Merge branch 'main' into nix_junit

Author: dougch

.github/s2n_osx.sh

@@ -28,3 +28,12 @@ cmake . -Bbuild -GNinja \
 
 cmake --build ./build -j $(nproc)
 time CTEST_PARALLEL_LEVEL=$(nproc) ninja -C build test
+
+# Build shared library
+cmake . -Bbuild -GNinja \
+-DCMAKE_BUILD_TYPE=Debug \
+-DCMAKE_PREFIX_PATH=${OPENSSL_1_1_1_INSTALL_DIR} .. \
+-DBUILD_SHARED_LIBS=ON
+
+cmake --build ./build -j $(nproc)
+time CTEST_PARALLEL_LEVEL=$(nproc) ninja -C build test

.github/workflows/ci_freebsd.yml

@@ -9,13 +9,14 @@ on:
 
 jobs:
   testfreebsd:
-    runs-on: macos-12
+    runs-on: ubuntu-latest
     name: CI FreeBSD
     steps:
       - uses: actions/checkout@v3
       - name: Build and test in FreeBSD
         id: test
-        uses: vmactions/[email protected]
+        uses: vmactions/freebsd-vm@v1
+        timeout-minutes: 45
         with:
           prepare: pkg install -y ninja cmake
           run: |

.github/workflows/ci_linting.yml

@@ -77,11 +77,16 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v3
-      - name: pep8 exp
-        uses: harrisonkaiser/autopep8_action@python-latest
+      - name: Run autopep8
+        id: autopep8
+        uses: peter-evans/autopep8@v2
         with:
-          dry: true
-          checkpath: ./tests/integrationv2/*.py
+          args: --diff --exit-code .
+      - name: Check exit code
+        if: steps.autopep8.outputs.exit-code != 0
+        run: |
+            echo "Run 'autopep8 --in-place .' to fix"
+            exit 1
   clang-format:
     runs-on: ubuntu-latest
     steps:

.github/workflows/ci_openbsd.yml

@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: Build and test in OpenBSD
         id: test
-        uses: cross-platform-actions/action@v0.10.0
+        uses: cross-platform-actions/action@v0.21.1
         with:
           operating_system: openbsd
           architecture: x86-64

.github/workflows/ci_rust.yml

@@ -59,6 +59,26 @@ jobs:
           ./generate.sh
           ldd target/debug/integration | grep libs2n.so
 
+  # our benchmark testing includes interop tests between s2n-tls, rustls, and
+  # openssl
+  harness-interop-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions-rs/toolchain@v1
+        id: toolchain
+        with:
+          toolchain: stable
+          override: true
+
+      - name: generate bindings
+        run: ${{env.ROOT_PATH}}/generate.sh --skip-tests
+
+      - name: bench tests
+        working-directory: ${{env.ROOT_PATH}}/bench
+        run: cargo test
+
   generate-openssl-102:
     runs-on: ubuntu-latest
     steps:

.github/workflows/dashboard.yml

@@ -9,7 +9,7 @@ jobs:
     if: contains(github.repository, 'aws/s2n-tls')
     runs-on: ubuntu-latest
     permissions:
-      pages: write
+      contents: write
     steps:
       - name: Check out repository
         uses: actions/checkout@v3

.github/workflows/proof_ci.yaml

@@ -62,7 +62,7 @@ jobs:
         run: |
           # Search within 5 most recent releases for latest available package
           CBMC_REL="https://api.github.com/repos/diffblue/cbmc/releases?page=1&per_page=5"
-          CBMC_DEB=$(curl -s $CBMC_REL --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' | jq -r '.[].assets[].browser_download_url' | grep -e 'ubuntu-20.04' | head -n 1)
+          CBMC_DEB=$(curl -s $CBMC_REL --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' | jq -r '.[]|select(.prerelease|not).assets[].browser_download_url' | grep -e 'ubuntu-20.04' | head -n 1)
           CBMC_ARTIFACT_NAME=$(basename $CBMC_DEB)
           curl -o $CBMC_ARTIFACT_NAME -L $CBMC_DEB
           sudo dpkg -i $CBMC_ARTIFACT_NAME
@@ -96,7 +96,7 @@ jobs:
         run: |
           # Search within 5 most recent releases for latest available package
           LITANI_REL="https://api.github.com/repos/awslabs/aws-build-accumulator/releases?page=1&per_page=5"
-          LITANI_DEB=$(curl -s $LITANI_REL --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' | jq -r '.[].assets[0].browser_download_url' | head -n 1)
+          LITANI_DEB=$(curl -s $LITANI_REL --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' | jq -r '.[]|select(.prerelease|not).assets[0].browser_download_url' | head -n 1)
           DBN_PKG_FILENAME=$(basename $LITANI_DEB)
           curl -L $LITANI_DEB -o $DBN_PKG_FILENAME
           sudo apt-get update

.github/workflows/usage_guide.yml

@@ -0,0 +1,73 @@
+name: Publish Usage Guide
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+env:
+  CDN: https://d3fqnyekunr9xg.cloudfront.net
+
+# By default dependabot only receives read permissions. Explicitly give it write
+# permissions which is needed by the ouzi-dev/commit-status-updater task.
+#
+# Updating status is relatively safe (doesnt modify source code) and caution
+# should be taken before adding more permissions.
+permissions:
+  contents: write
+  statuses: write
+
+jobs:
+  build-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout s2n-tls repo
+        uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - name: Set override
+        run: rustup override set stable
+
+      - uses: camshaft/install@v1
+        with:
+          crate: mdbook
+
+      - name: Build book
+        run: |
+          cd docs/usage-guide
+          mdbook build
+      
+      - name: Deploy documentation to gh-pages
+        uses: JamesIves/[email protected]
+        if: github.event_name == 'push'
+        with:
+          target-folder: usage-guide
+          folder: docs/usage-guide/book
+  
+      - name: Configure AWS credentials
+        uses: aws-actions/[email protected]
+        if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-1
+      
+      - name: Upload to S3
+        if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+        id: s3
+        run: |
+          TARGET="${{ github.sha }}/book"
+          aws s3 sync docs/usage-guide/book "s3://s2n-tls-ci-artifacts/$TARGET" --acl private --follow-symlinks
+          URL="$CDN/$TARGET/index.html"
+          echo "URL=$URL" >> $GITHUB_OUTPUT
+      
+      - name: Output mdbook url 
+        uses: ouzi-dev/[email protected]
+        if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+        with:
+          name: "book / url"
+          status: "success"
+          url: "${{ steps.s3.outputs.URL }}"

tests/integrationv2/.pep8 .pep8

@@ -1,4 +1,3 @@
 [pep8]
 max_line_length = 120
-in-place = true
 recursive = true

CMakeLists.txt

@@ -19,10 +19,6 @@ set(VERSION_MAJOR 1)
 set(VERSION_MINOR 0)
 set(VERSION_PATCH 0)
 
-option(S2N_NO_PQ "Disables all Post Quantum Crypto code. You likely want this
-for older compilers or uncommon platforms." OFF)
-option(S2N_NO_PQ_ASM "Turns off the ASM for PQ Crypto even if it's available for the toolchain.
-You likely want this on older compilers." OFF)
 option(SEARCH_LIBCRYPTO "Set this if you want to let S2N search libcrypto for you,
 otherwise a crypto target needs to be defined." ON)
 option(UNSAFE_TREAT_WARNINGS_AS_ERRORS "Compiler warnings are treated as errors. Warnings may
@@ -36,7 +32,7 @@ option(S2N_STACKTRACE "Enables stacktrace functionality in s2n-tls. Note that th
 only available on platforms that support execinfo." ON)
 option(COVERAGE "Enable profiling collection for code coverage calculation" OFF)
 option(S2N_INTEG_TESTS "Enable the integrationv2 tests" OFF)
-option(S2N_FAST_INTEG_TESTS "Enable the integrationv2 with more parallelism, only has effect if S2N_INTEG_TESTS=ON" OFF)
+option(S2N_FAST_INTEG_TESTS "Enable the integrationv2 with more parallelism, only has effect if S2N_INTEG_TESTS=ON" ON)
 option(S2N_INSTALL_S2NC_S2ND "Install the binaries s2nc and s2nd" OFF)
 option(TSAN "Enable ThreadSanitizer to test thread safety" OFF)
 option(ASAN "Enable AddressSanitizer to test memory safety" OFF)
@@ -62,47 +58,25 @@ file(GLOB_RECURSE TLS_SRC "tls/*.c")
 file(GLOB UTILS_HEADERS "utils/*.h")
 file(GLOB UTILS_SRC "utils/*.c")
 
-# Always include the top-level pq-crypto/ files
-file(GLOB PQ_HEADERS "pq-crypto/*.h")
-file(GLOB PQ_SRC "pq-crypto/*.c")
-
 message(STATUS "Detected CMAKE_SYSTEM_PROCESSOR as ${CMAKE_SYSTEM_PROCESSOR}")
 
 if(CMAKE_SIZEOF_VOID_P EQUAL 4)
-  message(STATUS "Detected 32-Bit system - disabling PQ crypto assembly optimizations")
-  set(S2N_NO_PQ_ASM ON)
+  message(STATUS "Detected 32-Bit system")
 else()
     message(STATUS "Detected 64-Bit system")
 endif()
 
-if(S2N_NO_PQ)
-    # PQ is disabled, so we do not include any PQ crypto code
-    message(STATUS "S2N_NO_PQ flag was detected - disabling PQ crypto")
-    set(S2N_NO_PQ_ASM ON)
-else()
-    # PQ is enabled, so include all of the PQ crypto code
-    file(GLOB PQ_HEADERS
-        "pq-crypto/*.h"
-        "pq-crypto/kyber_r3/*.h")
-
-    file(GLOB PQ_SRC
-        "pq-crypto/*.c"
-        "pq-crypto/kyber_r3/*.c")
-endif()
-
 ##be nice to visual studio users
 if(MSVC)
     source_group("Header Files\\s2n\\api" FILES ${API_HEADERS} ${API_UNSTABLE_HEADERS})
     source_group("Header Files\\s2n\\crypto" FILES ${CRYPTO_HEADERS})
     source_group("Header Files\\s2n\\error" FILES ${ERROR_HEADERS})
-    source_group("Header Files\\s2n\\pq-crypto" FILES ${PQ_HEADERS})
     source_group("Header Files\\s2n\\stuffer" FILES ${STUFFER_HEADERS})
     source_group("Header Files\\s2n\\tls" FILES ${TLS_HEADERS})
     source_group("Header Files\\s2n\\utils" FILES ${UTILS_HEADERS})
 
     source_group("Source Files\\crypto" FILES ${CRYPTO_SRC})
     source_group("Source Files\\error" FILES ${ERROR_SRC})
-    source_group("Source Files\\pq-crypto" FILES ${PQ_SRC})
     source_group("Source Files\\stuffer" FILES ${STUFFER_SRC})
     source_group("Source Files\\tls" FILES ${TLS_SRC})
     source_group("Source Files\\utils" FILES ${UTILS_SRC})
@@ -135,7 +109,6 @@ file(GLOB S2N_HEADERS
     ${API_UNSTABLE_HEADERS}
     ${CRYPTO_HEADERS}
     ${ERROR_HEADERS}
-    ${PQ_HEADERS}
     ${STUFFER_HEADERS}
     ${TLS_HEADERS}
     ${UTILS_HEADERS}
@@ -144,7 +117,6 @@ file(GLOB S2N_HEADERS
 file(GLOB S2N_SRC
     ${CRYPTO_SRC}
     ${ERROR_SRC}
-    ${PQ_SRC}
     ${STUFFER_SRC}
     ${TLS_SRC}
     ${UTILS_SRC}
@@ -186,10 +158,6 @@ if(NOT APPLE)
     set(CMAKE_SHARED_LINKER_FLAGS -Wl,-z,noexecstack,-z,relro,-z,now)
 endif()
 
-if(S2N_NO_PQ)
-    add_definitions(-DS2N_NO_PQ)
-endif()
-
 # Whether to fail the build when compiling s2n's portable C code with non-portable assembly optimizations. Doing this
 # can lead to runtime crashes if build artifacts are built on modern hardware, but deployed to older hardware without
 # newer CPU instructions. s2n, by default, should be backwards compatible with older CPU types so this flag should be
@@ -367,32 +335,6 @@ if (NOT S2N_EXECINFO_AVAILABLE)
 endif()
 feature_probe_result(S2N_STACKTRACE ${S2N_STACKTRACE})
 
-set(S2N_KYBER512R3_AVX2_BMI2 FALSE)
-if(NOT S2N_NO_PQ_ASM)
-    # Kyber Round-3 code has several different optimizations which require
-    # specific compiler flags to be supported by the compiler.
-    # So for each needed instruction set extension we check if the compiler
-    # supports it and set proper compiler flags to be added later to the
-    # Kyber compilation units.
-    if(${CMAKE_SYSTEM_PROCESSOR} MATCHES "^(x86_64|amd64|AMD64)$")
-        # Some platforms support -mavx2 flag but not m256 intrinsics required to use them. Only enable Kyber assembly
-        # optimizations if both are supported. See https://github.com/aws/s2n-tls/pull/3005 for more info.
-        if(S2N_KYBER512R3_AVX2_BMI2_SUPPORTED AND S2N_KYBER512R3_M256_INTRINSICS_SUPPORTED)
-            set(S2N_KYBER512R3_AVX2_BMI2 TRUE)
-            enable_language(ASM)
-
-            # add the assembly files to the project
-            FILE(GLOB KYBER512R3_AVX2_BMI2_ASM_SRCS "pq-crypto/kyber_r3/*_avx2.S")
-            target_sources(${PROJECT_NAME} PRIVATE ${KYBER512R3_AVX2_BMI2_ASM_SRCS})
-
-            # compile the C files with avx flags
-            FILE(GLOB KYBER512R3_AVX2_BMI2_SRCS "pq-crypto/kyber_r3/*_avx2.c")
-            set_source_files_properties(${KYBER512R3_AVX2_BMI2_SRCS} PROPERTIES COMPILE_FLAGS ${S2N_KYBER512R3_AVX2_BMI2_SUPPORTED_FLAGS})
-        endif()
-    endif()
-endif()
-feature_probe_result(S2N_KYBER512R3_AVX2_BMI2 ${S2N_KYBER512R3_AVX2_BMI2})
-
 if (S2N_INTERN_LIBCRYPTO)
 
     # Check if the AWS::crypto target has beeen added and handle it
@@ -558,7 +500,7 @@ if (BUILD_TESTING)
                   find . -name '${test_case_name}.c.o' -exec objcopy --redefine-syms libcrypto.symbols {} \\\;
             )
         endif()
-        target_compile_options(${test_case_name} PRIVATE -Wno-implicit-function-declaration -Wno-deprecated -D_POSIX_C_SOURCE=200809L -std=gnu99)
+        target_compile_options(${test_case_name} PRIVATE -Wno-implicit-function-declaration -Wno-deprecated -Wunused-result -D_POSIX_C_SOURCE=200809L -std=gnu99)
         if (S2N_LTO)
             target_compile_options(${test_case_name} PRIVATE -flto)
         endif()
@@ -609,6 +551,10 @@ if (BUILD_TESTING)
     if (S2N_INTEG_TESTS)
         find_package (Python3 COMPONENTS Interpreter Development)
         file(GLOB integv2_test_files "${PROJECT_SOURCE_DIR}/tests/integrationv2/test_*.py")
+        set(N 1)
+        if (S2N_FAST_INTEG_TESTS)
+            set(N auto)
+        endif()
         foreach(test_file_path ${integv2_test_files})
             get_filename_component(test_filename ${test_file_path} NAME_WE)
             string(REGEX REPLACE "^test_" "integrationv2_" test_target ${test_filename})

LICENSE

@@ -200,25 +200,3 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-   
-   
-============================================================================
-    S2N SUBCOMPONENTS:
-
-    The s2n Project contains subcomponents with separate copyright notices
-    and license terms. Your use of the source code for these subcomponents is
-    subject to the terms and conditions of the following licenses.
-
-
-========================================================================
-Third party MIT licenses
-========================================================================
-
-The following components are provided under the MIT License. See project link for details.
-
-
-    SIKE
-      -> s2n/pq-crypto/sike_r1/LICENSE.txt
-
-   
-