide examples + enable testing of examples (#4044)
* Fix pthread leak (#4037)
* Add libcrypto HKDF implementation (#4035)
* ci: allow running multiple integ tests at once in nix devshell (#4029)
* Never send KeyUpdate message if
* nix devShell with aws-lc (#4028)
* fix: ossl3 legacy provider mem leak (#4033)
* Add pre-TLS13 libcrypto PRF implementation (#4020)
* ci: typos config file (#4021)
* Refactor alerts to make behavior clear (#4019)
* bindings: release 0.0.32 (#4032)
* Fixes dynamic loading bug (#4024)
* build: make feature flags consistent (#3921)
* Sat Jun 10 2023 John Paul Adrian Glaubitz - Update to version 1.3.45
* fix: improve compatibility with old Linux versions (#4027)
* Disable retry client random validation outside of tests (#4023)
* Only call getenv for integ test marker in s2n_init (#4025)
* Publish minimal s2n_config APIs and add documentation (#3972)
* Fix s2n_error_get_type mistake in usage guide (#4022)
* nix: add an Openssl102 nix devShell (#4014)
* fix(api/unstable): make all api methods visible (#4015)
* test(bindings/s2n-tls-tokio): fix tokio bindings close test (#4007)
* fix: open files with the O_CLOEXEC flag (#3989)
* feat(s2n-tls): X509 asn1 refactor (#4011)
* Add the libcrypto random generation implementation (#4004)
* nix: Use nixpkgs gnutls instead (#4013)
* nix: add a LibreSSL nix devShell (#4010)
* style: simplify api for test utility (#4008)
* fix(s2nd): parse psk given to s2nd non-destructively (#4006)
* nix devShell with openssl3 (#3993)
* Upgrade OpenSSL model for CBMC proofs (#3978)
* Quoting RFC-4492 to verify behavior when supported_groups extension is not sent (#3998)
* docs: add notes on s2nc and s2nd usage (#4003)
* bindings: Add option to disable loading system certs (#3985)
* Update FAQ + add s2n_negotiate example to Usage Guide (#3984)
* test: add more x509 OCSP tests (#3970)
* ci: enable ossl3 tls13 tests (#3992)
* chore: bindings release 0.0.31 (#3997)
* Print Wire Bytes In and Out for s2nc (#3986)
* ci: nix devShell simplification (#3964)
* utils: Add a stale box to the GH dashboard; use an action for pushing pages (#3947)
- from version 1.3.44
* test: fix session-ticket, non-blocking-io tests on 32 bit (#3969)
* ci: add 32 bit buildspec (#3977)
* [ci]: Use custom library context for rc4 instead of global default context (#3980)
* s2n_rand_cleanup: be sure to unregister s2n RAND engine from libcrypto (#3966)
* docs: update clang-format and gdb documentation (#3967)
* Only LTO on GCC (#3968)
* style: clean up fuzz corpus (#3971)
* Add test for cipher selection with dh params (#3974)
* Add new API to perform half-close (#3952)
* Add API to create s2n_configs without loading system certs (#3950)
* chore: remove module.modulemap and allow customers to generate it themselves (#3961)
* chore: bindings release (#3956)
* Cover more situations where no close_notify is sent/received (#3957)
* Add logging for failed CRT tests (#3962)
* Fix end-of-data behavior (#3945)
- from version 1.3.43
* Fix expected negotiated version in client auth downgrade test (#3951)
* ci: Disable automatically closing stale PRs (#3946)
* add 32 bit cross-compile toolchain (#3924)
* ci: Add AWSLC-FIPS 2022 to CI (#3943)
* bindings: add verify_host_callback to the connection (#3925)
* Add basic half-close TLS1.3 behavior (#3932)
* Update IO section of Usage Guide (#3917)
* Don't send close_notify after an alert (#3942)
* Reinstate Kyber KEM check (#3905)
* Add test to verify TLS1.2 downgrade (#3939)
* Add github stale action (#3929)
* update security policy and rust binding documentation (#3906)
* Remove unnecessary flush (#3940)
* Adds FAQ doc (#3920)
* ci: Update AWSLC test dependency to v1.8.0 (#3938)
* Add note about server_name spec requirements (#3930)
* doc: Flesh out steps in nix readme. (#3923)
* Create new PQ TLS Policies with minimum of TLSv1.2 (#3927)
* Attempts to fix flakiness in session_ticket_test (#3913)
* test: Bump nix devShell python to 3.10 (#3914)
* chore(bindings): release 0.0.29 (#3919)
* test: add retry logic for well-known endpoints (#3918)
* docs: add compliance notes for RFC 6125 (#3915)
* Wed Apr 19 2023 John Paul Adrian Glaubitz - Update to version 1.3.42
* CI: Restrict Nix integ test to 1 job (#3897)
* Don't set actual_protocol_version early when resuming a session (#3907)
* Expose curve details to rust bindings (#3912)
* Move secret type out of tls12/tls13 union (#3908)
* Appends S2N_API (#3910)
* chore: bump rust bindings (#3909)
* test: Nix s3 cache (#3904)
* Tue Apr 04 2023 John Paul Adrian Glaubitz - Update to version 1.3.41
* fix: remove broken check in test (#3901)
- from version 1.3.40
* Rewrite of the PSK section in Usage Guide (#3864)
* test: cleanup after tests (#3831)
* ktls: feature probe test (#3869)
* Fixes some compiler warnings coming from tests (#3883)
* tokio-s2n-tls: Enable access to the IO instance from TcpStream (#3882)
* chore: bump rust bindings for 1.3.39 release (#3887)
* Migrate Kyber 512 to EVP KEM API (#3853)
* test: cleanup tests (#3832)
* test: Add missing packages to nix devShell (#3885)
* Document behavior of s2n_negotiate for a client with client auth (#3891)
* Switch OpenBSD CI job GH action to something more robust (#3877)
* Enable strict compile checks in unit test build (#3878)
* ci: enable valgrind pedantic check (#3886)
* Allow client hellos from raw bytes (#3871)
* Add new security policy (#3895)
- from version 1.3.39
* Removed codecov github status badge. (#3859)
* Add method to create Rust certs without private keys (#3860)
* Update s2n to latest revision of PQ Hybrid TLS 1.3 Draft RFC (#3800)
* chore: bump rust bindings version; crates msrv to 1.63.0 (#3863)
* ci: Check for msrv match between rust-toolchain and crates; make them match. (#3866)
* fix: disable defer cleanup in failure case in s2n_cert_chain_and_key_load_cns (#3870)
* tests: add checks for LTO+interning compatibility (#3839)
* Enforce that ENSURE and GUARD_OSSL use valid error codes (#3873)
- from version 1.3.38
* Add CMake targets for integration tests and switch CI to use them (#3776)
* ci: reduce the number of BSD artifacts (#3837)
* Enable -Wsign-Compare-check_v2-tests/unit (#3827)
* Add github trigger event for merge queue (#3836)
* Prevent auto-enabling OCSP requests for servers (#3830)
* Enable -Wsign-Compare-check_v3-tests/unit/ (#3828)
* Enable -Wsign-Compare-check_bin/_crypto/_stuffer/_utils/ (#3825)
* Enable -Wsign-Compare-check_v1-tests/ (#3826)
* Update s2n_libcrypto_validate_name_prefix to only check the prefix of the libcrypto name (#3779)
* Enable -Wsign-Compare-check_tls/ (#3829)
* Add OCSP stapling for client auth (#3770)
* Enable -Wsign-Compare-check_CMakeLists (#3842)
* CI: pin AWS-LC versions #3846
* [bindings] Generalize async in preparation for pkey offloading (#3844)
* fix: use actual_protocol_version for session ID (#3845)
* Add JA3 to s2nd (#3838)
* filter do_not_merge label from Ready to merge (#3849)
* Remove unused s2n_config_client_hello_cb_enable_poll (#3850)
* Run integv2 tests with nix (#3824)
* ci: nix fmt action (#3834)
* Add CBMC proof-running GitHub Action (#3840)
* Upgrade OpenSSL model for CBMC proofs (#3857)
* Bump Rust MSRV for latest openssl-src. (#3858)
* Handle ASN.1 type detection errors (#3855)
* [bindings] Add private key callback (#3847)
* Fri Feb 17 2023 John Paul Adrian Glaubitz - Update to version 1.3.37
* Make unstable fingerprint methods accessible (#3823)
* Clean up thread-local memory (#3771)
* bindings(rust): bump MSRV to 1.60.0 (#3833)
* Criterion delta (#3811)
* Add JA3 fingerprinting (#3817)
* Clarify that AWS-LC is also supported (#3821)
* Add unit test to check that the build's libcrypto reflects the CI's intended libcrypto (#3774)
* Clarify SSLv2 ClientHellos (#3815)
* Bump rust bindings for 1.3.36 release (#3818)
* Add stuffer method for standard init process (#3814)
- from version 1.3.36
* ktls: rm kTLS request field on config (#3816)
* ktls: add ktls_supported field to s2n_cipher (#3806)
* Make test_install_shared_and_static easier to debug
* ktls: s2n_ktls_mode and building blocks (#3797)
* ci: Update OpenBSD's MEM_PER_CONNECTION, based on error message (#3791)
* s2n-tls nix flake (#3794)
* Updated rust bindings (#3802)
* Update omnibus fuzz image; remove fuzz job we're not running anymore in PR (#3796)
* Adds client hello section to usage guide (#3757)
* Integration test to check default signature algorithm behavior (#3719)
* Blob Initialization fix-Test_1 (#3790)
- from version 1.3.35
* fix: pass an empty string to host verify without usable identifiers (#3793)
* add code coverage support (#3759)
* ci: Enable CTEST_OUTPUT_ON_FAILURE on all targets (#3789)
* Enforce that clippy msrv matches rust-toolchain (#3787)
* Blob Initialization fix-Test (#3780)
* s2n_shutdown should ignore unread messages (#3769)
* Add min supported rust version for clippy (#3785)
- from version 1.3.34
* Initialize blobs and stuffers (#3783)
* s2n_shutdown: no not require response during handshake (#3772)
* ci: remove build-dashboard action from PR flow (#3764)
* Blob initialization fix-3 (#3768)
* Consolidate handshake and post-handshake record writing (#3750)
* Blob initialization fix-2 (#3762)
* Rename OCSP extensions (#3765)
* Record padding integration test (#3715)
* Adds check to ensure no switching between state machines (#3747)
* Clang format cleanup (#3767)
* Thu Jan 26 2023 John Paul Adrian Glaubitz - Update to version 1.3.33
* ci: enable multicore builds for unit test (#3753)
* Blob initialization fix-1 (#3735)
* ci: upgrade checkout action (#3761)
* ci: Bump boringssl version (#3739)
* chore(ci): add CI workflow for OpenBSD (#3754)
* Remove unused extension functions (#3752)
* Repair build on OpenBSD (#3670)
* Criterion tests (#3534)
* Fragment large post-handshake records (#3741)
* Bump rust bindings for 1.3.32 release (#3746)
* ci: improve test name parsing for criterion (#3704)
* Ensure non-zero record protocol version (#3744)
* Add check to s2n_signature_scheme_valid_to_accept (#3728)
- from version 1.3.32
* ci: Fix libfuzzer path for third-party-src dir (#3742)
* added ecdhe_rsa_aes128 cipher to the tls_1_2_2017 policy (#3740)
* Intentionally disable fragmenting KeyUpdates (#3708)
* utils: guard POSIX signals with >S2N_FAILURE (#3733)
* Autopep8 updated CI and code (#3736)
* ci: Clean up integration v1 buildspecs (#3627)
* ci: Update fuzz buildspec to use pre-built image (#3604)
* Upgrade CBMC infrastructure (starter-kit 2.8.8) (#3731)
* quick fix (#3716)
* Update team members (#3640)
* fix: disable pthread_atfork fork detection on OpenBSD (#3712)
* Upgrade CBMC infrastructure (starter-kit 2.8) (#3727)
* Adds TLSv1.2_2017 security policy with ECDHE-{RSA,ECDSA}-AES256-SHA ciphers enabled (#3723)
* Fix s2n_record_write return value (#3722)
* Remove unnecessary "extern" from function declarations (#3726)
* Adds no-strict-prototypes (#3721)
* Clang-format `tests/unit/s2n_[l-r].*\.c` and enforce in CI (#3677)
* CBMC proofs: fix typing (#3718)
* ci: codebuild scripts for criterion (#3703)
* CBMC proofs: remove type-conflicting definition of s2n_calculate_stacktrace (#3714)
* Clang-format `tests/unit/s2n_s.*\.c` and enforce in CI (#3678)
* bindings bump (#3709)
* Fix sizes in s2n_resume_test (#3705)
- Drop patches for issues fixed upstream
* s2n_disable-werror.patch
* Wed Jan 04 2023 John Paul Adrian Glaubitz - Update to version 1.3.31
* Clang format `tls/s2n_[a-h].*\.[ch]` and enforce in CI (#3681)
* tokio-s2n-tls: add poll_blinding and fix blinding on shutdown (#3700)
* Clang-format `crypto/` and enforce in CI (#3680)
* Clang-format `tls/s2n_[s-z].*\.[ch]` and enforce in CI (#3683)
* Clang-format `tests/unit/s2n_[t-z].*\.c` and enforce in CI (#3679)
* Clang format `tests/unit/s2n_[bc].*\.c` and enforce in CI (#3675)
* Clang-format `tests/unit/s2n_[d-k].*\.c` and enforce in CI (#3676)
* Add `CloudFront-TLS-1-2-2021-ChaCha20-Boosted` Security Policy w/ Docs Update (#3686)
* Fix FreeBSD minherit arg naming (#3694)
* Add config to read until error or supplied buffer is full (#3690)
* Clang-format `tls/s2n_[i-r].*\.[ch]` and enforce in CI (#3682)
- from version 1.3.30
* chore: bump rust bindings version (#3693)
* Clean up test trust store (#3692)
* Add support for AWS-LC PQ KEM (#3634)
* chore: introduce rust-toolchain and enforce MSRV (#3691)
* bindings (rust): handle propagating the async client_hello callback error (#3687)
* ci: Fix LibreSSL paths in CI (#3688)
* tests: delete integv1 code (#3685)
* bindings(rust): avoid unnecessarily zeroing the receive buffer in poll_read (#3662)
* Handle fragmented post-handshake messages (#3641)
* Add CodeQL workflow for GitHub code scanning (#3601)
* ci: pin ubuntu version to 20.04 for cppcheck (#3673)
* ci: Remove references to TEST=integration and related codebuild scripting (#3628)
* Make header deps explicit in preparation for clang-format (#3684)
* Clang-format of `tests/unit/s2n_[3a].*\.c` + transition to exclude regex (#3664)
* Add prioritize_chacha20 flag to cipher preferences (#3543)
* Fix default X509 store flags (#3671)
* Regenerate CRL pems (#3672)
* fix(tests): honour RFC 5280 4.1.2.5 when creating CRLs (#3669)
* fix(rust-bindings): store client_hello_callback state on connection (#3631)
* Bump rust bindings for 1.3.29 release (#3666)
* Removes double semicolons and expands simple_mistakes.sh (#3665)
* ci: Update OpenSSL dependencies (#3623)
* Test for legacy version vs SupportedVersions priority (#3661)
* Update to clang-format causes reformat of api folder (#3663)
* clang-format `tests/testslib` and add to ci (#3650)
* Fix flaky send buffer test (#3647)
- from version 1.3.29
* Fix clippy issues and formatting in bindings (#3659)
* Add batch of clang-format PRs to .git-blame-ignore-revs (#3653)
* Use gcc-ar instead of ar (#3625)
* bindings(rust): Implement Deref and DerefMut traits for PooledConnection (#3642)
* clang-format `utils/` and enforce in ci (#3651)
* clang-format `api/` and enforce in ci (#3637)
* clang-format `error/` and enforce in ci (#3638)
* Fix file modes and enforce in ci (#3645)
* clang-format `bin/` and enforce in ci (#3635)
* Add and document CRL APIs (#3523)
* clang-format `tls/extensions` and enforce in ci (#3633)
* Add stuffer version of s2n_io_pair (#3632)
* Add clang-format of stuffer to .git-blame-ignore-revs (#3629)
* Add clang-format ci action (#3618)
* Adds Usage Guide section on the Config object (#3620)
* bump rust bindings for 1.3.28 release (#3622)
* Add buffered send integration test (#3537)
* Declaring Virtual Function Tables as const- crypto (#3616)
* Add proof for TLS handshake with NPN extension nondeterministically enabled or disabled (#3613)
* ci: Fix SAW sha_bad_magic_mod failure test (#3617)
* Remove s2n_cbc_verify_test (#3615)
- from version 1.3.28
* bindings(rust): add lto in release mode (#3610)
* wrapper for wall_clock (#3611)
* Fix very minor DeprecationWarning in integrationv2 (#3609)
* Adds s2n_connection section to usage guide (#3605)
* Fix to handle callback failure (#3597)
* Move CRL timestamp validation into the CRL lookup callback (#3515)
* Re-enable saw proofs for TLS handshake with NPN extension disabled (#3594)
* [bindings] Fix client hello callback with config swap (#3600)
* Fix FreeBSD build test bug (#3587)
* Add some missing null ptr checks for defence in depth (#3596)
* 1.3.27 bindings update (#3599)
* Apache renegotiation integration tests (#3580)
* Try to clarify the use of s2n_blob_zeroize_free (#3591)
* Fri Nov 11 2022 John Paul Adrian Glaubitz - Update to version 1.3.27
* Npn cleanup (#3590)
* Ensure extended master secrets ext have no data (#3588)
* LibreSSL version 3.5 implements the OpenSSL 1.1 API (almost) (#3589)
* Update vmactions/freebsd github action (#3592)
* Fix free error when using jemalloc (#3585)
* Add rust binding for s2n_set_config_send_buffer_size (#3582)
* NPN integration tests (#3583)
* Adding null checks to tls/extensions and tls/s2n_perf (#3578)
* Adds API for NPN support (#3575)
* Add CRL lookup callback (#3546)
* Bump Doxygen version 1.9.3 -> 1.9.5 (#3581)
* Add apache renegotiation test server to CI (#3565)
* Adds TLS12 Encrypted Extensions Messages (#3545)
* Removing more failing saw (#3577)
* bump to 0.0.17 (#3574)
* More openssl renegotiate integ tests (#3570)
* Added compliance comment for renegotiate (#3572)
* Remove s2n-core from CODEOWNERS (#3571)
- from version 1.3.26
* Add IO debug info to integrationv2 framework (#3564)
* Fix check for non-portable optimizations (#3573)
* Handshake changes necessary to negotiate NPN (#3558)
* Add array init with capacity API (#3554)
* Basic renegotiation integ tests (#3563)
* Rust bindings version bump for 1.3.25 (#3567)
- from version 1.3.25
* Only enable non-portable optimizations safety checks during GitHub CI builds (#3562)
* Release renegotiation feature as unstable (#3556)
* Refactor write_pem_file_to_stuffer_as_chain (#3553)
* Temporarily removing TLS12 SAW tests (#3560)
* Fix bug on RHEL5 platform (#3561)
* Tweaks to HelloRequest handling (#3555)
* ci: update group for labeler action (#3544)
* test(rust-bindings): improve test reliability (#3552)
* Add send-file option to s2nc (#3550)
* Add API to handle renegotiation (#3549)
* Change behavior when no protocols match (#3548)
* Limit slow DHE handshakes in test (#3541)
* Keep finished data on s2n_renegotiate_wipe (#3539)
* Rust bindings version bump for 1.3.24 (#3540)
* Add wrapper struct for X509_CRL (#3520)
* Added NPN Handshake Message (#3526)
* Add server secure_renegotiation checks for testing (#3533)
* Finish compliance comments for secure renegotiation (RFC5746) (#3536)
- from version 1.3.24
* Fix fatal no_renegotiation alert (#3535)
* Add renegotiation callback (#3527)
* Partially wipe connections for renegotiation (#3522)
* Revert "ci: Criterion integv2 test changes (#3222)" (#3531)
* ci: Criterion integv2 test changes (#3222)
* Enforce init and cleanup calling rules (#3512)
* Fix npn test bug (#3529)
* Npn Extension Functions (#3521)
* ci: Move sidetrail docker container to other repo; rework sidetrail to install tooling ahead of time. (#3518)
* docs: update openssl docs (#3503)
* Add additional CBMC dependencies to README (#3517)
* Refactor s2n_x509_validator_validate_cert_chain to support an async callback (#3500)
* Fix memory leaked by s2n_cleanup (#3506) (#3506)
* Disable AVX2 compiler flags in portable PQ implementation (#3508)
- from version 1.3.23
* Merge pull request from GHSA-m74w-59v6-c5r8
* Merge pull request from GHSA-mm47-wjfh-4hf5
* ci: Custom ubuntu18 image (#3513)
* release: bump rust bindings (#3507)
* Implement client-side safety features for secure renegotiation (#3497)
* ci: Criterion benchmark handlers (#3223)- from version 1.3.22
* Add compliance exceptions for server renegotiation (#3498)
* Store explicit length of verify_data (#3494)
* Send no_renegotiation alert (#3490)
* Add FS2 Scala Native binding (#3496)
* Allow static and shared libs to be mixed (take 2) (#3484)
* Removing some LGTM warnings (#3493)
* Add compliance comments for secure renegotiation initial handshakes (#3485)
* release(rust-bindings): 0.0.13 (#3487)
* Add test for verify after sign failure (#3486)
* Add option to verify after sign (#3482)
* Usage Guide Changes for Certificate Inspection Methods (#3480)- from version 1.3.21
* Revert "Allow static and shared libs to be mixed. (#3467)" (#3483)
* Allow static and shared libs to be mixed. (#3467)
* openssl3 integration: cleanup providers (#3481)
* openssl3 integration: store const RSA and EC_KEY (#3474)
* ci: update freebsd image (#3479)
* Fix documentation for record sizes (#3418)
* Fix reference to wrong function (#3478)
* ci: add openssl111 to LD_LIBRARY_PATH for integv2 testing (#3464)
* Add test certificate chains and CRLs for testing CRL validation (#3458)
* feat: add dynamic buffer capabilities (#3472)
* openssl3 integration: workaround for new EVP_Cipher return code (#3466)
* Allocate s2n_crypto_parameters separately (#3470)
* Reference s2n_crypto_parameters via pointers (#3469)
* openssl3 integration: work around for broken make build (#3468)
* create rfc9151 security policy (#3431)
* openssl3 integration: fix padding (#3450)
* openssl3 integration: load legacy provider for rc4 cipher (#3457)
* Re-worked Session Resumption Usage Guide Sections (#3423)
* release(rust-bindings): 0.0.12 (#3462)- from version 1.3.20
* Initialize locking sooner (#3456)
* build and link s2n-tls with openssl3 (#3441)
* build: fix Ubuntu quickstart instructions (#3452)
* double fallback for load libcrypto (#3451)
* tests: add global retries and fail fast (#3454)
* Add basic buffered send behavior (#3434)
* Fixing cargo clippy complaints (#3448)
* Return s2n_result from x509 validator functions (#3444)
* Correct CODEOWNERS team name (#3449)
* Fuzz s2n_deserialize_resumption_state (#3421)
* s2n_peek should not report partial, encrypted data (#3443)
* Fix early data reporting on partial send (#3439)
* rust bindings release 0.0.11 (#3437)- from version 1.3.19
* ci(rust-bindings): Bump nightly version (#3430)
* S2N client negotiation of un-offered group fix (#3422)
* Remove patch version from .so (#3426)
* cleanup codecov from codebuild (#3425)
* Shared library .so version (#3407)
* Revert "ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)" (#3424)
* Set Openssl-1.0.2 locking callback (#3415)
* Add more testing for s2n_send (#3409)
* Miscellaneous Usage Guide Fixes (#3411)
* Added RFC exception comment (#3405)
* Mon Aug 08 2022 John Paul Adrian Glaubitz - Update to version 1.3.18
* ci: Temporarily pin AWS-LC to a commit before gcc4.8 breaks (#3414)
* [bindings] Bump s2n-tls-tokio version (#3413)
* [bindings] Make errno a required dependency (#3412)
* release (rust bindings) for v1.3.17 release (#3402)
* [bindings] Fix constant name (#3410)
* ci: update OSX env for FreeBSD action (#3406)
* [bindings] Include errno in errors (#3403)
* Don't force static crypto dependency in case of a static build (#3395)
* pq: Remove support for BIKE, SIKE, and Kyber (Round 2) (#3392)
* Tue Jul 26 2022 John Paul Adrian Glaubitz - Update to version 1.3.17
* Don't wipe extensions after processing (#3401)
* fail generate.sh when cargo fails (#3398)
* Remove CBMC proof typechecking warnings (#3397)
* ci: Remove Integration Tests from Omnibus (#3391)
* Remove litani submodule and update CBMC starter kit to 2.5 (#3385)
* Prevent modifying of shared cert chains through config API (#3384)
* Fix how KeyUpdates trigger (#3387)
* Added OCSP and CT Sections to the Usage Guide (#3382)
* release(rust-bindings): 0.0.9 (#3388)
* Add HRR compliance comments and tests for remaining TLS RFC sections (#3363)
* build(rust-bindings): use the 2021 rust edition (#3386)
* Add HRR compliance comments and tests for TLS RFC section 4.2.8 (#3362)
* Tue Jul 12 2022 John Paul Adrian Glaubitz - Update to version 1.3.16
* Add 'poll_' to polling method names (#3383)
* Update fips_default security policy (#3378)
* [bindings] Parity with unofficial bindings (#3374)
* Add clone and initialisation unit tests (#3367)
* [bindings] Export policy macro (#3375)
* ci: Generate Duvet reports in CI (#3372)
* Set server key share extension as a response extension (#3358)
* Enable S2N_AES_SHA1/256_COMPOSITE when AWSLC_API_VERSION >= 18. (#3269)
* Update CBMC starter kit to v2.4 (#3376)
* Import Microsoft's recent PQCrypto-SIDH SIKE patches into s2n (#3366)
* Temporarily change OpenSSL 1.1.1 versions to fix CI. (#3368)
* [bindings] Get rid of 'raw' module (#3360)
* Replace existing fork detection with the FGN implementation (#3355)
* Fix clap dependency (#3361)
* Add compliance comments and tests for TLS RFC section 4.1.4 (#3337)
* [bindings] Apply async blinding (#3356)
* [bindings] Add connection pooling support (#3336)
* [bindings] Rework connection builder trait (#3335)
* Expand random api tests (#3342)
* docs: Documentation Clean Up (#3329)- from version 1.3.15
* fix: Add option to disable stacktrace feature (#3345)
* Fix interning build for cmake version 3.15+ (#3346)
* docs: Make Doxygen prettier. (#3343)
* free EVP_PKEY_CTX before returning from s2n_evp_sign/verify (#3333)
* ci:Add valgrind tests for awslc (#3338)
* Improve libcrypto checks (#3272)
* fix: Accurately track wire_bytes_out (#3332)
* ci: CodeBuild spec updates to support criterion integv2 (#3225)
* [bindings] Handle async callback behavior (#3325)
* release(rust-bindings): 0.0.8 (#3341)
* Refactor randomness API tests (#3328)
* Catch broken pipe exceptions on pipe flush. (#3321)
* doc fix: Update documentation for s2n_connection_get_cipher. (#3330)
* Wed May 25 2022 John Paul Adrian Glaubitz - Update to version 1.3.14
* [bindings] Allow modification of new connections (#3320)
* fix(bindings-rust): move vendored openssl-sys to dev-dependency (#3323)
* ci: Temporarily remove more test endpoints with expired certs (#3322)
* [bindings] Move enums to separate file (#3319)
* Feature probe for EVP_rc4 (#3301)
* Use CaDiCaL solver for s2n_stuffer_private_key_from_pem proof (#3318)
* docs: Introduce Doxygen to s2n (#3302)
* Wed May 18 2022 John Paul Adrian Glaubitz - Update to version 1.3.13
* Enforce how the client hello is modified during retry (#3311)
* Use SHA1+MD5 for
* Don't generate a new client random on retries (#3312)
* Rewrite cookie extension (#3306)
* Fixed CBMC_ENSURE_REF calls where NULL return type expected (#3304)
* ci: Fix boringssl unit tests (#3309)
* Improve cmake logging (#3305)
* [bindings] Clean up async behavior (#3299)
* ci: Temporarily remove more test endpoints with expired certs (#3300)
* ci: add awslc interning to omnibus (#3295)
* fix(s2n-tls-sys): add cmake files to the include directive (#3297)
* release(rust-bindings): 0.0.6 (#3296)
* build(bindings): use cmake when building with pq feature (#3294)
* [bindings] Add basic send and recv (#3290)
* Interning not supported with FIPS enabled. (#3277)
* fix: FreeBSD will now fail loudly (#3284)
* [bindings] Hide ffi types + basic debug info (#3279)
* Thu Apr 28 2022 John Paul Adrian Glaubitz - Update to version 1.3.12
* Use pointer to variable type as required by cleanup attribute (#3289)
* bug: fix s2n_connection->cookie_stuffer initialization (#3282)
* Add test utility for fork tests (#3253)
* Add additional libcryptos to V2 integration tests (#3244)
* ci: GitHub actions for osx (#3280)
* Fix MacOS unit tests (#3278)
* build: use S2N_LIBCRYPTO to pick interning lib (#3276)
* [bindings] Add basic s2n-tls-tokio skeleton (#3261)
* exclude cast-qual in Cmake for aws-lcw (#3270)
* Disable strict-prototypes diagnostic flag in Clang (#3275)
* ci: check integv2 python for pep8 issues (#3271)- from version 1.3.11
* auto format integv2 python (#3268)
* ci: don't update the ghpages dashboard outside of main repo (#3267)
* release(rust-bindings): 0.0.5 (#3256)
* Add basic rust ci jobs (#3265)
* Fix wrong assumption about osx/apple (#3264)
* ci: temporarily remove expired certs (#3266)
* fix: correctly export internal APIs (#3260)
* deps: Upgrade CBMC submodules (#3259)
* Fully separate key and secret state machines (#3238)
* test: OCSP integrationv2 test with GnuTLS (#3207)
* Port drbg.c functions to use S2N_RESULT (#3252)
* feat(rust-bindings): add support for linking an external build (#3254)- from version 1.3.10
* build: fix libcrypto interning (#3204)
* Update install_awslc to install the correct FIPS branch of AWS-LC (#3255)
* ci: add make install (#3224)
* ci: Add a CRT codebuild job (#3245)
* ci: script changes to test aws-crt (#3176)
* Add step by step instructions to Readme (#3061)
* ci: Issue/PR dashboard (#3235)
* feat(rust-bindings): add support for mTLS (#3241)
* Address new-ish python warning (#3208)
* Add check on zero returned by EVP_CIPHER_CTX_ctrl. (#3221)
* Changed function declarations to match their definitions (#3243)
* Add missing safety macro deprecation messages (#3242)
* Fix auto-generated RESULT_GUARD_RESULT macros (#3239)
* sike_r3: add missing GNU note for executable stack on ELF (#3194)
* Implementation of fork generation number API (#3191)
* fix cmake package name in usage guide (#3232)
* bindings: update version in preparation for publishing the bindings to crates.io (#3233)
* bindings: manually track Config lifetime and expose ClientHelloHandler for client_hello_callback (#3216)
* Remove nonexistent macro reference from docs (#3237)
* internal api: add new api to poll client_hello callback (#3230)
* Make secrets available early for QUIC (#3229)- from version 1.3.9
* Remove PQ tests that break on Openssl DRBG calling pattern updates (#3231)
* Split up slow pq test (#3226)
* Secret reorder for s2n-quic (#3227)
* Fix BIKE Round 3 try_compile statements (#3219)
* Update sidetrail readme (#3220)- from version 1.3.8
* Delete more old key schedule methods (#3215)
* Wipe TLS1.3 secrets after handshake (#3212)
* Fix cleanup issues with HELLO_REQUEST received during handshake (#3217)
* Add tls13 state machine file back (#3205)
* api: add context on s2n_config. add internal api to access config set on connection (#3210)
* Clarify TLS1.3 secrets tracking (#3213)
* Remove old key schedule methods (#3209)
* Refactor TLS1.3 key schedule (#3198)
* Tue Mar 01 2022 John Paul Adrian Glaubitz - Update to version 1.3.7
* Crypto variable update missing from #3181 (#3189)
* SSLyze integrationv2 test (#3186)
* Added try_compile for features.h (#3197)
* bindings: update rust bindings (#3196)
* Centralize transcript hash copy logic (#3195)
* Enable PQ in FIPS mode with awslc (#3183)
* Revert "Flush stdout with initial BEGIN_TEST message (#3185)" (#3193)- from version 1.3.6
* Store TLS1.3 transcript hash digests rather than full hash state (#3188)
* Remove in-source build target check hackery. (#3181)- Refresh patches for new version
* s2n_fix-cmake-modules-path.patch
* Tue Feb 01 2022 John Paul Adrian Glaubitz - Update to version 1.3.5
* remove extra S2N_API (#3187)
* Use `llvm_points_to_bitfield` in SAW proofs (#3155)
* Add API s2n_client_hello_has_extension to check if extension exists (#3180)
* Flush stdout with initial BEGIN_TEST message (#3185)
* FreeBSD ci (#3184)
* Add some comments to build scripts (#3182)
* Document which macros should not be used for new code (#3179)
* remove unused function s2n_actual_getpid (#3172)
* Workaround AL2 nodejs package issue (#3174)
* Add API method to translate errors to alerts (#3171)
* Upgrade CBMC submodules (#3165)
* tests: add s2n_init/s2n_cleanup tests (#3164)
* Thu Jan 20 2022 John Paul Adrian Glaubitz - Update to version 1.3.4
* Change AWS-LC aes-gcm aead APIs to the ones that are FIPS validated (#3137)
* Conflicting ports in integration test (#3161)
* Tue Jan 04 2022 John Paul Adrian Glaubitz - Update to version 1.3.3
* Fix s2n_connection_get_client_cert_chain for TLS1.3 (#3156)
* Fixing Flakiness in Cross-Compat Test (#3158)
* Enforce RSA-PSS saltlen requirements (#3157)
* Rearrange TLS1.2 and TLS1.3 secret storage (#3154)
* Use libcrypto signing methods in compliance with FIPS 140-3 (#3142)
* docs: update readme (#3153)- from version 1.3.2
* Adds Cross-Compatibility Test (#3147)
* Makes s2n_stuffer_skip_whitespace verification friendly (#3143)
* ci: fix Kwstyle (#3136)
* only print on retries (#3151)
* integration: enforce timeout, allow for the process to shutdown gracefully, run in non-blocking mode (#3148)
* Added Script to Compile Main for Cross-Compat Testing (#3139)
* Adds Options to Output and Input Session Ticket to s2nc (#3134)
* Upgrade CBMC submodules (#3135)
* Thu Dec 09 2021 John Paul Adrian Glaubitz - Update to version 1.3.1
* Nitpick usage guide links (#3133)
* FIPS Static Config is Only Created When Needed (#3129)
* Fix build on NetBSD. (#3131)
* Feature probe for EVP_md5_sha1() (#3128)
* Allow EVP hash implementation to use EVP_md5_sha1 if available (#3126)
* Allow synchronous private key operations (#3121)- from version 1.3.0
* EMS Re-Release (#3122)
* If QUIC, only offer TLS1.3 (#3124)- from version 1.2.1
* tests: fix s2n_enable_tls13 deprecation warnings (#3120)
* Fix FindLibCrypto for list-typed CMAKE_PREFIX_PATH (#3067)
* Add AWS-LC FIPS integration target (#3084)
* Detect nested s2n_negotiate calls (#3119)
* build: add the option to enable LTO (#3117)
* Prevent Uninitialized Memory Access in case of FIPS Mode Disabled (#3016)
* Fixed EMS to work with Session Caching (#3102)
* Rename internal HMAC implementations in s2n_prf to clarify which implementation is used (#3103)
* Finish memcpy->memmove migration (#3110)- from version 1.2.0
* Revert "EMS Release (#3053)" (#3113)
* Reapply "Update QUIC parameters IANA (#3029)" (#3106)
* Add a flag to s2nc to enable FIPS mode in the underlying libcrypto. Update integration tests to use the new flag when needed (#3101)
* Added Backwards-Incompatible Ticket Version (#3099)
* Don't allow QUIC to be enabled if TLS1.3 not possible (#3088)
* ci: remove spaces from benchmark name (#3097)
* Lets make S2N play nicely with the rest of the world shall we? Added … (#2669)- from version 1.1.2
* ci: add a CODEOWNERS file (#3071)
* utils: fix constant time equals return value (#3093)
* Upgrade CBMC templates (#3094)
* tests: fix fuzz count formatting (#3091)
* Turn on Endpoint Tests (#3090)
* Offer only TLS1.3 handshake options if QUIC enabled (#3085)
* Added test for mutual auth (#3087)
* Repair TLS 1.3 proofs after c096a55 (#3079)
* Bench handshake (#3043)
* Rename CBMC proof bound BLOB_SIZE -> MAX_BLOB_SIZE (#3073)
* Tue Oct 12 2021 Jan Engelhardt - Trim conjecture and redundant metadata from description.- Simplify package names and set right shlib package name.
* Mon Oct 11 2021 John Paul Adrian Glaubitz - Update to version 1.1.1
* Advance CBMC litani and template submodules to latest release (#3072)
* Update integv1 trust store (#3074)
* Revert "Re-enable TLS 1.3 SAW tests (#3031)" (#3077)
* Re-enable TLS 1.3 SAW tests (#3031)
* Revert "Update QUIC parameters IANA (#3029)" (#3069)
* NULL-check s2n_cert_chain_and_key_get_pkey_type (#3064)
* Enable RSA_PSS_SIGNING_SUPPORTED when OPENSSL_IS_AWSLC. (#2801)
* audit memcmp usage (#3059)
* Turn on OCSP functionality for AWS-LC (#3058)
* ci: Use stable for openssl1.1.1 (#3065)- from version 1.1.0
* Fix TLS1.3 ticket lifetime math (#3060)
* Add API to track session tickets sent (#3056)
* Turn On Client OCSP Stapled Test (#3055)
* EMS Release (#3053)
* Add more well known endpoints for integration testing (#3054)
* Update READING-LIST.md (#3004)
* Add new Fuzz Test Corpus Files (#3021)
* Remove ChaCha TLS 1.3 Cipher from KMS FIPS Cipher Pref List (#3039)
* Re-enable Twitter.com client integration test (#3051)
* Fix BIKE R3 PQ Assembly detection bug for AMD Zen 3 CPUs (#3050)
* EMS Testing (#3042)
* Enable Client-side TLS 1.2 Self Downgrade (#3030)
* Allow QUIC to be enabled per-connection (#3048)- from version 1.0.19
* Disable EndOfEarlyData message for QUIC + clean up QUIC special casing (#3044)
* Fix TLS1.2 session cache + missing ticket key (#3041)
* Remove twitter.com from endpoint handshake test for OpenSSL 1.0.2 (#3038)- from version 1.0.18
* build: add libcrypto interning tests (#3035)
* Add more TLS Security Policies with TLS 1.3 support (#3023)
* Enable offloading of private key operations (#3024)
* Fixes Potential IO Memory Leak (#3027)
* build: add option to intern libcrypto (#3028)
* Update QUIC parameters IANA (#3029)
* Adding s2n_negotiate benchmarking framework (#3014)
* Update s2n_cipher_suites.c (#3026)
* Self Downgrade to TLS 1.2 if RSA PSS is not available and it's possible that it may be needed (#3009)- from version 1.0.17
* Use pthread_equal for pthread_t comparison (#3022)
* Fix pre-TLS1.2 ECDSA client certs (#3019)
* Improved support for using s2n-tls from within an unloadable shared lib (#3011)
* Adds EMS flag to session ticket (#2982)
* Extra EMS Requirements (#3018)
* Create 20210816 security policies (#3015)
* Add RSA-PSS-PSS to integration tests (#3012)
* Added s2n_client_hello_get_session_id calls (#3006)
* Upgrade CBMC sub-modules (#3017)
* Switch sigalg integ test to use s2n output instead of Openssl output (#3010)
* bindings: import "mid-level" bindings (#2920)
* Move/Modify methods from s2nd to common.h/common.c (#3008)
* And test to verify unencrypted EncryptedExtensions rejected (#3003)
* Fix behavior of signature scheme getters in TLS1.2 (#3007)
* Added call to generate EMS when negotiated (#2986)
* Test psk_kex_exchange_mode GREASE values (#3002)
* introduce fd getter new API (#2981)
* Fix build issue with AWS Common Runtime SDK CI (#3005)
* Adds Client and Server EMS Extension (#2991)
* Import Kyber512 Round3 AVX2 Implementation (#2946)
* Moving code to broader files to allow for usage in other programs (#2996)- Refresh patches for new version
* s2n_add-so-version.patch
* Thu Aug 12 2021 John Paul Adrian Glaubitz - Update to version 1.0.16
* Updated PSS support definition to account for new BoringSSL version (#2297)
* Add quic_transport_parameters extension (#2288)
* added unit test for sort order of s2n_all_cipher_suites in IANA order (#2192)
* Add initial QUIC setup (#2283)
* Fix macro usage, indexing and magic numbers (#2271)- from version 1.0.15
* Add client-side support for PQ HRR (#2260)
* Add AWS-LC pre-processor directive similar to BoringSSL (#2273)
* Fix awslc codebuild hang (#2282)
* Fixed processing issue with status request extension (#2229)
* Update s2n to compile on FreeBSD (#2272)
* Add aws-lc code build. (#2275)
* Don't enable OCSP stapling if not available (#2253)
* Improves performance and coverage of s2n_stuffer_* proofs (#2230)
* Codebuild batch and Omnibus job (#2245)
* Disable sending of PQ group IDs for FIPS or TLS1.2 (#2267)
* Use NIST P-256 for key generation when client do not specify curve (#2265)
* Fix TLS 1.3 server side OCSP metrics (#2241)
* Add client/server share size fields to s2n_kem_group (#2269)
* alloc and sub overflow proofs (#2255)
* Add ECDSA ciphers for viewer side support (#2219)
* Adds proof harnesses for s2n_array_free* functions (#2244)
* Checking data size instead of data pointers in s2n_stream_cipher_null_endecrypt (#2263)- from version 1.0.14
* Update CloudFront security policies (#2238)
* Adds proof harnesses for s2n_array_* functions (#2246)
* Implements client-side sending of PQ key shares for 1.3 (#2215)
* Change fuzz coverage below minimum to an error (#2259)
* Initialize slot variable to fix ARM compiler warning (#2258)
* Adds proof harnesses for s2n_set_* functions (#2248)
* Check if S2N_COVERAGE and FUZZ_COVERAGE are true (#2254)
* Use allocation function for session key object (#2249)
* Adds initial CBMC proofs for s2n_array and s2n_set (#2193)
* Update the default keyshare list sent by the client (#2190)- from version 1.0.13
* Support TLS 1.3 clients that do not specify signature algorithms (#2222)
* Importing Kyber512-90s PQ KEM (#2202)
* build: fix cmake shared lib build (#2237)
* Wed Jul 07 2021 John Paul Adrian Glaubitz - Update to version 1.0.12
* Update Max Connection memory usage to support Round 3 KEM Groups (#2933)
* Check for -1 return code from OCSP_basic_verify() (#2931)
* Add Round 3 PQ TLS Policies (#2842)
* Add public function for wiping the trust store (#2927)
* fix memcpy bug in client hello - copy address of pointer (#2917)
* Stops TLS13 From Erroring if Session Ticket Write Fails (#2928)
* Fixing wrong file path in makefile for BIKE R3 (#2925)
* Check Cipher Suite is ECC Before Returning Curve (#2908)
* Add unit test to monitor s2n_connection size changes (#2913)
* bindings: export include dir in rust build (#2918)- from version 1.0.11
* Add a stale bot configuration (#2897)
* bindings: add rust bindings (#2754)
* Suggestion: Prevent randomness callbacks being set to NULL (#2916)
* Reduce memory allocated for conn->out (#2904)
* document sigpipe handling (#2909)
* place -Werror behind a flag which is ON by default (#2903)
* resolve -Wstrict-prototypes compiler warning (#2906)
* OpenSSL rand-engine requires engine support (#2885)
* Fix TLS1.3 dynamic record min calculation (#2900)
* Make client respect max frag len extension result (#2898)
* Initial proofs for s2n_socket functions (#2896)
* Do not calculate transcript on failed connection (#2886)
* Add gcov and lcov targets for pq (#2895)
* Adds close markers to flaky test (#2863)
* Fix some OCSP-related cert behavior (#2894)
* Adding Usage Guide for Pre-Shared Keys (#2890)
* Remove sikep434r2 code (#2864)
* Adds Error Checking Around Fragment Length (#2888)- Refresh patches for new version
* s2n_disable-werror.patch
* s2n_fix-cmake-modules-path.patch
* Fri Jun 11 2021 John Paul Adrian Glaubitz - Update to version 1.0.10
* Release TLS1.3 Pre-Shared Key (PSK) (#2889)
* Release early data / 0RTT (#2882)
* Release TLS1.3 Session Resumption (#2877)
* Limit session resumption PSKs processed (#2879)
* Client should not accept invalid TLS1.3 ticket_lifetime (#2878)
* Updates CI buildspec to include PSK integration tests (#2875)
* Adds External PSK Integration Tests (#2821)
* Make TLS1.3 ticket processing less strict to handle future changes (#2876)
* Add handshake type message for integration tests (#2873)
* Fixes s2n_get_session_length in TLS1.3 (#2858)
* Update Codebuild batch spec with early data integration test (#2872)
* Duplicate Certificate Error Message (#2870)
* Early data integration tests (#2857)
* Various small integration framework fixes (#2868)
* Bring __ANDROID__ and ANDROID back for tm_gmtoff (#2869)
* More fixes for BIKE R3 optimized builds (#2867)
* Supports in-source build with AWS-LC. (#2714)
* Larger chunk size based on worker count (#2865)
* BIKE R3 fix for gcc-4.8.2 (#2866)
* Fix BIKE_R3 build issue (#2860)
* Error blinding updates / fixes (#2852)
* BIKE Round-3 runtime code path selection based on CPU capabilities (#2793)
* Removes tolower stub from CBMC proofs (#2853)
* Stop rejected 0RTT data from triggering error blinding (#2849)- from version 1.0.9
* Add new s2n_cert_chain_and_key load api that takes non-null-terminated data and length (#2753)
* Adds TLS1.3 Session Resumption Integration Tests (#2814)
* Integrate sikep434r3 x86_64 assembly (#2820)
* Fix duplicate KEM assignment in pq_kem_test (#2848)
* Adds new proof allocators for s2n_connection (#2832)
* s2n_connection_get_session_id_len returns 0 for >= TLS1.3 (#2844)
* Update codebuild script for NO_PQ when building unit tests with cmake (#2841)
* Adds getters for connection signature algorithm and digest algorithm (#2843)
* Adds TLS1.3 Session Resumption and Early Data Functionality to s2nd/s2nd (#2826)
* Add signature validation for async sign call (#2791)
* Make digest_allow_md5_for_fips proof UID unique (#2837)
* Add BIKE Round 3 Fuzz Tests (#2790)- Add patch to strip -Werror from build flags
* s2n_disable-werror.patch
* Mon May 17 2021 John Paul Adrian Glaubitz - Update to version 1.0.8
* Disable mlock during unit tests (#2829)
* Fix HRR + 0RTT bug (#2824)
* ci: Adding AL2 unit tests to CI (#2828)
* Separate TLS1.2 and TLS1.3 client ticket memory lifecycles (#2825)
* Remove unused macro and safeguard against removing prediction resistance (#2807)
* Implement async private key op offload interface (#2779)
* Updating api documentation for s2n_cert_chain_get_cert (#2822)
* update usage docs (#2816)
* Add AES-GCM prioritized versions of older security policies (#2767)
* Async private key operation offload documentation (#2799)
* ci:Create a NoPQ unit test job (#2451)
* docs: add a Semver document (#2268)
* Formally verify no memory leaks in s2n_stuffer (#2813)
* Add early-data session resumption self-talk tests (#2795)
* Formally verify no memory leaks for s2n_array & s2n_set deallocators (#2810)
* Update gitter link (#2806)
* Disable TLS1.3 ticket issuing outside of tests (#2809)
* Ignore `munlock` failures (#2804)
* Relax SIKE Round 3 architecture restrictions (#2800)
* Ensure that s2n is initialized in s2n_free_object (#2805)
* No optimization when debugging (#2798)
* Formally verify no memory leaks in hash functions (#2792)
* async_pkey support for s2n_client_verify (#2755)
* Import sikep434r3 (#2701)
* Use POSIX/glibc __USE_MISC feature detection instead of platform macros (#2778)
* Adding EC_KEY_check_key for p521 curve (#2789)
* Import kyber512r3 (#2694)
* ci: add unit test to s2n_codebuild.sh (#2773)
* Formally verify no memory leaks for s2n_blob (#2788)
* tests: fix typos in identifiers and comments (#2783)
* Clean up pq_kem_test and add negative test case for decaps (#2785)
* Adds session-resumption self-talk tests (#2770)
* ci: Codebuild al2 scripts (#2782)
* Use S2N_HMAC_SHA256 in psk PRF match test case (#2746)
* Make server_name send check more efficient (#2719)
* Remove all occurrences of `#pragma check disable` (#2781)
* Fix incorrect blob resize (#2784)
* Make s2n_connection_get_session/session_length work for TLS1.3 (#2768)
* Removes pragmas from CBMC-proof harnesses (#2775)
* Avoid arithmetic operations on NULL pointers (#2772)
* Make s2n_connection_get_session_ticket_lifetime_hint work with TLS1.3 (#2769)
* Allow ecc preferences without secp256r1 (#2763)
* docs: fix a few typos (#2765)
* add missing Bike_r3 symbols when S2N_NO_PQ is set (#2771)
* Update s2n_config_set_session_tickets_onoff for TLS1.3 (#2762)
* Update s2n_connection_is_session_resumed for TLS1.3 (#2761)
* Put limits on use of keying material (#2751)
* Adds selection logic for resumption psks (#2743)
* External PSK Integration Tests Part 1 (#2749)
* Adding s2n_psk_get APIs (#2748)
* Remove unnecessary BIKE R3 code for verbose logging (#2758)
* Mon Apr 26 2021 John Paul Adrian Glaubitz - Update to version 1.0.5
* utils: remove deprecated safety macros (#2747)
* Fix loop counter overflow due to inconsistent type (#2739)
* Upgrades CBMC templates for proof harnesses (#2744)
* Import Bike Round 3 Implementation into s2n (#2726)
* Cleanup TLS1.3 fixed ticket sizes (#2729)
* Export symbols when building dynamically (#2730)
* Check for validity in s2n_stuffer_wipe*operations (#2732)
* Skip coverage upload (#2734)
* Don't send the client_session_ticket extension when using TLS1.3 tickets (#2725)
* Added server deserialize method (#2709)
* Make early data callback async (#2717)
* Include early data config in session tickets (#2720)
* quic: add S2N_API to secret callback api (#2728)
* Consolidate handshake pause logic (#2716)
* Pinned bash script to previous commit (#2723)
* Add early data callback (#2715)
* Set early data context for new session tickets (#2718)
* Adding prefix s2n_cert for s2n certificate APIs (#2713)
* Safeguard linker flags on Apple (#2710)
* Add APIs to send and receive early data (#2682)
* Adds helper function to obtain the OID value from the X509v3 extensions (#2702)
* Created GDB flag to remove optimizations (#2711)- from version 1.0.4
* Add flags for non exec stack and read only GOT. (#2707)
* Fix for failing resume test (#2706)
* Add context to PSK selection callback (#2704)
* Calculated obfuscated ticket age (#2697)
* Don't allow non-post handshake messages to be received post handshake (#2703)- from version 1.0.3
* Reduce fuzz timeouts due to codebuild timeout limits. (#2586)
* Prepare s2n_config_set_psk_selection_callback to someday be async (#2689)
* Add early_data_indication extension for new session tickets (#2686)
* Don't allow both resumption and external PSKs at the same time (#2696)
* Command Line Options Fix For s2nc.c (#2681)
* Centralize and correct ">= S2N_TLS13" checks for extensions (#2699)
* don't await close_notify alert if we have already received one before (#2674)
* Add support for non blocking client hello callback (#2688)
* Update OSX quickstart instructions (#2700)
* Resolve conflict between 516a99e and abed2a3 (#2698)
* Allow early data via s2n_negotiate/s2n_send/s2n_recv (#2680)
* Send the Client CCS message early when sending early data (#2691)
* Handle pre-TLS1.3 peers and early data (#2690)
* Adding a new resumption psk deletes all previous psks (#2684)
* Add api to configure max early data for new tickets (#2683)- from version 1.0.2
* Add methods to report early data status / limits (#2678)
* Add bitflag to enable early data (#2679)
* Added client deserialization method (#2675)
* ci: disable go proxy (#2677)
* Add s2n_connection_get_peer_cert_chain API (#2666)
* Added nst to post_handshake handler (#2665)
* Add method to perform a partial handshake (#2662)
* Removes all proof allocators from CBMC proofs (#2668)
* Update readable writable flags (#2667)
* Read New Session Ticket message (#2657)
* Add early data negotiation tests + misc minor fixes (#2658)
* APIs to get s2n certificate in der format (#2649)
* Added nst callback (#2639)
* Handle rejected early data (#2647)
* Add early traffic secrets (#2645)
* Adds support for incremental proof-results in CI reports (#2644)
* ci: Update action
* Add server early data indication extension (#2612)- Drop patches for issues fixed upstream
* s2n_no-visibility-hidden.patch
* Tue Mar 16 2021 John Paul Adrian Glaubitz - Update to version 1.0.1
* Make HRRs work with early data (#2611)
* Reduce memory used by handshake arrays (#2628)
* utils: apply safety codemod script (#2441)
* ci: update cppcheck (#2638)
* utils: remove the usage of S2N_ERROR_IF in favor of POSIX_ENSURE (#2636)
* utils: add codemod script for explicit safety macro contexts (#2339)
* Send New Session Ticket message (#2598)
* Add support for riscv64 (#2613)
* util: remove S2N_RESULT_TO_POSIX macro to reduce confusion (#2634)
* Adjust test threshold (typo?) (#2631)
* docs: Org change to aws (#2596)
* utils: add safety_macros codegen script (#2423)
* Parse multiple post-handshake messages in a record (#2604)
* Fixed -Werror=strict-prototypes failure on s2n_error_location (#2632)
* ci: bump the asan coverage instance type to 2XL (#2630)
* [0RTT] Add early data handshakes (#2594)
* Add client early data indication extension (#2610)
* Self talk tests for External PSK (#2578)
* Removing flaky test (#2621)
* Early data config should use cipher suite instead of iana value (#2608)
* Make some alpn operations reuseable (#2609)
* Allow no-op transitions in early data state machine (#2607)
* Add separate extension list for HelloRetryRequest (#2605)
* Build issue (#2606)
* Detect "index" variable names to avoid build issues (#2597)- from version 1.0.0
* Updating rsa_2048_sha256_uri_sans_cert (#2601)
* Renaming index to psk_index to prevent name collision (#2595)
* Added New Session Ticket send handler (#2580)
* Add simple early data state machine (#2589)
* Add CMake config to build benchmarks (#2582)
* Add APIs to configure early data for external PSKs (#2581)
* Update PQ KEM branches to use constant time functions. (#2590)
* tls: add NSS key log callback (#2584)
* Add missing newlines at end of feature test files (#2588)
* Rework psk_selection_callback to use opaque structures (#2558)
* api: add method to get the iana value for the negotiated cipher suite (#2550)
* Add support for powerpc64 (#2533)
* Refactor how external PSKs are configured (#2557)
* ci: Cleanup travis (#2579)
* Added new ticket api (#2549)
* Remove the manual updating of the Yarn Debian key as CloudBuild has addressed this (#2560)
* Probe for support of fall through attribute (#2559)
* Removes unnecessary includes from CBMC proof harnesses (#2556)
* Added new serialization format and updated encryption logic (#2538)
* quic: ignore middlebox mode (#2554)
* Add a command to manually update the Yarn Debian key (#2555)
* ci: Update CodeBuild docker version, part 2 (#2535)
* Remove s2n_cipher_suite_from_wire (#2546)
* api: add method to append protocol preferences (#2534)
- from version 0.10.26
* extensions: fix quic_transport_parameters extension IANA value (#2551)
* Detect nested send/recv calls (#2545)
* Adds a proof harness for s2n_hmac_update (#2531)
* Adds proof harnesses for s2n_hmac_digest* functions (#2537)
* Adds a proof harness for s2n_hmac_init (#2543)
* Fix 'index' var shadowing with old toolchains (#2540)
* Added session resumption to key schedule (#2528)
* Adding callback to select a PSK identity (#2512)
* ci: Fix annoying NONE error (#2491)
* api: add s2n_errno_location function (#2532)
* Migrate some KEX functions to S2N_RESULT (#2524)
* Adds memory-safety proofs for s2n_hmac functions (#2525)
* Adds memory-safety proofs for s2n_hmac functions (#2530)
* ci: CodeBuild docker image version bump for fuzz jobs (#2527)
* New CloudFront 2021 security policy (#2514)
* Correct PSK + cert interaction (#2519)
* Relax 3 bytes for cert length check (#2518)
* Fix and simplify psk_param lifecycle (#2523)
* enable secp521r1 in fips test security policy (#2516)
- from version 0.10.25
* Complete the migration to s2n_pq_is_enabled() (#2510)
* Fix missing GUARDs after s2n_pkey_size calls (#2517)
* Ensures memory safety in s2n_hmac functions (#2486)
* Added set psk api (#2499)
* Optimization for client psk extension on hello retry (#2508)
* compliance: format a few comments (#2511)
* Update PQ fuzz tests to run when PQ is disabled (#2489)
* Clean up PSKs after early secret calculation (#2506)
- from version 0.10.24
* Fix for rsa_pss_rsae_test (#2507)
* Adding server pre_shared_key extension (#2494)
* Reduce deprecated warning noise when building the tests (#2500)
* Enforce that client psk extension is parsed last (#2493)
* Added psk to key schedule (#2481)
* Updates to readme and debugging docs for Sidetrail (#2478)
* Ensure PQ is enabled when calling low-level PQ KEM functions (#2475)
* Consolidate PQ unit tests (#2460)
* Fix sys/poll.h import (#2224)
* Added pre-shared key handshakes to tls13 state machine (#2445)
* PskKeyExchangeModes extension (#2466)
* Adds proof harnesses for s2n_hmac functions (#2457)
* [PSK] Update s2n_hash_algorithm to s2n_hmac_algorithm (#2465)
- Pass '-n %{name}-tls-%{version}' to %setup in %prep section
 