Merge branch 'main' into openssl-fips-no-custom

.github/workflows/ci_linting.yml

@@ -144,7 +144,7 @@ jobs:
         with:
           route: GET /repos/{repo}/commits/{ref}/statuses?per_page=100
           repo: ${{ github.repository }}
-          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }}
+          ref: ${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha || github.event.after }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: check start_codebuild.sh against statuses

CMakeLists.txt

@@ -445,9 +445,8 @@ if (S2N_INTERN_LIBCRYPTO)
         # add all of the prefixed symbols to the archive
         add_custom_command(
             TARGET ${PROJECT_NAME} POST_BUILD
-            DEPENDS libcrypto.symbols
             COMMAND
-                bash -c "${CMAKE_AR} -r lib/libs2n.a s2n_libcrypto/*.o"
+                bash -c "${CMAKE_AR} -r $<TARGET_FILE:${PROJECT_NAME}> s2n_libcrypto/*.o"
             VERBATIM
         )
     endif()

bindings/rust/extended/s2n-tls-sys/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.11"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

bindings/rust/extended/s2n-tls-sys/templates/Cargo.template

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.11"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

bindings/rust/extended/s2n-tls-tokio/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-tokio"
 description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
-version = "0.3.10"
+version = "0.3.11"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -16,7 +16,7 @@ errno = { version = "0.3" }
 # A minimum libc version of 0.2.121 is required by aws-lc-sys 0.14.0.
 libc = { version = "0.2.121" }
 pin-project-lite = { version = "0.2" }
-s2n-tls = { version = "=0.3.10", path = "../s2n-tls" }
+s2n-tls = { version = "=0.3.11", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]

bindings/rust/extended/s2n-tls/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.3.10"
+version = "0.3.11"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -22,7 +22,7 @@ unstable-testing = []
 errno = { version = "0.3" }
 # A minimum libc version of 0.2.121 is required by aws-lc-sys 0.14.0.
 libc = "0.2.121"
-s2n-tls-sys = { version = "=0.3.10", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.3.11", path = "../s2n-tls-sys", features = ["internal"] }
 pin-project-lite = "0.2"
 hex = "0.4"
 

bindings/rust/extended/s2n-tls/src/connection.rs

@@ -11,6 +11,7 @@ use crate::{
     config::Config,
     enums::*,
     error::{Error, Fallible, Pollable},
+    psk::Psk,
     security,
 };
 
@@ -1319,6 +1320,47 @@ impl Connection {
         unsafe { s2n_connection_is_session_resumed(self.connection.as_ptr()) == 1 }
     }
 
+    /// Append an external psk to a connection.
+    ///
+    /// This may be called repeatedly to support multiple PSKs.
+    ///
+    /// Corresponds to [s2n_connection_append_psk].
+    pub fn append_psk(&mut self, psk: &Psk) -> Result<(), Error> {
+        unsafe {
+            // SAFETY: retrieving a *mut s2n_psk from &Psk: s2n-tls does not treat
+            // the pointer as mutable, and only holds the reference to copy the
+            // PSK onto the connection.
+            s2n_connection_append_psk(self.as_ptr(), psk.ptr.as_ptr()).into_result()?
+        };
+        Ok(())
+    }
+
+    /// Corresponds to [s2n_connection_get_negotiated_psk_identity_length].
+    pub fn negotiated_psk_identity_length(&self) -> Result<usize, Error> {
+        let mut length = 0;
+        unsafe {
+            s2n_connection_get_negotiated_psk_identity_length(self.connection.as_ptr(), &mut length)
+                .into_result()?
+        };
+        Ok(length as usize)
+    }
+
+    /// Retrieve the negotiated psk identity. Use [Connection::negotiated_psk_identity_length]
+    /// to retrieve the length of the psk identity.
+    ///
+    /// Corresponds to [s2n_connection_get_negotiated_psk_identity].
+    pub fn negotiated_psk_identity(&self, destination: &mut [u8]) -> Result<(), Error> {
+        unsafe {
+            s2n_connection_get_negotiated_psk_identity(
+                self.connection.as_ptr(),
+                destination.as_mut_ptr(),
+                destination.len().min(u16::MAX as usize) as u16,
+            )
+            .into_result()?;
+        }
+        Ok(())
+    }
+
     /// Associates an arbitrary application context with the Connection to be later retrieved via
     /// the [`Self::application_context()`] and [`Self::application_context_mut()`] APIs.
     ///

bindings/rust/extended/s2n-tls/src/enums.rs

@@ -229,6 +229,38 @@ impl From<PeerKeyUpdate> for s2n_peer_key_update::Type {
     }
 }
 
+#[non_exhaustive]
+#[derive(Debug)]
+pub enum PskMode {
+    Resumption,
+    External,
+}
+
+impl From<PskMode> for s2n_psk_mode::Type {
+    fn from(input: PskMode) -> Self {
+        match input {
+            PskMode::Resumption => s2n_psk_mode::RESUMPTION,
+            PskMode::External => s2n_psk_mode::EXTERNAL,
+        }
+    }
+}
+
+#[non_exhaustive]
+#[derive(Debug)]
+pub enum PskHmac {
+    SHA256,
+    SHA384,
+}
+
+impl From<PskHmac> for s2n_psk_hmac::Type {
+    fn from(input: PskHmac) -> Self {
+        match input {
+            PskHmac::SHA256 => s2n_psk_hmac::SHA256,
+            PskHmac::SHA384 => s2n_psk_hmac::SHA384,
+        }
+    }
+}
+
 /// Corresponds to [s2n_serialization_version].
 #[non_exhaustive]
 #[derive(Debug, PartialEq, Copy, Clone)]

bindings/rust/extended/s2n-tls/src/lib.rs

@@ -23,6 +23,7 @@ pub mod enums;
 pub mod fingerprint;
 pub mod init;
 pub mod pool;
+pub mod psk;
 #[cfg(feature = "unstable-renegotiate")]
 pub mod renegotiate;
 pub mod security;